* Added binding reference #2995
* Updated baseline metadata
* Change log updates

Parent: f8b30532f8
Commit: df2d5ef1af
@ -29,10 +29,15 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers

## Unreleased

What's changed since pre-release v1.39.0-B0009:

- New rules:
- Azure Kubernetes Service:
- Verify that clusters have kube-audit logging disabled when not required by @BenjaminEngeset.
[#2450](https://github.com/Azure/PSRule.Rules.Azure/issues/2450)
- General improvements:
- Add binding configuration to policy as rules docs by @BernieWhite.
[#2995](https://github.com/Azure/PSRule.Rules.Azure/issues/2995)

## v1.39.0-B0009 (pre-release)

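Review bot: the two new Unreleased entries put the issue link on a continuation line after the bullet text ("... by @BenjaminEngeset." followed by "[#2450](...)"); the rendered diff strips leading whitespace, so please confirm those continuation lines are indented under their bullet in the source, otherwise the link renders as a separate paragraph and breaks the list. The commit message also says "Updated baseline metadata", but no Unreleased entry mentions it; add one if that change is user-visible.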
@ -4693,36 +4698,57 @@ What's changed since v1.8.0:
What's changed since v1.7.0:

- New features:
- Added `Azure.GA_2021_09` baseline. [#961](https://github.com/Azure/PSRule.Rules.Azure/issues/961)
- Added `Azure.GA_2021_09` baseline.
[#961](https://github.com/Azure/PSRule.Rules.Azure/issues/961)
- Includes rules released before or during September 2021 for Azure GA features.
- Marked baseline `Azure.GA_2021_06` as obsolete.
- New rules:
- Application Gateway:
- Check App Gateways should use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#928](https://github.com/Azure/PSRule.Rules.Azure/issues/928)
- Check App Gateways should use availability zones when available by @ArmaanMcleod.
[#928](https://github.com/Azure/PSRule.Rules.Azure/issues/928)
- Azure Kubernetes Service:
- Check clusters have control plane audit logs enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#882](https://github.com/Azure/PSRule.Rules.Azure/issues/882)
- Check clusters have control plane diagnostics enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#922](https://github.com/Azure/PSRule.Rules.Azure/issues/922)
- Check clusters use Container Insights for monitoring workloads. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#881](https://github.com/Azure/PSRule.Rules.Azure/issues/881)
- Check clusters use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#880](https://github.com/Azure/PSRule.Rules.Azure/issues/880)
- Check clusters have control plane audit logs enabled by @ArmaanMcleod.
[#882](https://github.com/Azure/PSRule.Rules.Azure/issues/882)
- Check clusters have control plane diagnostics enabled by @ArmaanMcleod.
[#922](https://github.com/Azure/PSRule.Rules.Azure/issues/922)
- Check clusters use Container Insights for monitoring workloads by @ArmaanMcleod.
[#881](https://github.com/Azure/PSRule.Rules.Azure/issues/881)
- Check clusters use availability zones when available by @ArmaanMcleod.
[#880](https://github.com/Azure/PSRule.Rules.Azure/issues/880)
- Cosmos DB:
- Check DB account names meet naming requirements. [#954](https://github.com/Azure/PSRule.Rules.Azure/issues/954)
- Check DB accounts use Azure AD identities for resource management operations. [#953](https://github.com/Azure/PSRule.Rules.Azure/issues/953)
- Check DB account names meet naming requirements.
[#954](https://github.com/Azure/PSRule.Rules.Azure/issues/954)
- Check DB accounts use Azure AD identities for resource management operations.
[#953](https://github.com/Azure/PSRule.Rules.Azure/issues/953)
- Load Balancer:
- Check Load balancers are using Standard SKU. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#957](https://github.com/Azure/PSRule.Rules.Azure/issues/957)
- Check Load Balancers are configured with zone-redundancy. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#927](https://github.com/Azure/PSRule.Rules.Azure/issues/927)
- Check Load balancers are using Standard SKU by @ArmaanMcleod.
[#957](https://github.com/Azure/PSRule.Rules.Azure/issues/957)
- Check Load Balancers are configured with zone-redundancy by @ArmaanMcleod.
[#927](https://github.com/Azure/PSRule.Rules.Azure/issues/927)
- Engineering:
- Bump PSRule dependency to v1.7.2. [#951](https://github.com/Azure/PSRule.Rules.Azure/issues/951)
- Automated update of availability zone information in providers.json. [#907](https://github.com/Azure/PSRule.Rules.Azure/issues/907)
- Increased test coverage of rule reasons. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#960](https://github.com/Azure/PSRule.Rules.Azure/issues/960)
- Bump PSRule dependency to v1.7.2.
[#951](https://github.com/Azure/PSRule.Rules.Azure/issues/951)
- Automated update of availability zone information in providers.json.
[#907](https://github.com/Azure/PSRule.Rules.Azure/issues/907)
- Increased test coverage of rule reasons by @ArmaanMcleod.
[#960](https://github.com/Azure/PSRule.Rules.Azure/issues/960)
- Bug fixes:
- Fixed export of in-flight AKS related subnets for kubenet clusters. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#920](https://github.com/Azure/PSRule.Rules.Azure/issues/920)
- Fixed plan instance count is not applicable to Elastic Premium plans. [#946](https://github.com/Azure/PSRule.Rules.Azure/issues/946)
- Fixed minimum App Service Plan fails Elastic Premium plans. [#945](https://github.com/Azure/PSRule.Rules.Azure/issues/945)
- Fixed App Service Plan should include PremiumV3 plan. [#944](https://github.com/Azure/PSRule.Rules.Azure/issues/944)
- Fixed Azure.VM.NICAttached with private endpoints. [#932](https://github.com/Azure/PSRule.Rules.Azure/issues/932)
- Fixed Bicep CLI fails with unexpected end of content. [#889](https://github.com/Azure/PSRule.Rules.Azure/issues/889)
- Fixed incomplete reason message for `Azure.Storage.MinTLS`. [#971](https://github.com/Azure/PSRule.Rules.Azure/issues/971)
- Fixed false positive of `Azure.Storage.UseReplication` with large file storage. [#965](https://github.com/Azure/PSRule.Rules.Azure/issues/965)
- Fixed export of in-flight AKS related subnets for kubenet clusters by @ArmaanMcleod.
[#920](https://github.com/Azure/PSRule.Rules.Azure/issues/920)
- Fixed plan instance count is not applicable to Elastic Premium plans.
[#946](https://github.com/Azure/PSRule.Rules.Azure/issues/946)
- Fixed minimum App Service Plan fails Elastic Premium plans.
[#945](https://github.com/Azure/PSRule.Rules.Azure/issues/945)
- Fixed App Service Plan should include PremiumV3 plan.
[#944](https://github.com/Azure/PSRule.Rules.Azure/issues/944)
- Fixed Azure.VM.NICAttached with private endpoints.
[#932](https://github.com/Azure/PSRule.Rules.Azure/issues/932)
- Fixed Bicep CLI fails with unexpected end of content.
[#889](https://github.com/Azure/PSRule.Rules.Azure/issues/889)
- Fixed incomplete reason message for `Azure.Storage.MinTLS`.
[#971](https://github.com/Azure/PSRule.Rules.Azure/issues/971)
- Fixed false positive of `Azure.Storage.UseReplication` with large file storage.
[#965](https://github.com/Azure/PSRule.Rules.Azure/issues/965)

What's changed since pre-release v1.8.0-B2109060:

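Review bot: this rewrite of the historic v1.8.0 entries replaces "Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod)." with a bare "by @ArmaanMcleod." and moves each issue link onto its own line, which drops the explicit profile hyperlink; that matches the newer entries at the top of the change log, but confirm the site renderer turns bare @handles into links, or accept that the attribution becomes plain text. As these are 2021 release notes, it is worth saying in the commit message that the edit is cosmetic and changes no content.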
@ -4734,25 +4760,32 @@ What's changed since pre-release v1.8.0-B2109060:

- New rules:
- Load Balancer:
- Check Load balancers are using Standard SKU. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#957](https://github.com/Azure/PSRule.Rules.Azure/issues/957)
- Check Load balancers are using Standard SKU. by @ArmaanMcleod.
[#957](https://github.com/Azure/PSRule.Rules.Azure/issues/957)
- Engineering:
- Increased test coverage of rule reasons. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#960](https://github.com/Azure/PSRule.Rules.Azure/issues/960)
- Increased test coverage of rule reasons. by @ArmaanMcleod.
[#960](https://github.com/Azure/PSRule.Rules.Azure/issues/960)
- Bug fixes:
- Fixed Bicep CLI fails with unexpected end of content. [#889](https://github.com/Azure/PSRule.Rules.Azure/issues/889)
- Fixed incomplete reason message for `Azure.Storage.MinTLS`. [#971](https://github.com/Azure/PSRule.Rules.Azure/issues/971)
- Fixed false positive of `Azure.Storage.UseReplication` with large file storage. [#965](https://github.com/Azure/PSRule.Rules.Azure/issues/965)
- Fixed Bicep CLI fails with unexpected end of content.
[#889](https://github.com/Azure/PSRule.Rules.Azure/issues/889)
- Fixed incomplete reason message for `Azure.Storage.MinTLS`.
[#971](https://github.com/Azure/PSRule.Rules.Azure/issues/971)
- Fixed false positive of `Azure.Storage.UseReplication` with large file storage.
[#965](https://github.com/Azure/PSRule.Rules.Azure/issues/965)

## v1.8.0-B2109060 (pre-release)

What's changed since pre-release v1.8.0-B2109046:

- New features:
- Added `Azure.GA_2021_09` baseline. [#961](https://github.com/Azure/PSRule.Rules.Azure/issues/961)
- Added `Azure.GA_2021_09` baseline.
[#961](https://github.com/Azure/PSRule.Rules.Azure/issues/961)
- Includes rules released before or during September 2021 for Azure GA features.
- Marked baseline `Azure.GA_2021_06` as obsolete.
- New rules:
- Load Balancer:
- Check Load Balancers are configured with zone-redundancy. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#927](https://github.com/Azure/PSRule.Rules.Azure/issues/927)
- Check Load Balancers are configured with zone-redundancy by @ArmaanMcleod.
[#927](https://github.com/Azure/PSRule.Rules.Azure/issues/927)

## v1.8.0-B2109046 (pre-release)

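Review bot: stray period before "by" in two of the rewritten lines in this hunk: "Check Load balancers are using Standard SKU. by @ArmaanMcleod." and "Increased test coverage of rule reasons. by @ArmaanMcleod." should read "... Standard SKU by @ArmaanMcleod." and "... rule reasons by @ArmaanMcleod.", matching how the same two entries are rewritten in the v1.8.0 section above.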
@ -4760,17 +4793,25 @@ What's changed since pre-release v1.8.0-B2109020:

- New rules:
- Application Gateway:
- Check App Gateways should use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#928](https://github.com/Azure/PSRule.Rules.Azure/issues/928)
- Check App Gateways should use availability zones when available by @ArmaanMcleod
[#928](https://github.com/Azure/PSRule.Rules.Azure/issues/928)
- Cosmos DB:
- Check DB account names meet naming requirements. [#954](https://github.com/Azure/PSRule.Rules.Azure/issues/954)
- Check DB accounts use Azure AD identities for resource management operations. [#953](https://github.com/Azure/PSRule.Rules.Azure/issues/953)
- Check DB account names meet naming requirements.
[#954](https://github.com/Azure/PSRule.Rules.Azure/issues/954)
- Check DB accounts use Azure AD identities for resource management operations.
[#953](https://github.com/Azure/PSRule.Rules.Azure/issues/953)
- Bug fixes:
- Fixed plan instance count is not applicable to Elastic Premium plans. [#946](https://github.com/Azure/PSRule.Rules.Azure/issues/946)
- Fixed minimum App Service Plan fails Elastic Premium plans. [#945](https://github.com/Azure/PSRule.Rules.Azure/issues/945)
- Fixed App Service Plan should include PremiumV3 plan. [#944](https://github.com/Azure/PSRule.Rules.Azure/issues/944)
- Fixed Azure.VM.NICAttached with private endpoints. [#932](https://github.com/Azure/PSRule.Rules.Azure/issues/932)
- Fixed plan instance count is not applicable to Elastic Premium plans.
[#946](https://github.com/Azure/PSRule.Rules.Azure/issues/946)
- Fixed minimum App Service Plan fails Elastic Premium plans.
[#945](https://github.com/Azure/PSRule.Rules.Azure/issues/945)
- Fixed App Service Plan should include PremiumV3 plan.
[#944](https://github.com/Azure/PSRule.Rules.Azure/issues/944)
- Fixed Azure.VM.NICAttached with private endpoints.
[#932](https://github.com/Azure/PSRule.Rules.Azure/issues/932)
- Engineering:
- Bump PSRule dependency to v1.7.2. [#951](https://github.com/Azure/PSRule.Rules.Azure/issues/951)
- Bump PSRule dependency to v1.7.2.
[#951](https://github.com/Azure/PSRule.Rules.Azure/issues/951)

## v1.8.0-B2109046 (pre-release)

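Review bot: missing trailing period on "Check App Gateways should use availability zones when available by @ArmaanMcleod" in this hunk; the v1.8.0 section rewrites the same entry with the period, so add it here for consistency.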
@ -4778,10 +4819,13 @@ What's changed since pre-release v1.8.0-B2108026:

- New rules:
- Azure Kubernetes Service:
- Check clusters have control plane audit logs enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#882](https://github.com/Azure/PSRule.Rules.Azure/issues/882)
- Check clusters have control plane diagnostics enabled. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#922](https://github.com/Azure/PSRule.Rules.Azure/issues/922)
- Check clusters have control plane audit logs enabled by @ArmaanMcleod.
[#882](https://github.com/Azure/PSRule.Rules.Azure/issues/882)
- Check clusters have control plane diagnostics enabled by @ArmaanMcleod.
[#922](https://github.com/Azure/PSRule.Rules.Azure/issues/922)
- Engineering:
- Bump PSRule dependency to v1.7.0. [#938](https://github.com/Azure/PSRule.Rules.Azure/issues/938)
- Bump PSRule dependency to v1.7.0.
[#938](https://github.com/Azure/PSRule.Rules.Azure/issues/938)

## v1.8.0-B2108026 (pre-release)

@ -4789,9 +4833,11 @@ What's changed since pre-release v1.8.0-B2108013:

- New rules:
- Azure Kubernetes Service:
- Check clusters use Container Insights for monitoring workloads. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#881](https://github.com/Azure/PSRule.Rules.Azure/issues/881)
- Check clusters use Container Insights for monitoring workloads by @ArmaanMcleod.
[#881](https://github.com/Azure/PSRule.Rules.Azure/issues/881)
- Bug fixes:
- Fixed export of in-flight AKS related subnets for kubenet clusters. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#920](https://github.com/Azure/PSRule.Rules.Azure/issues/920)
- Fixed export of in-flight AKS related subnets for kubenet clusters by @ArmaanMcleod.
[#920](https://github.com/Azure/PSRule.Rules.Azure/issues/920)

## v1.8.0-B2108013 (pre-release)

@ -4799,10 +4845,13 @@ What's changed since v1.7.0:

- New rules:
- Azure Kubernetes Service:
- Check clusters use availability zones when available. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#880](https://github.com/Azure/PSRule.Rules.Azure/issues/880)
- Check clusters use availability zones when available by @ArmaanMcleod.
[#880](https://github.com/Azure/PSRule.Rules.Azure/issues/880)
- Engineering:
- Bump PSRule dependency to v1.6.1. [#913](https://github.com/Azure/PSRule.Rules.Azure/issues/913)
- Automated update of availability zone information in providers.json. [#907](https://github.com/Azure/PSRule.Rules.Azure/issues/907)
- Bump PSRule dependency to v1.6.1.
[#913](https://github.com/Azure/PSRule.Rules.Azure/issues/913)
- Automated update of availability zone information in providers.json.
[#907](https://github.com/Azure/PSRule.Rules.Azure/issues/907)

## v1.7.0

@ -4818,8 +4867,8 @@ What's changed since v1.6.0:
- Check template parameters set a value. [#896](https://github.com/Azure/PSRule.Rules.Azure/issues/896)
- Check template parameters use a valid secret reference. [#897](https://github.com/Azure/PSRule.Rules.Azure/issues/897)
- Azure Kubernetes Service:
- Check clusters using Azure CNI should use large subnets. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#273](https://github.com/Azure/PSRule.Rules.Azure/issues/273)
- Check clusters use auto-scale node pools. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#218](https://github.com/Azure/PSRule.Rules.Azure/issues/218)
- Check clusters using Azure CNI should use large subnets by @ArmaanMcleod. [#273](https://github.com/Azure/PSRule.Rules.Azure/issues/273)
- Check clusters use auto-scale node pools by @ArmaanMcleod. [#218](https://github.com/Azure/PSRule.Rules.Azure/issues/218)
- By default, a minimum of a `/23` subnet is required.
- Configure `AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE` to change the default minimum subnet size.
- Storage Account:
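Review bot: inconsistent link placement across this commit: here the issue link stays inline after the attribution ("... by @ArmaanMcleod. [#273](...)" and "... by @ArmaanMcleod. [#218](...)"), whereas every v1.8.0 hunk above moves the issue link onto its own continuation line. Pick one convention for the rewritten entries; the inline form is repeated in the two v1.7.0 pre-release hunks that follow.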
@ -4871,7 +4920,7 @@ What's changed since pre-release v1.7.0-B2108020:
- Check template parameter files use metadata links. [#846](https://github.com/Azure/PSRule.Rules.Azure/issues/846)
- Configure the `AZURE_PARAMETER_FILE_METADATA_LINK` option to enable this rule.
- Azure Kubernetes Service:
- Check clusters using Azure CNI should use large subnets. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#273](https://github.com/Azure/PSRule.Rules.Azure/issues/273)
- Check clusters using Azure CNI should use large subnets by @ArmaanMcleod. [#273](https://github.com/Azure/PSRule.Rules.Azure/issues/273)
- By default, a minimum of a `/23` subnet is required.
- Configure `AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE` to change the default minimum subnet size.
- Storage Account:
@ -4883,7 +4932,7 @@ What's changed since v1.6.0:

- New rules:
- Azure Kubernetes Service:
- Check clusters use auto-scale node pools. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#218](https://github.com/Azure/PSRule.Rules.Azure/issues/218)
- Check clusters use auto-scale node pools by @ArmaanMcleod. [#218](https://github.com/Azure/PSRule.Rules.Azure/issues/218)
- Updated rules:
- Virtual Network:
- Excluded `AzureFirewallManagementSubnet` from `Azure.VNET.UseNSGs`. [#869](https://github.com/Azure/PSRule.Rules.Azure/issues/869)
@ -4895,35 +4944,45 @@ What's changed since v1.6.0:
What's changed since v1.5.1:

- New features:
- **Experimental:** Added support for expansion from Bicep source files. [#848](https://github.com/Azure/PSRule.Rules.Azure/issues/848) [#670](https://github.com/Azure/PSRule.Rules.Azure/issues/670) [#858](https://github.com/Azure/PSRule.Rules.Azure/issues/858)
- **Experimental:** Added support for expansion from Bicep source files.
[#848](https://github.com/Azure/PSRule.Rules.Azure/issues/848)
[#670](https://github.com/Azure/PSRule.Rules.Azure/issues/670)
[#858](https://github.com/Azure/PSRule.Rules.Azure/issues/858)
- Bicep support is currently experimental.
- To opt-in set the `AZURE_BICEP_FILE_EXPANSION` configuration to `true`.
- For more information see [Using Bicep](https://azure.github.io/PSRule.Rules.Azure/using-bicep/).
- New rules:
- Application Gateways:
- Check Application Gateways publish endpoints by HTTPS. [#841](https://github.com/Azure/PSRule.Rules.Azure/issues/841)
- Check Application Gateways publish endpoints by HTTPS.
[#841](https://github.com/Azure/PSRule.Rules.Azure/issues/841)
- Engineering:
- Bump PSRule dependency to v1.5.0. [#832](https://github.com/Azure/PSRule.Rules.Azure/issues/832)
- Migration of Pester v4 tests to Pester v5. Thanks [@ArmaanMcleod](https://github.com/ArmaanMcleod). [#395](https://github.com/Azure/PSRule.Rules.Azure/issues/395)
- Bump PSRule dependency to v1.5.0.
[#832](https://github.com/Azure/PSRule.Rules.Azure/issues/832)
- Migration of Pester v4 tests to Pester v5 by @ArmaanMcleod.
[#395](https://github.com/Azure/PSRule.Rules.Azure/issues/395)

What's changed since pre-release v1.6.0-B2108038:

- Bug fixes:
- Fixed Bicep expand creates deadlock and times out. [#863](https://github.com/Azure/PSRule.Rules.Azure/issues/863)
- Fixed Bicep expand creates deadlock and times out.
[#863](https://github.com/Azure/PSRule.Rules.Azure/issues/863)

## v1.6.0-B2108038 (pre-release)

What's changed since pre-release v1.6.0-B2108023:

- Bug fixes:
- Fixed Bicep expand hangs analysis. [#858](https://github.com/Azure/PSRule.Rules.Azure/issues/858)
- Fixed Bicep expand hangs analysis.
[#858](https://github.com/Azure/PSRule.Rules.Azure/issues/858)

## v1.6.0-B2108023 (pre-release)

What's changed since pre-release v1.6.0-B2107028:

- New features:
- **Experimental:** Added support for expansion from Bicep source files. [#848](https://github.com/Azure/PSRule.Rules.Azure/issues/848) [#670](https://github.com/Azure/PSRule.Rules.Azure/issues/670)
- **Experimental:** Added support for expansion from Bicep source files.
[#848](https://github.com/Azure/PSRule.Rules.Azure/issues/848)
[#670](https://github.com/Azure/PSRule.Rules.Azure/issues/670)
- Bicep support is currently experimental.
- To opt-in set the `AZURE_BICEP_FILE_EXPANSION` configuration to `true`.
- For more information see [Using Bicep](https://azure.github.io/PSRule.Rules.Azure/using-bicep/).

@ -86,6 +86,29 @@ For example:
Export-AzPolicyAssignmentRuleData -AssignmentFile '.\<subscriptionId>.assignment.json'
```

## Running policy rules

Rules and an initial baseline are generated in a file ending in `.Rule.jsonc`.
This file extension and format are automatically detected by PSRule when it is run from an included source path.
To start using the policy rules, copy the file to the default include sub-directory (`.ps-rule/`) in the root of your repository.

Additionally, the following setup is required to scan Infrastructure as Code (IaC):

1. Set a binding configuration.
2. Configure expansion for processing Bicep or ARM templates.
3. Include the `PSRule.Rules.Azure` module.
4. Optionally specify a baseline to limit the rules evaluated to policy rules.

### Generated baseline

<!-- module:version v1.33.0 -->

When exporting policies, PSRule for Azure will automatically generate a baseline including any generated rules.
By default, this baseline is called `Azure.PolicyBaseline.All`.
If you change the prefix of generated rules the baseline will be named `<Prefix>.PolicyBaseline.All`.

See [Using baselines](../working-with-baselines.md#using-baselines) for examples on how to use a baseline in a run.

## Customizing the generated rules

PSRule for Azure allows you to:
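Review bot: steps 1 to 3 of the new numbered list under "Running policy rules" restate the "Requirements" list of the new using-custom-rules.md page word for word, and the commit is meant to add a binding reference (#2995); link to that page's "Set binding configuration" section instead of duplicating the steps, so the two lists cannot drift apart, and tell the reader where the actual binding snippet lives. Also, "Generated baseline" is demoted from a `##` to a `###` heading here; check the site navigation and table of contents still list it as intended.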
@ -108,16 +131,6 @@ configuration:
- /providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0
```

## Generated baseline

<!-- module:version v1.33.0 -->

When exporting policies, PSRule for Azure will automatically generate a baseline including any generated rules.
By default, this baseline is called `Azure.PolicyBaseline.All`.
If you change the prefix of generated rules the baseline will be named `<Prefix>.PolicyBaseline.All`.

See [Using baselines](../working-with-baselines.md#using-baselines) for examples on how to use a baseline in a run.

## Duplicate policies

<!-- module:version v1.33.0 -->
@ -143,3 +156,9 @@ This allows you to:
- Reduce noise reporting the same issue multiple times.

To override this behavior use the `-KeepDuplicates` parameter switch when running `Export-AzPolicyAssignmentRuleData`.

## Recommended content

- [Using custom rules](../customization/using-custom-rules.md)
- [Creating your pipeline](../creating-your-pipeline.md)
- [Working with baselines](../working-with-baselines.md)

@ -60,9 +60,9 @@ Some key points to call out with the rule snippet include:
PSRule for Azure exposes a `Template` and `Parameter` source for resources originating from a template.

!!! Tip
For recommendations on naming and storing rules see [storing custom rules][3].
For recommendations on naming and storing rules see [using custom rules][3].

[3]: storing-custom-rules.md
[3]: using-custom-rules.md

## Binding type

@ -78,8 +78,8 @@ To configure type binding:
# Configure binding options
binding:
targetType:
- 'resourceType'
- 'type'
- 'resourceType'
- 'type'
```

Some key points to call out include:

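Review bot: the only change in this hunk is the indentation of the two list items under `targetType:`, which the rendered diff cannot show because leading whitespace is stripped; confirm the result is still valid YAML that PSRule accepts and that it matches the `binding:` snippet in the new using-custom-rules.md page exactly. For consistency with the later hunk, consider adding the `title="ps-rule.yaml"` fence attribute to this snippet as well.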
@ -43,9 +43,9 @@ Some key points to call out with the rule snippet include:
- The automatic variable `$TargetObject` automatically exposes the current resource being processed.

!!! Tip
For recommendations on naming and storing rules see [storing custom rules][1].
For recommendations on naming and storing rules see [using custom rules][1].

[1]: storing-custom-rules.md
[1]: using-custom-rules.md

## Adding mandatory tags

@ -147,12 +147,12 @@ To configure type binding:
- Create/ update the `ps-rule.yaml` file within the root of the repository.
- Add the following configuration snippet.

```yaml
```yaml title="ps-rule.yaml"
# Configure binding options
binding:
targetType:
- 'resourceType'
- 'type'
- 'resourceType'
- 'type'
```

Some key points to call out include:

@ -1,62 +0,0 @@
---
author: BernieWhite
---

# Storing custom rules

PSRule for Azure covers common use cases that align to the [Microsoft Azure Well-Architected Framework (WAF)][1].
In addition to WAF alignment you may have a requirement to enforce organization specific rules.

For example:

- Required tags on a resource group.
- Code ownership for sensitive resource types.

PSRule allows custom rules to be layered on.
These custom rules work side-by-side with PSRule for Azure.

[1]: https://learn.microsoft.com/azure/well-architected/

## Using a standard file path

Rules can be standalone or packaged within a module.
Standalone rules are ideal for a single project such as an Infrastructure as Code (IaC) repository.
To reuse rules across multiple projects consider packaging these as a module.

The instructions for packaging rules in a module can be found here:

- [Packaging rules in a module][2]

To store standalone rules we recommend that you:

- **Use .ps-rule/** — Create a sub-directory called `.ps-rule` in the root of your repository.
Use all lower-case in the sub-directory name.
Put any custom rules within this sub-directory.
- **Use files ending with .Rule.ps1** — PSRule uses a file naming convention to discover rules.
We recommend using a file name that ends in `.Rule.ps1`.

!!! note
Build pipelines are often case-sensitive or run on Linux-based systems.
Using the casing rule above reduces confusion latter when you configure continuous integration (CI).

[2]: https://microsoft.github.io/PSRule/stable/authoring/packaging-rules/

## Naming rules

When running PSRule, rule names must be unique.
PSRule for Azure uses the name prefix of `Azure.` on all rules and resources included in the module.

!!! example
The following names are examples of rules included within PSRule for Azure:

- `Azure.AKS.Version`
- `Azure.AKS.AuthorizedIPs`
- `Azure.SQL.MinTLS`

When naming custom rules we recommend that you:

- **Use a standard prefix** — You can use the `Local.` or `Org.` prefix for standalone rules.
- Alternatively choose a short prefix that identifies your organization.
- **Use dotted notation** — Use dots to separate rule name.
- **Use a maximum length of 35 characters** — The default view of `Invoke-PSRule` truncates longer names.
PSRule supports longer rule names however if `Invoke-PSRule` is called directly consider using `Format-List`.

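Review bot: deleting storing-custom-rules.md removes a published documentation URL; add a redirect from storing-custom-rules.md to using-custom-rules.md in the site configuration so existing bookmarks and inbound links keep working, and search the docs and navigation for any remaining references, since this commit only updates the two `storing-custom-rules.md` link definitions shown in the hunks above.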
@ -0,0 +1,131 @@
---
description: This topic covers how you can use custom rules to test Azure Infrastructure as Code.
author: BernieWhite
---

# Using custom rules

PSRule for Azure covers common use cases that align to the [Microsoft Azure Well-Architected Framework (WAF)][1].
In addition to WAF alignment you may have a requirement to enforce organization specific rules.

For example:

- Required tags on a resource group.
- Code ownership for sensitive resource types.
- Apply similar controls to Infrastructure as Code that are deployed via Azure Policies.

PSRule allows custom rules to be layered on.
These custom rules work side-by-side with PSRule for Azure.

[1]: https://learn.microsoft.com/azure/well-architected/

!!! Abstract
This topic covers how you can use custom rules to test Azure Infrastructure as Code (IaC).

## Requirements

For custom rules to work with IaC the following requirements must be configured:

1. Set a binding configuration.
2. Configure expansion for processing Bicep or ARM templates.
3. Include the `PSRule.Rules.Azure` module.

### Set binding configuration

Rules packaged within PSRule for Azure will automatically detect Azure resources by their type properties.
Standalone rules will get their type binding configuration from `ps-rule.yaml` instead.
When binding is not configured, custom rules will typically be ignored.

To configure type binding:

- Create/ update the `ps-rule.yaml` file within the root of the repository.
- Add the following configuration snippet.

```yaml title="ps-rule.yaml"
# Configure binding options
binding:
targetType:
- 'resourceType'
- 'type'
```

### Configuring expansion

PSRule for Azure performs [expansion][2] on Bicep and ARM template files it finds in your repository.
Enabling expansion is required for testing any IaC in your repository.
The requirements for custom rules are no different then using the built-in rules included within PSRule for Azure.

To configure expansion see either:

- [Using Bicep source](../using-bicep.md)
- [Using templates](../using-templates.md)

[2]: ../faq.md#what-is-expansion

### Including PSRule for Azure

When creating custom rules to test Azure IaC including PSRule for Azure is required for most scenarios.
PSRule for Azure performs [expansion][2] on Bicep and ARM template files it finds in your repository.

You can include PSRule for Azure by specifying `PSRule.Rules.Azure` in one of the following:

- **Pipeline** — The `modules:` parameter in [GitHub Actions or Azure Pipelines][3].
- **PowerShell** — The `-Module` parameter with the [PowerShell cmdlets][4].
- **Options** — - The `Include.Module` [option][5].

[3]: ../creating-your-pipeline.md
[4]: ../creating-your-pipeline.md
[5]: https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Options/#includemodule

## Using a standard file path

Rules can be standalone or packaged within a module.
Standalone rules are ideal for a single project such as an Infrastructure as Code (IaC) repository.
To reuse rules across multiple projects consider packaging these as a module.

The instructions for packaging rules in a module can be found here:

- [Packaging rules in a module][6]

To store standalone rules we recommend that you:

- **Use .ps-rule/** — Create a sub-directory called `.ps-rule` in the root of your repository.
Use all lower-case in the sub-directory name.
Put any custom rules within this sub-directory.
- **Use files ending with .Rule.ps1 | .Rule.yaml | .Rule.jsonc** —
PSRule uses a file naming convention to discover rules.
We recommend using a file name that ends in `.Rule.ps1` or `.Rule.yaml` or `.Rule.jsonc`.

!!! note
Build pipelines are often case-sensitive or run on Linux-based systems.
Using the casing rule above reduces confusion latter when you configure continuous integration (CI).

[6]: https://microsoft.github.io/PSRule/stable/authoring/packaging-rules/

## Naming rules

When running PSRule, rule names must be unique.
PSRule for Azure uses the name prefix of `Azure.` on all rules and resources included in the module.

!!! example
The following names are examples of rules included within PSRule for Azure:

- `Azure.AKS.Version`
- `Azure.AKS.AuthorizedIPs`
- `Azure.SQL.MinTLS`

When naming custom rules we recommend that you:

- **Use a standard prefix** — You can use the `Local.` or `Org.` prefix for standalone rules.
|
||||
- Alternatively choose a short prefix that identifies your organization.
|
||||
- **Use dotted notation** — Use dots to separate rule name.
|
||||
- **Use a maximum length of 35 characters** — The default view of `Invoke-PSRule` truncates longer names.
|
||||
PSRule supports longer rule names however if `Invoke-PSRule` is called directly consider using `Format-List`.
|
||||
|
||||
## Related content
|
||||
|
||||
- [Using Bicep source](using-bicep.md)
|
||||
- [Using templates](using-templates.md)
|
||||
- [Creating your pipeline](creating-your-pipeline.md)
|
||||
|
||||
*[IaC]: Azure Resource Manager
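Review bot: the abbreviation definition at the end of this file, `*[IaC]: Azure Resource Manager`, expands IaC to the wrong term; the same file spells it out as "Infrastructure as Code (IaC)" under "Using a standard file path", so it should read `*[IaC]: Infrastructure as Code`. Smaller points in the same hunk: the "Related content" links use `using-bicep.md` and `using-templates.md` while the links under "Configuring expansion" use `../using-bicep.md` and `../using-templates.md`, so one set resolves incorrectly from this file's location; "no different then" should be "no different than"; "reduces confusion latter" should be "later"; the `**Options** — - The` bullet has a doubled dash; and the sentence "PSRule for Azure performs expansion on Bicep and ARM template files it finds in your repository." is repeated verbatim under "Including PSRule for Azure", where it does not explain why the module must be included.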
@ -179,6 +179,12 @@ properties:

To override, configure [`AZURE_MANAGEMENT_GROUP`](setup/configuring-expansion.md#deployment-management-group).

## Related content

- [Using Bicep source](using-bicep.md)
- [Using templates](using-templates.md)
- [Creating your pipeline](creating-your-pipeline.md)

*[WAF]: Well-Architected Framework
*[ARM]: Azure Resource Manager
*[PR]: Pull Request
20
docs/faq.md
@ -26,9 +26,12 @@ For general FAQ see [PSRule - Frequently Asked Questions (FAQ)][ps-rule-faq], in
## What is a rule?

A rule is a named set of checks and documentation.
Each rule is tests a specific aspect of an Azure resource or deployment to determine if
it is aligned with the [Microsoft Azure Well-Architected Framework][AWAF].
You can find the documentation for each rule under [reference][1].

[1]: en/rules/module.md
[AWAF]: https://learn.microsoft.com/azure/architecture/framework/

## What is a baseline?
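Review bot: the added line "Each rule is tests a specific aspect of an Azure resource or deployment" has a stray verb; it should read "Each rule tests a specific aspect of an Azure resource or deployment to determine if it is aligned with the Microsoft Azure Well-Architected Framework."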
@ -40,9 +43,22 @@ Continue reading [working with baselines][2] for a detailed breakdown.

[2]: working-with-baselines.md

## What is expansion?

Expansion is a feature of PSRule for Azure that converts Azure Infrastructure as Code (IaC) to a testable Azure resource.
IaC format such as Bicep and ARM templates, support dynamic capabilities such parameters, variables, and conditions...
These dynamic capabilities allow customers to create modular reusable code that can scale across an organization.
However, to determine if a specific Azure resource meets the requirements of an organization the final state must be known.

Expansion resolves these dynamic capabilities so that a final state for each resource can be tested by rules.
Noting the final expanded state provided by PSRule for Azure is a close approximation.
This close approximation allows testing of Azure resources offline directly from code before deployment to Azure.

Continue reading [Expanding source files](expanding-source-files.md).

## Is Terraform supported?

Currently PSRule for Azure supports testing Azure resources from Infrastructure as Code (IaC) with:
Currently PSRule for Azure supports testing Azure resources from IaC with:

- Azure Resource Manager (ARM) templates.
- Azure Bicep deployments.
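Review bot: two sentences in the new "What is expansion?" section need rewording. "IaC format such as Bicep and ARM templates, support dynamic capabilities such parameters, variables, and conditions..." should read "IaC formats such as Bicep and ARM templates support dynamic capabilities such as parameters, variables, and conditions." (no stray comma, "such as", and a full stop rather than an ellipsis), and "Noting the final expanded state provided by PSRule for Azure is a close approximation." is a fragment; suggest "Note that the final expanded state provided by PSRule for Azure is a close approximation." The change from "Infrastructure as Code (IaC)" to "IaC" in the Terraform answer is fine because the term is expanded in the paragraph above it.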
@ -89,8 +105,6 @@ You may want to use PSRule to enforce tagging or something similar early in a De

We have a walk through scenario [Enforcing custom tags][9] to get you started.

[AWAF]: https://learn.microsoft.com/azure/architecture/framework/

## How do I create a custom rule to enforce code ownership?

GitHub, Azure DevOps, and other DevOps platforms may implement code ownership.
@ -140,7 +140,7 @@ There is a few common causes of this issue including:
You may be able to use `git mv` to change the case of a file if it is committed to the repository incorrectly.

[5]: https://aka.ms/ps-rule/naming
[6]: customization/enforce-custom-tags.md#binding-type
[6]: customization/using-custom-rules.md#set-binding-configuration
[12]: working-with-baselines.md#quarterly-baseline
[13]: https://aka.ms/ps-rule/options#ruleincludelocal
[14]: working-with-baselines.md#including-custom-rules
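Review bot: the new target `customization/using-custom-rules.md#set-binding-configuration` matches the `### Set binding configuration` heading added in that file in this commit, so the retargeted `[6]` link resolves. While here, the context line in the hunk header, "There is a few common causes of this issue", should read "There are a few common causes of this issue".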
@ -8,7 +8,7 @@ A baseline is a standard PSRule artifact that combines rules and configuration.
PSRule for Azure provides several baselines that can be referenced when running PSRule.

!!! Abstract
This topic covers how to use the baselines shipped with PSRule for Azure.
This topic covers how to use standard baselines shipped with PSRule for Azure or custom baselines you define.

## Quarterly baselines
@ -67,7 +67,7 @@ nav:
- Suppression: concepts/suppression.md
- Policy as rules: concepts/policy-as-rules.md
- Customization:
- Storing custom rules: customization/storing-custom-rules.md
- Using custom rules: customization/using-custom-rules.md
- Enforcing custom tags: customization/enforce-custom-tags.md
- Enforcing code ownership: customization/enforce-codeowners.md
- Permit outbound management: customization/permit-outbound-management.md
@ -148,7 +148,8 @@ plugins:
install-instructions.md: install.md
validating-locally.md: install.md
using-metadata.md: using-templates.md
customization/index.md: customization/storing-custom-rules.md
customization/index.md: customization/using-custom-rules.md
customization/storing-custom-rules.md: customization/using-custom-rules.md
en/asb-v3.md: en/mcsb-v1.md
setup/configuring-options.md: setup/index.md
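Review bot: redirect check passes: `customization/index.md` is retargeted straight to `customization/using-custom-rules.md` rather than left pointing at the renamed `storing-custom-rules.md`, so there is no two-hop redirect, and the added `customization/storing-custom-rules.md` entry keeps existing external links to the old page working.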
@ -6,7 +6,7 @@
#

---
# Synopsis: Default baseline for that includes the latest rules for Azure GA features that is updated each release.
# Synopsis: Default baseline for that includes the latest rules for Azure GA features that is updated each release.
apiVersion: github.com/microsoft/PSRule/v1
kind: Baseline
metadata:
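Review bot: the new synopsis "Default baseline for that includes the latest rules for Azure GA features that is updated each release." has a stray "for" and a dangling "that is updated" clause; suggest "Default baseline that includes the latest rules for Azure GA features. This baseline is updated each release.", matching the two-sentence form used for the MCSB baseline in this commit.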
@ -17,7 +17,7 @@ spec:
release: GA

---
# Synopsis: Includes rules for Azure GA and preview features.
# Synopsis: Includes the latest rules for Azure GA and preview features that is updated each release.
apiVersion: github.com/microsoft/PSRule/v1
kind: Baseline
metadata:
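Review bot: in "Includes the latest rules for Azure GA and preview features that is updated each release." the clause "that is updated" attaches to "features" rather than to the baseline; suggest "Includes the latest rules for Azure GA and preview features. This baseline is updated each release.", consistent with the MCSB baseline synopsis changed in the same commit.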
@ -6,7 +6,7 @@
#

---
# Synopsis: Microsoft Cloud Security Benchmark v1.
# Synopsis: Rules for GA Azure features that align to the Microsoft Cloud Security Benchmark v1. This baseline is updated each release.
apiVersion: github.com/microsoft/PSRule/v1
kind: Baseline
metadata: