[BUG] False positive 'remoteDebuggingEnabled'

[ThijmenDam]

Existing rule

No response

Description of the issue

Hi. If I am not mistaken, it appears that PSRule gives a false positive for the following Bicep and rule:

module functionApp 'br/public:avm/res/web/site:0.19.3' = {
  scope: resourceGroup(deployResourceGroupName)
  name: '${identifier}-${functionName}-${deploymentTimeStamp}'
  params: {
    ...
    kind: 'functionapp'
    siteConfig: {
      remoteDebuggingEnabled: false
      ...
    }
  }
}

...
{
    // Synopsis: Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.
    "apiVersion": "github.com/microsoft/PSRule/v1",
    "kind": "Rule",
    "metadata": {
      "name": "CUSTOM.Azure.Policy.b1dd94a330e4",
      "displayName": "Function apps should have remote debugging turned off",
      "tags": {
        "Azure.Policy/category": "App Service"
      },
      "annotations": {
        "Azure.Policy/id": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
        "Azure.Policy/version": "2.1.0"
      }
    },
    "spec": {
      "recommend": "Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.",
      "type": [
        "Microsoft.Web/sites"
      ],
      "with": [
        "PSRule.Rules.Azure\\Azure.Policy.Indexed"
      ],
      "where": {
        "allOf": [
          {
            "field": "kind",
            "contains": "functionapp"
          },
          {
            "field": "kind",
            "notContains": "workflowapp"
          },
          {
            "field": "kind",
            "notContains": "azurecontainerapps"
          }
        ]
      },
      "condition": {
        "field": "resources",
        "allOf": [
          {
            "field": "properties.remoteDebuggingEnabled",
            "equals": false,
            "convert": true
          }
        ],
        "where": {
          "type": ".",
          "equals": "Microsoft.Web/sites/config"
        }
      }
    }
  }
...

Error messages

    [FAIL] CUSTOM.Azure.Policy.b1dd94a330e4
    | Template: modules/serviceteam-function-stack/main.bicep:12760:28

    | RECOMMEND:
    | Remote debugging requires inbound ports to be opened on Function apps. Remote
    | debugging should be turned off.

    | REASON:
    | - Path properties.remoteDebuggingEnabled: The field 'properties.remoteDebuggingEnabled' does not exist.

Reproduction

1. Build br/public:avm/res/web/site:0.19.3 Bicep module with remoteDebugging set to false.
2. Validate custom rule mentioned above.

Version of PSRule

2.9.0

Version of PSRule for Azure

1.45.2

Additional context

No response

[BernieWhite]

Thanks for reporting the issue @ThijmenDam

[BernieWhite]

@ThijmenDam I'm not seeing the same behaviour based on:

targetScope = 'subscription'

module functionApp 'br/public:avm/res/web/site:0.19.3' = {
  scope: resourceGroup('rg-test')
  params: {
    name: 'test-app'
    serverFarmResourceId: appServicePlan.outputs.resourceId
    kind: 'functionapp'
    siteConfig: {
      remoteDebuggingEnabled: false
    }
  }
}

module appServicePlan 'br/public:avm/res/web/serverfarm:0.5.0' = {
  scope: resourceGroup('rg-test')
  params: {
    name: 'test-plan'
    location: 'eastus'
    kind: 'functionapp'
    skuName: 'Y1'
  }
}

Your provided rule passes with v1.45.2.

However, I did find a false negative condition if remoteDebuggingEnabled is set to true.

This occurs because the rule is looking for a sub-resource Microsoft.Web/sites/config but the AVM module doesn't set this resource instead if used properties.siteConfig which is an alternative way to set the same thing.

Can you confirm?

[BernieWhite]

What may be happening is it have other site configs that don't have the properties.remoteDebuggingEnabled property set.