зеркало из
1
0
Форкнуть 0
PSRule.Rules.Azure/README.md

238 строки
9.0 KiB
Markdown
Исходник Обычный вид История

2019-04-30 02:02:02 +03:00
# PSRule for Azure
A suite of rules to validate Azure resources using PSRule.
![ci-badge]
2019-12-07 15:38:05 +03:00
Features of PSRule for Azure include:
- [Ready to go](docs/features.md#ready-to-go) - Leverage over 100 pre-built rules to validate Azure resources.
2019-12-07 15:38:05 +03:00
- [DevOps](docs/features.md#devops) - Validate resources pre or post-deployment.
- [Cross-platform](docs/features.md#cross-platform) - Run on MacOS, Linux and Windows.
2019-04-30 02:02:02 +03:00
## Disclaimer
2020-07-02 01:30:02 +03:00
This project is open source and **not a supported product**.
2019-04-30 02:02:02 +03:00
2020-07-02 01:30:02 +03:00
If you are experiencing problems, have a feature request, or a question, please check for an [issue] on GitHub.
If you do not see your problem captured, please file a new issue, and follow the provided template.
2019-04-30 02:02:02 +03:00
2019-10-12 15:20:36 +03:00
If you have any problems with the [PSRule][engine] engine, please check the project GitHub [issues](https://github.com/Microsoft/PSRule/issues) page instead.
## Getting the modules
This project requires the `PSRule` and `Az` PowerShell modules. For details on each see [install].
You can download and install these modules from the PowerShell Gallery.
Module | Description | Downloads / instructions
------ | ----------- | ------------------------
PSRule.Rules.Azure | Validate Azure resources | [latest][module] / [instructions][install]
## Getting started
2019-12-07 15:38:05 +03:00
PSRule for Azure provides two methods for analyzing Azure resources:
- _Pre-flight_ - Before resources are deployed from Azure Resource Manager templates.
- _In-flight_ - After resource are deployed to an Azure subscription.
The following example shows basic _In-flight_ usage. For specific use cases see [scenarios](#scenarios).
2019-12-07 15:38:05 +03:00
For additional details see the [FAQ](docs/features.md#frequently-asked-questions-faq).
### Export resource data
To validate Azure resources running in a subscription, export the resource data with the `Export-AzRuleData` cmdlet.
The `Export-AzRuleData` cmdlet exports a resource graph for one or more subscriptions that can be used for analysis with the rules in this module.
2019-06-05 16:51:59 +03:00
By default, resources for the current subscription context are exported. See below for more options.
Before running this command you should connect to Azure by using the `Connect-AzAccount` cmdlet.
For example:
```powershell
# Authenticate to Azure, only required if not currently connected
Connect-AzAccount;
# Export resource data
Export-AzRuleData;
```
### Validate resources
To validate Azure resources use the extracted data with the `Invoke-PSRule` cmdlet.
For example:
```powershell
Invoke-PSRule -InputPath .\*.json -Module 'PSRule.Rules.Azure';
```
### Additional options
By default, resource data for the current subscription context will be exported to the current working directory as JSON.
2019-06-05 16:51:59 +03:00
To export resource data for specific subscriptions use:
- `-Subscription` - to specify subscriptions by id or name.
- `-Tenant` - to specify subscriptions within an Azure Active Directory Tenant by id.
For example:
```powershell
2019-07-01 04:45:04 +03:00
# Export data from two specific subscriptions
Export-AzRuleData -Subscription 'Contoso Production', 'Contoso Non-production'
```
2019-07-01 04:45:04 +03:00
To export specific resource data use:
- `-ResourceGroupName` - to filter resources by Resource Group.
- `-Tag` - to filter resources based on tag.
For example:
```powershell
# Export information from two resource groups within the current subscription context
Export-AzRuleData -ResourceGroupName 'rg-app1-web', 'rg-app1-db'
```
2019-06-05 16:51:59 +03:00
To export resource data for all subscription contexts use:
- `-All` - to export resource data for all subscription contexts.
For example:
```powershell
# Export data from all subscription contexts
Export-AzRuleData -All;
```
To filter results to only failed rules, use `Invoke-PSRule -Outcome Fail`.
Passed, failed and error results are shown by default.
2019-05-17 17:30:01 +03:00
For example:
```powershell
# Only show failed results
Invoke-PSRule -InputPath .\*.json -Module 'PSRule.Rules.Azure' -Outcome Fail;
```
The output of this example is:
```text
TargetName: storage
RuleName Outcome Recommendation
-------- ------- --------------
2019-05-17 17:30:01 +03:00
Azure.Storage.UseReplication Fail Storage accounts not using GRS may be at risk
Azure.Storage.SecureTransferRequ... Fail Storage accounts should only accept secure traffic
Azure.Storage.SoftDelete Fail Enable soft delete on Storage Accounts
2019-05-17 17:30:01 +03:00
```
A summary of results can be displayed by using `Invoke-PSRule -As Summary`.
For example:
```powershell
# Display as summary results
Invoke-PSRule -InputPath .\*.json -Module 'PSRule.Rules.Azure' -As Summary;
```
The output of this example is:
```text
RuleName Pass Fail Outcome
-------- ---- ---- -------
Azure.ACR.MinSku 0 1 Fail
Azure.AppService.PlanInstanceCount 0 1 Fail
Azure.AppService.UseHTTPS 0 2 Fail
Azure.Resource.UseTags 73 36 Fail
Azure.SQL.ThreatDetection 0 1 Fail
Azure.SQL.Auditing 0 1 Fail
Azure.Storage.UseReplication 1 7 Fail
Azure.Storage.SecureTransferRequ... 2 6 Fail
Azure.Storage.SoftDelete 0 8 Fail
```
## Scenarios
For walk through examples of `PSRule.Rules.Azure` module usage see:
2020-05-25 08:04:02 +03:00
- [Validate Azure resources from templates with Azure Pipelines](docs/scenarios/azure-pipelines-ci/azure-pipelines-ci.md)
- [Validate Azure resources from templates with continuous integration (CI)](docs/scenarios/azure-template-ci/azure-template-ci.md)
## Rule reference
For a list of rules included in the `PSRule.Rules.Azure` module see:
- [Rules by category](docs/rules/en/module.md)
- [Rules by resource](docs/rules/en/resource.md)
## Baseline reference
The following baselines are included within `PSRule.Rules.Azure`.
- [Azure.Default](docs/baselines/en/Azure.Default.md) - Default baseline for Azure rules.
- [Azure.Preview](docs/baselines/en/Azure.Preview.md) - Includes Azure features in preview.
- [Azure.All](docs/baselines/en/Azure.All.md) - Includes all Azure rules.
- [Azure.GA_2020_06](docs/baselines/en/Azure.GA_2020_06.md) - Baseline for GA rules released June 2020 or prior.
## Language reference
PSRule for Azure extends PowerShell with the following cmdlets.
### Commands
The following commands exist in the `PSRule.Rules.Azure` module:
2019-12-07 15:38:05 +03:00
- [Export-AzRuleData](docs/commands/PSRule.Rules.Azure/en-US/Export-AzRuleData.md) - Export resource configuration data from Azure subscriptions.
- [Export-AzTemplateRuleData](docs/commands/PSRule.Rules.Azure/en-US/Export-AzTemplateRuleData.md) - Export resource configuration data from Azure templates.
- [Get-AzRuleTemplateLink](docs/commands/PSRule.Rules.Azure/en-US/Get-AzRuleTemplateLink.md) - Get a metadata link to a Azure template file.
### Concepts
The following conceptual topics exist in the `PSRule.Rules.Azure` module:
- [Azure metadata link](docs/concepts/PSRule.Rules.Azure/en-US/about_PSRule_Azure_Metadata_Link.md)
- [Configuration](docs/concepts/PSRule.Rules.Azure/en-US/about_PSRule_Azure_Configuration.md)
- [Azure_AKSMinimumVersion](docs/concepts/PSRule.Rules.Azure/en-US/about_PSRule_Azure_Configuration.md#azure_aksminimumversion)
- [Azure_AKSNodeMinimumMaxPods](docs/concepts/PSRule.Rules.Azure/en-US/about_PSRule_Azure_Configuration.md#azure_aksnodeminimummaxpods)
- [Azure_AllowedRegions](docs/concepts/PSRule.Rules.Azure/en-US/about_PSRule_Azure_Configuration.md#azure_allowedregions)
- [Azure_MinimumCertificateLifetime](docs/concepts/PSRule.Rules.Azure/en-US/about_PSRule_Azure_Configuration.md#azure_minimumcertificatelifetime)
2019-04-30 02:02:02 +03:00
## Changes and versioning
Modules in this repository will use the [semantic versioning](http://semver.org/) model to declare breaking changes from v1.0.0.
Prior to v1.0.0, breaking changes may be introduced in minor (0.x.0) version increments.
For a list of module changes please see the [change log](CHANGELOG.md).
2019-04-30 02:02:02 +03:00
2020-01-14 08:14:12 +03:00
> Pre-release module versions are created on major commits and can be installed from the PowerShell Gallery.
> Pre-release versions should be considered experimental.
> Modules and change log details for pre-releases will be removed as standard releases are made available.
2019-04-30 02:02:02 +03:00
## Contributing
This project welcomes contributions and suggestions.
If you are ready to contribute, please visit the [contribution guide](CONTRIBUTING.md).
## Code of Conduct
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
2019-04-30 02:02:02 +03:00
## Maintainers
- [Bernie White](https://github.com/BernieWhite)
## License
This project is [licensed under the MIT License](LICENSE).
2020-07-02 01:30:02 +03:00
[issue]: https://github.com/Microsoft/PSRule.Rules.Azure/issues
2020-08-19 15:42:17 +03:00
[install]: docs/install-instructions.md
[ci-badge]: https://dev.azure.com/bewhite/PSRule.Rules.Azure/_apis/build/status/PSRule.Rules.Azure-CI?branchName=main
2019-04-30 02:02:02 +03:00
[module]: https://www.powershellgallery.com/packages/PSRule.Rules.Azure
2019-10-12 15:20:36 +03:00
[engine]: https://github.com/Microsoft/PSRule