[PSRule] Discuss PSRule validation results and update modules/module tests accordingly #2151
Comments
Suggestion: keep in triage with the

Team decides that issues should be created per rule, not per module
Following list of failing rules: Failed_PSRule_Output_v03 (3).xlsx

TO DO LIST:

Rule Azure.Resource.UseTags
Error example: Error: AZR-000166: ***splhcom001 failed Azure.Resource.UseTags. Azure resources should be tagged using a standard convention.
Examples of other found tags:

Rule Azure.Policy.AssignmentAssignedBy
Error example: Error: AZR-000144: ***apamgcom001 failed Azure.Policy.AssignmentAssignedBy. Policy assignments should use assignedBy metadata.
Example of metadata block

Rule Azure.Policy.AssignmentDescriptors
Error: AZR-000143: ***apasubmin001 failed Azure.Policy.AssignmentDescriptors. Policy assignments should use a display name and description.
❓ Validate with the team if the following actions are good:
Above actions should be applied to the following files: ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyAssignments/.test/sub.min/deploy.test.bicep

Rule Azure.Policy.Descriptors
Error: AZR-000142: ***apdmgmin001 failed Azure.Policy.Descriptors. Policy and initiative definitions should use a display name, description, and category.
❓ Validate with the team if the following actions are good:
Above actions should be applied to the following files:

Rule Azure.Policy.ExemptionDescriptors
Error: AZR-000145: ***apemgmin001 failed Azure.Policy.ExemptionDescriptors. Policy exemptions should use a display name and description.
❓ Validate with the team if the following actions are good:
Above actions should be applied to the following files: ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyExemptions/.test/mg.min/deploy.test.bicep

Rule Azure.VMSS.AMA
Error: AZR-000346: ***cvmsswin001 failed Azure.VMSS.AMA. Use Azure Monitor Agent for collecting monitoring data.
Set properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux). In this way the errors will be solved for the following files:
ResourceModules\modules\Microsoft.Compute\virtualMachineScaleSets.test\linux.min\deploy.test.bicep
Action:

Rule Azure.VMSS.MigrateAMA
ℹ️ Automatically solved when the issue for Azure.VMSS.AMA is closed
Error: AZR-000318: ***cvmsswin001 failed Azure.VMSS.MigrateAMA. Use Azure Monitor Agent as replacement for Log Analytics Agent.

Rule Azure.VM.AMA
Error: AZR-000345: ***cvmwinatmg failed Azure.VM.AMA. Use Azure Monitor Agent for collecting monitoring data.
Set properties.type to AzureMonitorWindowsAgent (Windows) or AzureMonitorLinuxAgent (Linux). In this way the errors will be solved for the following files:
ResourceModules\modules\Microsoft.Compute\virtualMachines.test\windows.atmg\deploy.test.bicep
Action:

Rule Azure.VM.DiskCaching
Error: AZR-000242: ***cvmwinatmg failed Azure.VM.DiskCaching. Check disk caching is configured correctly for the workload.
❓ This is not an error but only a reminder to check the right disk configuration. We can exclude this rule from the test.
Exclude PSRule from the following files:
Note: PSRule doesn't fail the following file, which includes "dataDisks: [ { caching: 'None' }]"

Rule Azure.VM.DiskSizeAlignment
Error: AZR-000251: ***-cdimp001 failed Azure.VM.DiskSizeAlignment. Align to the Managed Disk billing model to improve cost efficiency.
❓ Validate with the team if the following actions are good:
Above actions should be applied to the following files:

Rule Azure.VM.DiskSizeAlignment
Error: AZR-000239: ***cvmwinatmg failed Azure.VM.Standalone. Use VM features to increase reliability and improve covered SLA for VM configurations.
❓ This is not an error but only a recommendation to consider using availability zones/sets or only premium/ultra disks to improve SLA. High availability is not needed for temporary tests. We can exclude this rule from the test.
Exclude PSRule from the following files:

Rule Azure.VM.UseHybridUseBenefit
Error: AZR-000243: ***cvmwinatmg failed Azure.VM.UseHybridUseBenefit. Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads.
❓ This is not an error but only a recommendation to consider using Azure Hybrid Benefit for eligible workloads. Not relevant for a test. We can exclude this rule from the test.
Exclude PSRule from the following files:

Rule Azure.VNET.UseNSGs
Error: AZR-000263: adp-***-vnet-sqlspe failed Azure.VNET.UseNSGs. Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.
❓ This is not an error but only a recommendation to consider assigning a network security group (NSG) to the virtual network subnet. It is optional for testing private endpoints. We can exclude this rule from the test.
Exclude PSRule from the following files:

Rule Azure.WebPubSub.ManagedIdentity
Error: AZR-000277: ***-srswpsmin-001 failed Azure.WebPubSub.ManagedIdentity. Configure Web PubSub Services to use managed identities to access Azure resources securely.
❓ Validate with the team if the following actions are good:
Above actions should be applied to the following files:

Rule Azure.AppService.PlanInstanceCount
Error: AZR-000071: ***wsfcom001 failed Azure.AppService.PlanInstanceCount. App Service Plan should use a minimum number of instances for failover.
❓ This is not an error but only a recommendation to have a minimum of two instances. Not needed for test. We can exclude this rule from the test.
Exclude PSRule from the following files:

Rule Azure.Defender.AppServices
Error: AZR-000295: AppServices failed Azure.Defender.AppServices. Enable Microsoft Defender for App Service.
❓ Validate with the team if the following actions are good:
Above action should be applied to the following files:

Rule Azure.Defender.Containers
Error: AZR-000290: Containers failed Azure.Defender.Containers. Enable Microsoft Defender for Containers.
❓ Validate with the team if the following actions are good:
Above action should be applied to the following files:

Rule Azure.Defender.Servers
Error: AZR-000293: VirtualMachines failed Azure.Defender.Servers. Enable Microsoft Defender for Servers.
❓ Validate with the team if the following actions are good:
Above action should be applied to the following files:

Rule Azure.Defender.SQL
Error: AZR-000294: SqlServers failed Azure.Defender.SQL. Enable Defender for SQL servers.
❓ Validate with the team if the following actions are good:
Above action should be applied to the following files:

Rule Azure.Defender.SQLOnVM
Error: AZR-000297: SqlServerVirtualMachines failed Azure.Defender.SQLOnVM. Enable Defender for SQL servers on machines.
❓ Validate with the team if the following actions are good:
Above action should be applied to the following files:

Rule Azure.Defender.Storage
Error: AZR-000297: SqlServerVirtualMachines failed Azure.Defender.SQLOnVM. Enable Defender for SQL servers on machines.
❓ Validate with the team if the following actions are good:
Above action should be applied to the following files:

Rule Azure.LB.Probe
Error: AZR-000126: ***nlbcom001 failed Azure.LB.Probe. Use a specific probe for web protocols.
❓ Validate with the team if the following actions are good:
Above action should be applied to the following files:

Rule Azure.ServiceFabric.AAD
Error: AZR-000179: ***sfcmin001 failed Azure.ServiceFabric.AAD. Use Azure Active Directory (AAD) client authentication for Service Fabric clusters.
❓ This is not an error but only a recommendation to enable Azure Active Directory (AAD) client authentication for Service Fabric clusters. We can exclude this rule from the test.
Exclude PSRule from the following files:

Rule Azure.SignalR.ManagedIdentity
Error: AZR-000181: ***-srssrcom-001 failed Azure.SignalR.ManagedIdentity. Configure SignalR Services to use managed identities to access Azure resources securely.
❓ Validate with the team if the following actions are good:
Above action should be applied to the following files:
"identity": {
Specify the type of identity in parameter files:

Rule Azure.SQL.AAD
Error: AZR-000188: ***-sqlspe failed Azure.SQL.AAD. Use Azure Active Directory (AAD) authentication with Azure SQL databases.
❓ This is not an error but only a recommendation to use Azure Active Directory (AAD) authentication with SQL databases. We can exclude this rule from the test.
Exclude PSRule from the following files:

Rule Azure.SQL.Auditing
Error: AZR-000187: ***-sqlsadmin failed Azure.SQL.Auditing. Enable auditing for Azure SQL logical server.
❓ This is not an error but only a recommendation to enable auditing for each SQL Database logical server. We can exclude this rule from the test.
Exclude PSRule from the following files:

Rule Azure.SQL.DefenderCloud
Error: AZR-000186: ***-sqlsadmin failed Azure.SQL.DefenderCloud. Enable Microsoft Defender for Azure SQL logical server.
❓ This is not an error but only a recommendation to enable Advanced Data Security and configure Microsoft Defender for SQL logical servers. We can exclude this rule from the test.
Exclude PSRule from the following files:

Rule Azure.Storage.ContainerSoftDelete
Error: AZR-000289: ***ssamin001 failed Azure.Storage.ContainerSoftDelete. Enable container soft delete on Storage Accounts.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.ContainerSoftDelete/
❓ Validate with the team if the following actions are good:
Above action should be applied to the following files:

Rule Azure.Storage.ContainerSoftDelete
Error: AZR-000289: ***ssamin001 failed Azure.Storage.ContainerSoftDelete. Enable container soft delete on Storage Accounts.
❓ It is only a recommendation to enable container soft delete on storage accounts to protect blob containers from accidental deletion. Not needed for minimal test. We can remove this test to /min.
Exclude PSRule from the following files:

Rule Azure.Storage.Firewall
Error: AZR-000202: ***ssamin001 failed Azure.Storage.Firewall. Storage Accounts should only accept explicitly allowed traffic.
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.Firewall/
❓ Validate with the team if the following actions are good:
Above action should be applied to the following files:
❓ Validate if this will also apply to /min, otherwise we can exclude the test.

Rule Azure.Deployment.AdminUsername
Error: AZR-000284: /home/runner/work/ResourceModules/ResourceModules/modules/Microsoft.Network/networkWatchers/.test/common/deploy.test.bicep failed Azure.Deployment.AdminUsername. Use secure parameters for sensitive resource properties.
REASON:
HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Deployment.AdminUsername/
The issue is related to .test/common/dependencies.bicep
ACTIONS:
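The comment above lists failures rule by rule, and the team decided that issues should be created per rule rather than per module. The following Python script is an added example for this thread (not code from the ResourceModules repository or from PSRule): it parses failure lines in the `AZR-nnnnnn: <target> failed <Rule>. <recommendation>` format quoted above, groups them by rule so each group can become one issue, and renders the `rule.exclude` fragment of a `ps-rule.yaml` for the rules the review marked as "We can exclude this rule from the test". The sample lines are lifted from the comment plus one constructed extra UseTags target, and the exclusion set is a constructed subset of the rules discussed above.

```python
"""Triage PSRule.Rules.Azure failure lines into one issue per rule.

Added example for this thread; not code from the ResourceModules repository
or from PSRule. Sample lines and the exclusion set are constructed.
"""
import re
from typing import Dict, Optional

# One failure record in the format quoted in the comment, e.g.
#   "AZR-000346: ***cvmsswin001 failed Azure.VMSS.AMA. Use Azure Monitor Agent ..."
# A leading "Error:" is tolerated because the comment pastes some lines that way.
FAILURE_RE = re.compile(
    r"^(?:Error:\s*)?(?P<id>AZR-\d{6}):\s+(?P<target>\S+)\s+failed\s+"
    r"(?P<rule>Azure(?:\.[A-Za-z0-9]+)+)\.\s+(?P<reason>.+?)\s*$"
)

# Constructed subset of the rules the review marks "We can exclude this rule from the test".
EXCLUDED_RULES = {
    "Azure.VM.DiskCaching",
    "Azure.VM.Standalone",
    "Azure.VM.UseHybridUseBenefit",
    "Azure.VNET.UseNSGs",
    "Azure.AppService.PlanInstanceCount",
}

# Constructed sample: lines from the comment, one extra UseTags target (***ssamin001),
# and one non-failure line to show that unrelated output is skipped.
SAMPLE_OUTPUT = """\
AZR-000346: ***cvmsswin001 failed Azure.VMSS.AMA. Use Azure Monitor Agent for collecting monitoring data.
AZR-000345: ***cvmwinatmg failed Azure.VM.AMA. Use Azure Monitor Agent for collecting monitoring data.
Error: AZR-000242: ***cvmwinatmg failed Azure.VM.DiskCaching. Check disk caching is configured correctly for the workload.
AZR-000166: ***splhcom001 failed Azure.Resource.UseTags. Azure resources should be tagged using a standard convention.
AZR-000166: ***ssamin001 failed Azure.Resource.UseTags. Azure resources should be tagged using a standard convention.
AZR-000293: VirtualMachines failed Azure.Defender.Servers. Enable Microsoft Defender for Servers.
[PASS] this line is not a failure record and is ignored
"""


def parse_failure(line: str) -> Optional[Dict[str, str]]:
    """Return id/target/rule/reason for a failure line, or None for anything else."""
    match = FAILURE_RE.match(line.strip())
    return match.groupdict() if match else None


def triage(output: str, excluded=EXCLUDED_RULES) -> Dict[str, dict]:
    """Group failure records by rule; each group keeps the unique targets that failed it."""
    groups: Dict[str, dict] = {}
    for line in output.splitlines():
        rec = parse_failure(line)
        if rec is None:
            continue
        entry = groups.setdefault(rec["rule"], {
            "id": rec["id"],
            "reason": rec["reason"],
            "targets": [],
            "decision": "exclude" if rec["rule"] in excluded else "fix",
        })
        if rec["target"] not in entry["targets"]:
            entry["targets"].append(rec["target"])
    return groups


def render_issue(rule: str, entry: dict) -> str:
    """Plain-text body for one per-rule issue."""
    lines = [f"[PSRule] {rule} ({entry['id']}): {entry['reason']}", "", "Failing targets:"]
    lines += [f"- {target}" for target in entry["targets"]]
    lines += ["", f"Proposed handling: {entry['decision']}"]
    return "\n".join(lines)


def render_exclude_yaml(groups: Dict[str, dict]) -> str:
    """ps-rule.yaml 'rule.exclude' fragment for the rules decided as 'exclude'."""
    rules = [rule for rule, entry in groups.items() if entry["decision"] == "exclude"]
    return "rule:\n  exclude:\n" + "".join(f"  - '{rule}'\n" for rule in rules)


if __name__ == "__main__":
    result = triage(SAMPLE_OUTPUT)
    for rule, entry in result.items():
        print(render_issue(rule, entry), end="\n\n")
    print(render_exclude_yaml(result))
```

`rule.exclude` switches a rule off for the whole run; where the review wants a rule excluded only for specific test files, PSRule's per-target `suppression` option is the narrower tool, since a global exclusion also hides genuine findings in modules that were not part of the review.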
@eriqua we have completed the rules' review. Can we have a call to discuss all the decisions and create issues?

Covered in AVM by the PSRule reliability tests
Analyze the output of PSRule validation. List all modules to be updated and open separate issues for each.
For each failed rule we should:
Example
List of failed rules after running PSRule validation on RG, KV and VNET modules:
Following the list of rules to be fixed:
Tasks