Merge pull request #370 from richardsondev/jorichar/SystemAssignedUse…

…rAssignedRule [Built-in rule] Add `SystemAssigned, UserAssigned` as an allowed identity on TA-000007, TA-000013, TA-000019
Azure · Sep 9, 2024 · 01cffdb · 01cffdb
2 parents 1ba7313 + ebbd329
commit 01cffdb
Show file tree

Hide file tree

Showing 11 changed files with 722 additions and 6 deletions.
diff --git a/docs/built-in-rules.md b/docs/built-in-rules.md
@@ -47,7 +47,7 @@ Cross-Origin Resource Sharing (CORS) should not allow all domains to access your
 ### TA-000007: Managed identity should be used in your API app
 For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
 
-**Recommendation**: To [use Managed Identity](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](https://docs.microsoft.com/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"` or `"UserAssigned"` and providing any necessary identifiers for the identity if required.
+**Recommendation**: To [use Managed Identity](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](https://docs.microsoft.com/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"`, `"UserAssigned"`, or `"SystemAssigned, UserAssigned"` and providing any necessary identifiers for the identity if required.
 #### Severity: 2
 
 ### TA-000008: Remote debugging should be turned off for function apps
@@ -83,7 +83,7 @@ Cross-Origin Resource Sharing (CORS) should not allow all domains to access your
 ### TA-000013: Managed identity should be used in your function app
 For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
 
-**Recommendation**: To [use Managed Identity](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](https://docs.microsoft.com/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"` or `"UserAssigned"` and providing any necessary identifiers for the identity if required.
+**Recommendation**: To [use Managed Identity](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](https://docs.microsoft.com/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"`, `"UserAssigned"`, or `"SystemAssigned, UserAssigned"` and providing any necessary identifiers for the identity if required.
 #### Severity: 2
 
 ### TA-000014: Remote debugging should be turned off for web apps
@@ -120,7 +120,7 @@ Cross-Origin Resource Sharing (CORS) should not allow all domains to access your
 ### TA-000019: Managed identity should be used in your web app
 For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
 
-**Recommendation**: To [use Managed Identity](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](https://docs.microsoft.com/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"` or `"UserAssigned"` and providing any necessary identifiers for the identity if required.
+**Recommendation**: To [use Managed Identity](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](https://docs.microsoft.com/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"`, `"UserAssigned"`, or `"SystemAssigned, UserAssigned"` and providing any necessary identifiers for the identity if required.
 #### Severity: 2
 
 ### TA-000020: Audit usage of custom RBAC roles

diff --git a/src/Analyzer.Core.BuiltInRuleTests/Tests/TA-000007/AppServiceAPIApps.bicep b/src/Analyzer.Core.BuiltInRuleTests/Tests/TA-000007/AppServiceAPIApps.bicep
@@ -0,0 +1,92 @@
+@description('Location for all resources.')
+param location string = resourceGroup().location
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+  name: 'managedIdentity'
+  location: location
+}
+resource missingIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'api'
+  name: 'missingIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+}
+
+resource systemManagedIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'api'
+  name: 'systemManagedIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'SystemAssigned'
+  }
+}
+
+resource userManagedIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'api'
+  name: 'userManagedIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+}
+
+resource systemAndUserManagedIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'api'
+  name: 'systemAndUserManagedIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'SystemAssigned,UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+}
+
+resource systemAndUserManagedWithSpaceIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'api'
+  name: 'systemAndUserManagedWithSpaceIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'SystemAssigned, UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+}
diff --git a/src/Analyzer.Core.BuiltInRuleTests/Tests/TA-000007/AppServiceAPIApps.json b/src/Analyzer.Core.BuiltInRuleTests/Tests/TA-000007/AppServiceAPIApps.json
@@ -0,0 +1,121 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "Location for all resources."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+      "apiVersion": "2018-11-30",
+      "name": "managedIdentity",
+      "location": "[parameters('location')]"
+    },
+    {
+      "type": "Microsoft.Web/sites",
+      "apiVersion": "2019-08-01",
+      "name": "missingIdentity",
+      "kind": "api",
+      "location": "[parameters('location')]",
+      "properties": {
+        "siteConfig": {
+          "detailedErrorLoggingEnabled": false,
+          "httpLoggingEnabled": false,
+          "requestTracingEnabled": false
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Web/sites",
+      "apiVersion": "2019-08-01",
+      "name": "systemManagedIdentity",
+      "kind": "api",
+      "location": "[parameters('location')]",
+      "properties": {
+        "siteConfig": {
+          "detailedErrorLoggingEnabled": false,
+          "httpLoggingEnabled": false,
+          "requestTracingEnabled": false
+        }
+      },
+      "identity": {
+        "type": "SystemAssigned"
+      }
+    },
+    {
+      "type": "Microsoft.Web/sites",
+      "apiVersion": "2019-08-01",
+      "name": "userManagedIdentity",
+      "kind": "api",
+      "location": "[parameters('location')]",
+      "properties": {
+        "siteConfig": {
+          "detailedErrorLoggingEnabled": false,
+          "httpLoggingEnabled": false,
+          "requestTracingEnabled": false
+        }
+      },
+      "identity": {
+        "type": "UserAssigned",
+        "userAssignedIdentities": {
+          "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managedIdentity'))]": {}
+        }
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managedIdentity')]"
+      ]
+    },
+    {
+      "type": "Microsoft.Web/sites",
+      "apiVersion": "2019-08-01",
+      "name": "systemAndUserManagedIdentity",
+      "kind": "api",
+      "location": "[parameters('location')]",
+      "properties": {
+        "siteConfig": {
+          "detailedErrorLoggingEnabled": false,
+          "httpLoggingEnabled": false,
+          "requestTracingEnabled": false
+        }
+      },
+      "identity": {
+        "type": "SystemAssigned,UserAssigned",
+        "userAssignedIdentities": {
+          "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managedIdentity'))]": {}
+        }
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managedIdentity')]"
+      ]
+    },
+    {
+      "type": "Microsoft.Web/sites",
+      "apiVersion": "2019-08-01",
+      "name": "systemAndUserManagedWithSpaceIdentity",
+      "kind": "api",
+      "location": "[parameters('location')]",
+      "properties": {
+        "siteConfig": {
+          "detailedErrorLoggingEnabled": false,
+          "httpLoggingEnabled": false,
+          "requestTracingEnabled": false
+        }
+      },
+      "identity": {
+        "type": "SystemAssigned, UserAssigned",
+        "userAssignedIdentities": {
+          "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managedIdentity'))]": {}
+        }
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managedIdentity')]"
+      ]
+    }
+  ]
+}
diff --git a/src/Analyzer.Core.BuiltInRuleTests/Tests/TA-000007/TA-000007.json b/src/Analyzer.Core.BuiltInRuleTests/Tests/TA-000007/TA-000007.json
@@ -0,0 +1,15 @@
+[
+  {
+    "Template": "AppServiceAPIApps.json",
+    "ReportedFailures": [
+      {
+        "LineNumber": 20,
+        "Description": "API app is missing an identity declaration."
+      },
+      {
+        "LineNumber": 88,
+        "Description": "Multiple identity types should be separated by a comma, followed by a space."
+      }
+    ]
+  }
+]
diff --git a/src/Analyzer.Core.BuiltInRuleTests/Tests/TA-000013/AppServiceFunctionApps.bicep b/src/Analyzer.Core.BuiltInRuleTests/Tests/TA-000013/AppServiceFunctionApps.bicep
@@ -0,0 +1,92 @@
+@description('Location for all resources.')
+param location string = resourceGroup().location
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+  name: 'managedIdentity'
+  location: location
+}
+resource missingIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'functionapp'
+  name: 'missingIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+}
+
+resource systemManagedIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'functionapp'
+  name: 'systemManagedIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'SystemAssigned'
+  }
+}
+
+resource userManagedIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'functionapp'
+  name: 'userManagedIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+}
+
+resource systemAndUserManagedIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'functionapp'
+  name: 'systemAndUserManagedIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'SystemAssigned,UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+}
+
+resource systemAndUserManagedWithSpaceIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'functionapp'
+  name: 'systemAndUserManagedWithSpaceIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'SystemAssigned, UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+}