2f265e2962 | ||
---|---|---|
.azure-pipelines | ||
.config | ||
.devcontainer | ||
.github | ||
.ps-rule | ||
.vscode | ||
data | ||
docs | ||
overrides | ||
scripts | ||
src | ||
tests | ||
.editorconfig | ||
.gitignore | ||
.markdownlint.json | ||
BaselineToc.Doc.ps1 | ||
CHANGELOG.md | ||
CODE_OF_CONDUCT.md | ||
CONTRIBUTING.md | ||
GitVersion.yml | ||
LICENSE | ||
NuGet.config | ||
PSRule.Rules.Azure.sln | ||
README.md | ||
RuleHelp.Doc.ps1 | ||
RuleToc.Doc.ps1 | ||
SECURITY.md | ||
SUPPORT.md | ||
ThirdPartyNotices.txt | ||
bicepconfig.json | ||
build.ps1 | ||
mkdocs.yml | ||
modules.json | ||
pipeline.build.ps1 | ||
ps-docs.yaml | ||
ps-project.yaml | ||
ps-rule.yaml | ||
requirements-docs.txt |
README.md
PSRule for Azure
A suite of rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
Features of PSRule for Azure include:
-
Learn by example - Fix issues quickly, and learn how to improve your Infrastructure as Code..
-
Framework aligned - Apply principals of Azure Well-Architected Framework to your workloads.
-
Start day one - Leverage over 350 pre-built rules to test Azure resources.
-
DevOps integrated - Test Azure infrastructure as code such as Bicep or Azure Resource Manager templates.
-
Cross-platform - Run locally or in the cloud on MacOS, Linux, and Windows.
-
Open community - Open source rules for the Azure community.
Project objectives
- Ready to go:
- Provide a Azure Well-Architected Framework aligned suite of rules for validating Azure resources.
- Provide meaningful information to allow remediation.
- DevOps:
- Resources and templates can be validated before deployment within DevOps workflows.
- Allow pull request (PR) validation to prevent invalid configuration being merged.
- Enterprise ready:
- Rules can be directly adopted and additional enterprise specific rules can be layed on.
- Provide regular baselines to allow progressive adoption.
Support
This project uses GitHub Issues to track bugs and feature requests. Before logging an issue please see our troubleshooting guide.
Please search the existing issues before filing new issues to avoid duplicates.
- For new issues, file your bug or feature request as a new issue.
- For help, discussion, and support questions about using this project, join or start a discussion.
If you have any problems with the PSRule engine, please check the project GitHub issues page instead.
Support for this project/ product is limited to the resources listed above.
Getting the modules
This project requires the PSRule
and Az
PowerShell modules. For details on each see install.
You can download and install these modules from the PowerShell Gallery.
Module | Description | Downloads / instructions |
---|---|---|
PSRule.Rules.Azure | Validate Azure resources and infrastructure as code using PSRule. | latest / instructions |
For rule and integration modules see related projects.
Getting started
PSRule for Azure provides two methods for analyzing Azure resources:
- Pre-flight - Before resources are deployed from Azure Resource Manager templates.
- In-flight - After resources are deployed to an Azure subscription.
For specific use cases see scenarios. For additional details see the FAQ.
Using with GitHub Actions
The following example shows how to setup GitHub Actions to validate templates pre-flight.
- See Creating a workflow file.
- Reference
Microsoft/ps-rule
withmodules: 'PSRule.Rules.Azure'
.
For example:
# Example: .github/workflows/analyze-arm.yaml
#
# STEP 1: Template validation
#
name: Analyze templates
on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
analyze_arm:
name: Analyze templates
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
# STEP 2: Run analysis against exported data
- name: Analyze Azure template files
uses: microsoft/ps-rule@v2.8.0
with:
modules: 'PSRule.Rules.Azure' # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.
Using with Azure Pipelines
The following example shows how to setup Azure Pipelines to validate templates pre-flight.
- Install PSRule extension for Azure DevOps marketplace.
- Create a new YAML pipeline with the Starter pipeline template.
- Add the
Install PSRule module
task.- Set module to
PSRule.Rules.Azure
.
- Set module to
- Add the
PSRule analysis
task.- Set input type to
repository
. - Set modules to
PSRule.Rules.Azure
.
- Set input type to
For example:
# Example: .azure-pipelines/analyze-arm.yaml
#
# STEP 2: Template validation
#
jobs:
- job: 'analyze_arm'
displayName: 'Analyze templates'
pool:
vmImage: 'ubuntu-20.04'
steps:
# STEP 3: Install PSRule.Rules.Azure from the PowerShell Gallery
- task: ps-rule-install@2
displayName: Install PSRule.Rules.Azure
inputs:
module: 'PSRule.Rules.Azure' # Install PSRule.Rules.Azure from the PowerShell Gallery.
# STEP 4: Run analysis against exported data
- task: ps-rule-assert@2
displayName: Analyze Azure template files
inputs:
modules: 'PSRule.Rules.Azure' # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.
Using locally
The following example shows how to setup PSRule locally to validate templates pre-flight.
- Install the
PSRule.Rules.Azure
module and dependencies from the PowerShell Gallery. - Run analysis against repository files.
For example:
# STEP 1: Install PSRule.Rules.Azure from the PowerShell Gallery
Install-Module -Name 'PSRule.Rules.Azure' -Scope CurrentUser;
# STEP 2: Run analysis against exported data
Assert-PSRule -Module 'PSRule.Rules.Azure' -InputPath 'out/templates/' -Format File;
Export in-flight resource data
The following example shows how to setup PSRule locally to validate resources running in a subscription.
- Install the
PSRule.Rules.Azure
module and dependencies from the PowerShell Gallery. - Connect and set context to an Azure subscription from PowerShell.
- Export the resource data with the
Export-AzRuleData
cmdlet. - Run analysis against exported data.
For example:
# STEP 1: Install PSRule.Rules.Azure from the PowerShell Gallery
Install-Module -Name 'PSRule.Rules.Azure' -Scope CurrentUser;
# STEP 2: Authenticate to Azure, only required if not currently connected
Connect-AzAccount;
# Confirm the current subscription context
Get-AzContext;
# STEP 3: Exports a resource graph stored as JSON for analysis
Export-AzRuleData -OutputPath 'out/templates/';
# STEP 4: Run analysis against exported data
Assert-PSRule -Module 'PSRule.Rules.Azure' -InputPath 'out/templates/';
Additional options
By default, resource data for the current subscription context will be exported.
To export resource data for specific subscriptions use:
-Subscription
- to specify subscriptions by id or name.-Tenant
- to specify subscriptions within an Azure Active Directory Tenant by id.
For example:
# Export data from two specific subscriptions
Export-AzRuleData -Subscription 'Contoso Production', 'Contoso Non-production';
To export specific resource data use:
-ResourceGroupName
- to filter resources by Resource Group.-Tag
- to filter resources based on tag.
For example:
# Export information from two resource groups within the current subscription context
Export-AzRuleData -ResourceGroupName 'rg-app1-web', 'rg-app1-db';
To export resource data for all subscription contexts use:
-All
- to export resource data for all subscription contexts.
For example:
# Export data from all subscription contexts
Export-AzRuleData -All;
To filter results to only failed rules, use Invoke-PSRule -Outcome Fail
.
Passed, failed and error results are shown by default.
For example:
# Only show failed results
Invoke-PSRule -InputPath 'out/templates/' -Module 'PSRule.Rules.Azure' -Outcome Fail;
The output of this example is:
TargetName: storage
RuleName Outcome Recommendation
-------- ------- --------------
Azure.Storage.UseReplication Fail Storage accounts not using GRS may be at risk
Azure.Storage.SecureTransferRequ... Fail Storage accounts should only accept secure traffic
Azure.Storage.SoftDelete Fail Enable soft delete on Storage Accounts
A summary of results can be displayed by using Invoke-PSRule -As Summary
.
For example:
# Display as summary results
Invoke-PSRule -InputPath 'out/templates/' -Module 'PSRule.Rules.Azure' -As Summary;
The output of this example is:
RuleName Pass Fail Outcome
-------- ---- ---- -------
Azure.ACR.MinSku 0 1 Fail
Azure.AppService.PlanInstanceCount 0 1 Fail
Azure.AppService.UseHTTPS 0 2 Fail
Azure.Resource.UseTags 73 36 Fail
Azure.SQL.ThreatDetection 0 1 Fail
Azure.SQL.Auditing 0 1 Fail
Azure.Storage.UseReplication 1 7 Fail
Azure.Storage.SecureTransferRequ... 2 6 Fail
Azure.Storage.SoftDelete 0 8 Fail
Scenarios
For walk through examples of PSRule for Azure module usage see:
- Validate Azure resources from templates with Azure Pipelines
- Validate Azure resources from templates with continuous integration (CI)
- Create a custom rule to enforce Resource Group tagging
- Create a custom rule to enforce code ownership
Rule reference
PSRule for Azure includes rules across five pillars of the Microsoft Azure Well-Architected Framework.
To view a list of rules by Azure resources see:
Baseline reference
The following baselines are included within PSRule.Rules.Azure
.
- Azure.Default - Default baseline for Azure rules.
- Azure.All - Includes all Azure rules.
- Azure.GA_2020_06 - Baseline for GA rules released June 2020 or prior.
- Azure.GA_2020_09 - Baseline for GA rules released September 2020 or prior.
- Azure.GA_2020_12 - Baseline for GA rules released December 2020 or prior.
- Azure.GA_2021_03 - Baseline for GA rules released March 2021 or prior.
- Azure.GA_2021_06 - Baseline for GA rules released June 2021 or prior.
- Azure.GA_2021_09 - Baseline for GA rules released September 2021 or prior.
- Azure.GA_2021_12 - Baseline for GA rules released December 2021 or prior.
- Azure.GA_2022_03 - Baseline for GA rules released March 2022 or prior.
- Azure.GA_2022_06 - Baseline for GA rules released June 2022 or prior.
- Azure.GA_2022_09 - Baseline for GA rules released September 2022 or prior.
- Azure.GA_2022_12 - Baseline for GA rules released December 2022 or prior.
- Azure.Preview - Includes rules for Azure GA and preview features.
- Azure.Preview_2021_09 - Baseline for rules released September 2021 or prior for Azure preview only features.
- Azure.Preview_2021_12 - Baseline for rules released December 2021 or prior for Azure preview only features.
- Azure.Preview_2022_03 - Baseline for rules released March 2022 or prior for Azure preview only features.
- Azure.Preview_2022_06 - Baseline for rules released June 2022 or prior for Azure preview only features.
- Azure.Preview_2022_09 - Baseline for rules released September 2022 or prior for Azure preview only features.
- Azure.Preview_2022_12 - Baseline for rules released December 2022 or prior for Azure preview only features.
- Azure.MCSB.v1 - A baseline aligned to Microsoft Cloud Security Benchmark v1 controls.
Language reference
PSRule for Azure extends PowerShell with the following cmdlets.
Commands
PSRule for Azure included the following cmdlets:
- Export-AzRuleData - Export resource configuration data from Azure subscriptions.
- Export-AzRuleTemplateData - Export resource configuration data from Azure templates.
- Export-AzPolicyAssignmentData - Export policy assignment data.
- Export-AzPolicyAssignmentRuleData - Export JSON based rules from policy assignment data.
- Get-AzRuleTemplateLink - Get a metadata link to a Azure template file.
- Get-AzPolicyAssignmentDataSource - Get policy assignment sources.
Concepts
To find out more, look at these conceptual topics:
- Getting started:
- Testing infrastructure as code:
- Setup:
Related projects
For a list of projects and integrations see Related projects.
Changes and versioning
This repository uses semantic versioning to declare breaking changes. For details please see the changes and versioning.
Contributing
This project welcomes contributions and suggestions. If you are ready to contribute, please visit the contribution guide.
Code of Conduct
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Maintainers
License
This project is licensed under the MIT License.