How can we add ARM files to the Git repo?

Azure DevOps Repository

Everything starts with the repository located on the Azure DevOps site: ARM-Repo. After cloning the repository, you can add the required files to the Repo directory.

EelcoLabordus/ARM-Repo (github.com)

This blog post is part of a series of posts about “Building an ARM Repository.”

Layout of the directory

The directory needs to contain the following files to publish an ARM template into Azure Template Specs.

  • [Name].json
  • [Name].ARMTTKSkipControls.csv
  • [Name].AzSSkipControlsFromFile.csv
  • [Name].metadata.json

[Name].json

This is the ARM template itself: it contains the ARM code that will be deployed.

[Name].ARMTTKSkipControls.csv

For more information about creating an ARM-TTK skip file, read the following: Checking ARM files for ARM-TTK

apiVersions-Should-Be-Recent
DeploymentTemplate-Must-Not-Contain-Hardcoded-Uri
Location-Should-Not-Be-Hardcoded
Secure-String-Parameters-Cannot-Have-Default

TIP

First run the build once to see which checks fail, then fix them and/or copy those checks from the result logs of the build run.

[Name].AzSSkipControlsFromFile.csv

For more information about creating an AzSK skip file, read the following: Checking ARM files for Security

"ControlId","FeatureName","Status","SupportedResources","Severity","PropertyPath","LineNumber","CurrentValue","ExpectedProperty","ExpectedValue","ResourcePath","ResourceLineNumber","Description","FilePath"
"Azure_VNet_NetSec_Justify_IPForwarding_for_NICs","VirtualNetworkInterface","Failed","Microsoft.Network/networkInterfaces","High","Not found","-1","","$.properties.enableIPForwarding","'False'","resources[0]","236","Use of IP Forwarding on any NIC in a virtual network should be scrutinized",".\ActiveDirectoryServerDeploy.json"
"Azure_VNet_NetSec_Configure_NSG","VirtualNetworkInterface","Failed","Microsoft.Network/networkInterfaces","Medium","Not found","-1","","$.properties.networkSecurityGroup.id","Non-null string","resources[0]","236","NSG should be used for subnets in a virtual network to permit traffic only on required inbound/outbound ports. NSGs should not have a rule to allow any-to-any traffic",".\ActiveDirectoryServerDeploy.json"

TIP

First run the build once to see which checks fail, then fix them and/or copy those checks from the result logs of the build run.

[Name].metadata.json

This file contains all the information needed to publish the ARM template to Azure Template Specs: the name of the template, its description and its display name.

{
    "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#",
    "itemDisplayName": "HIP_Active_Directory_Domain_Services",
    "type": "QuickStart",
    "description": "This VmRole will allow you to deploy an 2012R2, 2016 or 2019 Domain Controller server in one of the following scenarios: 1.Create a new forest, 2. Create a new child domain at an existing forest, 3. Add a DC to an existing domain. Only the first two scenarios will setup a new AD domain and prepopulated it with default AD objects. More detailed information (only accessible from Externbeheer) of this role can be found at: SMS Sharepoint / Architecture / Hybrid Datacenter / Active Directory Domain Services / Active Directory Domain Services - Technical Design.docx. DSC will be used for final configuration. The following features are installed: 'AD-Domain-Services','DNS','GPMC','RSAT-File-Services'. OS: Windows 2012R2, Windows 2016 and Windows 2019 compatible.",
    "summary": "HIP_Active_Directory_Domain_Services",
    "githubUsername": "EelcoLabordus",
    "dateUpdated": "09-02-2020"
}
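As an added example (not code from this post or from the ARM-Repo project), the following Python script checks a cloned repo directory against the four-file layout described above before the files are committed: it lists every template that is missing a companion file, reports metadata keys that are empty, and pulls the skipped checks out of both skip files so a reviewer can see which security controls are being excluded. It assumes (none of this is stated in the post) that the directory is flat, that itemDisplayName, description and summary are the mandatory metadata keys, and that a skipped AzSK control of severity High or Critical should be flagged for explicit sign-off rather than silently excluded; the sample repo it writes to a temporary directory is constructed, reusing the post's AzSK column header.

```python
import csv
import json
import tempfile
from pathlib import Path

# Companion files every [Name].json needs, per the directory layout above.
COMPANION_SUFFIXES = (
    ".ARMTTKSkipControls.csv",
    ".AzSSkipControlsFromFile.csv",
    ".metadata.json",
)
# Metadata keys the post names (name, description, display name); mandatory here (assumption).
REQUIRED_METADATA = ("itemDisplayName", "description", "summary")
# Skipped AzSK controls at these severities are flagged for sign-off (assumption, not from the post).
REVIEW_SEVERITIES = {"High", "Critical"}


def find_templates(repo_dir):
    """Return template base names: every *.json that is not a *.metadata.json."""
    return [
        p.name[: -len(".json")]
        for p in sorted(Path(repo_dir).glob("*.json"))
        if not p.name.endswith(".metadata.json")
    ]


def read_armttk_skips(path):
    """ARM-TTK skip file: one test name per line, blank lines ignored."""
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


def read_azsk_skips(path):
    """AzSK skip file: quoted CSV with the header row shown in the post."""
    with open(path, encoding="utf-8", newline="") as fh:
        return list(csv.DictReader(fh))


def audit_template(repo_dir, name):
    """Check one template's file set and return the findings as a dict."""
    repo = Path(repo_dir)
    findings = {"missing": [], "metadata_missing": [], "armttk_skips": [], "azsk_review": []}
    for suffix in COMPANION_SUFFIXES:
        if not (repo / f"{name}{suffix}").is_file():
            findings["missing"].append(f"{name}{suffix}")
    meta_path = repo / f"{name}.metadata.json"
    if meta_path.is_file():
        meta = json.loads(meta_path.read_text(encoding="utf-8"))
        findings["metadata_missing"] = [k for k in REQUIRED_METADATA if not meta.get(k)]
    ttk_path = repo / f"{name}.ARMTTKSkipControls.csv"
    if ttk_path.is_file():
        findings["armttk_skips"] = read_armttk_skips(ttk_path)
    azsk_path = repo / f"{name}.AzSSkipControlsFromFile.csv"
    if azsk_path.is_file():
        # Only the skipped controls that need a reviewer's attention are listed.
        findings["azsk_review"] = [
            (row["ControlId"], row["Severity"])
            for row in read_azsk_skips(azsk_path)
            if row.get("Severity") in REVIEW_SEVERITIES
        ]
    return findings


def audit_repo(repo_dir):
    """Audit every template in the directory; keys are template base names."""
    return {name: audit_template(repo_dir, name) for name in find_templates(repo_dir)}


# Constructed sample AzSK skip file that reuses the post's column header.
AZSK_SAMPLE = (
    '"ControlId","FeatureName","Status","SupportedResources","Severity","PropertyPath",'
    '"LineNumber","CurrentValue","ExpectedProperty","ExpectedValue","ResourcePath",'
    '"ResourceLineNumber","Description","FilePath"\n'
    '"Azure_VNet_NetSec_Justify_IPForwarding_for_NICs","VirtualNetworkInterface","Failed",'
    '"Microsoft.Network/networkInterfaces","High","Not found","-1","","$.properties.enableIPForwarding",'
    '"\'False\'","resources[0]","236","IP Forwarding on a NIC should be scrutinized",".\\Demo.json"\n'
    '"Azure_VNet_NetSec_Configure_NSG","VirtualNetworkInterface","Failed",'
    '"Microsoft.Network/networkInterfaces","Medium","Not found","-1","","$.properties.networkSecurityGroup.id",'
    '"Non-null string","resources[0]","236","NSG should be used for subnets",".\\Demo.json"\n'
)


def build_sample_repo():
    """Write a constructed repo to a temp dir: 'Demo' is complete, 'Partial' is not."""
    d = Path(tempfile.mkdtemp(prefix="arm-repo-"))
    (d / "Demo.json").write_text('{"resources": []}', encoding="utf-8")
    (d / "Demo.ARMTTKSkipControls.csv").write_text(
        "apiVersions-Should-Be-Recent\nLocation-Should-Not-Be-Hardcoded\n", encoding="utf-8")
    (d / "Demo.AzSSkipControlsFromFile.csv").write_text(AZSK_SAMPLE, encoding="utf-8")
    (d / "Demo.metadata.json").write_text(json.dumps(
        {"itemDisplayName": "Demo", "description": "Constructed sample", "summary": "Demo"}), encoding="utf-8")
    (d / "Partial.json").write_text('{"resources": []}', encoding="utf-8")
    (d / "Partial.metadata.json").write_text('{"itemDisplayName": "Partial"}', encoding="utf-8")
    return str(d)


if __name__ == "__main__":
    for name, findings in audit_repo(build_sample_repo()).items():
        print(name, json.dumps(findings, indent=2))
```

Running the script prints a clean result for Demo (no missing files, two ARM-TTK tests skipped, one High-severity AzSK control flagged for review) and, for Partial, the two missing skip files plus the empty description and summary keys. Pointing audit_repo at a real clone of the Repo directory gives the same report for every template in it.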

ARM validation Reports

Before you can add an exclusion for the ARM checks, you first need to run the build once. When the build finishes it will fail on the ARM check stage.

When you select the failed job, three dots appear on the right side. Click them and choose “Download Logs”. Download the zip file and extract it.

After downloading the job logs, extract them and open the files where the test results are stored. You can use this information to improve your template (preferred) or to create exclusions for it.
