Added support for .bicepparam files #2132 (#2230)

* Added support for .bicepparam files #2132

* Update reference link
Bernie White 2023-05-23 08:52:57 +10:00 коммит произвёл GitHub
Родитель 2ba5270444
Коммит 2fc07883dd
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
30 изменённых файлов: 819 добавлений и 323 удалений

1
.vscode/settings.json поставляемый

@ -49,6 +49,7 @@
"AUDITIFNOTEXISTS",
"AUTOMATIONACCOUNT",
"autoscaler",
"bicepparam",
"cmdlet",
"cmdlets",
"Concat",

449
.vscode/tasks.json поставляемый

@ -1,226 +1,231 @@
{
// See https://go.microsoft.com/fwlink/?LinkId=733558
// for the documentation about the tasks.json format
"version": "2.0.0",
"tasks": [
{
"label": "test",
"detail": "Build and run unit tests.",
"type": "shell",
"command": "Invoke-Build Test -AssertStyle Client",
"group": {
"kind": "test",
"isDefault": true
},
"problemMatcher": [
"$pester"
],
"presentation": {
"clear": true,
"panel": "dedicated"
},
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "run pester test group",
"detail": "Runs a specific group for Pester tests.",
"type": "shell",
"command": "Invoke-Build Test -AssertStyle Client -TestGroup '${input:pesterTestGroup}'",
"group": "test",
"problemMatcher": [
"$pester"
],
"presentation": {
"clear": true,
"panel": "dedicated"
},
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "coverage",
"type": "shell",
"command": "Invoke-Build Test -CodeCoverage",
"problemMatcher": [
"$pester"
],
"presentation": {
"clear": true,
"panel": "dedicated"
}
},
{
"label": "build",
"detail": "Build module.",
"type": "shell",
"command": "Invoke-Build Build",
"group": {
"kind": "build",
"isDefault": true
},
"problemMatcher": [],
"presentation": {
"clear": true,
"panel": "dedicated"
},
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "clean",
"type": "shell",
"command": "Invoke-Build Clean",
"problemMatcher": [],
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "script analyzer",
"type": "shell",
"command": "Invoke-Build Analyze",
"problemMatcher": [],
"presentation": {
"clear": true,
"panel": "dedicated"
}
},
{
"label": "build docs",
"type": "shell",
"command": "Invoke-Build BuildHelp",
"problemMatcher": [],
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "scaffold docs",
"type": "shell",
"command": "Invoke-Build ScaffoldHelp",
"problemMatcher": []
},
{
"label": "rule docs",
"detail": "Generate rule and baseline documentation.",
"type": "shell",
"command": "Invoke-Build BuildDocs",
"problemMatcher": [],
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "export data",
"detail": "Export a list of resource providers from an Azure subscription.",
"type": "shell",
"command": "Invoke-Build ExportData",
"problemMatcher": [],
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "benchmark",
"type": "shell",
"command": "Invoke-Build Benchmark",
"problemMatcher": [],
"presentation": {
"clear": true,
"panel": "dedicated"
},
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "serve docs",
"detail": "Build and run documentation site locally.",
"type": "shell",
"command": "mkdocs serve",
"problemMatcher": [],
"presentation": {
"clear": true,
"panel": "dedicated"
}
},
{
"label": "install python dependencies",
"detail": "Install or upgrade dependencies to build and debug mkdocs documentation locally.",
"type": "shell",
"command": "python3 -m pip install -r requirements-docs.txt",
"problemMatcher": [],
"presentation": {
"clear": true,
"panel": "dedicated"
}
// See https://go.microsoft.com/fwlink/?LinkId=733558
// for the documentation about the tasks.json format
"version": "2.0.0",
"tasks": [
{
"label": "test",
"detail": "Build and run unit tests.",
"type": "shell",
"command": "Invoke-Build Test -AssertStyle Client",
"group": {
"kind": "test",
"isDefault": true
},
"problemMatcher": [
"$pester"
],
"presentation": {
"clear": true,
"panel": "dedicated"
},
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
],
"inputs": [
{
"id": "pesterTestGroup",
"type": "promptString",
"description": "A group to use for Pester tests."
},
"options": {
"env": {
"RUN_BICEP_INTEGRATION": "true"
}
]
}
},
{
"label": "run pester test group",
"detail": "Runs a specific group for Pester tests.",
"type": "shell",
"command": "Invoke-Build Test -AssertStyle Client -TestGroup '${input:pesterTestGroup}'",
"group": "test",
"problemMatcher": [
"$pester"
],
"presentation": {
"clear": true,
"panel": "dedicated"
},
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "coverage",
"type": "shell",
"command": "Invoke-Build Test -CodeCoverage",
"problemMatcher": [
"$pester"
],
"presentation": {
"clear": true,
"panel": "dedicated"
}
},
{
"label": "build",
"detail": "Build module.",
"type": "shell",
"command": "Invoke-Build Build",
"group": {
"kind": "build",
"isDefault": true
},
"problemMatcher": [],
"presentation": {
"clear": true,
"panel": "dedicated"
},
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "clean",
"type": "shell",
"command": "Invoke-Build Clean",
"problemMatcher": [],
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "script analyzer",
"type": "shell",
"command": "Invoke-Build Analyze",
"problemMatcher": [],
"presentation": {
"clear": true,
"panel": "dedicated"
}
},
{
"label": "build docs",
"type": "shell",
"command": "Invoke-Build BuildHelp",
"problemMatcher": [],
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "scaffold docs",
"type": "shell",
"command": "Invoke-Build ScaffoldHelp",
"problemMatcher": []
},
{
"label": "rule docs",
"detail": "Generate rule and baseline documentation.",
"type": "shell",
"command": "Invoke-Build BuildDocs",
"problemMatcher": [],
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "export data",
"detail": "Export a list of resource providers from an Azure subscription.",
"type": "shell",
"command": "Invoke-Build ExportData",
"problemMatcher": [],
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "benchmark",
"type": "shell",
"command": "Invoke-Build Benchmark",
"problemMatcher": [],
"presentation": {
"clear": true,
"panel": "dedicated"
},
"linux": {
"options": {
"shell": {
"executable": "pwsh",
"args": [
"-c"
]
}
}
}
},
{
"label": "serve docs",
"detail": "Build and run documentation site locally.",
"type": "shell",
"command": "mkdocs serve",
"problemMatcher": [],
"presentation": {
"clear": true,
"panel": "dedicated"
}
},
{
"label": "install python dependencies",
"detail": "Install or upgrade dependencies to build and debug mkdocs documentation locally.",
"type": "shell",
"command": "python3 -m pip install -r requirements-docs.txt",
"problemMatcher": [],
"presentation": {
"clear": true,
"panel": "dedicated"
}
}
],
"inputs": [
{
"id": "pesterTestGroup",
"type": "promptString",
"description": "A group to use for Pester tests."
}
]
}
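Review bot: The `RUN_BICEP_INTEGRATION` environment override is added only to the `test` task, while `run pester test group` and `coverage` run the same `Invoke-Build Test` command without it, so the Bicep integration tests appear to be exercised from one entry point but not the other two. If that split is intentional, make it visible where a developer picks the task, e.g. `"detail": "Build and run unit tests, including Bicep integration tests (sets RUN_BICEP_INTEGRATION=true)."`; otherwise the same `options.env` block belongs on the other two test tasks as well. The rendered hunk interleaves old and new lines around the new `options` block (the old `inputs` array is printed in the middle of it), so the key's exact position inside the task could not be confirmed from the page; it is worth checking that it sits at task level rather than under `linux`, where a second `options` key would duplicate the existing one and parse unpredictably.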


@ -26,6 +26,10 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
What's changed since pre-release v1.27.0-B0050:
- New features:
- **Experimental:** Added support for expanding deployments from `.bicepparam` files by @BernieWhite.
[#2132](https://github.com/Azure/PSRule.Rules.Azure/issues/2132)
- See [Using Bicep source](https://aka.ms/ps-rule-azure/bicep) for details.
- New rules:
- Storage Account:
- Check that Malware Scanning in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.
@ -313,7 +317,7 @@ What's changed since v1.25.0:
What's changed since v1.24.2:
- New features:
- **Experimental**: Added `Azure.MCSB.v1` which include rules aligned to the Microsoft Cloud Security Benchmark by @BernieWhite.
- **Experimental:** Added `Azure.MCSB.v1` which include rules aligned to the Microsoft Cloud Security Benchmark by @BernieWhite.
[#1634](https://github.com/Azure/PSRule.Rules.Azure/issues/1634)
- New rules:
- Defender for Cloud:
@ -433,7 +437,7 @@ What's changed since pre-release v1.25.0-B0013:
What's changed since v1.24.2:
- New features:
- **Experimental**: Added `Azure.MCSB.v1` which include rules aligned to the Microsoft Cloud Security Benchmark by @BernieWhite.
- **Experimental:** Added `Azure.MCSB.v1` which include rules aligned to the Microsoft Cloud Security Benchmark by @BernieWhite.
[#1634](https://github.com/Azure/PSRule.Rules.Azure/issues/1634)
- New rules:
- Virtual Machine:
@ -1946,7 +1950,7 @@ What's changed since v1.13.4:
- Added March 2022 baselines `Azure.GA_2022_03` and `Azure.Preview_2022_03`. [#1334](https://github.com/Azure/PSRule.Rules.Azure/issues/1334)
- Includes rules released before or during March 2022.
- Marked `Azure.GA_2021_12` and `Azure.Preview_2021_12` baselines as obsolete.
- **Experimental**: Cmdlets to validate objects with Azure policy conditions:
- **Experimental:** Cmdlets to validate objects with Azure policy conditions:
- `Export-AzPolicyAssignmentData` - Exports policy assignment data. [#1266](https://github.com/Azure/PSRule.Rules.Azure/issues/1266)
- `Export-AzPolicyAssignmentRuleData` - Exports JSON rules from policy assignment data. [#1278](https://github.com/Azure/PSRule.Rules.Azure/issues/1278)
- `Get-AzPolicyAssignmentDataSource` - Discovers policy assignment data. [#1340](https://github.com/Azure/PSRule.Rules.Azure/issues/1340)
@ -1997,7 +2001,7 @@ What's changed since pre-release v1.14.0-B2203117:
What's changed since pre-release v1.14.0-B2203088:
- New features:
- **Experimental**: Cmdlets to validate objects with Azure policy conditions:
- **Experimental:** Cmdlets to validate objects with Azure policy conditions:
- `Export-AzPolicyAssignmentData` - Exports policy assignment data. [#1266](https://github.com/Azure/PSRule.Rules.Azure/issues/1266)
- `Export-AzPolicyAssignmentRuleData` - Exports JSON rules from policy assignment data. [#1278](https://github.com/Azure/PSRule.Rules.Azure/issues/1278)
- `Get-AzPolicyAssignmentDataSource` - Discovers policy assignment data. [#1340](https://github.com/Azure/PSRule.Rules.Azure/issues/1340)
@ -2916,7 +2920,7 @@ What's changed since v1.6.0:
What's changed since v1.5.1:
- New features:
- **Experimental**: Added support for expansion from Bicep source files. [#848](https://github.com/Azure/PSRule.Rules.Azure/issues/848) [#670](https://github.com/Azure/PSRule.Rules.Azure/issues/670) [#858](https://github.com/Azure/PSRule.Rules.Azure/issues/858)
- **Experimental:** Added support for expansion from Bicep source files. [#848](https://github.com/Azure/PSRule.Rules.Azure/issues/848) [#670](https://github.com/Azure/PSRule.Rules.Azure/issues/670) [#858](https://github.com/Azure/PSRule.Rules.Azure/issues/858)
- Bicep support is currently experimental.
- To opt-in set the `AZURE_BICEP_FILE_EXPANSION` configuration to `true`.
- For more information see [Using Bicep](https://azure.github.io/PSRule.Rules.Azure/using-bicep/).
@ -2944,7 +2948,7 @@ What's changed since pre-release v1.6.0-B2108023:
What's changed since pre-release v1.6.0-B2107028:
- New features:
- **Experimental**: Added support for expansion from Bicep source files. [#848](https://github.com/Azure/PSRule.Rules.Azure/issues/848) [#670](https://github.com/Azure/PSRule.Rules.Azure/issues/670)
- **Experimental:** Added support for expansion from Bicep source files. [#848](https://github.com/Azure/PSRule.Rules.Azure/issues/848) [#670](https://github.com/Azure/PSRule.Rules.Azure/issues/670)
- Bicep support is currently experimental.
- To opt-in set the `AZURE_BICEP_FILE_EXPANSION` configuration to `true`.
- For more information see [Using Bicep](https://azure.github.io/PSRule.Rules.Azure/using-bicep/).


@ -16,25 +16,28 @@ Export policy assignment data.
### Default (Default)
```text
Export-AzPolicyAssignmentData [-OutputPath <string>] [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]
Export-AzPolicyAssignmentData [-OutputPath <String>] [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]
```
### Name
```text
Export-AzPolicyAssignmentData [-Name <string>] [-Scope <string>] [-PolicyDefinitionId <string>] [-OutputPath <string>] [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]
Export-AzPolicyAssignmentData [-Name <String>] [-Scope <String>] [-PolicyDefinitionId <String>]
[-OutputPath <String>] [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]
```
### Id
```text
Export-AzPolicyAssignmentData -Id <string> [-PolicyDefinitionId <string>] [-OutputPath <string>] [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]
Export-AzPolicyAssignmentData -Id <String> [-PolicyDefinitionId <String>] [-OutputPath <String>] [-PassThru]
[-WhatIf] [-Confirm] [<CommonParameters>]
```
### IncludeDescendent
```text
Export-AzPolicyAssignmentData -IncludeDescendent [-Scope <string>] [-OutputPath <string>] [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]
Export-AzPolicyAssignmentData [-Scope <String>] [-IncludeDescendent] [-OutputPath <String>] [-PassThru]
[-WhatIf] [-Confirm] [<CommonParameters>]
```
## DESCRIPTION
@ -111,7 +114,7 @@ Specifies the name of the policy assignment.
```yaml
Type: String
Parameter Sets: (Name)
Parameter Sets: Name
Aliases:
Required: False
@ -127,7 +130,7 @@ Specifies the fully qualified resource ID for the policy assignment.
```yaml
Type: String
Parameter Sets: (Id)
Parameter Sets: Id
Aliases: AssignmentId
Required: True
@ -143,7 +146,7 @@ Specifies the scope at which the policy is applied for the assignment.
```yaml
Type: String
Parameter Sets: (Name, IncludeDescendent)
Parameter Sets: Name, IncludeDescendent
Aliases:
Required: False
@ -159,7 +162,7 @@ Specifies the ID of the policy definition of the policy assignment.
```yaml
Type: String
Parameter Sets: (Name, Id)
Parameter Sets: Name, Id
Aliases:
Required: False
@ -175,8 +178,8 @@ Causes the list of returned policy assignments to include all assignments relate
including those from ancestor scopes and those from descendent scopes.
```yaml
Type: String
Parameter Sets: (IncludeDescendent)
Type: SwitchParameter
Parameter Sets: IncludeDescendent
Aliases:
Required: True
@ -192,10 +195,10 @@ The path to store generated JSON files containing policy assignment data.
```yaml
Type: String
Parameter Sets: Default
Parameter Sets: (All)
Aliases:
Required: True
Required: False
Position: Named
Default value: $PWD
Accept pipeline input: False
@ -210,7 +213,7 @@ the pipeline instead.
```yaml
Type: SwitchParameter
Parameter Sets: Default
Parameter Sets: (All)
Aliases:
Required: False
@ -222,9 +225,7 @@ Accept wildcard characters: False
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction,
-InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see [about_CommonParameters](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_commonparameters).
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
## INPUTS


@ -13,10 +13,10 @@ Export JSON based rules from policy assignment data.
## SYNTAX
### Default (Default)
```text
Export-AzPolicyAssignmentRuleData [[-Name] <string>] [-AssignmentFile] <string> [[-ResourceGroup] <ResourceGroupReference>] [[-Subscription] <SubscriptionReference>] [[-OutputPath] <string>] [[-RulePrefix] <string>] [-PassThru] [<CommonParameters>]
Export-AzPolicyAssignmentRuleData [-Name <String>] -AssignmentFile <String>
[-ResourceGroup <ResourceGroupReference>] [-Subscription <SubscriptionReference>] [-OutputPath <String>]
[-RulePrefix <String>] [-PassThru] [<CommonParameters>]
```
## DESCRIPTION
@ -118,7 +118,7 @@ If not specified `export-<xxxxxxxx>` will be used as the name of the assignment.
```yaml
Type: String
Parameter Sets: Default
Parameter Sets: (All)
Aliases:
Required: False
@ -134,7 +134,7 @@ The absolute or relative path to an assignment data file.
```yaml
Type: String
Parameter Sets: Default
Parameter Sets: (All)
Aliases:
Required: True
@ -157,7 +157,7 @@ This parameter has no affect when `-PassThru` is used.
```yaml
Type: String
Parameter Sets: Default
Parameter Sets: (All)
Aliases:
Required: False
@ -177,7 +177,7 @@ For example, with `-RulePrefix 'CustomPolicyPrefix'` this would generate the pol
```yaml
Type: String
Parameter Sets: Default
Parameter Sets: (All)
Aliases:
Required: False
@ -195,7 +195,7 @@ the pipeline instead.
```yaml
Type: SwitchParameter
Parameter Sets: Default
Parameter Sets: (All)
Aliases:
Required: False
@ -221,7 +221,7 @@ For more details see about_PSRule_Azure_Configuration.
```yaml
Type: ResourceGroupReference
Parameter Sets: Default
Parameter Sets: (All)
Aliases: ResourceGroupName
Required: False
@ -247,7 +247,7 @@ For more details see about_PSRule_Azure_Configuration.
```yaml
Type: SubscriptionReference
Parameter Sets: Default
Parameter Sets: (All)
Aliases:
Required: False
@ -259,9 +259,7 @@ Accept wildcard characters: False
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction,
-InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see [about_CommonParameters](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_commonparameters).
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
## INPUTS


@ -17,7 +17,8 @@ Export resource configuration data from one or more Azure subscriptions.
```text
Export-AzRuleData [[-OutputPath] <String>] [-Subscription <String[]>] [-Tenant <String[]>]
[-ResourceGroupName <String[]>] [-Tag <Hashtable>] [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]
[-ResourceGroupName <String[]>] [-Tag <Hashtable>] [-PassThru] [-SkipDiscovery] [-ResourceId <String[]>]
[-WhatIf] [-Confirm] [<CommonParameters>]
```
### All
@ -205,6 +206,39 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -ResourceId
A list of resource Ids to expand.
```yaml
Type: String[]
Parameter Sets: Default
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False
```
### -SkipDiscovery
Determines if resource discovery is skipped.
When skipped resources are expanded based on provided resource Ids.
```yaml
Type: SwitchParameter
Parameter Sets: Default
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Confirm
Prompts you for confirmation before running the cmdlet.
@ -239,7 +273,7 @@ Accept wildcard characters: False
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
## INPUTS


@ -13,12 +13,21 @@ Export resource configuration data from Azure templates.
## SYNTAX
### Template (Default)
```text
Export-AzRuleTemplateData [[-Name] <String>] -TemplateFile <String> [-ParameterFile <String[]>]
[-ResourceGroup <ResourceGroupReference>] [-Subscription <SubscriptionReference>] [-OutputPath <String>]
[-PassThru] [<CommonParameters>]
```
### Source
```text
Export-AzRuleTemplateData [[-Name] <String>] -SourceFile <String> [-ResourceGroup <ResourceGroupReference>]
[-Subscription <SubscriptionReference>] [-OutputPath <String>] [-PassThru] [<CommonParameters>]
```
## DESCRIPTION
Export resource configuration data by merging Azure Resource Manager (ARM) template and parameter files.
@ -137,7 +146,7 @@ The absolute or relative file path to an Azure Resource Manager template file.
```yaml
Type: String
Parameter Sets: (All)
Parameter Sets: Template
Aliases:
Required: True
@ -153,7 +162,7 @@ The absolute or relative file path to one or more Azure Resource Manager templat
```yaml
Type: String[]
Parameter Sets: (All)
Parameter Sets: Template
Aliases: TemplateParameterFile
Required: False
@ -163,6 +172,22 @@ Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
```
### -SourceFile
The absolute or relative file path to a file of a Bicep file.
```yaml
Type: String
Parameter Sets: Source
Aliases: f, FullName
Required: True
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
```
### -OutputPath
The path to store generated JSON files containing resources.
@ -256,7 +281,7 @@ Accept wildcard characters: False
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
## INPUTS


@ -14,7 +14,7 @@ Get policy assignment sources.
## SYNTAX
```text
Get-AzPolicyAssignmentDataSource [[-InputPath] <string[]>] [[-Path] <string>] [<CommonParameters>]
Get-AzPolicyAssignmentDataSource [-InputPath <String[]>] [[-Path] <String>] [<CommonParameters>]
```
## DESCRIPTION
@ -54,7 +54,7 @@ To perform a shallow search, prefix input paths with `./`.
```yaml
Type: String[]
Parameter Sets: Default
Parameter Sets: (All)
Aliases: f, AssignmentFile, FullName
Required: False
@ -71,7 +71,7 @@ By default, this is the current working path.
```yaml
Type: String
Parameter Sets: Default
Parameter Sets: (All)
Aliases: p
Required: False
@ -83,9 +83,7 @@ Accept wildcard characters: False
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction,
-InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see [about_CommonParameters](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_commonparameters).
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
## INPUTS


@ -105,7 +105,7 @@ Accept wildcard characters: False
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
## INPUTS


@ -1,6 +1,6 @@
---
generated: True
title: Reference
generated: True
---
# Reference
@ -306,7 +306,7 @@ AZR-000281 | [Azure.Cognitive.ManagedIdentity](Azure.Cognitive.ManagedIdentity.m
AZR-000282 | [Azure.Cognitive.DisableLocalAuth](Azure.Cognitive.DisableLocalAuth.md) | Authenticate requests to Cognitive Services with Azure AD identities. | GA
AZR-000283 | [Azure.Cognitive.PrivateEndpoints](Azure.Cognitive.PrivateEndpoints.md) | Use Private Endpoints to access Cognitive Services accounts. | GA
AZR-000284 | [Azure.Deployment.AdminUsername](Azure.Deployment.AdminUsername.md) | Use secure parameters for sensitive resource properties. | GA
AZR-000285 | [Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled to ensure availability of control plane components for production workloads. | GA
AZR-000285 | [Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | GA
AZR-000286 | [Azure.CDN.UseFrontDoor](Azure.CDN.UseFrontDoor.md) | Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. | GA
AZR-000287 | [Azure.AKS.EphemeralOSDisk](Azure.AKS.EphemeralOSDisk.md) | AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. | GA
AZR-000288 | [Azure.VMSS.PublicKey](Azure.VMSS.PublicKey.md) | Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. | GA
@ -392,6 +392,17 @@ AZR-000367 | [Azure.SQLMI.ManagedIdentity](Azure.SQLMI.ManagedIdentity.md) | Ens
AZR-000368 | [Azure.SQLMI.AAD](Azure.SQLMI.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | GA
AZR-000369 | [Azure.SQL.AADOnly](Azure.SQL.AADOnly.md) | Ensure Azure AD-only authentication is enabled with Azure SQL Database. | GA
AZR-000370 | [Azure.AKS.DefenderProfile](Azure.AKS.DefenderProfile.md) | Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. | GA
AZR-000371 | [Azure.APIM.PolicyBase](Azure.APIM.PolicyBase.md) | Base element for any policy element in a section should be configured. | GA
AZR-000372 | [Azure.Defender.Cspm](Azure.Defender.Cspm.md) | Enable Microsoft Defender Cloud Security Posture Management Standard plan. | GA
AZR-000373 | [Azure.Arc.Kubernetes.Defender](Azure.Arc.Kubernetes.Defender.md) | Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. | Preview
AZR-000374 | [Azure.Arc.Server.MaintenanceConfig](Azure.Arc.Server.MaintenanceConfig.md) | Use a maintenance configuration for Arc-enabled servers. | Preview
AZR-000375 | [Azure.VM.MaintenanceConfig](Azure.VM.MaintenanceConfig.md) | Use a maintenance configuration for virtual machines. | Preview
AZR-000376 | [Azure.AppGw.MigrateV2](Azure.AppGw.MigrateV2.md) | Use a Application Gateway v2 SKU. | GA
AZR-000377 | [Azure.Defender.Api](Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Preview
AZR-000378 | [Azure.ContainerApp.DisableAffinity](Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Preview
AZR-000379 | [Azure.Defender.CosmosDb](Azure.Defender.CosmosDb.md) | Enable Microsoft Defender for Azure Cosmos DB. | GA
AZR-000380 | [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | GA
AZR-000381 | [Azure.Defender.OssRdb](Azure.Defender.OssRdb.md) | Enable Microsoft Defender for open-source relational databases. | GA
AZR-000382 | [Azure.Cosmos.DefenderCloud](Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | GA
*[GA]: Generally Available &mdash; Rules related to a generally available Azure features.


@ -82,6 +82,7 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AppGw.MigrateV2](Azure.AppGw.MigrateV2.md) | Use a Application Gateway v2 SKU. | Important | Error
[Azure.ASE.MigrateV3](Azure.ASE.MigrateV3.md) | Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. | Important | Error
[Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning
@ -140,6 +141,7 @@ Name | Synopsis | Severity | Level
[Azure.AppConfig.Name](Azure.AppConfig.Name.md) | App Configuration store names should meet naming requirements. | Awareness | Error
[Azure.AppGw.Name](Azure.AppGw.Name.md) | Application Gateways should meet naming requirements. | Awareness | Error
[Azure.AppInsights.Name](Azure.AppInsights.Name.md) | Azure Application Insights resources names should meet naming requirements. | Awareness | Error
[Azure.Arc.Server.MaintenanceConfig](Azure.Arc.Server.MaintenanceConfig.md) | Use a maintenance configuration for Arc-enabled servers. | Important | Error
[Azure.ASG.Name](Azure.ASG.Name.md) | Application Security Group (ASG) names should meet naming requirements. | Awareness | Error
[Azure.Bastion.Name](Azure.Bastion.Name.md) | Bastion hosts should meet naming requirements. | Awareness | Error
[Azure.CDN.EndpointName](Azure.CDN.EndpointName.md) | Azure CDN Endpoint names should meet naming requirements. | Awareness | Error
@ -194,6 +196,7 @@ Name | Synopsis | Severity | Level
[Azure.VM.ASName](Azure.VM.ASName.md) | Availability Set names should meet naming requirements. | Awareness | Error
[Azure.VM.ComputerName](Azure.VM.ComputerName.md) | Virtual Machine (VM) computer name should meet naming requirements. | Awareness | Error
[Azure.VM.DiskName](Azure.VM.DiskName.md) | Managed Disk names should meet naming requirements. | Awareness | Error
[Azure.VM.MaintenanceConfig](Azure.VM.MaintenanceConfig.md) | Use a maintenance configuration for virtual machines. | Important | Error
[Azure.VM.Name](Azure.VM.Name.md) | Virtual Machine (VM) names should meet naming requirements. | Awareness | Error
[Azure.VM.NICName](Azure.VM.NICName.md) | Network Interface (NIC) names should meet naming requirements. | Awareness | Error
[Azure.VM.PPGName](Azure.VM.PPGName.md) | Proximity Placement Group (PPG) names should meet naming requirements. | Awareness | Error
@ -238,6 +241,12 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.VM.SQLServerDisk](Azure.VM.SQLServerDisk.md) | Use Premium SSD disks or greater for data and log files for production SQL Server workloads. | Important | Error
### Design for performance efficiency
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ContainerApp.DisableAffinity](Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Important | Error
### Performance
Name | Synopsis | Severity | Level
@ -356,7 +365,7 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ACR.MinSku](Azure.ACR.MinSku.md) | ACR should use the Premium or Standard SKU for production deployments. | Important | Error
[Azure.ADX.SLA](Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important | Error
[Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled to ensure availability of control plane components for production workloads. | Important | Error
[Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important | Error
[Azure.AKS.Version](Azure.AKS.Version.md) | AKS control plane and nodes pools should use a current stable release. | Important | Error
[Azure.AppConfig.SKU](Azure.AppConfig.SKU.md) | App Configuration should use a minimum size of Standard. | Important | Error
[Azure.Redis.Version](Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important | Error
@ -491,6 +500,7 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.AuthorizedIPs](Azure.AKS.AuthorizedIPs.md) | Restrict access to API server endpoints to authorized IP addresses. | Important | Error
[Azure.APIM.CORSPolicy](Azure.APIM.CORSPolicy.md) | Avoid using wildcard for any configuration option in CORS policies. | Important | Error
[Azure.APIM.PolicyBase](Azure.APIM.PolicyBase.md) | Base element for any policy element in a section should be configured. | Important | Error
[Azure.ContainerApp.Insecure](Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important | Error
[Azure.Resource.AllowedRegions](Azure.Resource.AllowedRegions.md) | Resources should be deployed to allowed regions. | Awareness | Error
@ -591,6 +601,7 @@ Name | Synopsis | Severity | Level
[Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
[Azure.ContainerApp.ExternalIngress](Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important | Error
[Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error
[Azure.Firewall.Mode](Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical | Error
[Azure.FrontDoor.WAF.Mode](Azure.FrontDoor.WAF.Mode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
[Azure.FrontDoorWAF.Enabled](Azure.FrontDoorWAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical | Error
@ -650,10 +661,15 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Arc.Kubernetes.Defender](Azure.Arc.Kubernetes.Defender.md) | Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. | Important | Error
[Azure.Cosmos.DefenderCloud](Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error
[Azure.Defender.Api](Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Critical | Error
[Azure.Defender.Arm](Azure.Defender.Arm.md) | Enable Microsoft Defender for Azure Resource Manager (ARM). | Critical | Error
[Azure.Defender.CosmosDb](Azure.Defender.CosmosDb.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error
[Azure.Defender.Cspm](Azure.Defender.Cspm.md) | Enable Microsoft Defender Cloud Security Posture Management Standard plan. | Critical | Error
[Azure.Defender.Dns](Azure.Defender.Dns.md) | Enable Microsoft Defender for DNS. | Critical | Error
[Azure.Defender.KeyVault](Azure.Defender.KeyVault.md) | Enable Microsoft Defender for Key Vault. | Critical | Error
[Azure.Defender.OssRdb](Azure.Defender.OssRdb.md) | Enable Microsoft Defender for open-source relational databases. | Critical | Error
[Azure.Defender.SQL](Azure.Defender.SQL.md) | Enable Microsoft Defender for SQL servers. | Critical | Error
[Azure.Defender.SQLOnVM](Azure.Defender.SQLOnVM.md) | Enable Microsoft Defender for SQL servers on machines. | Critical | Error
[Azure.DefenderCloud.Contact](Azure.DefenderCloud.Contact.md) | Microsoft Defender for Cloud email and phone contact details should be set. | Important | Error


@ -54,6 +54,7 @@ Name | Synopsis | Severity | Level
[Azure.APIM.MultiRegion](Azure.APIM.MultiRegion.md) | API Management instances should use multi-region deployment to improve service availability. | Important | Error
[Azure.APIM.MultiRegionGateway](Azure.APIM.MultiRegionGateway.md) | API Management instances should have multi-region deployment gateways enabled. | Important | Error
[Azure.APIM.Name](Azure.APIM.Name.md) | API Management service names should meet naming requirements. | Awareness | Error
[Azure.APIM.PolicyBase](Azure.APIM.PolicyBase.md) | Base element for any policy element in a section should be configured. | Important | Error
[Azure.APIM.ProductApproval](Azure.APIM.ProductApproval.md) | Configure products to require approval. | Important | Error
[Azure.APIM.ProductDescriptors](Azure.APIM.ProductDescriptors.md) | API Management products should have a display name and description. | Awareness | Warning
[Azure.APIM.ProductSubscription](Azure.APIM.ProductSubscription.md) | Configure products to require a subscription. | Important | Error
@ -102,6 +103,7 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AppGw.AvailabilityZone](Azure.AppGw.AvailabilityZone.md) | Application gateways should use availability zones in supported regions for high availability. | Important | Error
[Azure.AppGw.MigrateV2](Azure.AppGw.MigrateV2.md) | Use a Application Gateway v2 SKU. | Important | Error
[Azure.AppGw.MinInstance](Azure.AppGw.MinInstance.md) | Application Gateways should use a minimum of two instances. | Important | Error
[Azure.AppGw.MinSku](Azure.AppGw.MinSku.md) | Application Gateway should use a minimum instance size of Medium. | Important | Error
[Azure.AppGw.Name](Azure.AppGw.Name.md) | Application Gateways should meet naming requirements. | Awareness | Error
@ -130,6 +132,13 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ASG.Name](Azure.ASG.Name.md) | Application Security Group (ASG) names should meet naming requirements. | Awareness | Error
## Arc
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Arc.Kubernetes.Defender](Azure.Arc.Kubernetes.Defender.md) | Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. | Important | Error
[Azure.Arc.Server.MaintenanceConfig](Azure.Arc.Server.MaintenanceConfig.md) | Use a maintenance configuration for Arc-enabled servers. | Important | Error
## Automation Account
Name | Synopsis | Severity | Level
@ -235,7 +244,7 @@ Name | Synopsis | Severity | Level
[Azure.AKS.SecretStore](Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important | Error
[Azure.AKS.SecretStoreRotation](Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important | Error
[Azure.AKS.StandardLB](Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important | Error
[Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled to ensure availability of control plane components for production workloads. | Important | Error
[Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important | Error
[Azure.AKS.UseRBAC](Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important | Error
[Azure.AKS.Version](Azure.AKS.Version.md) | AKS control plane and nodes pools should use a current stable release. | Important | Error
@ -268,11 +277,13 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ContainerApp.DisableAffinity](Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Important | Error
[Azure.ContainerApp.ExternalIngress](Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important | Error
[Azure.ContainerApp.Insecure](Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important | Error
[Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error
[Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error
[Azure.ContainerApp.PublicAccess](Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important | Error
[Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error
[Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error
## Container Registry
@ -304,6 +315,7 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error
[Azure.Cosmos.DefenderCloud](Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error
[Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Azure AD identities for management place operations in Azure Cosmos DB. | Important | Error
## Data Explorer
@ -416,12 +428,15 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Defender.Api](Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Critical | Error
[Azure.Defender.AppServices](Azure.Defender.AppServices.md) | Enable Microsoft Defender for App Service. | Critical | Error
[Azure.Defender.Arm](Azure.Defender.Arm.md) | Enable Microsoft Defender for Azure Resource Manager (ARM). | Critical | Error
[Azure.Defender.Containers](Azure.Defender.Containers.md) | Enable Microsoft Defender for Containers. | Critical | Error
[Azure.Defender.CosmosDb](Azure.Defender.CosmosDb.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error
[Azure.Defender.Cspm](Azure.Defender.Cspm.md) | Enable Microsoft Defender Cloud Security Posture Management Standard plan. | Critical | Error
[Azure.Defender.Dns](Azure.Defender.Dns.md) | Enable Microsoft Defender for DNS. | Critical | Error
[Azure.Defender.KeyVault](Azure.Defender.KeyVault.md) | Enable Microsoft Defender for Key Vault. | Critical | Error
[Azure.Defender.OssRdb](Azure.Defender.OssRdb.md) | Enable Microsoft Defender for open-source relational databases. | Critical | Error
[Azure.Defender.Servers](Azure.Defender.Servers.md) | Enable Microsoft Defender for Servers. | Critical | Error
[Azure.Defender.SQL](Azure.Defender.SQL.md) | Enable Microsoft Defender for SQL servers. | Critical | Error
[Azure.Defender.SQLOnVM](Azure.Defender.SQLOnVM.md) | Enable Microsoft Defender for SQL servers on machines. | Critical | Error
@ -597,6 +612,7 @@ Name | Synopsis | Severity | Level
[Azure.VM.DiskCaching](Azure.VM.DiskCaching.md) | Check disk caching is configured correctly for the workload. | Important | Error
[Azure.VM.DiskName](Azure.VM.DiskName.md) | Managed Disk names should meet naming requirements. | Awareness | Error
[Azure.VM.DiskSizeAlignment](Azure.VM.DiskSizeAlignment.md) | Align to the Managed Disk billing model to improve cost efficiency. | Awareness | Error
[Azure.VM.MaintenanceConfig](Azure.VM.MaintenanceConfig.md) | Use a maintenance configuration for virtual machines. | Important | Error
[Azure.VM.MigrateAMA](Azure.VM.MigrateAMA.md) | Use Azure Monitor Agent as replacement for Log Analytics Agent. | Important | Error
[Azure.VM.Name](Azure.VM.Name.md) | Virtual Machine (VM) names should meet naming requirements. | Awareness | Error
[Azure.VM.NICAttached](Azure.VM.NICAttached.md) | Network interfaces (NICs) should be attached. | Awareness | Error


@ -1,6 +1,6 @@
---
generated: True
title: Reference
generated: True
---
# Reference
@ -306,7 +306,7 @@ AZR-000281 | [Azure.Cognitive.ManagedIdentity](Azure.Cognitive.ManagedIdentity.m
AZR-000282 | [Azure.Cognitive.DisableLocalAuth](Azure.Cognitive.DisableLocalAuth.md) | Authenticate requests to Cognitive Services with Azure AD identities. | GA
AZR-000283 | [Azure.Cognitive.PrivateEndpoints](Azure.Cognitive.PrivateEndpoints.md) | Use Private Endpoints to access Cognitive Services accounts. | GA
AZR-000284 | [Azure.Deployment.AdminUsername](Azure.Deployment.AdminUsername.md) | Use secure parameters for sensitive resource properties. | GA
AZR-000285 | [Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled to ensure availability of control plane components for production workloads. | GA
AZR-000285 | [Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | GA
AZR-000286 | [Azure.CDN.UseFrontDoor](Azure.CDN.UseFrontDoor.md) | Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities. | GA
AZR-000287 | [Azure.AKS.EphemeralOSDisk](Azure.AKS.EphemeralOSDisk.md) | AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades. | GA
AZR-000288 | [Azure.VMSS.PublicKey](Azure.VMSS.PublicKey.md) | Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities. | GA
@ -392,6 +392,17 @@ AZR-000367 | [Azure.SQLMI.ManagedIdentity](Azure.SQLMI.ManagedIdentity.md) | Ens
AZR-000368 | [Azure.SQLMI.AAD](Azure.SQLMI.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | GA
AZR-000369 | [Azure.SQL.AADOnly](Azure.SQL.AADOnly.md) | Ensure Azure AD-only authentication is enabled with Azure SQL Database. | GA
AZR-000370 | [Azure.AKS.DefenderProfile](Azure.AKS.DefenderProfile.md) | Enable the Defender profile with Azure Kubernetes Service (AKS) cluster. | GA
AZR-000371 | [Azure.APIM.PolicyBase](Azure.APIM.PolicyBase.md) | Base element for any policy element in a section should be configured. | GA
AZR-000372 | [Azure.Defender.Cspm](Azure.Defender.Cspm.md) | Enable Microsoft Defender Cloud Security Posture Management Standard plan. | GA
AZR-000373 | [Azure.Arc.Kubernetes.Defender](Azure.Arc.Kubernetes.Defender.md) | Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. | Preview
AZR-000374 | [Azure.Arc.Server.MaintenanceConfig](Azure.Arc.Server.MaintenanceConfig.md) | Use a maintenance configuration for Arc-enabled servers. | Preview
AZR-000375 | [Azure.VM.MaintenanceConfig](Azure.VM.MaintenanceConfig.md) | Use a maintenance configuration for virtual machines. | Preview
AZR-000376 | [Azure.AppGw.MigrateV2](Azure.AppGw.MigrateV2.md) | Use a Application Gateway v2 SKU. | GA
AZR-000377 | [Azure.Defender.Api](Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Preview
AZR-000378 | [Azure.ContainerApp.DisableAffinity](Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Preview
AZR-000379 | [Azure.Defender.CosmosDb](Azure.Defender.CosmosDb.md) | Enable Microsoft Defender for Azure Cosmos DB. | GA
AZR-000380 | [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | GA
AZR-000381 | [Azure.Defender.OssRdb](Azure.Defender.OssRdb.md) | Enable Microsoft Defender for open-source relational databases. | GA
AZR-000382 | [Azure.Cosmos.DefenderCloud](Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | GA
*[GA]: Generally Available &mdash; Rules related to a generally available Azure features.


@ -82,6 +82,7 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AppGw.MigrateV2](Azure.AppGw.MigrateV2.md) | Use a Application Gateway v2 SKU. | Important | Error
[Azure.ASE.MigrateV3](Azure.ASE.MigrateV3.md) | Use ASEv3 as replacement for the classic app service environment versions ASEv1 and ASEv2. | Important | Error
[Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning
@ -140,6 +141,7 @@ Name | Synopsis | Severity | Level
[Azure.AppConfig.Name](Azure.AppConfig.Name.md) | App Configuration store names should meet naming requirements. | Awareness | Error
[Azure.AppGw.Name](Azure.AppGw.Name.md) | Application Gateways should meet naming requirements. | Awareness | Error
[Azure.AppInsights.Name](Azure.AppInsights.Name.md) | Azure Application Insights resources names should meet naming requirements. | Awareness | Error
[Azure.Arc.Server.MaintenanceConfig](Azure.Arc.Server.MaintenanceConfig.md) | Use a maintenance configuration for Arc-enabled servers. | Important | Error
[Azure.ASG.Name](Azure.ASG.Name.md) | Application Security Group (ASG) names should meet naming requirements. | Awareness | Error
[Azure.Bastion.Name](Azure.Bastion.Name.md) | Bastion hosts should meet naming requirements. | Awareness | Error
[Azure.CDN.EndpointName](Azure.CDN.EndpointName.md) | Azure CDN Endpoint names should meet naming requirements. | Awareness | Error
@ -194,6 +196,7 @@ Name | Synopsis | Severity | Level
[Azure.VM.ASName](Azure.VM.ASName.md) | Availability Set names should meet naming requirements. | Awareness | Error
[Azure.VM.ComputerName](Azure.VM.ComputerName.md) | Virtual Machine (VM) computer name should meet naming requirements. | Awareness | Error
[Azure.VM.DiskName](Azure.VM.DiskName.md) | Managed Disk names should meet naming requirements. | Awareness | Error
[Azure.VM.MaintenanceConfig](Azure.VM.MaintenanceConfig.md) | Use a maintenance configuration for virtual machines. | Important | Error
[Azure.VM.Name](Azure.VM.Name.md) | Virtual Machine (VM) names should meet naming requirements. | Awareness | Error
[Azure.VM.NICName](Azure.VM.NICName.md) | Network Interface (NIC) names should meet naming requirements. | Awareness | Error
[Azure.VM.PPGName](Azure.VM.PPGName.md) | Proximity Placement Group (PPG) names should meet naming requirements. | Awareness | Error
@ -238,6 +241,12 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.VM.SQLServerDisk](Azure.VM.SQLServerDisk.md) | Use Premium SSD disks or greater for data and log files for production SQL Server workloads. | Important | Error
### Design for performance efficiency
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ContainerApp.DisableAffinity](Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Important | Error
### Performance
Name | Synopsis | Severity | Level
@ -356,7 +365,7 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ACR.MinSku](Azure.ACR.MinSku.md) | ACR should use the Premium or Standard SKU for production deployments. | Important | Error
[Azure.ADX.SLA](Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important | Error
[Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled to ensure availability of control plane components for production workloads. | Important | Error
[Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important | Error
[Azure.AKS.Version](Azure.AKS.Version.md) | AKS control plane and nodes pools should use a current stable release. | Important | Error
[Azure.AppConfig.SKU](Azure.AppConfig.SKU.md) | App Configuration should use a minimum size of Standard. | Important | Error
[Azure.Redis.Version](Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important | Error
@ -491,6 +500,7 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.AuthorizedIPs](Azure.AKS.AuthorizedIPs.md) | Restrict access to API server endpoints to authorized IP addresses. | Important | Error
[Azure.APIM.CORSPolicy](Azure.APIM.CORSPolicy.md) | Avoid using wildcard for any configuration option in CORS policies. | Important | Error
[Azure.APIM.PolicyBase](Azure.APIM.PolicyBase.md) | Base element for any policy element in a section should be configured. | Important | Error
[Azure.ContainerApp.Insecure](Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important | Error
[Azure.Resource.AllowedRegions](Azure.Resource.AllowedRegions.md) | Resources should be deployed to allowed regions. | Awareness | Error
@ -591,6 +601,7 @@ Name | Synopsis | Severity | Level
[Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
[Azure.ContainerApp.ExternalIngress](Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important | Error
[Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error
[Azure.Firewall.Mode](Azure.Firewall.Mode.md) | Deny high confidence malicious IP addresses and domains on classic managed Azure Firewalls. | Critical | Error
[Azure.FrontDoor.WAF.Mode](Azure.FrontDoor.WAF.Mode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
[Azure.FrontDoorWAF.Enabled](Azure.FrontDoorWAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical | Error
@ -650,10 +661,15 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Arc.Kubernetes.Defender](Azure.Arc.Kubernetes.Defender.md) | Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. | Important | Error
[Azure.Cosmos.DefenderCloud](Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error
[Azure.Defender.Api](Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Critical | Error
[Azure.Defender.Arm](Azure.Defender.Arm.md) | Enable Microsoft Defender for Azure Resource Manager (ARM). | Critical | Error
[Azure.Defender.CosmosDb](Azure.Defender.CosmosDb.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error
[Azure.Defender.Cspm](Azure.Defender.Cspm.md) | Enable Microsoft Defender Cloud Security Posture Management Standard plan. | Critical | Error
[Azure.Defender.Dns](Azure.Defender.Dns.md) | Enable Microsoft Defender for DNS. | Critical | Error
[Azure.Defender.KeyVault](Azure.Defender.KeyVault.md) | Enable Microsoft Defender for Key Vault. | Critical | Error
[Azure.Defender.OssRdb](Azure.Defender.OssRdb.md) | Enable Microsoft Defender for open-source relational databases. | Critical | Error
[Azure.Defender.SQL](Azure.Defender.SQL.md) | Enable Microsoft Defender for SQL servers. | Critical | Error
[Azure.Defender.SQLOnVM](Azure.Defender.SQLOnVM.md) | Enable Microsoft Defender for SQL servers on machines. | Critical | Error
[Azure.DefenderCloud.Contact](Azure.DefenderCloud.Contact.md) | Microsoft Defender for Cloud email and phone contact details should be set. | Important | Error


@ -54,6 +54,7 @@ Name | Synopsis | Severity | Level
[Azure.APIM.MultiRegion](Azure.APIM.MultiRegion.md) | API Management instances should use multi-region deployment to improve service availability. | Important | Error
[Azure.APIM.MultiRegionGateway](Azure.APIM.MultiRegionGateway.md) | API Management instances should have multi-region deployment gateways enabled. | Important | Error
[Azure.APIM.Name](Azure.APIM.Name.md) | API Management service names should meet naming requirements. | Awareness | Error
[Azure.APIM.PolicyBase](Azure.APIM.PolicyBase.md) | Base element for any policy element in a section should be configured. | Important | Error
[Azure.APIM.ProductApproval](Azure.APIM.ProductApproval.md) | Configure products to require approval. | Important | Error
[Azure.APIM.ProductDescriptors](Azure.APIM.ProductDescriptors.md) | API Management products should have a display name and description. | Awareness | Warning
[Azure.APIM.ProductSubscription](Azure.APIM.ProductSubscription.md) | Configure products to require a subscription. | Important | Error
@ -102,6 +103,7 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AppGw.AvailabilityZone](Azure.AppGw.AvailabilityZone.md) | Application gateways should use availability zones in supported regions for high availability. | Important | Error
[Azure.AppGw.MigrateV2](Azure.AppGw.MigrateV2.md) | Use a Application Gateway v2 SKU. | Important | Error
[Azure.AppGw.MinInstance](Azure.AppGw.MinInstance.md) | Application Gateways should use a minimum of two instances. | Important | Error
[Azure.AppGw.MinSku](Azure.AppGw.MinSku.md) | Application Gateway should use a minimum instance size of Medium. | Important | Error
[Azure.AppGw.Name](Azure.AppGw.Name.md) | Application Gateways should meet naming requirements. | Awareness | Error
@ -130,6 +132,13 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ASG.Name](Azure.ASG.Name.md) | Application Security Group (ASG) names should meet naming requirements. | Awareness | Error
## Arc
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Arc.Kubernetes.Defender](Azure.Arc.Kubernetes.Defender.md) | Deploy Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters. | Important | Error
[Azure.Arc.Server.MaintenanceConfig](Azure.Arc.Server.MaintenanceConfig.md) | Use a maintenance configuration for Arc-enabled servers. | Important | Error
## Automation Account
Name | Synopsis | Severity | Level
@ -235,7 +244,7 @@ Name | Synopsis | Severity | Level
[Azure.AKS.SecretStore](Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important | Error
[Azure.AKS.SecretStoreRotation](Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important | Error
[Azure.AKS.StandardLB](Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important | Error
[Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled to ensure availability of control plane components for production workloads. | Important | Error
[Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important | Error
[Azure.AKS.UseRBAC](Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important | Error
[Azure.AKS.Version](Azure.AKS.Version.md) | AKS control plane and nodes pools should use a current stable release. | Important | Error
@ -268,11 +277,13 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ContainerApp.DisableAffinity](Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Important | Error
[Azure.ContainerApp.ExternalIngress](Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important | Error
[Azure.ContainerApp.Insecure](Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important | Error
[Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error
[Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error
[Azure.ContainerApp.PublicAccess](Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important | Error
[Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error
[Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error
## Container Registry
@ -304,6 +315,7 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error
[Azure.Cosmos.DefenderCloud](Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error
[Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Azure AD identities for management place operations in Azure Cosmos DB. | Important | Error
## Data Explorer
@ -416,12 +428,15 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Defender.Api](Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Critical | Error
[Azure.Defender.AppServices](Azure.Defender.AppServices.md) | Enable Microsoft Defender for App Service. | Critical | Error
[Azure.Defender.Arm](Azure.Defender.Arm.md) | Enable Microsoft Defender for Azure Resource Manager (ARM). | Critical | Error
[Azure.Defender.Containers](Azure.Defender.Containers.md) | Enable Microsoft Defender for Containers. | Critical | Error
[Azure.Defender.CosmosDb](Azure.Defender.CosmosDb.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error
[Azure.Defender.Cspm](Azure.Defender.Cspm.md) | Enable Microsoft Defender Cloud Security Posture Management Standard plan. | Critical | Error
[Azure.Defender.Dns](Azure.Defender.Dns.md) | Enable Microsoft Defender for DNS. | Critical | Error
[Azure.Defender.KeyVault](Azure.Defender.KeyVault.md) | Enable Microsoft Defender for Key Vault. | Critical | Error
[Azure.Defender.OssRdb](Azure.Defender.OssRdb.md) | Enable Microsoft Defender for open-source relational databases. | Critical | Error
[Azure.Defender.Servers](Azure.Defender.Servers.md) | Enable Microsoft Defender for Servers. | Critical | Error
[Azure.Defender.SQL](Azure.Defender.SQL.md) | Enable Microsoft Defender for SQL servers. | Critical | Error
[Azure.Defender.SQLOnVM](Azure.Defender.SQLOnVM.md) | Enable Microsoft Defender for SQL servers on machines. | Critical | Error
@ -597,6 +612,7 @@ Name | Synopsis | Severity | Level
[Azure.VM.DiskCaching](Azure.VM.DiskCaching.md) | Check disk caching is configured correctly for the workload. | Important | Error
[Azure.VM.DiskName](Azure.VM.DiskName.md) | Managed Disk names should meet naming requirements. | Awareness | Error
[Azure.VM.DiskSizeAlignment](Azure.VM.DiskSizeAlignment.md) | Align to the Managed Disk billing model to improve cost efficiency. | Awareness | Error
[Azure.VM.MaintenanceConfig](Azure.VM.MaintenanceConfig.md) | Use a maintenance configuration for virtual machines. | Important | Error
[Azure.VM.MigrateAMA](Azure.VM.MigrateAMA.md) | Use Azure Monitor Agent as replacement for Log Analytics Agent. | Important | Error
[Azure.VM.Name](Azure.VM.Name.md) | Virtual Machine (VM) names should meet naming requirements. | Awareness | Error
[Azure.VM.NICAttached](Azure.VM.NICAttached.md) | Network interfaces (NICs) should be attached. | Awareness | Error


@ -80,6 +80,38 @@ configuration:
AZURE_BICEP_FILE_EXPANSION: true
```
### Bicep parameter expansion
:octicons-milestone-24: v1.27.0
This configuration option determines if Azure Bicep parameter files (`.bicepparam`) are expanded.
Currently while this is an experimental feature this is not enabled by default.
Bicep files are expanded when PSRule cmdlets with the `-Format File` parameter are used.
Syntax:
```yaml
configuration:
AZURE_BICEP_PARAMS_FILE_EXPANSION: bool
```
Default:
```yaml
# YAML: The default AZURE_BICEP_PARAMS_FILE_EXPANSION configuration option
configuration:
AZURE_BICEP_PARAMS_FILE_EXPANSION: false
```
Example:
```yaml
# YAML: Set the AZURE_BICEP_PARAMS_FILE_EXPANSION configuration option to enable expansion
configuration:
AZURE_BICEP_PARAMS_FILE_EXPANSION: true
```
### Bicep compilation timeout
:octicons-milestone-24: v1.13.3


@ -130,11 +130,21 @@ To do this configure `ps-rule.yaml` with the `input.pathIgnore` option.
!!! Note
In this example, Bicep files such as `deploy.bicep` in other directories will be expanded.
### Using parameter files
## Using parameter files
When using Bicep, you don't need to use parameter files.
You can call `.bicep` files directly from other `.bicep` files with modules by using the `module` keyword.
Alternatively, you can choose to expand and test a Bicep module from JSON parameter files [by metadata][7].
Alternatively, Bicep supports two options for parameter files:
- **JSON parameter files** &mdash; This format uses conventional JSON syntax compatible with ARM templates.
- **Bicep parameter files** &mdash; This format uses Bicep language from a `.bicepparam` file to reference a Bicep module.
Each option is described in more detail in the following sections.
### Using JSON parameter files
You can choose to expand and test a Bicep module from JSON parameter files [by metadata][7].
When using parameter files exclusively,
the `AZURE_BICEP_FILE_EXPANSION` configuration option does not need to be set.
@ -180,6 +190,50 @@ This option will discover Bicep files from parameter metadata.
[7]: using-templates.md#by-metadata
### Using Bicep parameter files
:octicons-beaker-24:{ .experimental } Experimental · :octicons-milestone-24: v1.27.0
You can use `.bicepparam` files to reference your Bicep modules as a method for providing parameters.
Using the Bicep parameter file format, allows you to get many of the benefits of the Bicep language.
For example:
```bicepparam
using 'template.bicep'
param storageAccountName = 'bicepstorage001'
param tags = {
env: 'test'
}
```
Presently, to use this feature you must:
1. Enable the experimental feature in `bicepconfig.json`.
2. Enable expansion of Bicep parameter files in `ps-rule.yaml`.
For example:
```json title="bicepconfig.json"
{
"experimentalFeaturesEnabled": {
"paramsFiles": true
}
}
```
```yaml title="ps-rule.yaml"
configuration:
AZURE_BICEP_PARAMS_FILE_EXPANSION: true
```
!!! Experimental "Experimental - [Learn more][13]"
Bicep parameter files are a work in progress.
This feature will be transitioned to stable after the Bicep CLI support is finalized.
[13]: versioning.md#experimental-features
## Restoring modules from a private registry
Bicep modules can be stored in a private registry.
@ -196,7 +250,7 @@ To configure authentication for PSRule to a private registry:
- [Granting access to a private registry](#granting-access-to-a-private-registry)
- [Set pipeline environment variables](#set-pipeline-environment-variables)
Some organizations may want to expose Bicep modules publically.
Some organizations may want to expose Bicep modules publicly.
This can be configured by enabling anonymous pull access.
To configure your registry see [Make your container registry content publicly available][14].


@ -24,11 +24,11 @@ Module versions and change log details for pre-releases will be removed as stabl
## Experimental features
From time to time we may ship experimential features.
These features are generally marked experimential in the change log as these features ship.
From time to time we may ship experiential features.
These features are generally marked experimental in the change log as these features ship.
Experimental features may ship in stable releases, however to use them you may need to:
- Enable or explictly reference them.
- Enable or explicitly reference them.
!!! Important
Experimental features should be considered work in progress.


@ -13,6 +13,8 @@ namespace PSRule.Rules.Azure.Configuration
public sealed class ConfigurationOption : IEquatable<ConfigurationOption>
{
private const string DEFAULT_POLICYRULEPREFIX = "Azure";
private const string DEFAULT_BICEP_MINIMUM_VERSION = "0.4.451";
private const int DEFAULT_BICEP_FILE_EXPANSION_TIMEOUT = 5;
internal static readonly ConfigurationOption Default = new()
{
@ -23,6 +25,8 @@ namespace PSRule.Rules.Azure.Configuration
ParameterDefaults = ParameterDefaultsOption.Default,
Deployment = DeploymentOption.Default,
PolicyRulePrefix = DEFAULT_POLICYRULEPREFIX,
BicepMinimumVersion = DEFAULT_BICEP_MINIMUM_VERSION,
BicepFileExpansionTimeout = DEFAULT_BICEP_FILE_EXPANSION_TIMEOUT,
};
/// <summary>
@ -38,6 +42,8 @@ namespace PSRule.Rules.Azure.Configuration
Deployment = null;
PolicyIgnoreList = null;
PolicyRulePrefix = null;
BicepMinimumVersion = null;
BicepFileExpansionTimeout = null;
}
internal ConfigurationOption(ConfigurationOption option)
@ -53,6 +59,8 @@ namespace PSRule.Rules.Azure.Configuration
Deployment = option.Deployment;
PolicyIgnoreList = option.PolicyIgnoreList;
PolicyRulePrefix = option.PolicyRulePrefix;
BicepMinimumVersion = option.BicepMinimumVersion;
BicepFileExpansionTimeout = option.BicepFileExpansionTimeout;
}
/// <inheritdoc/>
@ -72,7 +80,9 @@ namespace PSRule.Rules.Azure.Configuration
ParameterDefaults == other.ParameterDefaults &&
Deployment == other.Deployment &&
PolicyIgnoreList == other.PolicyIgnoreList &&
PolicyRulePrefix == other.PolicyRulePrefix;
PolicyRulePrefix == other.PolicyRulePrefix &&
BicepMinimumVersion == other.BicepMinimumVersion &&
BicepFileExpansionTimeout == other.BicepFileExpansionTimeout;
}
/// <inheritdoc/>
@ -89,13 +99,15 @@ namespace PSRule.Rules.Azure.Configuration
hash = hash * 23 + (Deployment != null ? Deployment.GetHashCode() : 0);
hash = hash * 23 + (PolicyIgnoreList != null ? PolicyIgnoreList.GetHashCode() : 0);
hash = hash * 23 + (PolicyRulePrefix != null ? PolicyRulePrefix.GetHashCode() : 0);
hash = hash * 23 + (BicepMinimumVersion != null ? BicepMinimumVersion.GetHashCode() : 0);
hash = hash * 23 + (BicepFileExpansionTimeout != null ? BicepFileExpansionTimeout.GetHashCode() : 0);
return hash;
}
}
internal static ConfigurationOption Combine(ConfigurationOption o1, ConfigurationOption o2)
{
var result = new ConfigurationOption
return new ConfigurationOption
{
ResourceGroup = ResourceGroupOption.Combine(o1?.ResourceGroup, o2?.ResourceGroup),
Subscription = SubscriptionOption.Combine(o1?.Subscription, o2?.Subscription),
@ -104,9 +116,10 @@ namespace PSRule.Rules.Azure.Configuration
ParameterDefaults = ParameterDefaultsOption.Combine(o1?.ParameterDefaults, o2?.ParameterDefaults),
Deployment = DeploymentOption.Combine(o1?.Deployment, o2?.Deployment),
PolicyIgnoreList = o1?.PolicyIgnoreList ?? o2?.PolicyIgnoreList,
PolicyRulePrefix = o1?.PolicyRulePrefix ?? o2?.PolicyRulePrefix
PolicyRulePrefix = o1?.PolicyRulePrefix ?? o2?.PolicyRulePrefix,
BicepMinimumVersion = o1?.BicepMinimumVersion ?? o2?.BicepMinimumVersion,
BicepFileExpansionTimeout = o1?.BicepFileExpansionTimeout ?? o2?.BicepFileExpansionTimeout,
};
return result;
}
/// <summary>
@ -142,7 +155,6 @@ namespace PSRule.Rules.Azure.Configuration
/// </summary>
[DefaultValue(null)]
[YamlMember(Alias = "AZURE_PARAMETER_DEFAULTS", ApplyNamingConventions = false)]
[System.Diagnostics.CodeAnalysis.SuppressMessage("Usage", "CA2227:Collection properties should be read only", Justification = "Must be able to be deserialized using standard pattern.")]
public ParameterDefaultsOption ParameterDefaults { get; set; }
/// <summary>
@ -165,5 +177,19 @@ namespace PSRule.Rules.Azure.Configuration
[DefaultValue(null)]
[YamlMember(Alias = "AZURE_POLICY_IGNORE_LIST", ApplyNamingConventions = false)]
public string[] PolicyIgnoreList { get; set; }
/// <summary>
/// Configures the minimum version of Bicep to support.
/// </summary>
[DefaultValue(null)]
[YamlMember(Alias = "AZURE_BICEP_MINIMUM_VERSION", ApplyNamingConventions = false)]
public string BicepMinimumVersion { get; set; }
/// <summary>
/// Configures the timeout when expanding Bicep files.
/// </summary>
[DefaultValue(null)]
[YamlMember(Alias = "AZURE_BICEP_FILE_EXPANSION_TIMEOUT", ApplyNamingConventions = false)]
public int? BicepFileExpansionTimeout { get; set; }
}
}
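Review bot: The new `BicepFileExpansionTimeout` property's summary omits the unit, while the `RuntimeService` constructor in this same commit documents the matching `timeout` parameter as seconds, so a reader of the `AZURE_BICEP_FILE_EXPANSION_TIMEOUT` alias cannot tell from this class whether `DEFAULT_BICEP_FILE_EXPANSION_TIMEOUT = 5` means seconds or milliseconds. I'd change the summary to `/// Configures the timeout in seconds when expanding Bicep files. Defaults to 5.`. There is also no range check on the value; a zero or negative timeout from YAML flows through `Combine` straight into `RuntimeService`, and what that does is not visible here, so either a guard at the consumer or a note on the property seems worth adding.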


@ -26,6 +26,8 @@ namespace PSRule.Rules.Azure.Data.Bicep
internal sealed class BicepHelper
{
private const int ERROR_FILE_NOT_FOUND = 2;
private const string ENV_AZURE_BICEP_ARGS = "PSRULE_AZURE_BICEP_ARGS";
private const string ENV_AZURE_BICEP_USE_AZURE_CLI = "PSRULE_AZURE_BICEP_USE_AZURE_CLI";
private readonly PipelineContext _Context;
private readonly RuntimeService _Service;
@ -295,6 +297,18 @@ namespace PSRule.Rules.Azure.Data.Bicep
return json == null ? Array.Empty<PSObject>() : ProcessJson(json, templateFile, parameterFile);
}
internal PSObject[] ProcessParamFile(string parameterFile)
{
if (!File.Exists(parameterFile))
throw new FileNotFoundException(string.Format(Thread.CurrentThread.CurrentCulture, PSRuleResources.TemplateFileNotFound, parameterFile), parameterFile);
var json = ReadBicepFile(parameterFile);
if (json == null || !json.TryGetProperty("templateJson", out var templateJson) || !json.TryGetProperty("parametersJson", out var parametersJson))
return Array.Empty<PSObject>();
return ProcessJson(JObject.Parse(templateJson), JObject.Parse(parametersJson), parameterFile);
}
private PSObject[] ProcessJson(JObject templateObject, string templateFile, string parameterFile)
{
var visitor = new RuleDataExportVisitor();
@ -330,6 +344,44 @@ namespace PSRule.Rules.Azure.Data.Bicep
}
// Return results
return GetResources(templateContext);
}
private PSObject[] ProcessJson(JObject templateObject, JObject parametersObject, string parameterFile)
{
var visitor = new RuleDataExportVisitor();
// Load context
var templateContext = new TemplateVisitor.TemplateContext(_Context);
try
{
templateContext.Load(parametersObject);
}
catch (Exception inner)
{
throw new TemplateReadException(string.Format(Thread.CurrentThread.CurrentCulture, PSRuleResources.TemplateExpandInvalid, null, parameterFile, inner.Message), inner, null, parameterFile);
}
// Process
try
{
templateContext.SetSource(null, parameterFile);
visitor.Visit(templateContext, "helper", templateObject);
}
catch (Exception inner)
{
throw new TemplateReadException(string.Format(Thread.CurrentThread.CurrentCulture, PSRuleResources.BicepExpandInvalid, parameterFile, inner.Message), inner, null, parameterFile);
}
// Return results
return GetResources(templateContext);
}
/// <summary>
/// Get resulting resources from expansion.
/// </summary>
private static PSObject[] GetResources(TemplateVisitor.TemplateContext templateContext)
{
var results = new List<PSObject>();
var serializer = new JsonSerializer();
serializer.Converters.Add(new PSObjectJsonConverter());
@ -430,8 +482,14 @@ namespace PSRule.Rules.Azure.Data.Bicep
private static string GetBicepBuildArgs(string sourcePath, bool useAzCLI)
{
GetBicepBuildAdditionalArgs(out var args);
return string.Concat("build --stdout ", args, useAzCLI ? " --file" : string.Empty, " \"", sourcePath, "\"");
var command = GetBicepBuildCommand(sourcePath);
var args = GetBicepBuildAdditionalArgs();
return string.Concat(command, args, useAzCLI ? " --file" : string.Empty, " \"", sourcePath, "\"");
}
private static string GetBicepBuildCommand(string sourcePath)
{
return sourcePath.EndsWith(".bicepparam") ? "build-params --stdout " : "build --stdout ";
}
private static string GetBicepVersionArgs(bool useAzCLI)
@ -439,17 +497,20 @@ namespace PSRule.Rules.Azure.Data.Bicep
return useAzCLI ? "version" : "--version";
}
private static void GetBicepBuildAdditionalArgs(out string args)
/// <summary>
/// Check if the <c>PSRULE_AZURE_BICEP_ARGS</c> environment variable is set.
/// </summary>
private static string GetBicepBuildAdditionalArgs()
{
args = Environment.GetEnvironmentVariable("PSRULE_AZURE_BICEP_ARGS") ?? string.Empty;
return Environment.GetEnvironmentVariable(ENV_AZURE_BICEP_ARGS) ?? string.Empty;
}
/// <summary>
/// Check if the <c>PSRULE_AZURE_BICEP_USE_AZURE_CLI</c> environment is set.
/// Check if the <c>PSRULE_AZURE_BICEP_USE_AZURE_CLI</c> environment variable is set.
/// </summary>
private static bool UseAzCLI()
{
return EnvironmentHelper.Default.TryBool("PSRULE_AZURE_BICEP_USE_AZURE_CLI", out var value) && value;
return EnvironmentHelper.Default.TryBool(ENV_AZURE_BICEP_USE_AZURE_CLI, out var value) && value;
}
}
}
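Review bot: `GetBicepBuildCommand` classifies the file with `sourcePath.EndsWith(".bicepparam")`, which is case-sensitive and culture-sensitive, whereas `TemplateSource` in this same commit uses `StringComparison.OrdinalIgnoreCase` for the same extension check; a `Template.BICEPPARAM` source would be routed to `ProcessParamFile` but compiled with `build --stdout`, and the mismatch would surface only as a parse failure. Use `return sourcePath.EndsWith(".bicepparam", StringComparison.OrdinalIgnoreCase) ? "build-params --stdout " : "build --stdout ";`. In `ProcessParamFile`, the two `JObject.Parse` calls on `templateJson` and `parametersJson` are not wrapped, so malformed compiler output raises a bare `JsonReaderException` instead of the `TemplateReadException` the sibling `ProcessJson` methods produce. The not-found message also reuses `PSRuleResources.TemplateFileNotFound` for a parameter file, which may read oddly to users if that resource string mentions a template.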


@ -165,20 +165,25 @@ function Export-AzRuleData {
# .ExternalHelp PSRule.Rules.Azure-help.xml
function Export-AzRuleTemplateData {
[CmdletBinding()]
[CmdletBinding(DefaultParameterSetName = "Template")]
[OutputType([System.IO.FileInfo])]
[OutputType([PSObject])]
param (
[Parameter(Position = 0, Mandatory = $False)]
[String]$Name,
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True, ParameterSetName = "Template")]
[String]$TemplateFile,
[Parameter(Mandatory = $False, ValueFromPipelineByPropertyName = $True)]
[Parameter(Mandatory = $False, ValueFromPipelineByPropertyName = $True, ParameterSetName = "Template")]
[Alias('TemplateParameterFile')]
[String[]]$ParameterFile,
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True, ParameterSetName = "Source")]
[Alias('f')]
[Alias('FullName')]
[String]$SourceFile,
[Parameter(Mandatory = $False)]
[Alias('ResourceGroupName')]
[PSRule.Rules.Azure.Configuration.ResourceGroupReference]$ResourceGroup,
@ -234,8 +239,15 @@ function Export-AzRuleTemplateData {
process {
if ($Null -ne (Get-Variable -Name pipeline -ErrorAction SilentlyContinue)) {
try {
$source = [PSRule.Rules.Azure.Pipeline.TemplateSource]::new($TemplateFile, $ParameterFile);
$pipeline.Process($source);
if ($PSCmdlet.ParameterSetName -eq 'Source') {
$source = [PSRule.Rules.Azure.Pipeline.TemplateSource]::new($SourceFile);
$pipeline.Process($source);
}
else {
$source = [PSRule.Rules.Azure.Pipeline.TemplateSource]::new($TemplateFile, $ParameterFile);
$pipeline.Process($source);
}
}
catch {
$pipeline.Dispose();
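Review bot: Both branches of the new `if`/`else` in the `process` block end with the identical `$pipeline.Process($source);` call; only the construction of `$source` differs, so the branch can be collapsed to `$source = if ($PSCmdlet.ParameterSetName -eq 'Source') { [PSRule.Rules.Azure.Pipeline.TemplateSource]::new($SourceFile) } else { [PSRule.Rules.Azure.Pipeline.TemplateSource]::new($TemplateFile, $ParameterFile) };` followed by a single `$pipeline.Process($source);`. The cmdlet uses `.ExternalHelp`, so the external help file needs the new `-SourceFile` parameter and its `f`/`FullName` aliases documented; I do not see that file in this diff. The function body continues outside the hunk.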


@ -2,19 +2,20 @@
// Licensed under the MIT License.
using System.Management.Automation;
using PSRule.Rules.Azure.Configuration;
using PSRule.Rules.Azure.Data.Bicep;
using PSRule.Rules.Azure.Data.Template;
using PSRule.Rules.Azure.Runtime;
namespace PSRule.Rules.Azure.Pipeline
{
internal sealed class TemplatePipeline : PipelineBase
{
private readonly TemplateHelper _TemplateHelper;
private TemplateHelper _TemplateHelper;
private BicepHelper _BicepHelper;
internal TemplatePipeline(PipelineContext context)
: base(context)
{
_TemplateHelper = new TemplateHelper(context);
}
: base(context) { }
/// <inheritdoc/>
public override void Process(PSObject sourceObject)
@ -23,17 +24,28 @@ namespace PSRule.Rules.Azure.Pipeline
return;
if (source.ParametersFile == null || source.ParametersFile.Length == 0)
ProcessCatch(source.TemplateFile, null);
ProcessCatch(source.TemplateFile, null, source.Kind);
else
for (var i = 0; i < source.ParametersFile.Length; i++)
ProcessCatch(source.TemplateFile, source.ParametersFile[i]);
ProcessCatch(source.TemplateFile, source.ParametersFile[i], source.Kind);
}
private void ProcessCatch(string templateFile, string parameterFile)
private void ProcessCatch(string templateFile, string parameterFile, TemplateSourceKind kind)
{
try
{
Context.Writer.WriteObject(ProcessTemplate(templateFile, parameterFile), true);
if (kind == TemplateSourceKind.Bicep)
{
Context.Writer.WriteObject(ProcessBicep(templateFile, parameterFile), true);
}
else if (kind == TemplateSourceKind.BicepParam)
{
Context.Writer.WriteObject(ProcessBicepParam(templateFile), true);
}
else
{
Context.Writer.WriteObject(ProcessTemplate(templateFile, parameterFile), true);
}
}
catch (PipelineException ex)
{
@ -45,9 +57,32 @@ namespace PSRule.Rules.Azure.Pipeline
}
}
internal PSObject[] ProcessTemplate(string templateFile, string parameterFile)
private PSObject[] ProcessTemplate(string templateFile, string parameterFile)
{
return _TemplateHelper.ProcessTemplate(templateFile, parameterFile, out _);
return GetTemplateHelper().ProcessTemplate(templateFile, parameterFile, out _);
}
private PSObject[] ProcessBicep(string templateFile, string parameterFile)
{
return GetBicepHelper().ProcessFile(templateFile, parameterFile);
}
private PSObject[] ProcessBicepParam(string parameterFile)
{
return GetBicepHelper().ProcessParamFile(parameterFile);
}
private TemplateHelper GetTemplateHelper()
{
return _TemplateHelper ??= new TemplateHelper(Context);
}
private BicepHelper GetBicepHelper()
{
return _BicepHelper ??= new BicepHelper(Context, new RuntimeService(
minimum: Context.Option.Configuration.BicepMinimumVersion ?? ConfigurationOption.Default.BicepMinimumVersion,
timeout: Context.Option.Configuration.BicepFileExpansionTimeout.GetValueOrDefault(ConfigurationOption.Default.BicepFileExpansionTimeout.Value)
));
}
}
}
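Review bot: `GetBicepHelper` lazily constructs a `RuntimeService`, which the `RuntimeService` section of this commit shows implements `IDisposable`, but nothing in `TemplatePipeline` disposes it; if `PipelineBase` exposes a dispose hook, the service should be released there, and if it does not, the ownership should at least be noted on the `_BicepHelper` field. The `kind` dispatch in `ProcessCatch` treats every value other than `Bicep` and `BicepParam` as a JSON template, including `TemplateSourceKind.None`, which is what the single-argument `TemplateSource` constructor leaves for unrecognized extensions; testing for `TemplateSourceKind.Template` explicitly and reporting unknown kinds as an error would make that failure visible instead of a confusing template-parse error. The enclosing `ProcessCatch` method continues outside the first hunk.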


@ -1,17 +1,50 @@
// Copyright (c) Microsoft Corporation.
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
using System;
namespace PSRule.Rules.Azure.Pipeline
{
internal enum TemplateSourceKind
{
None = 0,
Template = 1,
Bicep = 2,
BicepParam = 3,
}
/// <summary>
/// A source for template expansion.
/// </summary>
public sealed class TemplateSource
{
internal readonly string TemplateFile;
internal readonly string[] ParametersFile;
internal readonly TemplateSourceKind Kind;
/// <summary>
/// Create a source.
/// </summary>
public TemplateSource(string templateFile, string[] parametersFile)
{
TemplateFile = templateFile;
ParametersFile = parametersFile;
Kind = TemplateSourceKind.Template;
}
/// <summary>
/// Create a source.
/// </summary>
public TemplateSource(string sourceFile)
{
if (string.IsNullOrEmpty(sourceFile))
throw new ArgumentNullException(nameof(sourceFile));
TemplateFile = sourceFile;
if (TemplateFile.EndsWith(".bicep", StringComparison.OrdinalIgnoreCase))
Kind = TemplateSourceKind.Bicep;
else if (TemplateFile.EndsWith(".bicepparam", StringComparison.OrdinalIgnoreCase))
Kind = TemplateSourceKind.BicepParam;
}
}
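Review bot: The new single-argument constructor leaves `Kind` at its default `TemplateSourceKind.None` for any extension other than `.bicep` or `.bicepparam`, so a `.json` path passed through `-SourceFile` reaches the pipeline with `Kind = None` and is only processed as a template because the pipeline's `else` branch happens to catch it; set `Kind = TemplateSourceKind.Template;` in a final `else`, or reject unsupported extensions with an `ArgumentException`. The empty-string case throws `ArgumentNullException`, where `ArgumentException` is the conventional type for an empty (non-null) value. Both constructors carry the same `Create a source.` summary; the second one should say what distinguishes it, e.g. `/// Create a source from a single file, inferring the kind from its extension (.bicep or .bicepparam).`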
}


@ -136,6 +136,14 @@ namespace PSRule.Rules.Azure.Runtime
return GetBicepResources(service as RuntimeService, bicepFile, null);
}
/// <summary>
/// Expand resources from a bicep param file.
/// </summary>
public static PSObject[] GetBicepParamResources(IService service, string bicepFile)
{
return GetBicepParamResources(service as RuntimeService, bicepFile);
}
/// <summary>
/// Get the linked template path.
/// </summary>
@ -202,6 +210,16 @@ namespace PSRule.Rules.Azure.Runtime
return bicep.ProcessFile(templateFile, parameterFile);
}
private static PSObject[] GetBicepParamResources(RuntimeService service, string parameterFile)
{
var context = GetContext();
var bicep = new BicepHelper(
context,
service
);
return bicep.ProcessParamFile(parameterFile);
}
private static PipelineContext GetContext()
{
PSCmdlet commandRuntime = null;
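Review bot: The public `GetBicepParamResources(IService service, string bicepFile)` names its path parameter `bicepFile` while the private overload it forwards to names the same value `parameterFile`; since the public method is the surface the convention calls, renaming its parameter to `parameterFile` would match the private method and the `bicep param file` wording of the XML summary. As with the existing `GetBicepResources`, `service as RuntimeService` silently yields `null` when another `IService` implementation is supplied and that `null` is handed to `BicepHelper`; what happens then is not visible here, so it is worth confirming that `BicepHelper` guards against it. The enclosing `GetContext` method continues outside the hunk.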


@ -15,6 +15,11 @@ namespace PSRule.Rules.Azure.Runtime
private bool _Disposed;
/// <summary>
/// Create a runtime service.
/// </summary>
/// <param name="minimum">The minimum version of Bicep.</param>
/// <param name="timeout">The timeout in seconds for expansion.</param>
public RuntimeService(string minimum, int timeout)
{
Minimum = minimum;
@ -28,11 +33,13 @@ namespace PSRule.Rules.Azure.Runtime
/// </summary>
public int Timeout { get; }
/// <summary>
/// The minimum version of Bicep.
/// </summary>
public string Minimum { get; }
public BicepHelper.BicepInfo Bicep { get; internal set; }
#region IDisposable
private void Dispose(bool disposing)
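Review bot: `Bicep` is the only public member in this hunk still without an XML summary now that `Timeout` and `Minimum` have them, and its `internal set` is the one non-obvious aspect; I'd add `/// <summary>Information about the Bicep tool associated with this service. Set internally.</summary>`. The new constructor summary documents `timeout` as seconds, but the visible part of the constructor only assigns `Minimum`; the rest of its body, including any range validation of `timeout`, is outside the hunk.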


@ -28,6 +28,7 @@ spec:
AZURE_PARAMETER_FILE_EXPANSION: false
AZURE_PARAMETER_FILE_METADATA_LINK: false
AZURE_BICEP_FILE_EXPANSION: false
AZURE_BICEP_PARAMS_FILE_EXPANSION: false
AZURE_BICEP_MINIMUM_VERSION: '0.4.451'
AZURE_BICEP_CHECK_TOOL: false
@ -43,11 +44,12 @@ spec:
convention:
include:
- 'Azure.Context'
- 'Azure.DeprecatedOptions'
- 'Azure.ExpandTemplate'
- 'Azure.BicepInstall'
- 'Azure.ExpandBicep'
- Azure.Context
- Azure.DeprecatedOptions
- Azure.ExpandTemplate
- Azure.BicepInstall
- Azure.ExpandBicep
- Azure.ExpandBicepParam
rule:
baseline: Azure.Default
output:


@ -102,4 +102,27 @@ Export-PSRuleConvention 'Azure.ExpandBicep' -If { $Configuration.AZURE_BICEP_FIL
Write-Verbose "[Azure.ExpandBicep] -- Complete expanding bicep source: $($TargetObject.FullName)";
}
# Synopsis: Expand .bicepparam files for analysis.
Export-PSRuleConvention 'Azure.ExpandBicepParam' -If { $Configuration.AZURE_BICEP_PARAMS_FILE_EXPANSION -eq $True -and $TargetObject.Extension -eq '.bicepparam' } -Begin {
Write-Verbose "[Azure.ExpandBicepParam] -- Start expanding bicep from parameter file: $($TargetObject.FullName)";
$context = $PSRule.GetService('Azure.Context');
try {
$data = [PSRule.Rules.Azure.Runtime.Helper]::GetBicepParamResources($context, $TargetObject.FullName);
if ($Null -ne $data) {
Write-Verbose "[Azure.ExpandBicepParam] -- Importing $($data.Length) Bicep resources.";
$PSRule.Import($data);
}
}
catch [PSRule.Rules.Azure.Pipeline.BicepCompileException] {
Write-Error -Exception $_.Exception -ErrorId 'Azure.ExpandBicepParam.BicepCompileException';
}
catch [System.IO.FileNotFoundException] {
Write-Error -Exception $_.Exception;
}
catch {
Write-Error -Message "Failed to expand bicep source '$($TargetObject.FullName)'. $($_.Exception.Message)" -ErrorId 'Azure.ExpandBicepParam.ConventionException';
}
Write-Verbose "[Azure.ExpandBicepParam] -- Complete expanding bicep source: $($TargetObject.FullName)";
}
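Review bot: The `FileNotFoundException` catch in `Azure.ExpandBicepParam` is the only one of the three that writes the error without an `-ErrorId`, so anyone filtering on error ids cannot attribute a missing `.bicepparam` or referenced template to this convention; I'd use `Write-Error -Exception $_.Exception -ErrorId 'Azure.ExpandBicepParam.FileNotFoundException';` (and align the sibling `Azure.ExpandBicep` convention if it has the same omission). The closing `Complete expanding` verbose message is written even after a catch block fired, which makes the verbose log read as success following a failure; the existing convention above may behave the same, in which case this is a pre-existing style choice rather than a regression.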
#endregion Bicep


@ -41,6 +41,7 @@ Describe 'Bicep' -Tag 'Bicep' {
# Expand source files
$option = @{
'Configuration.AZURE_BICEP_FILE_EXPANSION' = $True
'Configuration.AZURE_BICEP_FILE_EXPANSION_TIMEOUT' = 60
}
$result = @(Invoke-PSRule @invokeParams -InputPath $sourceFile -Format File -Option $option);
$result.Length | Should -BeGreaterThan 1;
@ -70,6 +71,7 @@ Describe 'Bicep' -Tag 'Bicep' {
# Expand source files
$option = @{
'Configuration.AZURE_BICEP_FILE_EXPANSION' = $True
'Configuration.AZURE_BICEP_FILE_EXPANSION_TIMEOUT' = 60
}
$Env:PSRULE_AZURE_BICEP_USE_AZURE_CLI = 'true';
$result = @(Invoke-PSRule @invokeParams -InputPath $sourceFile -Format File -Option $option);
@ -83,7 +85,7 @@ Describe 'Bicep' -Tag 'Bicep' {
}
}
It 'Expands Bicep with parameters file' {
It 'Expands Bicep with JSON parameters file' {
$invokeParams = @{
Module = 'PSRule.Rules.Azure'
WarningAction = 'Ignore'
@ -101,6 +103,7 @@ Describe 'Bicep' -Tag 'Bicep' {
# Expand source files
$option = @{
'Configuration.AZURE_PARAMETER_FILE_EXPANSION' = $True
'Configuration.AZURE_BICEP_FILE_EXPANSION_TIMEOUT' = 60
}
$Env:PSRULE_AZURE_BICEP_USE_AZURE_CLI = 'true';
$result = @(Invoke-PSRule @invokeParams -InputPath $sourceFile -Format File -Option $option);
@ -115,6 +118,29 @@ Describe 'Bicep' -Tag 'Bicep' {
}
}
It 'Expands Bicep with .bicepparams file' {
$invokeParams = @{
Module = 'PSRule.Rules.Azure'
WarningAction = 'Ignore'
ErrorAction = 'Stop'
Name = 'Azure.Storage.Name'
}
# Default
$sourceFile = Join-Path -Path $here -ChildPath 'template.bicepparam';
# Expand source files
$option = @{
'Configuration.AZURE_BICEP_PARAMS_FILE_EXPANSION' = $True
}
$result = @(Invoke-PSRule @invokeParams -InputPath $sourceFile -Format File -Option $option);
$result.Length | Should -Be 1;
$resource = $result | Where-Object { $_.TargetType -eq 'Microsoft.Storage/storageAccounts' };
$resource | Should -Not -BeNullOrEmpty;
$resource.TargetName | Should -Be 'bicepstorage001';
$resource.TargetObject.tags.env | Should -Be 'test';
}
It 'Bicep expand completes with errors' {
$invokeParams = @{
Baseline = 'Azure.All'
@ -132,6 +158,7 @@ Describe 'Bicep' -Tag 'Bicep' {
# Expand source files
$option = @{
'Configuration.AZURE_BICEP_FILE_EXPANSION' = $True
'Configuration.AZURE_BICEP_FILE_EXPANSION_TIMEOUT' = 60
}
$Env:PSRULE_AZURE_BICEP_USE_AZURE_CLI = 'true';
$sourceFile = Join-Path -Path $here -ChildPath 'template.bicep';
@ -157,6 +184,7 @@ Describe 'Bicep' -Tag 'Bicep' {
# Expand source files
$option = @{
'Configuration.AZURE_BICEP_FILE_EXPANSION' = $True
'Configuration.AZURE_BICEP_FILE_EXPANSION_TIMEOUT' = 60
}
$Env:PSRULE_AZURE_BICEP_USE_AZURE_CLI = 'true';
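Review bot: The new `Expands Bicep with .bicepparams file` test omits the `'Configuration.AZURE_BICEP_FILE_EXPANSION_TIMEOUT' = 60` entry this commit adds to every sibling `$option` table, so it presumably runs with the default timeout and is the case most likely to fail on a slow CI agent, given `build-params` is an experimental Bicep path; add that entry next to `AZURE_BICEP_PARAMS_FILE_EXPANSION`. The test name says `.bicepparams` while the fixture and feature use the `.bicepparam` extension: `It 'Expands Bicep with .bicepparam file' {`. Unlike the JSON-parameters test, this one never sets `$Env:PSRULE_AZURE_BICEP_USE_AZURE_CLI`, so the Azure CLI code path for `build-params` is untested; a second case is worth adding if that path is meant to be supported. The enclosing `Describe` block continues outside the hunks.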


@ -1,8 +1,12 @@
{
"analyzers": {
"core": {
"enabled": true,
"verbose": true
}
"analyzers": {
"core": {
"enabled": true,
"verbose": true
}
},
"experimentalFeaturesEnabled": {
"paramsFiles": true,
"userDefinedTypes": false
}
}


@ -0,0 +1,9 @@
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
using 'template.bicep'
param storageAccountName = 'bicepstorage001'
param tags = {
env: 'test'
}