Bug Report (Repeat of 1627: Security Contact failing compliance)

[a11smiles]

Guys, it's a repeat of #1627.

I've got emails and notifications set, but subscriptions are still failing compliance for no Security Contacts set. I've also confirmed in the UI that the emails and notifications have been set.

Here's my Terraform:

resource "azapi_resource" "SecurityContacts" {
    type = "Microsoft.Security/securityContacts@2023-12-01-preview"
  name = "default"
  location = "West Europe"
  parent_id = data.azurerm_subscription.current.id
  body = {
    properties = {
      emails = join(";", var.security_contacts)
      
      isEnabled = true
      notificationsByRole = {
        roles = []
        state = "Off"
      }
      notificationsSources = [
        {
          sourceType = "AttackPath"
          minimalRiskLevel = "Critical"
        },
        {
          sourceType = "Alert"
          minimalSeverity = "High"
        }
      ]
    }
  }

  schema_validation_enabled = false
}

Additionally:

(Invoke-AzRestMethod -Method 'Get' -Path ('/subscriptions/7dfd****/providers/Microsoft.Security/securityContacts?api-version=2023-12-01-preview')).Content | ConvertFrom-Json -Depth 10 | ConvertTo-Json -Depth 10
{
  "value": [
    {
      "properties": {
        "notificationsSources": [
          {
            "minimalRiskLevel": "Critical",
            "sourceType": "AttackPath"
          },
          {
            "minimalSeverity": "High",
            "sourceType": "Alert"
          }
        ],
        "isEnabled": true,
        "notificationsByRole": {
          "state": "Off",
          "roles": []
        },
        "emails": "(redacted)",
        "phone": ""
      },
      "id": "/subscriptions/7dfd****/providers/Microsoft.Security/securityContacts/default",
      "name": "default",
      "type": "Microsoft.Security/securityContacts",
      "etag": "\"19044f43-0000-0d00-0000-6877d1800000\"",
      "location": "West Europe"
    }
  ]
}

[a11smiles]

So, I found the problem.

The issue is because of these lines in the policy: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/ab15ee3230ee66923ed6f757b373487b43c109e5/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_asc_securitycontacts.json#L133-L138

                    "notificationsSources": [
                      {
                        "sourceType": "Alert",
                        "minimalSeverity": "[parameters('minimalSeverity')]"
                      }
                    ]

In my configuration above, I've not only configured the Alert notification source but also the AttackPath. This is what's causing the non-compliance. Here's why:

Notice that the AttackPath does not have a minimumSeverity. Instead, it has a minimumRiskLevel. So, when the attack path is set, an array is returned: [null, High] vs. the expected (compliant) result of High. When I disable the attack path notification, the policy passes.

See the image below for when the attack path is set.

In the end, it looks like the provider's API isn't filtering out based on sourceType: Alert but returning both (Alert and Attack Path) if they are set, which is causing the issue.

[Springstone]

@a11smiles thanks for reporting and the detailed analysis. The team that owns this feature is notorious for making breaking changes to the API and don't follow API versioning properly. Will add this to the backlog and get it fixed in the next refresh.