[Fix] GR1 V6 and GR7 V3 Added appropriate messaging for uploaded file with incorrect extension and a few misc. update

.github/ISSUE_TEMPLATE/bug_report.md

@@ -10,6 +10,9 @@ assignees: ''
 **Describe the bug**
 A clear and concise description of what the bug is.
 
+**Azure CaC version**
+A version tag e.g. v2.1.2
+
 **To Reproduce**
 Steps to reproduce the behavior:
 1. Go to '...'
@@ -23,20 +26,23 @@ A clear and concise description of what you expected to happen.
 **Screenshots**
 If applicable, add screenshots to help explain your problem.
 
-**Desktop (please complete the following information):**
+**Additional context**
+Add any other context about the problem here
+
+
+**Other configuration (If applicable)**
+
+***Desktop (please complete the following information):***
  - OS: [e.g. iOS]
  - Browser [e.g. chrome, safari]
  - Version [e.g. 22]
 
-**Smartphone (please complete the following information if applicable):**
+***Smartphone (please complete the following information if applicable):***
  - Device: [e.g. iPhone6]
  - OS: [e.g. iOS8.1]
  - Browser [e.g. stock browser, safari]
  - Version [e.g. 22]
 
-**Software versions used:**
+***Software versions used:***
  - E.g. Azure CLI version [e.g. v2.23.0]
  - Azure Bicep version [e.g. v0.4.613]
-
-**Additional context**
-Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -7,9 +7,15 @@ assignees: ''
 
 ---
 
+**Azure CaC current version**
+A version tag e.g. v2.1.2
+
 **Is your feature request related to a problem? Please describe.**
 A clear and concise description of what the problem is. E.g. I'm always frustrated when [...]
 
+**screenshot**
+If applicable, add screenshots/visualization to help explain the feature.
+
 **Describe the solution you'd like**
 A clear and concise description of what you want to happen.
 

setup/IaC/modules/automationaccount.bicep

@@ -294,7 +294,7 @@ resource guardrailsAC 'Microsoft.Automation/automationAccounts@2021-06-22' = if
     properties: {
       contentLink: {
         uri: '${ModuleBaseURL}/Check-AllUserMFARequired.zip'
-        version: '1.0.3'
+        version: '1.0.4'
       }
     }
   }
@@ -349,7 +349,7 @@ resource guardrailsAC 'Microsoft.Automation/automationAccounts@2021-06-22' = if
     properties: {
       contentLink: {
         uri: '${ModuleBaseURL}/Check-ApplicationGatewayCertificateValidity.zip'
-        version: '1.0.2'
+        version: '1.0.3'
       }
     }
   }
@@ -369,7 +369,7 @@ resource guardrailsAC 'Microsoft.Automation/automationAccounts@2021-06-22' = if
     properties: {
       contentLink: {
         uri: '${ModuleBaseURL}/Check-DedicatedAdminAccounts.zip'
-        version: '1.0.2'
+        version: '1.0.3'
       }
     }
   }

src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-AllUserMFARequired.psd1

@@ -14,7 +14,7 @@
 RootModule = 'Check-AllUserMFARequired'
 
 # Version number of this module.
-ModuleVersion = '1.0.3'
+ModuleVersion = '1.0.4'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()

src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-AllUserMFARequired.psm1

@@ -117,15 +117,9 @@ function Check-AllUserMFARequired {
     }
     # Condition: Not all user UPNs are MFA enabled or MFA is not configured properly
     else {
-        # This will be used for debugging
-        if($userUPNsBadMFA.Count -eq 0){
-            Write-Error "Something is wrong as userUPNsBadMFA Count equals 0. This output should only execute if there is an error populating userUPNsBadMFA"
-        }
-        else {
-            $upnString = ($userUPNsBadMFA | ForEach-Object { $_.UPN }) -join ', '
-            $commentsArray = $msgTable.userMisconfiguredMFA -f $upnString
-            $IsCompliant = $false
-        }
+        $upnString = ($userUPNsBadMFA | ForEach-Object { $_.UPN }) -join ', '
+        $commentsArray = $msgTable.userMisconfiguredMFA -f $upnString
+        $IsCompliant = $false
     }
 
     $Comments = $commentsArray -join ";"

src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-DedicatedAdminAccounts.psd1

@@ -14,7 +14,7 @@
 RootModule = 'Check-DedicatedAdminAccounts'
 
 # Version number of this module.
-ModuleVersion = '1.0.2'
+ModuleVersion = '1.0.3'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()

src/GUARDRAIL 1 PROTECT USER ACCOUNTS AND IDENTITIES/Audit/Check-DedicatedAdminAccounts.psm1

@@ -35,6 +35,9 @@ function Check-DedicatedAdminAccounts {
     [bool] $IsCompliant = $false
     [string] $Comments = $null
 
+    # highly privileged Role names
+    $highlyPrivilegedAdminRoleNames = @("Global Administrator","Privileged Role Administrator")
+
     # Get the list of GA users (ACTIVE assignments)
     $urlPath = "/directoryRoles"
     try {
@@ -57,7 +60,7 @@ function Check-DedicatedAdminAccounts {
     $hpAdminUserAccounts = @()
 
     # # Filter the highly privileged Administrator role ID
-    $highlyPrivilegedAdminRole = $rolesResponse | Where-Object { $_.displayName -eq "Global Administrator" -or $_.displayName -eq "Privileged Role Administrator" }
+    $highlyPrivilegedAdminRole = $rolesResponse | Where-Object { $_.displayName -eq $highlyPrivilegedAdminRoleNames[0] -or $_.displayName -eq $highlyPrivilegedAdminRoleNames[1] }
     foreach ($role in  $highlyPrivilegedAdminRole){
         # Get directory roles for each user with the highly privileged admin access
 
@@ -143,95 +146,137 @@ function Check-DedicatedAdminAccounts {
     }
 
     $commentsArray = @()
-
-    # get UPN from the file
-    $blob = Get-AzStorageBlob -Container $ContainerName -Context $StorageAccount.Context -Blob $DocumentName_new -ErrorAction SilentlyContinue
+    $blobFound = $false
+    $baseFileNameFound = $false
 
-    if ($null -eq $blob) {            
+    # Get a list of filenames uploaded in the blob storage
+    $blobs = Get-AzStorageBlob -Container $ContainerName -Context $StorageAccount.Context
+    if ($null -eq $blobs) {            
         # a blob with the name $DocumentName was not located in the specified storage account
         $errorMsg = "Could not get blob from storage account '$storageAccountName' in resoruce group '$resourceGroupName' of `
         subscription '$subscriptionId'; verify that the blob exists and that you have permissions to it. Error: $_"
         $ErrorList.Add($errorMsg) 
-              
+
         $commentsArray += $msgTable.procedureFileNotFound -f $DocumentName[0], $ContainerName, $StorageAccountName
     }
-    else {
-        try {
-            $blobContent = $blob.ICloudBlob.DownloadText()| ConvertFrom-Csv
-        } catch {
-            $errorMsg = "Error downloading content from blob '$DocumentName_new': $_"
-            $ErrorList.Add($errorMsg)
-            Write-Error "Error: $errorMsg"                    
+    else{
+        $fileNamesList = @()
+        $blobs | ForEach-Object {
+            $fileNamesList += $_.Name
         }
-
-        if ($null -eq $blobContent -or $blobContent -ieq 'N/A' -or $blobContent -ieq 'NA') {
-            $commentsArray += $msgTable.invalidUserFile -f $DocumentName_new
-        } else {
-            # Blob content is present
-            $UserAccountUPNs = $blobContent 
+        $matchingFiles = $fileNamesList | Where-Object { $_ -in $DocumentName_new }
+        if ( $matchingFiles.count -lt 1 ){
+            # check if any fileName matches without the extension
+            $baseFileNames = $fileNamesList | ForEach-Object { ($_.Split('.')[0]) }
 
-            # if BG accounts present in the UPN list
-            $BGfound = $false
-            foreach ($user in $UserAccountUPNs) {
-                if ($user.HP_admin_account_UPN -like $FirstBreakGlassUPN  -or $user.regular_account_UPN -like $FirstBreakGlassUPN  -or `
-                    $user.HP_admin_account_UPN -like $SecondBreakGlassUPN  -or $user.regular_account_UPN -like $SecondBreakGlassUPN) {
-                    $BGfound = $true
-                    break
-                } 
+            $BaseFileNamesMatch = $baseFileNames | Where-Object { $_ -in $DocumentName  }
+            if ($BaseFileNamesMatch.Count -gt 0){
+                $baseFileNameFound = $true
             }
-            ## BG account in attestation file list
-            if ($BGfound) { 
-                $IsCompliant = $false
-                $commentsArray = $msgTable.isNotCompliant + " " + $msgTable.bgAccExistInUPNlist
+            else {
+                $blobFound = $false
+                $baseFileNameFound = $false
             }
-            else{
-                $hpUPNinRegFound = $false
-                $regUPNinPAFound = $false
-                $hpUPNnotGA = $false
-                # validate: check HP users ONLY have HP admin role assignments
-                foreach ($hpAdmin in $UserAccountUPNs.HP_admin_account_UPN){
-
-                    if ( $hpAdminUserAccounts.userPrincipalName -contains $hpAdmin){
-                        # each HP admin has active GA or PA role assignment
-                        if ($nonHPAdminUserAccounts.userPrincipalName -contains $hpAdmin){
-                            # not dedicated user UPN for admin
-                            $hpUPNinRegFound = $true
-                            break
-                        }
-                        else{
-                            # validate: regular accounts are non-GA/PA role assignments
-                            foreach ($regUPN in $UserAccountUPNs.regular_account_UPN){
-                                if ( $hpAdminUserAccounts.userPrincipalName -contains $regUPN){
-                                    $regUPNinPAFound = $true
-                                    break 
+        }
+        else {
+            # also covers the use case if more than 1 appropriate files are uploaded
+            $blobFound = $true
+        }
+    }
+
+    # Use case: uploaded fileName is correct but has wrong extension
+    if ($baseFileNameFound){
+        # a blob with the name $documentName was located in the specified storage account; however, the ext is not correct
+        $commentsArray += $msgTable.procedureFileNotFoundWithCorrectExtension -f $DocumentName[0], $ContainerName, $StorageAccountName
+    }
+    elseif ($blobFound){
+        # get UPN from the file
+        $blob = Get-AzStorageBlob -Container $ContainerName -Context $StorageAccount.Context -Blob $DocumentName_new
+        if ($blob) {            
+            ## blob found
+            try {
+                $blobContent = $blob.ICloudBlob.DownloadText()| ConvertFrom-Csv
+            } catch {
+                $errorMsg = "Error downloading content from blob '$DocumentName_new': $_"
+                $ErrorList.Add($errorMsg)
+                Write-Error "Error: $errorMsg"                    
+            }
+
+            if ($null -eq $blobContent -or $blobContent -ieq 'N/A' -or $blobContent -ieq 'NA') {
+                $commentsArray += $msgTable.invalidUserFile -f $DocumentName_new
+
+            } else {
+                # Blob content is present
+                $UserAccountUPNs = $blobContent 
+
+                # if BG accounts present in the UPN list
+                $BGfound = $false
+                foreach ($user in $UserAccountUPNs) {
+                    if ($user.HP_admin_account_UPN -like $FirstBreakGlassUPN  -or $user.regular_account_UPN -like $FirstBreakGlassUPN  -or `
+                        $user.HP_admin_account_UPN -like $SecondBreakGlassUPN  -or $user.regular_account_UPN -like $SecondBreakGlassUPN) {
+                        $BGfound = $true
+                        break
+                    } 
+                }
+                ## BG account in attestation file list
+                if ($BGfound) { 
+                    $IsCompliant = $false
+                    $commentsArray = $msgTable.isNotCompliant + " " + $msgTable.bgAccExistInUPNlist
+                }
+                else{
+                    $hpUPNinRegFound = $false
+                    $regUPNinPAFound = $false
+                    $hpUPNnotGA = $false
+                    # validate: check HP users ONLY have HP admin role assignments
+                    foreach ($hpAdmin in $UserAccountUPNs.HP_admin_account_UPN){
+
+                        if ( $hpAdminUserAccounts.userPrincipalName -contains $hpAdmin){
+                            # each HP admin has active GA or PA role assignment
+                            if ($nonHPAdminUserAccounts.userPrincipalName -contains $hpAdmin){
+                                # not dedicated user UPN for admin
+                                $hpUPNinRegFound = $true
+                                break
+                            }
+                            else{
+                                # validate: regular accounts are non-GA/PA role assignments
+                                foreach ($regUPN in $UserAccountUPNs.regular_account_UPN){
+                                    if ( $hpAdminUserAccounts.userPrincipalName -contains $regUPN){
+                                        $regUPNinPAFound = $true
+                                        break 
+                                    }
                                 }
                             }
                         }
+                        else{
+                            # listed admin UPN doesn't have active GA
+                            $hpUPNnotGA = $true
+                            break
+                        }
+                    }
+
+                    if($hpUPNinRegFound){
+                        $IsCompliant = $false
+                        $commentsArray = $msgTable.isNotCompliant + " " + $msgTable.dedicatedAdminAccNotExist
+                    }
+                    elseif($regUPNinPAFound){
+                        $IsCompliant = $false
+                        $commentsArray = $msgTable.isNotCompliant + " " + $msgTable.regAccHasHProle
                     }
                     else{
-                        # listed admin UPN doesn't have active GA
-                        $hpUPNnotGA = $true
-                        break
+                        $IsCompliant = $true
+                        $commentsArray = $msgTable.isCompliant + " " + $msgTable.dedicatedAccExist
+                    }
+                    if( $hpUPNnotGA){
+                        $commentsArray += " " + $msgTable.hpAccNotGA
                     }
-                }
-
-                if($hpUPNinRegFound){
-                    $IsCompliant = $false
-                    $commentsArray = $msgTable.isNotCompliant + " " + $msgTable.dedicatedAdminAccNotExist
-                }
-                elseif($regUPNinPAFound){
-                    $IsCompliant = $false
-                    $commentsArray = $msgTable.isNotCompliant + " " + $msgTable.regAccHasHProle
-                }
-                else{
-                    $IsCompliant = $true
-                    $commentsArray = $msgTable.isCompliant + " " + $msgTable.dedicatedAccExist
-                }
-                if( $hpUPNnotGA){
-                    $commentsArray += $msgTable.hpAccNotGA
                 }
             }
-        }
+        }       
+    }
+    else {
+        # a blob with the name $DocumentName was not located in the specified storage account    
+        $commentsArray += $msgTable.procedureFileNotFound -f $DocumentName[0], $ContainerName, $StorageAccountName
+
     }
 
     $Comments = $commentsArray -join ";"

src/GUARDRAIL 7 PROTECTION OF DATA-IN-TRANSIT/Audit/Check-ApplicationGatewayCertificateValidity.psd1

@@ -14,7 +14,7 @@
 RootModule = 'Check-ApplicationGatewayCertificateValidity'
 
 # Version number of this module.
-ModuleVersion = '1.0.2'
+ModuleVersion = '1.0.3'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()