This commit is contained in:
Bernie White 2022-05-31 07:25:05 +10:00 коммит произвёл GitHub
Родитель cd76169cac
Коммит 490fc38a82
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
18 изменённых файлов: 3350 добавлений и 118 удалений


@ -9,6 +9,11 @@ Rule 'Rule.Name' -Type 'PSRule.Rules.Rule' {
$Assert.StartsWith($TargetObject, 'RuleName', 'Azure.')
}
# # Synopsis: Rules must use a valid opaque identifier.
# Rule 'Rule.Ref' -Type 'PSRule.Rules.Rule' {
# $Assert.Match($TargetObject, 'Ref', '^AZR-[0-9]{6,6}$')
# }
# Synopsis: Complete help documentation.
Rule 'Rule.Help' -Type 'PSRule.Rules.Rule' {
$Assert.HasFieldValue($TargetObject, 'Info.Synopsis')
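Review bot: Rule.Ref is added commented out, so nothing in the rule-quality checks enforces that every rule carries a ref or that the `AZR-NNNNNN` values hand-assigned across the rule files in this commit are distinct; even when enabled, the pattern only checks format. If it is disabled because refs are still being rolled out, say so on the commented block, e.g. `# TODO: enable once every rule has a ref assigned`, and consider a separate test that the ref values are unique across the module. `{6,6}` is the same quantifier as `{6}`. Rule.Help, which follows, continues outside the hunk.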


@ -26,6 +26,11 @@ What's changed since pre-release v1.16.0-B0017:
- Updated `Azure.PublicIP.AvailabilityZone` to exclude IP addresses for Azure Bastion by @BernieWhite.
[#1442](https://github.com/Azure/PSRule.Rules.Azure/issues/1442)
- Public IP addresses with the `resource-usage` tag set to `azure-bastion` are excluded.
- Engineering:
- Updated built documentation to include rule ref and metadata by @BernieWhite.
[#1432](https://github.com/Azure/PSRule.Rules.Azure/issues/1432)
- Added ref properties for several rules by @BernieWhite.
[#1430](https://github.com/Azure/PSRule.Rules.Azure/issues/1430)
## v1.16.0-B0017 (pre-release)


@ -9,7 +9,11 @@
.heart {
animation: heart 1000ms infinite;
color:#e91e63;
color: #e91e63;
}
.experimental {
color: rgb(124, 77, 255)
}
:root {

3014
docs/en/rules/metadata.json Normal file



@ -1,6 +1,8 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
import json
import os
import re
import shutil
import logging
@ -34,20 +36,29 @@ def replace_maml(markdown: str, page: mkdocs.structure.nav.Page, config: mkdocs.
markdown = add_tags(markdown)
if markdown.__contains__("<!-- OBSOLETE -->"):
page.meta['obsolete'] = 'true'
if page.canonical_url.__contains__("/baselines/"):
page.meta['template'] = 'reference.html'
page.meta['generated'] = 'true'
if page.meta.get('obsolete', 'false') == 'true':
markdown = markdown.replace("<!-- OBSOLETE -->", "!!! Warning\r The baseline is obsolete.\r Consider switching to a newer baseline.")
if page.canonical_url.__contains__("/rules/"):
page.meta['template'] = 'reference.html'
if page.canonical_url.__contains__("/rules/") and page.meta.get("pillar", "None") != "None":
page.meta['rule'] = page.canonical_url.split("/")[-2]
read_metadata(page)
if markdown.__contains__("<!-- OBSOLETE -->"):
page.meta['obsolete'] = 'true'
markdown = markdown.replace("<!-- OBSOLETE -->", ":octicons-alert-24: Obsolete")
if page.meta.get('rule', 'None') != 'None':
markdown = markdown.replace('<!-- TAGS -->', '<nav class="md-tags"><rule/><ref/></nav>\r<!-- TAGS -->')
markdown = markdown.replace('<rule/>', '<span class="md-tag">' + page.meta['rule'] + '</span>')
if page.meta.get('ref', 'None') != 'None':
markdown = markdown.replace('<ref/>', '<span class="md-tag">' + page.meta['ref'] + '</span>')
if page.meta.get('ref', 'None') == 'None':
markdown = markdown.replace('<ref/>', '')
if page.meta.get("pillar", "None") != "None":
markdown = markdown.replace("<!-- TAGS -->", "[:octicons-diamond-24: " + page.meta['pillar'] + "](module.md#" + page.meta['pillar'].lower().replace(" ", "") + ")\r<!-- TAGS -->")
@ -55,8 +66,11 @@ def replace_maml(markdown: str, page: mkdocs.structure.nav.Page, config: mkdocs.
if page.meta.get("resource", "None") != "None":
markdown = markdown.replace("<!-- TAGS -->", " · [:octicons-container-24: " + page.meta['resource'] + "](resource.md#" + page.meta['resource'].lower().replace(" ", "") + ")\r<!-- TAGS -->")
if page.meta.get("rule", "None") != "None":
markdown = markdown.replace("<!-- TAGS -->", " · :octicons-file-code-24: " + page.meta['rule'] + "\r<!-- TAGS -->")
if page.meta.get('release', 'None') == 'preview':
markdown = markdown.replace("<!-- TAGS -->", " · :octicons-beaker-24: Preview\r<!-- TAGS -->")
if page.meta.get('ruleSet', 'None') != 'None':
markdown = markdown.replace("<!-- TAGS -->", " · :octicons-tag-24: " + page.meta['ruleSet'] + "\r<!-- TAGS -->")
return markdown.replace("<!-- TAGS -->", "")
@ -72,6 +86,26 @@ def add_tags(markdown: str) -> str:
return "\r".join(converted)
def read_metadata(page: mkdocs.structure.nav.Page):
file: str = os.path.join(os.path.dirname(page.file.abs_src_path), 'metadata.json')
tags = []
with open(file) as f:
data = json.load(f)
name = page.meta['rule']
tags.append(name)
if page.meta.get('rule', '') != '' and data.get(name, None) != None and data[name].get('Ref', None) != None and data[name]['Ref'].get('Name', None) != None:
page.meta['ref'] = data[name]['Ref']['Name']
tags.append(page.meta['ref'])
if page.meta.get('rule', '') != '' and data.get(name, None) != None and data[name].get('Release', None) != None:
page.meta['release'] = data[name]['Release']
if page.meta.get('rule', '') != '' and data.get(name, None) != None and data[name].get('RuleSet', None) != None:
page.meta['ruleSet'] = data[name]['RuleSet']
page.meta['tags'] = tags
# Dynamically build reference nav
def build_reference_nav(nav: mkdocs.structure.nav.Navigation, config: mkdocs.config.Config, files: mkdocs.structure.files.Files) -> mkdocs.structure.nav.Navigation:
build_rule_nav(nav, config, files)
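Review bot: read_metadata, added in the last hunk, reopens and re-parses metadata.json for every rule page, opens it without an explicit encoding, and repeats the `page.meta.get('rule', '') != '' and data.get(name, None) != None` prefix on three lines even though `page.meta['rule']` was already indexed unconditionally two lines earlier, so the guard cannot fail in the way it reads. Parse the file once through a small cached loader (`import functools` at the top of the file), pin `encoding='utf-8'` so the result does not depend on the host locale, and collapse the three chains into one `entry = data.get(name)` lookup with `is not None` comparisons. In the first hunk, replace_maml splices `page.meta['rule']` and `page.meta['ref']` straight into `<span class="md-tag">` markup; both values come from the page path and the build-generated metadata.json, so this is build-time hygiene rather than an exposure, but wrapping them in `html.escape` would make that explicit. The `page.canonical_url.__contains__(...)` and `markdown.__contains__(...)` calls are plain `in` tests and read more naturally written that way.
```python
@functools.lru_cache(maxsize=None)
def _load_metadata(file: str) -> dict:
    # metadata.json is generated once per build by BuildRuleDocs; parse it once, not once per page.
    # NOTE(review): under a live-reload server the cache would need clearing if the file is regenerated — confirm.
    with open(file, encoding='utf-8') as f:
        return json.load(f)


def read_metadata(page: mkdocs.structure.nav.Page):
    file: str = os.path.join(os.path.dirname(page.file.abs_src_path), 'metadata.json')
    name = page.meta['rule']
    tags = [name]
    entry = _load_metadata(file).get(name) if name != '' else None
    if entry is not None:
        ref = (entry.get('Ref') or {}).get('Name')
        if ref is not None:
            page.meta['ref'] = ref
            tags.append(ref)
        if entry.get('Release') is not None:
            page.meta['release'] = entry['Release']
        if entry.get('RuleSet') is not None:
            page.meta['ruleSet'] = entry['RuleSet']
    page.meta['tags'] = tags
```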


@ -113,6 +113,7 @@ plugins:
on_nav: "docs.hooks:build_reference_nav"
- search
- git-revision-date
- tags
- redirects:
redirect_maps:
'using-metadata.md': 'using-templates.md'


@ -368,6 +368,19 @@ task BuildRuleDocs Build, Dependencies, {
Import-Module (Join-Path -Path $PWD -ChildPath out/modules/PSRule.Rules.Azure) -Force;
$Null = './out/modules/PSRule.Rules.Azure' | Invoke-PSDocument -Name module -OutputPath ./docs/en/rules/ -Path ./RuleToc.Doc.ps1;
$Null = './out/modules/PSRule.Rules.Azure' | Invoke-PSDocument -Name resource -OutputPath ./docs/en/rules/ -Path ./RuleToc.Doc.ps1;
$metadata = @{}
Get-PSRule -Module PSRule.Rules.Azure -Baseline Azure.All | ForEach-Object {
$metadata[$_.Name] = [PSCustomObject]@{
Name = $_.Name
Ref = $_.Ref
Alias = @($_.Alias)
Flags = $_.Flags
Release = $_.Tag.release
RuleSet = $_.Tag.ruleSet
}
}
$metadata | ConvertTo-Json -Depth 5 | Set-Content -Path ./docs/en/rules/metadata.json -Force;
}
# Synopsis: Build table of content for baselines


@ -5,13 +5,10 @@
# Rules for Azure Container Registry (ACR)
#
# Synopsis: Use RBAC for delegating access to ACR instead of the registry admin user
Rule 'Azure.ACR.AdminUser' -Type 'Microsoft.ContainerRegistry/registries' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
$Assert.HasDefaultValue($TargetObject, 'Properties.adminUserEnabled', $False)
}
#region Rules
# Synopsis: Consider freeing up registry space.
Rule 'Azure.ACR.Usage' -Type 'Microsoft.ContainerRegistry/registries' -If { IsExport } -Tag @{ release = 'GA'; ruleSet = '2020_12' } {
Rule 'Azure.ACR.Usage' -Ref 'AZR-000001' -Type 'Microsoft.ContainerRegistry/registries' -If { IsExport } -Tag @{ release = 'GA'; ruleSet = '2020_12' } {
$usages = @(GetSubResources -ResourceType 'Microsoft.ContainerRegistry/registries/listUsages' | ForEach-Object {
$_.value | Where-Object { $_.Name -eq 'Size' }
});
@ -23,13 +20,13 @@ Rule 'Azure.ACR.Usage' -Type 'Microsoft.ContainerRegistry/registries' -If { IsEx
}
# Synopsis: Consider enabling vulnerability scanning for container images.
Rule 'Azure.ACR.ContainerScan' -Type 'Microsoft.ContainerRegistry/registries' -If { IsExport } -Tag @{ release = 'GA'; ruleSet = '2020_12' } {
Rule 'Azure.ACR.ContainerScan' -Ref 'AZR-000002' -Type 'Microsoft.ContainerRegistry/registries' -If { IsExport } -Tag @{ release = 'GA'; ruleSet = '2020_12' } {
$assessments = @(GetSubResources -ResourceType 'Microsoft.Security/assessments');
$Assert.GreaterOrEqual($assessments, '.', 1).Reason($LocalizedData.AssessmentNotFound);
}
# Synopsis: Consider removing vulnerable container images.
Rule 'Azure.ACR.ImageHealth' -Type 'Microsoft.ContainerRegistry/registries' -If { (IsExport) -and (@(GetSubResources -ResourceType 'Microsoft.Security/assessments')).Length -gt 0 } -Tag @{ release = 'GA'; ruleSet = '2020_12' } {
Rule 'Azure.ACR.ImageHealth' -Ref 'AZR-000003' -Type 'Microsoft.ContainerRegistry/registries' -If { (IsExport) -and (@(GetSubResources -ResourceType 'Microsoft.Security/assessments')).Length -gt 0 } -Tag @{ release = 'GA'; ruleSet = '2020_12' } {
$assessments = @(GetSubResources -ResourceType 'Microsoft.Security/assessments');
foreach ($assessment in $assessments) {
$Assert.In($assessment, 'Properties.status.code', @('Healthy', 'NotApplicable')).Reason($LocalizedData.AssessmentUnhealthy);
@ -37,7 +34,7 @@ Rule 'Azure.ACR.ImageHealth' -Type 'Microsoft.ContainerRegistry/registries' -If
}
# Synopsis: Consider geo-replicating container images.
Rule 'Azure.ACR.GeoReplica' -Type 'Microsoft.ContainerRegistry/registries' -If { IsExport } -Tag @{ release = 'GA'; ruleSet = '2020_12' } {
Rule 'Azure.ACR.GeoReplica' -Ref 'AZR-000004' -Type 'Microsoft.ContainerRegistry/registries' -If { IsExport } -Tag @{ release = 'GA'; ruleSet = '2020_12' } {
$replications = @(GetSubResources -ResourceType 'Microsoft.ContainerRegistry/registries/replications');
$registryLocation = GetNormalLocation -Location $TargetObject.Location;
foreach ($replica in $replications) {
@ -49,3 +46,5 @@ Rule 'Azure.ACR.GeoReplica' -Type 'Microsoft.ContainerRegistry/registries' -If {
}
}
}
#endregion Rules


@ -7,12 +7,30 @@
#region Rules
---
# Synopsis: Use Azure AD identities instead of using the registry admin user.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.ACR.AdminUser
ref: AZR-000005
tags:
release: 'GA'
ruleSet: '2020_06'
spec:
type:
- Microsoft.ContainerRegistry/registries
condition:
field: Properties.adminUserEnabled
hasDefault: false
---
# Synopsis: ACR should use the Premium or Standard SKU for production deployments.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.ACR.MinSku
ref: AZR-000006
tags:
release: 'GA'
ruleSet: '2020_06'
@ -29,6 +47,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.ACR.Name
ref: AZR-000007
tags:
release: 'GA'
ruleSet: '2020_06'
@ -50,6 +69,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.ACR.Quarantine
ref: AZR-000008
tags:
release: 'preview'
ruleSet: '2020_12'
@ -66,6 +86,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.ACR.ContentTrust
ref: AZR-000009
tags:
release: 'GA'
ruleSet: '2020_12'
@ -84,6 +105,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.ACR.Retention
ref: AZR-000010
tags:
release: 'preview'
ruleSet: '2020_12'


@ -8,7 +8,7 @@
#region Rules
# Synopsis: Regularly remove unused resources to reduce costs.
Rule 'Azure.ADX.Usage' -Type 'Microsoft.Kusto/clusters' -If { IsExport } -With 'Azure.ADX.IsClusterRunning' -Tag @{ release = 'GA'; ruleSet = '2022_03'; } {
Rule 'Azure.ADX.Usage' -Ref 'AZR-000011' -Type 'Microsoft.Kusto/clusters' -If { IsExport } -With 'Azure.ADX.IsClusterRunning' -Tag @{ release = 'GA'; ruleSet = '2022_03'; } {
$items = @(GetSubResources -ResourceType 'Microsoft.Kusto/clusters/databases');
$Assert.GreaterOrEqual($items, '.', 1);
}


@ -13,6 +13,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.ADX.ManagedIdentity
ref: AZR-000012
tags:
release: GA
ruleSet: 2022_03
@ -32,6 +33,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.ADX.DiskEncryption
ref: AZR-000013
tags:
release: GA
ruleSet: 2022_03
@ -48,6 +50,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.ADX.SLA
ref: AZR-000014
tags:
release: GA
ruleSet: 2022_03


@ -6,7 +6,7 @@
#
# Synopsis: AKS control plane and nodes pools should use a current stable release.
Rule 'Azure.AKS.Version' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Rule 'Azure.AKS.Version' -Ref 'AZR-000015' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
$minVersion = $Configuration.GetValueOrDefault('Azure_AKSMinimumVersion', $Configuration.AZURE_AKS_CLUSTER_MINIMUM_VERSION);
if ($PSRule.TargetType -eq 'Microsoft.ContainerService/managedClusters') {
$Assert.Version($TargetObject, 'Properties.kubernetesVersion', ">=$minVersion");
@ -20,7 +20,7 @@ Rule 'Azure.AKS.Version' -Type 'Microsoft.ContainerService/managedClusters', 'Mi
}
# Synopsis: AKS agent pools should run the same Kubernetes version as the cluster
Rule 'Azure.AKS.PoolVersion' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Rule 'Azure.AKS.PoolVersion' -Ref 'AZR-000016' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
$clusterVersion = $TargetObject.Properties.kubernetesVersion;
$agentPools = @(GetAgentPoolProfiles);
if ($agentPools.Length -eq 0) {
@ -32,13 +32,8 @@ Rule 'Azure.AKS.PoolVersion' -Type 'Microsoft.ContainerService/managedClusters'
}
}
# Synopsis: AKS cluster should use role-based access control
Rule 'Azure.AKS.UseRBAC' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
$Assert.HasFieldValue($TargetObject, 'Properties.enableRBAC', $True)
}
# Synopsis: AKS node pools should use scale sets
Rule 'Azure.AKS.PoolScaleSet' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Rule 'Azure.AKS.PoolScaleSet' -Ref 'AZR-000017' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
$agentPools = @(GetAgentPoolProfiles);
if ($agentPools.Length -eq 0) {
return $Assert.Pass();
@ -50,7 +45,7 @@ Rule 'Azure.AKS.PoolScaleSet' -Type 'Microsoft.ContainerService/managedClusters'
}
# Synopsis: AKS nodes should use a minimum number of pods
Rule 'Azure.AKS.NodeMinPods' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Rule 'Azure.AKS.NodeMinPods' -Ref 'AZR-000018' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
$agentPools = @(GetAgentPoolProfiles);
if ($agentPools.Length -eq 0) {
return $Assert.Pass();
@ -60,32 +55,8 @@ Rule 'Azure.AKS.NodeMinPods' -Type 'Microsoft.ContainerService/managedClusters',
}
} -Configure @{ Azure_AKSNodeMinimumMaxPods = 50 }
# Synopsis: Use AKS naming requirements
Rule 'Azure.AKS.Name' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
# https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftcontainerservice
# Between 1 and 63 characters long
$Assert.GreaterOrEqual($PSRule, 'TargetName', 1);
$Assert.LessOrEqual($PSRule, 'TargetName', 63);
# Alphanumerics, underscores, and hyphens
# Start and end with alphanumeric
$Assert.Match($PSRule, 'TargetName', '^[A-Za-z0-9](-|\w)*[A-Za-z0-9]$');
}
# Synopsis: Use AKS naming requirements for DNS prefix
Rule 'Azure.AKS.DNSPrefix' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
# Between 1 and 54 characters long
$Assert.GreaterOrEqual($TargetObject, 'Properties.dnsPrefix', 1);
$Assert.LessOrEqual($TargetObject, 'Properties.dnsPrefix', 54);
# Alphanumerics and hyphens
# Start and end with alphanumeric
$Assert.Match($TargetObject, 'Properties.dnsPrefix', '^[A-Za-z0-9]((-|[A-Za-z0-9]){0,}[A-Za-z0-9]){0,}$');
}
# Synopsis: Use Autoscaling to ensure AKS cluster is running efficiently with the right number of nodes for the workloads present.
Rule 'Azure.AKS.AutoScaling' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
Rule 'Azure.AKS.AutoScaling' -Ref 'AZR-000019' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
$agentPools = @(GetAgentPoolProfiles);
if ($agentPools.Length -eq 0) {
@ -105,7 +76,7 @@ Rule 'Azure.AKS.AutoScaling' -Type 'Microsoft.ContainerService/managedClusters',
}
# Synopsis: AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.
Rule 'Azure.AKS.CNISubnetSize' -If { IsExport } -With 'Azure.AKS.AzureCNI' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
Rule 'Azure.AKS.CNISubnetSize' -Ref 'AZR-000020' -If { IsExport } -With 'Azure.AKS.AzureCNI' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
$clusterSubnets = @(GetSubResources -ResourceType 'Microsoft.Network/virtualNetworks/subnets');
if ($clusterSubnets.Length -eq 0) {
@ -127,7 +98,7 @@ Rule 'Azure.AKS.CNISubnetSize' -If { IsExport } -With 'Azure.AKS.AzureCNI' -Tag
} -Configure @{ AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE = 23 }
# Synopsis: AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.
Rule 'Azure.AKS.AvailabilityZone' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
Rule 'Azure.AKS.AvailabilityZone' -Ref 'AZR-000021' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
$agentPools = @(GetAgentPoolProfiles);
if ($agentPools.Length -eq 0) {
@ -161,13 +132,8 @@ Rule 'Azure.AKS.AvailabilityZone' -Type 'Microsoft.ContainerService/managedClust
}
} -Configure @{ AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST = @() }
# Synopsis: Enable Container insights to monitor AKS cluster workloads.
Rule 'Azure.AKS.ContainerInsights' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
$Assert.HasFieldValue($TargetObject, 'Properties.addonProfiles.omsAgent.enabled', $True);
}
# Synopsis: AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.
Rule 'Azure.AKS.AuditLogs' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
Rule 'Azure.AKS.AuditLogs' -Ref 'AZR-000022' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
$diagnosticLogs = @(GetSubResources -ResourceType 'Microsoft.Insights/diagnosticSettings', 'Microsoft.ContainerService/managedClusters/providers/diagnosticSettings');
$Assert.Greater($diagnosticLogs, '.', 0).Reason($LocalizedData.DiagnosticSettingsNotConfigured, $TargetObject.name);
@ -189,7 +155,7 @@ Rule 'Azure.AKS.AuditLogs' -Type 'Microsoft.ContainerService/managedClusters' -T
}
# Synopsis: AKS clusters should collect platform diagnostic logs to monitor the state of workloads.
Rule 'Azure.AKS.PlatformLogs' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
Rule 'Azure.AKS.PlatformLogs' -Ref 'AZR-000023' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
$configurationLogCategoriesList = $Configuration.GetStringValues('AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST');
if ($configurationLogCategoriesList.Length -eq 0) {


@ -13,6 +13,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.MinNodeCount
ref: AZR-000024
tags:
release: 'GA'
ruleSet: '2020_06'
@ -29,6 +30,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.ManagedIdentity
ref: AZR-000025
tags:
release: 'GA'
ruleSet: '2020_06'
@ -47,6 +49,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.StandardLB
ref: AZR-000026
tags:
release: 'GA'
ruleSet: '2020_06'
@ -63,6 +66,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.NetworkPolicy
ref: AZR-000027
tags:
release: 'GA'
ruleSet: '2020_06'
@ -81,6 +85,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.AzurePolicyAddOn
ref: AZR-000028
tags:
release: 'GA'
ruleSet: '2020_12'
@ -97,6 +102,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.ManagedAAD
ref: AZR-000029
tags:
release: 'GA'
ruleSet: '2021_06'
@ -113,6 +119,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.AuthorizedIPs
ref: AZR-000030
tags:
release: 'GA'
ruleSet: '2021_06'
@ -129,6 +136,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.LocalAccounts
ref: AZR-000031
tags:
release: 'preview'
ruleSet: '2021_06'
@ -145,6 +153,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.AzureRBAC
ref: AZR-000032
tags:
release: 'GA'
ruleSet: '2021_06'
@ -161,6 +170,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.SecretStore
ref: AZR-000033
tags:
release: 'GA'
ruleSet: '2021_12'
@ -177,6 +187,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.SecretStoreRotation
ref: AZR-000034
tags:
release: 'GA'
ruleSet: '2021_12'
@ -195,6 +206,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.HttpAppRouting
ref: AZR-000035
tags:
release: 'GA'
ruleSet: '2021_12'
@ -214,6 +226,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.AutoUpgrade
ref: AZR-000036
tags:
release: 'GA'
ruleSet: '2021_12'
@ -233,6 +246,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.PodIdentity
ref: AZR-000037
tags:
release: 'preview'
ruleSet: '2021_12'
@ -245,6 +259,88 @@ spec:
field: Properties.podIdentityProfile.enabled
equals: true
---
# Synopsis: Deploy AKS cluster with role-based access control (RBAC) enabled.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.UseRBAC
ref: AZR-000038
tags:
release: 'GA'
ruleSet: '2020_06'
spec:
type:
- Microsoft.ContainerService/managedClusters
condition:
field: Properties.enableRBAC
equals: true
---
# Synopsis: Azure Kubernetes Service (AKS) cluster names should meet naming requirements.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.Name
ref: AZR-000039
tags:
release: 'GA'
ruleSet: '2020_06'
spec:
type:
- Microsoft.ContainerService/managedClusters
condition:
allOf:
- name: '.'
greaterOrEquals: 1
- name: '.'
lessOrEquals: 63
# The name must contain between 1 to 63 characters inclusive.
# The name only allows alphanumerics, underscores, and hyphens and must start and end with alphanumeric.
- name: '.'
match: '^[A-Za-z0-9](-|\w)*[A-Za-z0-9]$'
---
# Synopsis: Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.DNSPrefix
ref: AZR-000040
tags:
release: 'GA'
ruleSet: '2020_06'
spec:
type:
- Microsoft.ContainerService/managedClusters
condition:
allOf:
- field: Properties.dnsPrefix
greaterOrEquals: 1
- field: Properties.dnsPrefix
lessOrEquals: 54
# The dnsPrefix must contain between 1 to 54 characters inclusive.
# The dnsPrefix only allows alphanumerics, and hyphens and must start and end with alphanumeric.
- field: Properties.dnsPrefix
match: '^[A-Za-z0-9]((-|[A-Za-z0-9]){0,}[A-Za-z0-9]){0,}$'
---
# Synopsis: Enable Container insights to monitor AKS cluster workloads.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AKS.ContainerInsights
ref: AZR-000041
tags:
release: 'GA'
ruleSet: '2021_09'
spec:
type:
- Microsoft.ContainerService/managedClusters
condition:
field: Properties.addonProfiles.omsAgent.enabled
equals: true
#endregion Rules
#region Selectors
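Review bot: The `Azure.AKS.Name` condition moved into YAML keeps the comment that a name may be 1 to 63 characters, but `match: '^[A-Za-z0-9](-|\w)*[A-Za-z0-9]$'` requires at least two characters because both anchored classes must each consume one, so a one-character cluster name fails this rule while passing `greaterOrEquals: 1`. The `Azure.AKS.DNSPrefix` pattern just below handles that case with an optional tail; the name pattern could take the same shape, `match: '^[A-Za-z0-9]((-|\w)*[A-Za-z0-9])?$'`. This was carried over from the PowerShell rule being removed rather than introduced here. Note also that `\w` matches Unicode letters and digits, which is wider than the "alphanumerics, underscores, and hyphens" the comment describes — probably acceptable, but worth confirming against the ARM naming rules.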


@ -5,31 +5,8 @@
# Validation rules for API Management
#
# Synopsis: Disable insecure protocols
Rule 'Azure.APIM.Protocols' -Type 'Microsoft.ApiManagement/service' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
$Assert.HasDefaultValue($TargetObject, 'properties.customProperties.''Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10''', 'False')
$Assert.HasDefaultValue($TargetObject, 'properties.customProperties.''Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11''', 'False')
$Assert.HasDefaultValue($TargetObject, 'properties.customProperties.''Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30''', 'False')
$Assert.HasDefaultValue($TargetObject, 'properties.customProperties.''Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10''', 'False')
$Assert.HasDefaultValue($TargetObject, 'properties.customProperties.''Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11''', 'False')
$Assert.HasDefaultValue($TargetObject, 'properties.customProperties.''Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30''', 'False')
}
# Synopsis: Disable insecure ciphers
Rule 'Azure.APIM.Ciphers' -Type 'Microsoft.ApiManagement/service' -Tag @{ release = 'GA'; ruleSet = '2022_03' } {
$Assert.HasDefaultValue($TargetObject, 'properties.customProperties.''Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168''', 'False')
$Assert.HasFieldValue($TargetObject, 'properties.customProperties.''Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA''', 'False')
$Assert.HasFieldValue($TargetObject, 'properties.customProperties.''Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA''', 'False')
$Assert.HasFieldValue($TargetObject, 'properties.customProperties.''Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256''', 'False')
$Assert.HasFieldValue($TargetObject, 'properties.customProperties.''Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA''', 'False')
$Assert.HasFieldValue($TargetObject, 'properties.customProperties.''Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256''', 'False')
$Assert.HasFieldValue($TargetObject, 'properties.customProperties.''Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA''', 'False')
$Assert.HasFieldValue($TargetObject, 'properties.customProperties.''Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256''', 'False')
}
# Synopsis: Use HTTPS APIs
Rule 'Azure.APIM.HTTPEndpoint' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/apis' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Rule 'Azure.APIM.HTTPEndpoint' -Ref 'AZR-000042' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/apis' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Reason 'http is in use'
if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') {
$apis = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/apis')
@ -46,7 +23,7 @@ Rule 'Azure.APIM.HTTPEndpoint' -Type 'Microsoft.ApiManagement/service', 'Microso
}
# Synopsis: APIs should have descriptors set
Rule 'Azure.APIM.APIDescriptors' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/apis' -Tag @{ release = 'GA'; ruleSet = '2020_09' } {
Rule 'Azure.APIM.APIDescriptors' -Ref 'AZR-000043' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/apis' -Tag @{ release = 'GA'; ruleSet = '2020_09' } {
$apis = @($TargetObject);
if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') {
$apis = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/apis');
@ -65,7 +42,7 @@ Rule 'Azure.APIM.APIDescriptors' -Type 'Microsoft.ApiManagement/service', 'Micro
}
# Synopsis: Use HTTPS backends
Rule 'Azure.APIM.HTTPBackend' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/backends', 'Microsoft.ApiManagement/service/apis' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Rule 'Azure.APIM.HTTPBackend' -Ref 'AZR-000044' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/backends', 'Microsoft.ApiManagement/service/apis' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') {
$backends = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/backends')
if ($backends.Length -eq 0) {
@ -99,7 +76,7 @@ Rule 'Azure.APIM.HTTPBackend' -Type 'Microsoft.ApiManagement/service', 'Microsof
}
# Synopsis: Encrypt all named values
Rule 'Azure.APIM.EncryptValues' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/properties', 'Microsoft.ApiManagement/service/namedValues' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Rule 'Azure.APIM.EncryptValues' -Ref 'AZR-000045' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/properties', 'Microsoft.ApiManagement/service/namedValues' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
$properties = @($TargetObject);
if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') {
$properties = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/properties', 'Microsoft.ApiManagement/service/namedValues');
@ -115,7 +92,7 @@ Rule 'Azure.APIM.EncryptValues' -Type 'Microsoft.ApiManagement/service', 'Micros
}
# Synopsis: Require subscription for products
Rule 'Azure.APIM.ProductSubscription' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Rule 'Azure.APIM.ProductSubscription' -Ref 'AZR-000046' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
$products = @($TargetObject);
if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') {
$products = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/products');
@ -131,7 +108,7 @@ Rule 'Azure.APIM.ProductSubscription' -Type 'Microsoft.ApiManagement/service', '
}
# Synopsis: Require approval for products
Rule 'Azure.APIM.ProductApproval' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Rule 'Azure.APIM.ProductApproval' -Ref 'AZR-000047' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
$products = @($TargetObject);
if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') {
$products = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/products');
@ -147,7 +124,7 @@ Rule 'Azure.APIM.ProductApproval' -Type 'Microsoft.ApiManagement/service', 'Micr
}
# Synopsis: Remove sample products
Rule 'Azure.APIM.SampleProducts' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Rule 'Azure.APIM.SampleProducts' -Ref 'AZR-000048' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
$products = @($TargetObject);
if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') {
$products = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/products');
@ -161,7 +138,7 @@ Rule 'Azure.APIM.SampleProducts' -Type 'Microsoft.ApiManagement/service', 'Micro
}
# Synopsis: Products should have descriptors set
Rule 'Azure.APIM.ProductDescriptors' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_09' } {
Rule 'Azure.APIM.ProductDescriptors' -Ref 'AZR-000049' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_09' } {
$products = @($TargetObject);
if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') {
$products = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/products');
@ -180,7 +157,7 @@ Rule 'Azure.APIM.ProductDescriptors' -Type 'Microsoft.ApiManagement/service', 'M
}
# Synopsis: Use product terms
Rule 'Azure.APIM.ProductTerms' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_09' } {
Rule 'Azure.APIM.ProductTerms' -Ref 'AZR-000050' -Type 'Microsoft.ApiManagement/service', 'Microsoft.ApiManagement/service/products' -Tag @{ release = 'GA'; ruleSet = '2020_09' } {
$products = @($TargetObject);
if ($PSRule.TargetType -eq 'Microsoft.ApiManagement/service') {
$products = @(GetSubResources -ResourceType 'Microsoft.ApiManagement/service/products');
@ -196,7 +173,7 @@ Rule 'Azure.APIM.ProductTerms' -Type 'Microsoft.ApiManagement/service', 'Microso
}
# Synopsis: Renew expired certificates
Rule 'Azure.APIM.CertificateExpiry' -Type 'Microsoft.ApiManagement/service' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Rule 'Azure.APIM.CertificateExpiry' -Ref 'AZR-000051' -Type 'Microsoft.ApiManagement/service' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
$configurations = @($TargetObject.Properties.hostnameConfigurations | Where-Object {
$Null -ne $_.certificate
})
@ -211,22 +188,8 @@ Rule 'Azure.APIM.CertificateExpiry' -Type 'Microsoft.ApiManagement/service' -Tag
}
} -Configure @{ Azure_MinimumCertificateLifetime = 30 }
# Synopsis: Use API Management service naming requirements
Rule 'Azure.APIM.Name' -Type 'Microsoft.ApiManagement/service' -Tag @{ release = 'GA'; ruleSet = '2020_09' } {
# https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftapimanagement
# Between 1 and 50 characters long
$Assert.GreaterOrEqual($PSRule, 'TargetName', 1);
$Assert.LessOrEqual($PSRule, 'TargetName', 50);
# Alphanumerics and hyphens
# Start with a letter
# End with letter or number
$Assert.Match($PSRule, 'TargetName', '^[a-zA-Z]([A-Za-z0-9-]*[a-zA-Z0-9]){0,49}$');
}
# Synopsis: API management services deployed with Premium SKU should use availability zones in supported regions for high availability.
Rule 'Azure.APIM.AvailabilityZone' -Type 'Microsoft.ApiManagement/service' -If { IsPremiumAPIM } -Tag @{ release = 'GA'; ruleSet = '2021_12' } {
Rule 'Azure.APIM.AvailabilityZone' -Ref 'AZR-000052' -Type 'Microsoft.ApiManagement/service' -If { IsPremiumAPIM } -Tag @{ release = 'GA'; ruleSet = '2021_12' } {
$apiManagementServiceProvider = [PSRule.Rules.Azure.Runtime.Helper]::GetResourceType('Microsoft.ApiManagement', 'service');
$configurationZoneMappings = $Configuration.AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST;


@ -13,6 +13,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.APIM.ManagedIdentity
ref: AZR-000053
tags:
release: GA
ruleSet: 2020_06
@ -26,4 +27,89 @@ spec:
- UserAssigned
- SystemAssigned, UserAssigned
---
# Synopsis: API Management should only accept a minimum of TLS 1.2.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.APIM.Protocols
ref: AZR-000054
tags:
release: 'GA'
ruleSet: '2020_06'
spec:
type:
- Microsoft.ApiManagement/service
condition:
allOf:
- field: properties.customProperties.'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10'
hasDefault: 'False'
- field: properties.customProperties.'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11'
hasDefault: 'False'
- field: properties.customProperties.'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30'
hasDefault: 'False'
- field: properties.customProperties.'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10'
hasDefault: 'False'
- field: properties.customProperties.'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11'
hasDefault: 'False'
- field: properties.customProperties.'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30'
hasDefault: 'False'
---
# Synopsis: API Management should not accept weak or deprecated ciphers.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.APIM.Ciphers
ref: AZR-000055
tags:
release: 'GA'
ruleSet: '2022_03'
spec:
type:
- Microsoft.ApiManagement/service
condition:
allOf:
- field: properties.customProperties.'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168'
hasDefault: 'False'
- field: properties.customProperties.'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA'
equals: 'False'
- field: properties.customProperties.'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA'
equals: 'False'
- field: properties.customProperties.'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256'
equals: 'False'
- field: properties.customProperties.'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA'
equals: 'False'
- field: properties.customProperties.'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256'
equals: 'False'
- field: properties.customProperties.'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'
equals: 'False'
- field: properties.customProperties.'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256'
equals: 'False'
---
# Synopsis: API Management service names should meet naming requirements.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.APIM.Name
ref: AZR-000056
tags:
release: 'GA'
ruleSet: '2020_09'
spec:
type:
- Microsoft.ApiManagement/service
condition:
allOf:
- name: '.'
greaterOrEquals: 1
- name: '.'
lessOrEquals: 50
# The name must contain between 1 to 63 characters inclusive.
# The name only allows alphanumerics, and hyphens.
# Must start with a letter and end with alphanumeric.
- name: '.'
match: '^[a-zA-Z]([A-Za-z0-9-]*[a-zA-Z0-9]){0,49}$'
#endregion Rules
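Review bot: The comment block inside the migrated `Azure.APIM.Name` rule near the end of the hunk says `The name must contain between 1 to 63 characters inclusive.`, but the conditions just above it enforce `lessOrEquals: 50` and the regex caps the tail at `{0,49}`, so the comment contradicts the check it documents; change it to `# The name must contain between 1 to 50 characters inclusive.`. Separately, in `Azure.APIM.Ciphers` the `TripleDes168` entry uses `hasDefault: 'False'` while every other cipher entry uses `equals: 'False'`, which means an absent 3DES property passes while an absent property for any other cipher fails. If that asymmetry is deliberate, a one-line comment above the entry stating why the service default is trusted for 3DES would stop the next reader from treating it as a typo.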


@ -13,6 +13,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AppConfig.SKU
ref: AZR-000057
tags:
release: 'GA'
ruleSet: '2020_12'
@ -29,6 +30,7 @@ apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AppConfig.Name
ref: AZR-000058
tags:
release: 'GA'
ruleSet: '2020_12'


@ -7,17 +7,6 @@
#region Application Gateway
# Synopsis: Application Gateway should use a minimum of two instances
Rule 'Azure.AppGw.MinInstance' -Type 'Microsoft.Network/applicationGateways' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
AnyOf {
# Applies to v1 and v2 without autoscale
$Assert.GreaterOrEqual($TargetObject, 'Properties.sku.capacity', 2);
# Applies to v2 with autoscale
$Assert.GreaterOrEqual($TargetObject, 'Properties.autoscaleConfiguration.minCapacity', 2);
}
}
# Synopsis: Application Gateway should use a minimum of Medium
Rule 'Azure.AppGw.MinSku' -Type 'Microsoft.Network/applicationGateways' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
Within 'Properties.sku.name' 'WAF_Medium', 'Standard_Medium', 'WAF_Large', 'Standard_Large', 'WAF_v2', 'Standard_v2'


@ -5,6 +5,34 @@
# Selectors for Application Gateways
#
#region Rules
---
# Synopsis: Application Gateways should use a minimum of two instances.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
name: Azure.AppGw.MinInstance
tags:
release: 'GA'
ruleSet: '2020_06'
spec:
type:
- Microsoft.Network/applicationGateways
condition:
anyOf:
# Applies to v1 and v2 without autoscale
- field: Properties.sku.capacity
greaterOrEquals: 2
# Applies to v2 with autoscale
- field: Properties.autoscaleConfiguration.minCapacity
greaterOrEquals: 2
#endregion Rules
#region Selectors
---
# Synopsis: Application Gateways with WAF enabled
apiVersion: github.com/microsoft/PSRule/v1
@ -20,3 +48,5 @@ spec:
- 'WAF_v2'
- field: Properties.webApplicationFirewallConfiguration.enabled
equals: true
#endregion Selectors
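Review bot: The `Azure.AppGw.MinInstance` rule added in the first hunk of this file carries no `ref:` under `metadata`, while the other YAML rules this commit touches (for example `Azure.APIM.Protocols` and `Azure.AppConfig.SKU`) gain one, and the same rule was just removed from the PowerShell file, so this migration is the natural place to assign its identifier. Adding `ref: AZR-<next unused id>` directly after `name: Azure.AppGw.MinInstance` keeps the new rule consistent with the rest of the set.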