# PSRule for Azure
A suite of rules to validate Azure resources using PSRule.
![ci-badge]
Features of PSRule for Azure include:
- [Ready to go](docs/features.md#ready-to-go) - Leverage over 100 pre-built rules to validate Azure resources.
- [DevOps](docs/features.md#devops) - Validate resources pre or post-deployment.
- [Cross-platform](docs/features.md#cross-platform) - Run on macOS, Linux and Windows.
## Disclaimer
This project is open source and **not a supported product**.
If you are experiencing problems, have a feature request, or a question, please check for an [issue] on GitHub.
If you do not see your problem captured, please file a new issue, and follow the provided template.
If you have any problems with the [PSRule][engine] engine, please check the project GitHub [issues](https://github.com/Microsoft/PSRule/issues) page instead.
## Getting the modules
This project requires the `PSRule` and `Az` PowerShell modules. For details on each see [install].
You can download and install these modules from the PowerShell Gallery.
Module | Description | Downloads / instructions
------ | ----------- | ------------------------
PSRule.Rules.Azure | Validate Azure resources | [latest][module] / [instructions][install]
## Getting started
PSRule for Azure provides two methods for analyzing Azure resources:
- _Pre-flight_ - Before resources are deployed from Azure Resource Manager templates.
- _In-flight_ - After resources are deployed to an Azure subscription.
The following example shows basic _In-flight_ usage. For specific use cases see [scenarios](#scenarios).
For additional details see the [FAQ](docs/features.md#frequently-asked-questions-faq).
### Export resource data
To validate Azure resources running in a subscription, export the resource data with the `Export-AzRuleData` cmdlet.
The `Export-AzRuleData` cmdlet exports a resource graph for one or more subscriptions that can be used for analysis with the rules in this module.
By default, resources for the current subscription context are exported. See below for more options.
Before running this command you should connect to Azure by using the `Connect-AzAccount` cmdlet.
For example:
```powershell
# Authenticate to Azure, only required if not currently connected
Connect-AzAccount;
# Export resource data
Export-AzRuleData;
```
### Validate resources
To validate Azure resources use the extracted data with the `Invoke-PSRule` cmdlet.
For example:
```powershell
Invoke-PSRule -InputPath .\*.json -Module 'PSRule.Rules.Azure';
```
### Additional options
By default, resource data for the current subscription context will be exported to the current working directory as JSON.
To export resource data for specific subscriptions use:
- `-Subscription` - to specify subscriptions by id or name.
- `-Tenant` - to specify subscriptions within an Azure Active Directory Tenant by id.
For example:
```powershell
# Export data from two specific subscriptions
Export-AzRuleData -Subscription 'Contoso Production', 'Contoso Non-production'
```
To export specific resource data use:
- `-ResourceGroupName` - to filter resources by Resource Group.
- `-Tag` - to filter resources based on tag.
For example:
```powershell
# Export information from two resource groups within the current subscription context
Export-AzRuleData -ResourceGroupName 'rg-app1-web', 'rg-app1-db'
```
To export resource data for all subscription contexts use:
- `-All` - to export resource data for all subscription contexts.
For example:
```powershell
# Export data from all subscription contexts
Export-AzRuleData -All;
```
To filter results to only failed rules, use `Invoke-PSRule -Outcome Fail`.
Passed, failed and error results are shown by default.
For example:
```powershell
# Only show failed results
Invoke-PSRule -InputPath .\*.json -Module 'PSRule.Rules.Azure' -Outcome Fail;
```
The output of this example is:
```text
   TargetName: storage

RuleName                            Outcome    Recommendation
--------                            -------    --------------
Azure.Storage.UseReplication        Fail       Storage accounts not using GRS may be at risk
Azure.Storage.SecureTransferRequ... Fail       Storage accounts should only accept secure traffic
Azure.Storage.SoftDelete            Fail       Enable soft delete on Storage Accounts
```
A summary of results can be displayed by using `Invoke-PSRule -As Summary`.
For example:
```powershell
# Display as summary results
Invoke-PSRule -InputPath .\*.json -Module 'PSRule.Rules.Azure' -As Summary;
```
The output of this example is:
```text
RuleName                            Pass  Fail  Outcome
--------                            ----  ----  -------
Azure.ACR.MinSku                    0     1     Fail
Azure.AppService.PlanInstanceCount  0     1     Fail
Azure.AppService.UseHTTPS           0     2     Fail
Azure.Resource.UseTags              73    36    Fail
Azure.SQL.ThreatDetection           0     1     Fail
Azure.SQL.Auditing                  0     1     Fail
Azure.Storage.UseReplication        1     7     Fail
Azure.Storage.SecureTransferRequ... 2     6     Fail
Azure.Storage.SoftDelete            0     8     Fail
```
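The following script ties the export and validation steps above together as a deployment gate. It is an added example, not code from the PSRule for Azure project; the subscription and resource group names are placeholders, and it assumes `Connect-AzAccount` has already run and that the installed PSRule engine supports the `-Baseline` parameter for selecting the `Azure.Default` baseline.

```powershell
# Added example (not part of PSRule.Rules.Azure): export in-scope resource data, run the
# Azure rules against it, and fail the step when any rule reports a failure.
# Placeholder values, replace with your own:
$subscription = 'Contoso Production'
$resourceGroups = @('rg-app1-web', 'rg-app1-db')
$outputPath = Join-Path -Path $PWD -ChildPath 'out'

# Keep the exported JSON in its own directory so unrelated files are not picked up later.
New-Item -Path $outputPath -ItemType Directory -Force | Out-Null

# Export-AzRuleData writes to the current working directory by default,
# so run it from the output directory, scoped to one subscription and two resource groups.
Push-Location -Path $outputPath
try {
    Export-AzRuleData -Subscription $subscription -ResourceGroupName $resourceGroups
}
finally {
    Pop-Location
}

# Run the rules and keep only failures; @() forces an array even for zero or one result.
$failed = @(Invoke-PSRule -InputPath (Join-Path -Path $outputPath -ChildPath '*.json') `
    -Module 'PSRule.Rules.Azure' -Baseline 'Azure.Default' -Outcome Fail)

if ($failed.Count -gt 0) {
    # Group by rule so the log shows which checks fail most and which resources are affected.
    $failed | Group-Object -Property RuleName | Sort-Object -Property Count -Descending | ForEach-Object {
        Write-Host ('{0}: {1} resource(s)' -f $_.Name, $_.Count)
        foreach ($result in $_.Group) {
            Write-Host ('  - {0}: {1}' -f $result.TargetName, $result.Recommendation)
        }
    }
    Write-Error ('PSRule found {0} failing result(s); blocking deployment.' -f $failed.Count)
    exit 1
}

Write-Host 'All Azure rules passed.'
```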
## Scenarios
For walk-through examples of `PSRule.Rules.Azure` module usage see:
- [Validate Azure resources from templates with Azure Pipelines](docs/scenarios/azure-pipelines-ci/azure-pipelines-ci.md)
- [Validate Azure resources from templates with continuous integration (CI)](docs/scenarios/azure-template-ci/azure-template-ci.md)
## Rule reference
For a list of rules included in the `PSRule.Rules.Azure` module see:
- [Rules by category](docs/rules/en/module.md)
- [Rules by resource](docs/rules/en/resource.md)
## Baseline reference
The following baselines are included within `PSRule.Rules.Azure`.
- [Azure.Default](docs/baselines/en/Azure.Default.md) - Default baseline for Azure rules.
- [Azure.Preview](docs/baselines/en/Azure.Preview.md) - Includes Azure features in preview.
- [Azure.All](docs/baselines/en/Azure.All.md) - Includes all Azure rules.
- [Azure.GA_2020_06](docs/baselines/en/Azure.GA_2020_06.md) - Baseline for GA rules released June 2020 or prior.
## Language reference
PSRule for Azure extends PowerShell with the following cmdlets.
### Commands
The following commands exist in the `PSRule.Rules.Azure` module:
- [Export-AzRuleData](docs/commands/PSRule.Rules.Azure/en-US/Export-AzRuleData.md) - Export resource configuration data from Azure subscriptions.
- [Export-AzTemplateRuleData](docs/commands/PSRule.Rules.Azure/en-US/Export-AzTemplateRuleData.md) - Export resource configuration data from Azure templates.
- [Get-AzRuleTemplateLink](docs/commands/PSRule.Rules.Azure/en-US/Get-AzRuleTemplateLink.md) - Get a metadata link to an Azure template file.
### Concepts
The following conceptual topics exist in the `PSRule.Rules.Azure` module:
- [Azure metadata link](docs/concepts/PSRule.Rules.Azure/en-US/about_PSRule_Azure_Metadata_Link.md)
- [Configuration](docs/concepts/PSRule.Rules.Azure/en-US/about_PSRule_Azure_Configuration.md)
- [Azure_AKSMinimumVersion](docs/concepts/PSRule.Rules.Azure/en-US/about_PSRule_Azure_Configuration.md#azure_aksminimumversion)
- [Azure_AKSNodeMinimumMaxPods](docs/concepts/PSRule.Rules.Azure/en-US/about_PSRule_Azure_Configuration.md#azure_aksnodeminimummaxpods)
- [Azure_AllowedRegions](docs/concepts/PSRule.Rules.Azure/en-US/about_PSRule_Azure_Configuration.md#azure_allowedregions)
- [Azure_MinimumCertificateLifetime](docs/concepts/PSRule.Rules.Azure/en-US/about_PSRule_Azure_Configuration.md#azure_minimumcertificatelifetime)
## Changes and versioning
Modules in this repository will use the [semantic versioning](http://semver.org/) model to declare breaking changes from v1.0.0.
Prior to v1.0.0, breaking changes may be introduced in minor (0.x.0) version increments.
For a list of module changes please see the [change log](CHANGELOG.md).
> Pre-release module versions are created on major commits and can be installed from the PowerShell Gallery.
> Pre-release versions should be considered experimental.
> Modules and change log details for pre-releases will be removed as standard releases are made available.
## Contributing
This project welcomes contributions and suggestions.
If you are ready to contribute, please visit the [contribution guide](CONTRIBUTING.md).
## Code of Conduct
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
## Maintainers
- [Bernie White](https://github.com/BernieWhite)
## License
This project is [licensed under the MIT License](LICENSE).
[issue]: https://github.com/Microsoft/PSRule.Rules.Azure/issues
[install]: docs/install-instructions.md
[ci-badge]: https://dev.azure.com/bewhite/PSRule.Rules.Azure/_apis/build/status/PSRule.Rules.Azure-CI?branchName=main
[module]: https://www.powershellgallery.com/packages/PSRule.Rules.Azure
[engine]: https://github.com/Microsoft/PSRule