microsoft
/
PSRule.Rules.Azure
зеркало из https://github.com/Azure/PSRule.Rules.Azure.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Added and renamed VM rules #132 #131 #130 #119 (#133)

This commit is contained in:
Bernie White 2019-10-04 14:07:53 +10:00 коммит произвёл GitHub
Родитель ea11fb6dd9
Коммит e9563190f0
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
25 изменённых файлов: 195 добавлений и 103 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

4
.azure-pipelines/pipeline-deps.ps1
Просмотреть файл

@ -10,8 +10,8 @@ if ($Null -eq (Get-PackageProvider -Name NuGet -ErrorAction Ignore)) {
Install-PackageProvider -Name NuGet -Force -Scope CurrentUser;
}
if ($Null -eq (Get-InstalledModule -Name PowerShellGet -MinimumVersion 2.1.4 -ErrorAction Ignore)) {
Install-Module PowerShellGet -MinimumVersion 2.1.4 -Scope CurrentUser -Force -AllowClobber;
if ($Null -eq (Get-InstalledModule -Name PowerShellGet -MinimumVersion 2.2.1 -ErrorAction Ignore)) {
Install-Module PowerShellGet -MinimumVersion 2.2.1 -Scope CurrentUser -Force -AllowClobber;
}
if ($Null -eq (Get-InstalledModule -Name InvokeBuild -MinimumVersion 5.4.0 -ErrorAction Ignore)) {

5
CHANGELOG.md
Просмотреть файл

@ -2,6 +2,11 @@
## Unreleased
- Added rule to verify Windows automatic updates are enabled. [#132](https://github.com/BernieWhite/PSRule.Rules.Azure/issues/132)
- Added rule to verify VM agent is automatically provisioned. [#131](https://github.com/BernieWhite/PSRule.Rules.Azure/issues/131)
- Updated `Azure.AKS.Version` to 1.14.6. [#130](https://github.com/BernieWhite/PSRule.Rules.Azure/issues/130)
- **Breaking change**: Renamed `Azure.VirtualMachine.*` rules to `Azure.VM.*` [#119](https://github.com/BernieWhite/PSRule.Rules.Azure/issues/119)
## v0.4.0
What's changed since v0.3.0:

2
docs/rules/en-US/Azure.VirtualMachine.ADE.md → docs/rules/en-US/Azure.VM.ADE.md
Просмотреть файл

@ -1,7 +1,7 @@
---
severity: Important
category: Security configuration
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualMachine.ADE.md
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.ADE.md
---
# Use Azure Disk Encryption

2
docs/rules/en-US/Azure.VirtualMachine.ASAlignment.md → docs/rules/en-US/Azure.VM.ASAlignment.md
Просмотреть файл

@ -1,7 +1,7 @@
---
severity: Single point of failure
category: Reliability
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualMachine.ASAlignment.md
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.ASAlignment.md
ms-content-id: 28583693-11e4-4a16-b864-8caa6e408162
---

4
docs/rules/en-US/Azure.VirtualMachine.ASMinMembers.md → docs/rules/en-US/Azure.VM.ASMinMembers.md
Просмотреть файл

@ -1,11 +1,11 @@
---
severity: Single point of failure
category: Reliability
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualMachine.ASMinMembers.md
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.ASMinMembers.md
ms-content-id: 0e9b75e5-2a63-4bea-afeb-2807e6f9d5a0
---
# Azure.VirtualMachine.ASMinMembers
# Use availability sets with at least two members
## SYNOPSIS

4
docs/rules/en-US/Azure.VirtualMachine.AcceleratedNetworking.md → docs/rules/en-US/Azure.VM.AcceleratedNetworking.md
Просмотреть файл

@ -1,11 +1,11 @@
---
severity: Important
category: Performance optimisation
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualMachine.AcceleratedNetworking.md
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.AcceleratedNetworking.md
ms-content-id: c2b60867-f911-45d6-8d9a-a22bf0a7e729
---
# Azure.VirtualMachine.AcceleratedNetworking
# Use accelerated networking
## SYNOPSIS

22
docs/rules/en-US/Azure.VM.Agent.md Normal file
Просмотреть файл

@ -0,0 +1,22 @@
---
severity: Important
category: Operations management
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.Agent.md
ms-content-id: e4f6f6e7-593c-4507-811d-778ee8ec9ac4
---
# VM agent is provisioned automatically
## SYNOPSIS
Ensure the VM agent is provisioned automatically.
## DESCRIPTION
The virtual machine (VM) agent is required for most functionality that interacts with the guest operating system.
VM extensions help reduce management overhead by providing an entry point to bootstrap monitoring and configuration of the guest operating system. The VM agent is required to use any VM extensions.
## RECOMMENDATION
Automatically provision the VM agent for all supported operating systems, this is the default.

4
docs/rules/en-US/Azure.VirtualMachine.BasicSku.md → docs/rules/en-US/Azure.VM.BasicSku.md
Просмотреть файл

@ -1,11 +1,11 @@
---
severity: Important
category: Performance
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualMachine.BasicSku.md
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.BasicSku.md
ms-content-id: 49cef14e-19f0-4a54-be14-7c27a0347b4c
---
# Azure.VirtualMachine.BasicSku
# Avoid Basic VM SKU
## SYNOPSIS

2
docs/rules/en-US/Azure.VirtualMachine.DiskAttached.md → docs/rules/en-US/Azure.VM.DiskAttached.md
Просмотреть файл

@ -1,7 +1,7 @@
---
severity: Awareness
category: Cost management
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualMachine.DiskAttached.md
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.DiskAttached.md
ms-content-id: 23a06a0e-7965-4d43-8e29-bb9ac6eeffcc
---

4
docs/rules/en-US/Azure.VirtualMachine.DiskCaching.md → docs/rules/en-US/Azure.VM.DiskCaching.md
Просмотреть файл

@ -1,11 +1,11 @@
---
severity: Important
category: Performance
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualMachine.DiskCaching.md
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.DiskCaching.md
ms-content-id: d28da16e-4639-466f-95e5-4ab6bf61aec7
---
# Azure.VirtualMachine.DiskCaching
# Configure host caching
## SYNOPSIS

2
docs/rules/en-US/Azure.VirtualMachine.DiskSizeAlignment.md → docs/rules/en-US/Azure.VM.DiskSizeAlignment.md
Просмотреть файл

@ -1,7 +1,7 @@
---
severity: Awareness
category: Cost management
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualMachine.DiskSizeAlignment.md
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.DiskSizeAlignment.md
---
# Azure.VirtualMachine.DiskSizeAlignment

2
docs/rules/en-US/Azure.VirtualMachine.PromoSku.md → docs/rules/en-US/Azure.VM.PromoSku.md
Просмотреть файл

@ -1,7 +1,7 @@
---
severity: Awareness
category: Cost management
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualMachine.PromoSku.md
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.PromoSku.md
---
# Azure.VirtualMachine.PromoSku

2
docs/rules/en-US/Azure.VirtualMachine.PublicKey.md → docs/rules/en-US/Azure.VM.PublicKey.md
Просмотреть файл

@ -1,7 +1,7 @@
---
severity: Important
category: Security configuration
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualMachine.PublicKey.md
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.PublicKey.md
---
# Use public keys for Linux

2
docs/rules/en-US/Azure.VirtualMachine.Standalone.md → docs/rules/en-US/Azure.VM.Standalone.md
Просмотреть файл

@ -1,7 +1,7 @@
---
severity: Single point of failure
category: Reliability
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualMachine.Standalone.md
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.Standalone.md
---
# Azure.VirtualMachine.Standalone

2
docs/rules/en-US/Azure.VirtualMachine.UniqueDns.md → docs/rules/en-US/Azure.VM.UniqueDns.md
Просмотреть файл

@ -1,7 +1,7 @@
---
severity: Awareness
category: Operations management
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualMachine.UniqueDns.md
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.UniqueDns.md
---
# NICs with custom DNS settings

22
docs/rules/en-US/Azure.VM.Updates.md Normal file
Просмотреть файл

@ -0,0 +1,22 @@
---
severity: Important
category: Operations management
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.Updates.md
ms-content-id: 8781c21b-4e6a-47fe-860d-d2191f0304ae
---
# Automatic updates are enabled
## SYNOPSIS
Ensure automatic updates are enabled at deployment.
## DESCRIPTION
Window virtual machines (VMs) have automatic updates turned on at deployment time by default. The option can be enabled/ disabled at deployment time or updated for VM scale sets.
Enabling this option does not prevent automatic updates being disabled or reconfigured within the operating system after deployment.
## RECOMMENDATION
Enable automatic updates at deployment time, then reconfigure as required to meet patch management requirements.

4
docs/rules/en-US/Azure.VirtualMachine.UseHybridUseBenefit.md → docs/rules/en-US/Azure.VM.UseHybridUseBenefit.md
Просмотреть файл

@ -1,10 +1,10 @@
---
severity: Awareness
category: Cost management
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualMachine.UseHybridUseBenefit.md
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.UseHybridUseBenefit.md
---
# Azure.VirtualMachine.UseHybridUseBenefit
# Use Hybrid Use Benefit
## SYNOPSIS

4
docs/rules/en-US/Azure.VirtualMachine.UseManagedDisks.md → docs/rules/en-US/Azure.VM.UseManagedDisks.md
Просмотреть файл

@ -1,10 +1,10 @@
---
severity: Single point of failure
category: Reliability
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VirtualMachine.UseManagedDisks.md
online version: https://github.com/BernieWhite/PSRule.Rules.Azure/blob/master/docs/rules/en-US/Azure.VM.UseManagedDisks.md
---
# Azure.VirtualMachine.UseManagedDisks
# Use Managed Disks
## SYNOPSIS

30
docs/rules/en-US/Azure.md
Просмотреть файл

@ -41,20 +41,22 @@ RuleName | Description | Category
[Azure.Subscription.SecurityCenterContact](Azure.Subscription.SecurityCenterContact.md) | Security Center email and phone contact details should be set. | Security operations
[Azure.Subscription.SecurityCenterProvisioning](Azure.Subscription.SecurityCenterProvisioning.md) | Enable auto-provisioning on VMs to improve Security Center insights. | Security operations
[Azure.Subscription.UseRGDelegation](Azure.Subscription.UseRGDelegation.md) | Use RBAC assignments on resource groups instead of individual resources. | Security operations
[Azure.VirtualMachine.UseManagedDisks](Azure.VirtualMachine.UseManagedDisks.md) | Virtual machines should use managed disks. | Reliability
[Azure.VirtualMachine.Standalone](Azure.VirtualMachine.Standalone.md) | VMs much use premium disks or use availability sets/ zones to meet SLA requirements. | Reliability
[Azure.VirtualMachine.PromoSku](Azure.VirtualMachine.PromoSku.md) | Virtual machines (VMs) should not use expired promotional SKU. | Cost management
[Azure.VirtualMachine.BasicSku](Azure.VirtualMachine.BasicSku.md) | Virtual machines (VMs) should not use Basic sizes. | Performance
[Azure.VirtualMachine.DiskCaching](Azure.VirtualMachine.DiskCaching.md) | Check disk caching is configured correctly for the workload. | Performance
[Azure.VirtualMachine.UniqueDns](Azure.VirtualMachine.UniqueDns.md) | Network interfaces (NICs) should inherit DNS from virtual networks. | Operations management
[Azure.VirtualMachine.DiskAttached](Azure.VirtualMachine.DiskAttached.md) | Managed disks should be attached to virtual machines. | Cost management
[Azure.VirtualMachine.DiskSizeAlignment](Azure.VirtualMachine.DiskSizeAlignment.md) | Managed disk is smaller than SKU size. | Cost management
[Azure.VirtualMachine.UseHybridUseBenefit](Azure.VirtualMachine.UseHybridUseBenefit.md) | Use Hybrid Use Benefit. | Cost management
[Azure.VirtualMachine.AcceleratedNetworking](Azure.VirtualMachine.AcceleratedNetworking.md) | Enabled accelerated networking for supported operating systems. | Performance optimisation
[Azure.VirtualMachine.ASAlignment](Azure.VirtualMachine.ASAlignment.md) | Availability sets should be aligned. | Reliability
[Azure.VirtualMachine.ASMinMembers](Azure.VirtualMachine.ASMinMembers.md) | Availability sets should be deployed with at least two members. | Reliability
[Azure.VirtualMachine.ADE](Azure.VirtualMachine.ADE.md) | Use Azure Disk Encryption. | Security configuration
[Azure.VirtualMachine.PublicKey](Azure.VirtualMachine.PublicKey.md) | Linux virtual machines should use public keys. | Security configuration
[Azure.VM.UseManagedDisks](Azure.VM.UseManagedDisks.md) | Virtual machines should use managed disks. | Reliability
[Azure.VM.Standalone](Azure.VM.Standalone.md) | VMs much use premium disks or use availability sets/ zones to meet SLA requirements. | Reliability
[Azure.VM.PromoSku](Azure.VM.PromoSku.md) | Virtual machines (VMs) should not use expired promotional SKU. | Cost management
[Azure.VM.BasicSku](Azure.VM.BasicSku.md) | Virtual machines (VMs) should not use Basic sizes. | Performance
[Azure.VM.DiskCaching](Azure.VM.DiskCaching.md) | Check disk caching is configured correctly for the workload. | Performance
[Azure.VM.UniqueDns](Azure.VM.UniqueDns.md) | Network interfaces (NICs) should inherit DNS from virtual networks. | Operations management
[Azure.VM.DiskAttached](Azure.VM.DiskAttached.md) | Managed disks should be attached to virtual machines. | Cost management
[Azure.VM.DiskSizeAlignment](Azure.VM.DiskSizeAlignment.md) | Managed disk is smaller than SKU size. | Cost management
[Azure.VM.UseHybridUseBenefit](Azure.VM.UseHybridUseBenefit.md) | Use Hybrid Use Benefit. | Cost management
[Azure.VM.AcceleratedNetworking](Azure.VM.AcceleratedNetworking.md) | Enabled accelerated networking for supported operating systems. | Performance optimisation
[Azure.VM.ASAlignment](Azure.VM.ASAlignment.md) | Availability sets should be aligned. | Reliability
[Azure.VM.ASMinMembers](Azure.VM.ASMinMembers.md) | Availability sets should be deployed with at least two members. | Reliability
[Azure.VM.ADE](Azure.VM.ADE.md) | Use Azure Disk Encryption. | Security configuration
[Azure.VM.PublicKey](Azure.VM.PublicKey.md) | Linux virtual machines should use public keys. | Security configuration
[Azure.VM.Agent](Azure.VM.Agent.md) | Ensure the VM agent is provisioned automatically. | Operations management
[Azure.VM.Updates](Azure.VM.Updates.md) | Ensure automatic updates are enabled at deployment. | Operations management
[Azure.VirtualNetwork.UseNSGs](Azure.VirtualNetwork.UseNSGs.md) | Subnets should have NSGs assigned. | Security configuration
[Azure.VirtualNetwork.SingleDNS](Azure.VirtualNetwork.SingleDNS.md) | VNETs should have at least two DNS servers assigned. | Reliability
[Azure.VirtualNetwork.LocalDNS](Azure.VirtualNetwork.LocalDNS.md) | Virtual networks (VNETs) should use Azure local DNS servers. | Reliability

27
pipeline.build.ps1
Просмотреть файл

@ -101,7 +101,7 @@ task VersionModule ModuleDependencies, {
$manifest = Test-ModuleManifest -Path $manifestPath;
$requiredModules = $manifest.RequiredModules | ForEach-Object -Process {
if ($_.Name -eq 'PSRule' -and $Configuration -eq 'Release') {
@{ ModuleName = 'PSRule'; ModuleVersion = '0.8.0' }
@{ ModuleName = 'PSRule'; ModuleVersion = '0.10.0' }
}
else {
@{ ModuleName = $_.Name; ModuleVersion = $_.Version }
@ -135,24 +135,24 @@ task NuGet {
# Synopsis: Install Pester module
task Pester NuGet, {
if ($Null -eq (Get-InstalledModule -Name Pester -MinimumVersion 4.0.0 -ErrorAction Ignore)) {
Install-Module -Name Pester -MinimumVersion 4.0.0 -Scope CurrentUser -Force -SkipPublisherCheck;
if ($Null -eq (Get-InstalledModule -Name Pester -MinimumVersion 4.9.0 -ErrorAction Ignore)) {
Install-Module -Name Pester -MinimumVersion 4.9.0 -Scope CurrentUser -Force -SkipPublisherCheck;
}
Import-Module -Name Pester -Verbose:$False;
}
# Synopsis: Install PSScriptAnalyzer module
task PSScriptAnalyzer NuGet, {
if ($Null -eq (Get-InstalledModule -Name PSScriptAnalyzer -MinimumVersion 1.17.0 -ErrorAction Ignore)) {
Install-Module -Name PSScriptAnalyzer -MinimumVersion 1.17.0 -Scope CurrentUser -Force;
if ($Null -eq (Get-InstalledModule -Name PSScriptAnalyzer -MinimumVersion 1.18.3 -ErrorAction Ignore)) {
Install-Module -Name PSScriptAnalyzer -MinimumVersion 1.18.3 -Scope CurrentUser -Force;
}
Import-Module -Name PSScriptAnalyzer -Verbose:$False;
}
# Synopsis: Install PSRule
task PSRule NuGet, {
if ($Null -eq (Get-InstalledModule -Name PSRule -MinimumVersion 0.8.0 -ErrorAction Ignore)) {
Install-Module -Name PSRule -MinimumVersion 0.8.0 -Scope CurrentUser -Force;
if ($Null -eq (Get-InstalledModule -Name PSRule -MinimumVersion 0.10.0 -ErrorAction Ignore)) {
Install-Module -Name PSRule -Repository PSGallery -MinimumVersion 0.10.0-B1910011 -AllowPrerelease -Scope CurrentUser -Force;
}
Import-Module -Name PSRule -Verbose:$False;
}
@ -160,7 +160,7 @@ task PSRule NuGet, {
# Synopsis: Install PSDocs
task PSDocs NuGet, {
if ($Null -eq (Get-InstalledModule -Name PSDocs -MinimumVersion 0.6.1 -ErrorAction Ignore)) {
Install-Module -Name PSDocs -MinimumVersion 0.6.1 -AllowPrerelease -Scope CurrentUser -Force;
Install-Module -Name PSDocs -Repository PSGallery -MinimumVersion 0.6.1 -AllowPrerelease -Scope CurrentUser -Force;
}
Import-Module -Name PSDocs -Verbose:$False;
}
@ -184,9 +184,6 @@ task ModuleDependencies NuGet, PSRule, {
if ($Null -eq (Get-InstalledModule -Name Az.Security -MinimumVersion 0.7.4 -ErrorAction Ignore)) {
Install-Module -Name Az.Security -Scope CurrentUser -MinimumVersion 0.7.4 -Force;
}
if ($Null -eq (Get-InstalledModule -Name Az.Storage -MinimumVersion 1.3.0 -ErrorAction Ignore)) {
Install-Module -Name Az.Storage -Scope CurrentUser -MinimumVersion 1.3.0 -Force -AllowClobber;
}
}
task CopyModule {
@ -229,10 +226,10 @@ task Analyze Build, PSScriptAnalyzer, {
task BuildRuleDocs Build, PSRule, PSDocs, {
Import-Module (Join-Path -Path $PWD -ChildPath out/modules/PSRule.Rules.Azure) -Force;
$Null = Invoke-PSDocument -Name Azure -OutputPath .\docs\rules\en-US\ -Path .\RuleToc.Doc.ps1;
$rules = Get-PSRule -Module 'PSRule.Rules.Azure';
$rules | ForEach-Object -Process {
Invoke-PSDocument -Path .\RuleHelp.Doc.ps1 -OutputPath .\docs\rules\en-US\ -InstanceName $_.Info.Name -inputObject $_;
}
# $rules = Get-PSRule -Module 'PSRule.Rules.Azure';
# $rules | ForEach-Object -Process {
# Invoke-PSDocument -Path .\RuleHelp.Doc.ps1 -OutputPath .\docs\rules\en-US\ -InstanceName $_.Info.Name -inputObject $_;
# }
}
# Synopsis: Build help

2
src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1
Просмотреть файл

@ -16,7 +16,7 @@ Rule 'Azure.AKS.Version' -If { ResourceType 'Microsoft.ContainerService/managedC
Recommend "Upgrade Kubernetes to at least $minVersion"
([Version]$TargetObject.Properties.kubernetesVersion) -ge $minVersion
} -Configure @{ minAKSVersion = '1.14.5' }
} -Configure @{ minAKSVersion = '1.14.6' }
# Synopsis: AKS cluster should use role-based access control
Rule 'Azure.AKS.UseRBAC' -If { ResourceType 'Microsoft.ContainerService/managedClusters' } -Tag @{ severity = 'Important'; category = 'Security configuration' } {

39
src/PSRule.Rules.Azure/rules/Azure.VirtualMachine.Rule.ps1
Просмотреть файл

@ -3,7 +3,7 @@
#
# Synopsis: Virtual machines should use managed disks
Rule 'Azure.VirtualMachine.UseManagedDisks' -If { ResourceType 'Microsoft.Compute/virtualMachines' } -Tag @{ severity = 'Single point of failure'; category = 'Reliability' } {
Rule 'Azure.VM.UseManagedDisks' -Type 'Microsoft.Compute/virtualMachines' -Tag @{ severity = 'Single point of failure'; category = 'Reliability' } {
# Check OS disk
$Null -ne $TargetObject.properties.storageProfile.osDisk.managedDisk.id
@ -15,7 +15,7 @@ Rule 'Azure.VirtualMachine.UseManagedDisks' -If { ResourceType 'Microsoft.Comput
}
# Synopsis: VMs much use premium disks or use availability sets/ zones to meet SLA requirements
Rule 'Azure.VirtualMachine.Standalone' -If { ResourceType 'Microsoft.Compute/virtualMachines' } -Tag @{ severity = 'Single point of failure'; category = 'Reliability' } {
Rule 'Azure.VM.Standalone' -Type 'Microsoft.Compute/virtualMachines' -Tag @{ severity = 'Single point of failure'; category = 'Reliability' } {
Recommend 'Virtual machines should use availability sets or only premium disks'
$types = @(
@ -34,17 +34,17 @@ Rule 'Azure.VirtualMachine.Standalone' -If { ResourceType 'Microsoft.Compute/vir
}
# Synopsis: VMs should not use expired promo SKU
Rule 'Azure.VirtualMachine.PromoSku' -If { (IsVMPromoSku) } {
Rule 'Azure.VM.PromoSku' -If { (IsVMPromoSku) } {
Match 'Properties.hardwareProfile.vmSize' -Not -Expression 'Standard_DS{0,1}1{0,1}[1-9]{1}_v2_Promo'
}
# Synopsis: VMs should not use Basic SKU
Rule 'Azure.VirtualMachine.BasicSku' -If { ResourceType 'Microsoft.Compute/virtualMachines' } {
Rule 'Azure.VM.BasicSku' -Type 'Microsoft.Compute/virtualMachines' {
Match 'Properties.hardwareProfile.vmSize' -Not -Expression 'Basic_A[0-4]'
}
# Synopsis: Check disk caching is configured correctly for the workload
Rule 'Azure.VirtualMachine.DiskCaching' -If { ResourceType 'Microsoft.Compute/virtualMachines' } -Tag @{ severity = 'Important'; category = 'Performance' } {
Rule 'Azure.VM.DiskCaching' -Type 'Microsoft.Compute/virtualMachines' -Tag @{ severity = 'Important'; category = 'Performance' } {
# Check OS disk
Within 'properties.storageProfile.osDisk.caching' 'ReadWrite'
@ -62,12 +62,12 @@ Rule 'Azure.VirtualMachine.DiskCaching' -If { ResourceType 'Microsoft.Compute/vi
}
# Synopsis: Network interfaces should inherit from virtual network
Rule 'Azure.VirtualMachine.UniqueDns' -If { ResourceType 'Microsoft.Network/networkInterfaces' } -Tag @{ severity = 'Awareness'; category = 'Operations management' } {
Rule 'Azure.VM.UniqueDns' -Type 'Microsoft.Network/networkInterfaces' -Tag @{ severity = 'Awareness'; category = 'Operations management' } {
$Assert.NullOrEmpty($TargetObject, 'Properties.dnsSettings.dnsServers')
}
# Synopsis: Managed disks should be attached to virtual machines
Rule 'Azure.VirtualMachine.DiskAttached' -If { (ResourceType 'Microsoft.Compute/disks') -and ($TargetObject.ResourceName -notlike '*-ASRReplica') } -Tag @{ severity = 'Awareness'; category = 'Operations management' } {
Rule 'Azure.VM.DiskAttached' -If { (ResourceType 'Microsoft.Compute/disks') -and ($TargetObject.ResourceName -notlike '*-ASRReplica') } -Tag @{ severity = 'Awareness'; category = 'Operations management' } {
# Disks should be attached unless they are used by ASR, which are not attached until fail over
# Disks for VMs that are off are marked as Reserved
Within 'properties.diskState' 'Attached', 'Reserved'
@ -76,7 +76,7 @@ Rule 'Azure.VirtualMachine.DiskAttached' -If { (ResourceType 'Microsoft.Compute/
# TODO: Check IOPS
# Synopsis: Managed disk is smaller than SKU size
Rule 'Azure.VirtualMachine.DiskSizeAlignment' -If { ResourceType 'Microsoft.Compute/disks' } -Tag @{ severity = 'Awareness'; category = 'Cost management' } {
Rule 'Azure.VM.DiskSizeAlignment' -Type 'Microsoft.Compute/disks' -Tag @{ severity = 'Awareness'; category = 'Cost management' } {
$diskSize = @(32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768)
$actualSize = $TargetObject.properties.diskSizeGB
@ -93,12 +93,12 @@ Rule 'Azure.VirtualMachine.DiskSizeAlignment' -If { ResourceType 'Microsoft.Comp
# TODO: Check number of disks
# Synopsis: Use Hybrid Use Benefit
Rule 'Azure.VirtualMachine.UseHybridUseBenefit' -If { (IsWindowsOS) } -Tag @{ severity = 'Awareness'; category = 'Cost management' } {
Rule 'Azure.VM.UseHybridUseBenefit' -If { (IsWindowsOS) } -Tag @{ severity = 'Awareness'; category = 'Cost management' } {
Within 'properties.licenseType' 'Windows_Server'
}
# Synopsis: Enabled accelerated networking for supported operating systems
Rule 'Azure.VirtualMachine.AcceleratedNetworking' -If { (SupportsAcceleratedNetworking) } -Tag @{ severity = 'Important'; category = 'Performance optimisation' } {
Rule 'Azure.VM.AcceleratedNetworking' -If { (SupportsAcceleratedNetworking) } -Tag @{ severity = 'Important'; category = 'Performance optimisation' } {
$networkInterfaces = $TargetObject.resources | Where-Object { $_.ResourceType -eq 'Microsoft.Network/networkInterfaces' };
foreach ($interface in $networkInterfaces) {
($interface.Properties.enableAcceleratedNetworking -eq $True)
@ -106,22 +106,33 @@ Rule 'Azure.VirtualMachine.AcceleratedNetworking' -If { (SupportsAcceleratedNetw
}
# Synopsis: Availability sets should be aligned
Rule 'Azure.VirtualMachine.ASAlignment' -If { ResourceType 'Microsoft.Compute/availabilitySets' } -Tag @{ severity = 'Single point of failure'; category = 'Reliability' } {
Rule 'Azure.VM.ASAlignment' -Type 'Microsoft.Compute/availabilitySets' -Tag @{ severity = 'Single point of failure'; category = 'Reliability' } {
Within 'sku.name' 'aligned'
}
# Synopsis: Availability sets should be deployed with at least two members
Rule 'Azure.VirtualMachine.ASMinMembers' -If { ResourceType 'Microsoft.Compute/availabilitySets' } -Tag @{ severity = 'Single point of failure'; category = 'Reliability' } {
Rule 'Azure.VM.ASMinMembers' -Type 'Microsoft.Compute/availabilitySets' -Tag @{ severity = 'Single point of failure'; category = 'Reliability' } {
($TargetObject.properties.virtualmachines.id | Measure-Object).Count -ge 2
}
# Synopsis: Use Azure Disk Encryption
Rule 'Azure.VirtualMachine.ADE' -If { ResourceType 'Microsoft.Compute/disks' } {
Rule 'Azure.VM.ADE' -Type 'Microsoft.Compute/disks' {
$Assert.HasFieldValue($TargetObject, 'Properties.encryptionSettingsCollection.enabled', $True)
$Assert.HasFieldValue($TargetObject, 'Properties.encryptionSettingsCollection.encryptionSettings')
}
# Synopsis: Linux VMs should use public key pair
Rule 'Azure.VirtualMachine.PublicKey' -If { (IsLinuxOS) } {
Rule 'Azure.VM.PublicKey' -If { (IsLinuxOS) } {
$Assert.HasFieldValue($TargetObject, 'Properties.osProfile.linuxConfiguration.disablePasswordAuthentication', $True)
}
# Synopsis: Ensure that the VM agent is provisioned automatically
Rule 'Azure.VM.Agent' -Type 'Microsoft.Compute/virtualMachines' {
$Assert.HasDefaultValue($TargetObject, 'Properties.osProfile.linuxConfiguration.provisionVMAgent', $True)
$Assert.HasDefaultValue($TargetObject, 'Properties.osProfile.windowsConfiguration.provisionVMAgent', $True)
}
# Synopsis: Ensure automatic updates are enabled at deployment
Rule 'Azure.VM.Updates' -Type 'Microsoft.Compute/virtualMachines' -If { (IsWindowsOS) } {
$Assert.HasDefaultValue($TargetObject, 'Properties.osProfile.windowsConfiguration.enableAutomaticUpdates', $True)
}

94
tests/PSRule.Rules.Azure.Tests/Azure.VirtualMachine.Tests.ps1
Просмотреть файл

@ -26,8 +26,8 @@ Describe 'Azure.VirtualMachine' {
Context 'Conditions' {
$result = Invoke-PSRule -Module PSRule.Rules.Azure -InputPath $dataPath -Outcome All -WarningAction Ignore -ErrorAction Stop;
It 'Azure.VirtualMachine.UseManagedDisks' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualMachine.UseManagedDisks' };
It 'Azure.VM.UseManagedDisks' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VM.UseManagedDisks' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
@ -42,8 +42,8 @@ Describe 'Azure.VirtualMachine' {
$ruleResult.TargetName | Should -BeIn 'vm-A', 'aks-agentpool-00000000-1', 'aks-agentpool-00000000-2', 'aks-agentpool-00000000-3', 'vm-C';
}
It 'Azure.VirtualMachine.Standalone' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualMachine.Standalone' };
It 'Azure.VM.Standalone' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VM.Standalone' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
@ -58,7 +58,7 @@ Describe 'Azure.VirtualMachine' {
$ruleResult.TargetName | Should -BeIn 'aks-agentpool-00000000-1', 'aks-agentpool-00000000-2', 'aks-agentpool-00000000-3';
}
It 'Azure.VirtualMachine.PromoSku' {
It 'Azure.VM.PromoSku' {
$expiredSku = @(
'Standard_DS2_v2_Promo'
'Standard_DS3_v2_Promo'
@ -97,25 +97,25 @@ Describe 'Azure.VirtualMachine' {
}
foreach ($sku in $expiredSku) {
$vmObject.Properties.hardwareProfile.vmSize = $sku;
$result = $vmObject | Invoke-PSRule -Name 'Azure.VirtualMachine.PromoSku' -Module PSRule.Rules.Azure -WarningAction Ignore;
$result = $vmObject | Invoke-PSRule -Name 'Azure.VM.PromoSku' -Module PSRule.Rules.Azure -WarningAction Ignore;
$result | Should -Not -BeNullOrEmpty;
$result.IsSuccess() | Should -Be $False;
}
foreach ($sku in $notExpiredSku) {
$vmObject.Properties.hardwareProfile.vmSize = $sku;
$result = $vmObject | Invoke-PSRule -Name 'Azure.VirtualMachine.PromoSku' -Module PSRule.Rules.Azure -WarningAction Ignore;
$result = $vmObject | Invoke-PSRule -Name 'Azure.VM.PromoSku' -Module PSRule.Rules.Azure -WarningAction Ignore;
$result | Should -Not -BeNullOrEmpty;
$result.IsSuccess() | Should -Be $True;
}
foreach ($sku in $notPromo) {
$vmObject.Properties.hardwareProfile.vmSize = $sku;
$result = $vmObject | Invoke-PSRule -Name 'Azure.VirtualMachine.PromoSku' -Module PSRule.Rules.Azure -WarningAction Ignore -Outcome All;
$result = $vmObject | Invoke-PSRule -Name 'Azure.VM.PromoSku' -Module PSRule.Rules.Azure -WarningAction Ignore -Outcome All;
$result | Should -Not -BeNullOrEmpty;
$result.Outcome | Should -Be 'None';
}
}
It 'Azure.VirtualMachine.BasicSku' {
It 'Azure.VM.BasicSku' {
$basicSku = @(
'Basic_A0'
'Basic_A1'
@ -139,20 +139,20 @@ Describe 'Azure.VirtualMachine' {
}
foreach ($sku in $basicSku) {
$vmObject.Properties.hardwareProfile.vmSize = $sku;
$result = $vmObject | Invoke-PSRule -Name 'Azure.VirtualMachine.BasicSku' -Module PSRule.Rules.Azure -WarningAction Ignore;
$result = $vmObject | Invoke-PSRule -Name 'Azure.VM.BasicSku' -Module PSRule.Rules.Azure -WarningAction Ignore;
$result | Should -Not -BeNullOrEmpty;
$result.IsSuccess() | Should -Be $False;
}
foreach ($sku in $otherSku) {
$vmObject.Properties.hardwareProfile.vmSize = $sku;
$result = $vmObject | Invoke-PSRule -Name 'Azure.VirtualMachine.BasicSku' -Module PSRule.Rules.Azure -WarningAction Ignore;
$result = $vmObject | Invoke-PSRule -Name 'Azure.VM.BasicSku' -Module PSRule.Rules.Azure -WarningAction Ignore;
$result | Should -Not -BeNullOrEmpty;
$result.IsSuccess() | Should -Be $True;
}
}
It 'Azure.VirtualMachine.DiskCaching' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualMachine.DiskCaching' };
It 'Azure.VM.DiskCaching' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VM.DiskCaching' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
@ -167,8 +167,8 @@ Describe 'Azure.VirtualMachine' {
$ruleResult.TargetName | Should -BeIn 'aks-agentpool-00000000-1', 'aks-agentpool-00000000-2', 'aks-agentpool-00000000-3', 'vm-C';
}
It 'Azure.VirtualMachine.UniqueDns' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualMachine.UniqueDns' };
It 'Azure.VM.UniqueDns' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VM.UniqueDns' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
@ -183,8 +183,8 @@ Describe 'Azure.VirtualMachine' {
$ruleResult.TargetName | Should -BeIn 'aks-agentpool-00000000-nic-1', 'aks-agentpool-00000000-nic-2', 'aks-agentpool-00000000-nic-3';
}
It 'Azure.VirtualMachine.DiskAttached' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualMachine.DiskAttached' };
It 'Azure.VM.DiskAttached' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VM.DiskAttached' };
# Ignore ASR disks
$ruleResult = @($filteredResult | Where-Object { $_.TargetName -eq 'ReplicaVM_DataDisk_0-ASRReplica' });
@ -206,8 +206,8 @@ Describe 'Azure.VirtualMachine' {
$ruleResult.TargetName | Should -Be 'disk-A';
}
It 'Azure.VirtualMachine.DiskSizeAlignment' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualMachine.DiskSizeAlignment' };
It 'Azure.VM.DiskSizeAlignment' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VM.DiskSizeAlignment' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
@ -222,8 +222,8 @@ Describe 'Azure.VirtualMachine' {
$ruleResult.TargetName | Should -Be 'disk-A';
}
It 'Azure.VirtualMachine.UseHybridUseBenefit' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualMachine.UseHybridUseBenefit' };
It 'Azure.VM.UseHybridUseBenefit' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VM.UseHybridUseBenefit' };
# Skip Linux
$ruleResult = @($filteredResult | Where-Object {
@ -245,8 +245,8 @@ Describe 'Azure.VirtualMachine' {
$ruleResult.TargetName | Should -Be 'vm-A';
}
It 'Azure.VirtualMachine.AcceleratedNetworking' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualMachine.AcceleratedNetworking' };
It 'Azure.VM.AcceleratedNetworking' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VM.AcceleratedNetworking' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
@ -261,8 +261,8 @@ Describe 'Azure.VirtualMachine' {
$ruleResult.TargetName | Should -Be 'vm-A';
}
It 'Azure.VirtualMachine.ASAlignment' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualMachine.ASAlignment' };
It 'Azure.VM.ASAlignment' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VM.ASAlignment' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
@ -277,8 +277,8 @@ Describe 'Azure.VirtualMachine' {
$ruleResult.TargetName | Should -Be 'agentpool-availabilitySet-00000000';
}
It 'Azure.VirtualMachine.ASMinMembers' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualMachine.ASMinMembers' };
It 'Azure.VM.ASMinMembers' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VM.ASMinMembers' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
@ -293,8 +293,8 @@ Describe 'Azure.VirtualMachine' {
$ruleResult.TargetName | Should -Be 'agentpool-availabilitySet-00000000';
}
It 'Azure.VirtualMachine.ADE' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualMachine.ADE' };
It 'Azure.VM.ADE' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VM.ADE' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
@ -309,8 +309,8 @@ Describe 'Azure.VirtualMachine' {
$ruleResult.TargetName | Should -Be 'disk-A';
}
It 'Azure.VirtualMachine.PublicKey' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VirtualMachine.PublicKey' };
It 'Azure.VM.PublicKey' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VM.PublicKey' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
@ -324,5 +324,37 @@ Describe 'Azure.VirtualMachine' {
$ruleResult.Length | Should -Be 3;
$ruleResult.TargetName | Should -BeIn 'aks-agentpool-00000000-1', 'aks-agentpool-00000000-2', 'aks-agentpool-00000000-3';
}
It 'Azure.VM.Agent' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VM.Agent' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 2;
$ruleResult.TargetName | Should -BeIn 'vm-C', 'vm-B';
# Pass
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 4;
$ruleResult.TargetName | Should -BeIn 'vm-A', 'aks-agentpool-00000000-1', 'aks-agentpool-00000000-2', 'aks-agentpool-00000000-3';
}
It 'Azure.VM.Updates' {
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.VM.Updates' };
# Fail
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 1;
$ruleResult.TargetName | Should -Be 'vm-B';
# Pass
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
$ruleResult | Should -Not -BeNullOrEmpty;
$ruleResult.Length | Should -Be 1;
$ruleResult.TargetName | Should -Be 'vm-A';
}
}
}

4
tests/PSRule.Rules.Azure.Tests/Resources.AKS.json
Просмотреть файл

@ -6,7 +6,7 @@
"ResourceName": "cluster-A",
"Name": "cluster-A",
"Properties": {
"kubernetesVersion": "1.14.5",
"kubernetesVersion": "1.14.6",
"dnsPrefix": "cluster-A",
"fqdn": "cluster-A-00000000.nnn.region.azmk8s.io",
"agentPoolProfiles": [
@ -18,7 +18,7 @@
"vnetSubnetID": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/subnet-A",
"maxPods": 30,
"type": "AvailabilitySet",
"orchestratorVersion": "1.13.7",
"orchestratorVersion": "1.14.6",
"osType": "Linux"
}
],

9
tests/PSRule.Rules.Azure.Tests/Resources.VirtualMachine.json
Просмотреть файл

@ -404,11 +404,11 @@
"computerName": "vm-B",
"adminUsername": "vm-admin",
"windowsConfiguration": {
"provisionVMAgent": true,
"enableAutomaticUpdates": true
"provisionVMAgent": false,
"enableAutomaticUpdates": false
},
"secrets": [],
"allowExtensionOperations": true
"allowExtensionOperations": false
},
"networkProfile": {
"networkInterfaces": [
@ -1179,7 +1179,8 @@
"computerName": "vm-C",
"adminUsername": "admin-account",
"linuxConfiguration": {
"disablePasswordAuthentication": false
"disablePasswordAuthentication": false,
"provisionVMAgent": false
},
"secrets": []
},