
PSRule for Cloud Adoption Framework

A suite of rules to validate Azure resources against the Cloud Adoption Framework (CAF) using PSRule.

Features of PSRule for CAF include:

  • Ready to go - Leverage configurable rules to validate Azure resources.
  • DevOps - Validate resources and infrastructure code pre or post-deployment.
  • Cross-platform - Run on macOS, Linux, and Windows.

Support

This project uses GitHub Issues to track bugs and feature requests. Please search the existing issues before filing new issues to avoid duplicates.

  • For new issues, file your bug or feature request as a new issue.
  • For help, discussion, and support questions about using this project, join or start a discussion.

If you have any problems with the PSRule engine, please check the project GitHub issues page instead.

Support for this project/product is limited to the resources listed above.

Getting the modules

This project requires the PSRule, PSRule.Rules.Azure and Az PowerShell modules. For details on each see install.

You can download and install these modules from the PowerShell Gallery.

Module             Description                                  Downloads / instructions
------             -----------                                  ------------------------
PSRule.Rules.CAF   Validate Azure resources against the CAF.    latest / instructions

Getting started

PSRule for CAF provides two methods for analyzing Azure resources:

  • Pre-flight - Before resources are deployed from Azure Resource Manager (ARM) templates.
  • In-flight - After resources are deployed to an Azure subscription.

For additional details see the FAQ.

Using with GitHub Actions

The following example shows how to set up GitHub Actions to validate templates pre-flight.

  1. See Creating a workflow file.
  2. Reference microsoft/ps-rule with modules: 'PSRule.Rules.CAF'.
  3. Create and configure ps-rule.yaml in the repository root directory.

Example workflow:

# Example: .github/workflows/analyze-arm.yaml

#
# STEP 1: Template validation
#
name: Analyze templates
on:
- pull_request
jobs:
  analyze_arm:
    name: Analyze templates
    runs-on: ubuntu-latest
    steps:

    - name: Checkout
      uses: actions/checkout@v3

    # STEP 3: Run analysis against PSRule for Cloud Adoption Framework
    - name: Test Azure Infrastructure as Code
      uses: microsoft/[email protected]
      with:
        modules: 'PSRule.Rules.CAF'

Example PSRule options:

# Example: ps-rule.yaml

#
# PSRule configuration
#

# Please see the documentation for all configuration options:
# https://aka.ms/ps-rule/options

include:
  module:
  - PSRule.Rules.CAF

requires:
  PSRule.Rules.CAF: '>=0.3.0'

output:
  culture:
  - en-US

configuration:
  # Enable expansion for Bicep source files.
  AZURE_BICEP_FILE_EXPANSION: true

  # Enable expansion for template parameter files.
  AZURE_PARAMETER_FILE_EXPANSION: true

Using with Azure Pipelines

The following example shows how to set up Azure Pipelines to validate templates pre-flight.

  1. Install PSRule extension for Azure DevOps marketplace.
  2. Create a new YAML pipeline with the Starter pipeline template.
  3. Add the PSRule analysis task.
    • Set modules to PSRule.Rules.CAF.
  4. Create and configure ps-rule.yaml in the repository root directory.

Example pipeline:

# Example: .pipelines/analyze-arm.yaml

#
# STEP 2: Template validation
#
jobs:
- job: 'analyze_arm'
  displayName: 'Analyze templates'
  pool:
    vmImage: 'ubuntu-20.04'
  steps:

  # STEP 3: Run analysis against PSRule for Cloud Adoption Framework
  - task: ps-rule-assert@1
    displayName: Test Azure Infrastructure as Code
    inputs:
      modules: 'PSRule.Rules.CAF'

Example PSRule options:

# Example: ps-rule.yaml

#
# PSRule configuration
#

# Please see the documentation for all configuration options:
# https://aka.ms/ps-rule/options

include:
  module:
  - PSRule.Rules.CAF

requires:
  PSRule.Rules.CAF: '>=0.3.0'

output:
  culture:
  - en-US

configuration:
  # Enable expansion for Bicep source files.
  AZURE_BICEP_FILE_EXPANSION: true

  # Enable expansion for template parameter files.
  AZURE_PARAMETER_FILE_EXPANSION: true

Using locally

The following example shows how to set up PSRule locally to validate templates pre-flight.

  1. Install the PSRule.Rules.CAF module and dependencies from the PowerShell Gallery.
  2. Create and configure ps-rule.yaml in the repository root directory.
  3. Run analysis against PSRule for Cloud Adoption Framework.

Example install command-line:

# STEP 1: Install from the PowerShell Gallery
Install-Module -Name 'PSRule.Rules.CAF' -Scope CurrentUser -Repository PSGallery;

Example PSRule options:

# Example: ps-rule.yaml

#
# PSRule configuration
#

# Please see the documentation for all configuration options:
# https://aka.ms/ps-rule/options

include:
  module:
  - PSRule.Rules.CAF

requires:
  PSRule.Rules.CAF: '>=0.3.0'

output:
  culture:
  - en-US

configuration:
  # Enable expansion for Bicep source files.
  AZURE_BICEP_FILE_EXPANSION: true

  # Enable expansion for template parameter files.
  AZURE_PARAMETER_FILE_EXPANSION: true

Example test command-line:

# STEP 3: Test Azure Infrastructure as Code
Assert-PSRule -Module 'PSRule.Rules.CAF' -Format File -InputPath '.';

Troubleshooting expansion

A number of issues can occur when expanding Azure templates or Bicep source files. You may also get no results at all if expansion is not configured. See the following topics:

Export in-flight resource data

The following example shows how to set up PSRule locally to validate resources running in a subscription.

  1. Install the PSRule.Rules.CAF module and dependencies from the PowerShell Gallery.
  2. Connect and set context to an Azure subscription from PowerShell.
  3. Export the resource data with the Export-AzRuleData cmdlet.
  4. Run analysis against exported data.

For example:

# STEP 1: Install PSRule.Rules.CAF from the PowerShell Gallery
Install-Module -Name 'PSRule.Rules.CAF' -Scope CurrentUser;

# STEP 2: Authenticate to Azure, only required if not currently connected
Connect-AzAccount;

# Confirm the current subscription context
Get-AzContext;

# STEP 3: Exports a resource graph stored as JSON for analysis
Export-AzRuleData -OutputPath 'out/templates/';

# STEP 4: Run analysis against exported data
Assert-PSRule -Module 'PSRule.Rules.CAF' -InputPath 'out/templates/';
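The local install and in-flight export steps above, combined into one CI-friendly script, as an added example that is not from the PSRule.Rules.CAF project. It goes beyond the page by scoping the export to a single resource group, summarising failures per rule, writing a JSON report for audit and exiting non-zero so a pipeline gate fails; it assumes you are already connected with Connect-AzAccount and that the resource group named in $ResourceGroupName exists.

```powershell
# Added example (not part of the PSRule.Rules.CAF project): scan one resource group
# in-flight, summarise CAF rule failures per rule, save a report and gate on the result.
# Assumptions: Az and PSRule.Rules.CAF are installable from the PowerShell Gallery,
# Connect-AzAccount has already been run, and $ResourceGroupName exists.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [string] $OutputPath = 'out/in-flight/',
    [string] $ReportPath = 'out/caf-report.json'
)
$ErrorActionPreference = 'Stop';

# STEP 1: Install the rules module; PSRule and PSRule.Rules.Azure come in as dependencies.
# MinimumVersion mirrors the '>=0.3.0' constraint used in ps-rule.yaml above.
Install-Module -Name 'PSRule.Rules.CAF' -MinimumVersion '0.3.0' -Scope CurrentUser -Repository PSGallery -Force;

# STEP 2: Confirm the subscription context before exporting anything.
$context = Get-AzContext;
if ($null -eq $context) { throw 'No Azure context found. Run Connect-AzAccount first.'; }
Write-Host "Exporting subscription '$($context.Subscription.Name)', resource group '$ResourceGroupName'";

# STEP 3: Export only the resource group under review (narrower than the whole subscription).
$null = Export-AzRuleData -ResourceGroupName $ResourceGroupName -OutputPath $OutputPath;

# STEP 4: Evaluate the exported JSON and keep only the failing rule records.
$failed = @(Invoke-PSRule -Module 'PSRule.Rules.CAF' -InputPath $OutputPath -Outcome Fail);

# STEP 5: Group by rule so the most common CAF gaps surface first.
$summary = $failed | Group-Object -Property RuleName | Sort-Object -Property Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Rule      = $_.Name
            Failures  = $_.Count
            Resources = @($_.Group | ForEach-Object { $_.TargetName } | Sort-Object -Unique)
        }
    };
$summary | Format-Table -AutoSize -Wrap | Out-String | Write-Host;

# STEP 6: Persist a machine-readable report for audit, then fail the job on any failure.
$report = [pscustomobject]@{
    subscription  = $context.Subscription.Id
    resourceGroup = $ResourceGroupName
    evaluatedAt   = (Get-Date).ToUniversalTime().ToString('o')
    failed        = @($failed | Select-Object RuleName, TargetName, TargetType, Reason)
};
New-Item -ItemType Directory -Path (Split-Path -Parent $ReportPath) -Force | Out-Null;
$report | ConvertTo-Json -Depth 5 | Set-Content -Path $ReportPath;
if ($failed.Count -gt 0) {
    Write-Host "$($failed.Count) CAF rule failure(s) in '$ResourceGroupName'. See $ReportPath" -ForegroundColor Red;
    exit 1;
}
Write-Host 'All CAF rules passed.';
```

Run it as `./Test-CafInFlight.ps1 -ResourceGroupName '<your-rg>'` from a pipeline step; the non-zero exit is what turns a CAF naming or tagging gap into a failed build.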

Rule reference

For a list of rules included in the PSRule.Rules.CAF module see:

Rules included in this module define a number of configurable values that can be set as needed. By default these values use the standards defined by the CAF. A list of configurable values is included in the reference for each rule.

Language reference

Commands

This module uses commands from the PSRule.Rules.Azure module to export resource configuration data. The PSRule.Rules.Azure module is included as a dependency of PSRule.Rules.CAF.

For details of PSRule.Rules.Azure commands see:

Changes and versioning

Modules in this repository will use the semantic versioning model to declare breaking changes from v1.0.0. Prior to v1.0.0, breaking changes may be introduced in minor (0.x.0) version increments. For a list of module changes please see the change log.

Pre-release module versions are created on major commits and can be installed from the PowerShell Gallery. Pre-release versions should be considered experimental. Modules and change log details for pre-releases will be removed as standard releases are made available.

Contributing

This project welcomes contributions and suggestions. If you are ready to contribute, please visit the contribution guide.

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Maintainers

License

This project is licensed under the MIT License.


Issues

CAF.Name.PublicIP logic needs tweaking

Description of the issue

I don't believe the logic or message around public IPs is correct. (Happy to be wrong though.)

My template fails with:

-> pip-agw-byo : Microsoft.Network/publicIPAddresses [3/4]

    [PASS] Azure.PublicIP.Name
    [PASS] Azure.PublicIP.AvailabilityZone
    [PASS] Azure.PublicIP.StandardSKU
    [FAIL] CAF.Name.PublicIP
    | Template: bicep/main.bicep:991:5
    | Parameter: .github/workflows_dep/AksDeploy-ByoVnet.parameters.json:1:0

    | RECOMMEND:
    | Consider creating public IPs with a standard name. Additionally consider using
    | Azure Policy to only permit creation using a standard naming convention.

    | REASON:
    | - The parameter 'prefix' is null.

    | HELP:
    | - https://github.com/microsoft/PSRule.Rules.CAF/blob/main/docs/rules/en/CAF.Name.PublicIP.md

Error: pip-agw-byo failed CAF.Name.PublicIP. Public IP address names should use a standard prefix.
  1. The parameter 'prefix' is null - I don't see prefix in the RP schema.
  2. Hoping it doesn't mean publicIPPrefix as that has another purpose, not naming.
  3. This PublicIP address is created with the name pip-agw-byo - which should already be CAF compliant.

Tag names and values should be case-sensitive

Description of the issue

Rules comparing tag names and values should be case sensitive.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2009009

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Add naming rule for Cognitive Search

Rule request

Suggested rule change

Add naming rule for Cognitive Search services.

Applies to the following

The rule applies to the following:

  • Resource type: Microsoft.Search/searchServices

Storage account prefix should use st

Description of the issue

Storage account prefix should be st instead of stor.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2008005

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Update CI pipeline to use PS 7.0

PowerShell 7.0 is now GA. Currently the pipeline only builds against VM configuration instead of docker images.

CI pipeline should be updated to run against different PS configurations.

Additionally CI pipeline needs to fix build issue with YamlDotNet.

Resource name rules should be case sensitive

Description of the issue

Rules comparing resource names should be case sensitive.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2009009

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Update PSRule dependency to v1.0.1

Update PSRule module dependency to v1.0.1. This fix is required to co-exist with PSRule.Rules.Azure when both modules are executed.

Additionally PSRule.Rules.Azure dependency can be bumped to v0.19.0.

Update naming rules to only check naming prefix

Currently PSRule.Rules.Azure already tests if the name of a resource is valid in terms of Azure resource naming requirements. This module is the most logical place for checking naming requirements of resources. This CAF module should focus on the specifics of CAF.

To this end, naming rules should be simplified to only check for recommended naming instead of naming requirements.

Add naming rule for Cognitive Services

Rule request

Suggested rule change

Add a naming rule for Cognitive Services accounts.

Applies to the following

The rule applies to the following:

  • Resource type: Microsoft.CognitiveServices/accounts

Virtual Machine prefix should use vm

Description of the issue

Virtual Machine prefix should be vm instead of vm-.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2008005

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Virtual Network Gateway prefix should use vgw-

Description of the issue

Virtual Network Gateway prefix should be vgw- instead of vnet-gw-.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2008005

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Coexistence with PSRule.Rules.Azure

Description of the issue

Currently the PSRule pipeline does not isolate module runspaces when called on the command line together.

For example:

Invoke-PSRule -Module 'PSRule.Rules.CAF', 'PSRule.Rules.Azure';

When internal functions use the same name they can clash and only one wins. In this case both modules define a SupportsTags helper function.

Expected behaviour

Update helper function name with CAF_ prefix.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2001009

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

PSRule.Rules.CAF version mismatch

Description of the issue

Specifying the prerelease flag on the CAF rules results in a version error.

To Reproduce

Ref: https://github.com/Azure/AKS-Construction/actions/runs/4054300944/workflow

      - name: PSRule for CAF
        uses: microsoft/[email protected]
        continue-on-error: true #Setting this whilst PSRule gets bedded in, in this project
        with:
          modules: 'PSRule.Rules.CAF'
          inputPath: "${{ env.ParamFilePath }}"
          prerelease: true

Error output

Error: The module version '0.4.0-B2208003' for 'PSRule.Rules.CAF' does not match the required version '>=0.3.0'. To continue, first update the module to match the version requirement.

Tags property causes case sensitive Env tag to fail

Description of the issue

When a resource specifies tags they must be defined under the Tags (case-sensitive) property or the CAF.Tag.Environment rule will fail. Case sensitivity should only apply to the tag, i.e. Env, not the tags property name.

Expected behaviour

The resource Tags property should not be case-sensitive but the tag under the Tags property should be.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: v0.1.0-B2012004

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.1.0
PSEdition                      Core
GitCommitId                    7.1.0
OS                             Microsoft Windows 10.0.19042
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Exclude AzureFirewallSubnet from CAF.Name.Subnet

Description of the issue

The subnet where an Azure Firewall is deployed must be AzureFirewallSubnet.

Expected behaviour

Exclude AzureFirewallSubnet subnets from the rule.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2008005

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Exclude cloud shell storage accounts from storage account name rule

Description of the issue

Storage accounts automatically created for Azure Cloud Shell are prefixed with cs instead of st.

Expected behaviour

The CAF standard should be excluded for storage accounts with the "ms-resource-usage": "azure-cloud-shell" tag.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2101004

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.1.0
PSEdition                      Core
GitCommitId                    7.1.0
OS                             Microsoft Windows 10.0.19042
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Load Balancer prefix should use lbe- and lbi-

Description of the issue

Load Balancer prefix should be lbe- and lbi- instead of lb-.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2008005

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Unable to build Azure DevOps pipeline to assert CAF pre-flight rule (using bicep file)

Hi,

I'm editing my original question as it seems that I failed to differentiate the pre/in-flight settings and my question diverged from where it should really land, so the post became a mess... To recap: I'm not sure how to deploy the CAF pre-flight check on Azure Pipelines. I've made a simple stage with several tasks, the first one building the ARM template from my main.bicep file and continuing with the rest of the code that was copied and pasted from the PSRule.Rules.CAF section with the YAML pre-flight example. The result is 0 processed rules.

trigger:
  branches:
    include:
    - Development
pool:
  vmImage: ubuntu-latest
variables:
- name: ResourceGroupName
  value: 'biceptesting'
stages:

- stage: Cloud_Adoption_FRWK
  jobs:

#
# STEP 2: Template validation
#

  - job: 'analyze_arm'
    displayName: 'Analyze templates'
    pool:
      vmImage: 'ubuntu-18.04'
    steps:
    - task: CmdLine@2
      name: BuildARMfromBicep
      displayName: Build ARM from Bicep
      inputs:
        script: |
          az bicep build --file deploy/main.bicep
    # STEP 3: Install PSRule.Rules.CAF from the PowerShell Gallery
    - task: ps-rule-install@0
      displayName: Install PSRule.Rules.CAF
      inputs:
        module: 'PSRule.Rules.CAF'   # Install PSRule.Rules.CAF from the PowerShell Gallery.

    # STEP 4: Export template data for analysis
    - powershell: Get-AzRuleTemplateLink | Export-AzTemplateRuleData -OutputPath 'out/templates/';
      displayName: 'Export template data'

    # STEP 5: Run analysis against exported data
    - task: ps-rule-assert@0
      displayName: Analyze Azure template files
      inputs:
        inputType: inputPath
        inputPath: 'out/templates/'   # Read objects from JSON files in 'out/templates/'.
        modules: 'PSRule.Rules.CAF'   # Analyze objects using the rules within the PSRule.Rules.CAF PowerShell module.

This is how it looks when checking the run in depth:

Export part (this looks odd too): [screenshot]

Assert rule part: [screenshot]
