Selectively suppress Azure.Deployment.SecureParameter

[mderriey]

Hi there 👋

Our CI picked up PSRule.Rules.Azure v1.31.0 and we get errors related to the new Azure.Deployment.SecureParameter rule.

Some of those errors are false-positive that we'd like to exclude, but we couldn't find out how to selectively do this.

For example, we have a Bicep template to store a secret in Key Vault:

param keyVaultName string = uniqueString('akv', resourceGroup().id)
param secretName string = 'ExampleSecret'
@secure()
param secretValue string = ''
param override bool = true

resource secret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = if (override) {
  name: '${keyVaultName}/${secretName}'
  properties: {
    attributes: {
      enabled: true
    }
    value: secretValue
  }
}

output secretUri string = secret.properties.secretUri
output secretUriWithVersion string = secret.properties.secretUriWithVersion

Here, the secretName param gets flagged, although it only represents the name of the secret, so it's not actually sensitive.

I was wondering if we could leverage a suppression group to selectively allow such cases?
Right now, the only solution we found is to disable the rule entirely, which is not ideal.

Another question is, I couldn't find documentation telling what sort of "input object" gets passed to the suppression group, which could help figure out how I could construct the spec.if object.
Is this documented somewhere, or is there a way to see the context passed to the suppression group through a PowerShell parameter to get a better sense of how we might do this?

[BernieWhite]

@mderriey You should be able to create a suppression group but this is also a bug so I'll raise one off this discussion. #2528

To create a suppression group the rule triggers off Microsoft.Resources/deployments (

PSRule.Rules.Azure/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1

Lines 20 to 23 in 7f4efa5

	# Synopsis: Use secure parameters for any parameter that contains sensitive information.
	Rule 'Azure.Deployment.SecureParameter' -Ref 'AZR-000408' -Type 'Microsoft.Resources/deployments' -Tag @{ release = 'GA'; ruleSet = '2023_12'; 'Azure.WAF/pillar' = 'Security'; } {
	GetSecureParameter -Deployment $TargetObject
	}

) so your condition might look like this:

---
# Synopsis: Example suppressing Azure.Deployment.SecureParameter.
apiVersion: github.com/microsoft/PSRule/v1
kind: SuppressionGroup
metadata:
  name: Example
spec:
  rule: 
  - PSRule.Rules.Azure\Azure.Deployment.SecureParameter
  if:
    allOf:
    - type: .
      equals: Microsoft.Resources/deployments
    - field: properties.template.parameters.secretName
      exists: true

---

The input object that is passed to the suppression group is the same object that is analyzed by the rule. Because PSRule for Azure runs expansion before processing most content so troubleshoot what the object looks like you can use the Export-AzRuleTemplateData PowerShell cmdlet.

For example: Export-AzRuleTemplateData -SourceFile .\my.tests.bicep

This cmdlet will dump a JSON file containing an array of all the input resource objects that will be passed through PSRule. Each object is passed separately to evaluate any suppression groups and each rule.

[BernieWhite]

@mderriey This this answer the question? Separately we also released a bug fix in v1.31.1.

[mderriey]

It does, thanks a lot.

The explanation is very clear.
The new option to allow specific parameter names is great as it doesn't require to suppress the rule for a whole deployment, which I think is what your previous comment does.

Thanks again.