Relax Azure.Cognitive.ManagedIdentity to required configurations #2559

(#2626)
Azure · Jan 3, 2024 · 233b3d4 · 233b3d4
1 parent 30658c3
commit 233b3d4
Show file tree

Hide file tree

Showing 11 changed files with 645 additions and 593 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -68,6 +68,7 @@
     "DEPLOYIFNOTEXISTS",
     "DISPLAYNAME",
     "endregion",
+    "Entra",
     "exfiltration",
     "failover",
     "GREATEROREQUAL",

diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md
@@ -40,6 +40,8 @@ What's changed since v1.32.1:
   - Added option for excluding subnets to `Azure.VNET.UseNSGs` by @BernieWhite.
     [#2572](https://github.com/Azure/PSRule.Rules.Azure/issues/2572)
     - To add a subnet exclusion, set the `AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG` option.
+  - Relax `Azure.Cognitive.ManagedIdentity` to required configurations by @BernieWhite.
+    [#2559](https://github.com/Azure/PSRule.Rules.Azure/issues/2559)
 - Engineering:
   - Bump xunit to v2.6.4.
     [#2618](https://github.com/Azure/PSRule.Rules.Azure/pull/2618)

diff --git a/docs/en/rules/Azure.Cognitive.ManagedIdentity.md b/docs/en/rules/Azure.Cognitive.ManagedIdentity.md
@@ -1,8 +1,8 @@
 ---
-reviewed: 2023-10-01
+reviewed: 2024-01-03
 severity: Important
 pillar: Security
-category: Authentication
+category: SE:05 Identity and access management
 resource: Cognitive Services
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cognitive.ManagedIdentity/
 ---
@@ -22,7 +22,7 @@ Using Azure managed identities have the following benefits:
 
 - You don't need to store or manage credentials.
   Azure automatically generates tokens and performs rotation.
-- You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
+- You can use managed identities to authenticate to any Azure service that supports Entra ID (previously Azure AD) authentication.
 - Managed identities can be used without any additional cost.
 
 ## RECOMMENDATION
@@ -52,7 +52,7 @@ For example:
   "sku": {
     "name": "S0"
   },
-  "kind": "CognitiveServices",
+  "kind": "TextAnalytics",
   "properties": {
     "publicNetworkAccess": "Disabled",
     "networkAcls": {
@@ -73,7 +73,7 @@ To deploy accounts that pass this rule:
 For example:
 
 ```bicep
-resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
+resource language 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
   name: name
   location: location
   identity: {
@@ -82,7 +82,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
   sku: {
     name: 'S0'
   }
-  kind: 'CognitiveServices'
+  kind: 'TextAnalytics'
   properties: {
     publicNetworkAccess: 'Disabled'
     networkAcls: {
@@ -101,9 +101,16 @@ To address this issue at runtime use the following policies:
 /providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418
 ```
 
+## NOTES
+
+Configuration of additional Azure resources is not required for all Cognitive Services.
+This rule will run for the following Cognitive Services:
+
+- `TextAnalytics` - Language service.
+
 ## LINKS
 
-- [Use identity-based authentication](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication#use-identity-based-authentication)
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#resource-identity)
 - [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference)
 - [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/cognitive-services-security-baseline#im-1-use-centralized-identity-and-authentication-system)
 - [IM-3: Manage application identities securely and automatically](https://learn.microsoft.com/security/benchmark/azure/baselines/cognitive-services-security-baseline#im-3-manage-application-identities-securely-and-automatically)

diff --git a/docs/examples-cognitive.bicep b/docs/examples-cognitive.bicep
@@ -9,8 +9,25 @@ param name string
 @description('The location resources will be deployed.')
 param location string = resourceGroup().location
 
-// An example multi-service cognitive services account
+// An example multi-service cognitive services account.
 resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
+  name: name
+  location: location
+  sku: {
+    name: 'S0'
+  }
+  kind: 'CognitiveServices'
+  properties: {
+    publicNetworkAccess: 'Disabled'
+    networkAcls: {
+      defaultAction: 'Deny'
+    }
+    disableLocalAuth: true
+  }
+}
+
+// An example of the language services account.
+resource language 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
   name: name
   location: location
   identity: {
@@ -19,7 +36,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
   sku: {
     name: 'S0'
   }
-  kind: 'CognitiveServices'
+  kind: 'TextAnalytics'
   properties: {
     publicNetworkAccess: 'Disabled'
     networkAcls: {

diff --git a/docs/examples-cognitive.json b/docs/examples-cognitive.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.21.1.54444",
-      "templateHash": "17850178672994683728"
+      "version": "0.24.24.22086",
+      "templateHash": "4359857000491870165"
     }
   },
   "parameters": {
@@ -24,6 +24,23 @@
     }
   },
   "resources": [
+    {
+      "type": "Microsoft.CognitiveServices/accounts",
+      "apiVersion": "2023-05-01",
+      "name": "[parameters('name')]",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "S0"
+      },
+      "kind": "CognitiveServices",
+      "properties": {
+        "publicNetworkAccess": "Disabled",
+        "networkAcls": {
+          "defaultAction": "Deny"
+        },
+        "disableLocalAuth": true
+      }
+    },
     {
       "type": "Microsoft.CognitiveServices/accounts",
       "apiVersion": "2023-05-01",
@@ -35,7 +52,7 @@
       "sku": {
         "name": "S0"
       },
-      "kind": "CognitiveServices",
+      "kind": "TextAnalytics",
       "properties": {
         "publicNetworkAccess": "Disabled",
         "networkAcls": {

diff --git a/pipeline.build.ps1 b/pipeline.build.ps1
@@ -409,7 +409,7 @@ task BuildRuleDocs Build, Dependencies, {
             Recommendation = $_.Info.Recommendation
             Pillar = $_.Tag.'Azure.WAF/pillar'
             Control = $_.Tag.'Azure.MCSB.v1/control'
-            Source = "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/$(($_.Source.Path -split '/')[-1])"
+            Source = "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/$(($_.Source.Path -split '/', '\')[-1])"
         }
     }
     $metadata | ConvertTo-Json -Depth 5 | Set-Content -Path ./docs/es/rules/metadata.json -Force;

diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml
@@ -40,13 +40,17 @@ metadata:
   tags:
     release: GA
     ruleSet: 2022_09
-    Azure.WAF/pillar: 'Security'
+    Azure.WAF/pillar: Security
   labels:
     Azure.MCSB.v1/control: [ 'IM-1', 'IM-3' ]
     Azure.Policy/id: /providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418
 spec:
   type:
   - Microsoft.CognitiveServices/accounts
+  where:
+    field: kind
+    in:
+    - TextAnalytics
   condition:
     field: Identity.Type
     in:

diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Cognitive.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Cognitive.Tests.ps1
@@ -33,7 +33,7 @@ Describe 'Azure.Cognitive' -Tag 'Cognitive' {
                 ErrorAction = 'Stop'
             }
             $dataPath = Join-Path -Path $here -ChildPath 'Resources.Cognitive.json';
-            $result = Invoke-PSRule @invokeParams -InputPath $dataPath;
+            $result = Invoke-PSRule @invokeParams -InputPath $dataPath -Outcome All;
         }
 
         It 'Azure.Cognitive.PublicAccess' {
@@ -58,14 +58,20 @@ Describe 'Azure.Cognitive' -Tag 'Cognitive' {
             # Fail
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 2;
-            $ruleResult.TargetName | Should -BeIn 'luis-A', 'luis-A-authoring';
+            $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -BeIn 'textanalytics-A';
 
             # Pass
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
             $ruleResult | Should -Not -BeNullOrEmpty;
+            $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -BeIn 'textanalytics-B';
+
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
+            $ruleResult | Should -Not -BeNullOrEmpty;
             $ruleResult.Length | Should -Be 2;
-            $ruleResult.TargetName | Should -BeIn 'textanalytics-A', 'textanalytics-B';
+            $ruleResult.TargetName | Should -BeIn 'luis-A', 'luis-A-authoring';
         }
 
         It 'Azure.Cognitive.DisableLocalAuth' {
@@ -148,8 +154,14 @@ Describe 'Azure.Cognitive' -Tag 'Cognitive' {
             # Pass
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 2;
-            $ruleResult.TargetName | Should -BeIn 'cognitive-01', 'cognitive-03';
+            $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -BeIn 'cognitive-03';
+
+            # None
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
+            $ruleResult | Should -Not -BeNullOrEmpty;
+            $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -BeIn 'cognitive-01';
         }
 
         It 'Azure.Cognitive.DisableLocalAuth' {