[BUG] GuardianErrorExitCodeException: templateanalyzer completed with an Error exit code: 21. Error: An error was encountered trying to analyze a template
apalich opened this issue · 8 comments
Describe the bug
Trying to set up a Defender for DevOps workflow for an IaC repo, but the workflow fails with this error:
Error: Error running tool 1 of 2: templateanalyzer
Error: Error running templateanalyzer job: 1 of 1
Error: GuardianErrorExitCodeException: templateanalyzer completed with an Error exit code: 21. Error: An error was encountered trying to analyze a template
Error: BreakException: Guardian detected one or more breaking results.
Error: Error: The process 'D:\a_msdo\versions\microsoft.security.devops.cli\0.171.1\tools\guardian.cmd' failed with exit code 1
The template has two files: main.bicep with all the config and main.parameter.json for the parameters.
1 instance of: An exception occurred while analyzing template D:\a\til-iac\til-iac\bicep\products\energy-demand\main.json with parameters file D:\a\my project\main.parameters.json
Expected behavior
Template Analyzer shouldn't fail.
Reproduction Steps
- Create a project folder with a Main.bicep template
- Create a parameters file with parameters, for example:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "tags": {
      "value": {
        "APPID": "AP0000",
        "Application Name": "name",
        "Business Function": "Azure Resources",
        "Application Owner": "name",
        "Data Classification": "Internal Information",
        "Regulatory Controlled Information": "N/A",
        "Application Criticality": "N/A",
        "TIS Portfolio Executive": "Name",
        "Environment Type": "de",
        "Business Criticality": "Level 4 - Deferrable",
        "Primary Business Capability": "Data Services",
        "Support Group": "Support Group",
        "TIS Application Owner": "name"
      }
    }
  }
}
Environment
No response
Getting the exact same issue when we tried to integrate this with our bicep repos today.
We did see some exceptions in the log...
Warning: An exception occurred while evaluating the properties of the resource named [variables('varTemplateIdentityRoleAssignmentName')]
Which correlates to this (and is perfectly valid):
var varTemplateIdentityRoleAssignmentName = guid(resTemplateIdentity.id, resourceGroup().id, resTemplateIdentityRoleDefinition.id)
... and is only used as the resource name:
resource resTemplateRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: varTemplateIdentityRoleAssignmentName
  properties: {
    roleDefinitionId: resTemplateIdentityRoleDefinition.id
    principalId: resTemplateIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
Warning: An exception occurred while evaluating the properties of the resource named [format('{0}ImageTemplate', variables('varDeployPrefix'))]
Which correlates to this:
var varDeployPrefix = 'DeployBuildAgent-'
... and is only used for deployment names:
module modTemplateIdentity './gallery.templateidentity.bicep' = {
  scope: resAzComputeRg
  name: '${varDeployPrefix}TemplateIdentity'
  params: {
    paramTemplateIdentityName: varTemplateIdentityName
    paramLocation: paramLocation
    paramTags: paramTags
  }
}
Thanks for reporting this issue, we will investigate.
Any updates on this? This is completely breaking the functionality of the Defender for DevOps pipeline task in Azure DevOps, as we have to skip the templateanalyzer tool - which is the most important tool for IaC in Azure.
Same here:
Error: Error running tool 1 of 2: templateanalyzer
Error: Error running templateanalyzer job: 1 of 1
Error: GuardianErrorExitCodeException: templateanalyzer completed with an Error exit code: 21. Error: An error was encountered trying to analyze a template
Leaving BaseCommand`1.HandledRun()
Leaving BaseStartup.Run(options)
shouldBreak = True
Error: BreakException: Guardian detected one or more breaking results.
Bicep deploys without errors.
We are using main.bicep, a parameters file and a module that deploys a storage account / blob / container. The storage resources are nested and we have some if/then/else logic to send each storage account to the appropriate subscription.
Has this been fixed in the new version 0.7.0? Has anyone verified?
If anyone can verify, I will suggest in the Azure DevOps Security extension that they upgrade to the latest version (https://github.com/microsoft/security-devops-action/issues). Currently they use v. 0.5.2 as per the NuGet package here: https://nuget.info/packages/Microsoft.Security.DevOps.Cli/0.199.0 - which obviously still has this problem.
Hi, the most recent release of template analyzer (0.7.0) has updates for various dependencies, most specifically bicep, which may resolve some of the issues in this thread. This will be coming out for the DevOps CLI soon as well.
However, it's likely some of the issues in this thread are related to existing issues around template parameters, e.g.: #296, #314.
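Since the maintainer points at parameter-file issues as a likely cause, a cheap pre-check before the analyzer runs is to compare the parameters file against the parameters declared in the compiled template (the main.json that `bicep build` emits). This is an added example, not code from the thread or from Template Analyzer; the template and parameters JSON below are constructed samples, and the structure mirrors the parameters file posted in the issue.

```python
import json

# Constructed sample of a compiled ARM template (what `bicep build` emits).
TEMPLATE_JSON = """{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "tags": {"type": "object"},
    "location": {"type": "string", "defaultValue": "[resourceGroup().location]"},
    "storageName": {"type": "string"}
  },
  "resources": []
}"""

# Constructed sample parameters file in the same schema as the one in the issue,
# deliberately supplying an undeclared parameter and omitting a required one.
PARAMS_JSON = """{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "tags": {"value": {"APPID": "AP0000", "Environment Type": "de"}},
    "region": {"value": "westeurope"}
  }
}"""


def check_parameters(template_text, params_text):
    """Compare a parameters file against a compiled template.

    Returns sorted name lists for: required template parameters that are not
    supplied, supplied parameters the template does not declare, and supplied
    parameters carrying neither a 'value' nor a Key Vault 'reference'.
    """
    declared = json.loads(template_text).get("parameters", {})
    supplied = json.loads(params_text).get("parameters", {})
    required = {n for n, d in declared.items() if "defaultValue" not in d}
    return {
        "missing": sorted(required - supplied.keys()),
        "undeclared": sorted(supplied.keys() - declared.keys()),
        "no_value": sorted(n for n, v in supplied.items()
                           if "value" not in v and "reference" not in v),
    }


def has_problems(findings):
    """True when any finding list is non-empty; use to fail fast in CI."""
    return any(findings.values())


if __name__ == "__main__":
    for kind, names in check_parameters(TEMPLATE_JSON, PARAMS_JSON).items():
        if names:
            print(f"{kind}: {', '.join(names)}")
```

Running it on the samples reports `missing: storageName` and `undeclared: region`, which is the kind of mismatch worth ruling out before treating an analyzer exit code 21 as a tool bug.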
Unfortunately, the new TemplateAnalyzer 0.7.0 which is part of the (now fixed) Microsoft.Security.DevOps.Cli 0.204.0, still has exactly the same issue.
Nor in Microsoft.Security.DevOps.Cli 0.205.0, though that was expected as it is still using TemplateAnalyzer 0.7.0.