For latest PSRule updates (#15)

2022-05-18 01:03:35 +10:00 · 2022-05-18 01:03:35 +10:00 · 0ac569ab24
--- a/.ps-rule/Org.Rule.yaml
+++ b/.ps-rule/Org.Rule.yaml
@ -11,9 +11,8 @@ kind: Rule
 metadata:
  name: Org.Azure.Tags
 spec:
-  type:
-  - 'Microsoft.Storage/storageAccounts'
-  - 'Microsoft.KeyVault/vaults'
+  with:
+  - PSRule.Rules.Azure\Azure.Resource.SupportsTags
  condition:
    allOf:
    - in:
--- a/README.md
+++ b/README.md
@ -17,16 +17,19 @@ This repository includes:
 - **GitHub Actions** &mdash; Starter workflow for checking Azure Infrastructure as Code (IaC).
  - Use the files in the `.github/workflows/` to check your Azure IaC with GitHub Actions.
  - The `ms-analyze.yaml` file can be ignore or removed as this will not execute outside this repository.
- **Azure Pipelines** &mdash; Comming soon.
+- **Azure Pipelines** &mdash; Coming soon.
 - **Custom rules** &mdash; Example custom rules that enforce organization specific requirements.
  - Use the files in the `.ps-rule/` folder to configure custom rules.
+- **PSRule options** &mdash; Example options for using PSRule for Azure.
+  - PSRule options are configures within `ps-rule.yaml`.
+  - Options include suppressing rules, configuring input/ output, and any rules modules.

 ## What to expect?

 This repository shows valid uses of PSRule for Azure, both pass and failure cases.
 Inspect the following files for instructions to test PSRule for Azure rules by creating a failure.

- [bicep/deployments/contoso/landing-zones/subscription-1/rg-app-002/main.bicep](bicep/deployments/contoso/landing-zones/subscription-1/rg-app-002/main.bicep)
+- [bicep/deployments/contoso/landing-zones/subscription-1/rg-app-002/deploy.bicep](bicep/deployments/contoso/landing-zones/subscription-1/rg-app-002/deploy.bicep)
 - [template/deployments/contoso/landing-zones/subscription-1/rg-app-001/sttemplateapp001.parameters.json](template/deployments/contoso/landing-zones/subscription-1/rg-app-001/sttemplateapp001.parameters.json)

 ## Support
--- a/bicep/deployments/contoso/landing-zones/subscription-1/rg-app-002/deploy.bicep
+++ b/bicep/deployments/contoso/landing-zones/subscription-1/rg-app-002/deploy.bicep
@ -5,6 +5,9 @@
 // This Azure Bicep code demonistrates a deployment of one or more modules.
 // This file has multiple template errors to show validation.

+@description('Configures the location to deploy the Azure resources.')
+param location string = resourceGroup().location
+
 // An example Storage Account
 module storage '../../../../../modules/storage/v1/main.bicep' = {
  name: 'storage-deployment'
@ -13,11 +16,17 @@ module storage '../../../../../modules/storage/v1/main.bicep' = {

    // The Azure location must be valid
    // Try setting this to 'Antarctica'
-    location: 'eastus'
+    location: location

    // Don't allow anonymous access types of blob or container.
    // Try setting this false to fail the Azure.Storage.BlobPublicAccess rule.
    allowBlobPublicAccess: false
+
+    // An env tag must be test, dev, or prod.
+    // Try setting this to 'demo' to fail the Org.Azure.Tags rule.
+    tags: {
+      env: 'dev'
+    }
  }
 }

@ -26,6 +35,7 @@ module keyvault '../../../../../modules/keyvault/v1/main.bicep' = {
  name: 'keyvault-deployment'
  params: {
    name: 'kv-bicep-app-002'
+    location: location

    // Must have a workspace
    // Try commenting out this line to have the Azure.KeyVault.Logs rule fail.
--- a/bicep/modules/keyvault/v1/.tests/main.tests.bicep
+++ b/bicep/modules/keyvault/v1/.tests/main.tests.bicep
@ -1,11 +1,15 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.

+@description('Configures the location to deploy the Azure resources.')
+param location string = resourceGroup().location
+
 // Test with only required parameters
 module test_required_params '../main.bicep' = {
  name: 'test_required_params'
  params: {
    name: 'kvtest001'
+    location: location
    tags: {
      env: 'test'
    }
@ -17,6 +21,7 @@ module test_with_audit_logs '../main.bicep' = {
  name: 'test_with_audit_logs'
  params: {
    name: 'kvtest002'
+    location: location
    tags: {
      env: 'test'
    }
--- a/bicep/modules/keyvault/v1/main.bicep
+++ b/bicep/modules/keyvault/v1/main.bicep
@ -73,7 +73,7 @@ param workspaceId string = ''
    env: 'prod'
  }
 })
-param tags object
+param tags object = resourceGroup().tags

 // Define a Key Vault
 resource vault 'Microsoft.KeyVault/vaults@2019-09-01' = {
--- a/bicep/modules/storage/v1/.tests/main.tests.bicep
+++ b/bicep/modules/storage/v1/.tests/main.tests.bicep
@ -1,10 +1,17 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.

+@description('Configures the location to deploy the Azure resources.')
+param location string = resourceGroup().location
+
 // Test with only required parameters
 module test_required_params '../main.bicep' = {
  name: 'test_required_params'
  params: {
    name: 'sttest001'
+    location: location
+    tags: {
+      env: 'test'
+    }
  }
 }
--- a/bicep/modules/storage/v1/main.bicep
+++ b/bicep/modules/storage/v1/main.bicep
@ -10,12 +10,25 @@ param name string
 })
 param location string = resourceGroup().location

+@allowed([
+  'Standard_GRS'
+  'Standard_LRS'
+])
@description('Create the Storage Account as LRS or GRS.')
 param sku string = 'Standard_GRS'

@description('Determines if any containers can be configured with the anonymous access types of blob or container.')
 param allowBlobPublicAccess bool = true

+@description('Tags to apply to the resource.')
+@metadata({
+  example: {
+    service: '<service_name>'
+    env: 'prod'
+  }
+})
+param tags object = resourceGroup().tags
+
 // Define a Storage Account
 resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: name
@ -36,9 +49,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
    allowBlobPublicAccess: allowBlobPublicAccess
    minimumTlsVersion: 'TLS1_2'
  }
-  tags: {
-    env: 'test'
-  }
+  tags: tags
 }

 resource blobServices 'Microsoft.Storage/storageAccounts/blobServices@2019-06-01' = {
--- a/ps-rule.yaml
+++ b/ps-rule.yaml
@ -3,14 +3,21 @@
 #

 # Please see the documentation for all configuration options:
-# https://aka.ms/ps-rule-azure
+# https://aka.ms/ps-rule/options
+# https://aka.ms/ps-rule-azure/options

+# Configure binding for local rules
 binding:
  preferTargetInfo: true
  targetType:
  - type
  - resourceType

+# Require minimum versions of modules
+requires:
+  PSRule: '@pre >=2.1.0'
+  PSRule.Rules.Azure: '@pre >=1.15.2'
+
 # Use PSRule for Azure
 include:
  module:
@ -22,6 +29,8 @@ output:

 input:
  pathIgnore:
+
+  # Ignore other files in the repository.
  - '.vscode/'
  - '.github/'
  - '*.md'