Relax `Azure.Cognitive.ManagedIdentity` to required configurations #2559 (#2626)

2024-01-04 00:26:04 +10:00 · 2024-01-04 00:26:04 +10:00 · 233b3d4add
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -68,6 +68,7 @@
    "DEPLOYIFNOTEXISTS",
    "DISPLAYNAME",
    "endregion",
+    "Entra",
    "exfiltration",
    "failover",
    "GREATEROREQUAL",
--- a/docs/CHANGELOG-v1.md
+++ b/docs/CHANGELOG-v1.md
@ -40,6 +40,8 @@ What's changed since v1.32.1:
  - Added option for excluding subnets to `Azure.VNET.UseNSGs` by @BernieWhite.
    [#2572](https://github.com/Azure/PSRule.Rules.Azure/issues/2572)
    - To add a subnet exclusion, set the `AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG` option.
+  - Relax `Azure.Cognitive.ManagedIdentity` to required configurations by @BernieWhite.
+    [#2559](https://github.com/Azure/PSRule.Rules.Azure/issues/2559)
 - Engineering:
  - Bump xunit to v2.6.4.
    [#2618](https://github.com/Azure/PSRule.Rules.Azure/pull/2618)
--- a/docs/en/rules/Azure.Cognitive.ManagedIdentity.md
+++ b/docs/en/rules/Azure.Cognitive.ManagedIdentity.md
@ -1,8 +1,8 @@
 ---
-reviewed: 2023-10-01
+reviewed: 2024-01-03
 severity: Important
 pillar: Security
-category: Authentication
+category: SE:05 Identity and access management
 resource: Cognitive Services
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cognitive.ManagedIdentity/
 ---
@ -22,7 +22,7 @@ Using Azure managed identities have the following benefits:

 - You don't need to store or manage credentials.
  Azure automatically generates tokens and performs rotation.
- You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
+- You can use managed identities to authenticate to any Azure service that supports Entra ID (previously Azure AD) authentication.
 - Managed identities can be used without any additional cost.

 ## RECOMMENDATION
@ -52,7 +52,7 @@ For example:
  "sku": {
    "name": "S0"
  },
-  "kind": "CognitiveServices",
+  "kind": "TextAnalytics",
  "properties": {
    "publicNetworkAccess": "Disabled",
    "networkAcls": {
@ -73,7 +73,7 @@ To deploy accounts that pass this rule:
 For example:

 ```bicep
-resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
+resource language 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: name
  location: location
  identity: {
@ -82,7 +82,7 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  sku: {
    name: 'S0'
  }
-  kind: 'CognitiveServices'
+  kind: 'TextAnalytics'
  properties: {
    publicNetworkAccess: 'Disabled'
    networkAcls: {
@ -101,9 +101,16 @@ To address this issue at runtime use the following policies:
 /providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418
 ```

+## NOTES
+
+Configuration of additional Azure resources is not required for all Cognitive Services.
+This rule will run for the following Cognitive Services:
+
+- `TextAnalytics` - Language service.
+
 ## LINKS

- [Use identity-based authentication](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication#use-identity-based-authentication)
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#resource-identity)
 - [Azure Policy built-in policy definitions for Azure AI services](https://learn.microsoft.com/azure/ai-services/policy-reference)
 - [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/cognitive-services-security-baseline#im-1-use-centralized-identity-and-authentication-system)
 - [IM-3: Manage application identities securely and automatically](https://learn.microsoft.com/security/benchmark/azure/baselines/cognitive-services-security-baseline#im-3-manage-application-identities-securely-and-automatically)
--- a/docs/examples-cognitive.bicep
+++ b/docs/examples-cognitive.bicep
@ -9,13 +9,10 @@ param name string
@description('The location resources will be deployed.')
 param location string = resourceGroup().location

-// An example multi-service cognitive services account
+// An example multi-service cognitive services account.
 resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: name
  location: location
-  identity: {
-    type: 'SystemAssigned'
-  }
  sku: {
    name: 'S0'
  }
@ -28,3 +25,23 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
    disableLocalAuth: true
  }
 }
+
+// An example of the language services account.
+resource language 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
+  name: name
+  location: location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  sku: {
+    name: 'S0'
+  }
+  kind: 'TextAnalytics'
+  properties: {
+    publicNetworkAccess: 'Disabled'
+    networkAcls: {
+      defaultAction: 'Deny'
+    }
+    disableLocalAuth: true
+  }
+}
--- a/docs/examples-cognitive.json
+++ b/docs/examples-cognitive.json
@ -4,8 +4,8 @@
  "metadata": {
    "_generator": {
      "name": "bicep",
-      "version": "0.21.1.54444",
-      "templateHash": "17850178672994683728"
+      "version": "0.24.24.22086",
+      "templateHash": "4359857000491870165"
    }
  },
  "parameters": {
@ -29,9 +29,6 @@
      "apiVersion": "2023-05-01",
      "name": "[parameters('name')]",
      "location": "[parameters('location')]",
-      "identity": {
-        "type": "SystemAssigned"
-      },
      "sku": {
        "name": "S0"
      },
@ -43,6 +40,26 @@
        },
        "disableLocalAuth": true
      }
+    },
+    {
+      "type": "Microsoft.CognitiveServices/accounts",
+      "apiVersion": "2023-05-01",
+      "name": "[parameters('name')]",
+      "location": "[parameters('location')]",
+      "identity": {
+        "type": "SystemAssigned"
+      },
+      "sku": {
+        "name": "S0"
+      },
+      "kind": "TextAnalytics",
+      "properties": {
+        "publicNetworkAccess": "Disabled",
+        "networkAcls": {
+          "defaultAction": "Deny"
+        },
+        "disableLocalAuth": true
+      }
    }
  ]
 }
--- a/pipeline.build.ps1
+++ b/pipeline.build.ps1
@ -409,7 +409,7 @@ task BuildRuleDocs Build, Dependencies, {
            Recommendation = $_.Info.Recommendation
            Pillar = $_.Tag.'Azure.WAF/pillar'
            Control = $_.Tag.'Azure.MCSB.v1/control'
-            Source = "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/$(($_.Source.Path -split '/')[-1])"
+            Source = "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/$(($_.Source.Path -split '/', '\')[-1])"
        }
    }
    $metadata | ConvertTo-Json -Depth 5 | Set-Content -Path ./docs/es/rules/metadata.json -Force;
--- a/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.Cognitive.Rule.yaml
@ -40,13 +40,17 @@ metadata:
  tags:
    release: GA
    ruleSet: 2022_09
-    Azure.WAF/pillar: 'Security'
+    Azure.WAF/pillar: Security
  labels:
    Azure.MCSB.v1/control: [ 'IM-1', 'IM-3' ]
    Azure.Policy/id: /providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418
 spec:
  type:
  - Microsoft.CognitiveServices/accounts
+  where:
+    field: kind
+    in:
+    - TextAnalytics
  condition:
    field: Identity.Type
    in:
--- a/tests/PSRule.Rules.Azure.Tests/Azure.Cognitive.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.Cognitive.Tests.ps1
@ -33,7 +33,7 @@ Describe 'Azure.Cognitive' -Tag 'Cognitive' {
                ErrorAction = 'Stop'
            }
            $dataPath = Join-Path -Path $here -ChildPath 'Resources.Cognitive.json';
-            $result = Invoke-PSRule @invokeParams -InputPath $dataPath;
+            $result = Invoke-PSRule @invokeParams -InputPath $dataPath -Outcome All;
        }

        It 'Azure.Cognitive.PublicAccess' {
@ -58,14 +58,20 @@ Describe 'Azure.Cognitive' -Tag 'Cognitive' {
            # Fail
            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
            $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 2;
-            $ruleResult.TargetName | Should -BeIn 'luis-A', 'luis-A-authoring';
+            $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -BeIn 'textanalytics-A';

            # Pass
            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
            $ruleResult | Should -Not -BeNullOrEmpty;
+            $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -BeIn 'textanalytics-B';
+
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
+            $ruleResult | Should -Not -BeNullOrEmpty;
            $ruleResult.Length | Should -Be 2;
-            $ruleResult.TargetName | Should -BeIn 'textanalytics-A', 'textanalytics-B';
+            $ruleResult.TargetName | Should -BeIn 'luis-A', 'luis-A-authoring';
        }

        It 'Azure.Cognitive.DisableLocalAuth' {
@ -148,8 +154,14 @@ Describe 'Azure.Cognitive' -Tag 'Cognitive' {
            # Pass
            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
            $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 2;
-            $ruleResult.TargetName | Should -BeIn 'cognitive-01', 'cognitive-03';
+            $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -BeIn 'cognitive-03';
+
+            # None
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
+            $ruleResult | Should -Not -BeNullOrEmpty;
+            $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -BeIn 'cognitive-01';
        }

        It 'Azure.Cognitive.DisableLocalAuth' {
--- a/tests/PSRule.Rules.Azure.Tests/Resources.Cognitive.json
+++ b/tests/PSRule.Rules.Azure.Tests/Resources.Cognitive.json
--- a/tests/PSRule.Rules.Azure.Tests/cognitive.tests.bicep
+++ b/tests/PSRule.Rules.Azure.Tests/cognitive.tests.bicep
@ -32,10 +32,8 @@ resource account02 'Microsoft.CognitiveServices/accounts@2022-03-01' = {
  sku: {
    name: 'S0'
  }
-  kind: 'CognitiveServices'
-  properties: {
-
-  }
+  kind: 'TextAnalytics'
+  properties: {}
 }

 resource account03 'Microsoft.CognitiveServices/accounts@2022-03-01' = {
@ -47,7 +45,7 @@ resource account03 'Microsoft.CognitiveServices/accounts@2022-03-01' = {
  sku: {
    name: 'S0'
  }
-  kind: 'CognitiveServices'
+  kind: 'TextAnalytics'
  properties: {
    networkAcls: {
      defaultAction: 'Deny'
--- a/tests/PSRule.Rules.Azure.Tests/cognitive.tests.json
+++ b/tests/PSRule.Rules.Azure.Tests/cognitive.tests.json
@ -4,8 +4,8 @@
  "metadata": {
    "_generator": {
      "name": "bicep",
-      "version": "0.8.9.13224",
-      "templateHash": "11908813895130022399"
+      "version": "0.24.24.22086",
+      "templateHash": "18405374500797131306"
    }
  },
  "parameters": {
@ -13,7 +13,7 @@
      "type": "string",
      "defaultValue": "cognitive",
      "metadata": {
-        "description": "The name of the cognitive services account."
+        "description": "The name of the resource."
      }
    },
    "location": {
@ -53,7 +53,7 @@
      "sku": {
        "name": "S0"
      },
-      "kind": "CognitiveServices",
+      "kind": "TextAnalytics",
      "properties": {}
    },
    {
@ -67,7 +67,7 @@
      "sku": {
        "name": "S0"
      },
-      "kind": "CognitiveServices",
+      "kind": "TextAnalytics",
      "properties": {
        "networkAcls": {
          "defaultAction": "Deny"