Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.

azure azure-templates bicep cicd devops devops-tools hacktoberfest infrastructure-as-code powershell powershell-module psrule rule testing-tools

Перейти к файлу

Bernie White a71c612436 Release v0.8.0 (#259 )		2020-01-17 12:45:12 +10:00
.azure-pipelines	Updated documentation to use parent culture #224 (#226 )	2020-01-05 23:21:55 +10:00
.github	Updates to repo doco (#249 )	2020-01-14 15:14:12 +10:00
.ps-rule	Added rule QA rules (#215 )	2019-12-29 00:57:35 +10:00
.vscode	Improvements from PSRule v0.12.0 #219 #220 (#221 )	2019-12-30 20:38:49 +10:00
docs	Renamed Azure.File rules #252 (#253 )	2020-01-14 16:20:40 +10:00
src/PSRule.Rules.Azure	Fix Azure.VNET.UseNSGs reason message #256 #257 (#258 )	2020-01-17 08:54:28 +10:00
tests	Renamed Azure.File rules #252 (#253 )	2020-01-14 16:20:40 +10:00
.gitignore	Fix template processing #173 #174 #175 (#176 )	2019-11-27 21:20:36 +10:00
.markdownlint.json	Export rule data from templates #145 (#147 )	2019-11-09 16:19:07 +10:00
CHANGELOG.md	Release v0.8.0 (#259 )	2020-01-17 12:45:12 +10:00
LICENSE	Initial commit	2019-04-30 09:02:02 +10:00
PSRule.Rules.Azure.sln	Export rule data from templates #145 (#147 )	2019-11-09 16:19:07 +10:00
README.md	Updates to repo doco (#249 )	2020-01-14 15:14:12 +10:00
RuleHelp.Doc.ps1	Updated documentation to use parent culture #224 (#226 )	2020-01-05 23:21:55 +10:00
RuleToc.Doc.ps1	Updated documentation to use parent culture #224 (#226 )	2020-01-05 23:21:55 +10:00
ThirdPartyNotices.txt	Add third party notices (#183 )	2019-12-02 22:06:23 +10:00
pipeline.build.ps1	Fix Azure.VNET.UseNSGs reason message #256 #257 (#258 )	2020-01-17 08:54:28 +10:00
ps-project.yaml	Add additional AKS rules and fixes (#192 )	2019-12-07 21:56:38 +10:00
ps-rule.yaml	Renamed long rule names #119 (#228 )	2020-01-06 01:05:09 +10:00

README.md

PSRule for Azure

A suite of rules to validate Azure resources using PSRule.

Features of PSRule for Azure include:

Ready to go - Leverage over 80 pre-built rules to validate Azure resources.
DevOps - Validate resources pre or post-deployment.
Cross-platform - Run on MacOS, Linux and Windows.

Disclaimer

This project is to be considered a proof-of-concept and not a supported product.

For issues with rules and documentation please check our GitHub issues page. If you do not see your problem captured, please file a new issue and follow the provided template.

If you have any problems with the PSRule engine, please check the project GitHub issues page instead.

Getting the modules

This project requires the PSRule and Az PowerShell modules. For details on each see install.

You can download and install these modules from the PowerShell Gallery.

Module	Description	Downloads / instructions
PSRule.Rules.Azure	Validate Azure resources	latest / instructions

Getting started

PSRule for Azure provides two methods for analyzing Azure resources:

Pre-flight - Before resources are deployed from Azure Resource Manager templates.
In-flight - After resource are deployed to an Azure subscription.

For additional details see the FAQ.

Export resource data

To validate Azure resources running in a subscription, export the resource data with the Export-AzRuleData cmdlet. The Export-AzRuleData cmdlet exports a resource graph for one or more subscriptions that can be used for analysis with the rules in this module.

By default, resources for the current subscription context are exported. See below for more options.

Before running this command you should connect to Azure by using the Connect-AzAccount cmdlet.

For example:

# Authenticate to Azure, only required if not currently connected
Connect-AzAccount;

# Export resource data
Export-AzRuleData;

Validate resources

To validate Azure resources use the extracted data with the Invoke-PSRule cmdlet.

For example:

Invoke-PSRule -InputPath .\*.json -Module 'PSRule.Rules.Azure';

Additional options

By default, resource data for the current subscription context will be exported to the current working directory as JSON.

To export resource data for specific subscriptions use:

-Subscription - to specify subscriptions by id or name.
-Tenant - to specify subscriptions within an Azure Active Directory Tenant by id.

For example:

# Export data from two specific subscriptions
Export-AzRuleData -Subscription 'Contoso Production', 'Contoso Non-production'

To export specific resource data use:

-ResourceGroupName - to filter resources by Resource Group.
-Tag - to filter resources based on tag.

For example:

# Export information from two resource groups within the current subscription context
Export-AzRuleData -ResourceGroupName 'rg-app1-web', 'rg-app1-db'

To export resource data for all subscription contexts use:

-All - to export resource data for all subscription contexts.

For example:

# Export data from all subscription contexts
Export-AzRuleData -All;

To filter results to only failed rules, use Invoke-PSRule -Outcome Fail. Passed, failed and error results are shown by default.

For example:

# Only show failed results
Invoke-PSRule -InputPath .\*.json -Module 'PSRule.Rules.Azure' -Outcome Fail;

The output of this example is:

   TargetName: storage

RuleName                            Outcome    Recommendation
--------                            -------    --------------
Azure.Storage.UseReplication        Fail       Storage accounts not using GRS may be at risk
Azure.Storage.SecureTransferRequ... Fail       Storage accounts should only accept secure traffic
Azure.Storage.SoftDelete            Fail       Enable soft delete on Storage Accounts

A summary of results can be displayed by using Invoke-PSRule -As Summary.

For example:

# Display as summary results
Invoke-PSRule -InputPath .\*.json -Module 'PSRule.Rules.Azure' -As Summary;

The output of this example is:

RuleName                            Pass  Fail  Outcome
--------                            ----  ----  -------
Azure.ACR.MinSku                    0     1     Fail
Azure.AppService.PlanInstanceCount  0     1     Fail
Azure.AppService.UseHTTPS           0     2     Fail
Azure.Resource.UseTags              73    36    Fail
Azure.SQL.ThreatDetection           0     1     Fail
Azure.SQL.Auditing                  0     1     Fail
Azure.Storage.UseReplication        1     7     Fail
Azure.Storage.SecureTransferRequ... 2     6     Fail
Azure.Storage.SoftDelete            0     8     Fail

Scenarios

For walk through examples of PSRule.Rules.Azure module usage see:

Validate Azure templates with continuous integration

Rule reference

For a list of rules included in the PSRule.Rules.Azure module see:

Module rule reference

Language reference

PSRule.Rules.Azure extends PowerShell with the following cmdlets.

Commands

The following commands exist in the PSRule.Rules.Azure module:

Export-AzRuleData - Export resource configuration data from Azure subscriptions.
Export-AzTemplateRuleData - Export resource configuration data from Azure templates.

Changes and versioning

Modules in this repository will use the semantic versioning model to declare breaking changes from v1.0.0. Prior to v1.0.0, breaking changes may be introduced in minor (0.x.0) version increments. For a list of module changes please see the change log.

Pre-release module versions are created on major commits and can be installed from the PowerShell Gallery. Pre-release versions should be considered experimental. Modules and change log details for pre-releases will be removed as standard releases are made available.

Maintainers

Bernie White

License

This project is licensed under the MIT License.