From e0711fd7f71f0e5e2de76947ceca500e84e207d9 Mon Sep 17 00:00:00 2001
From: Bernie White
Date: Tue, 7 May 2024 22:21:55 +1000
Subject: [PATCH] Add additional exclusions for Azure.Deployment.SecureParameter #2857

---
 docs/CHANGELOG-v1.md                              |  4 ++++
 docs/en/rules/Azure.Deployment.SecureParameter.md | 15 ++++++++++-----
 .../rules/Azure.Deployment.Rule.ps1               | 11 ++++++++---
 3 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md
index 94d5f232c76..18392c9f85f 100644
--- a/docs/CHANGELOG-v1.md
+++ b/docs/CHANGELOG-v1.md
@@ -39,6 +39,10 @@ What's changed since v1.36.0:
 - Cosmos DB:
   - Check that database accounts use a paid tier by @BernieWhite.
     [#2845](https://github.com/Azure/PSRule.Rules.Azure/issues/2845)
+- Updated rules:
+  - Deployment:
+    - Add additional exclusions for `Azure.Deployment.SecureParameter` by @BernieWhite.
+      [#2857](https://github.com/Azure/PSRule.Rules.Azure/issues/2857)
 - General improvements:
   - Quality updates to documentation by @BernieWhite.
     [#2570](https://github.com/Azure/PSRule.Rules.Azure/issues/2570)
diff --git a/docs/en/rules/Azure.Deployment.SecureParameter.md b/docs/en/rules/Azure.Deployment.SecureParameter.md
index b96c38ad5a0..159b9f70f71 100644
--- a/docs/en/rules/Azure.Deployment.SecureParameter.md
+++ b/docs/en/rules/Azure.Deployment.SecureParameter.md
@@ -1,8 +1,8 @@
 ---
-reviewed: 2023-11-13
+reviewed: 2024-05-07
 severity: Critical
 pillar: Security
-category: Infrastructure provisioning
+category: SE:02 Secured development lifecycle
 resource: Deployment
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Deployment.SecureParameter/
 ---
@@ -86,11 +86,16 @@ This rule uses a heuristics to determine if a parameter should use a secure type
 - Parameters with the type `int` or `bool` are ignored regardless of how they are named.
 - Any parameter with a name containing `password`, `secret`, or `token` will be considered sensitive.
   - Except parameter names containing any of the following:
-    `passwordlength`, `secretname`, `secreturl`, `secreturi`, `secretrotation`, `secretinterval`, `secretprovider`,
-    `secretsprovider`, `secretref`, `secretid`, `disablepassword`, `sync*passwords`, or `tokenname`.
+    `length`, `interval`, `secretname`, `secreturl`, `secreturi`, `secrettype`, `secretrotation`,
+    `secretprovider`, `secretsprovider`, `secretref`, `secretid`, `disablepassword`, `sync*passwords`,
+    `tokenname`, `tokentype`, `keyvaultpath`, `keyvaultname`, or `keyvaulturi`.
 - Any parameter with a name ending in `key` or `keys` will be considered sensitive.
   - Except parameter names ending in `publickey` or `publickeys`.
 
+### Rule configuration
+
+
 If you identify a parameter that is _not sensitive_, and is incorrectly flagged by this rule, you can override the rule.
 
 To override this rule:
@@ -98,6 +103,6 @@ To override this rule:
 
 ## LINKS
 
-- [Infrastructure provisioning considerations in Azure](https://learn.microsoft.com/azure/architecture/framework/security/deploy-infrastructure)
+- [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
 - [Use Azure Key Vault to pass secure parameter value during Bicep deployment](https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter)
 - [Integrate Azure Key Vault in your ARM template deployment](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#edit-the-parameters-file)
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1
index 1ee2748ff37..c2830185c9d 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1
@@ -75,19 +75,24 @@ function global:GetSecureParameter {
         )).Result -and
         $parameter.Name -notLike '*publickey' -and
         $parameter.Name -notLike '*publickeys' -and
-        $parameter.Name -notLike '*passwordlength*' -and
         $parameter.Name -notLike '*secretname*' -and
         $parameter.Name -notLike '*secreturl*' -and
         $parameter.Name -notLike '*secreturi*' -and
-        $parameter.Name -notLike '*tokenname*' -and
+        $parameter.Name -notLike '*secrettype*' -and
         $parameter.Name -notLike '*secretrotation*' -and
-        $parameter.Name -notLike '*secretinterval*' -and
+        $parameter.Name -notLike '*tokenname*' -and
+        $parameter.Name -notLike '*tokentype*' -and
+        $parameter.Name -notLike '*interval*' -and
+        $parameter.Name -notLike '*length*' -and
         $parameter.Name -notLike '*secretprovider*' -and
         $parameter.Name -notLike '*secretsprovider*' -and
         $parameter.Name -notLike '*secretref*' -and
         $parameter.Name -notLike '*secretid*' -and
         $parameter.Name -notLike '*disablepassword*' -and
         $parameter.Name -notLike '*sync*passwords*' -and
+        $parameter.Name -notLike '*keyvaultpath*' -and
+        $parameter.Name -notLike '*keyvaultname*' -and
+        $parameter.Name -notLike '*keyvaulturi*' -and
         $Assert.NotIn($parameter, 'Name', $Configuration.GetStringValues('AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES')).Result -and
         $Null -ne $parameter.Value.type -and
         $parameter.Value.type -ne 'bool' -and
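Review bot: Replacing `*passwordlength*` and `*secretinterval*` with the bare `*length*` and `*interval*` patterns widens the exclusion from two specific compound names to any parameter whose name merely contains those substrings, so a string-typed parameter that also contains `password`, `secret` or `token` (a constructed example: `secretRefreshInterval` declared as `string`) is now silently treated as non-sensitive by this rule. Because `int` parameters are already skipped by the `type` checks just below, the wider patterns mostly affect string parameters, and that rationale is not recorded anywhere in the hunk. The patch diffstat lists no test file, so none of the eight new `-notLike` exclusions (including the three `*keyvault*` ones) has a case pinning which names are flagged and which are excluded; I would add cases for at least one excluded and one still-flagged name per new pattern. Above the chain I would add `# Exclusions are case-insensitive substring matches; keep this list in sync with docs/en/rules/Azure.Deployment.SecureParameter.md and prefer narrow compound names over bare terms.` GetSecureParameter begins before and continues after this hunk.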