AzSDK.ArmTemplateEvaluator.psm1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
Set-StrictMode -Version Latest

function Get-AzSDKArmTemplateSecurityStatus
{
    <#
    .SYNOPSIS
    This command would help in evaluating the ARM Templates for security issues
    .DESCRIPTION
    This command would help in evaluating the ARM Templates for security issues
     
    .PARAMETER ArmTemplatePath
        Path to ARM Template file
    .PARAMETER ArmTemplateParameterPath
        Path to ARM Template parameter file
             
    .LINK
    https://aka.ms/azsdkossdocs
 
    #>

    Param(
        [Parameter(Mandatory = $true, HelpMessage = "Path to ARM Template file")]
        [string]        
        $ArmTemplatePath,

        [Parameter(Mandatory = $false, HelpMessage = "Path to ARM Template parameter file")]
        [string]
        $ArmTemplateParameterPath
    )
    Write-Host "`nPREVIEW WARNING: AzSDK ARM Template Evaluator is currently in preview and supports controls from only AppService(7/11), Storage(4/5) and CosmosDb(5/5). Support for additional controls and services will be added in future releases.`n" -ForegroundColor Cyan
    $controlsPath = Join-Path $PSScriptRoot "controls.gen.json"
    $controlsContent = Get-Content $controlsPath -Raw
    $armTemplateContent = Get-Content $ArmTemplatePath -Raw
    $libResults = $null
    if([string]::IsNullOrWhiteSpace($ArmTemplateParameterPath)) {
        $libResults = Get-AzSDKArmTemplateSecurityStatusObj `
            -EvaluatorRulesContent $controlsContent `
            -ArmTemplateContent $armTemplateContent
    } else {
        $armTemplateParameterContent = Get-Content $ArmTemplateParameterPath -Raw
        $libResults = Get-AzSDKArmTemplateSecurityStatusInternal `
            -EvaluatorRulesContent $controlsContent `
            -ArmTemplateContent $armTemplateContent `
            -ArmTemplateParameterContent $armTemplateParameterContent
    }
    $results = $libResults | Where-Object {$_.VerificationResult -ne "NotSupported"} | Select-Object -ExcludeProperty "IsEnabled"
    $timeMarker = [datetime]::Now.ToString("yyyyMMdd_HHmmss")
    $resultsFolder = [System.IO.Path]::Combine($env:LOCALAPPDATA, "Microsoft", "AzSDKLogs", "ARMTemplateEvaluator", $timeMarker)
    $csvFileName = "ATE_Results_" + $timeMarker + ".csv"
    $csvFilePath = [System.IO.Path]::Combine($resultsFolder, $csvFileName)
    $csvResults = [System.Collections.ArrayList]::new()
    foreach($result in $results) {
        $csvResultItem = "" | Select-Object "ResourceType", "ControlId", "Description", "VerificationResult", `
                                "LineNumber", "JsonPath", "Value", "Recommendation", "IsPropertyFound", "IsValueValid", `
                                 "ResourceLineNumber", "ResourceJsonPath"
        $csvResultItem.ResourceType = $result.ResourceType
        $csvResultItem.ControlId = $result.ControlId
        $csvResultItem.Description = $result.Description
        $csvResultItem.VerificationResult = $result.VerificationResult
        $csvResultItem.IsPropertyFound = !$result.IsTokenNotFound
        $csvResultItem.IsValueValid = !$result.IsTokenNotValid
        if($result.ResultDataMarkers.Count -gt 0) {
            $csvResultItem.LineNumber = $result.ResultDataMarkers[0].LineNumber
            $csvResultItem.JsonPath = $result.ResultDataMarkers[0].JsonPath
            $data = $result.ResultDataMarkers[0].DataMarker
            if($data -ieq "true" -or $data -ieq "false") {
                $csvResultItem.Value = $data.ToLower()
            } else{
                $csvResultItem.Value = $data
            }
        } else {
            $csvResultItem.LineNumber = -1
            $csvResultItem.JsonPath = "Not found"
            $csvResultItem.Value = ""
        }
        $csvResultItem.Recommendation = $result.Recommendation
        $csvResultItem.ResourceLineNumber = $result.ResourceDataMarker.LineNumber
        $csvResultItem.ResourceJsonPath = $result.ResourceDataMarker.JsonPath
        $csvResults.Add($csvResultItem) | Out-Null
        if($result.VerificationResult -eq "Passed") { 
            Write-Result -result $result -color Green
        } elseif ($result.VerificationResult -eq "Verify") {
            WWrite-Result -result $result -color Yellow
        } elseif ($result.VerificationResult -eq "Failed") {
            Write-Result -result $result -color Red
        } else {
            Write-Result -result $result -color White
        }
    }
    [System.IO.Directory]::CreateDirectory($resultsFolder) | Out-Null
    $csvResults | ConvertTo-Csv -Delimiter "`t" -NoTypeInformation | Out-File $csvFilePath -Force
    $detailedOutputFileName = "ATE_Detailed_" + $timeMarker + ".json"
    $detailedOutputFilePath = [System.IO.Path]::Combine($resultsFolder, $detailedOutputFileName)

    $serializerSettings = [Newtonsoft.Json.JsonSerializerSettings]::new();
    $serializerSettings.Converters.Add([Newtonsoft.Json.Converters.StringEnumConverter]::new());
    $serializerSettings.Formatting = [Newtonsoft.Json.Formatting]::Indented;
    $serializerSettings.NullValueHandling = [Newtonsoft.Json.NullValueHandling]::Ignore;
    $serializerSettings.ReferenceLoopHandling = [Newtonsoft.Json.ReferenceLoopHandling]::Ignore;

    $detailedOutput = [Newtonsoft.Json.JsonConvert]::SerializeObject($libResults, $serializerSettings)
    $detailedOutput | Out-File $detailedOutputFilePath -Force
    Copy-Item $ArmTemplatePath -Destination $resultsFolder -Force
    if(![string]::IsNullOrWhiteSpace($ArmTemplateParameterPath)) {
        Copy-Item $ArmTemplateParameterPath -Destination $resultsFolder -Force
    }
    Start-Process $resultsFolder
    Write-Host "`nResults are exported to $resultsFolder`n`n"
    return $resultsFolder
}

function Write-Result($result, $color) {
    Write-Host $result.ResourceType "-" $result.ControlId -ForegroundColor $color
    if($result.ResultDataMarkers.Count -gt 0) {
        Write-Host "`t" "LineNumber:" $result.ResultDataMarkers[0].LineNumber -ForegroundColor $color
        Write-Host "`t" "JsonPath:" $result.ResultDataMarkers[0].JsonPath -ForegroundColor $color
        Write-Host "`t" "Value:" $result.ResultDataMarkers[0].DataMarker -ForegroundColor $color
    } else {
        Write-Host "`t" "LineNumber:" "-1" -ForegroundColor $color
        Write-Host "`t" "JsonPath:" "Not found" -ForegroundColor $color
        Write-Host "`t" "Value:" "" -ForegroundColor $color
    }
    Write-Host "`t" "Result:" $result.VerificationResult "`n" -ForegroundColor $color
}