зеркало из
1
0
Форкнуть 0
Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
Перейти к файлу
Bernie White 2f265e2962
Doc updates #2134 (#2142)
2023-04-07 17:19:30 +10:00
.azure-pipelines
.config
.devcontainer
.github Bump actions/stale from 7 to 8 (#2105) 2023-04-04 03:47:20 +10:00
.ps-rule
.vscode Doc updates #2134 (#2142) 2023-04-07 17:19:30 +10:00
data
docs Doc updates #2134 (#2142) 2023-04-07 17:19:30 +10:00
overrides
scripts
src Add baselines for March 2023 #2138 (#2139) 2023-04-06 08:48:26 +10:00
tests Add baselines for March 2023 #2138 (#2139) 2023-04-06 08:48:26 +10:00
.editorconfig
.gitignore
.markdownlint.json Doc updates #2134 (#2142) 2023-04-07 17:19:30 +10:00
BaselineToc.Doc.ps1
CHANGELOG.md
CODE_OF_CONDUCT.md
CONTRIBUTING.md
GitVersion.yml
LICENSE
NuGet.config
PSRule.Rules.Azure.sln
README.md Doc updates #2134 (#2142) 2023-04-07 17:19:30 +10:00
RuleHelp.Doc.ps1
RuleToc.Doc.ps1
SECURITY.md
SUPPORT.md
ThirdPartyNotices.txt
bicepconfig.json
build.ps1
mkdocs.yml
modules.json
pipeline.build.ps1
ps-docs.yaml
ps-project.yaml
ps-rule.yaml
requirements-docs.txt Bump mkdocs-material from 9.1.4 to 9.1.5 (#2126) 2023-04-01 20:39:43 +10:00

README.md

PSRule for Azure

A suite of rules to validate Azure resources and infrastructure as code (IaC) using PSRule.

Open in vscode.dev

Features of PSRule for Azure include:

  • Learn by example - Fix issues quickly, and learn how to improve your Infrastructure as Code..

  • Framework aligned - Apply principals of Azure Well-Architected Framework to your workloads.

  • Start day one - Leverage over 350 pre-built rules to test Azure resources.

  • DevOps integrated - Test Azure infrastructure as code such as Bicep or Azure Resource Manager templates.

  • Cross-platform - Run locally or in the cloud on MacOS, Linux, and Windows.

  • Open community - Open source rules for the Azure community.

Project objectives

  1. Ready to go:
  2. DevOps:
    • Resources and templates can be validated before deployment within DevOps workflows.
    • Allow pull request (PR) validation to prevent invalid configuration being merged.
  3. Enterprise ready:
    • Rules can be directly adopted and additional enterprise specific rules can be layed on.
    • Provide regular baselines to allow progressive adoption.

Support

This project uses GitHub Issues to track bugs and feature requests. Before logging an issue please see our troubleshooting guide.

Please search the existing issues before filing new issues to avoid duplicates.

  • For new issues, file your bug or feature request as a new issue.
  • For help, discussion, and support questions about using this project, join or start a discussion.

If you have any problems with the PSRule engine, please check the project GitHub issues page instead.

Support for this project/ product is limited to the resources listed above.

Getting the modules

This project requires the PSRule and Az PowerShell modules. For details on each see install.

You can download and install these modules from the PowerShell Gallery.

Module Description Downloads / instructions
PSRule.Rules.Azure Validate Azure resources and infrastructure as code using PSRule. latest / instructions

For rule and integration modules see related projects.

Getting started

PSRule for Azure provides two methods for analyzing Azure resources:

  • Pre-flight - Before resources are deployed from Azure Resource Manager templates.
  • In-flight - After resources are deployed to an Azure subscription.

For specific use cases see scenarios. For additional details see the FAQ.

Using with GitHub Actions

The following example shows how to setup GitHub Actions to validate templates pre-flight.

  1. See Creating a workflow file.
  2. Reference Microsoft/ps-rule with modules: 'PSRule.Rules.Azure'.

For example:

# Example: .github/workflows/analyze-arm.yaml

#
# STEP 1: Template validation
#
name: Analyze templates
on:
  push:
    branches:
    - main
  pull_request:
    branches:
    - main
jobs:
  analyze_arm:
    name: Analyze templates
    runs-on: ubuntu-latest
    steps:

    - name: Checkout
      uses: actions/checkout@v3

    # STEP 2: Run analysis against exported data
    - name: Analyze Azure template files
      uses: microsoft/ps-rule@v2.8.0
      with:
        modules: 'PSRule.Rules.Azure'  # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.

Using with Azure Pipelines

The following example shows how to setup Azure Pipelines to validate templates pre-flight.

  1. Install PSRule extension for Azure DevOps marketplace.
  2. Create a new YAML pipeline with the Starter pipeline template.
  3. Add the Install PSRule module task.
    • Set module to PSRule.Rules.Azure.
  4. Add the PSRule analysis task.
    • Set input type to repository.
    • Set modules to PSRule.Rules.Azure.

For example:

# Example: .azure-pipelines/analyze-arm.yaml

#
# STEP 2: Template validation
#
jobs:
- job: 'analyze_arm'
  displayName: 'Analyze templates'
  pool:
    vmImage: 'ubuntu-20.04'
  steps:

  # STEP 3: Install PSRule.Rules.Azure from the PowerShell Gallery
  - task: ps-rule-install@2
    displayName: Install PSRule.Rules.Azure
    inputs:
      module: 'PSRule.Rules.Azure'   # Install PSRule.Rules.Azure from the PowerShell Gallery.

  # STEP 4: Run analysis against exported data
  - task: ps-rule-assert@2
    displayName: Analyze Azure template files
    inputs:
      modules: 'PSRule.Rules.Azure'   # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.

Using locally

The following example shows how to setup PSRule locally to validate templates pre-flight.

  1. Install the PSRule.Rules.Azure module and dependencies from the PowerShell Gallery.
  2. Run analysis against repository files.

For example:

# STEP 1: Install PSRule.Rules.Azure from the PowerShell Gallery
Install-Module -Name 'PSRule.Rules.Azure' -Scope CurrentUser;

# STEP 2: Run analysis against exported data
Assert-PSRule -Module 'PSRule.Rules.Azure' -InputPath 'out/templates/' -Format File;

Export in-flight resource data

The following example shows how to setup PSRule locally to validate resources running in a subscription.

  1. Install the PSRule.Rules.Azure module and dependencies from the PowerShell Gallery.
  2. Connect and set context to an Azure subscription from PowerShell.
  3. Export the resource data with the Export-AzRuleData cmdlet.
  4. Run analysis against exported data.

For example:

# STEP 1: Install PSRule.Rules.Azure from the PowerShell Gallery
Install-Module -Name 'PSRule.Rules.Azure' -Scope CurrentUser;

# STEP 2: Authenticate to Azure, only required if not currently connected
Connect-AzAccount;

# Confirm the current subscription context
Get-AzContext;

# STEP 3: Exports a resource graph stored as JSON for analysis
Export-AzRuleData -OutputPath 'out/templates/';

# STEP 4: Run analysis against exported data
Assert-PSRule -Module 'PSRule.Rules.Azure' -InputPath 'out/templates/';

Additional options

By default, resource data for the current subscription context will be exported.

To export resource data for specific subscriptions use:

  • -Subscription - to specify subscriptions by id or name.
  • -Tenant - to specify subscriptions within an Azure Active Directory Tenant by id.

For example:

# Export data from two specific subscriptions
Export-AzRuleData -Subscription 'Contoso Production', 'Contoso Non-production';

To export specific resource data use:

  • -ResourceGroupName - to filter resources by Resource Group.
  • -Tag - to filter resources based on tag.

For example:

# Export information from two resource groups within the current subscription context
Export-AzRuleData -ResourceGroupName 'rg-app1-web', 'rg-app1-db';

To export resource data for all subscription contexts use:

  • -All - to export resource data for all subscription contexts.

For example:

# Export data from all subscription contexts
Export-AzRuleData -All;

To filter results to only failed rules, use Invoke-PSRule -Outcome Fail. Passed, failed and error results are shown by default.

For example:

# Only show failed results
Invoke-PSRule -InputPath 'out/templates/' -Module 'PSRule.Rules.Azure' -Outcome Fail;

The output of this example is:

   TargetName: storage

RuleName                            Outcome    Recommendation
--------                            -------    --------------
Azure.Storage.UseReplication        Fail       Storage accounts not using GRS may be at risk
Azure.Storage.SecureTransferRequ... Fail       Storage accounts should only accept secure traffic
Azure.Storage.SoftDelete            Fail       Enable soft delete on Storage Accounts

A summary of results can be displayed by using Invoke-PSRule -As Summary.

For example:

# Display as summary results
Invoke-PSRule -InputPath 'out/templates/' -Module 'PSRule.Rules.Azure' -As Summary;

The output of this example is:

RuleName                            Pass  Fail  Outcome
--------                            ----  ----  -------
Azure.ACR.MinSku                    0     1     Fail
Azure.AppService.PlanInstanceCount  0     1     Fail
Azure.AppService.UseHTTPS           0     2     Fail
Azure.Resource.UseTags              73    36    Fail
Azure.SQL.ThreatDetection           0     1     Fail
Azure.SQL.Auditing                  0     1     Fail
Azure.Storage.UseReplication        1     7     Fail
Azure.Storage.SecureTransferRequ... 2     6     Fail
Azure.Storage.SoftDelete            0     8     Fail

Scenarios

For walk through examples of PSRule for Azure module usage see:

Rule reference

PSRule for Azure includes rules across five pillars of the Microsoft Azure Well-Architected Framework.

To view a list of rules by Azure resources see:

Baseline reference

The following baselines are included within PSRule.Rules.Azure.

Language reference

PSRule for Azure extends PowerShell with the following cmdlets.

Commands

PSRule for Azure included the following cmdlets:

Concepts

To find out more, look at these conceptual topics:

For a list of projects and integrations see Related projects.

Changes and versioning

This repository uses semantic versioning to declare breaking changes. For details please see the changes and versioning.

Contributing

This project welcomes contributions and suggestions. If you are ready to contribute, please visit the contribution guide.

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Maintainers

License

This project is licensed under the MIT License.