Merge pull request #212062 from mumian/0921-linter-secure-params

New Bicep linter rule: secure-params-in-nested-deploy

Author: JamesJBarnett

articles/azure-resource-manager/bicep/bicep-config-linter.md

@@ -2,7 +2,7 @@
 title: Linter settings for Bicep config
 description: Describes how to customize configuration values for the Bicep linter
 ms.topic: conceptual
-ms.date: 08/01/2022
+ms.date: 09/21/2022
 ---
 
 # Add linter settings in the Bicep config file
@@ -29,9 +29,27 @@ The following example shows the rules that are available for configuration.
         "artifacts-parameters": {
           "level": "warning"
         },
+        "max-outputs": {
+          "level": "warning"
+        },
+        "max-params": {
+          "level": "warning"
+        },
+        "max-resources": {
+          "level": "warning"
+        },
+        "max-variables": {
+          "level": "warning"
+        },
         "no-hardcoded-env-urls": {
           "level": "warning"
         },
+        "no-hardcoded-location": {
+          "level": "warning"
+        },
+        "no-loc-expr-outside-params": {
+          "level": "warning"
+        },
         "no-unnecessary-dependson": {
           "level": "warning"
         },
@@ -59,12 +77,18 @@ The following example shows the rules that are available for configuration.
         "secure-parameter-default": {
           "level": "warning"
         },
-        "simplify-interpolation": {
+        "secure-params-in-nested-deploy": {
           "level": "warning"
         },
         "secure-secrets-in-params": {
           "level": "warning"
         },
+        "simplify-interpolation": {
+          "level": "warning"
+        },
+        "use-protectedsettings-for-commandtoexecute-secrets": {
+          "level": "warning"
+        },
         "use-stable-resource-identifiers": {
           "level": "warning"
         },

articles/azure-resource-manager/bicep/linter-rule-secure-params-in-nested-deploy.md

@@ -0,0 +1,104 @@
+---
+title: Linter rule - secure params in nested deploy
+description: Linter rule - secure params in nested deploy
+ms.topic: conceptual
+ms.date: 09/22/2022
+---
+
+# Linter rule - secure params in nested deploy
+
+Outer-scoped nested deployment resources shouldn't use for secure parameters or list* functions. You could expose the secure values in the deployment history.
+
+## Linter rule code
+
+Use the following value in the [Bicep configuration file](bicep-config-linter.md) to customize rule settings:
+
+`secure-params-in-nested-deploy`
+
+## Solution
+
+Either set the [deployment's properties.expressionEvaluationOptions.scope](/azure/templates/microsoft.resources/deployments?pivots=deployment-language-bicep) to `inner` or use a Bicep module instead.
+
+The following example fails this test because a secure parameter is referenced in an outer-scoped nested deployment resource.
+
+```bicep
+@secure()
+param secureValue string
+
+resource nested 'Microsoft.Resources/deployments@2021-04-01' = {
+  name: 'nested'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      variables: {}
+      resources: [
+        {
+          name: 'outerImplicit'
+          type: 'Microsoft.Network/networkSecurityGroups'
+          apiVersion: '2019-11-01'
+          location: '[resourceGroup().location]'
+          properties: {
+            securityRules: [
+              {
+                name: 'outerImplicit'
+                properties: {
+                  description: format('{0}', secureValue)
+                  protocol: 'Tcp'
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
+```
+
+You can fix it by setting the deployment's properties.expressionEvaluationOptions.scope to 'inner':
+
+```bicep
+@secure()
+param secureValue string
+
+resource nested 'Microsoft.Resources/deployments@2021-04-01' = {
+  name: 'nested'
+  properties: {
+    mode: 'Incremental'
+    expressionEvaluationOptions: {
+      scope: 'Inner'      // Set to inner scope
+    }
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      variables: {}
+      resources: [
+        {
+          name: 'outerImplicit'
+          type: 'Microsoft.Network/networkSecurityGroups'
+          apiVersion: '2019-11-01'
+          location: '[resourceGroup().location]'
+          properties: {
+            securityRules: [
+              {
+                name: 'outerImplicit'
+                properties: {
+                  description: format('{0}', secureValue)
+                  protocol: 'Tcp'
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}
+
+```
+
+## Next steps
+
+For more information about the linter, see [Use Bicep linter](./linter.md).

articles/azure-resource-manager/bicep/linter.md

@@ -2,7 +2,7 @@
 title: Use Bicep linter
 description: Learn how to use Bicep linter.
 ms.topic: conceptual
-ms.date: 07/29/2022
+ms.date: 09/21/2022
 ---
 
 # Use Bicep linter
@@ -24,14 +24,18 @@ The default set of linter rules is minimal and taken from [arm-ttk test cases](.
 - [max-resources](./linter-rule-max-resources.md)
 - [max-variables](./linter-rule-max-variables.md)
 - [no-hardcoded-env-urls](./linter-rule-no-hardcoded-environment-urls.md)
+- [no-hardcoded-location](./linter-rule-no-hardcoded-location.md)
+- [no-loc-expr-outside-params](./linter-rule-no-loc-expr-outside-params.md)
 - [no-unnecessary-dependson](./linter-rule-no-unnecessary-dependson.md)
 - [no-unused-existing-resources](./linter-rule-no-unused-existing-resources.md)
 - [no-unused-params](./linter-rule-no-unused-parameters.md)
 - [no-unused-vars](./linter-rule-no-unused-variables.md)
 - [outputs-should-not-contain-secrets](./linter-rule-outputs-should-not-contain-secrets.md)
 - [prefer-interpolation](./linter-rule-prefer-interpolation.md)
 - [prefer-unquoted-property-names](./linter-rule-prefer-unquoted-property-names.md)
+- [protect-commandtoexecute-secrets](./linter-rule-protect-commandtoexecute-secrets.md)
 - [secure-parameter-default](./linter-rule-secure-parameter-default.md)
+- [secure-params-in-nested-deploy](./linter-rule-secure-params-in-nested-deploy.md)
 - [secure-secrets-in-params](./linter-rule-secure-secrets-in-parameters.md)
 - [simplify-interpolation](./linter-rule-simplify-interpolation.md)
 - [use-protectedsettings-for-commandtoexecute-secrets](./linter-rule-use-protectedsettings-for-commandtoexecute-secrets.md)
@@ -68,15 +72,15 @@ You can integrate these checks as a part of your CI/CD pipelines. You can use a
 
 ## Silencing false positives
 
-Sometimes a rule can have false positives. For example you may need to include a link to a blob storage directly without using the [environment()](./bicep-functions-deployment.md#environment) function.
+Sometimes a rule can have false positives. For example, you may need to include a link to a blob storage directly without using the [environment()](./bicep-functions-deployment.md#environment) function.
 In this case you can disable the warning for one line only, not the entire document, by adding `#disable-next-line <rule name>` before the line with the warning.
 
 ```bicep
 #disable-next-line no-hardcoded-env-urls //Direct download link to my toolset
 scriptDownloadUrl: 'https://mytools.blob.core.windows.net/...'
 ```
 
-It is good practice to add a comment explaining why the rule does not apply to this line.
+It's good practice to add a comment explaining why the rule doesn't apply to this line.
 
 ## Next steps
 

articles/azure-resource-manager/bicep/toc.yml

@@ -402,7 +402,7 @@
         href: linter-rule-max-variables.md
       - name: No hardcoded environment URLs
         href: linter-rule-no-hardcoded-environment-urls.md
-      - name: No hard-coded locations
+      - name: No hardcoded locations
         href: linter-rule-no-hardcoded-location.md
       - name: No location expressions outside of parameter default values
         href: linter-rule-no-loc-expr-outside-params.md
@@ -424,6 +424,8 @@
         href: linter-rule-protect-commandtoexecute-secrets.md
       - name: Secure parameter default
         href: linter-rule-secure-parameter-default.md
+      - name: Secure parameters in nested deployments
+        href: linter-rule-secure-params-in-nested-deploy.md
       - name: Secure secrets in parameters
         href: linter-rule-secure-secrets-in-parameters.md
       - name: Simplify interpolation