Bernie White 2020-02-15 15:12:42 +10:00 committed by GitHub
Parent 500a71ebd0
Commit a498afb287
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
9 changed files: 379 additions and 9 deletions

View file

@ -2,14 +2,19 @@
## Unreleased
- Added new rules for Traffic Manager:
- Check web-based endpoints are monitored with HTTPS. [#240](https://github.com/Microsoft/PSRule.Rules.Azure/issues/240)
- Check at least two endpoints are enabled. [#241](https://github.com/Microsoft/PSRule.Rules.Azure/issues/241)
## v0.9.0-B2002019 (pre-release)
- Added new rule to check Azure Firewall threat intelligence is configured as deny. [#266](https://github.com/Microsoft/PSRule.Rules.Azure/issues/266)
- Added new rule to check Front Door is enabled. [#267](https://github.com/Microsoft/PSRule.Rules.Azure/issues/267)
- Added new rule to check Front Door uses TLS 1.2. [#268](https://github.com/Microsoft/PSRule.Rules.Azure/issues/268)
- Added new rule to check Front Door uses WAF. [#269](https://github.com/Microsoft/PSRule.Rules.Azure/issues/269)
- Added new rule to check Front Door WAF policy is configured in prevention mode. [#271](https://github.com/Microsoft/PSRule.Rules.Azure/issues/271)
- Added new rule to check Front Door WAF policy is enabled. [#270](https://github.com/Microsoft/PSRule.Rules.Azure/issues/270)
- Added new rules for Front Door:
- Check Front Door is enabled. [#267](https://github.com/Microsoft/PSRule.Rules.Azure/issues/267)
- Check Front Door uses TLS 1.2. [#268](https://github.com/Microsoft/PSRule.Rules.Azure/issues/268)
- Check Front Door has a configured WAF policy. [#269](https://github.com/Microsoft/PSRule.Rules.Azure/issues/269)
- Check Front Door WAF policy is configured in prevention mode. [#271](https://github.com/Microsoft/PSRule.Rules.Azure/issues/271)
- Check Front Door WAF policy is enabled. [#270](https://github.com/Microsoft/PSRule.Rules.Azure/issues/270)
## v0.9.0-B2002011 (pre-release)
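Review bot: the Unreleased section records the two new Traffic Manager rules but not the build-script change in this same commit that raises the minimum PSRule version for Release builds from 0.13.0 to 0.14.0; a dependency floor change is exactly what consumers scan the changelog for, so add a line such as "Bump PSRule dependency to v0.14.0." alongside the rule entries.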

View file

@ -0,0 +1,29 @@
---
severity: Single point of failure
category: Reliability
resource: Traffic Manager
online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/master/docs/rules/en/Azure.TrafficManager.Endpoints.md
---
# Use at least two Traffic Manager endpoints
## SYNOPSIS
Traffic Manager should use at lest two enabled endpoints.
## DESCRIPTION
Traffic Manager is a DNS service that enables you to distribute traffic to improve availability and responsiveness.
Traffic is distributed across endpoints, which can be located in different availability zones and regions.
When only one enabled endpoint exists, routing for high availability and/ or responsiveness is not possible.
## RECOMMENDATION
Consider adding additional endpoints or enabling disabled endpoints.
Also consider, using endpoints deployed across different regions to provide high availability.
## LINKS
- [What is Traffic Manager?](https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview)
- [How Traffic Manager Works](https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-how-it-works)
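Review bot: the SYNOPSIS line "Traffic Manager should use at lest two enabled endpoints." has a typo, "at lest" should be "at least"; the identical string is copied into the rule index row and the rule file's Synopsis comment in this commit, so fix all three together. In the DESCRIPTION, "and/ or" should be "and/or". Since the rule counts endpoints by endpointStatus only, it would help to say here that an endpoint which is Enabled but reporting a Degraded monitor status still counts toward the two, so readers do not assume the rule checks health.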

View file

@ -0,0 +1,34 @@
---
severity: Important
category: Security configuration
resource: Traffic Manager
online version: https://github.com/Microsoft/PSRule.Rules.Azure/blob/master/docs/rules/en/Azure.TrafficManager.Protocol.md
---
# Use HTTPS to monitor web-based endpoints
## SYNOPSIS
Monitor Traffic Manager web-based endpoints with HTTPS.
## DESCRIPTION
Traffic Manager can use TCP, HTTP or HTTPS to monitor endpoint health.
For web-based endpoints use HTTPS.
If TCP is used, Traffic Manager only checks that it can open a TCP port on the endpoint.
This alone does not indicate that the endpoint is operational and ready to receive requests.
Additionally when using HTTP and HTTPS, Traffic Manager check HTTP response codes.
If HTTP is used, Traffic Manager will send unencrypted health checks to the endpoint.
HTTPS-based health checks additionally check if a certificate is present,
but do not validate if the certificate is valid.
## RECOMMENDATION
Consider using HTTPS to monitor web-based endpoint health.
HTTPS-based monitoring improves security and increases accuracy of health probes.
## LINKS
- [Traffic Manager endpoint monitoring](https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-monitoring)
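Review bot: the DESCRIPTION never states when this rule applies. The rule added in this commit only evaluates profiles whose monitorConfig.port is 80 or 443, so a profile probing HTTP on any other port (8080, for example) is not flagged at all; state that scope here, otherwise the doc promises coverage the rule does not give. Grammar: "Traffic Manager check HTTP response codes" should read "Traffic Manager checks HTTP response codes". The sentence that HTTPS probes only check a certificate is present and do not validate it is worth keeping, because it makes clear the rule improves probe accuracy and hygiene rather than authenticating the endpoint.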

View file

@ -11,7 +11,7 @@ Name | Synopsis | Severity
[Azure.VM.DiskAttached](Azure.VM.DiskAttached.md) | Managed disks should be attached to virtual machines. | Awareness
[Azure.VM.DiskSizeAlignment](Azure.VM.DiskSizeAlignment.md) | Managed disk is smaller than SKU size. | Awareness
[Azure.VM.PromoSku](Azure.VM.PromoSku.md) | Virtual machines (VMs) should not use expired promotional SKU. | Awareness
[Azure.VM.UseHybridUseBenefit](Azure.VM.UseHybridUseBenefit.md) | Use Hybrid Use Benefit. | Awareness
[Azure.VM.UseHybridUseBenefit](Azure.VM.UseHybridUseBenefit.md) | Use Hybrid Use Benefit (HUB) for applicable virtual machine (VM) workloads. | Awareness
### Data recovery
@ -65,10 +65,11 @@ Name | Synopsis | Severity
[Azure.AppService.PlanInstanceCount](Azure.AppService.PlanInstanceCount.md) | Use an App Service Plan with at least two (2) instances. | Single point of failure
[Azure.NSG.DenyAllInbound](Azure.NSG.DenyAllInbound.md) | Avoid denying all inbound traffic. | Important
[Azure.Storage.UseReplication](Azure.Storage.UseReplication.md) | Storage accounts not using GRS may be at risk. | Single point of failure
[Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Single point of failure
[Azure.VM.ASAlignment](Azure.VM.ASAlignment.md) | Availability sets should be aligned. | Single point of failure
[Azure.VM.ASMinMembers](Azure.VM.ASMinMembers.md) | Availability sets should be deployed with at least two members. | Single point of failure
[Azure.VM.Standalone](Azure.VM.Standalone.md) | VMs must use premium disks or use availability sets/ zones to meet SLA requirements. | Single point of failure
[Azure.VM.UseManagedDisks](Azure.VM.UseManagedDisks.md) | Virtual machines should use managed disks. | Single point of failure
[Azure.VM.UseManagedDisks](Azure.VM.UseManagedDisks.md) | Virtual machines (VMs) should use managed disks. | Single point of failure
[Azure.VNET.LocalDNS](Azure.VNET.LocalDNS.md) | Virtual networks (VNETs) should use Azure local DNS servers. | Important
[Azure.VNET.SingleDNS](Azure.VNET.SingleDNS.md) | VNETs should have at least two DNS servers assigned. | Single point of failure
@ -123,7 +124,7 @@ Name | Synopsis | Severity
[Azure.MySQL.AllowAzureAccess](Azure.MySQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important
[Azure.MySQL.FirewallIPRange](Azure.MySQL.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses. | Important
[Azure.MySQL.UseSSL](Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical
[Azure.NSG.AnyInboundSource](Azure.NSG.AnyInboundSource.md) | Network security groups should avoid any inbound rules. | Critical
[Azure.NSG.AnyInboundSource](Azure.NSG.AnyInboundSource.md) | Network security groups (NSGs) should avoid rules that allow any inbound source. | Critical
[Azure.NSG.LateralTraversal](Azure.NSG.LateralTraversal.md) | Deny outbound management connections from non-management hosts. | Important
[Azure.PostgreSQL.AllowAzureAccess](Azure.PostgreSQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important
[Azure.PostgreSQL.FirewallIPRange](Azure.PostgreSQL.FirewallIPRange.md) | Determine if there is an excessive number of permitted IP addresses. | Important
@ -136,6 +137,7 @@ Name | Synopsis | Severity
[Azure.SQL.ThreatDetection](Azure.SQL.ThreatDetection.md) | Enable Advanced Thread Protection for Azure SQL logical server. | Important
[Azure.Storage.SecureTransfer](Azure.Storage.SecureTransfer.md) | Storage accounts should only accept encrypted connections. | Important
[Azure.Storage.UseEncryption](Azure.Storage.UseEncryption.md) | Storage Service Encryption (SSE) should be enabled. | Important
[Azure.TrafficManager.Protocol](Azure.TrafficManager.Protocol.md) | Monitor Traffic Manager web-based endpoints with HTTPS. | Important
[Azure.VM.ADE](Azure.VM.ADE.md) | Use Azure Disk Encryption. | Important
[Azure.VM.PublicKey](Azure.VM.PublicKey.md) | Linux virtual machines should use public keys. | Important
[Azure.VNET.UseNSGs](Azure.VNET.UseNSGs.md) | Subnets should have NSGs assigned. | Critical
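Review bot: not introduced by this change, but the unchanged context row for Azure.SQL.ThreatDetection reads "Advanced Thread Protection"; it should be "Advanced Threat Protection". Worth correcting while this table is being edited.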

View file

@ -146,7 +146,7 @@ task VersionModule ModuleDependencies, {
$manifest = Test-ModuleManifest -Path $manifestPath;
$requiredModules = $manifest.RequiredModules | ForEach-Object -Process {
if ($_.Name -eq 'PSRule' -and $Configuration -eq 'Release') {
@{ ModuleName = 'PSRule'; ModuleVersion = '0.13.0' }
@{ ModuleName = 'PSRule'; ModuleVersion = '0.14.0' }
}
else {
@{ ModuleName = $_.Name; ModuleVersion = $_.Version }
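Review bot: the 0.14.0 floor is applied only when $Configuration is 'Release'; the else branch still takes ModuleVersion from the module manifest's RequiredModules, and this commit does not show the manifest being updated. Confirm the manifest's PSRule entry also says 0.14.0, otherwise Debug and Release builds will declare different minimum versions, and add a short comment above the branch saying why the Release build pins a newer version than the manifest.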

View file

@ -14,4 +14,5 @@
ServiceUrlNotHttps = "The service URL for '{0}' is not a HTTPS endpoint."
BackendUrlNotHttps = "The backend URL for '{0}' is not a HTTPS endpoint."
ResourceNotAssociated = "The resource is not associated."
EnabledEndpoints = "The number of enabled endpoints is {0}."
}
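Review bot: the new EnabledEndpoints message reports only the count ("The number of enabled endpoints is {0}.") and not the expectation, so a failing result does not tell the reader what would pass. The rule's threshold is fixed at two, so the message can state it, for example "The number of enabled endpoints is {0}; at least two are required."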

View file

@ -0,0 +1,25 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
#
# Validation rules for Traffic Manager resources
#
# Synopsis: Traffic Manager should use at lest two enabled endpoints
Rule 'Azure.TrafficManager.Endpoints' -Type 'Microsoft.Network/trafficManagerProfiles' -Tag @{ release = 'GA' } {
$endpoints = @($TargetObject.Properties.endpoints | Where-Object { $_.Properties.endpointStatus -eq 'Enabled'});
$Assert.Create($endpoints.Length -ge 2, ($LocalizedData.EnabledEndpoints -f $endpoints.Length))
}
# Synopsis: Monitor Traffic Manager endpoints with HTTPS
Rule 'Azure.TrafficManager.Protocol' -Type 'Microsoft.Network/trafficManagerProfiles' -If { (IsHttpMonitor) } -Tag @{ release = 'GA' } {
$Assert.HasFieldValue($TargetObject, 'Properties.monitorConfig.protocol', 'HTTPS');
}
function global:IsHttpMonitor {
[CmdletBinding()]
param ()
process {
return $TargetObject.Properties.monitorConfig.port -in 80, 443;
}
}
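Review bot: IsHttpMonitor decides "web-based" purely from monitorConfig.port being 80 or 443, so a profile probing with protocol HTTP on a non-standard port (8080, 8443) gets outcome None and is never flagged, while a TCP probe on port 443 is evaluated as a web endpoint and fails. If that asymmetry is intended, document the port heuristic in the rule doc; if not, key the precondition on protocol as well (HTTP or HTTPS, plus TCP on 80/443 if you want to catch that case). Two smaller points: the Synopsis comment carries the "at lest" typo that is copied into the rule index, and Azure.TrafficManager.Endpoints counts only endpointStatus -eq 'Enabled' and ignores endpointMonitorStatus, so the doc should say an enabled but Degraded endpoint still satisfies the rule.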

View file

@ -0,0 +1,76 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
#
# Unit tests for Traffic Manager rules
#
[CmdletBinding()]
param (
)
# Setup error handling
$ErrorActionPreference = 'Stop';
Set-StrictMode -Version latest;
if ($Env:SYSTEM_DEBUG -eq 'true') {
$VerbosePreference = 'Continue';
}
# Setup tests paths
$rootPath = $PWD;
Import-Module (Join-Path -Path $rootPath -ChildPath out/modules/PSRule.Rules.Azure) -Force;
$here = (Resolve-Path $PSScriptRoot).Path;
Describe 'Azure.TrafficManager' -Tag 'TrafficManager' {
$dataPath = Join-Path -Path $here -ChildPath 'Resources.TrafficManager.json';
Context 'Conditions' {
$invokeParams = @{
Baseline = 'Azure.All'
Module = 'PSRule.Rules.Azure'
WarningAction = 'Ignore'
ErrorAction = 'Stop'
}
$result = Invoke-PSRule @invokeParams -InputPath $dataPath -Outcome All;
It 'Azure.TrafficManager.Endpoints' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.TrafficManager.Endpoints' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 2;
$ruleResult.TargetName | Should -Be 'profile-B', 'profile-C';
# Pass
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 1;
$ruleResult.TargetName | Should -Be 'profile-A';
}
It 'Azure.TrafficManager.Protocol' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.TrafficManager.Protocol' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 1;
$ruleResult.TargetName | Should -Be 'profile-A';
# Pass
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 1;
$ruleResult.TargetName | Should -Be 'profile-C';
# None
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 1;
$ruleResult.TargetName | Should -Be 'profile-B';
}
}
}
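Review bot: the fixtures cover only HTTP on 80 (profile-A), TCP on 1433 (profile-B) and HTTPS on 443 (profile-C), so the boundary of the IsHttpMonitor precondition is not exercised: there is no case for HTTP on a non-standard port, which currently yields None, nor for TCP on 443, which currently fails. Add a profile-D fixture for at least one of those so the intended behaviour is pinned by a test rather than implied. The expected TargetName order ('profile-B', 'profile-C') also depends on the order of objects in Resources.TrafficManager.json, which is acceptable but worth a comment so a reordered fixture does not look like a rule regression.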

View file

@ -0,0 +1,198 @@
[
{
"ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.Network/trafficManagerProfiles/profile-A",
"Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.Network/trafficManagerProfiles/profile-A",
"Identity": null,
"Kind": null,
"Location": "global",
"ManagedBy": null,
"ResourceName": "profile-A",
"Name": "profile-A",
"Properties": {
"profileStatus": "Enabled",
"trafficRoutingMethod": "Geographic",
"dnsConfig": {
"relativeName": "profile-A",
"fqdn": "profile-A.trafficmanager.net",
"ttl": 60
},
"monitorConfig": {
"profileMonitorStatus": "Degraded",
"protocol": "HTTP",
"port": 80,
"path": "/",
"intervalInSeconds": 30,
"toleratedNumberOfFailures": 3,
"timeoutInSeconds": 10
},
"endpoints": [
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.Network/trafficManagerProfiles/profile-A/externalEndpoints/endpoint-A",
"name": "endpoint-A",
"type": "Microsoft.Network/trafficManagerProfiles/externalEndpoints",
"properties": {
"endpointStatus": "Enabled",
"endpointMonitorStatus": "Degraded",
"target": "endpoint-A01.azureedge.net",
"weight": 1,
"priority": 1,
"endpointLocation": null,
"geoMapping": [
"WORLD"
]
}
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.Network/trafficManagerProfiles/profile-A/externalEndpoints/endpoint-B",
"name": "endpoint-B",
"type": "Microsoft.Network/trafficManagerProfiles/externalEndpoints",
"properties": {
"endpointStatus": "Enabled",
"endpointMonitorStatus": "Degraded",
"target": "endpoint-B01.azureedge.net",
"weight": 1,
"priority": 1,
"endpointLocation": null,
"geoMapping": [
"WORLD"
]
}
}
],
"trafficViewEnrollmentStatus": "Disabled",
"maxReturn": 0
},
"ResourceGroupName": "rg-test",
"Type": "Microsoft.Network/trafficManagerProfiles",
"ResourceType": "Microsoft.Network/trafficManagerProfiles",
"ExtensionResourceType": null,
"Sku": null,
"Tags": {},
"SubscriptionId": "00000000-0000-0000-0000-000000000000"
},
{
"ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.Network/trafficManagerProfiles/profile-B",
"Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.Network/trafficManagerProfiles/profile-B",
"Identity": null,
"Kind": null,
"Location": "global",
"ManagedBy": null,
"ResourceName": "profile-B",
"Name": "profile-B",
"Properties": {
"profileStatus": "Enabled",
"trafficRoutingMethod": "Geographic",
"dnsConfig": {
"relativeName": "profile-B",
"fqdn": "profile-B.trafficmanager.net",
"ttl": 60
},
"monitorConfig": {
"profileMonitorStatus": "Degraded",
"protocol": "TCP",
"port": 1433,
"intervalInSeconds": 30,
"toleratedNumberOfFailures": 3,
"timeoutInSeconds": 10
},
"endpoints": [
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.Network/trafficManagerProfiles/profile-B/externalEndpoints/endpoint-A",
"name": "endpoint-A",
"type": "Microsoft.Network/trafficManagerProfiles/externalEndpoints",
"properties": {
"endpointStatus": "Enabled",
"endpointMonitorStatus": "Degraded",
"target": "endpoint-A01.azureedge.net",
"weight": 1,
"priority": 1,
"endpointLocation": null,
"geoMapping": [
"WORLD"
]
}
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.Network/trafficManagerProfiles/profile-B/externalEndpoints/endpoint-B",
"name": "endpoint-B",
"type": "Microsoft.Network/trafficManagerProfiles/externalEndpoints",
"properties": {
"endpointStatus": "Disabled",
"endpointMonitorStatus": "Degraded",
"target": "endpoint-B01.azureedge.net",
"weight": 1,
"priority": 1,
"endpointLocation": null,
"geoMapping": [
"WORLD"
]
}
}
],
"trafficViewEnrollmentStatus": "Disabled",
"maxReturn": 0
},
"ResourceGroupName": "rg-test",
"Type": "Microsoft.Network/trafficManagerProfiles",
"ResourceType": "Microsoft.Network/trafficManagerProfiles",
"ExtensionResourceType": null,
"Sku": null,
"Tags": {},
"SubscriptionId": "00000000-0000-0000-0000-000000000000"
},
{
"ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.Network/trafficManagerProfiles/profile-C",
"Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.Network/trafficManagerProfiles/profile-C",
"Identity": null,
"Kind": null,
"Location": "global",
"ManagedBy": null,
"ResourceName": "profile-C",
"Name": "profile-C",
"Properties": {
"profileStatus": "Enabled",
"trafficRoutingMethod": "Geographic",
"dnsConfig": {
"relativeName": "profile-C",
"fqdn": "profile-C.trafficmanager.net",
"ttl": 60
},
"monitorConfig": {
"profileMonitorStatus": "Degraded",
"protocol": "HTTPS",
"port": 443,
"path": "/",
"intervalInSeconds": 30,
"toleratedNumberOfFailures": 3,
"timeoutInSeconds": 10
},
"endpoints": [
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-test/providers/Microsoft.Network/trafficManagerProfiles/profile-C/externalEndpoints/endpoint-A",
"name": "endpoint-A",
"type": "Microsoft.Network/trafficManagerProfiles/externalEndpoints",
"properties": {
"endpointStatus": "Enabled",
"endpointMonitorStatus": "Degraded",
"target": "endpoint-A01.azureedge.net",
"weight": 1,
"priority": 1,
"endpointLocation": null,
"geoMapping": [
"WORLD"
]
}
}
],
"trafficViewEnrollmentStatus": "Disabled",
"maxReturn": 0
},
"ResourceGroupName": "rg-test",
"Type": "Microsoft.Network/trafficManagerProfiles",
"ResourceType": "Microsoft.Network/trafficManagerProfiles",
"ExtensionResourceType": null,
"Sku": null,
"Tags": {},
"SubscriptionId": "00000000-0000-0000-0000-000000000000"
}
]