Updates to settings and modules (#34)

.github/dependabot.yml

@@ -7,9 +7,8 @@
 
 version: 2
 updates:
-
-# Maintain dependencies for GitHub Actions
-- package-ecosystem: 'github-actions'
-  directory: '/'
-  schedule:
-    interval: 'daily'
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'daily'

.github/workflows/azure-analyze.yaml

@@ -17,10 +17,10 @@ name: Analyze Azure resources
 on:
   push:
     branches:
-    - main
+      - main
   pull_request:
     branches:
-    - main
+      - main
   workflow_dispatch:
 
 jobs:
@@ -29,12 +29,11 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository != 'Azure/PSRule.Rules.Azure-quickstart'
     steps:
+      - name: Checkout
+        uses: actions/checkout@v3
 
-    - name: Checkout
-      uses: actions/checkout@v3
-
-    # Run analysis by using the PSRule GitHub action.
-    - name: Run PSRule analysis
-      uses: microsoft/ps-rule@v2.7.0
-      with:
-        modules: 'PSRule.Rules.Azure'
+      # Run analysis by using the PSRule GitHub action.
+      - name: Run PSRule analysis
+        uses: microsoft/ps-rule@v2.7.0
+        with:
+          modules: PSRule.Rules.Azure

.github/workflows/ms-analyze.yaml

@@ -18,7 +18,7 @@ name: Analyze repository
 on:
   pull_request:
     branches:
-    - main
+      - main
   workflow_dispatch:
 
 jobs:
@@ -27,11 +27,10 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'Azure/PSRule.Rules.Azure-quickstart'
     steps:
+      - name: Checkout
+        uses: actions/checkout@v3
 
-    - name: Checkout
-      uses: actions/checkout@v3
-
-    - name: Run PSRule analysis
-      uses: microsoft/ps-rule@v2.7.0
-      with:
-        modules: PSRule.Rules.MSFT.OSS
+      - name: Run PSRule analysis
+        uses: microsoft/ps-rule@v2.7.0
+        with:
+          modules: PSRule.Rules.MSFT.OSS

.ps-rule/Org.Rule.ps1

@@ -3,10 +3,3 @@
 
 # Note:
 # This script demonstrates using PowerShell-based rules.
-
-# Synopsis: Policy exemptions must be approved by the security team and stored within deployments/contoso/landing-zones/subscription-1/policy/.
-Rule 'Org.CodeOwners' -Type 'Microsoft.Authorization/policyExemptions' {
-    $Assert.WithinPath($PSRule.Source['Parameter'], 'File', @(
-        'template/deployments/contoso/landing-zones/subscription-1/policy/'
-    ));
-}

.ps-rule/Org.Rule.yaml

@@ -12,11 +12,25 @@ metadata:
   name: Org.Azure.Tags
 spec:
   with:
-  - PSRule.Rules.Azure\Azure.Resource.SupportsTags
+    - PSRule.Rules.Azure\Azure.Resource.SupportsTags
   condition:
     allOf:
-    - in:
-        - 'prod'
-        - 'test'
-        - 'dev'
-      field: 'tags.env'
+      - in:
+          - 'prod'
+          - 'test'
+          - 'dev'
+        field: 'tags.env'
+
+---
+# Synopsis: Policy exemptions must be approved by the security team and stored within deployments/contoso/landing-zones/subscription-1/policy/.
+apiVersion: github.com/microsoft/PSRule/v1
+kind: Rule
+metadata:
+  name: Org.CodeOwners
+spec:
+  type:
+    - Microsoft.Authorization/policyExemptions
+  condition:
+    source: Parameter
+    withinPath:
+      - template/deployments/contoso/landing-zones/subscription-1/policy/

.vscode/settings.json

@@ -2,22 +2,14 @@
   "files.associations": {
     "**/.pipelines/**/*.yaml": "azure-pipelines"
   },
+  "yaml.format.singleQuote": true,
+  "files.insertFinalNewline": true,
   "editor.insertSpaces": true,
-  "[json]": {
-    "editor.detectIndentation": false,
-    "editor.formatOnSave": true,
-    "editor.tabSize": 2,
-    "files.insertFinalNewline": true
-  },
-  "[jsonc]": {
-    "editor.detectIndentation": false,
-    "editor.formatOnSave": true,
-    "editor.tabSize": 2,
-    "files.insertFinalNewline": true
-  },
-  "[markdown]": {
-    "editor.detectIndentation": false,
-    "editor.tabSize": 2,
-    "files.insertFinalNewline": true
+  "editor.detectIndentation": false,
+  "editor.formatOnSave": true,
+  "editor.tabSize": 2,
+  "[powershell]": {
+    "editor.formatOnSave": false,
+    "editor.tabSize": 4
   }
 }

CONTRIBUTING.md

@@ -14,7 +14,7 @@ The goal of this document is to provide a high-level overview of how you can get
 This project welcomes contributions and suggestions. Most contributions require you to
 agree to a Contributor License Agreement (CLA) declaring that you have the right to,
 and actually do, grant us the rights to use your contribution. For details, visit
-https://cla.microsoft.com.
+<https://cla.microsoft.com>.
 
 When you submit a pull request, a CLA-bot will automatically determine whether you need
 to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the
@@ -41,7 +41,7 @@ If you find your issue already exists,
 make relevant comments and add your [reaction](https://github.com/blog/2119-add-reactions-to-pull-requests-issues-and-comments).
 Use a reaction in place of a "+1" comment:
 
-* 👍 - upvote
+- 👍 - upvote
 
 ### Intro to Git and GitHub
 
@@ -55,7 +55,7 @@ Check out the links below to get started.
   - [Fork a repo][github-fork].
   - [About Pull Requests][github-pr].
 
-## Thank You!
+## Thank You
 
 Your contributions to open source, large or small, make great projects like this possible.
 Thank you for taking the time to contribute.
@@ -65,4 +65,3 @@ Thank you for taking the time to contribute.
 [github-signup]: https://github.com/signup/free
 [github-fork]: https://help.github.com/en/github/getting-started-with-github/fork-a-repo
 [github-pr]: https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests
-[github-pr-create]: https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork

README.md

@@ -1,7 +1,7 @@
 # PSRule for Azure Quick Start
 
 This repository contains a sample code you can use to quickly start using PSRule for Azure.
-To learn more about PSRule for Azure, see https://aka.ms/ps-rule-azure.
+To learn more about PSRule for Azure, see <https://aka.ms/ps-rule-azure>.
 
 [![Use this template](https://img.shields.io/static/v1?label=GitHub&message=Use%20this%20template&logo=github&color=007acc)][1]
 [![Open in vscode.dev](https://img.shields.io/badge/Open%20in-vscode.dev-blue)][2]

SECURITY.md

@@ -16,17 +16,17 @@ Instead, please report them to the Microsoft Security Response Center (MSRC) at
 
 If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://www.microsoft.com/en-us/msrc/pgp-key-msrc).
 
-You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc). 
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).
 
 Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
 
-  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
-  * Full paths of source file(s) related to the manifestation of the issue
-  * The location of the affected source code (tag/branch/commit or direct URL)
-  * Any special configuration required to reproduce the issue
-  * Step-by-step instructions to reproduce the issue
-  * Proof-of-concept or exploit code (if possible)
-  * Impact of the issue, including how an attacker might exploit the issue
+- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit the issue
 
 This information will help us triage your report more quickly.
 

bicep/modules/keyvault/v1/main.bicep

@@ -1,16 +1,19 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-@description('The name of the Key Vault.')
+metadata name = 'Key Vault'
+metadata description = 'Create or update an Azure Key Vault.'
+
+@sys.description('The name of the Key Vault.')
 param name string
 
-@description('The Azure region to deploy to.')
+@sys.description('The Azure region to deploy to.')
 @metadata({
   strongType: 'location'
 })
 param location string = resourceGroup().location
 
-@description('The access policies defined for this vault.')
+@sys.description('The access policies defined for this vault.')
 @metadata({
   example: [
     {
@@ -28,30 +31,30 @@ param location string = resourceGroup().location
 })
 param accessPolicies array = []
 
-@description('Determines if Azure can deploy certificates from this Key Vault.')
+@sys.description('Determines if Azure can deploy certificates from this Key Vault.')
 param useDeployment bool = true
 
-@description('Determines if templates can reference secrets from this Key Vault.')
+@sys.description('Determines if templates can reference secrets from this Key Vault.')
 param useTemplate bool = true
 
-@description('Determines if this Key Vault can be used for Azure Disk Encryption.')
+@sys.description('Determines if this Key Vault can be used for Azure Disk Encryption.')
 param useDiskEncryption bool = true
 
-@description('Determine if soft delete is enabled on this Key Vault.')
+@sys.description('Determine if soft delete is enabled on this Key Vault.')
 param useSoftDelete bool = true
 
-@description('Determine if purge protection is enabled on this Key Vault.')
+@sys.description('Determine if purge protection is enabled on this Key Vault.')
 param usePurgeProtection bool = true
 
-@description('The number of days to retain soft deleted vaults and vault objects.')
+@sys.description('The number of days to retain soft deleted vaults and vault objects.')
 @minValue(7)
 @maxValue(90)
 param softDeleteDays int = 90
 
-@description('Determines if access to the objects granted using RBAC. When true, access policies are ignored.')
+@sys.description('Determines if access to the objects granted using RBAC. When true, access policies are ignored.')
 param useRBAC bool = false
 
-@description('The network firewall defined for this vault.')
+@sys.description('The network firewall defined for this vault.')
 param networkAcls object = {
   defaultAction: 'Allow'
   bypass: 'AzureServices'
@@ -59,14 +62,14 @@ param networkAcls object = {
   virtualNetworkRules: []
 }
 
-@description('The workspace to store audit logs.')
+@sys.description('The workspace to store audit logs.')
 @metadata({
   strongType: 'Microsoft.OperationalInsights/workspaces'
   example: '/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.OperationalInsights/workspaces/<workspace_name>'
 })
 param workspaceId string = ''
 
-@description('Tags to apply to the resource.')
+@sys.description('Tags to apply to the resource.')
 @metadata({
   example: {
     service: '<service_name>'

bicep/modules/storage/v1/main.bicep

@@ -1,10 +1,13 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-@description('The name of the Storage Account.')
+metadata name = 'Storage Account'
+metadata description = 'Create or update an Storage Account.'
+
+@sys.description('The name of the Storage Account.')
 param name string
 
-@description('The Azure region to deploy to.')
+@sys.description('The Azure region to deploy to.')
 @metadata({
   strongType: 'location'
 })
@@ -14,13 +17,13 @@ param location string = resourceGroup().location
   'Standard_GRS'
   'Standard_LRS'
 ])
-@description('Create the Storage Account as LRS or GRS.')
+@sys.description('Create the Storage Account as LRS or GRS.')
 param sku string = 'Standard_GRS'
 
-@description('Determines if any containers can be configured with the anonymous access types of blob or container.')
+@sys.description('Determines if any containers can be configured with the anonymous access types of blob or container.')
 param allowBlobPublicAccess bool = true
 
-@description('Tags to apply to the resource.')
+@sys.description('Tags to apply to the resource.')
 @metadata({
   example: {
     service: '<service_name>'

ps-rule.yaml

@@ -10,34 +10,33 @@
 binding:
   preferTargetInfo: true
   targetType:
-  - type
-  - resourceType
+    - type
+    - resourceType
 
 # Require minimum versions of modules.
 requires:
-  PSRule: '@pre >=2.4.2'
-  PSRule.Rules.Azure: '@pre >=1.19.2'
+  PSRule: '@pre >=2.7.0'
+  PSRule.Rules.Azure: '@pre >=1.24.2'
 
 # Use PSRule for Azure.
 include:
   module:
-  - PSRule.Rules.Azure
+    - PSRule.Rules.Azure
 
 output:
   culture:
-  - 'en-US'
+    - 'en-US'
 
 input:
   pathIgnore:
+    # Ignore other files in the repository.
+    - '.vscode/'
+    - '.github/'
+    - '*.md'
 
-  # Ignore other files in the repository.
-  - '.vscode/'
-  - '.github/'
-  - '*.md'
-
-  # Exclude modules but not tests.
-  - 'bicep/modules/**/*.bicep'
-  - '!bicep/modules/**/*.tests.bicep'
+    # Exclude modules but not tests.
+    - 'bicep/modules/**/*.bicep'
+    - '!bicep/modules/**/*.tests.bicep'
 
 configuration:
   # Enable automatic expansion of Azure parameter files.
@@ -49,9 +48,15 @@ configuration:
   # Configures the number of seconds to wait for build Bicep files.
   AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 10
 
+  # Enable Bicep CLI checks.
+  AZURE_BICEP_CHECK_TOOL: true
+
+  # Configure the minimum version of the Bicep CLI.
+  AZURE_BICEP_MINIMUM_VERSION: '0.13.0'
+
 # Suppression ignores rules for a specific Azure resource by name.
 suppression:
   Azure.KeyVault.Logs:
-  - kvtest001
+    - kvtest001
   Azure.Storage.BlobPublicAccess:
-  - sttest001
+    - sttest001