Azure
/
PSRule.Rules.Azure
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Realign naming of configuration settings #941 (#3041)

This commit is contained in:
Bernie White 2024-09-17 00:50:18 +10:00 коммит произвёл GitHub
Родитель 4555ac0a6c
Коммит f2a6ed5971
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
18 изменённых файлов: 166 добавлений и 76 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

5
.vscode/settings.json поставляемый
Просмотреть файл

@ -50,7 +50,7 @@
"agentpool",
"APIM",
"apiserver",
"APIVERSION",
"apiVersion",
"APPGW",
"Architected",
"AUDITIFNOTEXISTS",
@ -62,7 +62,7 @@
"bicepparam",
"cmdlet",
"cmdlets",
"CODEOWNERS",
"codeowners",
"Concat",
"CONTAINERAPPS",
"Contoso",
@ -90,6 +90,7 @@
"LESSOREQUAL",
"LESSOREQUALS",
"lifecycle",
"maxpods",
"MCSB",
"Newtonsoft",
"nics",

35
docs/CHANGELOG-v1.md
Просмотреть файл

@ -14,14 +14,14 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
- Issue #741: `Could not load file or assembly YamlDotNet`.
See [troubleshooting guide] for a workaround to this issue.
- The configuration option `Azure_AKSMinimumVersion` is replaced with `AZURE_AKS_CLUSTER_MINIMUM_VERSION`.
If you have this option configured, please update it to `AZURE_AKS_CLUSTER_MINIMUM_VERSION`.
Support for `Azure_AKSMinimumVersion` will be removed in v2.
See [upgrade notes][1] for more information.
- The configuration option `Azure_AllowedRegions` is replaced with `AZURE_RESOURCE_ALLOWED_LOCATIONS`.
If you have this option configured, please update it to `AZURE_RESOURCE_ALLOWED_LOCATIONS`.
Support for `Azure_AllowedRegions` will be removed in v2.
- The following configuration options are deprecated and have been replaced with alternative options.
If you have these options configured, please update them to the replacement.
Support for the old names will be removed in v2.
See [upgrade notes][1] for more information.
- `Azure_AKSMinimumVersion` is replaced with `AZURE_AKS_CLUSTER_MINIMUM_VERSION`.
- `Azure_AKSNodeMinimumMaxPods` is replaced with `AZURE_AKS_POOL_MINIMUM_MAXPODS`.
- `Azure_AllowedRegions` is replaced with `AZURE_RESOURCE_ALLOWED_LOCATIONS`.
- `Azure_MinimumCertificateLifetime` is replaced with `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME`.
- The `SupportsTag` PowerShell function has been replaced with the `Azure.Resource.SupportsTags` selector.
Update PowerShell rules to use the `Azure.Resource.SupportsTags` selector instead.
Support for the `SupportsTag` function will be removed in v2.
@ -35,6 +35,23 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
[#432](https://github.com/Azure/PSRule.Rules.Azure/issues/432)
- Verify that availability set members are in a backend pool by @BenjaminEngeset.
[#67](https://github.com/Azure/PSRule.Rules.Azure/issues/67)
- General improvements:
- **Important change:** Replaced the `Azure_AKSNodeMinimumMaxPods` option with `AZURE_AKS_POOL_MINIMUM_MAXPODS` by @BernieWhite.
[#941](https://github.com/Azure/PSRule.Rules.Azure/issues/941)
- For compatibility, if `Azure_AKSNodeMinimumMaxPods` is set it will be used instead of `AZURE_AKS_POOL_MINIMUM_MAXPODS`.
- If only `AZURE_AKS_POOL_MINIMUM_MAXPODS` is set, this value will be used.
- The default will be used neither options are configured.
- If `Azure_AKSNodeMinimumMaxPods` is set a warning will be generated until the configuration is removed.
- Support for `Azure_AKSNodeMinimumMaxPods` is deprecated and will be removed in v2.
- See [upgrade notes][1] for details.
- **Important change:** Replaced the `Azure_MinimumCertificateLifetime` option with `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME` by @BernieWhite.
[#941](https://github.com/Azure/PSRule.Rules.Azure/issues/941)
- For compatibility, if `Azure_MinimumCertificateLifetime` is set it will be used instead of `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME`.
- If only `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME` is set, this value will be used.
- The default will be used neither options are configured.
- If `Azure_MinimumCertificateLifetime` is set a warning will be generated until the configuration is removed.
- Support for `Azure_MinimumCertificateLifetime` is deprecated and will be removed in v2.
- See [upgrade notes][1] for details.
- Bug fixed:
- Fixed `Azure.AppService.AvailabilityZone` only detects premium by tier property @BenjaminEngeset.
[#3034](https://github.com/Azure/PSRule.Rules.Azure/issues/3034)
@ -1455,7 +1472,7 @@ What's changed since v1.29.0:
- Promoted `Azure.ContainerApp.DisableAffinity` to GA rule set by @BernieWhite.
[#2455](https://github.com/Azure/PSRule.Rules.Azure/issues/2455)
- General improvements:
- **Important change:** Replaced the `Azure_AllowedRegions` option with `AZURE_RESOURCE_ALLOWED_LOCATIONS`.
- **Important change:** Replaced the `Azure_AllowedRegions` option with `AZURE_RESOURCE_ALLOWED_LOCATIONS` by @BernieWhite.
[#941](https://github.com/Azure/PSRule.Rules.Azure/issues/941)
- For compatibility, if `Azure_AllowedRegions` is set it will be used instead of `AZURE_RESOURCE_ALLOWED_LOCATIONS`.
- If only `AZURE_RESOURCE_ALLOWED_LOCATIONS` is set, this value will be used.
@ -1542,7 +1559,7 @@ What's changed since pre-release v1.30.0-B0080:
What's changed since pre-release v1.30.0-B0047:
- General improvements:
- **Important change:** Replaced the `Azure_AllowedRegions` option with `AZURE_RESOURCE_ALLOWED_LOCATIONS`.
- **Important change:** Replaced the `Azure_AllowedRegions` option with `AZURE_RESOURCE_ALLOWED_LOCATIONS` by @BernieWhite.
[#941](https://github.com/Azure/PSRule.Rules.Azure/issues/941)
- For compatibility, if `Azure_AllowedRegions` is set it will be used instead of `AZURE_RESOURCE_ALLOWED_LOCATIONS`.
- If only `AZURE_RESOURCE_ALLOWED_LOCATIONS` is set, this value will be used.

57
docs/concepts/about_PSRule_Azure_Configuration.md
Просмотреть файл

@ -18,9 +18,9 @@ For details of setting configuration options see [PSRule options][1].
The following configurations options are available for use:
- [AZURE_AKS_CLUSTER_MINIMUM_VERSION](#azure_aks_cluster_minimum_version)
- [Azure_AKSNodeMinimumMaxPods](#azure_aksnodeminimummaxpods)
- [Azure_AllowedRegions](#azure_allowedregions)
- [Azure_MinimumCertificateLifetime](#azure_minimumcertificatelifetime)
- [AZURE_AKS_POOL_MINIMUM_MAXPODS](#azure_aks_pool_minimum_maxpods)
- [AZURE_RESOURCE_ALLOWED_LOCATIONS](#azure_resource_allowed_locations)
- [AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME](#azure_apim_minimum_certificate_lifetime)
- [AZURE_PARAMETER_FILE_EXPANSION](#azure_parameter_file_expansion)
- [AZURE_POLICY_WAIVER_MAX_EXPIRY](#azure_policy_waiver_max_expiry)
- [AZURE_RESOURCE_GROUP](#azure_resource_group)
@ -42,87 +42,88 @@ Syntax:
```yaml
configuration:
Azure_AKSMinimumVersion: string # A version string
AZURE_AKS_CLUSTER_MINIMUM_VERSION: string # A version string
```
Default:
```yaml
# YAML: The default Azure_AKSMinimumVersion configuration option
# YAML: The default AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option
configuration:
Azure_AKSMinimumVersion: 1.20.5
AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.20.5
```
Example:
```yaml
# YAML: Set the Azure_AKSMinimumVersion configuration option to 1.19.7
# YAML: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.19.7
configuration:
Azure_AKSMinimumVersion: 1.19.7
AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.19.7
```
### Azure_AKSNodeMinimumMaxPods
### AZURE_AKS_POOL_MINIMUM_MAXPODS
This configuration option determines the minimum allowed max pods setting per node pool.
When an AKS cluster node pool is created, a `maxPods` option is used to determine the maximum number of pods for each node in the node pool.
When an AKS cluster node pool is created,
a `maxPods` option is used to determine the maximum number of pods for each node in the node pool.
Syntax:
```yaml
configuration:
Azure_AKSNodeMinimumMaxPods: integer
AZURE_AKS_POOL_MINIMUM_MAXPODS: integer
```
Default:
```yaml
# YAML: The default Azure_AKSNodeMinimumMaxPods configuration option
# YAML: The default AZURE_AKS_POOL_MINIMUM_MAXPODS configuration option
configuration:
Azure_AKSNodeMinimumMaxPods: 50
AZURE_AKS_POOL_MINIMUM_MAXPODS: 50
```
Example:
```yaml
# YAML: Set the Azure_AKSNodeMinimumMaxPods configuration option to 30
# YAML: Set the AZURE_AKS_POOL_MINIMUM_MAXPODS configuration option to 30
configuration:
Azure_AKSNodeMinimumMaxPods: 30
AZURE_AKS_POOL_MINIMUM_MAXPODS: 30
```
### Azure_AllowedRegions
### AZURE_RESOURCE_ALLOWED_LOCATIONS
This configuration option specifies a list of allowed locations that resources can be deployed to.
Rules that check the location of Azure resources fail when a resource or resource group is created in a different region.
By default, `Azure_AllowedRegions` is not configured.
By default, `AZURE_RESOURCE_ALLOWED_LOCATIONS` is not configured.
The rule `Azure.Resource.AllowedRegions` is skipped when no allowed locations are configured.
Syntax:
```yaml
configuration:
Azure_AllowedRegions: array # An array of regions
AZURE_RESOURCE_ALLOWED_LOCATIONS: array # An array of regions
```
Default:
```yaml
# YAML: The default Azure_AllowedRegions configuration option
# YAML: The default AZURE_RESOURCE_ALLOWED_LOCATIONS configuration option
configuration:
Azure_AllowedRegions: []
AZURE_RESOURCE_ALLOWED_LOCATIONS: []
```
Example:
```yaml
# YAML: Set the Azure_AllowedRegions configuration option to Australia East, Australia South East
# YAML: Set the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration option to Australia East, Australia South East
configuration:
Azure_AllowedRegions:
AZURE_RESOURCE_ALLOWED_LOCATIONS:
- 'australiaeast'
- 'australiasoutheast'
```
### Azure_MinimumCertificateLifetime
### AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME
This configuration option determines the minimum number of days allowed before certificate expiry.
Rules that check certificate lifetime fail when the days remaining before expiry drop below this number.
@ -131,23 +132,23 @@ Syntax:
```yaml
configuration:
Azure_MinimumCertificateLifetime: integer
AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME: integer
```
Default:
```yaml
# YAML: The default Azure_MinimumCertificateLifetime configuration option
# YAML: The default AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME configuration option
configuration:
Azure_MinimumCertificateLifetime: 30
AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME: 30
```
Example:
```yaml
# YAML: Set the Azure_MinimumCertificateLifetime configuration option to 90
# YAML: Set the AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME configuration option to 90
configuration:
Azure_MinimumCertificateLifetime: 90
AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME: 90
```
### AZURE_PARAMETER_FILE_EXPANSION

4
docs/deprecations.md
Просмотреть файл

@ -19,9 +19,9 @@ Until v2, the old option names are still work and will take precedence if new an
New name | Old name | Available from
-------- | -------- | --------------
`AZURE_AKS_CLUSTER_MINIMUM_VERSION` | `Azure_AKSMinimumVersion` | :octicons-milestone-24: v1.12.0
`AZURE_AKS_POOL_MINIMUM_MAXPODS` | `Azure_AKSNodeMinimumMaxPods` | _TBA - not available_
`AZURE_AKS_POOL_MINIMUM_MAXPODS` | `Azure_AKSNodeMinimumMaxPods` | :octicons-milestone-24: v1.39.0
`AZURE_RESOURCE_ALLOWED_LOCATIONS` | `Azure_AllowedRegions` | :octicons-milestone-24: v1.30.0
`AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME` | `Azure_MinimumCertificateLifetime` | _TBA - not available_
`AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME` | `Azure_MinimumCertificateLifetime` | :octicons-milestone-24: v1.39.0
!!! Note
Configuration options marked _TBA_ are not available yet.

4
docs/en/rules/Azure.AKS.NodeMinPods.md
Просмотреть файл

@ -234,10 +234,10 @@ resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01
### Rule configuration
<!-- module:config rule Azure_AKSNodeMinimumMaxPods -->
<!-- module:config rule AZURE_AKS_POOL_MINIMUM_MAXPODS -->
By default, this rule fails when node pools have `maxPods` set to less than 50.
To configure this rule override the `Azure_AKSNodeMinimumMaxPods` configuration value with the minimum maxPods.
To configure this rule, override the `AZURE_AKS_POOL_MINIMUM_MAXPODS` configuration value with the minimum maxPods.
## LINKS

8
docs/en/rules/Azure.APIM.CertificateExpiry.md
Просмотреть файл

@ -28,9 +28,13 @@ Consider renewing certificates before expiry to prevent service issues.
By default, this rule fails when certificates have less than 30 days remaining before expiry.
To configure this rule:
### Rule configuration
- Override the `Azure_MinimumCertificateLifetime` configuration value with the minimum number of days until expiry.
<!-- module:config rule AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME -->
By default, this rule fails if the days before a configured certificate expires is less than 30 days.
To configure this rule,
override the `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME` configuration value with the minimum number of days until expiry.
## LINKS

30
docs/setup/configuring-rules.md
Просмотреть файл

@ -245,9 +245,10 @@ configuration:
- AllMetrics
```
### Set the minimum MaxPods for a node pool
### AZURE_AKS_POOL_MINIMUM_MAXPODS
<!-- module:version v1.0.0 -->
<!-- module:version v1.39.0 -->
<!-- module:rule Azure.AKS.NodeMinPods -->
This configuration option determines the minimum allowed max pods setting per node pool.
When an AKS cluster node pool is created, a `maxPods` option is used to determine the maximum number of pods for each node in the node pool.
@ -261,23 +262,23 @@ Syntax:
```yaml title="ps-rule.yaml"
configuration:
Azure_AKSNodeMinimumMaxPods: integer
AZURE_AKS_POOL_MINIMUM_MAXPODS: integer
```
Default:
```yaml title="ps-rule.yaml"
# YAML: The default Azure_AKSNodeMinimumMaxPods configuration option
# YAML: The default AZURE_AKS_POOL_MINIMUM_MAXPODS configuration option
configuration:
Azure_AKSNodeMinimumMaxPods: 50
AZURE_AKS_POOL_MINIMUM_MAXPODS: 50
```
Example:
```yaml title="ps-rule.yaml"
# YAML: Set the Azure_AKSNodeMinimumMaxPods configuration option to 30
# YAML: Set the AZURE_AKS_POOL_MINIMUM_MAXPODS configuration option to 30
configuration:
Azure_AKSNodeMinimumMaxPods: 30
AZURE_AKS_POOL_MINIMUM_MAXPODS: 30
```
### AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES
@ -579,7 +580,10 @@ configuration:
location: australiaeast
```
### Azure_MinimumCertificateLifetime
### AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME
<!-- module:version v1.39.0 -->
<!-- module:rule Azure.APIM.CertificateExpiry -->
This configuration option determines the minimum number of days allowed before certificate expiry.
Rules that check certificate lifetime fail when the days remaining before expiry drop below this number.
@ -588,23 +592,23 @@ Syntax:
```yaml title="ps-rule.yaml"
configuration:
Azure_MinimumCertificateLifetime: integer
AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME: integer
```
Default:
```yaml
# YAML: The default Azure_MinimumCertificateLifetime configuration option
# YAML: The default AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME configuration option
configuration:
Azure_MinimumCertificateLifetime: 30
AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME: 30
```
Example:
```yaml title="ps-rule.yaml"
# YAML: Set the Azure_MinimumCertificateLifetime configuration option to 90
# YAML: Set the AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME configuration option to 90
configuration:
Azure_MinimumCertificateLifetime: 90
AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME: 90
```
### AZURE_LINUX_OS_OFFERS

2
docs/upgrade-notes.md
Просмотреть файл

@ -30,7 +30,9 @@ To locate any configurations, search for the old option names within your Infras
New name | Old name | Available from
-------- | -------- | --------------
`AZURE_AKS_CLUSTER_MINIMUM_VERSION` | `Azure_AKSMinimumVersion` | :octicons-milestone-24: v1.12.0
`AZURE_AKS_POOL_MINIMUM_MAXPODS` | `Azure_AKSNodeMinimumMaxPods` | :octicons-milestone-24: v1.39.0
`AZURE_RESOURCE_ALLOWED_LOCATIONS` | `Azure_AllowedRegions` | :octicons-milestone-24: v1.30.0
`AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME` | `Azure_MinimumCertificateLifetime` | :octicons-milestone-24: v1.39.0
To update your configuration, use the new name instead.

4
src/PSRule.Rules.Azure/en/PSRule-rules.psd1
Просмотреть файл

@ -66,7 +66,9 @@
PremiumRedisCacheAvailabilityZone = "The premium redis cache ({0}) deployed to region ({1}) should use a minimum of two availability zones from the following [{2}]."
EnterpriseRedisCacheAvailabilityZone = "The enterprise redis cache ({0}) deployed to region ({1}) should be zone-redundant."
AKSMinimumVersionReplace = "The configuration option 'Azure_AKSMinimumVersion' has been replaced with 'AZURE_AKS_CLUSTER_MINIMUM_VERSION'. The option 'Azure_AKSMinimumVersion' is deprecated and will no longer work in the next major version. Please update your configuration to the new name. See https://aka.ms/ps-rule-azure/upgrade."
AKSNodeMinimumMaxPodsReplace = "The configuration option 'Azure_AKSNodeMinimumMaxPods' has been replaced with 'AZURE_AKS_POOL_MINIMUM_MAXPODS'. The option 'Azure_AKSNodeMinimumMaxPods' is deprecated and will no longer work in the next major version. Please update your configuration to the new name. See https://aka.ms/ps-rule-azure/upgrade."
AzureAllowedRegionsReplace = "The configuration option 'Azure_AllowedRegions' has been replaced with 'AZURE_RESOURCE_ALLOWED_LOCATIONS'. The option 'Azure_AllowedRegions' is deprecated and will no longer work in the next major version. Please update your configuration to the new name. See https://aka.ms/ps-rule-azure/upgrade."
APIMMinimumCertificateLifetimeReplace = "The configuration option 'Azure_MinimumCertificateLifetime' has been replaced with 'AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME'. The option 'Azure_MinimumCertificateLifetime' is deprecated and will no longer work in the next major version. Please update your configuration to the new name. See https://aka.ms/ps-rule-azure/upgrade."
# DeprecatedSupportsTags = "The 'SupportsTags' PowerShell function has been replaced with the selector 'Azure.Resource.SupportsTags'. The 'SupportsTags' function is deprecated and will no longer work in the next major version. Please update your PowerShell rules to the selector instead. See https://aka.ms/ps-rule-azure/upgrade."
KeyVaultAutoRotationPolicy = "The key ({0}) should enable a auto-rotation policy."
ReplicaNotFound = "A replica was not found."
@ -122,4 +124,4 @@
VMSSPublicIPAttached = "The virtual machine scale set instances should not have public IP addresses directly attached to their network interfaces."
VMMultiTenantHostingRights = "The Windows 0S installed on the virtual machine ({0}) should use multi-tenant hosting rights."
VMAvailabilitySetDistributeTraffic = "The availability set member ({0}) should be a part of a backend pool."
}
}

5
src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1
Просмотреть файл

@ -56,14 +56,15 @@ Rule 'Azure.AKS.PoolScaleSet' -Ref 'AZR-000017' -Type 'Microsoft.ContainerServic
# Synopsis: AKS nodes should use a minimum number of pods
Rule 'Azure.AKS.NodeMinPods' -Ref 'AZR-000018' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Performance Efficiency'; } {
$minMaxPods = $Configuration.GetValueOrDefault('Azure_AKSNodeMinimumMaxPods', $Configuration.AZURE_AKS_POOL_MINIMUM_MAXPODS);
$agentPools = @(GetAgentPoolProfiles);
if ($agentPools.Length -eq 0) {
return $Assert.Pass();
}
foreach ($agentPool in $agentPools) {
$Assert.GreaterOrEqual($agentPool, 'maxPods', $Configuration.Azure_AKSNodeMinimumMaxPods);
$Assert.GreaterOrEqual($agentPool, 'maxPods', $minMaxPods);
}
} -Configure @{ Azure_AKSNodeMinimumMaxPods = 50 }
}
# Synopsis: Use Autoscaling to ensure AKS cluster is running efficiently with the right number of nodes for the workloads present.
Rule 'Azure.AKS.AutoScaling' -Ref 'AZR-000019' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2021_09'; 'Azure.WAF/pillar' = 'Performance Efficiency'; } {

7
src/PSRule.Rules.Azure/rules/Azure.APIM.Rule.ps1
Просмотреть файл

@ -179,8 +179,9 @@ Rule 'Azure.APIM.ProductTerms' -Ref 'AZR-000050' -Type 'Microsoft.ApiManagement/
# Synopsis: Renew expired certificates
Rule 'Azure.APIM.CertificateExpiry' -Ref 'AZR-000051' -Type 'Microsoft.ApiManagement/service' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-7' } {
$minDays = $Configuration.GetValueOrDefault('Azure_MinimumCertificateLifetime', $Configuration.AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME);
$configurations = @($TargetObject.Properties.hostnameConfigurations | Where-Object {
$Null -ne $_.certificate
$Null -ne $_.certificate.expiry
})
if ($configurations.Length -eq 0) {
return $Assert.Pass();
@ -188,10 +189,10 @@ Rule 'Azure.APIM.CertificateExpiry' -Ref 'AZR-000051' -Type 'Microsoft.ApiManage
foreach ($configuration in $configurations) {
$remaining = ($configuration.certificate.expiry - [DateTime]::Now).Days;
$Assert.
GreaterOrEqual($remaining, '.', $Configuration.Azure_MinimumCertificateLifetime).
GreaterOrEqual($remaining, '.', $minDays).
WithReason(($LocalizedData.APIMCertificateExpiry -f $configuration.hostName, $configuration.certificate.expiry.ToString('yyyy/MM/dd')), $True);
}
} -Configure @{ Azure_MinimumCertificateLifetime = 30 }
}
# Synopsis: API Management instances should use availability zones in supported regions for high availability.
Rule 'Azure.APIM.AvailabilityZone' -Ref 'AZR-000052' -Type 'Microsoft.ApiManagement/service' -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Reliability'; } {

8
src/PSRule.Rules.Azure/rules/Config.Rule.yaml
Просмотреть файл

@ -39,9 +39,12 @@ spec:
AZURE_BICEP_MINIMUM_VERSION: '0.4.451'
AZURE_BICEP_CHECK_TOOL: false
# Configure minimum AKS cluster version.
# Configures minimum AKS cluster version.
AZURE_AKS_CLUSTER_MINIMUM_VERSION: '1.28.9'
# Configures the minimum allowed max pods setting per node pool.
AZURE_AKS_POOL_MINIMUM_MAXPODS: 50
# Configures the minimum number of nodes across all system node pools.
AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES: 3
@ -51,6 +54,9 @@ spec:
# Configures user pools that are excluded from checking for minimum nodes.
AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES: []
# Configures minimum number of days allowed before certificate expiry.
AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME: 30
AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES:
- adminUsername
- administratorLogin

10
src/PSRule.Rules.Azure/rules/Conventions.Rule.ps1
Просмотреть файл

@ -12,10 +12,20 @@ Export-PSRuleConvention 'Azure.DeprecatedOptions' -Initialize {
Write-Warning -Message $LocalizedData.AKSMinimumVersionReplace;
}
$aksMinimumMaxPods = $Configuration.GetValueOrDefault('Azure_AKSNodeMinimumMaxPods', $Null);
if ($Null -ne $aksMinimumMaxPods) {
Write-Warning -Message $LocalizedData.AKSNodeMinimumMaxPodsReplace;
}
$allowedRegions = $Configuration.GetValueOrDefault('Azure_AllowedRegions', $Null);
if ($Null -ne $allowedRegions) {
Write-Warning -Message $LocalizedData.AzureAllowedRegionsReplace;
}
$apimMinDays = $Configuration.GetValueOrDefault('Azure_MinimumCertificateLifetime', $Null);
if ($Null -ne $apimMinDays) {
Write-Warning -Message $LocalizedData.APIMMinimumCertificateLifetimeReplace;
}
}
# Synopsis: Create a context singleton.

29
tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1
Просмотреть файл

@ -733,14 +733,14 @@ Describe 'Azure.AKS' -Tag AKS {
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 1;
$ruleResult.TargetName | Should -Be 'clusterA';
$ruleResult.Length | Should -Be 2;
$ruleResult.TargetName | Should -BeIn 'clusterA', 'clusterF';
# Pass
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 6;
$ruleResult.TargetName | Should -BeIn 'clusterB', 'clusterC/agentpool3', 'clusterC/agentpool4', 'clusterD', 'clusterE', 'clusterF';
$ruleResult.Length | Should -Be 5;
$ruleResult.TargetName | Should -BeIn 'clusterB', 'clusterC/agentpool3', 'clusterC/agentpool4', 'clusterD', 'clusterE';
}
It 'Azure.AKS.MinUserPoolNodes' {
@ -1219,6 +1219,27 @@ Describe 'Azure.AKS' -Tag AKS {
$ruleResult.TargetName | Should -BeIn 'cluster-A', 'cluster-B', 'cluster-D';
}
It 'Azure.AKS.NodeMinPods - HashTable option' {
$option = @{
'Configuration.AZURE_AKS_POOL_MINIMUM_MAXPODS' = 30
}
$result = Invoke-PSRule @invokeParams -InputPath $dataPath -Option $option
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.AKS.NodeMinPods' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 1;
$ruleResult.TargetName | Should -BeIn 'cluster-B';
# Pass
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 11;
$ruleResult.TargetName | Should -BeIn 'cluster-A', 'cluster-C', 'cluster-D', 'cluster-F', 'cluster-G', 'cluster-H', 'cluster-I', 'cluster-J', 'cluster-K', 'cluster-L', 'system';
}
It 'Azure.AKS.PlatformLogs - HashTable option - Excluding metrics category' {
$option = @{
'Configuration.AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST' = @(

28
tests/PSRule.Rules.Azure.Tests/Azure.APIM.Tests.ps1
Просмотреть файл

@ -276,8 +276,8 @@ Describe 'Azure.APIM' -Tag 'APIM' {
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 14;
$ruleResult.TargetName | Should -Be 'apim-C', 'apim-D', 'apim-E', 'apim-F', 'apim-G', 'apim-H', 'apim-I', 'apim-J', 'apim-K', 'apim-L', 'apim-M', 'apim-N', 'apim-O', 'apim-P';
$ruleResult.Length | Should -Be 13;
$ruleResult.TargetName | Should -Be 'apim-C', 'apim-D', 'apim-E', 'apim-F', 'apim-G', 'apim-H', 'apim-I', 'apim-J', 'apim-K', 'apim-L', 'apim-M', 'apim-N', 'apim-O';
$ruleResult[0].Reason | Should -Not -BeNullOrEmpty;
$ruleResult[0].Reason | Should -BeExactly "The certificate for host name 'api.contoso.com' expires or expired on '2020/01/01'.";
@ -285,8 +285,8 @@ Describe 'Azure.APIM' -Tag 'APIM' {
# Pass
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 2;
$ruleResult.TargetName | Should -BeIn 'apim-B', 'apim-A';
$ruleResult.Length | Should -Be 3;
$ruleResult.TargetName | Should -BeIn 'apim-B', 'apim-A', 'apim-P';
}
It 'Azure.APIM.Name' {
@ -627,6 +627,26 @@ Describe 'Azure.APIM' -Tag 'APIM' {
$ruleResult.TargetName | Should -BeIn 'apim-M', 'apim-N', 'apim-O';
}
It 'Azure.APIM.CertificateExpiry - HashTable option' {
$option = @{
'Configuration.AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME' = 356
}
$result = Invoke-PSRule @invokeParams -InputPath $dataPath -Option $option -Outcome All;
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.APIM.CertificateExpiry' -and $_.TargetType -eq 'Microsoft.ApiManagement/service' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 14;
$ruleResult.TargetName | Should -Be 'apim-C', 'apim-D', 'apim-E', 'apim-F', 'apim-G', 'apim-H', 'apim-I', 'apim-J', 'apim-K', 'apim-L', 'apim-M', 'apim-N', 'apim-O', 'apim-P';
# Pass
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 2;
$ruleResult.TargetName | Should -BeIn 'apim-B', 'apim-A';
}
It 'Azure.APIM.AvailabilityZone - YAML file option' {
$result = Invoke-PSRule @invokeParams -InputPath $dataPath -Option $configPath -Outcome All;
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.APIM.AvailabilityZone' -and $_.TargetType -eq 'Microsoft.ApiManagement/service' };

2
tests/PSRule.Rules.Azure.Tests/Resources.AKS.Template.json
Просмотреть файл

@ -840,7 +840,7 @@
"vmSize": "Standard_B2ms",
"osDiskSizeGB": 100,
"vnetSubnetID": "[concat(parameters('vnetId'), '/subnets/subnet-01')]",
"maxPods": 50,
"maxPods": 20,
"type": "VirtualMachineScaleSets",
"osType": "Linux",
"enableAutoScaling": true,

2
tests/PSRule.Rules.Azure.Tests/Resources.AKS.json
Просмотреть файл

@ -82,7 +82,7 @@
"vmSize": "Standard_F2s_v2",
"osDiskSizeGB": 30,
"vnetSubnetID": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/subnet-A",
"maxPods": 30,
"maxPods": 20,
"type": "AvailabilitySet",
"orchestratorVersion": "1.11.4",
"osType": "Linux",

2
tests/PSRule.Rules.Azure.Tests/Resources.APIM.json
Просмотреть файл

@ -3061,7 +3061,7 @@
"certificatePassword": null,
"negotiateClientCertificate": false,
"certificate": {
"expiry": "2020-01-01T12:00:00+00:00",
"expiry": "2025-09-01T12:00:00+00:00",
"thumbprint": "0000000000000000000000000000000000000000",
"subject": "CN=api.contoso.com, OU=A, O=O, L=L, S=S, C=C"
},