[Built-in rule] Add SystemAssigned, UserAssigned as an allowed identity on TA-000007, TA-000013, TA-000019

docs/built-in-rules.md

@@ -47,7 +47,7 @@ Cross-Origin Resource Sharing (CORS) should not allow all domains to access your
 ### TA-000007: Managed identity should be used in your API app
 For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
 
-**Recommendation**: To [use Managed Identity](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](https://docs.microsoft.com/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"` or `"UserAssigned"` and providing any necessary identifiers for the identity if required.
+**Recommendation**: To [use Managed Identity](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](https://docs.microsoft.com/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"`, `"UserAssigned"`, or `"SystemAssigned, UserAssigned"` and providing any necessary identifiers for the identity if required.
 #### Severity: 2
 
 ### TA-000008: Remote debugging should be turned off for function apps
@@ -83,7 +83,7 @@ Cross-Origin Resource Sharing (CORS) should not allow all domains to access your
 ### TA-000013: Managed identity should be used in your function app
 For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
 
-**Recommendation**: To [use Managed Identity](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](https://docs.microsoft.com/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"` or `"UserAssigned"` and providing any necessary identifiers for the identity if required.
+**Recommendation**: To [use Managed Identity](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](https://docs.microsoft.com/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"`, `"UserAssigned"`, or `"SystemAssigned, UserAssigned"` and providing any necessary identifiers for the identity if required.
 #### Severity: 2
 
 ### TA-000014: Remote debugging should be turned off for web apps
@@ -120,7 +120,7 @@ Cross-Origin Resource Sharing (CORS) should not allow all domains to access your
 ### TA-000019: Managed identity should be used in your web app
 For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
 
-**Recommendation**: To [use Managed Identity](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](https://docs.microsoft.com/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"` or `"UserAssigned"` and providing any necessary identifiers for the identity if required.
+**Recommendation**: To [use Managed Identity](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet), in the [Microsoft.Web/sites resource managed identity property](https://docs.microsoft.com/azure/templates/microsoft.web/sites?tabs=json#ManagedServiceIdentity), add (or update) the *type* property, setting its value to `"SystemAssigned"`, `"UserAssigned"`, or `"SystemAssigned, UserAssigned"` and providing any necessary identifiers for the identity if required.
 #### Severity: 2
 
 ### TA-000020: Audit usage of custom RBAC roles

src/Analyzer.Core.BuiltInRuleTests/Tests/TA-000007/AppServiceAPIApps.bicep

@@ -0,0 +1,92 @@
+@description('Location for all resources.')
+param location string = resourceGroup().location
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+  name: 'managedIdentity'
+  location: location
+}
+resource missingIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'api'
+  name: 'missingIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+}
+
+resource systemManagedIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'api'
+  name: 'systemManagedIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'SystemAssigned'
+  }
+}
+
+resource userManagedIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'api'
+  name: 'userManagedIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+}
+
+resource systemAndUserManagedIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'api'
+  name: 'systemAndUserManagedIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'SystemAssigned,UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+}
+
+resource systemAndUserManagedWithSpaceIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'api'
+  name: 'systemAndUserManagedWithSpaceIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'SystemAssigned, UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+}

src/Analyzer.Core.BuiltInRuleTests/Tests/TA-000007/AppServiceAPIApps.json

@@ -0,0 +1,121 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "Location for all resources."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+      "apiVersion": "2018-11-30",
+      "name": "managedIdentity",
+      "location": "[parameters('location')]"
+    },
+    {
+      "type": "Microsoft.Web/sites",
+      "apiVersion": "2019-08-01",
+      "name": "missingIdentity",
+      "kind": "api",
+      "location": "[parameters('location')]",
+      "properties": {
+        "siteConfig": {
+          "detailedErrorLoggingEnabled": false,
+          "httpLoggingEnabled": false,
+          "requestTracingEnabled": false
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Web/sites",
+      "apiVersion": "2019-08-01",
+      "name": "systemManagedIdentity",
+      "kind": "api",
+      "location": "[parameters('location')]",
+      "properties": {
+        "siteConfig": {
+          "detailedErrorLoggingEnabled": false,
+          "httpLoggingEnabled": false,
+          "requestTracingEnabled": false
+        }
+      },
+      "identity": {
+        "type": "SystemAssigned"
+      }
+    },
+    {
+      "type": "Microsoft.Web/sites",
+      "apiVersion": "2019-08-01",
+      "name": "userManagedIdentity",
+      "kind": "api",
+      "location": "[parameters('location')]",
+      "properties": {
+        "siteConfig": {
+          "detailedErrorLoggingEnabled": false,
+          "httpLoggingEnabled": false,
+          "requestTracingEnabled": false
+        }
+      },
+      "identity": {
+        "type": "UserAssigned",
+        "userAssignedIdentities": {
+          "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managedIdentity'))]": {}
+        }
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managedIdentity')]"
+      ]
+    },
+    {
+      "type": "Microsoft.Web/sites",
+      "apiVersion": "2019-08-01",
+      "name": "systemAndUserManagedIdentity",
+      "kind": "api",
+      "location": "[parameters('location')]",
+      "properties": {
+        "siteConfig": {
+          "detailedErrorLoggingEnabled": false,
+          "httpLoggingEnabled": false,
+          "requestTracingEnabled": false
+        }
+      },
+      "identity": {
+        "type": "SystemAssigned,UserAssigned",
+        "userAssignedIdentities": {
+          "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managedIdentity'))]": {}
+        }
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managedIdentity')]"
+      ]
+    },
+    {
+      "type": "Microsoft.Web/sites",
+      "apiVersion": "2019-08-01",
+      "name": "systemAndUserManagedWithSpaceIdentity",
+      "kind": "api",
+      "location": "[parameters('location')]",
+      "properties": {
+        "siteConfig": {
+          "detailedErrorLoggingEnabled": false,
+          "httpLoggingEnabled": false,
+          "requestTracingEnabled": false
+        }
+      },
+      "identity": {
+        "type": "SystemAssigned, UserAssigned",
+        "userAssignedIdentities": {
+          "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managedIdentity'))]": {}
+        }
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managedIdentity')]"
+      ]
+    }
+  ]
+}

src/Analyzer.Core.BuiltInRuleTests/Tests/TA-000007/TA-000007.json

@@ -0,0 +1,15 @@
+[
+  {
+    "Template": "AppServiceAPIApps.json",
+    "ReportedFailures": [
+      {
+        "LineNumber": 20,
+        "Description": "API app is missing an identity declaration."
+      },
+      {
+        "LineNumber": 88,
+        "Description": "Multiple identity types should be separated by a comma, followed by a space."
+      }
+    ]
+  }
+]

src/Analyzer.Core.BuiltInRuleTests/Tests/TA-000013/AppServiceFunctionApps.bicep

@@ -0,0 +1,92 @@
+@description('Location for all resources.')
+param location string = resourceGroup().location
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+  name: 'managedIdentity'
+  location: location
+}
+resource missingIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'functionapp'
+  name: 'missingIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+}
+
+resource systemManagedIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'functionapp'
+  name: 'systemManagedIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'SystemAssigned'
+  }
+}
+
+resource userManagedIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'functionapp'
+  name: 'userManagedIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+}
+
+resource systemAndUserManagedIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'functionapp'
+  name: 'systemAndUserManagedIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'SystemAssigned,UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+}
+
+resource systemAndUserManagedWithSpaceIdentity 'Microsoft.Web/sites@2019-08-01' = {
+  kind: 'functionapp'
+  name: 'systemAndUserManagedWithSpaceIdentity'
+  location: location
+  properties: {
+    siteConfig: {
+      detailedErrorLoggingEnabled: false
+      httpLoggingEnabled: false
+      requestTracingEnabled: false
+    }
+  }
+  identity: {
+    type: 'SystemAssigned, UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+}