How can you find a different TargetObject via id? #1983

C0smin · 2023-01-09T14:24:50Z

C0smin
Jan 9, 2023

Hi,
I'm looking into making a rule for ActivityLog_StorageAccountBYOK but the question hopefully has a more general answer to help more people if possible.
What would be a good way to get a different resource from the same deployment?
The jist of it is that I want to check if storageAccount1 has any logs in storageDiagnostics1, then storageDiagnostics1 should use properties.encryption.keySource='Microsoft.KeyVault'
Something like:

resource storageAccount1 'Microsoft.Storage/storageAccounts@2022-05-01' = {
  name: 'storageAccount1'
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
}

resource storageDiagnostics1 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'storageDiagnostics1'
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
}

resource storageDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'default'
  scope: storageAccount
  properties: {
    storageAccountId: storageDiagnostics1.id
    metrics: [
      {
        category: 'Transaction'
        enabled: true
      }
    ]
  }
}

Rule -Type 'Microsoft.Storage/storageAccounts' -Body {
    $diagnosticSettings = GetSubResources -ResourceType 'Microsoft.Insights/diagnosticSettings'
    if ($diagnosticSettings) {
        $diagnosticsStorageAccount = Get-PSRuleItem $diagnosticSettings.properties.storageAccountId # <-- How can I write this to work?
        $Assert.HasFieldValue($diagnosticsStorageAccount, 'properties.encryption.keySource', 'Microsoft.KeyVault')
    }
}

Thanks for getting to this part, does anyone have an idea?

Answered by BernieWhite

Jan 9, 2023

@C0smin Yeah that is a tricky one. PSRule for Azure today doesn't provide a good solution to co-ordinate or follow relationships between resources. The exception is parent and sub-resources.

So storageDiagnostics is nested in storageAccount1 as discussed in #1969. However there isn't an equivalent of Get-PSRuleItem available today.

One way you could approach it would be to create a rule based on the Microsoft.Resources/deployments resource, however the downside here is that you will need to process an un-expanded ARM template structure.

If the community would find such a feature helpful please upvote this idea over here #1984.

View full answer

BernieWhite · 2023-01-09T14:57:33Z

BernieWhite
Jan 9, 2023
Maintainer

@C0smin Yeah that is a tricky one. PSRule for Azure today doesn't provide a good solution to co-ordinate or follow relationships between resources. The exception is parent and sub-resources.

So storageDiagnostics is nested in storageAccount1 as discussed in #1969. However there isn't an equivalent of Get-PSRuleItem available today.

One way you could approach it would be to create a rule based on the Microsoft.Resources/deployments resource, however the downside here is that you will need to process an un-expanded ARM template structure.

If the community would find such a feature helpful please upvote this idea over here #1984.

1 reply

C0smin Jan 9, 2023
Author

Thanks for the fast reply!
Sad to hear that it's currently not available but I'm hoping we get some upvotes 🤞

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How can you find a different TargetObject via id? #1983

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

How can you find a different TargetObject via id? #1983

C0smin Jan 9, 2023

Replies: 1 comment · 1 reply

BernieWhite Jan 9, 2023 Maintainer

C0smin Jan 9, 2023 Author

C0smin
Jan 9, 2023

Replies: 1 comment 1 reply

BernieWhite
Jan 9, 2023
Maintainer

C0smin Jan 9, 2023
Author