Bernie White
GitHub
Родитель
41e53904ff
Коммит
2ee29f2118
|
|
@ -2,6 +2,9 @@
|
|||
|
||||
## Unreleased
|
||||
|
||||
- Fixed detection of diagnostic logging for Front Door. [#307](https://github.com/Microsoft/PSRule.Rules.Azure/issues/307)
|
||||
- Fixed Front Door WAF Policy export. [#308](https://github.com/Microsoft/PSRule.Rules.Azure/issues/308)
|
||||
|
||||
## v0.10.0-B2002023 (pre-release)
|
||||
|
||||
- Improvements to verbose logging of `Export-AzRuleData`. [#301](https://github.com/Microsoft/PSRule.Rules.Azure/issues/301)
|
||||
|
|
|
|||
|
|
@ -146,7 +146,7 @@ task VersionModule ModuleDependencies, {
|
|||
$manifest = Test-ModuleManifest -Path $manifestPath;
|
||||
$requiredModules = $manifest.RequiredModules | ForEach-Object -Process {
|
||||
if ($_.Name -eq 'PSRule' -and $Configuration -eq 'Release') {
|
||||
@{ ModuleName = 'PSRule'; ModuleVersion = '0.14.0' }
|
||||
@{ ModuleName = 'PSRule'; ModuleVersion = '0.15.0' }
|
||||
}
|
||||
else {
|
||||
@{ ModuleName = $_.Name; ModuleVersion = $_.Version }
|
||||
|
|
@ -196,8 +196,8 @@ task PSScriptAnalyzer NuGet, {
|
|||
|
||||
# Synopsis: Install PSRule
|
||||
task PSRule NuGet, {
|
||||
if ($Null -eq (Get-InstalledModule -Name PSRule -MinimumVersion 0.15.0-B2002005 -AllowPrerelease -ErrorAction Ignore)) {
|
||||
Install-Module -Name PSRule -Repository PSGallery -MinimumVersion 0.15.0-B2002005 -AllowPrerelease -Scope CurrentUser -Force;
|
||||
if ($Null -eq (Get-InstalledModule -Name PSRule -MinimumVersion 0.15.0 -ErrorAction Ignore)) {
|
||||
Install-Module -Name PSRule -Repository PSGallery -MinimumVersion 0.15.0 -Scope CurrentUser -Force;
|
||||
}
|
||||
Import-Module -Name PSRule -Verbose:$False;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -682,7 +682,7 @@ function VisitFrontDoor {
|
|||
)
|
||||
process {
|
||||
# Patch Front Door properties not fully returned from the default API version
|
||||
$Resource = Get-AzResource -Name $resource.Name -ResourceGroupName $resource.ResourceGroupName -DefaultProfile $Context -ResourceType 'Microsoft.Network/frontdoors' -ExpandProperties -ApiVersion '2018-08-01';
|
||||
$Resource = Get-AzResource -Name $resource.Name -ResourceGroupName $resource.ResourceGroupName -DefaultProfile $Context -ResourceType 'Microsoft.Network/frontdoors' -ExpandProperties -ApiVersion '2018-08-01';
|
||||
|
||||
$resources = @();
|
||||
$resources += Get-AzResource -Name $resource.Name -ResourceType 'Microsoft.Network/frontdoors/providers/microsoft.insights/diagnosticSettings' -ResourceGroupName $resource.ResourceGroupName -DefaultProfile $Context -ApiVersion '2017-05-01-preview' -ExpandProperties;
|
||||
|
|
@ -690,6 +690,22 @@ function VisitFrontDoor {
|
|||
}
|
||||
}
|
||||
|
||||
function VisitFrontDoorWAFPolicy {
|
||||
[CmdletBinding()]
|
||||
param (
|
||||
[Parameter(Mandatory = $True, ValueFromPipeline = $True)]
|
||||
[PSObject]$Resource,
|
||||
|
||||
[Parameter(Mandatory = $True)]
|
||||
[Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer]$Context
|
||||
)
|
||||
process {
|
||||
# Patch Front Door WAF policy properties not fully returned from the default API version
|
||||
$Resource = Get-AzResource -Name $resource.Name -ResourceGroupName $resource.ResourceGroupName -DefaultProfile $Context -ResourceType 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies' -ExpandProperties -ApiVersion '2019-10-01';
|
||||
$Resource;
|
||||
}
|
||||
}
|
||||
|
||||
function VisitSubscription {
|
||||
[CmdletBinding()]
|
||||
param (
|
||||
|
|
@ -766,6 +782,7 @@ function ExpandResource {
|
|||
'Microsoft.Compute/virtualMachines' { VisitVirtualMachine @PSBoundParameters; }
|
||||
'Microsoft.KeyVault/vaults' { VisitKeyVault @PSBoundParameters; }
|
||||
'Microsoft.Network/frontDoors' { VisitFrontDoor @PSBoundParameters; }
|
||||
'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies' { VisitFrontDoorWAFPolicy @PSBoundParameters; }
|
||||
'Microsoft.Subscription' { VisitSubscription @PSBoundParameters; }
|
||||
'Microsoft.Resources/resourceGroups' { VisitResourceGroup @PSBoundParameters; }
|
||||
default { $Resource; }
|
||||
|
|
|
|||
|
|
@ -229,13 +229,15 @@ Rule 'Azure.FrontDoor.MinTLS' -Type 'Microsoft.Network/frontDoors', 'Microsoft.N
|
|||
# Synopsis: Use diagnostics to audit Front Door access
|
||||
Rule 'Azure.FrontDoor.Logs' -Type 'Microsoft.Network/frontDoors' -Tag @{ release = 'GA' } {
|
||||
Reason $LocalizedData.DiagnosticSettingsNotConfigured;
|
||||
$diagnostics = @(GetSubResources -ResourceType 'microsoft.insights/diagnosticSettings', 'Microsoft.Network/frontDoors/providers/diagnosticSettings' | Where-Object {
|
||||
$_.Properties.logs[0].category -eq 'FrontdoorAccessLog'
|
||||
$diagnostics = @(GetSubResources -ResourceType 'microsoft.insights/diagnosticSettings', 'Microsoft.Network/frontDoors/providers/diagnosticSettings');
|
||||
$logCategories = @($diagnostics | ForEach-Object {
|
||||
foreach ($log in $_.Properties.logs) {
|
||||
if ($log.category -eq 'FrontdoorAccessLog' -and $log.enabled -eq $True) {
|
||||
$log;
|
||||
}
|
||||
}
|
||||
});
|
||||
$Null -ne $diagnostics -and $diagnostics.Length -gt 0;
|
||||
foreach ($setting in $diagnostics) {
|
||||
$Assert.HasFieldValue($setting, 'Properties.logs[0].enabled', $True);
|
||||
}
|
||||
$Null -ne $logCategories -and $logCategories.Length -gt 0;
|
||||
}
|
||||
|
||||
# Synopsis: Enable WAF policy of each endpoint
|
||||
|
|
|
|||
|
|
@ -654,14 +654,14 @@ Describe 'Azure.FrontDoor' -Tag 'Network', 'FrontDoor' {
|
|||
# Fail
|
||||
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
|
||||
$ruleResult | Should -Not -BeNullOrEmpty;
|
||||
$ruleResult.Length | Should -Be 2;
|
||||
$ruleResult.TargetName | Should -Be 'frontdoor-B', 'frontdoor-C';
|
||||
$ruleResult.Length | Should -Be 1;
|
||||
$ruleResult.TargetName | Should -Be 'frontdoor-B';
|
||||
|
||||
# Pass
|
||||
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
|
||||
$ruleResult | Should -Not -BeNullOrEmpty;
|
||||
$ruleResult.Length | Should -Be 1;
|
||||
$ruleResult.TargetName | Should -BeIn 'frontdoor-A';
|
||||
$ruleResult.Length | Should -Be 2;
|
||||
$ruleResult.TargetName | Should -BeIn 'frontdoor-A', 'frontdoor-C';
|
||||
}
|
||||
|
||||
It 'Azure.FrontDoor.UseWAF' {
|
||||
|
|
|
|||
|
|
@ -184,40 +184,32 @@
|
|||
"ParentResource": null,
|
||||
"Plan": null,
|
||||
"Properties": {
|
||||
"storageAccountId": null,
|
||||
"serviceBusRuleId": null,
|
||||
"workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/cb-dev-shd/providers/microsoft.operationalinsights/workspaces/be-cb-la",
|
||||
"eventHubAuthorizationRuleId": null,
|
||||
"eventHubName": null,
|
||||
"metrics": [
|
||||
{
|
||||
"category": "AllMetrics",
|
||||
"enabled": false,
|
||||
"retentionPolicy": {
|
||||
"enabled": false,
|
||||
"days": 0
|
||||
}
|
||||
}
|
||||
],
|
||||
"logs": [
|
||||
{
|
||||
"category": "FrontdoorAccessLog",
|
||||
"enabled": true,
|
||||
"retentionPolicy": {
|
||||
"enabled": false,
|
||||
"days": 0
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "FrontdoorWebApplicationFirewallLog",
|
||||
"enabled": true,
|
||||
"retentionPolicy": {
|
||||
"enabled": false,
|
||||
"days": 0
|
||||
}
|
||||
}
|
||||
],
|
||||
"logAnalyticsDestinationType": null
|
||||
"storageAccountId": null,
|
||||
"serviceBusRuleId": null,
|
||||
"workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-test/providers/microsoft.operationalinsights/workspaces/workspace-A",
|
||||
"eventHubAuthorizationRuleId": null,
|
||||
"eventHubName": null,
|
||||
"metrics": [
|
||||
{
|
||||
"category": "AllMetrics",
|
||||
"enabled": false,
|
||||
"retentionPolicy": {
|
||||
"enabled": false,
|
||||
"days": 0
|
||||
}
|
||||
}
|
||||
],
|
||||
"logs": [
|
||||
{
|
||||
"category": "FrontdoorAccessLog",
|
||||
"enabled": true,
|
||||
"retentionPolicy": {
|
||||
"enabled": false,
|
||||
"days": 0
|
||||
}
|
||||
}
|
||||
],
|
||||
"logAnalyticsDestinationType": null
|
||||
},
|
||||
"ResourceGroupName": "rg-test",
|
||||
"Type": "microsoft.network/frontdoors",
|
||||
|
|
@ -229,7 +221,7 @@
|
|||
"CreatedTime": null,
|
||||
"ChangedTime": null,
|
||||
"ETag": null
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
|
|
@ -577,7 +569,67 @@
|
|||
"ResourceType": "Microsoft.Network/frontdoors",
|
||||
"Sku": null,
|
||||
"SubscriptionId": "00000000-0000-0000-0000-000000000000",
|
||||
"ETag": null
|
||||
"resources": [
|
||||
{
|
||||
"ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-test/providers/microsoft.network/frontdoors/frontdoor-C/providers/microsoft.insights/diagnosticSettings/access-logs",
|
||||
"Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-test/providers/microsoft.network/frontdoors/frontdoor-C/providers/microsoft.insights/diagnosticSettings/access-logs",
|
||||
"Identity": null,
|
||||
"Kind": null,
|
||||
"Location": null,
|
||||
"ManagedBy": null,
|
||||
"ResourceName": "access-logs",
|
||||
"Name": "access-logs",
|
||||
"ExtensionResourceName": "access-logs",
|
||||
"ParentResource": null,
|
||||
"Plan": null,
|
||||
"Properties": {
|
||||
"storageAccountId": null,
|
||||
"serviceBusRuleId": null,
|
||||
"workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-test/providers/microsoft.operationalinsights/workspaces/workspace-A",
|
||||
"eventHubAuthorizationRuleId": null,
|
||||
"eventHubName": null,
|
||||
"metrics": [
|
||||
{
|
||||
"category": "AllMetrics",
|
||||
"enabled": false,
|
||||
"retentionPolicy": {
|
||||
"enabled": false,
|
||||
"days": 0
|
||||
}
|
||||
}
|
||||
],
|
||||
"logs": [
|
||||
{
|
||||
"category": "FrontdoorWebApplicationFirewallLog",
|
||||
"enabled": true,
|
||||
"retentionPolicy": {
|
||||
"enabled": false,
|
||||
"days": 0
|
||||
}
|
||||
},
|
||||
{
|
||||
"category": "FrontdoorAccessLog",
|
||||
"enabled": true,
|
||||
"retentionPolicy": {
|
||||
"enabled": false,
|
||||
"days": 0
|
||||
}
|
||||
}
|
||||
],
|
||||
"logAnalyticsDestinationType": null
|
||||
},
|
||||
"ResourceGroupName": "rg-test",
|
||||
"Type": "microsoft.network/frontdoors",
|
||||
"ResourceType": "microsoft.network/frontdoors",
|
||||
"ExtensionResourceType": "microsoft.insights/diagnosticSettings",
|
||||
"Sku": null,
|
||||
"Tags": null,
|
||||
"SubscriptionId": "00000000-0000-0000-0000-000000000000",
|
||||
"CreatedTime": null,
|
||||
"ChangedTime": null,
|
||||
"ETag": null
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-test/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/frontdoor-waf-A",
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче