Add additional exclusions for Azure.Deployment.SecureParameter #2857 (#…
BernieWhite authored May 7, 2024
1 parent 793cf0c commit 777e13e
Showing 3 changed files with 22 additions and 8 deletions.
4 changes: 4 additions & 0 deletions docs/CHANGELOG-v1.md
@@ -39,6 +39,10 @@ What's changed since v1.36.0:
- Cosmos DB:
- Check that database accounts use a paid tier by @BernieWhite.
[#2845](https://github.com/Azure/PSRule.Rules.Azure/issues/2845)
- Updated rules:
- Deployment:
- Add additional exclusions for `Azure.Deployment.SecureParameter` by @BernieWhite.
[#2857](https://github.com/Azure/PSRule.Rules.Azure/issues/2857)
- General improvements:
- Quality updates to documentation by @BernieWhite.
[#2570](https://github.com/Azure/PSRule.Rules.Azure/issues/2570)
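Review bot: the changelog entry for #2857 says only "additional exclusions" but this change also widens two existing exclusions (`passwordlength` becomes `length`, `secretinterval` becomes `interval`), which changes which parameters the rule stops flagging; a short clause noting the broadened patterns would help users reviewing results after upgrading.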
15 changes: 10 additions & 5 deletions docs/en/rules/Azure.Deployment.SecureParameter.md
@@ -1,8 +1,8 @@
---
reviewed: 2023-11-13
reviewed: 2024-05-07
severity: Critical
pillar: Security
category: Infrastructure provisioning
category: SE:02 Secured development lifecycle
resource: Deployment
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Deployment.SecureParameter/
---
@@ -86,18 +86,23 @@ This rule uses a heuristics to determine if a parameter should use a secure type
- Parameters with the type `int` or `bool` are ignored regardless of how they are named.
- Any parameter with a name containing `password`, `secret`, or `token` will be considered sensitive.
- Except parameter names containing any of the following:
`passwordlength`, `secretname`, `secreturl`, `secreturi`, `secretrotation`, `secretinterval`, `secretprovider`,
`secretsprovider`, `secretref`, `secretid`, `disablepassword`, `sync*passwords`, or `tokenname`.
`length`, `interval`, `secretname`, `secreturl`, `secreturi`, `secrettype`, `secretrotation`,
`secretprovider`, `secretsprovider`, `secretref`, `secretid`, `disablepassword`, `sync*passwords`,
`tokenname`, `tokentype`, `keyvaultpath`, `keyvaultname`, or `keyvaulturi`.
- Any parameter with a name ending in `key` or `keys` will be considered sensitive.
- Except parameter names ending in `publickey` or `publickeys`.

### Rule configuration

<!-- module:config rule AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES -->

If you identify a parameter that is _not sensitive_, and is incorrectly flagged by this rule, you can override the rule.
To override this rule:

- Set the `AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES` configuration value to identify parameters that are not sensitive.

## LINKS

- [Infrastructure provisioning considerations in Azure](https://learn.microsoft.com/azure/architecture/framework/security/deploy-infrastructure)
- [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
- [Use Azure Key Vault to pass secure parameter value during Bicep deployment](https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter)
- [Integrate Azure Key Vault in your ARM template deployment](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#edit-the-parameters-file)
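Review bot: the documented exclusions now contain the bare substrings `length` and `interval`, which subsume the old `passwordlength` and `secretinterval` but also exclude any sensitive-looking name that merely contains those words; the text should state this trade-off so readers know that, for example, a secret parameter whose name includes "interval" will no longer be flagged and must be caught by review or by the `AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES` override in the other direction. While editing this section, the context sentence "uses a heuristics" reads better as "uses heuristics".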
11 changes: 8 additions & 3 deletions src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1
@@ -75,19 +75,24 @@ function global:GetSecureParameter {
)).Result -and
$parameter.Name -notLike '*publickey' -and
$parameter.Name -notLike '*publickeys' -and
$parameter.Name -notLike '*passwordlength*' -and
$parameter.Name -notLike '*secretname*' -and
$parameter.Name -notLike '*secreturl*' -and
$parameter.Name -notLike '*secreturi*' -and
$parameter.Name -notLike '*tokenname*' -and
$parameter.Name -notLike '*secrettype*' -and
$parameter.Name -notLike '*secretrotation*' -and
$parameter.Name -notLike '*secretinterval*' -and
$parameter.Name -notLike '*tokenname*' -and
$parameter.Name -notLike '*tokentype*' -and
$parameter.Name -notLike '*interval*' -and
$parameter.Name -notLike '*length*' -and
$parameter.Name -notLike '*secretprovider*' -and
$parameter.Name -notLike '*secretsprovider*' -and
$parameter.Name -notLike '*secretref*' -and
$parameter.Name -notLike '*secretid*' -and
$parameter.Name -notLike '*disablepassword*' -and
$parameter.Name -notLike '*sync*passwords*' -and
$parameter.Name -notLike '*keyvaultpath*' -and
$parameter.Name -notLike '*keyvaultname*' -and
$parameter.Name -notLike '*keyvaulturi*' -and
$Assert.NotIn($parameter, 'Name', $Configuration.GetStringValues('AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES')).Result -and
$Null -ne $parameter.Value.type -and
$parameter.Value.type -ne 'bool' -and
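Review bot: the exclusion list is now a twenty-line chain of `-notLike` comparisons that must be kept in sync by hand with the list in `Azure.Deployment.SecureParameter.md`; consider moving the patterns into a single array and testing with one loop or a joined regex, so the docs can be generated from (or checked against) the same list. Also note that `*length*` and `*interval*` make the earlier `*passwordlength*` and `*secretinterval*` entries redundant, which the patch already removes, but they widen the exclusion to any name containing those substrings, so a unit test covering a sensitive name such as one containing both `secret` and `interval` would document the intended behaviour. PowerShell `-notLike` is case-insensitive by default, so no additional lower-casing is needed for these patterns.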