[CIS Azure] Investigate using Azure Resource Manager Template Toolkit (arm-ttk) #1663
Comments
orestisfl
added
Team:Cloud Security
|
From their docs: the checks are purely syntax and best practices, but actual validation happens only in the API. Therefore I see it as a "linter"
The tool itself requires powershell. So for us to run it either we install powershell in our machines our run through docker. It seems possible. Given that developing azure templates isn't something that we will do frequently, I question the value of having powershell infra to have a linter |
|
There is a working gh action linter under the PR #2091 What still needs to be discussed is if this is "allowed to fail" action or not. I believe it should not allow to fail The problem now is to fix the issues the linter found. While fixing all the issues, I could not find a replacement for the rule To exclude the rule, I had to delete a file that comes together with the ARM TTK installation. So I had to ditch the ARM TTK GH Action and implement ourselves, what is simple enough. Organization seems to work. Single I'm getting an internal error that I could not figure it out yet what is the problem.
|
Can you elaborate on the issue? why is this required? why do we use it? |
|
Single group also works
|
@oren-zohar I'm playing with deploying without the extension. If I understood correctly, the property Single works: Organization works: |
|
We got findings on both agents and no access denied errors on logs. I'll merge!
|
Motivation
The arm-ttk project can be used for analyzing and testing Azure Resource Manager Templates. We should consider using it in our CI pipeline.
Downside is that it uses powershell (likely hard to integrate that in pre-commit checks) and some of its checks might be too aggressive for us.
Benefits:
Links:
Definition of done
What needs to be completed at the end of this task
mcr.microsoft.com/powershelldocker imageThe text was updated successfully, but these errors were encountered: