
template-analyzer's Introduction


Template Analyzer

What is Template Analyzer?

Template Analyzer scans ARM (Azure Resource Manager) and Bicep Infrastructure-as-Code (IaC) templates to ensure security and best practice checks are being followed before deployment of your Azure solutions.

Template Analyzer provides a simple and extensible solution to improve the security of your Azure resources before deployment and ensures your templates follow best practices. Template Analyzer is designed to be customizable - users can write their own checks and/or enforce only the checks that are relevant for them.

Getting started with Template Analyzer

Download the latest Template Analyzer release in the releases section.

To preview the rules that come bundled with Template Analyzer, explore the built-in rules.

Using Template Analyzer

Template Analyzer is executed via a command line. There are two formats to invoke it:

TemplateAnalyzer.exe analyze-template <template-path> [-p <parameters-path>] [-c <config-path>] [--report-format <format>] [-o <output-path>] [-v]

or

TemplateAnalyzer.exe analyze-directory <directory-path> [-c <config-path>] [--report-format <format>] [-o <output-path>] [-v]

Input

Template Analyzer accepts the following inputs:

<template-path>
    The path of the template to analyze.
<directory-path>
    The directory in which to search for templates (recursively finds and analyzes all ARM and Bicep templates in the directory and its subdirectories). ARM templates are identified by a '.json' file extension and a valid top-level $schema property. Bicep templates are identified by a '.bicep' file extension.
-p or --parameters-file-path (optional)
    A parameters file.
-c or --config-file-path (optional)
    A configuration file which sets custom settings for the analyzer. If the argument is not provided, Template Analyzer will attempt to load a configuration from <ExecutablePath>/configuration.json if the file exists.
--report-format (optional)
    Valid formats: Console (default): output results to the console in plain text. Sarif: output results to a file in SARIF format.
-o or --output-file-path (required if --report-format is Sarif)
    File path to output SARIF results to.
-v or --verbose (optional)
    Shows details about the analysis.
--include-non-security-rules (optional)
    Run all the rules against the templates, including non-security rules.

Template Analyzer runs the configured rules against the provided template and its corresponding template parameters, if specified. If no template parameters are specified, Template Analyzer checks whether a parameters file following the general naming standards defined by Microsoft is present in the same folder; otherwise it generates the minimum number of placeholder parameters needed to properly evaluate the template functions in the template.

Note: Providing Template Analyzer with template parameter values gives more accurate results, since the analysis then more closely represents your actual deployments. The values provided to parameters may affect the evaluation of Template Analyzer rules, altering its results. That said, DO NOT save sensitive data (passwords, connection strings, etc.) in parameter files in your repositories. Instead, have your template retrieve these values from Azure Key Vault.

Output

Results can be output in plain text to the console, or output to a file in SARIF format. Template Analyzer will exit with an error code if any errors or violations are found during a scan.

Console

Template Analyzer outputs the results of violated rules, the corresponding line numbers where rules failed, and a recommendation to remediate each violation.

For a template which deploys an API App that does not require HTTPS, running Template Analyzer on the template would produce output which looks similar to the following:

>TemplateAnalyzer.exe analyze-template "C:\Templates\azuredeploy.json"

File: C:\Templates\azuredeploy.json

        TA-000004: API app should only be accessible over HTTPS
                Severity: Medium
                Recommendation: Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks
                More information: https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md#ta-000004-api-app-should-only-be-accessible-over-https
                Result: Failed
                Line: 67

        Rules passed: 16

Execution summary:
        The execution completed successfully

SARIF

Results are written to the file specified (with the -o or --output-file-path argument) in SARIF format.

Exit codes

Exit code   Scenario
0           Success: Operation was successful
1           Error: Problem with command
2           Error: Invalid file or directory path
3           Error: Missing file or directory path
4           Error: Problem loading configuration file
10          Error: Invalid ARM template specified
11          Error: Invalid Bicep template specified
20          Violation: Scan found rule violations in analyzed template(s)
21          Error: An error was encountered trying to analyze a template
22          Violation + Error: Scan encountered both violations in template(s) and errors trying to analyze template(s)

Understanding and customizing rules

The analysis rules used by Template Analyzer are written in JSON, located in Rules/BuiltInRules.json (starting from the directory TemplateAnalyzer.exe is in). This file can be added to and/or modified to change the rules that are run. See the documentation for more information about how to author Template Analyzer JSON rules.

Contributing

This project welcomes contributions and suggestions. Please see the Contribution Guide for more details about how to contribute to Template Analyzer. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repositories using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

Usage

This project follows Microsoft Privacy Standards. This product does not collect nor store any personal data.


template-analyzer's Issues

Creating Test Infrastructure for Testing Built-in Rules

A new test project should be added that allows easy, config-based validations to be written for built-in rules. This project will essentially provide a small test infrastructure for validating these rules.

At a high level, the project should:

  • Run the template analyzer against templates specified in a config
  • Validate the results of the run against the expectations specified in the config
  • The config should specify (at least):
    • A template to run against
    • The rule that should flag a result (i.e. fail)
    • The expected line number of the failure

[Built-in Rule] Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json

{
    "name": "ServiceFabric_ClusterProtectionLevel_EncryptAndSign",
    "description": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign",
    "recommendation": "Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed",
    "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#service-fabric-clusters-should-have-the-clusterprotectionlevel-property-set-to-encryptandsign",
    "evaluation": {
      "resourceType": "Microsoft.ServiceFabric/clusters",
      "allOf": [
        {
          "path": "properties.fabricSettings[*].name",
          "equals": "Security"
        },
        {
          "path": "properties.fabricSettings[*].parameters[*].name",
          "equals": "ClusterProtectionLevel"
        },
        {
          "path": "properties.fabricSettings[*].parameters[*].value",
          "equals": "EncryptAndSign"
        }
      ]
    }
}

[Built-in Rule] Only secure connections to your Azure Cache for Redis should be enabled

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json

{
    "name": "Cache_Redis_SSL_Only",
    "description": "Only secure connections to your Azure Cache for Redis should be enabled",
    "recommendation": "Enable connections via SSL only to Redis Cache",
    "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#only-secure-connections-to-your-azure-cache-for-redis-should-be-enabled",
    "evaluation": {
      "resourceType": "Microsoft.Cache/redis",
      "path": "properties.enableNonSslPort",
      "equals": false
    }
}

[Built-in Rule] Role-Based Access Control (RBAC) should be used on Kubernetes Services

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json

{
    "name": "Kubernetes_Must_Use_RBAC",
    "description": "Role-Based Access Control (RBAC) should be used on Kubernetes Services",
    "recommendation": "Enable RBAC in Kubernetes clusters",
    "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#role-based-access-control-rbac-should-be-used-on-kubernetes-services",
    "evaluation": {
      "resourceType": "Microsoft.ContainerService/managedClusters",
      "allOf": [
        {
          "path": "properties.enableRBAC",
          "hasValue": true
        },
        {
          "path": "properties.enableRBAC",
          "equals": true
        }
      ]
    }
}

[Built-in Rule] Managed identity should be used in your API App

Azure Policy link: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_ApiApp_Audit.json

{
  "name": "AppServiceApiApp_UseManagedIdentity",
  "description": "Managed identity should be used in your API App",
  "recommendation": "Use a managed identity for enhanced authentication security",
  "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#managed-identity-should-be-used-in-your-api-app",
  "evaluation": {
    "resourceType": "Microsoft.Web/sites",
    "where": {
      "path": "kind",
      "regex": "api$"
    },
    "evaluate": {
      "anyOf": [
        {
          "path": "identity.type",
          "equals": "UserAssigned"
        },
        {
          "path": "identity.type",
          "equals": "SystemAssigned"
        }
      ]
    }
  }
}

[Built-in Rule] SQL servers should retain audit data for at least 90 days

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditingRetentionDays_Audit.json

{
  "name": "SQL_Rentention_Days",
  "description": "SQL servers with auditing to storage account destination should be configured with 90 days retention or higher",
  "recommendation": "Set the data retention for your SQL Server's auditing to storage account destination to at least 90 days",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#sql-servers-with-auditing-to-storage-account-destination-should-be-configured-with-90-days-retention-or-higher",
  "evaluation": {
    "resourceType": "Microsoft.Sql/servers",
    "where": {
      "path": "properties.kind",
      "regex": "^((?!analytics).)*$"
    },
    "evaluate": {
      "resourceType": "Microsoft.Sql/servers/auditingSettings",
      "where": {
        "path": "name",
        "equals": "default"
      },
      "allOf": [
        {
          "anyOf": [
            {
              "path": "properties.isAzureMonitorTargetEnabled",
              "equals": false
            },
            {
              "path": "properties.storageEndpoint",
              "hasValue": true
            }
          ]
        },
        {
          "path": "properties.retentionDays",
          "greaterOrEqual": 90
        }
      ]
    }
  }
}

[Built-in Rule] SQL Auditing settings should have Action-Groups configured to capture critical activities

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_ActionsAndGroups_Audit.json

{
  "name": "SQL_Auditing_Actions_And_Groups",
  "description": "SQL Auditing settings should have Action-Groups configured to capture critical activities",
  "recommendation": "The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough audit logging",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#sql-auditing-settings-should-have-action-groups-configured-to-capture-critical-activities",
  "evaluation": {
    "resourceType": "Microsoft.Sql/servers",
    "allOf": [
      {
        "resourceType": "Microsoft.Sql/servers/auditingSettings",
        "where": {
          "path": "name",
          "equals": "default"
        },
        "evaluate": {
          "path": "properties.auditActionsAndGroups[*]",
          "in": [
            "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
            "FAILED_DATABASE_AUTHENTICATION_GROUP",
            "BATCH_COMPLETED_GROUP"
          ]
        }
      }
    ]
  }
}

[Built-in Rule] FTPS only should be required in your API App

Azure Policy link: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_ApiApp_Audit.json

{
  "name": "AppServiceApiApp_FTPS",
  "description": "FTPS only should be required in your API App",
  "recommendation": "Enable FTPS enforcement for enhanced security",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#ftps-only-should-be-required-in-your-api-app",
  "evaluation": {
    "resourceType": "Microsoft.Web/sites",
    "where": {
      "path": "properties.kind",
      "regex": "api$"
    },
    "evaluate": {
      "anyOf": [
        {
          "resourceType": "Microsoft.Web/sites/config",
          "where": {
            "path": "name",
            "equals": "web"
          },
          "anyOf": [
            {
              "path": "properties.ftpsState",
              "exists": false
            },
            {
              "path": "properties.ftpsState",
              "in": ["FtpsOnly", "Disabled"]
            }
          ]
        },
        {
          "anyOf": [
            {
              "path": "properties.siteConfig.ftpsState",
              "exists": false
            },
            {
              "path": "properties.siteConfig.ftpsState",
              "in": ["FtpsOnly", "Disabled"]
            }
          ]
        }
      ]
    }
  }
}

[Built-in Rule] Virtual machines should be migrated to new Azure Resource Manager resources

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json

{
    "name": "ClassicCompute_Do_Not_Use",
    "description": "Virtual machines should be migrated to new Azure Resource Manager resources",
    "recommendation": "Deploy Azure Resource Manager VMs, not Classic Compute VMs",
    "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#virtual-machines-should-be-migrated-to-new-azure-resource-manager-resources",
    "evaluation": {
      "resourceType": "Microsoft.ClassicCompute/virtualMachines",
      "exists": false
    }
}

Add support for notEquals operator

This operator supports all JSON types

The logical inverse of equals. Evaluations on incompatible types result in true.

{
    "resourceType": "Microsoft.Compute/virtualMachines",
    "path": "properties.osProfile.adminPassword",
    "notEquals": "password" // Evaluates to `true` because the value of the path "properties.osProfile.adminPassword" is `null`, which does not match the value in the rule.
}

[Built-in Rule] Certificates should not expire within the specified number of days

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_Expiry_ByDays.json

{
  "name": "Certificates_Expiry_ByDays",
  "description": "Certificates should not expire within the specified number of days",
  "recommendation": "Have certificates expire within a certain number of days",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#certificates-should-not-expire-within-the-specified-number-of-days",
  "parameters": {
    "daysToExpire": 90
  },
  "evaluation": {
    "resourceType": "Microsoft.KeyVault.Data/vaults/certificates",
    "path": "attributes.expiresOn",
    "lessOrEquals": "[addDays(utcNow(), parameters('daysToExpire'))]"
  }
}

Add support for allOf operator

This operator is a logical and operator

{
    "allOf": [
        {
            "resourceType": "Microsoft.Compute/virtualMachines",
            "path": "properties.osProfile.adminPassword",
            "hasValue": false // Evaluates to `false`
        },
        {
            "resourceType": "Microsoft.Compute/virtualMachines",
            "path": "properties.osProfile.adminUsername",
            "regex": "username" // Evaluates to `true`
        }
    ] // Evaluates to `false` because not all the expressions contained in "allOf" resulted in `true`
}

Add support for the in (a list) operator

Checks whether there is an element in the array equal to the specified value

{
    "resourceType": "Microsoft.Compute/virtualMachines",
    "path": "apiVersion",
    "in": [
         "2020-06-01",
         "2019-12-01",
         "2019-07-01",
         "2019-03-01"
    ] // Evaluates to `true` because the value of "apiVersion" in the template ("2020-06-01") is equal to one of the values in the array specified for `in`.
}

Add support for the equals operator

This operator supports all JSON types

Tests the template value of the path to determine if it is equal to the value specified in the rule.

  • If the type of the value of equals does not match the type of the value at path, this evaluates to false (except for integer and float, which can be compared with one another). Otherwise, this behaves as expected for the given type.
  • Evaluations on string types are case-insensitive.
{
    "resourceType": "Microsoft.Compute/virtualMachines",
    "path": "name",
    "equals": "MyVMResource" // Evaluates to `true` because the value of the path "name" is a string and case-insensitively matches the value in the rule.
}

Make language update for differentiating between rule scope narrowing and rule requirements

The JSON rule language needs some modification (new properties added) to differentiate between Value Operators that violate a rule and Value Operators that simply narrow the scope of when a rule should be enforced.

For example, if a rule is written that enforces both minimum and maximum values being present on a parameter if one of them is specified (i.e. the parameter can specify both or neither), when the rule checks to see if one is present, it should not report a failing rule.

[Built-in Rule] Service Fabric clusters should only use Azure Active Directory for client authentication

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json

{
    "name": "ServiceFabric_Client_AAD_Auth_Only",
    "description": "Service Fabric clusters should only use Azure Active Directory for client authentication",
    "recommendation": "Enable AAD client authentication on your Service Fabric clusters",
    "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#service-fabric-clusters-should-only-use-azure-active-directory-for-client-authentication",
    "evaluation": {
      "resourceType": "Microsoft.ServiceFabric/clusters",
      "path": "properties.azureActiveDirectory.tenantId",
      "hasValue": true
    }
}

[Built-in Rule] Remote debugging should be turned off for API Apps

Azure Policy link: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json

{
  "name": "AppService_DisableRemoteDebugging_ApiApp",
  "description": "Remote debugging should be turned off for API Apps",
  "recommendation": "Remote debugging should be turned off",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#remote-debugging-should-be-turned-off-for-api-apps",
  "evaluation": {
    "resourceType": "Microsoft.Web/sites",
    "where": {
      "path": "properties.kind",
      "regex": "api$"
    },
    "evaluate": {
      "anyOf": [
        {
          "resourceType": "Microsoft.Web/sites/config",
          "where": {
            "path": "name",
            "equals": "web"
          },
          "evaluate": {
            "path": "properties.remoteDebuggingEnabled",
            "notEquals": true
          }
        },
        {
          "path": "properties.siteConfig.remoteDebuggingEnabled",
          "notEquals": true
        }
      ]  
    }
  }
}

[Built-in Rule] Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json

{
    "name": "Kubernetes_Upgrade_Non-Vulnerable_Version",
    "description": "Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version",
    "recommendation": "Upgrade to a non-vulnerable Kubernetes version",
    "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#kubernetes-services-should-be-upgraded-to-a-non-vulnerable-kubernetes-version",
    "evaluation": {
        "resourceType": "Microsoft.ContainerService/managedClusters",
        "allOf": [
            {
                "not": {
                    "path": "properties.kubernetesVersion",
                    "in": [
                        "1.13.4",
                        "1.13.3",
                        "1.13.2",
                        "1.13.1",
                        "1.13.0"
                    ]
                }
             },
            {
                "not": {
                    "path": "properties.kubernetesVersion",
                    "in": [
                        "1.12.6",
                        "1.12.5",
                        "1.12.4",
                        "1.12.3",
                        "1.12.2",
                        "1.12.1",
                        "1.12.0"
                    ]
                }
            },
            {
                "not": {
                    "path": "properties.kubernetesVersion",
                    "in": [
                        "1.11.8",
                        "1.11.7",
                        "1.11.6",
                        "1.11.5",
                        "1.11.4",
                        "1.11.3",
                        "1.11.2",
                        "1.11.1",
                        "1.11.0"
                    ]
                }
            },
            {
                "not": {
                    "path": "properties.kubernetesVersion",
                    "regex": "1.10.*"
                }
            },
            {
                "not": {
                    "path": "properties.kubernetesVersion",
                    "regex": "1.9.*"
                }
            },
            {
                "not": {
                    "path": "properties.kubernetesVersion",
                    "regex": "1.8.*"
                }
            },
            {
                "not": {
                    "path": "properties.kubernetesVersion",
                    "regex": "1.7.*"
                }
            },
            {
                "not": {
                    "path": "properties.kubernetesVersion",
                    "regex": "1.6.*"
                }
            },
            {
                "not": {
                    "path": "properties.kubernetesVersion",
                    "regex": "1.5.*"
                }
            },
            {
                "not": {
                    "path": "properties.kubernetesVersion",
                    "regex": "1.4.*"
                }
            },
            {
                "not": {
                    "path": "properties.kubernetesVersion",
                    "regex": "1.3.*"
                }
            },
            {
                "not": {
                    "path": "properties.kubernetesVersion",
                    "regex": "1.2.*"
                }
            },
            {
                "not": {
                    "path": "properties.kubernetesVersion",
                    "regex": "1.1.*"
                }
            },
            {
                "not": {
                    "path": "properties.kubernetesVersion",
                    "regex": "1.0.*"
                }
            }
        ]
    }
}

[Built-in Rule] Authorized IP ranges should be defined on Kubernetes Services

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json

{
    "name": "Kubernetes_Must_Restrict_Network_Access",
    "description": "Authorized IP ranges should be defined on Kubernetes Services",
    "recommendation": "Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges",
    "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#authorized-ip-ranges-should-be-defined-on-kubernetes-services",
    "evaluation": {
      "resourceType": "Microsoft.ContainerService/managedClusters",
      "anyOf": [
          {
              "path": "properties.apiServerAccessProfile.authorizedIPRanges",
              "exists": true
          },
          {
              "path": "properties.apiServerAccessProfile.enablePrivateCluster",
              "equals": true
          }
      ]
    }
}

Add support for regex comparisons

Runs the regular expression in the specified value against the value at the path

{
    "resourceType": "Microsoft.Compute/virtualMachines",
    "path": "properties.osProfile.adminUsername",
    "regex": "admin" // Evaluates to `false` because "admin" is not contained in the value of the path "properties.osProfile.adminUsername".
}
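Serving the operator issues above (equals, notEquals, in, regex, allOf) and the scope-narrowing issue, the following is an added Python dry-run evaluator for the JSON rule language; it is not Template Analyzer's own engine and takes already-expanded resource objects rather than raw templates. It assumes that a `[*]` path segment means "each array element", that a multi-valued path satisfies an operator if any of its values does, and that hasValue treats null or empty as absent; the rules are reduced from the issues and the resource data is constructed.

```python
"""Dry-run evaluator for the Template Analyzer JSON rule language (added example)."""
import re
from typing import Any, Optional


def resolve(obj: Any, path: str) -> list:
    """All values reachable at a dotted path; '[*]' fans out over an array (assumed
    meaning). A missing segment yields no values, which is what decides 'exists'."""
    values = [obj]
    for seg in path.split("."):
        wildcard = seg.endswith("[*]")
        key = seg[:-3] if wildcard else seg
        step = []
        for v in values:
            if isinstance(v, dict) and key in v:
                child = v[key]
                if wildcard and isinstance(child, list):
                    step.extend(child)
                elif not wildcard:
                    step.append(child)
        values = step
    return values


def equals(actual: Any, expected: Any) -> bool:
    """Type mismatch is False; int and float compare freely; strings ignore case."""
    if isinstance(actual, bool) or isinstance(expected, bool):  # bool is an int in Python
        return type(actual) is type(expected) and actual == expected
    if isinstance(actual, (int, float)) and isinstance(expected, (int, float)):
        return actual == expected
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.casefold() == expected.casefold()
    return type(actual) is type(expected) and actual == expected


def evaluate(expr: dict, res: dict) -> Optional[bool]:
    """True = satisfied, False = violated, None = narrowed out of scope by 'where'.
    Assumption: a multi-valued path satisfies a value operator if any value does."""
    for op, combine in (("allOf", all), ("anyOf", any)):
        if op in expr:
            parts = [r for r in (evaluate(e, res) for e in expr[op]) if r is not None]
            return combine(parts) if parts else None
    if "not" in expr:
        inner = evaluate(expr["not"], res)
        return None if inner is None else not inner
    if "where" in expr:  # scope narrowing: a 'where' that does not match is not a violation
        return evaluate(expr["evaluate"], res) if evaluate(expr["where"], res) else None
    values = resolve(res, expr["path"])
    if "exists" in expr:
        return bool(values) == expr["exists"]
    if "hasValue" in expr:  # assumption: null or empty does not count as a value
        return any(v not in (None, "", [], {}) for v in values) == expr["hasValue"]
    if "equals" in expr:
        return any(equals(v, expr["equals"]) for v in values)
    if "notEquals" in expr:  # inverse of equals, so incompatible types give True
        return not any(equals(v, expr["notEquals"]) for v in values)
    if "in" in expr:
        return any(equals(v, item) for v in values for item in expr["in"])
    if "regex" in expr:
        return any(isinstance(v, str) and re.search(expr["regex"], v) is not None for v in values)
    raise ValueError(f"unsupported operator in {expr}")


def run_rule(rule: dict, resources: list) -> dict:
    """Map each resource of the rule's type to 'Passed', 'Failed' or 'NotApplicable'."""
    ev = rule["evaluation"]
    body = {k: v for k, v in ev.items() if k != "resourceType"}
    verdicts = {True: "Passed", False: "Failed", None: "NotApplicable"}
    return {r["name"]: verdicts[evaluate(body, r)]
            for r in resources if equals(r.get("type"), ev["resourceType"])}


# Constructed sample resources, shaped like expanded ARM resources (not a real template).
RESOURCES = [
    {"type": "Microsoft.Cache/redis", "name": "cache1", "properties": {"enableNonSslPort": True}},
    {"type": "Microsoft.Web/sites", "name": "api1", "kind": "api", "properties": {}},
    {"type": "Microsoft.Web/sites", "name": "web1", "kind": "app", "properties": {}},
    {"type": "Microsoft.ServiceFabric/clusters", "name": "sf1", "properties": {"fabricSettings": [
        {"name": "Security", "parameters": [{"name": "ClusterProtectionLevel", "value": "EncryptAndSign"}]}]}},
]

# Rules from the issues above, reduced to their 'evaluation' sections.
REDIS_SSL_ONLY = {"name": "Cache_Redis_SSL_Only", "evaluation": {
    "resourceType": "Microsoft.Cache/redis", "path": "properties.enableNonSslPort", "equals": False}}
API_APP_MANAGED_IDENTITY = {"name": "AppServiceApiApp_UseManagedIdentity", "evaluation": {
    "resourceType": "Microsoft.Web/sites",
    "where": {"path": "kind", "regex": "api$"},
    "evaluate": {"anyOf": [{"path": "identity.type", "equals": "UserAssigned"},
                           {"path": "identity.type", "equals": "SystemAssigned"}]}}}
SF_ENCRYPT_AND_SIGN = {"name": "ServiceFabric_ClusterProtectionLevel_EncryptAndSign", "evaluation": {
    "resourceType": "Microsoft.ServiceFabric/clusters", "allOf": [
        {"path": "properties.fabricSettings[*].name", "equals": "Security"},
        {"path": "properties.fabricSettings[*].parameters[*].name", "equals": "ClusterProtectionLevel"},
        {"path": "properties.fabricSettings[*].parameters[*].value", "equals": "EncryptAndSign"}]}}

if __name__ == "__main__":
    for rule in (REDIS_SSL_ONLY, API_APP_MANAGED_IDENTITY, SF_ENCRYPT_AND_SIGN):
        print(rule["name"], run_rule(rule, RESOURCES))  # e.g. {'cache1': 'Failed'}
```

The evaluator does not support a nested resourceType inside evaluate (child resources such as Microsoft.Sql/servers/auditingSettings), which needs the template expansion described in a later issue.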

[Built-in Rule] FTPS only should be required in your Function App

Azure Policy link: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_FunctionApp_Audit.json

{
  "name": "AppServiceFunctionApp_FTPS",
  "description": "FTPS only should be required in your Function App",
  "recommendation": "Enable FTPS enforcement for enhanced security",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#ftps-only-should-be-required-in-your-function-app",
  "evaluation": {
    "resourceType": "Microsoft.Web/sites",
    "where": {
      "path": "properties.kind",
      "regex": "^functionapp"
    },
    "evaluate": {
      "anyOf": [
        {
          "resourceType": "Microsoft.Web/sites/config",
          "where": {
            "path": "name",
            "equals": "web"
          },
          "anyOf": [
            {
              "path": "properties.ftpsState",
              "exists": false
            },
            {
              "path": "properties.ftpsState",
              "in": ["FtpsOnly", "Disabled"]
            }
          ]
        },
        {
          "anyOf": [
            {
              "path": "properties.siteConfig.ftpsState",
              "exists": false
            },
            {
              "path": "properties.siteConfig.ftpsState",
              "in": ["FtpsOnly", "Disabled"]
            }
          ]
        }
      ]
    }
  }
}

[Built-in Rule] Remote debugging should be turned off for Function Apps

Azure Policy link: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json

{
  "name": "AppService_DisableRemoteDebugging_FunctionApp",
  "description": "Remote debugging should be turned off for Function Apps",
  "recommendation": "Remote debugging should be turned off",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#remote-debugging-should-be-turned-off-for-function-apps",
  "evaluation": {
    "resourceType": "Microsoft.Web/sites",
    "where": {
      "path": "properties.kind",
      "regex": "^functionapp"
    },
    "evaluate": {
      "anyOf": [
        {
          "resourceType": "Microsoft.Web/sites/config",
          "where": {
            "path": "name",
            "equals": "web"
          },
          "evaluate": {
            "path": "properties.remoteDebuggingEnabled",
            "notEquals": true
          }
        },
        {
          "path": "properties.siteConfig.remoteDebuggingEnabled",
          "notEquals": true
        }
      ]  
    }
  }
}

[Built-in Rule] Managed identity should be used in your Function App

Azure Policy link: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json

{
  "name": "AppServiceFunctionApp_UseManagedIdentity",
  "description": "Managed identity should be used in your Function App",
  "recommendation": "Use a managed identity for enhanced authentication security",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#managed-identity-should-be-used-in-your-function-app",
  "evaluation": {
    "resourceType": "Microsoft.Web/sites",
    "where": {
      "path": "properties.kind",
      "regex": "^functionapp"
    },
    "evaluate": {
      "anyOf": [
        {
          "path": "identity.type",
          "equals": "UserAssigned"
        },
        {
          "path": "identity.type",
          "equals": "SystemAssigned"
        }
      ]
    }
  }
}

Template Expansion: Put dependent resources into dependency resource

In an ARM template, a resource can be designated as depending upon other resources in the template, like:

"resources": [
  {
    "name": "<dependency-name>",
    "type": "<dependency-type>",
    ...
  },
  {
    "name": "<name-of-dependent-resource>",
    "type": "<some-resource-type>",
    "dependsOn": [
      "<dependency-type>/<dependency-name>",
      ...
    ],
    ...
  }
]

When processing and expanding a template, whenever such resources are found, a copy of each should be put into the resources sub-array of every resource it depends on.

Then in the expanded template, the dependency resource would look something like:

{
  "name": "<dependency-name>",
  "type": "<dependency-type>",
  ...,
+  "resources": [
+    {
+      "name": "<name-of-dependent-resource>",
+      "type": "<some-resource-type>",
+      ...
+    }
+  ]
}

This will enable rules to be written where the rule only applies to a resource type if some condition about its parent is met.
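The expansion described in this issue, and the parent-conditioned check it is meant to enable, as an added example in Python. This is not the project's code; the sample template, `resource_id`, `expand_dependencies` and `debug_enabled_function_app_configs` are all constructed here for illustration.

```python
import copy
import re

# Constructed sample template (not the project's own): a Function App that depends
# on its plan, and a web config resource that depends on the Function App.
SAMPLE_TEMPLATE = {
    "resources": [
        {"name": "plan1", "type": "Microsoft.Web/serverfarms"},
        {"name": "func1", "type": "Microsoft.Web/sites", "kind": "functionapp",
         "dependsOn": ["Microsoft.Web/serverfarms/plan1"]},
        {"name": "func1/web", "type": "Microsoft.Web/sites/config",
         "properties": {"remoteDebuggingEnabled": True},
         "dependsOn": ["Microsoft.Web/sites/func1"]},
    ]
}


def resource_id(resource):
    """The '<type>/<name>' form that dependsOn entries use in the issue above."""
    return f"{resource['type']}/{resource['name']}"


def expand_dependencies(template):
    """Return a deep copy of the template in which every resource carries a copy
    of each resource that depends on it in its own 'resources' sub-array."""
    expanded = copy.deepcopy(template)
    by_id = {resource_id(r): r for r in expanded["resources"]}
    for resource in template["resources"]:
        for dependency in resource.get("dependsOn", []):
            parent = by_id.get(dependency)
            if parent is None:
                continue  # dependency lives outside this template; nothing to nest
            parent.setdefault("resources", []).append(copy.deepcopy(resource))
    return expanded


def debug_enabled_function_app_configs(template):
    """Parent-conditioned check of the kind the expansion enables: names of
    sites/config children whose parent site is a Function App (kind matches
    ^functionapp) and which have remote debugging switched on."""
    findings = []
    for parent in expand_dependencies(template)["resources"]:
        if parent["type"] != "Microsoft.Web/sites":
            continue
        if not re.match("^functionapp", parent.get("kind", "")):
            continue
        for child in parent.get("resources", []):
            if child["type"] == "Microsoft.Web/sites/config" and \
                    child.get("properties", {}).get("remoteDebuggingEnabled") is True:
                findings.append(child["name"])
    return findings
```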

[Built-in Rule] Use built-in roles instead of custom RBAC roles

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json

{
  "name": "Authorization_RoleDefinition_No_Custom_RBAC",
  "description": "Use built-in roles instead of custom RBAC roles",
  "recommendation": "Use built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#use-built-in-roles-instead-of-custom-rbac-roles",
  "evaluation": {
    "resourceType": "Microsoft.Authorization/roleDefinitions",
    "path": "properties.type",
    "notEquals": "CustomRole"
  }
}

[Built-in Rule] FTPS only should be required in your Web App

Azure Policy link: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_WebApp_Audit.json

{
  "name": "AppServiceWebApp_FTPS",
  "description": "FTPS only should be required in your Web App",
  "recommendation": "Enable FTPS enforcement for enhanced security",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#ftps-only-should-be-required-in-your-web-app",
  "evaluation": {
    "resourceType": "Microsoft.Web/sites",
    "where": {
      "path": "properties.kind",
      "regex": "^app"
    },
    "evaluate": {
      "anyOf": [
        {
          "resourceType": "Microsoft.Web/sites/config",
          "where": {
            "path": "name",
            "equals": "web"
          },
          "anyOf": [
            {
              "path": "properties.ftpsState",
              "exists": false
            },
            {
              "path": "properties.ftpsState",
              "in": ["FtpsOnly", "Disabled"]
            }
          ]
        },
        {
          "anyOf": [
            {
              "path": "properties.siteConfig.ftpsState",
              "exists": false
            },
            {
              "path": "properties.siteConfig.ftpsState",
              "in": ["FtpsOnly", "Disabled"]
            }
          ]
        }
      ]
    }
  }
}

[Built-in Rule] Transparent Data Encryption on SQL databases should be enabled

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json

{
  "name": "SQL_Enable_Encryption",
  "description": "Transparent Data Encryption on SQL databases should be enabled",
  "recommendation": "Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#transparent-data-encryption-on-sql-databases-should-be-enabled",
  "evaluation": {
    "resourceType": "Microsoft.Sql/servers/databases",
    "where": {
      "path": "name",
      "notEquals": "master"
    },
    "evaluate": {
      "resourceType": "Microsoft.Sql/servers/databases/transparentDataEncryption",
      "path": "properties.state",
      "equals": "enabled"
    }
  }
}

Add support for anyOf operator

This operator is a logical OR operator: it evaluates to `true` when any of the expressions it contains evaluates to `true`.

{
    "anyOf": [
        {
            "resourceType": "Microsoft.Compute/virtualMachines",
            "path": "properties.osProfile.adminPassword",
            "hasValue": false // Evaluates to `false`
        },
        {
            "resourceType": "Microsoft.Compute/virtualMachines",
            "path": "properties.osProfile.adminUsername",
            "regex": "username" // Evaluates to `true`
        }
    ] // Evaluates to `true` because one of the expressions contained in "anyOf" resulted in `true`
}
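A small evaluator for the expression above, added here as an example in Python (not the project's code): `get_path` and `evaluate` are constructed for illustration, and the sample VM resource is shaped so the sub-expressions produce the `false`/`true` results noted in the comments.

```python
import re

# Constructed VM resource (not from the project) shaped to reproduce the comments
# in the example above: the password has a value, the username matches "username".
VM_RESOURCE = {
    "type": "Microsoft.Compute/virtualMachines",
    "properties": {"osProfile": {"adminUsername": "vm-username",
                                 "adminPassword": "[parameters('adminPassword')]"}},
}
# The rule from the example above, as plain JSON (comments removed).
ANY_OF_RULE = {
    "anyOf": [
        {"resourceType": "Microsoft.Compute/virtualMachines",
         "path": "properties.osProfile.adminPassword", "hasValue": False},
        {"resourceType": "Microsoft.Compute/virtualMachines",
         "path": "properties.osProfile.adminUsername", "regex": "username"},
    ]
}

def get_path(obj, path):
    """Follow a dotted JSON path; return (found, value) to tell 'missing' from 'empty'."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return False, None
        obj = obj[part]
    return True, obj

def evaluate(expr, resource):
    """Evaluate one expression against one resource. anyOf is a logical OR over its
    sub-expressions; missing-path semantics here are this example's assumption."""
    if "anyOf" in expr:
        return any(evaluate(sub, resource) for sub in expr["anyOf"])
    if "resourceType" in expr and expr["resourceType"] != resource.get("type"):
        return False  # the expression does not apply to this resource type
    found, value = get_path(resource, expr["path"])
    if "exists" in expr:
        return found == expr["exists"]
    if "hasValue" in expr:
        return (found and value not in (None, "", [], {})) == expr["hasValue"]
    if "equals" in expr:
        return found and value == expr["equals"]
    if "notEquals" in expr:
        return (not found) or value != expr["notEquals"]
    if "regex" in expr:
        return found and isinstance(value, str) and bool(re.search(expr["regex"], value))
    raise ValueError(f"unsupported operator in {expr}")  # fail closed, never pass silently
```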

[Built-in Rule] Auditing on SQL server should be enabled

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json

{
  "name": "SQL_Auditing_Enabled",
  "description": "Auditing on SQL server should be enabled",
  "recommendation": "Enable auditing on your SQL Server",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#auditing-on-sql-server-should-be-enabled",
  "parameters": {
    "setting": "defaultSetting"
  },
  "evaluation": {
    "resourceType": "Microsoft.Sql/servers",
    "where": {
      "path": "kind",
      "regex": "^((?!analytics).)*$"
    },
    "evaluate": {
      "resourceType": "Microsoft.Sql/servers/auditingSettings",
      "path": "properties.auditingSettings.state",
      "equals": "[parameters('setting')]"
    }
  }
}

[Built-in Rule] Managed identity should be used in your Web App

Azure Policy link: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json

{
  "name": "AppServiceWebApp_UseManagedIdentity",
  "description": "Managed identity should be used in your Web App",
  "recommendation": "Use a managed identity for enhanced authentication security",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#managed-identity-should-be-used-in-your-web-app",
  "evaluation": {
    "resourceType": "Microsoft.Web/sites",
    "where": {
      "anyOf": [
        {
          "path": "kind",
          "exists": false
        },
        {
          "path": "kind",
          "regex": "^app"
        }
      ]
    },
    "anyOf": [
      {
        "path": "identity.type",
        "equals": "UserAssigned"
      },
      {
        "path": "identity.type",
        "equals": "SystemAssigned"
      }
    ]
  }
}

Define wildcard behavior

Having wildcards specified in a JSON path is a promised supported feature. However, the resulting behavior is not yet sufficiently defined.

Two scenarios as examples, each validating the elements of an object array:

Rule A

  • There must exist at least one element where a property equals a specific value

{
    "resourceType": "Microsoft/someResource",
    "path": "properties.array[*].atLeastOnePropertyWithValue",
    "equals": "thisValueAtLeastOnce"
}

Rule B

  • Every element in the array must have a specific property set to a specific value

{
    "resourceType": "Microsoft/someResource",
    "path": "properties.array[*].everyPropertyWithValue",
    "equals": "thisValueAlways"
}

There is no logic difference between these two rules, but the intents are different. It's not clear how each rule should be written differently. We therefore need to decide how these wildcards should behave and make that behavior clear in documentation.

Template Processor does not account for any variables defined in a nested template in a deployments resource

{
  "name": "string",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2020-10-01",
  "location": "string",
  "scope": "string",
  "subscriptionId": "string",
  "resourceGroup": "string",
  "properties": {
    "expressionEvaluationOptions": {
      "scope": "inner"
    },
    "template": {<WHERE THIS NESTED TEMPLATE HAS ITS OWN VARIABLES DEFINED>}
  }
}

The error thrown is: "The template variable '<variable_name>' is not found."
This depends on the setting that sets the scope of the inner template: https://docs.microsoft.com/en-us/azure/templates/microsoft.resources/deployments?tabs=json#expressionevaluationoptions-object

[Built-in Rule] Remote debugging should be turned off for Web Applications

Azure Policy link: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json

{
  "name": "AppService_DisableRemoteDebugging_WebApp",
  "description": "Remote debugging should be turned off for Web Applications",
  "recommendation": "Remote debugging should be turned off",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#remote-debugging-should-be-turned-off-for-web-applications",
  "evaluation": {
    "resourceType": "Microsoft.Web/sites",
    "where": {
      "path": "properties.kind",
      "regex": "^app"
    },
    "evaluate": {
      "anyOf": [
        {
          "resourceType": "Microsoft.Web/sites/config",
          "where": {
            "path": "name",
            "equals": "web"
          },
          "evaluate": {
            "path": "properties.remoteDebuggingEnabled",
            "notEquals": true
          }
        },
        {
          "path": "properties.siteConfig.remoteDebuggingEnabled",
          "notEquals": true
        }
      ]
    }
  }
}

[Built-in Rule] Automation account variables should be encrypted

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json

{
  "name": "AutomationAccounts_Variables_Encrypted",
  "description": "Automation account variables should be encrypted",
  "recommendation": "Enable encryption of Automation account variable assets when storing sensitive data",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#automation-account-variables-should-be-encrypted",
  "evaluation": {
    "resourceType": "Microsoft.Automation/automationAccounts/variables",
    "path": "properties.isEncrypted",
    "equals": true
  }
}

[Built-in Rule] Storage accounts should be migrated to new Azure Resource Manager resources

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json

{
  "name": "ClassicStorage_Do_Not_Use",
  "description": "Storage accounts should be migrated to new Azure Resource Manager resources",
  "recommendation": "Deploy Azure Resource Manager Storage Accounts, not Classic Storage Accounts",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#storage-accounts-should-be-migrated-to-new-azure-resource-manager-resources",
  "evaluation": {
    "resourceType": "Microsoft.ClassicStorage/storageAccounts",
    "exists": false
  }
}
