Skip to content

Secret value in deployment output#

Security · Deployment · Rule · 2022_12 · Critical

Do not use Outer deployments when references SecureString or SecureObject parameters.

Description#

Template child deployments can be scoped as either outer or inner. When using outer scope evaluated deployments, parameters from the parent template are used directly within nested templates instead of enforcing secureString and secureObject types.

When passing secure values to nested deployments always use inner scope deployments to ensure secure values are not logging. Bicep modules always use inner scope evaluated deployments.

Recommendation#

Consider using inner deployments to prevent secure values from being exposed.

Examples#

Configure with Azure template#

Nested Deployments within an ARM template need the property expressionEvaluationOptions.Scope to be set to inner.

Azure Template snippet
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminUsername": {
            "type": "securestring",
            "defaultValue": "admin"
        }
    },
    "resources": [
         {
            "name": "nestedDeployment-A",
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2020-10-01",
            "properties": {
                "expressionEvaluationOptions": {
                    "scope": "inner"
                },
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                        "adminUsername": {
                            "type": "securestring",
                            "defaultValue": "password"
                        }
                    },
                    "variables": {},
                    "resources": [
                        {
                            "apiVersion": "2019-12-01",
                            "type": "Microsoft.Compute/virtualMachines",
                            "name": "vm-example",
                            "location": "australiaeast",
                            "properties": {
                                "osProfile": {
                                    "computerName": "vm-example",
                                    "adminUsername": "[parameters('adminUsername')]"
                                }
                            }
                        }
                    ]
                }
            }
        }
    ]
}

Configure with Bicep#

Bicep templates will do this by default when performing nested deployments.

Comments