BugFIX - 25550 - flag as failed for a tenant that has no Azure Firewall #968
Manoj-Kesana wants to merge 1 commit into main from
Conversation
Pull request overview
Adjusts Azure Network Security assessment test 25550 to avoid reporting a failure when no Azure Firewall Premium policies exist in the tenant/subscriptions.
Changes:
- Replaces the "❌ No Azure Firewall Premium policies found…" failure output with a NotApplicable skip path.
- Adds a verbose diagnostic message and returns early when no Premium policies are discovered.
alexandair
left a comment
@Manoj-Kesana Please, address my feedback.
As we are already changing this test, should we replace Invoke-AzRestMethod with ARG query like we do for other similar tests?
| @@ -180,7 +180,9 @@ function Test-Assessment-25550 { | |||
| $testResultMarkdown = '' | |||
|
|
|||
| if ($firewallPoliciesWithTLS.Count -eq 0) { | |||
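Review bot: the single gate `if ($firewallPoliciesWithTLS.Count -eq 0)` in this hunk cannot distinguish "no firewall policies in any subscription" from "firewall policies exist but none is Premium", because `$firewallPoliciesWithTLS` is only ever populated from Premium policies; the spec's eval step 5 requires the second case to Fail, so turning the whole branch into a NotApplicable skip masks a required failure. Record whether any firewall policy was seen while iterating subscriptions (for example a `$anyFirewallPoliciesFound` flag set in the loop) and skip only when that flag is false, keeping a Fail result with an explanatory `$testResultMarkdown` for the "policies exist but none Premium" case. While this block is being touched, the reviewer's suggestion to replace `Invoke-AzRestMethod` with an Azure Resource Graph query, as the other similar tests do, would also remove the per-subscription loop that makes this bookkeeping necessary.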
Critical Issue — Skip is too broad, masks a spec-required Fail case
The $firewallPoliciesWithTLS array is only populated from Premium policies. When .Count -eq 0, there are two distinct scenarios:
| Scenario | Spec says | PR does |
|---|---|---|
| No firewall policies at all in any subscription | Skipped | ✅ Skipped (correct) |
| Firewall policies exist but none are Premium | Fail (spec eval step 5) | ❌ Skipped (incorrect) |
The spec explicitly states (eval step 5):
"If premiumPolicies is empty → Fail (firewall policies exist but no Premium SKU found)"
Fix: Track whether any firewall policies were found across all subscriptions, then differentiate:

```powershell
# Before the subscription loop, add:
$anyFirewallPoliciesFound = $false

# Inside the subscription loop, after collecting $fwPolicies:
if ($fwPolicies.Count -gt 0) {
    $anyFirewallPoliciesFound = $true
}

# In assessment logic, replace the single if-block:
if ($firewallPoliciesWithTLS.Count -eq 0 -and -not $anyFirewallPoliciesFound) {
    Write-PSFMessage 'No Azure Firewall policies found in any subscription.' -Tag Test -Level VeryVerbose
    Add-ZtTestResultDetail -SkippedBecause NotApplicable
    return
}
elseif ($firewallPoliciesWithTLS.Count -eq 0) {
    # Policies exist but none are Premium — this is a fail
    $testResultMarkdown = "❌ Azure Firewall policies were found but none use the Premium SKU required for TLS inspection.`n`n"
}
```

There is also this issue (pre-existing, not introduced by this PR):
properties.firewalls check (spec eval step 5–6)
The spec requires checking whether a Premium policy is attached to an actual firewall:
"Check if properties.firewalls exists and is non-empty. If empty or missing → skip this policy."
The code never checks $policyDetail.properties.firewalls. Unattached policies are evaluated as if they're active, which could cause false passes or false fails on orphaned policies.
Fix #961
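The decision logic the two review comments ask for (skip only when no firewall policies exist at all, fail when policies exist but none is Premium, ignore Premium policies that are not attached to a firewall, then check TLS inspection on the remaining ones), written as an added example that is not the project's own Test-Assessment-25550 code. It runs offline against constructed policy objects instead of calling Azure. Assumptions: policies are shaped like the ARM `Microsoft.Network/firewallPolicies` resource (`properties.sku.tier`, `properties.firewalls`, `properties.transportSecurity.certificateAuthority.keyVaultSecretId` as the TLS inspection marker); the function name `Get-FirewallTlsInspectionResult` and the `Status`/`Reason` values are invented here; and "Premium policies exist but every one is unattached" is treated as a Fail, which the quoted spec text does not cover.

```powershell
# Added example (not the project's code): assessment logic for test 25550 with the
# "no policies" vs "no Premium policies" split and the properties.firewalls check.
# Assumed resource shape: ARM Microsoft.Network/firewallPolicies.

function Test-PolicyAttached {
    # Spec eval step 5-6: a policy counts only if properties.firewalls is present and non-empty
    param([object] $Policy)
    $fws = $Policy.properties.firewalls
    return ($null -ne $fws) -and (@($fws).Count -gt 0)
}

function Get-FirewallTlsInspectionResult {
    [CmdletBinding()]
    param(
        # Every firewall policy collected across all subscriptions (may be empty)
        [AllowEmptyCollection()]
        [object[]] $FirewallPolicies = @()
    )

    # No firewall policies anywhere in the tenant: nothing to assess, skip as NotApplicable
    if ($FirewallPolicies.Count -eq 0) {
        return [pscustomobject]@{ Status = 'Skipped'; Reason = 'NotApplicable'; Markdown = '' }
    }

    # Spec eval step 5: policies exist but none use the Premium SKU -> Fail
    $premium = @($FirewallPolicies | Where-Object { $_.properties.sku.tier -eq 'Premium' })
    if ($premium.Count -eq 0) {
        return [pscustomobject]@{
            Status   = 'Fail'
            Reason   = 'NoPremiumSku'
            Markdown = "❌ Azure Firewall policies were found but none use the Premium SKU required for TLS inspection.`n`n"
        }
    }

    # Unattached (orphaned) Premium policies are skipped so they cause neither false passes nor false fails
    $attached = @($premium | Where-Object { Test-PolicyAttached -Policy $_ })
    if ($attached.Count -eq 0) {
        # Assumption (not in the quoted spec): Premium policies exist but none protects a firewall -> Fail
        return [pscustomobject]@{
            Status   = 'Fail'
            Reason   = 'PremiumPoliciesUnattached'
            Markdown = "❌ Premium Azure Firewall policies exist but none is attached to a firewall.`n`n"
        }
    }

    # TLS inspection is considered enabled when the policy references a CA certificate in Key Vault
    $rows = foreach ($p in $attached) {
        $secretId = $p.properties.transportSecurity.certificateAuthority.keyVaultSecretId
        [pscustomobject]@{
            Name          = $p.name
            Firewalls     = @($p.properties.firewalls).Count
            TlsInspection = -not [string]::IsNullOrEmpty($secretId)
        }
    }
    $failing = @($rows | Where-Object { -not $_.TlsInspection })

    $status = if ($failing.Count -eq 0) { 'Pass' } else { 'Fail' }
    $md = if ($status -eq 'Pass') {
        "✅ All attached Premium Azure Firewall policies have TLS inspection enabled.`n`n"
    } else {
        "❌ $($failing.Count) attached Premium Azure Firewall policies do not have TLS inspection enabled.`n`n"
    }
    $md += "| Policy | Attached firewalls | TLS inspection |`n|---|---|---|`n"
    foreach ($r in $rows) {
        $md += "| $($r.Name) | $($r.Firewalls) | $(if ($r.TlsInspection) { '✅' } else { '❌' }) |`n"
    }
    return [pscustomobject]@{ Status = $status; Reason = 'TlsInspection'; Markdown = $md }
}

# Constructed sample policies (not real tenant data) covering each branch above
$samplePolicies = @(
    [pscustomobject]@{ id = '/sub/1/fwp-std'; name = 'fwp-std'
        properties = @{ sku = @{ tier = 'Standard' }; firewalls = @(@{ id = '/sub/1/fw-a' }) } }
    [pscustomobject]@{ id = '/sub/1/fwp-orphan'; name = 'fwp-orphan'
        properties = @{ sku = @{ tier = 'Premium' }; firewalls = @()
            transportSecurity = @{ certificateAuthority = @{ keyVaultSecretId = 'https://kv.vault.azure.net/secrets/ca' } } } }
    [pscustomobject]@{ id = '/sub/2/fwp-tls'; name = 'fwp-tls'
        properties = @{ sku = @{ tier = 'Premium' }; firewalls = @(@{ id = '/sub/2/fw-b' })
            transportSecurity = @{ certificateAuthority = @{ keyVaultSecretId = 'https://kv.vault.azure.net/secrets/ca' } } } }
    [pscustomobject]@{ id = '/sub/2/fwp-notls'; name = 'fwp-notls'
        properties = @{ sku = @{ tier = 'Premium' }; firewalls = @(@{ id = '/sub/2/fw-c' }) } }
)

# Empty tenant, Standard-only tenant, and the mixed set: each takes a different branch
foreach ($case in @(
        @{ Label = 'no policies';        Policies = @() },
        @{ Label = 'Standard only';      Policies = @($samplePolicies[0]) },
        @{ Label = 'mixed Premium set';  Policies = $samplePolicies })) {
    $result = Get-FirewallTlsInspectionResult -FirewallPolicies $case.Policies
    Write-Host "[$($case.Label)] $($result.Status) ($($result.Reason))"
    if ($result.Markdown) { Write-Host $result.Markdown }
}
```

In the real test the returned `Status`/`Markdown` pair would map onto `Add-ZtTestResultDetail -SkippedBecause NotApplicable` for the skip branch and onto `$testResultMarkdown` for the others; keeping the decision in a pure function like this makes the four branches easy to unit test with fixture data rather than against a live subscription.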