Example updates (#5)

.github/workflows/azure-analyze.yaml

@@ -3,7 +3,7 @@
 #
 
 # Note:
-# This workflow is designed to run in templated repositories.
+# This workflow is designed to run in templated repositories to check Azure Infrastructure as Code.
 
 # For PSRule for Azure documentation see:
 # https://aka.ms/ps-rule-azure

.ps-rule/Org.Rule.ps1

@@ -7,6 +7,6 @@
 # Synopsis: Policy exemptions must be approved by the security team and stored within deployments/contoso/landing-zones/subscription-1/policy/.
 Rule 'Org.CodeOwners' -Type 'Microsoft.Authorization/policyExemptions' {
     $Assert.WithinPath($PSRule.Source['Parameter'], 'File', @(
-        'deployments/contoso/landing-zones/subscription-1/policy/'
+        'template/deployments/contoso/landing-zones/subscription-1/policy/'
     ));
 }

README.md

@@ -1,6 +1,6 @@
 # PSRule for Azure Quick Start
 
-This repository contains a sample template you can use to quickly start using PSRule for Azure.
+This repository contains a sample code you can use to quickly start using PSRule for Azure.
 To learn more about PSRule for Azure, see https://aka.ms/ps-rule-azure.
 
 [![Use this template](https://img.shields.io/static/v1?label=GitHub&message=Use%20this%20template&logo=github&color=007acc)](https://github.com/Azure/PSRule.Rules.Azure-quickstart/generate)
@@ -10,9 +10,14 @@ To learn more about PSRule for Azure, see https://aka.ms/ps-rule-azure.
 
 This repository includes:
 
-- Starter Azure Resource Manager templates and parameter files.
-- Starter Azure Bicep deployments and test files.
-- GitHub Actions workflow to check Azure Infrastructure as Code.
+- **Azure Templates** — Starter Azure Resource Manager (ARM) templates and parameter files.
+  - Use the files in the `template/` folder if you are used ARM templates to deploy resources.
+- **Azure Bicep** — Starter Azure Bicep deployments and test files.
+  - Use the files in the `bicep/` folder if you are used Bicep deployments and modules to deploy resources.
+- **GitHub Actions** — Starter workflow for checking Azure Infrastructure as Code (IaC).
+  - Use the files in the `.github/workflows/` to check your Azure IaC with GitHub Actions.
+  - The `ms-analyze.yaml` file can be ignore or removed as this will not execute outside this repoistory.
+- **Azure Pipelines** — Comming soon.
 
 ## Support
 

bicep/deployments/contoso/landing-zones/subscription-1/rg-app-002/main.bicep

@@ -6,10 +6,12 @@
 // This file has multiple template errors to show validation.
 
 // An example Storage Account
-module storage '../../../../../templates/storage/v2/template.bicep' = {
+module storage '../../../../../modules/storage/v1/main.bicep' = {
   name: 'storage-deployment'
   params: {
-    storageAccountName: 'st002'
+    name: 'stbicepapp002'
+
+    location: 'antartic'
 
     // Don't allow anonymous access types of blob or container
     allowBlobPublicAccess: false
@@ -17,14 +19,14 @@ module storage '../../../../../templates/storage/v2/template.bicep' = {
 }
 
 // An example Key Vault
-module keyvault '../../../../../templates/keyvault/v2/template.json' = {
+module keyvault '../../../../../modules/keyvault/v1/main.bicep' = {
   name: 'keyvault-deployment'
   params: {
+    name: 'kv-bicep-app-002'
 
     // An env tag must be test, dev, or prod
     tags: {
       env: 'demo'
     }
-    vaultName: 'vault002'
   }
 }

bicep/modules/keyvault/v1/.tests/main.tests.bicep

@@ -0,0 +1,25 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+// Test with only required parameters
+module test_required_params '../main.bicep' = {
+  name: 'test_required_params'
+  params: {
+    name: 'kvtest001'
+    tags: {
+      env: 'test'
+    }
+  }
+}
+
+// Test with Log Analytics workspace configure for auditing
+module test_with_audit_logs '../main.bicep' = {
+  name: 'test_with_audit_logs'
+  params: {
+    name: 'kvtest002'
+    tags: {
+      env: 'test'
+    }
+    workspaceId: '/subscriptions/<subscription_id>/resourceGroups/rg-test/providers/Microsoft.OperationalInsights/workspaces/latest001'
+  }
+}

bicep/modules/keyvault/v1/main.bicep

@@ -0,0 +1,119 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+@description('The name of the Key Vault.')
+param name string
+
+@description('The Azure region to deploy to.')
+@metadata({
+  strongType: 'location'
+})
+param location string = resourceGroup().location
+
+@description('The access policies defined for this vault.')
+@metadata({
+  example: [
+    {
+      objectId: '<object_id>'
+      tenantId: '<tenant_id>'
+      permissions: {
+        secrets: [
+          'Get'
+          'List'
+          'Set'
+        ]
+      }
+    }
+  ]
+})
+param accessPolicies array = []
+
+@description('Determines if Azure can deploy certificates from this Key Vault.')
+param useDeployment bool = true
+
+@description('Determines if templates can reference secrets from this Key Vault.')
+param useTemplate bool = true
+
+@description('Determines if this Key Vault can be used for Azure Disk Encryption.')
+param useDiskEncryption bool = true
+
+@description('Determine if soft delete is enabled on this Key Vault.')
+param useSoftDelete bool = true
+
+@description('Determine if purge protection is enabled on this Key Vault.')
+param usePurgeProtection bool = true
+
+@description('The number of days to retain soft deleted vaults and vault objects.')
+@minValue(7)
+@maxValue(90)
+param softDeleteDays int = 90
+
+@description('Determines if access to the objects granted using RBAC. When true, access policies are ignored.')
+param useRBAC bool = false
+
+@description('The network firewall defined for this vault.')
+param networkAcls object = {
+  defaultAction: 'Allow'
+  bypass: 'AzureServices'
+  ipRules: []
+  virtualNetworkRules: []
+}
+
+@description('The workspace to store audit logs.')
+@metadata({
+  strongType: 'Microsoft.OperationalInsights/workspaces'
+  example: '/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.OperationalInsights/workspaces/<workspace_name>'
+})
+param workspaceId string = ''
+
+@description('Tags to apply to the resource.')
+@metadata({
+  example: {
+    service: '<service_name>'
+    env: 'prod'
+  }
+})
+param tags object
+
+// Define a Key Vault
+resource vault 'Microsoft.KeyVault/vaults@2019-09-01' = {
+  name: name
+  location: location
+  properties: {
+    enabledForDeployment: useDeployment
+    enabledForTemplateDeployment: useTemplate
+    enabledForDiskEncryption: useDiskEncryption
+    accessPolicies: accessPolicies
+    tenantId: subscription().tenantId
+    sku: {
+      name: 'standard'
+      family: 'A'
+    }
+    networkAcls: networkAcls
+    enableSoftDelete: useSoftDelete
+    enablePurgeProtection: usePurgeProtection
+    softDeleteRetentionInDays: softDeleteDays
+    enableRbacAuthorization: useRBAC
+  }
+  tags: tags
+}
+
+// Configure logging
+resource vaultName_Microsoft_Insights_service 'Microsoft.KeyVault/vaults/providers/diagnosticSettings@2016-09-01' = if (!empty(workspaceId)) {
+  name: '${name}/Microsoft.Insights/service'
+  location: location
+  properties: {
+    workspaceId: workspaceId
+    logs: [
+      {
+        category: 'AuditEvent'
+        enabled: true
+      }
+    ]
+  }
+  dependsOn: [
+    vault
+  ]
+}
+
+output resourceId string = vault.id

bicep/modules/storage/v1/.tests/main.tests.bicep

@@ -0,0 +1,10 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+// Test with only required parameters
+module test_required_params '../main.bicep' = {
+  name: 'test_required_params'
+  params: {
+    name: 'sttest001'
+  }
+}

bicep/modules/storage/v1/main.bicep

@@ -2,9 +2,12 @@
 // Licensed under the MIT License.
 
 @description('The name of the Storage Account.')
-param storageAccountName string
+param name string
 
 @description('The Azure region to deploy to.')
+@metadata({
+  strongType: 'location'
+})
 param location string = resourceGroup().location
 
 @description('Create the Storage Account as LRS or GRS.')
@@ -15,7 +18,7 @@ param allowBlobPublicAccess bool = true
 
 // Define a Storage Account
 resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
-  name: storageAccountName
+  name: name
   location: location
   sku: {
     name: sku

ps-rule.yaml

@@ -19,18 +19,24 @@ input:
   pathIgnore:
   - '.vscode/'
   - '*.md'
-  - 'templates/*.bicep'
+  - 'bicep/modules/**/*.bicep'
+  - '!bicep/modules/**/*.tests.bicep'
 
 configuration:
   # Enable automatic expansion of Azure parameter files
   AZURE_PARAMETER_FILE_EXPANSION: true
 
-  # Enable automatic expansion of bicep source files
+  # Enable automatic expansion of Azure Bicep source files
   AZURE_BICEP_FILE_EXPANSION: true
 
 # Suppression ignores rules for a specific Azure resource by name
 suppression:
   Azure.Storage.UseReplication:
-  - st001
+  - sttemplateapp001
   Azure.Storage.SoftDelete:
-  - st001
+  - sttemplateapp001
+  Azure.KeyVault.Logs:
+  - kvtest001
+  Azure.Storage.BlobPublicAccess:
+  - sttest001
+

template/deployments/contoso/landing-zones/subscription-1/policy/policy-exemptions.parameters.json

@@ -2,7 +2,7 @@
     "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
     "contentVersion": "1.0.0.0",
     "metadata": {
-        "template": "templates/policy-exemption/v1/template.json"
+        "template": "template/templates/policy-exemption/v1/template.json"
     },
     "parameters": {
         "exemptionNameSuffix": {

template/deployments/contoso/landing-zones/subscription-1/rg-app-001/sttemplateapp001.parameters.json

@@ -2,11 +2,11 @@
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
     "contentVersion": "1.0.0.0",
     "metadata": {
-        "template": "templates/storage/v2/template.json"
+        "template": "template/templates/storage/v1/template.json"
     },
     "parameters": {
         "storageAccountName": {
-            "value": "st001"
+            "value": "sttemplateapp001"
         },
         "sku": {
             "value": "Standard_LRS"

template/templates/keyvault/v1/template.json

@@ -19,8 +19,7 @@
             "metadata": {
                 "description": "The Azure region to deploy to.",
                 "strongType": "location",
-                "example": "eastus",
-                "ignore": true
+                "example": "eastus"
             }
         },
         "accessPolicies": {
@@ -47,40 +46,35 @@
             "type": "bool",
             "defaultValue": true,
             "metadata": {
-                "description": "Determines if Azure can deploy certificates from this Key Vault.",
-                "ignore": true
+                "description": "Determines if Azure can deploy certificates from this Key Vault."
             }
         },
         "useTemplate": {
             "type": "bool",
             "defaultValue": true,
             "metadata": {
-                "description": "Determines if templates can reference secrets from this Key Vault.",
-                "ignore": true
+                "description": "Determines if templates can reference secrets from this Key Vault."
             }
         },
         "useDiskEncryption": {
             "type": "bool",
             "defaultValue": true,
             "metadata": {
-                "description": "Determines if this Key Vault can be used for Azure Disk Encryption.",
-                "ignore": true
+                "description": "Determines if this Key Vault can be used for Azure Disk Encryption."
             }
         },
         "useSoftDelete": {
             "type": "bool",
             "defaultValue": true,
             "metadata": {
-                "description": "Determine if soft delete is enabled on this Key Vault.",
-                "ignore": true
+                "description": "Determine if soft delete is enabled on this Key Vault."
             }
         },
         "usePurgeProtection": {
             "type": "bool",
             "defaultValue": true,
             "metadata": {
-                "description": "Determine if purge protection is enabled on this Key Vault.",
-                "ignore": true
+                "description": "Determine if purge protection is enabled on this Key Vault."
             }
         },
         "softDeleteDays": {

template/templates/storage/v1/template.json

@@ -19,8 +19,7 @@
             "metadata": {
                 "description": "The Azure region to deploy to.",
                 "strongType": "location",
-                "example": "EastUS",
-                "ignore": true
+                "example": "EastUS"
             }
         },
         "sku": {
@@ -40,8 +39,7 @@
             "minValue": 0,
             "maxValue": 13,
             "metadata": {
-                "description": "Determine how many additional characters are added to the storage account name as a suffix.",
-                "ignore": true
+                "description": "Determine how many additional characters are added to the storage account name as a suffix."
             }
         },
         "containers": {
@@ -128,8 +126,7 @@
             "type": "bool",
             "defaultValue": false,
             "metadata": {
-                "description": "Determines if large file shares are enabled. This can not be disabled once enabled.",
-                "ignore": true
+                "description": "Determines if large file shares are enabled. This can not be disabled once enabled."
             }
         },
         "shareSoftDeleteDays": {
@@ -153,8 +150,7 @@
             "type": "string",
             "defaultValue": "",
             "metadata": {
-                "description": "Set to the objectId of Azure Key Vault to delegated permission for use with Key Managed Storage Accounts.",
-                "ignore": true
+                "description": "Set to the objectId of Azure Key Vault to delegated permission for use with Key Managed Storage Accounts."
             }
         },
         "tags": {