PSRule for Azure features
The following sections describe key features of PSRule for Azure.
Ready to go
PSRule for Azure includes over 80 rules for validating resources against configuration recommendations. Each rule includes additional information to help remediate validation issues.
Use the built-in rules to start enforcing release processes quickly. Then layer on your own rules as your organization's requirements mature. Custom rules can be implemented quickly and work side-by-side with built-in rules.
As new built-in rules are added and improved, download the latest PowerShell module to start using them.
DevOps
Azure resources can be validated throughout their lifecycle to support a DevOps culture.
From as early as authoring an Azure Resource Manager (ARM) template, resources can be validated offline. Pre-flight validation can be integrated into a continuous integration (CI) process to:
- Identify configuration issues and provide fast feedback in a pull request.
- Implement quality gates between environments such as development, test and production.
- Perform ongoing checks for configuration optimization opportunities.
PSRule for Azure provides the following cmdlets that extract data for analysis:
- Export-AzTemplateRuleData - Used for pre-flight analysis of one or more ARM templates.
- Export-AzRuleData - Used for in-flight analysis of resources deployed to one or more Azure subscriptions.
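The pre-flight quality gate described above could look like the following in a CI job. This is an added example, not code from the PSRule for Azure project; it assumes the PSRule.Rules.Azure module is already installed, and the paths `./template.json`, `./parameters.json` and `./out/` are hypothetical.

```powershell
# Added example: pre-flight quality gate for a CI job (not from the PSRule for Azure project).
# Assumed, hypothetical paths: ./template.json, ./parameters.json and ./out/.
$ErrorActionPreference = 'Stop';
Import-Module -Name PSRule.Rules.Azure;

$outPath = Join-Path -Path $PWD -ChildPath 'out';
$Null = New-Item -Path $outPath -ItemType Directory -Force;

# 1. Export rule data from the template to JSON files in the output directory.
#    Azure access is only needed here when online features are used.
$Null = Export-AzTemplateRuleData -TemplateFile ./template.json -ParameterFile ./parameters.json -OutputPath $outPath;

# 2. Collect the exported files. An empty export must not pass the gate silently.
$files = @(Get-ChildItem -Path $outPath -Filter '*.json' -File);
if ($files.Count -eq 0) {
    Write-Host 'No rule data was exported; failing the gate.';
    exit 1;
}

# 3. Evaluate the built-in rules against the exported JSON (no Azure access required).
$records = @(Invoke-PSRule -InputPath $files.FullName -Module 'PSRule.Rules.Azure');

# 4. Any result other than Pass blocks the release; print what blocked it.
$blocked = @($records | Where-Object { $_.Outcome -ne 'Pass' });
$blocked | Sort-Object -Property TargetName, RuleName |
    Format-Table -Property TargetName, RuleName, Outcome -AutoSize |
    Out-String | Write-Host;

Write-Host ('{0} of {1} rule results did not pass.' -f $blocked.Count, $records.Count);

# Fail when nothing was evaluated or when any rule did not pass.
if ($records.Count -eq 0 -or $blocked.Count -gt 0) {
    exit 1;
}
```

A non-zero exit code fails the CI step, which is what stops the change from moving to the next environment.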
Cross-platform
PSRule uses modern PowerShell libraries at its core, allowing it to go anywhere Windows PowerShell 5.1 or PowerShell Core 6.2 can go. PSRule runs on macOS, Linux and Windows.
To install PSRule for Azure, use the Install-Module cmdlet within Windows PowerShell or PowerShell Core.
Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser;
For additional installation options see install instructions.
Frequently Asked Questions (FAQ)
What permissions do I need to export data?
The default built-in Reader role to a subscription is required for:
- Exporting rule data with Export-AzRuleData.
- Exporting rule data from templates with Export-AzTemplateRuleData when online features are used.
  - Optionally, the -ResourceGroupName and -Subscription parameters can be used; these require Reader access.
What permissions do I need to analyze exported data?
No access to Azure is required after data has been exported to JSON.
Should I continue to use Azure Security Center, Azure Advisor or Azure Policy?
Absolutely. PSRule for Azure does not replace Azure Security Center, Azure Advisor or Azure Policy.
PSRule complements Azure Security Center, Azure Advisor and Azure Policy features by:
- Recommending turning on and using features of Azure Security Center, Azure Advisor or Azure Policy.
- Providing offline analysis in split environments where the analyst has no access to Azure subscriptions.
  - Rule data for analysis can be exported out to a JSON file.
- Providing the ability to analyze resources in an Azure Resource Manager template before deployment.
  - Additionally, analysis can be performed in a continuous integration (CI) process.
- Providing the ability to layer on organization-specific rules, as required.
- Data collection requires limited permission and requires no additional configuration.