99 .\Password-params-must-be-secure.test.ps1 -TemplateObject (Get-Content ..\..\..\unit-tests\Password-params-must-be-secure.test.json -Raw | ConvertFrom-Json)
1010#>
1111param (
12- [Parameter (Mandatory = $true , Position = 0 )]
13- [PSObject ]
14- $TemplateObject
12+ [Parameter (Mandatory = $true , Position = 0 )]
13+ [PSObject ]
14+ $TemplateObject
1515)
1616
1717<#
@@ -33,11 +33,31 @@ foreach ($parameter in $templateObject.parameters.psobject.properties) {
3333 $name = $parameter.name
3434
3535 # using a name matching pattern to decide if this should be secured or not
36- if ($name -like " *password*" ){
36+ if ($name -like " *password*" -or
37+ $name -like " *secret*" -or
38+ $name -like " *accountkey*" ) {
3739 # if it's not secure, flag it
40+
3841 if ($type -ne ' securestring' -and $type -ne ' secureobject' ) {
39- Write-Error - Message " Parameter `" $name `" is of type `" $type `" but should be secure." - ErrorId Password.Param.Not.Secure - TargetObject $parameter
40- }
42+ # except certain patterns we know about in ARM
43+ # secret + Permissions (keyVault secret perms is an accessPolicy property)
44+ # secret + Version (url or simply the version property of a secret)
45+ # secret + url
46+ # secret + name
47+ if ($name -like " *secret*" -and
48+ ($name -like " *permission*" -or
49+ $name -like " *version*" -or
50+ $name -like " *url*" -or
51+ $name -like " *uri*" -or
52+ $name -like " *name*" )
53+ )
54+ {
55+ Write-Warning " Skipping parameter `" $name `" "
56+ }
57+ else {
58+ Write-Error - Message " Parameter `" $name `" is of type `" $type `" but should be secure." - ErrorId Password.Param.Not.Secure - TargetObject $parameter
59+ }
60+ }
4161 }
4262}
4363
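Review bot: The allowlist added at lines 47-56 exempts any `*secret*` parameter whose name also contains `name`, `url`, `uri`, `version` or `permission`, and substring matching on those words is broad enough that a parameter which actually carries a secret value could slip through with only a Write-Warning — e.g. a `*secret*` name that happens to contain `url`/`uri` would be skipped even if the value is a signed URL, and `name` also matches inside words like `username`. Consider anchoring the exemptions to the suffix that denotes a reference rather than a value, e.g. `$name -like "*secretname" -or $name -like "*secreturi" -or $name -like "*secretversion"`, so a false positive fails closed instead of open. Including the type in the skip message, `Write-Warning "Skipping parameter `"$name`" of type `"$type`""`, would let anyone reading the test output confirm the exempted parameters are plain strings. The `$type` compared at line 41 is assigned earlier in the foreach body, which starts outside this hunk.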