rules/Azure.LogicApps.Rule.ps1

# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

#
# Validation rules for Logic App
#

# Synopsis: Access IPs should be limited for HTTP triggers
Rule 'Azure.LogicApp.LimitHTTPTrigger' -Type 'Microsoft.Logic/workflows' -If { LogicAppWithHttpTrigger } -Tag @{ release = 'GA'; ruleSet = '2020_12' } {
    $Assert.GreaterOrEqual($TargetObject, 'Properties.accessControl.triggers.allowedCallerIpAddresses', 1);
}

#region Helper functions

function global:LogicAppWithHttpTrigger {
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param ()
    process {
        if ($PSRule.TargetType -ne 'Microsoft.Logic/workflows' -or $Assert.NotHasField($TargetObject, 'Properties.definition.triggers').Result) {
            return $False;
        }
        $triggers = @($TargetObject.Properties.definition.triggers.PSObject.Properties.GetEnumerator() | ForEach-Object {
            $_.Value
        });
        foreach ($trigger in $triggers) {
            if ($trigger.Type -eq 'Request' -and $trigger.Kind -eq 'Http') {
                return $True;
            }
        }
        return $False;
    }
}

#endregion Helper functions