Custom rule to validate ARM template resource property minimumTlsVersion

[Marc013]

Can anyone help me? I'm trying to learn how this works.

I'm trying to create a custom rule to validate if an ARM template has resource property minimumTlsVersion and if so, that it is set to TLS_1_2, 1.2 or '^\[.*\]$'

Unfortunately, I can not get it to work.

This is what I have come up with thus far:

# Synopsis: TESTING - should reject TLS versions older than 1.2.
Rule 'Azure.Template.MinTLS' -Type '.json' -If { (IsTemplateFile) } -Tag @{ release = 'TST'; ruleSet = '2022_03' } {

    # $TargetObject.Properties.minimumTlsVersion -eq '^\[.*\]$'
        $jsonObject = $PSRule.GetContent($TargetObject)[0].resources;
        return $Assert.HasField($jsonObject, 'properties.minimumTlsVersion').Result;
}

Outcome of the test:

The ARM template does have property minimumTlsVersion.

[Marc013]

I managed to solve my challenge.
Property resources of $TargetObject is an array. By specifying the first array entry in that object I got access to the properties of the ARM template.

However, I do wonder if this is the best solution.
Any feedback is much appreciated.

# Synopsis: TESTING - should reject TLS versions older than 1.2.
Rule 'Azure.Template.MinTLS' -Type '.json' -If { (IsTemplateFile) } -Tag @{ release = 'TST'; ruleSet = '2022_03' } {
    $jsonObject = $PSRule.GetContent($TargetObject)[0].resources[0];
    AnyOf {
        $Assert.NotHasField($jsonObject, 'properties.minimumTlsVersion');
        $Assert.Match($jsonObject, 'properties.minimumTlsVersion', 'TLS1_2');
        $Assert.Match($jsonObject, 'properties.minimumTlsVersion', '1\.2');
        $Assert.Match($jsonObject, 'properties.minimumTlsVersion', '^\[.*\]$');
    }
}

[BernieWhite]

@Marc013 Nice. Your approach is fine, but note $Assert.Match accepts a regular expression, so . has a special meaning as a wildcard in 1.2.

Other options that might work for you are:

• HasFieldValue - https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Assert/#hasfieldvalue
• Version - https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Assert/#version
• HasDefaultValue - (when the default value might be omitted is the desired/ secure default) https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Assert/#hasdefaultvalue

You could also use:

$jsonObject = $PSRule.GetContent($TargetObject)[0].resources;
foreach ($resource in $jsonObject) {
    AnyOf {
        $Assert.NotHasField($jsonObject, 'properties.minimumTlsVersion');
        $Assert.Match($jsonObject, 'properties.minimumTlsVersion', 'TLS_1_2');
        $Assert.Match($jsonObject, 'properties.minimumTlsVersion', '1.2');
        # $Assert.Match($jsonObject, 'properties.minimumTlsVersion', '^\[.*\]$');
    }
}

Since there may be more then one resource.

---

One challenge worthwhile calling out specifically with this example and Azure Resource Manager (ARM) templates. Although I know this is only an example.

ARM template are highly reusable. So it is possible for properties.minimumTlsVersion to be [variables('tlsVersion')] or [parameters('tlsVersion')]. This makes it hard to validate values that are not hard coded.

We have a pre-built module that solves this issue be resolving templates and Bicep code called PSRule for Azure so the values that would be deployed are tested instead of the JSON value set for a specific property.

In this case, we expose the resource type so that the rule only apply to the resources that should have the property. See https://github.com/Azure/PSRule.Rules.Azure/blob/ba4236ac92ee3f50aee9b891d9d3a1dd8f3d6f7c/src/PSRule.Rules.Azure/rules/Azure.Storage.Rule.ps1#L57-L60.

You don't need to use the rules in this module, but you can write your own custom rules and take advantage of this feature by taking this module as a dependency in a custom module.

Hope that helps.

[Marc013]

@BernieWhite,
Thank you very much for your feedback!
I will be looking at your suggestions and correct the faulty regex.

[Marc013]

@BernieWhite ,

Regarding your suggestion to use module PSRule for Azure.
I have noticed the rule you reference is not asserted on the ARM template file.

Can you tell me what I am doing wrong?

My results

minimumTlsVersion version is set to TLS1_0

$StorageJsonFile references the full path to the storage account ARM template file.

Assert-PSRule -Format File -InputPath $StorageJsonFile -Module PSRule.Rules.Azure -Outcome Fail

    ____  _____ ____        __
   / __ \/ ___// __ \__  __/ /__
  / /_/ /\__ \/ /_/ / / / / / _ \
 / ____/___/ / _, _/ /_/ / /  __/
/_/    /____/_/ |_|\__,_/_/\___/

Using PSRule v1.11.1+afb984da105956a944a2770d242e2b1c12db05d2
Using PSRule.Rules.Azure v1.13.0

----------------------------
Explore documentation: https://microsoft.github.io/PSRule/
Contribute and find source: https://github.com/microsoft/PSRule
Report issues: https://github.com/microsoft/PSRule/issues
PSRule.Rules.Azure: https://aka.ms/ps-rule-azure
----------------------------

 -> MyRepo/Products/Microsoft.Storage/Template/storageAccount.json : .json [10/16]

    [FAIL] Azure.Template.TemplateSchema

    | RECOMMEND:
    | Consider using a more recent schema version for Azure template files.

    | REASON:
    | - None of the specified schemas match 'http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#'.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Template.TemplateSchema/

    [FAIL] Azure.Template.TemplateScheme

    | RECOMMEND:
    | Consider using a schema with the https scheme.

    | REASON:
    | - The field '$schema' does not start with 'https://'.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Template.TemplateScheme/

    [FAIL] Azure.Template.ParameterMetadata

    | RECOMMEND:
    | Consider defining a metadata description for each template parameter.

    | REASON:
    | - The parameter 'location' does not have a description set.
    | - The parameter 'storageAccountName' does not have a description set.
    | - The parameter 'accountType' does not have a description set.
    | - The parameter 'kind' does not have a description set.
    | - The parameter 'accessTier' does not have a description set.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Template.ParameterMetadata/

    [FAIL] Azure.Template.UseParameters

    | RECOMMEND:
    | Consider removing unused parameters from Azure template files.

    | REASON:
    | - The parameter 'minimumTlsVersion' was not used within the template.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Template.UseParameters/

    [FAIL] Azure.Template.LocationDefault

    | RECOMMEND:
    | Consider updating the location parameter to use [resourceGroup().location] as
    | the default value.

    | REASON:
    | - The default value for the parameter 'location' is ''.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Template.LocationDefault/

    [FAIL] Azure.Template.UseComments

    | RECOMMEND:
    | Specify comments for each resource in the template.

    | REASON:
    | - The template (X:\MyRepo\Products\Microsoft.Storage\Template\storageAccount.json) has (2) resource/s without comments.

    | HELP:
    | - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Template.UseComments/


Rules processed: 16, failed: 6, errored: 0
Run f354066e2d70b187b35955f2a2c5af9779477cee completed in 00:00:00.3406199
Assert-PSRule: One or more rules reported failure.

[BernieWhite]

@Marc013 Have a look at https://azure.github.io/PSRule.Rules.Azure/using-templates/.

It describes a few steps to be completed. A key one being setting the AZURE_PARAMETER_FILE_EXPANSION configuration option.

Also see the linking templates section.