Added binding reference #2995 (#2996)

* Added binding reference #2995 * Updated baseline metadata * Change log updates
2024-07-20 17:53:53 +10:00 · 2024-07-20 17:53:53 +10:00 · df2d5ef1af
--- a/docs/CHANGELOG-v1.md
+++ b/docs/CHANGELOG-v1.md
@ -29,10 +29,15 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers

 ## Unreleased

+What's changed since pre-release v1.39.0-B0009:
+
 - New rules:
  - Azure Kubernetes Service:
    - Verify that clusters have kube-audit logging disabled when not required by @BenjaminEngeset.
      [#2450](https://github.com/Azure/PSRule.Rules.Azure/issues/2450)
+- General improvements:
+  - Add binding configuration to policy as rules docs by @BernieWhite.
+    [#2995](https://github.com/Azure/PSRule.Rules.Azure/issues/2995)

 ## v1.39.0-B0009 (pre-release)

@ -4693,36 +4698,57 @@ What's changed since v1.8.0:
 What's changed since v1.7.0:

 - New features:
-  - Added `Azure.GA_2021_09` baseline. [#961](https://github.com/Azure/PSRule.Rules.Azure/issues/961)
+  - Added `Azure.GA_2021_09` baseline.
+    [#961](https://github.com/Azure/PSRule.Rules.Azure/issues/961)
    - Includes rules released before or during September 2021 for Azure GA features.
    - Marked baseline `Azure.GA_2021_06` as obsolete.
 - New rules:
  - Application Gateway:
-    - Check App Gateways should use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#928](https://github.com/Azure/PSRule.Rules.Azure/issues/928)
+    - Check App Gateways should use availability zones when available by @ArmaanMcleod.
+      [#928](https://github.com/Azure/PSRule.Rules.Azure/issues/928)
  - Azure Kubernetes Service:
-    - Check clusters have control plane audit logs enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#882](https://github.com/Azure/PSRule.Rules.Azure/issues/882)
-    - Check clusters have control plane diagnostics enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#922](https://github.com/Azure/PSRule.Rules.Azure/issues/922)
-    - Check clusters use Container Insights for monitoring workloads. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#881](https://github.com/Azure/PSRule.Rules.Azure/issues/881)
-    - Check clusters use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#880](https://github.com/Azure/PSRule.Rules.Azure/issues/880)
+    - Check clusters have control plane audit logs enabled by @ArmaanMcleod.
+      [#882](https://github.com/Azure/PSRule.Rules.Azure/issues/882)
+    - Check clusters have control plane diagnostics enabled by @ArmaanMcleod.
+      [#922](https://github.com/Azure/PSRule.Rules.Azure/issues/922)
+    - Check clusters use Container Insights for monitoring workloads by @ArmaanMcleod.
+      [#881](https://github.com/Azure/PSRule.Rules.Azure/issues/881)
+    - Check clusters use availability zones when available by @ArmaanMcleod.
+      [#880](https://github.com/Azure/PSRule.Rules.Azure/issues/880)
  - Cosmos DB:
-    - Check DB account names meet naming requirements. [#954](https://github.com/Azure/PSRule.Rules.Azure/issues/954)
-    - Check DB accounts use Azure AD identities for resource management operations. [#953](https://github.com/Azure/PSRule.Rules.Azure/issues/953)
+    - Check DB account names meet naming requirements.
+      [#954](https://github.com/Azure/PSRule.Rules.Azure/issues/954)
+    - Check DB accounts use Azure AD identities for resource management operations.
+      [#953](https://github.com/Azure/PSRule.Rules.Azure/issues/953)
  - Load Balancer:
-    - Check Load balancers are using Standard SKU. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#957](https://github.com/Azure/PSRule.Rules.Azure/issues/957)
-    - Check Load Balancers are configured with zone-redundancy. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#927](https://github.com/Azure/PSRule.Rules.Azure/issues/927)
+    - Check Load balancers are using Standard SKU by @ArmaanMcleod.
+      [#957](https://github.com/Azure/PSRule.Rules.Azure/issues/957)
+    - Check Load Balancers are configured with zone-redundancy by @ArmaanMcleod.
+      [#927](https://github.com/Azure/PSRule.Rules.Azure/issues/927)
 - Engineering:
-  - Bump PSRule dependency to v1.7.2. [#951](https://github.com/Azure/PSRule.Rules.Azure/issues/951)
-  - Automated update of availability zone information in providers.json. [#907](https://github.com/Azure/PSRule.Rules.Azure/issues/907)
-  - Increased test coverage of rule reasons. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#960](https://github.com/Azure/PSRule.Rules.Azure/issues/960)
+  - Bump PSRule dependency to v1.7.2.
+    [#951](https://github.com/Azure/PSRule.Rules.Azure/issues/951)
+  - Automated update of availability zone information in providers.json.
+    [#907](https://github.com/Azure/PSRule.Rules.Azure/issues/907)
+  - Increased test coverage of rule reasons by @ArmaanMcleod.
+    [#960](https://github.com/Azure/PSRule.Rules.Azure/issues/960)
 - Bug fixes:
-  - Fixed export of in-flight AKS related subnets for kubenet clusters. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#920](https://github.com/Azure/PSRule.Rules.Azure/issues/920)
-  - Fixed plan instance count is not applicable to Elastic Premium plans. [#946](https://github.com/Azure/PSRule.Rules.Azure/issues/946)
-  - Fixed minimum App Service Plan fails Elastic Premium plans. [#945](https://github.com/Azure/PSRule.Rules.Azure/issues/945)
-  - Fixed App Service Plan should include PremiumV3 plan. [#944](https://github.com/Azure/PSRule.Rules.Azure/issues/944)
-  - Fixed Azure.VM.NICAttached with private endpoints. [#932](https://github.com/Azure/PSRule.Rules.Azure/issues/932)
-  - Fixed Bicep CLI fails with unexpected end of content. [#889](https://github.com/Azure/PSRule.Rules.Azure/issues/889)
-  - Fixed incomplete reason message for `Azure.Storage.MinTLS`. [#971](https://github.com/Azure/PSRule.Rules.Azure/issues/971)
-  - Fixed false positive of `Azure.Storage.UseReplication` with large file storage. [#965](https://github.com/Azure/PSRule.Rules.Azure/issues/965)
+  - Fixed export of in-flight AKS related subnets for kubenet clusters by @ArmaanMcleod.
+    [#920](https://github.com/Azure/PSRule.Rules.Azure/issues/920)
+  - Fixed plan instance count is not applicable to Elastic Premium plans.
+    [#946](https://github.com/Azure/PSRule.Rules.Azure/issues/946)
+  - Fixed minimum App Service Plan fails Elastic Premium plans.
+    [#945](https://github.com/Azure/PSRule.Rules.Azure/issues/945)
+  - Fixed App Service Plan should include PremiumV3 plan.
+    [#944](https://github.com/Azure/PSRule.Rules.Azure/issues/944)
+  - Fixed Azure.VM.NICAttached with private endpoints.
+    [#932](https://github.com/Azure/PSRule.Rules.Azure/issues/932)
+  - Fixed Bicep CLI fails with unexpected end of content.
+    [#889](https://github.com/Azure/PSRule.Rules.Azure/issues/889)
+  - Fixed incomplete reason message for `Azure.Storage.MinTLS`.
+    [#971](https://github.com/Azure/PSRule.Rules.Azure/issues/971)
+  - Fixed false positive of `Azure.Storage.UseReplication` with large file storage.
+    [#965](https://github.com/Azure/PSRule.Rules.Azure/issues/965)

 What's changed since pre-release v1.8.0-B2109060:

@ -4734,25 +4760,32 @@ What's changed since pre-release v1.8.0-B2109060:

 - New rules:
  - Load Balancer:
-    - Check Load balancers are using Standard SKU. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#957](https://github.com/Azure/PSRule.Rules.Azure/issues/957)
+    - Check Load balancers are using Standard SKU. by @ArmaanMcleod.
+      [#957](https://github.com/Azure/PSRule.Rules.Azure/issues/957)
 - Engineering:
-  - Increased test coverage of rule reasons. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#960](https://github.com/Azure/PSRule.Rules.Azure/issues/960)
+  - Increased test coverage of rule reasons. by @ArmaanMcleod.
+    [#960](https://github.com/Azure/PSRule.Rules.Azure/issues/960)
 - Bug fixes:
-  - Fixed Bicep CLI fails with unexpected end of content. [#889](https://github.com/Azure/PSRule.Rules.Azure/issues/889)
-  - Fixed incomplete reason message for `Azure.Storage.MinTLS`. [#971](https://github.com/Azure/PSRule.Rules.Azure/issues/971)
-  - Fixed false positive of `Azure.Storage.UseReplication` with large file storage. [#965](https://github.com/Azure/PSRule.Rules.Azure/issues/965)
+  - Fixed Bicep CLI fails with unexpected end of content.
+    [#889](https://github.com/Azure/PSRule.Rules.Azure/issues/889)
+  - Fixed incomplete reason message for `Azure.Storage.MinTLS`.
+    [#971](https://github.com/Azure/PSRule.Rules.Azure/issues/971)
+  - Fixed false positive of `Azure.Storage.UseReplication` with large file storage.
+    [#965](https://github.com/Azure/PSRule.Rules.Azure/issues/965)

 ## v1.8.0-B2109060 (pre-release)

 What's changed since pre-release v1.8.0-B2109046:

 - New features:
-  - Added `Azure.GA_2021_09` baseline. [#961](https://github.com/Azure/PSRule.Rules.Azure/issues/961)
+  - Added `Azure.GA_2021_09` baseline.
+    [#961](https://github.com/Azure/PSRule.Rules.Azure/issues/961)
    - Includes rules released before or during September 2021 for Azure GA features.
    - Marked baseline `Azure.GA_2021_06` as obsolete.
 - New rules:
  - Load Balancer:
-    - Check Load Balancers are configured with zone-redundancy. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#927](https://github.com/Azure/PSRule.Rules.Azure/issues/927)
+    - Check Load Balancers are configured with zone-redundancy by @ArmaanMcleod.
+      [#927](https://github.com/Azure/PSRule.Rules.Azure/issues/927)

 ## v1.8.0-B2109046 (pre-release)

@ -4760,17 +4793,25 @@ What's changed since pre-release v1.8.0-B2109020:

 - New rules:
  - Application Gateway:
-    - Check App Gateways should use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#928](https://github.com/Azure/PSRule.Rules.Azure/issues/928)
+    - Check App Gateways should use availability zones when available by @ArmaanMcleod
+      [#928](https://github.com/Azure/PSRule.Rules.Azure/issues/928)
  - Cosmos DB:
-    - Check DB account names meet naming requirements. [#954](https://github.com/Azure/PSRule.Rules.Azure/issues/954)
-    - Check DB accounts use Azure AD identities for resource management operations. [#953](https://github.com/Azure/PSRule.Rules.Azure/issues/953)
+    - Check DB account names meet naming requirements.
+      [#954](https://github.com/Azure/PSRule.Rules.Azure/issues/954)
+    - Check DB accounts use Azure AD identities for resource management operations.
+      [#953](https://github.com/Azure/PSRule.Rules.Azure/issues/953)
 - Bug fixes:
-  - Fixed plan instance count is not applicable to Elastic Premium plans. [#946](https://github.com/Azure/PSRule.Rules.Azure/issues/946)
-  - Fixed minimum App Service Plan fails Elastic Premium plans. [#945](https://github.com/Azure/PSRule.Rules.Azure/issues/945)
-  - Fixed App Service Plan should include PremiumV3 plan. [#944](https://github.com/Azure/PSRule.Rules.Azure/issues/944)
-  - Fixed Azure.VM.NICAttached with private endpoints. [#932](https://github.com/Azure/PSRule.Rules.Azure/issues/932)
+  - Fixed plan instance count is not applicable to Elastic Premium plans.
+    [#946](https://github.com/Azure/PSRule.Rules.Azure/issues/946)
+  - Fixed minimum App Service Plan fails Elastic Premium plans.
+    [#945](https://github.com/Azure/PSRule.Rules.Azure/issues/945)
+  - Fixed App Service Plan should include PremiumV3 plan.
+    [#944](https://github.com/Azure/PSRule.Rules.Azure/issues/944)
+  - Fixed Azure.VM.NICAttached with private endpoints.
+    [#932](https://github.com/Azure/PSRule.Rules.Azure/issues/932)
 - Engineering:
-  - Bump PSRule dependency to v1.7.2. [#951](https://github.com/Azure/PSRule.Rules.Azure/issues/951)
+  - Bump PSRule dependency to v1.7.2.
+    [#951](https://github.com/Azure/PSRule.Rules.Azure/issues/951)

 ## v1.8.0-B2109020 (pre-release)

@ -4778,10 +4819,13 @@ What's changed since pre-release v1.8.0-B2108026:

 - New rules:
  - Azure Kubernetes Service:
-    - Check clusters have control plane audit logs enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#882](https://github.com/Azure/PSRule.Rules.Azure/issues/882)
-    - Check clusters have control plane diagnostics enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#922](https://github.com/Azure/PSRule.Rules.Azure/issues/922)
+    - Check clusters have control plane audit logs enabled by @ArmaanMcleod.
+      [#882](https://github.com/Azure/PSRule.Rules.Azure/issues/882)
+    - Check clusters have control plane diagnostics enabled by @ArmaanMcleod.
+      [#922](https://github.com/Azure/PSRule.Rules.Azure/issues/922)
 - Engineering:
-  - Bump PSRule dependency to v1.7.0. [#938](https://github.com/Azure/PSRule.Rules.Azure/issues/938)
+  - Bump PSRule dependency to v1.7.0.
+    [#938](https://github.com/Azure/PSRule.Rules.Azure/issues/938)

 ## v1.8.0-B2108026 (pre-release)

@ -4789,9 +4833,11 @@ What's changed since pre-release v1.8.0-B2108013:

 - New rules:
  - Azure Kubernetes Service:
-    - Check clusters use Container Insights for monitoring workloads. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#881](https://github.com/Azure/PSRule.Rules.Azure/issues/881)
+    - Check clusters use Container Insights for monitoring workloads by @ArmaanMcleod.
+      [#881](https://github.com/Azure/PSRule.Rules.Azure/issues/881)
 - Bug fixes:
-  - Fixed export of in-flight AKS related subnets for kubenet clusters. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#920](https://github.com/Azure/PSRule.Rules.Azure/issues/920)
+  - Fixed export of in-flight AKS related subnets for kubenet clusters by @ArmaanMcleod.
+    [#920](https://github.com/Azure/PSRule.Rules.Azure/issues/920)

 ## v1.8.0-B2108013 (pre-release)

@ -4799,10 +4845,13 @@ What's changed since v1.7.0:

 - New rules:
  - Azure Kubernetes Service:
-    - Check clusters use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#880](https://github.com/Azure/PSRule.Rules.Azure/issues/880)
+    - Check clusters use availability zones when available by @ArmaanMcleod.
+      [#880](https://github.com/Azure/PSRule.Rules.Azure/issues/880)
 - Engineering:
-  - Bump PSRule dependency to v1.6.1. [#913](https://github.com/Azure/PSRule.Rules.Azure/issues/913)
-  - Automated update of availability zone information in providers.json. [#907](https://github.com/Azure/PSRule.Rules.Azure/issues/907)
+  - Bump PSRule dependency to v1.6.1.
+    [#913](https://github.com/Azure/PSRule.Rules.Azure/issues/913)
+  - Automated update of availability zone information in providers.json.
+    [#907](https://github.com/Azure/PSRule.Rules.Azure/issues/907)

 ## v1.7.0

@ -4818,8 +4867,8 @@ What's changed since v1.6.0:
    - Check template parameters set a value. [#896](https://github.com/Azure/PSRule.Rules.Azure/issues/896)
    - Check template parameters use a valid secret reference. [#897](https://github.com/Azure/PSRule.Rules.Azure/issues/897)
  - Azure Kubernetes Service:
-    - Check clusters using Azure CNI should use large subnets. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#273](https://github.com/Azure/PSRule.Rules.Azure/issues/273)
-    - Check clusters use auto-scale node pools. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#218](https://github.com/Azure/PSRule.Rules.Azure/issues/218)
+    - Check clusters using Azure CNI should use large subnets by @ArmaanMcleod. [#273](https://github.com/Azure/PSRule.Rules.Azure/issues/273)
+    - Check clusters use auto-scale node pools by @ArmaanMcleod. [#218](https://github.com/Azure/PSRule.Rules.Azure/issues/218)
      - By default, a minimum of a `/23` subnet is required.
      - Configure `AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE` to change the default minimum subnet size.
  - Storage Account:
@ -4871,7 +4920,7 @@ What's changed since pre-release v1.7.0-B2108020:
    - Check template parameter files use metadata links. [#846](https://github.com/Azure/PSRule.Rules.Azure/issues/846)
      - Configure the `AZURE_PARAMETER_FILE_METADATA_LINK` option to enable this rule.
  - Azure Kubernetes Service:
-    - Check clusters using Azure CNI should use large subnets. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#273](https://github.com/Azure/PSRule.Rules.Azure/issues/273)
+    - Check clusters using Azure CNI should use large subnets by @ArmaanMcleod. [#273](https://github.com/Azure/PSRule.Rules.Azure/issues/273)
      - By default, a minimum of a `/23` subnet is required.
      - Configure `AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE` to change the default minimum subnet size.
  - Storage Account:
@ -4883,7 +4932,7 @@ What's changed since v1.6.0:

 - New rules:
  - Azure Kubernetes Service:
-    - Check clusters use auto-scale node pools. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#218](https://github.com/Azure/PSRule.Rules.Azure/issues/218)
+    - Check clusters use auto-scale node pools by @ArmaanMcleod. [#218](https://github.com/Azure/PSRule.Rules.Azure/issues/218)
 - Updated rules:
  - Virtual Network:
    - Excluded `AzureFirewallManagementSubnet` from `Azure.VNET.UseNSGs`. [#869](https://github.com/Azure/PSRule.Rules.Azure/issues/869)
@ -4895,35 +4944,45 @@ What's changed since v1.6.0:
 What's changed since v1.5.1:

 - New features:
-  - **Experimental:** Added support for expansion from Bicep source files. [#848](https://github.com/Azure/PSRule.Rules.Azure/issues/848) [#670](https://github.com/Azure/PSRule.Rules.Azure/issues/670) [#858](https://github.com/Azure/PSRule.Rules.Azure/issues/858)
+  - **Experimental:** Added support for expansion from Bicep source files.
+    [#848](https://github.com/Azure/PSRule.Rules.Azure/issues/848)
+    [#670](https://github.com/Azure/PSRule.Rules.Azure/issues/670)
+    [#858](https://github.com/Azure/PSRule.Rules.Azure/issues/858)
    - Bicep support is currently experimental.
    - To opt-in set the `AZURE_BICEP_FILE_EXPANSION` configuration to `true`.
    - For more information see [Using Bicep](https://azure.github.io/PSRule.Rules.Azure/using-bicep/).
 - New rules:
  - Application Gateways:
-    - Check Application Gateways publish endpoints by HTTPS. [#841](https://github.com/Azure/PSRule.Rules.Azure/issues/841)
+    - Check Application Gateways publish endpoints by HTTPS.
+      [#841](https://github.com/Azure/PSRule.Rules.Azure/issues/841)
 - Engineering:
-  - Bump PSRule dependency to v1.5.0. [#832](https://github.com/Azure/PSRule.Rules.Azure/issues/832)
-  - Migration of Pester v4 tests to Pester v5. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#395](https://github.com/Azure/PSRule.Rules.Azure/issues/395)
+  - Bump PSRule dependency to v1.5.0.
+    [#832](https://github.com/Azure/PSRule.Rules.Azure/issues/832)
+  - Migration of Pester v4 tests to Pester v5 by @ArmaanMcleod.
+    [#395](https://github.com/Azure/PSRule.Rules.Azure/issues/395)

 What's changed since pre-release v1.6.0-B2108038:

 - Bug fixes:
-  - Fixed Bicep expand creates deadlock and times out. [#863](https://github.com/Azure/PSRule.Rules.Azure/issues/863)
+  - Fixed Bicep expand creates deadlock and times out.
+    [#863](https://github.com/Azure/PSRule.Rules.Azure/issues/863)

 ## v1.6.0-B2108038 (pre-release)

 What's changed since pre-release v1.6.0-B2108023:

 - Bug fixes:
-  - Fixed Bicep expand hangs analysis. [#858](https://github.com/Azure/PSRule.Rules.Azure/issues/858)
+  - Fixed Bicep expand hangs analysis.
+    [#858](https://github.com/Azure/PSRule.Rules.Azure/issues/858)

 ## v1.6.0-B2108023 (pre-release)

 What's changed since pre-release v1.6.0-B2107028:

 - New features:
-  - **Experimental:** Added support for expansion from Bicep source files. [#848](https://github.com/Azure/PSRule.Rules.Azure/issues/848) [#670](https://github.com/Azure/PSRule.Rules.Azure/issues/670)
+  - **Experimental:** Added support for expansion from Bicep source files.
+    [#848](https://github.com/Azure/PSRule.Rules.Azure/issues/848)
+    [#670](https://github.com/Azure/PSRule.Rules.Azure/issues/670)
    - Bicep support is currently experimental.
    - To opt-in set the `AZURE_BICEP_FILE_EXPANSION` configuration to `true`.
    - For more information see [Using Bicep](https://azure.github.io/PSRule.Rules.Azure/using-bicep/).
--- a/docs/concepts/policy-as-rules.md
+++ b/docs/concepts/policy-as-rules.md
@ -86,6 +86,29 @@ For example:
 Export-AzPolicyAssignmentRuleData -AssignmentFile '.\<subscriptionId>.assignment.json'
 ```

+## Running policy rules
+
+Rules and an initial baseline are generated in a file ending in `.Rule.jsonc`.
+This file extension and format are automatically detected by PSRule when it is run from an included source path.
+To start using the policy rules, copy the file to the default include sub-directory (`.ps-rule/`) in the root of your repository.
+
+Additionally, the following setup is required to scan Infrastructure as Code (IaC):
+
+1. Set a binding configuration.
+2. Configure expansion for processing Bicep or ARM templates.
+3. Include the `PSRule.Rules.Azure` module.
+4. Optionally specify a baseline to limit the rules evaluated to policy rules.
+
+### Generated baseline
+
+<!-- module:version v1.33.0 -->
+
+When exporting policies, PSRule for Azure will automatically generate a baseline including any generated rules.
+By default, this baseline is called `Azure.PolicyBaseline.All`.
+If you change the prefix of generated rules the baseline will be named `<Prefix>.PolicyBaseline.All`.
+
+See [Using baselines](../working-with-baselines.md#using-baselines) for examples on how to use a baseline in a run.
+
 ## Customizing the generated rules

 PSRule for Azure allows you to:
@ -108,16 +131,6 @@ configuration:
  - /providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0
 ```

-## Generated baseline
-
-<!-- module:version v1.33.0 -->
-
-When exporting policies, PSRule for Azure will automatically generate a baseline including any generated rules.
-By default, this baseline is called `Azure.PolicyBaseline.All`.
-If you change the prefix of generated rules the baseline will be named `<Prefix>.PolicyBaseline.All`.
-
-See [Using baselines](../working-with-baselines.md#using-baselines) for examples on how to use a baseline in a run.
-
 ## Duplicate policies

 <!-- module:version v1.33.0 -->
@ -143,3 +156,9 @@ This allows you to:
 - Reduce noise reporting the same issue multiple times.

 To override this behavior use the `-KeepDuplicates` parameter switch when running `Export-AzPolicyAssignmentRuleData`.
+
+## Recommended content
+
+- [Using custom rules](../customization/using-custom-rules.md)
+- [Creating your pipeline](../creating-your-pipeline.md)
+- [Working with baselines](../working-with-baselines.md)
--- a/docs/customization/enforce-codeowners.md
+++ b/docs/customization/enforce-codeowners.md
@ -60,9 +60,9 @@ Some key points to call out with the rule snippet include:
  PSRule for Azure exposes a `Template` and `Parameter` source for resources originating from a template.

 !!! Tip
-    For recommendations on naming and storing rules see [storing custom rules][3].
+    For recommendations on naming and storing rules see [using custom rules][3].

-  [3]: storing-custom-rules.md
+  [3]: using-custom-rules.md

 ## Binding type

@ -78,8 +78,8 @@ To configure type binding:
 # Configure binding options
 binding:
  targetType:
-  - 'resourceType'
-  - 'type'
+    - 'resourceType'
+    - 'type'
 ```

 Some key points to call out include:
--- a/docs/customization/enforce-custom-tags.md
+++ b/docs/customization/enforce-custom-tags.md
@ -43,9 +43,9 @@ Some key points to call out with the rule snippet include:
 - The automatic variable `$TargetObject` automatically exposes the current resource being processed.

 !!! Tip
-    For recommendations on naming and storing rules see [storing custom rules][1].
+    For recommendations on naming and storing rules see [using custom rules][1].

-  [1]: storing-custom-rules.md
+  [1]: using-custom-rules.md

 ## Adding mandatory tags

@ -147,12 +147,12 @@ To configure type binding:
 - Create/ update the `ps-rule.yaml` file within the root of the repository.
 - Add the following configuration snippet.

-```yaml
+```yaml title="ps-rule.yaml"
 # Configure binding options
 binding:
  targetType:
-  - 'resourceType'
-  - 'type'
+    - 'resourceType'
+    - 'type'
 ```

 Some key points to call out include:
--- a/docs/customization/storing-custom-rules.md
+++ b/docs/customization/storing-custom-rules.md
@ -1,62 +0,0 @@
---
-author: BernieWhite
---
-
-# Storing custom rules
-
-PSRule for Azure covers common use cases that align to the [Microsoft Azure Well-Architected Framework (WAF)][1].
-In addition to WAF alignment you may have a requirement to enforce organization specific rules.
-
-For example:
-
- Required tags on a resource group.
- Code ownership for sensitive resource types.
-
-PSRule allows custom rules to be layered on.
-These custom rules work side-by-side with PSRule for Azure.
-
-  [1]: https://learn.microsoft.com/azure/well-architected/
-
-## Using a standard file path
-
-Rules can be standalone or packaged within a module.
-Standalone rules are ideal for a single project such as an Infrastructure as Code (IaC) repository.
-To reuse rules across multiple projects consider packaging these as a module.
-
-The instructions for packaging rules in a module can be found here:
-
- [Packaging rules in a module][2]
-
-To store standalone rules we recommend that you:
-
- **Use .ps-rule/** &mdash; Create a sub-directory called `.ps-rule` in the root of your repository.
-  Use all lower-case in the sub-directory name.
-  Put any custom rules within this sub-directory.
- **Use files ending with .Rule.ps1** &mdash; PSRule uses a file naming convention to discover rules.
-  We recommend using a file name that ends in `.Rule.ps1`.
-
-!!! note
-    Build pipelines are often case-sensitive or run on Linux-based systems.
-    Using the casing rule above reduces confusion latter when you configure continuous integration (CI).
-
-  [2]: https://microsoft.github.io/PSRule/stable/authoring/packaging-rules/
-
-## Naming rules
-
-When running PSRule, rule names must be unique.
-PSRule for Azure uses the name prefix of `Azure.` on all rules and resources included in the module.
-
-!!! example
-    The following names are examples of rules included within PSRule for Azure:
-
-    - `Azure.AKS.Version`
-    - `Azure.AKS.AuthorizedIPs`
-    - `Azure.SQL.MinTLS`
-
-When naming custom rules we recommend that you:
-
- **Use a standard prefix** &mdash; You can use the `Local.` or `Org.` prefix for standalone rules.
-  - Alternatively choose a short prefix that identifies your organization.
- **Use dotted notation** &mdash; Use dots to separate rule name.
- **Use a maximum length of 35 characters** &mdash; The default view of `Invoke-PSRule` truncates longer names.
-  PSRule supports longer rule names however if `Invoke-PSRule` is called directly consider using `Format-List`.
--- a/docs/customization/using-custom-rules.md
+++ b/docs/customization/using-custom-rules.md
@ -0,0 +1,131 @@
+---
+description: This topic covers how you can use custom rules to test Azure Infrastructure as Code.
+author: BernieWhite
+---
+
+# Using custom rules
+
+PSRule for Azure covers common use cases that align to the [Microsoft Azure Well-Architected Framework (WAF)][1].
+In addition to WAF alignment you may have a requirement to enforce organization specific rules.
+
+For example:
+
+- Required tags on a resource group.
+- Code ownership for sensitive resource types.
+- Apply similar controls to Infrastructure as Code that are deployed via Azure Policies.
+
+PSRule allows custom rules to be layered on.
+These custom rules work side-by-side with PSRule for Azure.
+
+  [1]: https://learn.microsoft.com/azure/well-architected/
+
+!!! Abstract
+    This topic covers how you can use custom rules to test Azure Infrastructure as Code (IaC).
+
+## Requirements
+
+For custom rules to work with IaC the following requirements must be configured:
+
+1. Set a binding configuration.
+2. Configure expansion for processing Bicep or ARM templates.
+3. Include the `PSRule.Rules.Azure` module.
+
+### Set binding configuration
+
+Rules packaged within PSRule for Azure will automatically detect Azure resources by their type properties.
+Standalone rules will get their type binding configuration from `ps-rule.yaml` instead.
+When binding is not configured, custom rules will typically be ignored.
+
+To configure type binding:
+
+- Create/ update the `ps-rule.yaml` file within the root of the repository.
+- Add the following configuration snippet.
+
+```yaml title="ps-rule.yaml"
+# Configure binding options
+binding:
+  targetType:
+    - 'resourceType'
+    - 'type'
+```
+
+### Configuring expansion
+
+PSRule for Azure performs [expansion][2] on Bicep and ARM template files it finds in your repository.
+Enabling expansion is required for testing any IaC in your repository.
+The requirements for custom rules are no different then using the built-in rules included within PSRule for Azure.
+
+To configure expansion see either:
+
+- [Using Bicep source](../using-bicep.md)
+- [Using templates](../using-templates.md)
+
+  [2]: ../faq.md#what-is-expansion
+
+### Including PSRule for Azure
+
+When creating custom rules to test Azure IaC including PSRule for Azure is required for most scenarios.
+PSRule for Azure performs [expansion][2] on Bicep and ARM template files it finds in your repository.
+
+You can include PSRule for Azure by specifying `PSRule.Rules.Azure` in one of the following:
+
+- **Pipeline** &mdash; The `modules:` parameter in [GitHub Actions or Azure Pipelines][3].
+- **PowerShell** &mdash; The `-Module` parameter with the [PowerShell cmdlets][4].
+- **Options** &mdash; - The `Include.Module` [option][5].
+
+  [3]: ../creating-your-pipeline.md
+  [4]: ../creating-your-pipeline.md
+  [5]: https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Options/#includemodule
+
+## Using a standard file path
+
+Rules can be standalone or packaged within a module.
+Standalone rules are ideal for a single project such as an Infrastructure as Code (IaC) repository.
+To reuse rules across multiple projects consider packaging these as a module.
+
+The instructions for packaging rules in a module can be found here:
+
+- [Packaging rules in a module][6]
+
+To store standalone rules we recommend that you:
+
+- **Use .ps-rule/** &mdash; Create a sub-directory called `.ps-rule` in the root of your repository.
+  Use all lower-case in the sub-directory name.
+  Put any custom rules within this sub-directory.
+- **Use files ending with .Rule.ps1 | .Rule.yaml | .Rule.jsonc** &mdash;
+  PSRule uses a file naming convention to discover rules.
+  We recommend using a file name that ends in `.Rule.ps1` or `.Rule.yaml` or `.Rule.jsonc`.
+
+!!! note
+    Build pipelines are often case-sensitive or run on Linux-based systems.
+    Using the casing rule above reduces confusion latter when you configure continuous integration (CI).
+
+  [6]: https://microsoft.github.io/PSRule/stable/authoring/packaging-rules/
+
+## Naming rules
+
+When running PSRule, rule names must be unique.
+PSRule for Azure uses the name prefix of `Azure.` on all rules and resources included in the module.
+
+!!! example
+    The following names are examples of rules included within PSRule for Azure:
+
+    - `Azure.AKS.Version`
+    - `Azure.AKS.AuthorizedIPs`
+    - `Azure.SQL.MinTLS`
+
+When naming custom rules we recommend that you:
+
+- **Use a standard prefix** &mdash; You can use the `Local.` or `Org.` prefix for standalone rules.
+  - Alternatively choose a short prefix that identifies your organization.
+- **Use dotted notation** &mdash; Use dots to separate rule name.
+- **Use a maximum length of 35 characters** &mdash; The default view of `Invoke-PSRule` truncates longer names.
+  PSRule supports longer rule names however if `Invoke-PSRule` is called directly consider using `Format-List`.
+
+## Related content
+
+- [Using Bicep source](using-bicep.md)
+- [Using templates](using-templates.md)
+- [Creating your pipeline](creating-your-pipeline.md)
+
+*[IaC]: Azure Resource Manager
--- a/docs/expanding-source-files.md
+++ b/docs/expanding-source-files.md
@ -179,6 +179,12 @@ properties:

 To override, configure [`AZURE_MANAGEMENT_GROUP`](setup/configuring-expansion.md#deployment-management-group).

+## Related content
+
+- [Using Bicep source](using-bicep.md)
+- [Using templates](using-templates.md)
+- [Creating your pipeline](creating-your-pipeline.md)
+
 *[WAF]: Well-Architected Framework
 *[ARM]: Azure Resource Manager
 *[PR]: Pull Request
--- a/docs/faq.md
+++ b/docs/faq.md
@ -26,9 +26,12 @@ For general FAQ see [PSRule - Frequently Asked Questions (FAQ)][ps-rule-faq], in
 ## What is a rule?

 A rule is a named set of checks and documentation.
+Each rule is tests a specific aspect of an Azure resource or deployment to determine if
+it is aligned with the [Microsoft Azure Well-Architected Framework][AWAF].
 You can find the documentation for each rule under [reference][1].

  [1]: en/rules/module.md
+  [AWAF]: https://learn.microsoft.com/azure/architecture/framework/

 ## What is a baseline?

@ -40,9 +43,22 @@ Continue reading [working with baselines][2] for a detailed breakdown.

  [2]: working-with-baselines.md

+## What is expansion?
+
+Expansion is a feature of PSRule for Azure that converts Azure Infrastructure as Code (IaC) to a testable Azure resource.
+IaC format such as Bicep and ARM templates, support dynamic capabilities such parameters, variables, and conditions...
+These dynamic capabilities allow customers to create modular reusable code that can scale across an organization.
+However, to determine if a specific Azure resource meets the requirements of an organization the final state must be known.
+
+Expansion resolves these dynamic capabilities so that a final state for each resource can be tested by rules.
+Noting the final expanded state provided by PSRule for Azure is a close approximation.
+This close approximation allows testing of Azure resources offline directly from code before deployment to Azure.
+
+Continue reading [Expanding source files](expanding-source-files.md).
+
 ## Is Terraform supported?

-Currently PSRule for Azure supports testing Azure resources from Infrastructure as Code (IaC) with:
+Currently PSRule for Azure supports testing Azure resources from IaC with:

 - Azure Resource Manager (ARM) templates.
 - Azure Bicep deployments.
@ -89,8 +105,6 @@ You may want to use PSRule to enforce tagging or something similar early in a De

 We have a walk through scenario [Enforcing custom tags][9] to get you started.

-  [AWAF]: https://learn.microsoft.com/azure/architecture/framework/
-
 ## How do I create a custom rule to enforce code ownership?

 GitHub, Azure DevOps, and other DevOps platforms may implement code ownership.
--- a/docs/troubleshooting.md
+++ b/docs/troubleshooting.md
@ -140,7 +140,7 @@ There is a few common causes of this issue including:
    You may be able to use `git mv` to change the case of a file if it is committed to the repository incorrectly.

  [5]: https://aka.ms/ps-rule/naming
-  [6]: customization/enforce-custom-tags.md#binding-type
+  [6]: customization/using-custom-rules.md#set-binding-configuration
  [12]: working-with-baselines.md#quarterly-baseline
  [13]: https://aka.ms/ps-rule/options#ruleincludelocal
  [14]: working-with-baselines.md#including-custom-rules
--- a/docs/working-with-baselines.md
+++ b/docs/working-with-baselines.md
@ -8,7 +8,7 @@ A baseline is a standard PSRule artifact that combines rules and configuration.
 PSRule for Azure provides several baselines that can be referenced when running PSRule.

 !!! Abstract
-    This topic covers how to use the baselines shipped with PSRule for Azure.
+    This topic covers how to use standard baselines shipped with PSRule for Azure or custom baselines you define.

 ## Quarterly baselines

--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -67,7 +67,7 @@ nav:
      - Suppression: concepts/suppression.md
      - Policy as rules: concepts/policy-as-rules.md
    - Customization:
-      - Storing custom rules: customization/storing-custom-rules.md
+      - Using custom rules: customization/using-custom-rules.md
      - Enforcing custom tags: customization/enforce-custom-tags.md
      - Enforcing code ownership: customization/enforce-codeowners.md
      - Permit outbound management: customization/permit-outbound-management.md
@ -148,7 +148,8 @@ plugins:
      install-instructions.md: install.md
      validating-locally.md: install.md
      using-metadata.md: using-templates.md
-      customization/index.md: customization/storing-custom-rules.md
+      customization/index.md: customization/using-custom-rules.md
+      customization/storing-custom-rules.md: customization/using-custom-rules.md
      en/asb-v3.md: en/mcsb-v1.md
      setup/configuring-options.md: setup/index.md

--- a/src/PSRule.Rules.Azure/rules/Baseline.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Baseline.Rule.yaml
@ -6,7 +6,7 @@
 #

 ---
-# Synopsis: Default baseline for Azure rules.
+# Synopsis: Default baseline for that includes the latest rules for Azure GA features that is updated each release.
 apiVersion: github.com/microsoft/PSRule/v1
 kind: Baseline
 metadata:
@ -17,7 +17,7 @@ spec:
      release: GA

 ---
-# Synopsis: Includes rules for Azure GA and preview features.
+# Synopsis: Includes the latest rules for Azure GA and preview features that is updated each release.
 apiVersion: github.com/microsoft/PSRule/v1
 kind: Baseline
 metadata:
--- a/src/PSRule.Rules.Azure/rules/MCSB.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/MCSB.Rule.yaml
@ -6,7 +6,7 @@
 #

 ---
-# Synopsis: Microsoft Cloud Security Benchmark v1.
+# Synopsis: Rules for GA Azure features that align to the Microsoft Cloud Security Benchmark v1. This baseline is updated each release.
 apiVersion: github.com/microsoft/PSRule/v1
 kind: Baseline
 metadata: