[BUG] AZR-000284: Administrator Username Types

[karpikpl]

Existing rule

AZR-000284

Description of the issue

When creating SQL server AZR-000284 and AZR-000316 are raised for username and password, even though they are passed as Secure in bicep.

This is similar to #1762

Error messages

        AZR-000284: Administrator Username Types
                Severity: High
                Recommendation: Sensitive properties should be passed as parameters. Avoid using deterministic values for sensitive properties.
                More information: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Deployment.AdminUsername/
                Result: Failed 
                Line: 9
        AZR-000316: Use secure resource values
                Severity: High
                Recommendation: Consider using secure parameters for sensitive resource properties.
                More information: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Deployment.SecureValue/
                Result: Failed 
                Line: 9

Reproduction

main.bicep

// Parameters
@description('The name of the SQL logical server.')
param sqlServerName string = uniqueString('sql', resourceGroup().id)

@description('The name of the SQL Database.')
param sqlDbName string = 'SampleDB'

@description('Location for all resources.')
param location string = resourceGroup().location

@description('The administrator username of the SQL logical server.')
@secure()
param sqlAdminLogin string

@description('The administrator password of the SQL logical server.')
@secure()
param sqlAdminPassword string

@description('SKU name.  Typically a letter representing tier, followed by a number e.g. S4')
param sqlSkuName string = 'Standard'

@description('SKU level/tier.  Typically Basic/Standard/Premium')
param sqlSkuTier string = 'Standard'

// Resource Declarations
module sql_database './modules/sqlDatabase.bicep' = {
  name: 'sqlDatabaseDeploy'
  params: {
    serverName: sqlServerName
    databaseName: sqlDbName
    location: location
    adminLogin: sqlAdminLogin
    adminPassword: sqlAdminPassword
    skuName: sqlSkuName
    skuTier: sqlSkuTier
  }
}

modules/sqlDatabase.bicep

@description('The name of the SQL logical server.')
param serverName string = uniqueString('sql', resourceGroup().id)

@description('The name of the SQL Database.')
param databaseName string = 'SampleDB'

@description('Location for all resources.')
param location string = resourceGroup().location

@description('The administrator username of the SQL logical server.')
@secure()
param adminLogin string

@description('The administrator password of the SQL logical server.')
@secure()
param adminPassword string

@description('SKU name.  Typically a letter representing tier, followed by a number e.g. S4')
param skuName string = 'Standard'

@description('SKU level/tier.  Typically Basic/Standard/Premium')
param skuTier string = 'Standard'

resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: serverName
  location: location
  properties: {
    administratorLogin: adminLogin
    administratorLoginPassword: adminPassword
    publicNetworkAccess: 'Disabled'
    minimalTlsVersion: '1.2'
  }
}

resource sqlDatabase 'Microsoft.Sql/servers/databases@2022-05-01-preview' = {
  parent: sqlServer
  name: databaseName
  location: location
  sku: {
    name: skuName
    tier: skuTier
  }
}

resource sqlAdmins 'Microsoft.Sql/servers/administrators@2022-05-01-preview' = {
  name: 'ActiveDirectory'
  parent: sqlServer
  properties: {
    administratorType: 'ActiveDirectory'
    login: 'sql-admins'
    sid: '0c82f823-ffb6-428b-8ef8-de1f967840af'
    tenantId: subscription().tenantId
  }
}

resource sqlSecurityAlertPolicy 'Microsoft.Sql/servers/securityAlertPolicies@2022-05-01-preview' = {
  parent: sqlServer
  name: 'default'
  properties: {
    state: 'Enabled'
    emailAccountAdmins: true
    disabledAlerts: []
    retentionDays: 30
  }
}

resource sqlAuditSettings 'Microsoft.Sql/servers/auditingSettings@2022-08-01-preview' = {
  name: 'default'
  parent: sqlServer
  properties: {
    isAzureMonitorTargetEnabled: true
    state: 'Enabled'
    retentionDays: 7
    auditActionsAndGroups: [
      'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP'
      'FAILED_DATABASE_AUTHENTICATION_GROUP'
      'BATCH_COMPLETED_GROUP'
    ]
  }
}

Version of PSRule

2.9.0

Version of PSRule for Azure

1.33.2

Additional context

I'm testing using TemplateAnalyzer - latest version.
Version of Microsoft.PSRule.Rules.Azure.Core.dll is 1.33.2.0

[BernieWhite]

@karpikpl Thanks for reporting the issue. Can you confirm you are using a key vault reference in the calling deployment or parameter file?

[karpikpl]

I'm using a parameter file in the deployment.
It has tokenized values, so it looks something like this:

    "sqlAdminLogin": {
      "value": "__sqlAdminLogin__"
    },

but I've been running TemplateAnalyzer with the param file and without it - same results.

My first thought was that analyzers don't know that values are not hardcoded but tokenized, it doesn't seem to be the case.

[BernieWhite]

Ok thanks for that @karpikpl. Let me investigate these bugs and get back to you.

[lsegovia-dev]

Is there an update on this issue or a suggested work around? I have tested on PSRule 1.37.0 and am also encountering this issue.

[lsegovia-dev]

@BernieWhite following up again as I have tested with version 1.20 where this issue was reportedly first resolved but I still encountered the same error.