Azure PsRule, check if resource exists, if so validate that there is another resource with it as parent

[C0smin]

Hey guys,

This has been bugging me for a while now.
I want to check if this deployment has a storage account and if it has check if there is also a resource of type 'Microsoft.Security/advancedThreatProtectionSettings'.
I found that you can do that with json arm templates using $PSRule.GetContent($TargetObject)[0].resources but cant' figure out how to do it for bicep.
Do you have some pointers?

Thanks,
Cosmin

[BernieWhite]

@C0smin Deployments are streamed through the pipeline for both Bicep and ARM templates. So this is probably the answer, although if you have any bicep sample code that would help.

To write a rule to check a deployment use the Microsoft.Resources/deployments type. This will allow you to evaluate a deployment prior to it being expanded, which may not be ideal but it would have a similar result as $PSRule.GetContent($TargetObject)[0].

Some examples are here: https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Deployment.Rule.ps1

---

Alternatively you may be able to check for a sub-resource of the protected object. PSRule for Azure automatically nests sub-resources or resources with a child scope. It does this to help build a graph of related resources for the purpose you are describing.

For example:

param storageAccountName string = 'sa001'
param location string = 'eastus'

resource sa 'Microsoft.Storage/storageAccounts@2021-04-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {}
}

resource atpSettings 'Microsoft.Security/advancedThreatProtectionSettings@2019-01-01' = {
  name: 'current'
  scope: sa
  properties: {
    isEnabled: true
  }
}

Will become:

{
  "type": "Microsoft.Storage/storageAccounts",
  "name": "sa001",
  "location": "eastus",
  "sku": {
    "name": "Standard_LRS"
  },
  "kind": "StorageV2",
  "properties": {},
  "id": "/subscriptions/ffffffff-ffff-ffff-ffff-ffffffffffff/resourceGroups/ps-rule-test-rg/providers/Microsoft.Storage/storageAccounts/sa001",
  "_PSRule": {
    "path": "resources[0]",
    "source": [
      {
        "file": ".\\docs\\ex.json",
        "type": "Template",
        "line": 22,
        "position": 5
      }
    ]
  },
  "resources": [
    {
      "type": "Microsoft.Security/advancedThreatProtectionSettings",
      "scope": "/subscriptions/ffffffff-ffff-ffff-ffff-ffffffffffff/resourceGroups/ps-rule-test-rg/providers/Microsoft.Storage/storageAccounts/sa001",
      "name": "current",
      "properties": {
        "isEnabled": true
      },
      "id": "/subscriptions/ffffffff-ffff-ffff-ffff-ffffffffffff/resourceGroups/ps-rule-test-rg/providers/Microsoft.Security/advancedThreatProtectionSettings/current",
      "_PSRule": {
        "path": "resources[1]",
        "source": [
          {
            "file": ".\\docs\\ex.json",
            "type": "Template",
            "line": 33,
            "position": 5
          }
        ]
      }
    }
  ]
}

No action is required for this to happen when expansion is enabled, that's just how it works.

So then your would write a rule for Microsoft.Storage/storageAccounts in my case, and fail the rule if the sub-resource is missing.

There is quite a lot of rules in PSRule for Azure that do this, however here are some that might be close to what you are trying to achieve.

• PSRule.Rules.Azure/src/PSRule.Rules.Azure/rules/Azure.KeyVault.Rule.ps1

  Lines 27 to 40 in 38c224c

  	Rule 'Azure.KeyVault.Logs' -Ref 'AZR-000119' -Type 'Microsoft.KeyVault/vaults' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
  	$logCategoryGroups = 'audit', 'allLogs'
  	$joinedLogCategoryGroups = $logCategoryGroups -join ', '
  	$diagnostics = @(GetSubResources -ResourceType 'microsoft.insights/diagnosticSettings', 'Microsoft.KeyVault/vaults/providers/diagnosticSettings' |
  	ForEach-Object { $_.properties.logs |
  	Where-Object { ($_.category -eq 'AuditEvent' -or $_.categoryGroup -in $logCategoryGroups) -and $_.enabled }
  	})
  	$Assert.Greater($diagnostics, '.', 0).Reason(
  	$LocalizedData.KeyVaultAuditDiagnosticSetting,
  	'AuditEvent',
  	$joinedLogCategoryGroups
  	).PathPrefix('resources')
  	}

• PSRule.Rules.Azure/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1

  Lines 64 to 78 in 38c224c

  	Rule 'Azure.MySQL.DefenderCloud' -Ref 'AZR-000328' -Type 'Microsoft.DBforMySQL/servers', 'Microsoft.DBforMySQL/servers/securityAlertPolicies' -Tag @{ release = 'GA'; ruleSet = '2022_12'; } {
  	if ($PSRule.TargetType -eq 'Microsoft.DBforMySQL/servers') {
  	$defenderConfigs = @(GetSubResources -ResourceType 'Microsoft.DBforMySQL/servers/securityAlertPolicies')
  	if ($defenderConfigs.Length -eq 0) {
  	$Assert.Fail($LocalizedData.SubResourceNotFound, 'Microsoft.DBforMySQL/servers/securityAlertPolicies')
  	}
  	foreach ($defenderConfig in $defenderConfigs) {
  	$Assert.HasFieldValue($defenderConfig, 'properties.state', 'Enabled').
  	PathPrefix('resources')
  	}
  	}
  	elseif ($PSRule.TargetType -eq 'Microsoft.DBforMySQL/servers/securityAlertPolicies') {
  	$Assert.HasFieldValue($TargetObject, 'properties.state', 'Enabled')
  	}
  	}

---

I hope that helps.

[C0smin]

This was actually the perfect answer, thank you so much @BernieWhite!
Currently I got something like this and it works:

Rule -Type 'Microsoft.Storage/storageAccounts' -Name 'Storage.AdvancedThreatProtection' -Body {
    $threatProtection = GetSubResources -ResourceType 'Microsoft.Security/advancedThreatProtectionSettings'
    if ($threatProtection) {
        $Assert.HasFieldValue($threatProtection, 'properties.isEnabled', $true)
    }
}

[BernieWhite]

@C0smin Nice. Just be aware if there is no results the rule will return inconclusive. Something like this would be an option:

Rule -Type 'Microsoft.Storage/storageAccounts' -Name 'Storage.AdvancedThreatProtection' -Body {
    $threatProtection = GetSubResources -ResourceType 'Microsoft.Security/advancedThreatProtectionSettings'
    if ($threatProtection) {
        $Assert.HasFieldValue($threatProtection, 'properties.isEnabled', $true)
    }
    else {
        $Assert.Fail("Expected 'Microsoft.Security/advancedThreatProtectionSettings'.")
    }
}

[C0smin]

Good catch, I did figure it out while testing and got to the same conclusion 😅