Added Azure.PostgreSQL.AADOnly (#2246)

* Added Azure.PostgreSQL.AADOnly * Update CHANGELOG-v1.md * Add tenant id * Add tenant id * Update change log * Fix typo --------- Co-authored-by: Bernie White <bewhite@microsoft.com>
2023-06-03 08:34:20 +02:00 · 2023-06-03 08:34:20 +02:00 · 26a0614f94
--- a/docs/CHANGELOG-v1.md
+++ b/docs/CHANGELOG-v1.md
@ -30,6 +30,9 @@ What's changed since v1.27.1:
  - Azure Database for MySQL:
    - Check that Azure AD authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset.
      [#2226](https://github.com/Azure/PSRule.Rules.Azure/issues/2226)
+  - Azure Database for PostgreSQL:
+    - Check that Azure AD-only authentication is configured for Azure Database for PostgreSQL databases by @BenjaminEngeset.
+      [#2250](https://github.com/Azure/PSRule.Rules.Azure/issues/2250)

 ## v1.27.1

--- a/docs/en/rules/Azure.PostgreSQL.AADOnly.md
+++ b/docs/en/rules/Azure.PostgreSQL.AADOnly.md
@ -0,0 +1,94 @@
+---
+severity: Important
+pillar: Security
+category: Identity and access management
+resource: Azure Database for PostgreSQL
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.PostgreSQL.AADOnly/
+---
+
+# Azure AD-only authentication
+
+## SYNOPSIS
+
+Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.
+
+## DESCRIPTION
+
+Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Azure AD authentication.
+
+By default, authentication with PostgreSQL logins is enabled.
+PostgreSQL logins are unable to provide sufficient protection for identities.
+Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.
+
+Once you decide to use Azure AD authentication, you can disable authentication with PostgreSQL logins.
+
+Azure AD-only authentication is only supported for the flexible server deployment model.
+
+## RECOMMENDATION
+
+Consider using Azure AD-only authentication.
+Also consider using Azure Policy for Azure AD-only authentication with Azure Database for PostgreSQL.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy Azure Database for PostgreSQL flexible servers that pass this rule:
+
+- Set the `properties.authConfig.activeDirectoryAuth` property to `true`.
+- Set the `properties.authConfig.passwordAuth` property to `false`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.DBforPostgreSQL/flexibleServers",
+  "apiVersion": "2022-12-01",
+  "name": "[parameters('serverName')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "authConfig": {
+      "activeDirectoryAuth": "Enabled",
+      "passwordAuth": "Disabled",
+      "tenantId": "[parameters('tenantId')]"
+    }
+  }
+}
+```
+
+### Configure with Bicep
+
+To deploy Azure Database for PostgreSQL flexible servers that pass this rule:
+
+- Set the `properties.authConfig.activeDirectoryAuth` property to `true`.
+- Set the `properties.authConfig.passwordAuth` property to `false`.
+
+For example:
+
+```bicep
+resource postgreSqlFlexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
+  name: serverName
+  location: location
+  properties: {
+    authConfig: {
+      activeDirectoryAuth: 'Enabled'
+      passwordAuth: 'Disabled'
+      tenantId: tenantId
+    }
+  }
+}
+```
+
+## NOTES
+
+The Azure AD admin must be set before enabling Azure AD-only authentication.
+Azure AD-only authentication is only suppored for the flexible server deployment model.
+
+## LINKS
+
+- [Use modern password protection](https://learn.microsoft.com/azure/architecture/framework/security/design-identity-authentication#use-modern-password-protection)
+- [Use Azure AD for authentication with Azure Database for PostgreSQL - Flexible Server](https://learn.microsoft.com/azure/postgresql/flexible-server/how-to-configure-sign-in-azure-ad-authentication)
+- [Azure Active Directory Authentication (Single Server VS Flexible Server)](https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-azure-ad-authentication#azure-active-directory-authentication-single-server-vs-flexible-server)
+- [Azure security baseline for Azure Database for PostgreSQL - Flexible Server](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-database-for-postgresql-flexible-server-security-baseline)
+- [IM-1: Use centralized identity and authentication system](https://learn.microsoft.com/security/benchmark/azure/baselines/azure-database-for-postgresql-flexible-server-security-baseline#im-1-use-centralized-identity-and-authentication-system)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/flexibleservers#authconfig)
--- a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.yaml
@ -22,7 +22,7 @@ metadata:
    Azure.MCSB.v1/control: 'NS-2'
 spec:
  type:
-  - Microsoft.DBforPostgreSQL/servers
+    - Microsoft.DBforPostgreSQL/servers
  condition:
    field: properties.sslEnforcement
    equals: Enabled
@ -42,9 +42,32 @@ metadata:
    Azure.MCSB.v1/control: 'DP-3'
 spec:
  type:
-  - Microsoft.DBforPostgreSQL/servers
+    - Microsoft.DBforPostgreSQL/servers
  condition:
    field: properties.minimalTlsVersion
    equals: TLS1_2

+---
+# Synopsis: Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.
+apiVersion: github.com/microsoft/PSRule/v1
+kind: Rule
+metadata:
+  name: Azure.PostgreSQL.AADOnly
+  ref: AZR-000390
+  tags:
+    release: GA
+    ruleSet: 2023_06
+    Azure.WAF/pillar: Security
+  labels:
+    Azure.MCSB.v1/control: IM-1
+spec:
+  type:
+    - Microsoft.DBforPostgreSQL/flexibleServers
+  condition:
+    allOf:
+      - field: properties.authConfig.activeDirectoryAuth
+        equals: Enabled
+      - field: properties.authConfig.passwordAuth
+        equals: Disabled
+
 #endregion Region
--- a/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1
@ -161,6 +161,23 @@ Describe 'Azure.PostgreSQL' -Tag 'PostgreSQL' {
            $ruleResult.Length | Should -Be 1;
            $ruleResult.TargetName | Should -BeIn 'server-C';
        }
+
+        It 'Azure.PostgreSQL.AADOnly' {
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.PostgreSQL.AADOnly' };
+            
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+            $ruleResult | Should -Not -BeNullOrEmpty;
+            $ruleResult.Length | Should -Be 2;
+            $ruleResult.TargetName | Should -BeIn 'server-D', 'server-E';
+            $ruleResult.Detail.Reason.Path | Should -BeIn 'properties.authConfig.activeDirectoryAuth'
+
+            # Pass
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+            $ruleResult | Should -Not -BeNullOrEmpty;
+            $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -BeIn 'server-F';
+        }
    }

    Context 'Resource name - Azure.PostgreSQL.ServerName' {
--- a/tests/PSRule.Rules.Azure.Tests/Resources.PostgreSQL.json
+++ b/tests/PSRule.Rules.Azure.Tests/Resources.PostgreSQL.json
@ -333,6 +333,11 @@
    "Name": "server-E",
    "Properties": {
      "administratorLogin": "db-admin",
+      "authConfig": {
+        "activeDirectoryAuth": "Disabled",
+        "passwordAuth": "Enabled",
+        "tenantId": "00000000-0000-0000-0000-000000000000"
+      },
      "storage": {
        "storageSizeGB": 20
      },
@ -363,6 +368,11 @@
    "Name": "server-F",
    "Properties": {
      "administratorLogin": "db-admin",
+      "authConfig": {
+        "activeDirectoryAuth": "Enabled",
+        "passwordAuth": "Disabled",
+        "tenantId": "00000000-0000-0000-0000-000000000000"
+      },
      "storage": {
        "storageSizeGB": 20
      },