
URIs Should Be Properly Constructed Triggers When Referencing KeyVault Secret #724

Open
aolszowka opened this issue Dec 21, 2022 · 2 comments

Comments

@aolszowka

Similar issues related to this rule have been reported several times; the most relevant ones seem to be #417, #713 and #590. In all these cases they appear to be using a "bare" or "naked" Uri, for which the recommended solution of uri() seems appropriate.

However, consider the following example ARM Template:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
    },
    "resources": [
        {
            "type": "Microsoft.Web/sites/config",
            "apiVersion": "2022-03-01",
            "name": "myCoolFunctionApp/appsettings",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', 'mycoolKeyVault')]",
                "[resourceId('Microsoft.KeyVault/vaults/secrets', 'mycoolKeyVault', 'some-secret')]",
                "[resourceId('Microsoft.KeyVault/vaults/secrets', 'mycoolKeyVault', 'some-other-secret')]",
                "[resourceId('Microsoft.Web/sites', 'myCoolFunctionApp')]"
            ],
            "properties": {
                "Some:SecretUri": "[concat('@Microsoft.KeyVault(SecretUri=', reference(resourceId('Microsoft.KeyVault/vaults/secrets', 'mycoolKeyVault', 'some-secret')).secretUri, ')')]",
                "Some:OtherUriSecret": "[concat('@Microsoft.KeyVault(SecretUri=', reference(resourceId('Microsoft.KeyVault/vaults/secrets', 'mycoolKeyVault', 'some-other-secret')).secretUri, ')')]",
                "SecretUrl": "[format('@Microsoft.KeyVault(SecretUri={0})', reference(resourceId('Microsoft.KeyVault/vaults/secrets', 'mycoolKeyVault', 'some-other-secret')).secretUri)]"
            }
        }
    ]
}

This is using the Azure KeyVault Reference Syntax Documented here: https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli#reference-syntax. Both syntaxes will trigger the warning:

  URIs Should Be Properly Constructed
    [-] URIs Should Be Properly Constructed (11 ms)
        Function 'concat' found within 'Some:SecretUri'
        Function 'format' found within 'SecretUrl'
        Function 'concat' found within 'Some:SecretUri' Line: 20, Column: 18
        Function 'format' found within 'SecretUrl' Line: 20, Column: 18

Is there an alternate way that the Referenced Secret Syntax should be utilized that avoids this linter error? Even the alternative syntax @Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret) will throw because you're still going to need to use concat() or format() to accomplish this.

The real problem seems to be the detection of what is considered a URI: it appears to only consider properties that end in Uri or Url, which is not a bad heuristic.
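To make the name-suffix heuristic described in this issue concrete, here is an added example that is not part of the issue or of the ARM TTK source: a small Python checker that reports properties ending in Uri/Url whose value calls concat() or format(), as the issue describes the rule behaving, plus an optional exemption for expressions whose first literal is the @Microsoft.KeyVault( reference marker. The sample template is constructed from the one in the issue; the BareUrl setting and the exemption logic are assumptions of this example, not documented TTK behaviour.

```python
import json
import re
from typing import List, Tuple

# Constructed sample modelled on the appsettings resource in the issue, with one
# extra setting (BareUrl) that really does build a plain URI out of string pieces.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [{
        "type": "Microsoft.Web/sites/config",
        "apiVersion": "2022-03-01",
        "name": "myCoolFunctionApp/appsettings",
        "properties": {
            "Some:SecretUri": "[concat('@Microsoft.KeyVault(SecretUri=', reference(resourceId('Microsoft.KeyVault/vaults/secrets', 'mycoolKeyVault', 'some-secret')).secretUri, ')')]",
            "Some:OtherUriSecret": "[concat('@Microsoft.KeyVault(SecretUri=', reference(resourceId('Microsoft.KeyVault/vaults/secrets', 'mycoolKeyVault', 'some-other-secret')).secretUri, ')')]",
            "SecretUrl": "[format('@Microsoft.KeyVault(SecretUri={0})', reference(resourceId('Microsoft.KeyVault/vaults/secrets', 'mycoolKeyVault', 'some-other-secret')).secretUri)]",
            "BareUrl": "[concat('https://', parameters('host'), '/api')]",
        },
    }],
})

URI_NAME = re.compile(r"(uri|url)$", re.IGNORECASE)          # property name ends in Uri/Url
STRING_FUNC = re.compile(r"\b(concat|format)\s*\(", re.IGNORECASE)
# Exemption (assumed, not TTK behaviour): an expression whose first literal is the
# Key Vault reference marker is an app-setting reference, not a URI to be built with uri().
KEYVAULT_REF = re.compile(r"^\[\s*(concat|format)\s*\(\s*'@Microsoft\.KeyVault\(", re.IGNORECASE)


def find_uri_findings(template_json: str, exempt_keyvault_refs: bool = False) -> List[Tuple[str, str]]:
    """Return (function, property) pairs the suffix heuristic reports, in template order."""
    findings: List[Tuple[str, str]] = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if isinstance(value, str) and URI_NAME.search(key):
                    match = STRING_FUNC.search(value)
                    if match and not (exempt_keyvault_refs and KEYVAULT_REF.match(value)):
                        findings.append((match.group(1).lower(), key))
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(template_json))
    return findings


if __name__ == "__main__":
    for func, prop in find_uri_findings(SAMPLE_TEMPLATE, exempt_keyvault_refs=True):
        print(f"Function '{func}' found within '{prop}'")
```

With the exemption off, the checker reproduces the two findings shown in the issue (and flags BareUrl); with it on, only BareUrl remains, which is the case the rule is actually meant to catch.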

@ghost ghost added the Needs: triage 🔍 label Dec 21, 2022
@mcs1970

mcs1970 commented Aug 24, 2023

I am having the same error flagged by the ARM TTK and would like to know the recommended method to pass a secret URI as an output.

Thanks!

@jimdigriz

As mentioned by @aolszowka, probably best to just rename your variable to not have url or uri in it; I use instead var KeyVaultRef = "..."
