Add additional exclusions for Azure.Deployment.SecureParameter #2857

docs/CHANGELOG-v1.md

@@ -39,6 +39,10 @@ What's changed since v1.36.0:
   - Cosmos DB:
     - Check that database accounts use a paid tier by @BernieWhite.
       [#2845](https://github.com/Azure/PSRule.Rules.Azure/issues/2845)
+- Updated rules:
+  - Deployment:
+    - Add additional exclusions for `Azure.Deployment.SecureParameter` by @BernieWhite.
+      [#2857](https://github.com/Azure/PSRule.Rules.Azure/issues/2857)
 - General improvements:
   - Quality updates to documentation by @BernieWhite.
     [#2570](https://github.com/Azure/PSRule.Rules.Azure/issues/2570)

docs/en/rules/Azure.Deployment.SecureParameter.md

@@ -1,8 +1,8 @@
 ---
-reviewed: 2023-11-13
+reviewed: 2024-05-07
 severity: Critical
 pillar: Security
-category: Infrastructure provisioning
+category: SE:02 Secured development lifecycle
 resource: Deployment
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Deployment.SecureParameter/
 ---
@@ -86,18 +86,23 @@ This rule uses a heuristics to determine if a parameter should use a secure type
 - Parameters with the type `int` or `bool` are ignored regardless of how they are named.
 - Any parameter with a name containing `password`, `secret`, or `token` will be considered sensitive.
   - Except parameter names containing any of the following:
-    `passwordlength`, `secretname`, `secreturl`, `secreturi`, `secretrotation`, `secretinterval`, `secretprovider`,
-    `secretsprovider`, `secretref`, `secretid`, `disablepassword`, `sync*passwords`, or `tokenname`.
+    `length`, `interval`, `secretname`, `secreturl`, `secreturi`, `secrettype`, `secretrotation`,
+    `secretprovider`, `secretsprovider`, `secretref`, `secretid`, `disablepassword`, `sync*passwords`,
+    `tokenname`, `tokentype`, `keyvaultpath`, `keyvaultname`, or `keyvaulturi`.
 - Any parameter with a name ending in `key` or `keys` will be considered sensitive.
   - Except parameter names ending in `publickey` or `publickeys`.
 
+### Rule configuration
+
+<!-- module:config rule AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES -->
+
 If you identify a parameter that is _not sensitive_, and is incorrectly flagged by this rule, you can override the rule.
 To override this rule:
 
 - Set the `AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES` configuration value to identify parameters that are not sensitive.
 
 ## LINKS
 
-- [Infrastructure provisioning considerations in Azure](https://learn.microsoft.com/azure/architecture/framework/security/deploy-infrastructure)
+- [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
 - [Use Azure Key Vault to pass secure parameter value during Bicep deployment](https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter)
 - [Integrate Azure Key Vault in your ARM template deployment](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#edit-the-parameters-file)

src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1

@@ -75,19 +75,24 @@ function global:GetSecureParameter {
                     )).Result -and
                     $parameter.Name -notLike '*publickey' -and
                     $parameter.Name -notLike '*publickeys' -and
-                    $parameter.Name -notLike '*passwordlength*' -and
                     $parameter.Name -notLike '*secretname*' -and
                     $parameter.Name -notLike '*secreturl*' -and
                     $parameter.Name -notLike '*secreturi*' -and
-                    $parameter.Name -notLike '*tokenname*' -and
+                    $parameter.Name -notLike '*secrettype*' -and
                     $parameter.Name -notLike '*secretrotation*' -and
-                    $parameter.Name -notLike '*secretinterval*' -and
+                    $parameter.Name -notLike '*tokenname*' -and
+                    $parameter.Name -notLike '*tokentype*' -and
+                    $parameter.Name -notLike '*interval*' -and
+                    $parameter.Name -notLike '*length*' -and
                     $parameter.Name -notLike '*secretprovider*' -and
                     $parameter.Name -notLike '*secretsprovider*' -and
                     $parameter.Name -notLike '*secretref*' -and
                     $parameter.Name -notLike '*secretid*' -and
                     $parameter.Name -notLike '*disablepassword*' -and
                     $parameter.Name -notLike '*sync*passwords*' -and
+                    $parameter.Name -notLike '*keyvaultpath*' -and
+                    $parameter.Name -notLike '*keyvaultname*' -and
+                    $parameter.Name -notLike '*keyvaulturi*' -and
                     $Assert.NotIn($parameter, 'Name', $Configuration.GetStringValues('AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES')).Result -and
                     $Null -ne $parameter.Value.type -and
                     $parameter.Value.type -ne 'bool' -and