Updated Azure.Deployment.SecureValue #2650 #2651 (#3139)

data/secret-property.json

@@ -0,0 +1,204 @@
+{
+  "Microsoft.AAD/DomainServices": [
+    "properties.ldapsSettings.pfxCertificatePassword"
+  ],
+  "Microsoft.ApiManagement/Service": [
+    "properties.hostnameConfigurations.certificatePassword",
+    "properties.certificates.certificatePassword"
+  ],
+  "Microsoft.ApiManagement/Service/AuthorizationServers": [
+    "properties.clientSecret",
+    "properties.resourceOwnerPassword"
+  ],
+  "Microsoft.ApiManagement/Service/Backends": [
+    "properties.proxy.password"
+  ],
+  "Microsoft.ApiManagement/Service/Certificates": [
+    "properties.password"
+  ],
+  "Microsoft.ApiManagement/Service/IdentityProviders": [
+    "properties.clientSecret"
+  ],
+  "Microsoft.ApiManagement/Service/OpenidConnectProviders": [
+    "properties.clientSecret"
+  ],
+  "Microsoft.ApiManagement/Service/Users": [
+    "properties.password"
+  ],
+  "Microsoft.App/containerApps": [
+    "properties.configuration.secrets[*].value"
+  ],
+  "Microsoft.App/jobs": [
+    "properties.configuration.secrets[*].value"
+  ],
+  "Microsoft.App/managedEnvironments": [
+    "properties.customDomainConfiguration.certificatePassword",
+    "properties.customDomainConfiguration.certificateValue"
+  ],
+  "Microsoft.App/managedEnvironments/certificates": [
+    "properties.password",
+    "properties.value"
+  ],
+  "Microsoft.Automation/AutomationAccounts/Credentials": [
+    "properties.password"
+  ],
+  "Microsoft.Batch/BatchAccounts/Pools": [
+    "properties.userAccounts.linuxUserConfiguration.sshPrivateKey"
+  ],
+  "Microsoft.Blockchain/BlockchainMembers": [
+    "properties.password",
+    "properties.consortiumManagementAccountPassword"
+  ],
+  "Microsoft.Blockchain/BlockchainMembers/TransactionNodes": [
+    "properties.password"
+  ],
+  "Microsoft.BotService/BotServices/Connections": [
+    "properties.clientSecret"
+  ],
+  "Microsoft.Compute/virtualMachineScaleSets": [
+    "properties.virtualMachineProfile.osProfile.adminPassword"
+  ],
+  "Microsoft.Compute/VirtualMachineScaleSets/Virtualmachines": [
+    "properties.osProfile.adminPassword"
+  ],
+  "Microsoft.Compute/VirtualMachines": [
+    "properties.osProfile.adminPassword"
+  ],
+  "Microsoft.ContainerInstance/ContainerGroups": [
+    "properties.imageRegistryCredentials.password"
+  ],
+  "Microsoft.ContainerService/ContainerServices": [
+    "properties.servicePrincipalProfile.secret",
+    "properties.windowsProfile.adminPassword"
+  ],
+  "Microsoft.ContainerService/ManagedClusters": [
+    "properties.windowsProfile.adminPassword",
+    "properties.servicePrincipalProfile.secret",
+    "properties.aadProfile.serverAppSecret"
+  ],
+  "Microsoft.ContainerService/OpenShiftManagedClusters": [
+    "properties.authProfile.identityProviders.provider.secret"
+  ],
+  "Microsoft.Resources/deploymentScripts": [
+    "properties.storageAccountSettings.storageAccountKey",
+    "properties.environmentVariables[*].secureValue"
+  ],
+  "Microsoft.DBforMariaDB/Servers": [
+    "properties.administratorLoginPassword"
+  ],
+  "Microsoft.DBforMySQL/Servers": [
+    "properties.administratorLoginPassword"
+  ],
+  "Microsoft.DBforPostgreSQL/Servers": [
+    "properties.administratorLoginPassword"
+  ],
+  "Microsoft.DataMigration/Services/Projects": [
+    "properties.sourceConnectionInfo.password",
+    "properties.targetConnectionInfo.password"
+  ],
+  "Microsoft.DevTestLab/Labs/Formulas": [
+    "properties.formulaContent.properties.password"
+  ],
+  "Microsoft.DevTestLab/Labs/Users/Secrets": [
+    "properties.value"
+  ],
+  "Microsoft.DevTestLab/Labs/Virtualmachines": [
+    "properties.password"
+  ],
+  "Microsoft.HDInsight/Clusters": [
+    "properties.securityProfile.domainUserPassword",
+    "properties.computeProfile.roles.osProfile.linuxOperatingSystemProfile.password"
+  ],
+  "Microsoft.HDInsight/Clusters/Applications": [
+    "properties.computeProfile.roles.osProfile.linuxOperatingSystemProfile.password"
+  ],
+  "Microsoft.KeyVault/Vaults/Secrets": [
+    "properties.value"
+  ],
+  "Microsoft.Logic/IntegrationAccounts/Agreements": [
+    "properties.content.x12.receiveAgreement.protocolSettings.securitySettings.passwordValue",
+    "properties.content.x12.sendAgreement.protocolSettings.securitySettings.passwordValue",
+    "properties.content.edifact.receiveAgreement.protocolSettings.envelopeSettings.recipientReferencePasswordValue",
+    "properties.content.edifact.sendAgreement.protocolSettings.envelopeSettings.recipientReferencePasswordValue",
+    "properties.content.edifact.receiveAgreement.protocolSettings.envelopeSettings.groupApplicationPassword",
+    "properties.content.edifact.sendAgreement.protocolSettings.envelopeSettings.groupApplicationPassword",
+    "properties.content.edifact.receiveAgreement.protocolSettings.envelopeOverrides.applicationPassword",
+    "properties.content.edifact.sendAgreement.protocolSettings.envelopeOverrides.applicationPassword"
+  ],
+  "Microsoft.NetApp/NetAppAccounts": [
+    "properties.activeDirectories.password"
+  ],
+  "Microsoft.Network/ApplicationGateways": [
+    "properties.sslCertificates.properties.password"
+  ],
+  "Microsoft.Network/Connections": [
+    "properties.virtualNetworkGateway1.properties.vpnClientConfiguration.radiusServerSecret",
+    "properties.virtualNetworkGateway2.properties.vpnClientConfiguration.radiusServerSecret",
+    "properties.sharedKey"
+  ],
+  "Microsoft.Network/VirtualNetworkGateways": [
+    "properties.vpnClientConfiguration.radiusServerSecret"
+  ],
+  "Microsoft.Network/VirtualWans/P2sVpnServerConfigurations": [
+    "properties.radiusServerSecret"
+  ],
+  "Microsoft.Network/VpnServerConfigurations": [
+    "properties.radiusServerSecret"
+  ],
+  "Microsoft.NotificationHubs/Namespaces/NotificationHubs": [
+    "properties.wnsCredential.properties.secretKey",
+    "properties.admCredential.properties.clientSecret",
+    "properties.baiduCredential.properties.baiduSecretKey"
+  ],
+  "Microsoft.ServiceFabricMesh/Applications": [
+    "properties.services.properties.codePackages.imageRegistryCredential.password"
+  ],
+  "Microsoft.ServiceFabricMesh/Secrets/Values": [
+    "properties.value"
+  ],
+  "Microsoft.Sql/ManagedInstances": [
+    "properties.administratorLoginPassword"
+  ],
+  "Microsoft.Sql/Servers": [
+    "properties.administratorLoginPassword"
+  ],
+  "Microsoft.Sql/Servers/Databases/Extensions": [
+    "properties.administratorLoginPassword"
+  ],
+  "Microsoft.Sql/Servers/Databases/SyncGroups": [
+    "properties.hubDatabasePassword"
+  ],
+  "Microsoft.Sql/Servers/Databases/SyncGroups/SyncMembers": [
+    "properties.password"
+  ],
+  "Microsoft.Sql/Servers/JobAgents/Credentials": [
+    "properties.password"
+  ],
+  "Microsoft.SqlVirtualMachine/SqlVirtualMachines": [
+    "properties.wsfcDomainCredentials.clusterBootstrapAccountPassword",
+    "properties.wsfcDomainCredentials.clusterOperatorAccountPassword",
+    "properties.wsfcDomainCredentials.sqlServiceAccountPassword",
+    "properties.autoBackupSettings.password",
+    "properties.keyVaultCredentialSettings.servicePrincipalSecret",
+    "properties.serverConfigurationsManagementSettings.sqlConnectivityUpdateSettings.sqlAuthUpdatePassword"
+  ],
+  "Microsoft.StorSimple/Managers/Devices/VolumeContainers": [
+    "properties.encryptionKey.value"
+  ],
+  "Microsoft.StorSimple/Managers/StorageAccountCredentials": [
+    "properties.accessKey.value"
+  ],
+  "Microsoft.StreamAnalytics/Streamingjobs": [
+    "properties.inputs[*].properties.datasource.properties.password",
+    "properties.outputs[*].properties.datasource.properties.password"
+  ],
+  "Microsoft.StreamAnalytics/Streamingjobs/Outputs": [
+    "properties.datasource.properties.password"
+  ],
+  "Microsoft.Web/Certificates": [
+    "properties.password"
+  ],
+  "Microsoft.Web/Sourcecontrols": [
+    "properties.tokenSecret"
+  ]
+}

docs/CHANGELOG-v1.md

@@ -31,6 +31,14 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 
 What's changed since v1.39.3:
 
+- Updated rules:
+  - Deployment:
+    - Updated `Azure.Deployment.SecureValue` to check additional resource types by @BernieWhite.
+      [#2650](https://github.com/Azure/PSRule.Rules.Azure/issues/2650)
+      [#2651](https://github.com/Azure/PSRule.Rules.Azure/issues/2651)
+      - Added support for container apps secret properties.
+      - Added support for deployment script secret properties.
+      - Bumped rule set to `2024_12`.
 - Engineering:
   - Migrated Azure samples into PSRule for Azure by @BernieWhite.
     [#3085](https://github.com/Azure/PSRule.Rules.Azure/issues/3085)

docs/en/rules/Azure.Deployment.SecureValue.md

@@ -2,16 +2,16 @@
 reviewed: 2022-10-10
 severity: Critical
 pillar: Security
-category: Infrastructure provisioning
+category: SE:02 Secured development lifecycle
 resource: Deployment
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Deployment.SecureValue/
 ---
 
-# Use secure resource values
+# Deployment sets a secret property with a non-secure value
 
 ## SYNOPSIS
 
-Use secure parameters for setting properties of resources that contain sensitive information.
+A secret property set from a non-secure value may leak the secret into deployment history or logs.
 
 ## DESCRIPTION
 
@@ -80,15 +80,12 @@ resource goodSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
 
 ## NOTES
 
-This rule checks the following resource type properties:
+For a list of resource types and properties that are checked by this rule see:
 
-- `Microsoft.KeyVault/vaults/secrets`:
-  - `properties.value`
-- `Microsoft.Compute/virtualMachineScaleSets`:
-  - `properties.virtualMachineProfile.osProfile.adminPassword`
+- https://github.com/Azure/PSRule.Rules.Azure/blob/main/data/secret-property.json
 
 ## LINKS
 
-- [Infrastructure provisioning considerations in Azure](https://learn.microsoft.com/azure/architecture/framework/security/deploy-infrastructure)
+- [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
 - [Use Azure Key Vault to pass secure parameter value during Bicep deployment](https://learn.microsoft.com/azure/azure-resource-manager/bicep/key-vault-parameter)
 - [Integrate Azure Key Vault in your ARM template deployment](https://learn.microsoft.com/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#edit-the-parameters-file)

src/PSRule.Rules.Azure.BuildTool/ClientBuilder.cs

@@ -6,27 +6,26 @@
 using System.CommandLine.Invocation;
 using PSRule.Rules.Azure.BuildTool.Resources;
 
-namespace PSRule.Rules.Azure.BuildTool
+namespace PSRule.Rules.Azure.BuildTool;
+
+internal sealed class ClientBuilder : CommandBuilder
 {
-    internal sealed class ClientBuilder : CommandBuilder
-    {
-        private ClientBuilder(RootCommand cmd) : base(cmd) { }
+    private ClientBuilder(RootCommand cmd) : base(cmd) { }
 
-        public static ClientBuilder New()
-        {
-            var cmd = new RootCommand();
-            return new ClientBuilder(cmd);
-        }
+    public static ClientBuilder New()
+    {
+        var cmd = new RootCommand();
+        return new ClientBuilder(cmd);
+    }
 
-        public ClientBuilder AddProviderResource()
-        {
-            var cmd = new Command("provider", CmdStrings.Provider_Description);
-            cmd.AddOption(new Option<string>(
-                new string[] { "--output-path" }
-            ));
-            cmd.Handler = CommandHandler.Create<ProviderResourceOption, InvocationContext>(ProviderResource.Build);
-            Command.AddCommand(cmd);
-            return this;
-        }
+    public ClientBuilder AddProviderResource()
+    {
+        var cmd = new Command("provider", CmdStrings.Provider_Description);
+        cmd.AddOption(new Option<string>(
+            ["--output-path"]
+        ));
+        cmd.Handler = CommandHandler.Create<ProviderResourceOption, InvocationContext>(ProviderResource.Build);
+        Command.AddCommand(cmd);
+        return this;
     }
 }