In the first post of this series, I covered how to use the ARM Template Checker tool (part of the Secure DevOps Kit for Azure) to assess the security of Azure ARM templates in development and CICD stages of Azure IaC implementation.

In this second post, I’ll be showing you how to use another FREE tool by Microsoft called the ARM Template Test Toolkit (ARM-TTK) to assess the security of Azure IaC templates.

In the third post, I’ll show you how to use a FREE third-party tool called Checkov to achieve the same thing, but with support for more templating formats beyond ARM.

What is the ARM-TTK?

Unlike the ARM template checker of the Secure DevOps Kit, this tool is less focused on security. Its main focus is template compliance with recommended practices, but as we’ll see, those recommended practices also include security checks, even though security is not the primary focus of the tool.

If you’re familiar with the Azure Quickstart Templates repo on GitHub, this is the tool that Microsoft uses to continuously validate the compliance and security of those templates. The Microsoft Azure Marketplace team also uses this tool to validate all Azure Marketplace templates before they are published.

So what security checks can it assess by default?

What template formats can the tool assess?

Using the ARM-TTK in the development stage

The value of this use case is that IaC template authors and contributors can assess the security compliance of their contributions ad hoc.

1. Download test toolkit

As the module is not yet in the PowerShell Gallery, we need to download it from the GitHub repository and import the module into our PowerShell session.

Invoke-WebRequest -Uri -OutFile

Expand-Archive -LiteralPath ''

cd .\arm-ttk-latest\arm-ttk\

2. Import the module into your PowerShell session

Set-ExecutionPolicy Unrestricted

Note that Unrestricted is broader than this import needs; RemoteSigned is sufficient, and adding -Scope Process limits the change to the current PowerShell session instead of the whole machine.

Import-Module .\arm-ttk.psd1

3. Assess ARM templates ad-hoc

Test-AzTemplate -TemplatePath <template_path>

Test-AzTemplate -TemplatePath C:\Users\azureadmin\Downloads\templates\azuredeploy.json

4. Assessing multiple templates ad hoc

Test-AzTemplate -TemplatePath <template_folder_path>

When you provide the -TemplatePath parameter, the toolkit looks in that folder for a template named azuredeploy.json or maintemplate.json.

5. Interpreting results

6. Can we add our own custom tests? YES!!
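As an added example (not the page's own code or part of the toolkit), here is a hypothetical custom test that fails any storage account resource whose supportsHttpsTrafficOnly property is missing or false. It assumes the toolkit's convention for custom tests: a .test.ps1 script placed in arm-ttk\testcases\deploymentTemplate\, receiving the parsed template as $TemplateObject and reporting failures with Write-Error.

```powershell
# Hypothetical custom test file: Storage-Accounts-Must-Require-Https.test.ps1
# Assumed placement: arm-ttk\testcases\deploymentTemplate\ next to the built-in tests.
param(
    # Assumed convention: the toolkit passes the parsed template object to each test.
    [Parameter(Mandatory = $true)]
    [PSObject]$TemplateObject
)

# Recursively visit resources, including child resources nested under a parent.
function Get-AllResources {
    param([PSObject[]]$Resources)
    foreach ($resource in $Resources) {
        $resource
        if ($resource.resources) {
            Get-AllResources -Resources $resource.resources
        }
    }
}

foreach ($resource in (Get-AllResources -Resources $TemplateObject.resources)) {
    if ($resource.type -ne 'Microsoft.Storage/storageAccounts') { continue }

    $props = $resource.properties
    $value = $null
    if ($props -and $props.PSObject.Properties['supportsHttpsTrafficOnly']) {
        $value = $props.supportsHttpsTrafficOnly
    }

    # A template expression such as "[parameters('httpsOnly')]" cannot be
    # evaluated statically, so warn rather than fail in that case.
    if ($value -is [string] -and $value.StartsWith('[')) {
        Write-Warning "Storage account '$($resource.name)' sets supportsHttpsTrafficOnly from an expression; verify the value at deployment time"
        continue
    }

    # Missing or false means the account accepts plaintext HTTP traffic.
    if ($value -ne $true) {
        Write-Error "Storage account '$($resource.name)' does not set supportsHttpsTrafficOnly to true"
    }
}
```

Once the file is in place, the test runs with every other test on the next Test-AzTemplate call, or on its own through the -Test parameter shown in the next step.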

7. Selecting individual tests to run

Test-AzTemplate -TemplatePath $TemplateFolder -Test "<Name of Test to Run>"

For example:

Test-AzTemplate -TemplatePath $TemplateFolder -Test "Resources Should Have Location"

Using the ARM-TTK in the CICD stage

The value of this use case is continuous security validation of Azure ARM templates, which is useful for code review processes.

1. First, we need to install the ARM Test Toolkit Azure DevOps extension

2. Validate installation:

The installation adds a new task to our pipelines that we can use for security assessment.

3. We can then use the task in our pipelines

4. We can also publish the test results to our pipelines

5. Sample result
