
# Azure Source Manager

<AccordionGroup>
  <Accordion title="Don't use allowedValues for a location parameter">
    <div class="paragraph">
      <p>In Azure Resource Manager (ARM) templates, it is possible to set allowedValues for various parameters to limit the options and maintain control.
      However, when it comes to a parameter defining the location of a resource, this practice can lead to a code smell.
      Specifically, setting allowedValues for a location parameter can cause issues because the locations list might not be exhaustive or suitable for all users.
      Users may be unable to deploy such a template if their desired location is not included in the allowedValues, causing inconvenience and potential delays in their work.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "location": {
            "type": "string",
            "metadata": {
                "description": "The location in which the resources should be deployed."
            },
            "defaultValue": "[resourceGroup().location]",
            "allowedValues": [
                "eastus",
                "westus",
                "northeurope",
                "westeurope",
                "southeastasia"
            ]
        }
      }
      }
      ```

      ```azureresourcemanager Fix theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "location": {
            "type": "string",
            "metadata": {
                "description": "The location in which the resources should be deployed."
            },
            "defaultValue": "[resourceGroup().location]"
        }
      }
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Use a hard-coded value for the apiVersion">
    <div class="paragraph">
      <p>In Azure, different API versions of a resource can have different properties and values.</p>
    </div>

    <div class="paragraph">
      <p>Using a variable or parameter for a resource's apiVersion is not a reliable way to stay on the latest version.
      The version resolved at deployment time may not match the properties declared in your template,
      which leads to unexpected behavior such as deployment failures.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "parameters": {
      "customApiVersion": {
        "type": "string"
      }
      },
      "resources": [
      {
        "apiVersion": "[parameters('customApiVersion')]",
        "type": "Microsoft.Compute/virtualMachines",
        "name": "nonCompliantResource",
        "location": "[resourceGroup().location]"
      }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "resources": [
          {
            "apiVersion": "2023-09-01",
            "type": "Microsoft.Compute/virtualMachines",
            "name": "compliantResource",
            "location": "[resourceGroup().location]"
          }
        ]
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Elements should not be empty or null">
    <div class="paragraph">
      <p>Empty or null elements are usually introduced by mistake.
      They are useless and prevent readability of the code.</p>
    </div>


    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
      {
        "type": "Microsoft.Storage/storageAccounts",
        "apiVersion": "2023-01-01",
        "sku": {
          "name": "Standard_GRS"
        },
        "name": null,
        "kind": "",
        "tags": {},
        "dependsOn": []
      }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
      {
        "type": "Microsoft.Storage/storageAccounts",
        "apiVersion": "2023-01-01",
        "sku": {
          "name": "Standard_GRS"
        },
        "name": "myStorage",
        "kind": "BlobStorage"
      }
      ]
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Redundant explicit dependencies between resources should be removed">
    <div class="paragraph">
      <p>In Azure Resource Manager (ARM) templates, dependencies between resources can be defined in two ways: implicitly or explicitly.
      An implicit dependency is set when you use the reference function and pass in the resource name.
      An explicit dependency is defined when you add a dependsOn element.
      However, a code smell arises when these dependencies are used simultaneously for the same resources.
      This redundancy is unnecessary and can lead to confusion.
      Therefore, to maintain clarity and efficiency in your code, it is best to omit explicit dependencies when they are already defined implicitly.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "apiVersion": "2019-04-01",
      "type": "Microsoft.Network/networkInterfaces",
      "name": "exampleNic",
      "location": "[resourceGroup().location]",
      "dependsOn": [
      "[resourceId('Microsoft.Network/virtualNetworks', 'exampleVNet')]"
      ],
      "properties": {
      "ipConfigurations": [
        {
          "name": "ipconfig1",
          "properties": {
            "subnet": {
              "id": "[reference('Microsoft.Network/virtualNetworks/exampleVNet/subnets/exampleSubnet').id]"
            }
          }
        }
      ]
      }
      }
      ```

      ```azureresourcemanager Fix theme={null}
      {
      "apiVersion": "2019-04-01",
      "type": "Microsoft.Network/networkInterfaces",
      "name": "exampleNic",
      "location": "[resourceGroup().location]",
      "properties": {
      "ipConfigurations": [
        {
          "name": "ipconfig1",
          "properties": {
            "subnet": {
              "id": "[reference('Microsoft.Network/virtualNetworks/exampleVNet/subnets/exampleSubnet').id]"
            }
          }
        }
      ]
      }
      }
      ```
    </CodeGroup>
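As an added example (not part of this page or CodeAnt's analyzer), the check below implements the redundancy rule described above in Python: it collects the targets of every reference()/resourceId() expression in a resource's properties and flags dependsOn entries that point at one of those targets or at its parent. The function names and the sample template are constructed for this illustration.

```python
"""Find dependsOn entries that merely repeat an implicit dependency.

Added example, not CodeAnt's analyzer. It collects the targets of every
reference()/resourceId() call in a resource's properties, then reports each
dependsOn entry whose target is one of them or a parent of one of them
(a reference to exampleVNet/subnets/exampleSubnet already implies exampleVNet).
Expressions are matched textually; names built from parameters are not resolved.
"""
import json
import re

# reference('<type>/<name>[/<child>...]') and resourceId('<type>', '<name>')
_REF_RE = re.compile(r"reference\(\s*'([^']+)'")
_RESID_RE = re.compile(r"resourceId\(\s*'([^']+)'\s*,\s*'([^']+)'")


def _strings(node):
    """Yield every string value found anywhere under a JSON node."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def implicit_targets(resource):
    """Lower-cased '<type>/<name>...' paths the resource references implicitly."""
    targets = set()
    body = {k: v for k, v in resource.items() if k != "dependsOn"}
    for text in _strings(body):
        targets.update(path.lower() for path in _REF_RE.findall(text))
        targets.update(f"{t}/{n}".lower() for t, n in _RESID_RE.findall(text))
    return targets


def explicit_target(entry):
    """Normalize one dependsOn entry to the same '<type>/<name>' form."""
    match = _RESID_RE.search(entry)
    if match:
        return f"{match.group(1)}/{match.group(2)}".lower()
    return entry.strip("[] ").lower()  # plain resource name or full resource id


def redundant_depends_on(template):
    """Return [(resource name, dependsOn entry), ...] for redundant entries."""
    findings = []
    for resource in template.get("resources", []):
        implicit = implicit_targets(resource)
        for entry in resource.get("dependsOn", []):
            target = explicit_target(entry)
            # A reference to a child of the target also implies the target itself.
            if any(t == target or t.startswith(target + "/") for t in implicit):
                findings.append((resource.get("name"), entry))
    return findings


# Constructed sample: the NIC from the Bad snippet above (redundant dependsOn)
# plus a VM whose dependsOn on the NIC is its only link to it (not redundant).
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "apiVersion": "2019-04-01",
      "type": "Microsoft.Network/networkInterfaces",
      "name": "exampleNic",
      "dependsOn": ["[resourceId('Microsoft.Network/virtualNetworks', 'exampleVNet')]"],
      "properties": {"ipConfigurations": [{"name": "ipconfig1", "properties": {"subnet": {
        "id": "[reference('Microsoft.Network/virtualNetworks/exampleVNet/subnets/exampleSubnet').id]"}}}]}
    },
    {
      "apiVersion": "2023-09-01",
      "type": "Microsoft.Compute/virtualMachines",
      "name": "exampleVm",
      "dependsOn": ["[resourceId('Microsoft.Network/networkInterfaces', 'exampleNic')]"],
      "properties": {"hardwareProfile": {"vmSize": "Standard_B1s"}}
    }
  ]
}
""")

if __name__ == "__main__":
    for name, entry in redundant_depends_on(SAMPLE_TEMPLATE):
        print(f"{name}: redundant dependsOn {entry}")
```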
  </Accordion>

  <Accordion title="Don't hardcode resource locations">
    <div class="paragraph">
      <p>When deploying an Azure Resource Manager template (ARM template), you must provide a location for each resource. This can be done directly in the template or by passing parameters. However, hardcoding locations in the template can limit flexibility and potentially create deployment challenges, restricting users from choosing their preferred deployment location.</p>
    </div>

    <div class="paragraph">
      <p>It is therefore recommended to use a parameter to specify the location for resources, with the default value set to resourceGroup().location. This practice ensures consistency in resource allocation and provides users of the template the flexibility to specify a location where they have the necessary permissions to deploy resources. This approach helps avoid hardcoding locations, which can lead to potential deployment issues and restrictions.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
      {
        "type": "Microsoft.Storage/storageAccounts",
        "apiVersion": "2022-09-01",
        "name": "[parameters('storageAccountName')]",
        "location": "westus",
        "sku": {
          "name": "Standard_LRS"
        },
        "kind": "StorageV2"
      }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
      "location": {
        "type": "string",
        "defaultValue": "[resourceGroup().location]",
        "metadata": {
          "description": "Location for all resources."
        }
      }
      },
      "resources": [
      {
        "type": "Microsoft.Storage/storageAccounts",
        "apiVersion": "2022-09-01",
        "name": "[parameters('storageAccountName')]",
        "location": "[parameters('location')]",
        "sku": {
          "name": "Standard_LRS"
        },
        "kind": "StorageV2"
      }
      ]
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="The properties should appear in the recommended order">
    <div class="paragraph">
      <p>According to the best practices defined by Azure, a consistent order of properties and elements in a template is recommended.
      This makes it easier to read and understand the template.</p>
    </div>

    <div class="paragraph">
      <p>Not following this convention has no technical impact,
      but will reduce the template’s readability because most developers are used to the standard order.</p>
    </div>

    <div class="paragraph">
      <p>Sorting the resources according to deployment order is recommended as well, as this will convey the intent of the orchestration.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Template element order theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/...",
      "contentVersion": "1.0.0.0",
      "apiProfile": "...",
      "parameters": {},
      "functions": {},
      "variables": {},
      "resources": [],
      "outputs": {}
      }
      ```

      ```azureresourcemanager Resource property order theme={null}
      {
      "resources": [
      {
        "comments": "if any",
        "condition": true,
        "scope": "% parent scope %",
        "type": "Microsoft.Compute/virtualMachines",
        "apiVersion": "2023-09-01",
        "name": "resourceName",
        "location": "[parameters('location')]",
        "zones": [],
        "sku": {},
        "kind": "",
        "scale": "",
        "plan": {},
        "identity": {},
        "copy": {
          "name": "vmLoop",
          "count": "[parameters('numberOfVMs')]"
        },
        "dependsOn": [
          "nicLoop"
        ],
        "tags": {},
        "properties": {}
      }
      ]
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Unused parameters should be removed">
    <div class="paragraph">
      <p>An unused parameter is a parameter that has been declared but is not used anywhere in the block of code where it is defined.
      It is dead code, contributing to unnecessary complexity and leading to confusion when reading the code.
      Therefore, it should be removed from your code to maintain clarity and efficiency.</p>
    </div>


    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "parameters": {
        "unusedParameter": {
            "type": "string"
        },
        "virtualMachinesName": {
            "type": "string"
        }
      },
      "resources": [
      {
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[parameters('virtualMachinesName')]",
        "apiVersion": "2023-09-01",
        "location": "[resourceGroup().location]"
      }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "parameters": {
        "virtualMachinesName": {
            "type": "string"
        }
      },
      "resources": [
      {
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[parameters('virtualMachinesName')]",
        "apiVersion": "2023-09-01",
        "location": "[resourceGroup().location]"
      }
      ]
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Authorizing anonymous access to Azure resources is security-sensitive">
    <div class="paragraph">
      <p>Allowing anonymous access can reduce an organization’s ability to protect itself against attacks on its Azure resources.</p>
    </div>

    <div class="paragraph">
      <p>Security incidents may include disrupting critical functions, data theft, and additional Azure subscription costs due to resource overload.</p>
    </div>

    <div class="paragraph">
      <p>Using authentication coupled with fine-grained authorization brings defense-in-depth and gives investigators traceability during security incidents.</p>
    </div>

    <div class="paragraph">
      <p>Depending on the affected Azure resource, multiple authentication choices are possible: Active Directory Authentication, OpenID implementations (Google, Microsoft, etc.) or native Azure mechanisms.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
          {
              "type": "Microsoft.Web/sites",
              "apiVersion": "2022-03-01",
              "name": "example"
          }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      resource appService 'Microsoft.Web/sites@2022-09-01' = {
        name: 'example'
        resource authSettings 'config' = {
          name: 'authsettingsV2' // built-in App Service authentication
          properties: {
            globalValidation: { requireAuthentication: true, unauthenticatedClientAction: 'RedirectToLoginPage' }
          }
        }
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Allowing public network access to cloud resources is security-sensitive">
    <div class="paragraph">
      <p>Enabling public network access to cloud resources can affect an organization’s
      ability to protect its data or internal operations from data theft or
      disruption.</p>
    </div>

    <div class="paragraph">
      <p>Depending on the component, inbound access from the Internet can be enabled
      via:</p>
    </div>

    <div class="ulist">
      <ul>
        <li>
          <p>a boolean value that explicitly allows access to the public network.</p>
        </li>

        <li>
          <p>the assignment of a public IP address.</p>
        </li>

        <li>
          <p>database firewall rules that allow public IP ranges.</p>
        </li>
      </ul>
    </div>

    <div class="paragraph">
      <p>Deciding to allow public access may happen for various reasons, such as
      quick maintenance or time saving, or by accident.</p>
    </div>

    <div class="paragraph">
      <p>This decision increases the likelihood of attacks on the organization, such as:</p>
    </div>

    <div class="ulist">
      <ul>
        <li>
          <p>data breaches.</p>
        </li>

        <li>
          <p>intrusions into the infrastructure to permanently steal from it.</p>
        </li>

        <li>
          <p>and various malicious traffic, such as DDoS attacks.</p>
        </li>
      </ul>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      resource exampleSite 'Microsoft.Web/sites@2020-12-01' = {
      name: 'example-site'
      properties: {
      publicNetworkAccess: 'Enabled'
      }
      }
      ```

      ```azureresourcemanager Fix theme={null}
      {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
          {
            "type": "Microsoft.Web/sites",
            "apiVersion": "2020-12-01",
            "name": "example-site",
            "properties": {
              "siteConfig": {
                "publicNetworkAccess": "Disabled"
              }
            }
          }
        ]
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Delivering code in production with debug features activated is security-sensitive">
    <div class="paragraph">
      <p>Development tools and frameworks usually have options to make debugging easier for developers. Although these features are useful during development, they should never be enabled for applications deployed in production. Debug instructions or error messages can leak detailed information about the system, like the application’s path or file names.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2022-09-01",
            "name": "templateDebug",
            "properties": {
                "debugSetting": { "detailLevel": "RequestContent, ResponseContent" }
            }
        }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      resource templateDebug 'Microsoft.Resources/deployments@2022-09-01' = {
        name: 'templateDebug'
        properties: {
          debugSetting: {
            detailLevel: 'None' // neither request nor response content is logged
          }
        }
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Assigning high privileges Azure Resource Manager built-in roles is security-sensitive">
    <div class="paragraph">
      <p>Azure Resource Manager offers built-in roles that can be assigned to users, groups, or service principals.
      Some of these roles should be carefully assigned as they grant sensitive permissions like the ability to reset passwords for all users.</p>
    </div>

    <div class="paragraph">
      <p>An Azure account that fails to limit the use of such roles has a higher risk of being breached by a compromised owner.</p>
    </div>

    <div class="paragraph">
      <p>This rule raises an issue when one of the following roles is assigned:</p>
    </div>

    <div class="ulist">
      <ul>
        <li>
          <p>Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c)</p>
        </li>

        <li>
          <p>Owner (8e3af657-a8ff-443c-a75c-2fe8c4bcb635)</p>
        </li>

        <li>
          <p>User Access Administrator (18d7d88d-d35e-4fb5-a5c3-7773c20a72d9)</p>
        </li>
      </ul>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
      {
        "name": "example",
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2022-04-01",
        "properties": {
          "description": "Assign the contributor role",
          "principalId": "string",
          "principalType": "ServicePrincipal",
          "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
        }
      }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
        name: guid(resourceGroup().id, 'reader-assignment')
        properties: {
          description: 'Assign the Reader role instead of Contributor'
          principalId: 'string'
          principalType: 'ServicePrincipal'
          // Reader (acdd72a7-3385-48ef-bd42-f606fba81ae7) is a read-only built-in role
          roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
        }
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Using clear-text protocols is security-sensitive">
    <div class="paragraph">
      <p>Clear-text protocols such as <code>ftp</code>, <code>telnet</code>, or <code>http</code> lack
      encryption of transported data, as well as the capability to build an
      authenticated connection. It means that an attacker able to sniff traffic from
      the network can read, modify, or corrupt the transported content. These
      protocols are not secure as they expose applications to an extensive range of
      risks:</p>
    </div>

    <div class="ulist">
      <ul>
        <li>
          <p>sensitive data exposure</p>
        </li>

        <li>
          <p>traffic redirected to a malicious endpoint</p>
        </li>

        <li>
          <p>malware-infected software update or installer</p>
        </li>

        <li>
          <p>execution of client-side code</p>
        </li>

        <li>
          <p>corruption of critical information</p>
        </li>
      </ul>
    </div>

    <div class="paragraph">
      <p>Even in the context of isolated networks like offline environments or segmented
      cloud environments, the insider threat exists. Thus, attacks involving
      communications being sniffed or tampered with can still happen.</p>
    </div>

    <div class="paragraph">
      <p>For example, attackers could successfully compromise prior security layers by:</p>
    </div>

    <div class="ulist">
      <ul>
        <li>
          <p>bypassing isolation mechanisms</p>
        </li>

        <li>
          <p>compromising a component of the network</p>
        </li>

        <li>
          <p>getting the credentials of an internal IAM account (either from a service
          account or an actual person)</p>
        </li>
      </ul>
    </div>

    <div class="paragraph">
      <p>In such cases, encrypting communications would decrease the chances that attackers
      successfully leak data or steal credentials from other network components.
      By layering various security practices (segmentation and encryption, for
      example), the application will follow the <em>defense-in-depth</em> principle.</p>
    </div>

    <div class="paragraph">
      <p>Note that the <code>http</code> protocol is being deprecated by
      <a href="https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http">major web browsers</a>.</p>
    </div>

    <div class="paragraph">
      <p>In the past, it has led to the following vulnerabilities:</p>
    </div>

    <div class="ulist">
      <ul>
        <li>
          <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-6169">CVE-2019-6169</a></p>
        </li>

        <li>
          <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-12327">CVE-2019-12327</a></p>
        </li>

        <li>
          <p><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11065">CVE-2019-11065</a></p>
        </li>
      </ul>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
      {
        "type": "Microsoft.Web/sites",
        "name": "example",
        "apiVersion": "2022-09-01",
        "properties": {
          "httpsOnly": false
        }
      }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      resource symbolicname 'Microsoft.Web/sites@2022-03-01' = {
        name: 'example'
        properties: {
          httpsOnly: true // HTTP requests are redirected to HTTPS
        }
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Enabling Azure resource-specific admin accounts is security-sensitive">
    <div class="paragraph">
      <p>Enabling Azure resource-specific admin accounts can reduce an organization’s ability to protect itself against account or service account thefts.</p>
    </div>

    <div class="paragraph">
      <p>Full Administrator permissions fail to correctly separate duties and create potentially critical attack vectors on the impacted resources.</p>
    </div>

    <div class="paragraph">
      <p>In case of abuse of elevated permissions, both the data on which impacted resources operate and their access traceability are at risk.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
      {
        "name": "example",
        "type": "Microsoft.Batch/batchAccounts/pools",
        "apiVersion": "2022-10-01",
        "properties": {
          "startTask": {
            "userIdentity": {
              "autoUser": {
                "elevationLevel": "Admin"
              }
            }
          }
        }
      }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      resource batchPool 'Microsoft.Batch/batchAccounts/pools@2022-10-01' = {
        properties: {
          startTask: {
            userIdentity: {
              autoUser: {
                elevationLevel: 'NonAdmin' // the start task runs without administrator rights
              }
            }
          }
        }
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Defining a short backup retention duration is security-sensitive">
    <div class="paragraph">
      <p>Reducing the backup retention duration can reduce an organization’s ability to re-establish service in case of a security incident.</p>
    </div>

    <div class="paragraph">
      <p>Data backups make it possible to recover from corruption or unavailability of data as efficiently as possible after a security incident.</p>
    </div>

    <div class="paragraph">
      <p>Backup retention duration, coverage, and backup locations are essential criteria regarding functional continuity.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      resource webApp 'Microsoft.Web/sites@2022-03-01' = {
      name: 'webApp'
      }

      resource backup 'config@2022-03-01' = {
      name: 'backup'
      parent: webApp
      properties: {
      backupSchedule: {
        frequencyInterval: 1
        frequencyUnit: 'Day'
        keepAtLeastOneBackup: true
        retentionPeriodInDays: 2  // Sensitive
      }
      }
      }
      ```

      ```azureresourcemanager Fix theme={null}
      {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
          {
            "type": "Microsoft.Web/sites",
            "apiVersion": "2022-03-01",
            "name": "webApp"
          },
          {
            "type": "Microsoft.Web/sites/config",
            "apiVersion": "2022-03-01",
            "name": "webApp/backup",
            "properties": {
              "backupSchedule": {
                "frequencyInterval": 1,
                "frequencyUnit": "Day",
                "keepAtLeastOneBackup": true,
                "retentionPeriodInDays": 30
              }
            },
            "dependsOn": [
              "[resourceId('Microsoft.Web/sites', 'webApp')]"
            ]
          }
        ]
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="String literals should not be duplicated">
    <div class="paragraph">
      <p>Duplicated string literals make the process of refactoring complex and error-prone, as any change would need to be propagated on all occurrences.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "variables": {},
      "resources": [
      {
        "type": "Microsoft.Storage/storageAccounts",
        "apiVersion": "2021-01-01",
        "name": "appSuperStorage",
        "tags": {
          "displayName": "appSuperStorage",
          "shortName" : "appSuperStorage"
        }
      }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "variables": {
      "storageAccountName": "appSuperStorage"
      },
      "resources": [
      {
        "type": "Microsoft.Storage/storageAccounts",
        "apiVersion": "2021-01-01",
        "name": "[variables('storageAccountName')]",
        "tags": {
          "displayName": "[variables('storageAccountName')]",
          "shortName" : "[variables('storageAccountName')]"
        }
      }
      ]
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Disabling Managed Identities for Azure resources is security-sensitive">
    <div class="paragraph">
      <p>Disabling Managed Identities can reduce an organization’s ability to protect itself against configuration faults and credential leaks.</p>
    </div>

    <div class="paragraph">
      <p>Authenticating via managed identities to an Azure resource relies solely on an API call with a non-secret token. The process is internal to Azure: the secrets Azure uses are not even accessible to end users.</p>
    </div>

    <div class="paragraph">
      <p>In typical scenarios without managed identities, the use of credentials can lead to mistakenly leaving them in code bases. In addition, configuration faults may also happen when storing these values or assigning them permissions.</p>
    </div>

    <div class="paragraph">
      <p>By transparently taking care of the Azure Active Directory authentication, Managed Identities allow getting rid of day-to-day credentials management.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
          {
              "type": "Microsoft.ApiManagement/service",
              "apiVersion": "2022-09-01-preview",
              "name": "apiManagementService"
          }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      resource apiManagementService 'Microsoft.ApiManagement/service@2022-09-01-preview' = {
        name: 'apiManagementService'
        identity: {
          type: 'SystemAssigned' // Azure manages the credential; nothing to store or rotate
        }
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Defining a short log retention duration is security-sensitive">
    <div class="paragraph">
      <p>Defining a short log retention duration can reduce an organization’s ability to trace back the actions of malicious actors in case of a security incident.</p>
    </div>

    <div class="paragraph">
      <p>Logging allows operational and security teams to get detailed and real-time feedback on an information system’s events. The logging coverage enables them to quickly react to events, ranging from the most benign bugs to the most impactful security incidents, such as intrusions.</p>
    </div>

    <div class="paragraph">
      <p>Apart from security detection, logging capabilities also directly influence future digital forensic analyses. For example, detailed logging will allow investigators to establish a timeline of the actions perpetrated by an attacker.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
      {
        "name": "example",
        "type": "Microsoft.Network/firewallPolicies",
        "apiVersion": "2022-07-01",
        "properties": {
          "insights": {
            "isEnabled": true,
            "retentionDays": 7
          }
        }
      }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
        name: 'example'
        properties: {
          insights: {
            isEnabled: true
            retentionDays: 30 // long enough to reconstruct an incident timeline
          }
        }
      }
      ```
    </CodeGroup>
  </Accordion>
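A static check for this rule over an ARM template, added here as an example and not part of the original page or the product's own rule code; the sample template is constructed, and the 30-day threshold is an assumption standing in for whatever retention an organization's incident-response process requires.

```python
import json

# Constructed sample (not from the page): four firewall policies with different
# logging settings; the retention values are illustrative.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"name": "short", "type": "Microsoft.Network/firewallPolicies", "apiVersion": "2022-07-01",
     "properties": {"insights": {"isEnabled": true, "retentionDays": 7}}},
    {"name": "long", "type": "Microsoft.Network/firewallPolicies", "apiVersion": "2022-07-01",
     "properties": {"insights": {"isEnabled": true, "retentionDays": 90}}},
    {"name": "param", "type": "Microsoft.Network/firewallPolicies", "apiVersion": "2022-07-01",
     "properties": {"insights": {"isEnabled": true, "retentionDays": "[parameters('days')]"}}},
    {"name": "off", "type": "Microsoft.Network/firewallPolicies", "apiVersion": "2022-07-01",
     "properties": {"insights": {"isEnabled": false}}}
  ]
}
""")

# Assumption: the minimum acceptable retention is an organizational policy choice.
MIN_RETENTION_DAYS = 30

def short_retention_findings(template, min_days=MIN_RETENTION_DAYS):
    """Return (name, retentionDays) for every firewall policy whose insights
    logging is enabled but whose logs are kept for fewer than min_days."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.network/firewallpolicies":
            continue
        insights = res.get("properties", {}).get("insights", {})
        if not insights.get("isEnabled"):
            continue  # logging disabled entirely: a different problem than a short retention
        days = insights.get("retentionDays")
        if not isinstance(days, int):
            continue  # an ARM expression such as "[parameters('days')]" cannot be
                      # evaluated statically; resolve the parameter before checking
        if days < min_days:
            findings.append((res.get("name"), days))
    return findings

if __name__ == "__main__":
    for name, days in short_retention_findings(SAMPLE_TEMPLATE):
        print(f"{name}: retentionDays={days} is below {MIN_RETENTION_DAYS}")
```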

  <Accordion title="Track uses of TODO tags">
    <div class="paragraph">
      <p>Developers often use TODO tags to mark areas in the code where additional work or improvements are needed but are not implemented immediately.
      However, these TODO tags sometimes get overlooked or forgotten, leading to incomplete or unfinished code.
      This rule aims to identify and address unattended TODO tags to ensure a clean and maintainable codebase.
      This description explores why this is a problem and how it can be fixed to improve the overall code quality.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      resource Microsoft_ApiManagement_service_apis_Raise_issue_because_protocols_contains_http 'Microsoft.ApiManagement/service/apis@2022-08-01' = {
        properties: {
          protocols: [
            // TODO change to secure protocol
            'http'
          ]
        }
      }
      ```

      ```azureresourcemanager Fix theme={null}
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Disabling Role-Based Access Control on Azure resources is security-sensitive">
    <div class="paragraph">
      <p>Disabling Role-Based Access Control (RBAC) on Azure resources can reduce an
      organization’s ability to protect itself against access controls being compromised.</p>
    </div>

    <div class="paragraph">
      <p>To be considered safe, access controls must follow the principle of
      least privilege and correctly segregate duties amongst users.
      RBAC helps enforce these practices by translating the organization’s access control
      needs into explicit role-based policies, which keeps access controls maintainable
      and sustainable.</p>
    </div>

    <div class="paragraph">
      <p>Furthermore, RBAC allows operations teams to work faster during a security
      incident. It helps to mitigate account theft or intrusions by quickly revoking
      access.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
      {
        "name": "example",
        "type": "Microsoft.ContainerService/managedClusters",
        "apiVersion": "2023-03-01",
        "properties": {
          "aadProfile": {
            "enableAzureRBAC": false
          },
          "enableRBAC": false
        }
      }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      resource aks 'Microsoft.ContainerService/managedClusters@2023-03-01' = {
        name: 'example'
        properties: {
          aadProfile: {
            enableAzureRBAC: false    // Sensitive
          }
          enableRBAC: false           // Sensitive
        }
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Azure role assignments that grant access to all resources of a subscription are security-sensitive">
    <div class="paragraph">
      <p>Azure RBAC roles can be assigned to users, groups, or service principals. A role assignment grants permissions on a predefined set of resources called "scope".</p>
    </div>

    <div class="paragraph">
      <p>The widest scopes a role can be assigned to are:</p>
    </div>

    <div class="ulist">
      <ul>
        <li>
          <p>Subscription: a role assigned with this scope grants access to all resources of this Subscription.</p>
        </li>

        <li>
          <p>Management Group: a role assigned with this scope grants access to all resources of all the Subscriptions in this Management Group.</p>
        </li>
      </ul>
    </div>

    <div class="paragraph">
      <p>In case of security incidents involving a compromised identity (user, group, or service principal), limiting its role assignment to the narrowest scope possible helps separate duties and limits what resources are at risk.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      targetScope = 'subscription' // Sensitive

      resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
        name: guid(subscription().id, 'exampleRoleAssignment')
      }
      ```

      ```azureresourcemanager Fix theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
      {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2022-04-01",
        "name": "[guid(subscription().id, 'exampleRoleAssignment')]"
      }
      ]
      }
      ```
    </CodeGroup>
  </Accordion>
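One checker for both RBAC rules above (a cluster that disables RBAC, and a role assignment deployed at subscription or management-group scope), added here as an example rather than the page's or the product's own code; the two sample templates are constructed, and the deployment scope is inferred from the template's $schema URL.

```python
import json

# Constructed samples (not from the page): a resource-group deployment that switches
# AKS RBAC off, and a subscription-level deployment (note the $schema) assigning a role.
AKS_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"name": "cluster", "type": "Microsoft.ContainerService/managedClusters",
     "apiVersion": "2023-03-01",
     "properties": {"aadProfile": {"enableAzureRBAC": false}, "enableRBAC": false}}
  ]
}
""")
ROLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"name": "[guid(subscription().id, 'exampleRoleAssignment')]",
     "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01"}
  ]
}
""")

def template_scope(template):
    """Infer the deployment scope from the $schema URL of an ARM template."""
    schema = template.get("$schema", "").lower()
    if "managementgroupdeploymenttemplate" in schema:
        return "managementGroup"
    if "subscriptiondeploymenttemplate" in schema:
        return "subscription"
    return "resourceGroup"

def rbac_findings(template):
    """Flag clusters that explicitly disable RBAC and role assignments at a wide scope."""
    findings, scope = [], template_scope(template)
    for res in template.get("resources", []):
        rtype, name = res.get("type", "").lower(), res.get("name")
        props = res.get("properties", {})
        if rtype == "microsoft.containerservice/managedclusters":
            if props.get("enableRBAC") is False:
                findings.append(f"{name}: enableRBAC is false")
            if props.get("aadProfile", {}).get("enableAzureRBAC") is False:
                findings.append(f"{name}: aadProfile.enableAzureRBAC is false")
        elif rtype == "microsoft.authorization/roleassignments" and scope != "resourceGroup":
            findings.append(f"{name}: role assigned at {scope} scope")
    return findings
```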

  <Accordion title="Administration services access should be restricted to specific IP addresses">
    <div class="paragraph">
      <p>Cloud platforms such as AWS, Azure, or GCP support virtual firewalls that can be used to restrict access to services by controlling inbound and outbound traffic.
      Any firewall rule allowing traffic from all IP addresses to standard network ports on which administration services traditionally listen, such as 22 for SSH, can expose these services to exploits and unauthorized access.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
      {
        "name": "networkSecurityGroups/example",
        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
        "apiVersion": "2022-11-01",
        "properties": {
          "protocol": "*",
          "destinationPortRange": "*",
          "sourceAddressPrefix": "*",
          "access": "Allow",
          "direction": "Inbound"
        }
      }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      resource securityRules 'Microsoft.Network/networkSecurityGroups/securityRules@2022-11-01' = {
        name: 'securityRules'
        properties: {
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          destinationPortRange: '*'
          sourceAddressPrefix: '*'
        }
      }
      ```
    </CodeGroup>
  </Accordion>
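A check implementing this rule over NSG security rules in an ARM template, added here as an example and not the page's or the product's own code; it assumes SSH (22) and RDP (3389) as the administration ports of interest, treats '*', the Internet service tag and 0.0.0.0/0 as "any source", and runs over a constructed sample template.

```python
import json

# Assumptions: the admin ports this check covers, and the forms an NSG rule uses to
# mean "any source" (the '*' wildcard, the Internet service tag, the 0.0.0.0/0 CIDR).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}
# Constructed sample (not from the page): three inbound rules; 203.0.113.0/24 is an
# RFC 5737 documentation range standing in for an office address block.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"name": "nsg/any-to-any", "type": "Microsoft.Network/networkSecurityGroups/securityRules",
     "apiVersion": "2022-11-01", "properties": {"protocol": "*", "destinationPortRange": "*",
     "sourceAddressPrefix": "*", "access": "Allow", "direction": "Inbound"}},
    {"name": "nsg/ssh-from-office", "type": "Microsoft.Network/networkSecurityGroups/securityRules",
     "apiVersion": "2022-11-01", "properties": {"protocol": "Tcp", "destinationPortRange": "22",
     "sourceAddressPrefix": "203.0.113.0/24", "access": "Allow", "direction": "Inbound"}},
    {"name": "nsg/wide-range", "type": "Microsoft.Network/networkSecurityGroups/securityRules",
     "apiVersion": "2022-11-01", "properties": {"protocol": "Tcp", "destinationPortRanges": ["80", "3000-4000"],
     "sourceAddressPrefix": "Internet", "access": "Allow", "direction": "Inbound"}}
  ]
}
""")

def admin_ports_in(spec):
    """Admin ports covered by one port spec: '*', a single port, or 'lo-hi'."""
    if spec == "*":
        return sorted(ADMIN_PORTS)
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo or 0), int(hi or lo or 0)  # empty spec covers nothing
    return [p for p in sorted(ADMIN_PORTS) if lo <= p <= hi]

def exposed_admin_rules(template):
    """(rule name, [admin ports]) for inbound Allow rules open to any source.
    Rules nested inline under a networkSecurityGroups resource are not walked."""
    findings = []
    for res in template.get("resources", []):
        if not res.get("type", "").lower().endswith("networksecuritygroups/securityrules"):
            continue
        p = res.get("properties", {})
        if (p.get("direction") != "Inbound" or p.get("access") != "Allow"
                or p.get("sourceAddressPrefix", "").lower() not in ANY_SOURCE):
            continue
        specs = p.get("destinationPortRanges") or [p.get("destinationPortRange", "")]
        ports = sorted({port for s in specs for port in admin_ports_in(s)})
        if ports:
            findings.append((res["name"], ports))
    return findings
```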

  <Accordion title="Unused local variables should be removed">
    <div class="paragraph">
      <p>An unused local variable is a variable that has been declared but is not used anywhere in the block of code where it is defined. It is dead code, contributing to unnecessary complexity and leading to confusion when reading the code. Therefore, it should be removed from your code to maintain clarity and efficiency.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "variables": {
        "unusedVariable": "unusedValue",
        "virtualMachinesName": "[uniqueString(resourceGroup().id)]"
      },
      "resources": [
      {
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[variables('virtualMachinesName')]",
        "apiVersion": "2023-09-01",
        "location": "[resourceGroup().location]"
      }
      ]
      }
      ```

      ```azureresourcemanager Fix theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "variables": {
        "virtualMachinesName": "[uniqueString(resourceGroup().id)]"
      },
      "resources": [
      {
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[variables('virtualMachinesName')]",
        "apiVersion": "2023-09-01",
        "location": "[resourceGroup().location]"
      }
      ]
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Parameter and variable names should comply with a naming convention">
    <div class="paragraph">
      <p>A naming convention in software development is a set of guidelines for naming code elements like variables, functions, and classes.
      Parameters and variables hold the meaning of the written code. Their names should be meaningful and follow a consistent and easily recognizable pattern.
      Adhering to a consistent naming convention helps to make the code more readable and understandable, which makes it easier to maintain and debug.
      It also ensures consistency in the code, especially when multiple developers are working on the same project.</p>
    </div>

    <div class="paragraph">
      <p>This rule checks that parameter and variable names match a provided regular expression.</p>
    </div>

    <CodeGroup>
      ```azureresourcemanager Bad theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
      "storage_account_name": {
        "type": "string"
      }
      },
      "variables": {
      "string_variable": "example value"
      }
      }
      ```

      ```azureresourcemanager Fix theme={null}
      {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
      "storageAccountName": {
        "type": "string"
      }
      },
      "variables": {
      "stringVariable": "example value"
      }
      }
      ```
    </CodeGroup>
  </Accordion>
</AccordionGroup>
