[PSRule] Discuss PSRule validation results and update modules/module tests accordingly #2151

Closed
11 of 33 tasks
Tracked by #2149
eriqua opened this issue Sep 29, 2022 · 5 comments
Assignees
Labels
[cat] modules category: modules [cat] pipelines category: pipelines [cat] testing category: testing enhancement New feature or request

Comments

eriqua commented Sep 29, 2022

Analyze the output of PSRule validation. List all modules to be updated and open separated issues for each.

For each failed rule we should:

  • either fix the module/module test to have it compliant
  • or suppress the rule if it does not make sense in our scenario, documenting the reason

Example

List of failed rules after running PSRule validation on RG, KV and VNET modules:
(image attached: list of failed rules)

  • Tags should be added to common tests, the ones aiming to validate all possible parameters for a module
  • Purge keyvault should be suppressed. It doesn't make sense for our testing scenario because we want to clean up the environment after each test

Following the list of rules to be fixed:

@eriqua eriqua added enhancement New feature or request [cat] modules category: modules [cat] testing category: testing [cat] needs further discussion labels Oct 2, 2022
@eriqua eriqua changed the title Discuss PSRule validation results and update modules/module tests accordingly [PSRule] Discuss PSRule validation results and update modules/module tests accordingly Dec 10, 2022
@eriqua eriqua added documentation Improvements or additions to documentation [cat] pipelines category: pipelines [cat] needs further discussion and removed [cat] needs further discussion documentation Improvements or additions to documentation labels Dec 10, 2022
eriqua commented Dec 10, 2022

Suggestion: keep in triage with the "needs further discussion" label until refinement is complete. This will include the list of modules to be fixed based on the outcome of issue #2425.

rahalan commented Jan 19, 2023

The team decided that issues should be created per rule, not per module.

elanzel commented Jan 24, 2023

Following is the list of failing rules:

Failed_PSRule_Output_v03 (3).xlsx

TO DO LIST:

Rule Azure.Resource.UseTags

Error example: Error: AZR-000166: ***splhcom001 failed Azure.Resource.UseTags. Azure resources should be tagged using a standard convention.
There are no modules where we need to add tags support. So the 2 scenarios are:

  • resource supporting tags but tags not used in test files

  • Azure resource not supporting tags

  • Add tags with values in test files for the following modules:
    Microsoft.Compute/availabilitySets
    Microsoft.Compute/diskEncryptionSets
    Microsoft.Compute/disks
    Microsoft.Compute/galleries
    Microsoft.Compute/virtualMachines
    Microsoft.Compute/virtualMachineScaleSets
    Microsoft.ContainerInstance/containerGroups
    Microsoft.DataProtection/backupVaults
    Microsoft.HealthBot/healthBots
    microsoft.insights/actionGroups
    Microsoft.Insights/activityLogAlerts
    Microsoft.Insights/components
    Microsoft.Insights/metricAlerts
    microsoft.insights/privateLinkScopes
    Microsoft.Insights/scheduledQueryRules
    Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
    Microsoft.Network/applicationSecurityGroups
    Microsoft.Network/connections
    Microsoft.Network/ddosProtectionPlans
    Microsoft.Network/dnsResolvers
    Microsoft.Network/firewallPolicies
    Microsoft.Network/ipGroups
    Microsoft.Network/loadBalancers
    Microsoft.Network/localNetworkGateways
    Microsoft.Network/networkInterfaces
    Microsoft.Network/networkManagers
    Microsoft.Network/networkWatchers
    Microsoft.Network/privateDnsZones
    Microsoft.Network/privateEndpoints
    Microsoft.Network/privateLinkServices
    Microsoft.Network/publicIPPrefixes
    Microsoft.Network/routeTables
    Microsoft.Network/virtualHubs
    Microsoft.Network/virtualNetworks
    Microsoft.Network/virtualWans
    Microsoft.Network/vpnGateways
    Microsoft.Resources/deploymentScripts
    Microsoft.Resources/resourceGroups
    Microsoft.ServiceFabric/clusters
    Microsoft.SignalRService/webPubSub
    Microsoft.Sql/servers
    Microsoft.Storage/storageAccounts
    Microsoft.Synapse/privateLinkHubs
    Microsoft.VirtualMachineImages/imageTemplates
    Microsoft.Web/connections
    Microsoft.Web/staticSites
    https://github.com/Azure/ResourceModules/pull/2241/files can be used as a reference; the following code needs to be added:

    tags: {
      Environment: 'Non-Prod'
      Role: 'DeploymentValidation'
    }

    ----> there is no standard for tags; should we standardize?

Examples of other tags found:

    tags: {
      purpose: 'test'
    }

  • Add resource or file path to exclusion because tags are not supported by the resource:
    Microsoft.KubernetesConfiguration/extensions
    Microsoft.KubernetesConfiguration/fluxConfigurations
    Microsoft.ManagedServices/registrationAssignments
    Microsoft.ManagedServices/registrationDefinitions
    Microsoft.Management/managementGroups
    Microsoft.OperationsManagement/solutions
    Microsoft.PolicyInsights/remediations

Rule Azure.Policy.AssignmentAssignedBy

Error example: Error: AZR-000144: ***apamgcom001 failed Azure.Policy.AssignmentAssignedBy. Policy assignments should use assignedBy metadata.

| File path | Action |
| --- | --- |
| Microsoft.Authorization/policyAssignments/.test/mg.common/deploy.test.bicep | Add assignedBy metadata to the existing metadata block |
| Microsoft.Authorization/policyAssignments/.test/rg.common/deploy.test.bicep | Add assignedBy metadata to the existing metadata block |
| Microsoft.Authorization/policyAssignments/.test/mg.min/deploy.test.bicep | Metadata block is missing. Add the whole metadata block including assignedBy |
| Microsoft.Authorization/policyAssignments/.test/rg.min/deploy.test.bicep | Metadata block is missing. Add the whole metadata block including assignedBy |
| Microsoft.Authorization/policyAssignments/.test/sub.min/deploy.test.bicep | Metadata block is missing. Add the whole metadata block including assignedBy |
| Microsoft.Authorization/policyAssignments/.test/sub.common/deploy.test.bicep | Add assignedBy metadata to the existing metadata block |

Example of metadata block

    metadata: {
      category: 'Security'
      version: '1.0'
      assignedBy: 'Carml'
    }

    --> assignedBy value 'Carml' approved?

Rule Azure.Policy.AssignmentDescriptors

Error: AZR-000143: ***apasubmin001 failed Azure.Policy.AssignmentDescriptors. Policy assignments should use a display name and description.

❓ Validate with the team if the following actions are good:

  1. Set "description" and "displayName" as mandatory parameters in the deploy.bicep file.
  2. Add the following parameters on the deploy.test.bicep:
    description: '[Description] Policy Assignment at the management group scope'
    displayName: '[Display Name] Policy Assignment at the management group scope'

Above actions should be applied to the following files:

ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyAssignments/.test/sub.min/deploy.test.bicep 
ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyAssignments/.test/rg.min/deploy.test.bicep 
ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyAssignments/.test/mg.min/deploy.test.bicep 
ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyAssignments/deploy.bicep 


Rule Azure.Policy.Descriptors

Error: AZR-000142: ***apdmgmin001 failed Azure.Policy.Descriptors. Policy and initiative definitions should use a display name, description, and category.

❓ Validate with the team if the following actions are good:

  1. Set "description" and "displayName" as mandatory parameters in the deploy.bicep file.
  2. Add the following parameters on the deploy.test.bicep.
  3. Add the "category" to the metadata block:

    description: '[Description] This policy definition is deployed at the management group scope'
    displayName: '[DisplayName] This policy definition is deployed at the management group scope'
    metadata: {
      category: 'Security'
    }

Above actions should be applied to the following files:
ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyDefinitions/.test/mg.min/deploy.test.bicep
ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyDefinitions/.test/sub.min/deploy.test.bicep
ResourceModules/ResourceModules/modules/Microsoft.Authorization/policySetDefinitions/.test/mg.min/deploy.test.bicep
ResourceModules/ResourceModules/modules/Microsoft.Authorization/policySetDefinitions/.test/sub.min/deploy.test.bicep


Rule Azure.Policy.ExemptionDescriptors

Error: AZR-000145: ***apemgmin001 failed Azure.Policy.ExemptionDescriptors. Policy exemptions should use a display name and description.

❓ Validate with the team if the following actions are good:

  1. Set "description" and "displayName" as mandatory parameters in the deploy.bicep file.
  2. Add the following parameters on the deploy.test.bicep:
    description: '[Description] Policy Assignment at the management group scope'
    displayName: '[Display Name] Policy Assignment at the management group scope'

Above actions should be applied to the following files:

ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyExemptions/.test/mg.min/deploy.test.bicep
ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyExemptions/.test/rg.min/deploy.test.bicep
ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyExemptions/.test/sub.min/deploy.test.bicep


Rule Azure.VMSS.AMA

Error: AZR-000346: ***cvmsswin001 failed Azure.VMSS.AMA. Use Azure Monitor Agent for collecting monitoring data.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VMSS.AMA/

  • Update the module (ResourceModules-main\modules\Microsoft.Compute\virtualMachineScaleSets\deploy.bicep) with the reference to the new AMA agent instead of 'MicrosoftMonitoringAgent' or 'OmsAgentForLinux' as follows:

Set properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux).
Set properties.publisher to Microsoft.Azure.Monitor.

In this way the errors will be solved for the following files:
ResourceModules\modules\Microsoft.Compute\virtualMachineScaleSets\.test\linux\deploy.test.bicep
ResourceModules\modules\Microsoft.Compute\virtualMachineScaleSets\.test\windows\deploy.test.bicep

  • ❓ For the "min" files, check with the team whether to update the following files to enable extensionMonitoringAgentConfig:

ResourceModules\modules\Microsoft.Compute\virtualMachineScaleSets\.test\linux.min\deploy.test.bicep
ResourceModules\modules\Microsoft.Compute\virtualMachineScaleSets\.test\windows.min\deploy.test.bicep
ResourceModules\modules\Microsoft.Compute\virtualMachineScaleSets\.test\linux.ssecmk\deploy.test.bicep

Action:

    extensionMonitoringAgentConfig: {
      enabled: true
    }


Rule Azure.VMSS.MigrateAMA

ℹ️ Automatically solved when the issue for Azure.VMSS.AMA is closed

Error: AZR-000318: ***cvmsswin001 failed Azure.VMSS.MigrateAMA. Use Azure Monitor Agent as replacement for Log Analytics Agent.


Rule Azure.VM.AMA

Error: AZR-000345: ***cvmwinatmg failed Azure.VM.AMA. Use Azure Monitor Agent for collecting monitoring data.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.AMA/

  • Update the module (ResourceModules-main\modules\Microsoft.Compute\virtualMachines\deploy.bicep) with the reference to the new AMA agent instead of 'MicrosoftMonitoringAgent' or 'OmsAgentForLinux' as follows:

Set properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux).
Set properties.publisher to Microsoft.Azure.Monitor.

In this way the errors will be solved for the following files:
ResourceModules\modules\Microsoft.Compute\virtualMachines\.test\linux\deploy.test.bicep
ResourceModules\modules\Microsoft.Compute\virtualMachines\.test\windows\deploy.test.bicep

  • ❓ For the "min" files, check with the team whether to update the following files to enable extensionMonitoringAgentConfig:

ResourceModules\modules\Microsoft.Compute\virtualMachines\.test\windows.atmg\deploy.test.bicep
ResourceModules\modules\Microsoft.Compute\virtualMachines\.test\windows.ssecmk\deploy.test.bicep
ResourceModules\modules\Microsoft.Compute\virtualMachines\.test\windows.min\deploy.test.bicep
ResourceModules\modules\Microsoft.Compute\virtualMachines\.test\linux.min\deploy.test.bicep
ResourceModules\modules\Microsoft.Compute\virtualMachines\.test\linux.atmg\deploy.test.bicep

Action:

    extensionMonitoringAgentConfig: {
      enabled: true
    }

Rule Azure.VM.DiskCaching

Error: AZR-000242: ***cvmwinatmg failed Azure.VM.DiskCaching. Check disk caching is configured correctly for the workload.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.DiskCaching/

❓ This is not an error but only a reminder to check the right disk configuration. We can exclude this rule from the test.

Exclude PSRule from the following files:
ResourceModules/modules/Microsoft.Compute/virtualMachines/.test/windows.min/deploy.test.bicep
ResourceModules/modules/Microsoft.Compute/virtualMachines/.test/windows.ssecmk/deploy.test.bicep
ResourceModules/modules/Microsoft.Compute/virtualMachines/.test/windows.atmg/deploy.test.bicep

Note: PSRule doesn't fail the following file, which includes "dataDisks: [ { caching: 'None' } ]":
ResourceModules/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep


Rule Azure.VM.DiskSizeAlignment

Error: AZR-000251: ***-cdimp001 failed Azure.VM.DiskSizeAlignment. Align to the Managed Disk billing model to improve cost efficiency.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.DiskSizeAlignment/

❓ Validate with the team if the following actions are good:

  1. Set "diskSizeGB" as a mandatory parameter in the deploy.bicep file.
  2. Add the following parameter on the deploy.test.bicep: diskSizeGB = 32

Above actions should be applied to the following files:
ResourceModules/modules/Microsoft.Compute/disks/.test/import/deploy.test.bicep
ResourceModules/modules/Microsoft.Compute/disks/.test/min/deploy.test.bicep
ResourceModules/modules/Microsoft.Compute/disks/.test/image/deploy.test.bicep


Rule Azure.VM.Standalone

Error: AZR-000239: ***cvmwinatmg failed Azure.VM.Standalone. Use VM features to increase reliability and improve covered SLA for VM configurations.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.Standalone/

❓ This is not an error but only a recommendation to consider using availability zones/sets or only premium/ultra disks to improve the SLA. High availability is not needed for temporary tests. We can exclude this rule from the test.

Exclude PSRule from the following files:
ResourceModules/modules/Microsoft.Compute/virtualMachines/windows.atmg/deploy.test.bicep
ResourceModules/modules/Microsoft.Compute/virtualMachines/windows.ssecmk/deploy.test.bicep
ResourceModules/modules/Microsoft.Compute/virtualMachines/windows.min/deploy.test.bicep


Rule Azure.VM.UseHybridUseBenefit

Error: AZR-000243: ***cvmwinatmg failed Azure.VM.UseHybridUseBenefit. Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads.

❓ This is not an error but only a recommendation to consider using Azure Hybrid Benefit for eligible workloads. Not relevant for a test. We can exclude this rule from the test.

Exclude PSRule from the following files:
ResourceModules/modules/Microsoft.Compute/virtualMachines/windows.atmg/deploy.test.bicep
ResourceModules/modules/Microsoft.Compute/virtualMachines/windows.ssecmk/deploy.test.bicep
ResourceModules/modules/Microsoft.Compute/virtualMachines/windows.min/deploy.test.bicep


Rule Azure.VNET.UseNSGs

Error: AZR-000263: adp-***-vnet-sqlspe failed Azure.VNET.UseNSGs. Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VNET.UseNSGs/

❓ This is not an error but only a recommendation to consider assigning a network security group (NSG) to the virtual network subnet. It is optional for testing the private endpoint. We can exclude this rule from the test.

Exclude PSRule from the following files:
ResourceModules/modules/Microsoft.Sql/servers/test/pe/deploy.test.bicep


Rule Azure.WebPubSub.ManagedIdentity

Error: AZR-000277: ***-srswpsmin-001 failed Azure.WebPubSub.ManagedIdentity. Configure Web PubSub Services to use managed identities to access Azure resources securely.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.WebPubSub.ManagedIdentity/

❓ Validate with the team if the following actions are good:

  1. Set "systemAssignedIdentity" as a mandatory parameter in the deploy.bicep file.
  2. Add the following parameter on the deploy.test.bicep: systemAssignedIdentity = true

Above actions should be applied to the following files:
ResourceModules\modules\Microsoft.SignalRService\webPubSub\deploy.bicep
ResourceModules\modules\Microsoft.SignalRService\webPubSub\.test\min\deploy.test.bicep
ResourceModules\modules\Microsoft.SignalRService\webPubSub\.test\pe\deploy.test.bicep


Rule Azure.AppService.PlanInstanceCount

Error: AZR-000071: ***wsfcom001 failed Azure.AppService.PlanInstanceCount. App Service Plan should use a minimum number of instances for failover.

❓ This is not an error but only a recommendation to have minimum two instances. Not needed for test. We can exclude this rule from the test.

Exclude PSRule from the following files:
ResourceModules\modules\Microsoft.Web\serverfarms\.test\common\deploy.test.bicep


Rule Azure.Defender.AppServices

Error: AZR-000295: AppServices failed Azure.Defender.AppServices. Enable Microsoft Defender for App Service.

❓ Validate with the team if the following actions are good:

  1. Set the "appServicesPricingTier" parameter to "Standard"

Above action should be applied to the following files:
ResourceModules/modules/Microsoft.Security/azureSecurityCenter/.test/common/deploy.test.bicep


Rule Azure.Defender.Containers

Error: AZR-000290: Containers failed Azure.Defender.Containers. Enable Microsoft Defender for Containers.

❓ Validate with the team if the following actions are good:

  1. Set the "containersTier" parameter to "Standard"

Above action should be applied to the following files:
ResourceModules/modules/Microsoft.Security/azureSecurityCenter/.test/common/deploy.test.bicep


Rule Azure.Defender.Servers

Error: AZR-000293: VirtualMachines failed Azure.Defender.Servers. Enable Microsoft Defender for Servers.

❓ Validate with the team if the following actions are good:

  1. Set the "virtualMachinesPricingTier" parameter to "Standard"

Above action should be applied to the following files:
ResourceModules/modules/Microsoft.Security/azureSecurityCenter/.test/common/deploy.test.bicep


Rule Azure.Defender.SQL

Error: AZR-000294: SqlServers failed Azure.Defender.SQL. Enable Defender for SQL servers.

❓ Validate with the team if the following actions are good:

  1. Set the "sqlServersPricingTier" parameter to "Standard"

Above action should be applied to the following files:
ResourceModules/modules/Microsoft.Security/azureSecurityCenter/.test/common/deploy.test.bicep


Rule Azure.Defender.SQLOnVM

Error: AZR-000297: SqlServerVirtualMachines failed Azure.Defender.SQLOnVM. Enable Defender for SQL servers on machines.

❓ Validate with the team if the following actions are good:

  1. Set the "sqlServerVirtualMachinesPricingTier" parameter to "Standard"

Above action should be applied to the following files:
ResourceModules/modules/Microsoft.Security/azureSecurityCenter/.test/common/deploy.test.bicep


Rule Azure.Defender.Storage

Error: AZR-000297: SqlServerVirtualMachines failed Azure.Defender.SQLOnVM. Enable Defender for SQL servers on machines.

❓ Validate with the team if the following actions are good:

  1. Set the "storageAccountsPricingTier" parameter to "Standard"

Above action should be applied to the following files:
ResourceModules/modules/Microsoft.Security/azureSecurityCenter/.test/common/deploy.test.bicep


Rule Azure.LB.Probe

Error: AZR-000126: ***nlbcom001 failed Azure.LB.Probe. Use a specific probe for web protocols.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.LB.Probe/

❓ Validate with the team if the following actions are good:

  1. Row 92: Replace "protocol: 'Tcp'" with "protocol: 'HTTPS'"
  2. Row 114: Replace "protocol: 'Tcp'" with "protocol: 'HTTP'"

Above action should be applied to the following files:
ResourceModules/modules/Microsoft.Network/loadBalancers/.test/common/deploy.test.bicep

  3. Add an exception for ResourceModules/modules/Microsoft.Network/loadBalancers/.test/min/deploy.test.bicep

Rule Azure.ServiceFabric.AAD

Error: AZR-000179: ***sfcmin001 failed Azure.ServiceFabric.AAD. Use Azure Active Directory (AAD) client authentication for Service Fabric clusters.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceFabric.AAD/

❓ This is not an error but only a recommendation to enable Azure Active Directory (AAD) client authentication for Service Fabric clusters. We can exclude this rule from the test.

Exclude PSRule from the following files:
ResourceModules/modules/Microsoft.ServiceFabric/clusters/.test/min/deploy.test.bicep
ResourceModules/modules/Microsoft.ServiceFabric/clusters/.test/cert/deploy.test.bicep


Rule Azure.SignalR.ManagedIdentity

Error: AZR-000181: ***-srssrcom-001 failed Azure.SignalR.ManagedIdentity. Configure SignalR Services to use managed identities to access Azure resources securely.
Path Identity.Type: The field 'Identity.Type' does not exist.

❓ Validate with the team if the following actions are good:

  1. Update the module adding Identity.Type as per https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SignalR.ManagedIdentity/

Above action should be applied to the following files:
modules/Microsoft.SignalRService/signalR/deploy.bicep

    "identity": {
      "type": "SystemAssigned"   (or "UserAssigned")
    }

Specify the type of identity in parameter files:
ResourceModules/modules/Microsoft.SignalRService/signalR/.test/min/deploy.test.bicep
ResourceModules/modules/Microsoft.SignalRService/signalR/.test/common/deploy.test.bicep


Rule Azure.SQL.AAD

Error: AZR-000188: ***-sqlspe failed Azure.SQL.AAD. Use Azure Active Directory (AAD) authentication with Azure SQL databases.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.AAD/

❓ This is not an error but only a recommendation to use Azure Active Directory (AAD) authentication with SQL databases. We can exclude this rule from the test.

Exclude PSRule from the following files:
ResourceModules/modules/Microsoft.Sql/servers/.test/pe/deploy.test.bicep


Rule Azure.SQL.Auditing

Error: AZR-000187: ***-sqlsadmin failed Azure.SQL.Auditing. Enable auditing for Azure SQL logical server.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.Auditing/

❓ This is not an error but only a recommendation to enable auditing for each SQL Database logical server. We can exclude this rule from the test.

Exclude PSRule from the following files:
ResourceModules/modules/Microsoft.Sql/servers/.test/admin/deploy.test.bicep


Rule Azure.SQL.DefenderCloud

Error: AZR-000186: ***-sqlsadmin failed Azure.SQL.DefenderCloud. Enable Microsoft Defender for Azure SQL logical server.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.DefenderCloud/

❓ This is not an error but only a recommendation to enable Advanced Data Security and configure Microsoft Defender for SQL logical servers. We can exclude this rule from the test.

Exclude PSRule from the following files:
ResourceModules/modules/Microsoft.Sql/servers/.test/admin/deploy.test.bicep


Rule Azure.Storage.ContainerSoftDelete

Error: AZR-000289: ***ssamin001 failed Azure.Storage.ContainerSoftDelete. Enable container soft delete on Storage Accounts.
A sub-resource of type 'Microsoft.Storage/storageAccounts/blobServices' has not been specified.

HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.ContainerSoftDelete/

❓ Validate with the team if the following actions are good:

  1. Update the module adding a sub-resource of type 'Microsoft.Storage/storageAccounts/blobServices'

Above action should be applied to the following files:
ResourceModules/modules/Microsoft.Storage/storageAccounts/.test/v1/deploy.test.bicep


Rule Azure.Storage.ContainerSoftDelete

Error: AZR-000289: ***ssamin001 failed Azure.Storage.ContainerSoftDelete. Enable container soft delete on Storage Accounts.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.ContainerSoftDelete/

❓ It is only a recommendation to enable container soft delete on storage accounts to protect blob containers from accidental deletion. Not needed for the minimal test. We can remove this test from /min.

Exclude PSRule from the following files:
ResourceModules/modules/Microsoft.Storage/storageAccounts/.test/min/deploy.test.bicep
ResourceModules/modules/Microsoft.Storage/storageAccounts/.test/V1/deploy.test.bicep


Rule Azure.Storage.Firewall

Error: AZR-000202: ***ssamin001 failed Azure.Storage.Firewall. Storage Accounts should only accept explicitly allowed traffic.
Path properties.networkAcls.defaultAction: The field 'properties.networkAcls.defaultAction' does not exist.

HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.Firewall/

❓ Validate with the team if the following actions are good:

  1. Update the test.bicep adding the parameter networkAcls to "Deny"

Above action should be applied to the following files:
ResourceModules/modules/Microsoft.Storage/storageAccounts/.test/v1/deploy.test.bicep

❓ Validate if this will apply also to /min otherwise we can exclude the test.
ResourceModules/modules/Microsoft.Storage/storageAccounts/.test/min/deploy.test.bicep


Rule Azure.Deployment.AdminUsername

Error: AZR-000284: /home/runner/work/ResourceModules/ResourceModules/modules/Microsoft.Network/networkWatchers/.test/common/deploy.test.bicep failed Azure.Deployment.AdminUsername. Use secure parameters for sensitive resource properties.

REASON:
| - The property 'adminUsername' uses a deterministic literal value.

HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Deployment.AdminUsername/

❓ Validate with the team if the following actions are good:

The issue is related to .test/common/dependencies.bicep, where we have

    adminUsername: '${virtualMachineName}cake'

instead of a single parameter.

ACTIONS:

  • put adminUsername as a parameter
  • or exclude dependencies.bicep files from psrule validation
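
One way to record the two kinds of decision discussed in this thread (eriqua: suppress a rule only where it does not fit the test scenario and document the reason; elanzel: exclude a rule for specific test deployments, and keep dependencies.bicep out of the scan) is a ps-rule.yaml like the one below. This is an added illustration, not the ResourceModules repository's own configuration; which rule lands in which section, and the '<prefix>' placeholder standing for the masked '***' resource-name prefix in the output quoted above, are assumptions.

```yaml
# ps-rule.yaml (added example; not the repository's own file).
# Every entry carries the decision and its reason, so a reviewer can tell a
# deliberate, documented suppression from a finding that was simply silenced.

input:
  # Option from the Azure.Deployment.AdminUsername item: keep dependency
  # scaffolding such as '.test/common/dependencies.bicep' out of the scan
  # instead of weakening the rule for the real module.
  pathIgnore:
  - '**/dependencies.bicep'

rule:
  # Rules the thread treats as cost/SLA recommendations that never apply to a
  # throw-away test deployment. 'exclude' disables a rule for EVERY file, so
  # only rules that can never matter for a test belong here (assumption).
  exclude:
  - Azure.VM.UseHybridUseBenefit       # licensing, not relevant to tests
  - Azure.AppService.PlanInstanceCount # failover capacity, not relevant to tests

# Per-target suppression keeps the rule active everywhere else; it is the
# right tool when only one test scenario legitimately violates the rule.
# Keys are rule names, values are the TargetName (resource name) PSRule
# reports. '<prefix>' is a placeholder for the masked '***' prefix.
suppression:
  Azure.VM.Standalone:
  - '<prefix>cvmwinatmg'       # windows.atmg test: HA not needed for a temporary VM
  Azure.VM.DiskCaching:
  - '<prefix>cvmwinatmg'       # reminder only; caching is workload-specific
  Azure.SQL.AAD:
  - '<prefix>-sqlspe'          # pe test: AAD auth out of scope for the private-endpoint test
  Azure.VNET.UseNSGs:
  - 'adp-<prefix>-vnet-sqlspe' # dependency VNET of the private-endpoint test
```

A suppression by target name only silences the named resource, so the same rule still fails if a production-style module trips it; a global exclude does not, which is why the comment on each entry is the part worth keeping.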

elanzel commented Feb 3, 2023

@eriqua we have completed rules' review. Can we have a call to discuss all the decisions and create issues?

@AlexanderSehr (Contributor)

Covered in AVM by the PSRule reliability tests
