Validating Your ARM Templates for Security Issues using Secure DevOps Kit for Azure (AzSK) ARM Template Checker

If you are using Azure Resource Manager (ARM) templates for automating your Azure resource provisioning, it’s important to validate your Infrastructure as Code (IoC) in your CI pipelines and Pull Request process. If you are using Azure Pipelines, you can use a task that Secure DevOps Kit for Azure (AzSK) provides to implement this.

Secure DevOps Kit for Azure (AzSK) was created by Core Service Engineering & Operations team at Microsoft with the purpose of using the Took Kit to enable the adoption of Azure inside Microsoft. They have opened the toolkit to the public so we can leverage the same tools that Microsoft is using in our projects.

To get started we need to install Secure DevOps Kit (AzSK) CICD Extensions for Azure for Azure Pipelines from the Visual Studio Marketplace. Click on the Get it Free button and install the extension in your Azure DevOps account

Let’s look at the sample solution we have so far. The solution is called AzureSecureDevOpsKit.Examples and We have an ASP.Net Core 2.2 MVP project with the default project template with the name WebApp, nothing modified. In the same solution we have Azure Resource Group project with the name Infrastructure, with only change being the classic alert rules removed. This is the template we are trying to validate.

We have an Azure Repo with the code base pushed to it and a pull request process setup for it using Azure Pipelines builds and Azure Repo Branch Policies. This is how the branch policy looks like

We have a Required Reviewers, Comment Resolution and Build Validation configured. The Azure Pipelines build that is configured for build validation is a simple ASP.Net build that comes out of the box in Azure Pipelines. It looks something like this.

A sample pull request would look something like this, with the required policy enforcements.

Implementing ARM Template Validation

What we want to do is implement ARM Template validation into the Pull Request process. To do that we will create a new build definition with ARM Template Deployment task and AzSK ARM Template Checker task. And then add that as a build validation requirement in the branch policy.

Let’s create a build definition with the name ARM Template Validation Build and add the required tasks and configure them.

ARM Template Deployment Task

The ARM Template Deployment task is usually used to deploy ARM templates and create/update resources. But ARM template deployment can be done in 3 modes, Complete, Incremental and Validation Only. We can use the task to validate the ARM template by checking for Syntax correctness, for valid JSON and any conflicts and structural issues in the ARM template. So, we will include this task and configure it.

All you need to do is,

1. The Resource Group Name and Location that you are validating the template against
2. Set the path to the ARM Template file from your source code repo
3. Set the path to the ARM Template Parameter file from your source repo
4. Set the Deployment mode to Validation Only.

The configured task would look something like this.

AzSK ARM Template Checker Task

ARM Template Checker task runs a scan on your ARM Templates to examine for various conditions and configurations that need to there for your ARM templates to be used for a secure resource deployment. To make it work all you need to provide is the path to your ARM Template and ARM Template Parameter files.

Now we are ready to configure this build to our Branch Policy so it will be executed when a Pull Request is created targeting the master branch. You need to select the ARM Template Validation Build definition we created, and then set the Trigger to automatic so it will trigger the validation as soon as the PR is create or updated, then set the Policy Enforcement to Required or Optional depending on your requirement. Finally set a name for the validation set and you are done.

If you create a new pull request now, you can see that there are 2 builds triggered. One is Build validation and the other is ARM Template Validation. Once the ARM Template Validation Build completes, you can see there are some failures.

To see what the failures are, you need to download the logs from the build that ran. You can download the build logs from the build summary page. Once you download them, extract the .zip file and you can find another .zip file inside the folder for the build agent you ran the build. Extract that .zip file and you will see the PowerShell Output and a CSV file that contains the details about the failing security controls.

This CSV file contains the details about the security controls that failed with a detailed description and also a suggested fix for it. You can use this information to fix your ARM template to remove these issues.

There might be a case where you don’t want to fix some of the mentioned issues, in that case you can make a copy of the CSV file, and remove all the security controls that you intend to fix and keep the ones that you are ignoring. Then add that CSV file to your source repo and select that file into the Skip Controls From File input in the AzSK ARM Template Checker task.

There you go, that is how you can leverage Secure DevOps Kit for Azure in your Azure DevOps pipelines and make sure that your ARM templates are deployed securely.

Summary

In this article you got a very brief introduction to Secure DevOps Kit for Azure and how you can use the Azure Pipelines extensions provided to configure ARM Template Validations for Security in your Azure DevOps account. And how you can integrate this checks in to your Pull Request process.