psrule.rules.caf's Issues

Resource name rules should be case sensitive

Description of the issue

Rules comparing resource names should be case sensitive.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2009009

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Tag names and values should be case-sensitive

Description of the issue

Rules comparing tag names and values should be case sensitive.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2009009

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Exclude cloud shell storage accounts from storage account name rule

Description of the issue

Storage accounts automatically created for Azure Cloud Shell are prefixed with cs instead of st.

Expected behaviour

The CAF standard should be excluded for storage accounts with the "ms-resource-usage": "azure-cloud-shell" tag.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2101004

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.1.0
PSEdition                      Core
GitCommitId                    7.1.0
OS                             Microsoft Windows 10.0.19042
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Update naming rules to only check naming prefix

Currently PSRule.Rules.Azure already tests if the name of a resource is valid in terms of Azure resource naming requirements. This module is the most logical place for checking naming requirements of resources. This CAF module should focus on the specifics of CAF.

To this end, naming rules should be simplified to only check for recommended naming instead of naming requirements.

Virtual Network Gateway prefix should use vgw-

Description of the issue

Virtual Network Gateway prefix should be vgw- instead of vnet-gw-.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2008005

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Storage account prefix should use st

Description of the issue

Storage account prefix should be st instead of stor.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2008005

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Coexistence with PSRule.Rules.Azure

Description of the issue

Currently the PSRule pipeline does not isolate module runspaces when called on the command line together.

For example:

Invoke-PSRule -Module 'PSRule.Rules.CAF', 'PSRule.Rules.Azure';

When internal functions use the same name they can clash and only one wins. In this case both modules define a SupportsTags helper function.

Expected behaviour

Update helper function name with CAF_ prefix.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2001009

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Tags property causes case sensitive Env tag to fail

Description of the issue

When a resource specifies tags, they must be defined under the Tags (case-sensitive) property or the CAF.Tag.Environment rule will fail. Case sensitivity should only apply to the tag, i.e. Env, not the tags property name.

Expected behaviour

The resource Tags property should not be case-sensitive but the tag under the Tags property should be.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: v0.1.0-B2012004

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.1.0
PSEdition                      Core
GitCommitId                    7.1.0
OS                             Microsoft Windows 10.0.19042
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
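
The expected behaviour described in this issue and in "Tag names and values should be case-sensitive" above, as an added PowerShell example (not code from PSRule.Rules.CAF): the tags property is located without regard to case, while the tag name Env and its value are compared with case-sensitive operators. The function name Test-EnvTag, the allowed values and the sample resources are assumptions constructed for illustration.

```powershell
# Added example; not part of PSRule.Rules.CAF. Sample resources are constructed.
$resources = @'
[
  { "name": "st001", "tags": { "Env": "prod" } },
  { "name": "st002", "Tags": { "Env": "prod" } },
  { "name": "st003", "Tags": { "env": "prod" } },
  { "name": "st004", "tags": { "Env": "Prod" } },
  { "name": "st005" }
]
'@ | ConvertFrom-Json

function Test-EnvTag {
    param (
        [Parameter(Mandatory)] [PSObject]$Resource,
        [string[]]$AllowedValue = @('prod', 'test', 'dev')  # assumed allowed values
    )

    # Property name: case-insensitive match, so tags/Tags/TAGS all resolve.
    $tags = $Resource.PSObject.Properties |
        Where-Object { $_.Name -ieq 'tags' } | Select-Object -First 1
    if ($null -eq $tags -or $null -eq $tags.Value) {
        return 'Fail: no tags property'
    }

    # Tag name: case-sensitive match, so 'Env' is accepted and 'env' is not.
    $envTag = $tags.Value.PSObject.Properties |
        Where-Object { $_.Name -ceq 'Env' } | Select-Object -First 1
    if ($null -eq $envTag) {
        return "Fail: tag 'Env' not found (case-sensitive)"
    }

    # Tag value: case-sensitive containment, so 'Prod' does not satisfy 'prod'.
    if ($AllowedValue -cnotcontains $envTag.Value) {
        return "Fail: value '$($envTag.Value)' not allowed (case-sensitive)"
    }
    return 'Pass'
}

# Report one line per constructed resource.
foreach ($r in $resources) {
    '{0}: {1}' -f $r.name, (Test-EnvTag -Resource $r)
}
```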

Load Balancer prefix should use lbe- and lbi-

Description of the issue

Load Balancer prefix should be lbe- and lbi- instead of lb-.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2008005

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Update CI pipeline to use PS 7.0

PowerShell 7.0 is now GA. Currently the pipeline only builds against VM configuration instead of docker images.

CI pipeline should be updated to run against different PS configurations.

Additionally CI pipeline needs to fix build issue with YamlDotNet.

CAF.Name.PublicIP logic needs tweaking

Description of the issue

I don't believe the logic or message around public IPs is correct. (Happy to be wrong though.)

My template fails with;

-> pip-agw-byo : Microsoft.Network/publicIPAddresses [3/4]

    [PASS] Azure.PublicIP.Name
    [PASS] Azure.PublicIP.AvailabilityZone
    [PASS] Azure.PublicIP.StandardSKU
    [FAIL] CAF.Name.PublicIP
    | Template: bicep/main.bicep:991:5
    | Parameter: .github/workflows_dep/AksDeploy-ByoVnet.parameters.json:1:0

    | RECOMMEND:
    | Consider creating public IPs with a standard name. Additionally consider using
    | Azure Policy to only permit creation using a standard naming convention.

    | REASON:
    | - The parameter 'prefix' is null.

    | HELP:
    | - https://github.com/microsoft/PSRule.Rules.CAF/blob/main/docs/rules/en/CAF.Name.PublicIP.md

Error: pip-agw-byo failed CAF.Name.PublicIP. Public IP address names should use a standard prefix.
  1. The parameter 'prefix' is null - I don't see prefix in the RP schema.
  2. Hoping it doesn't mean publicIPPrefix as that has another purpose, not naming.
  3. This PublicIP address is created with the name pip-agw-byo - which should already be CAF compliant.

Exclude AzureFirewallSubnet from CAF.Name.Subnet

Description of the issue

The subnet where an Azure Firewall is deployed must be AzureFirewallSubnet.

Expected behaviour

Exclude AzureFirewallSubnet subnets from the rule.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2008005

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Update PSRule dependency to v1.0.1

Update PSRule module dependency to v1.0.1. This fix is required to co-exist with PSRule.Rules.Azure when both modules are executed.

Additionally PSRule.Rules.Azure dependency can be bumped to v0.19.0.

PSRule.Rules.CAF version mismatch

Description of the issue

Specifying the prerelease flag on the CAF rules results in a version error.

To Reproduce

Ref: https://github.com/Azure/AKS-Construction/actions/runs/4054300944/workflow

      - name: PSRule for CAF
        uses: microsoft/[email protected]
        continue-on-error: true #Setting this whilst PSRule gets bedded in, in this project
        with:
          modules: 'PSRule.Rules.CAF'
          inputPath: "${{ env.ParamFilePath }}"
          prerelease: true

Error output

Error: The module version '0.4.0-B2208003' for 'PSRule.Rules.CAF' does not match the required version '>=0.3.0'. To continue, first update the module to match the version requirement.

Add naming rule for Cognitive Services

Rule request

Suggested rule change

Add a naming rule for Cognitive Services accounts.

Applies to the following

The rule applies to the following:

  • Resource type: Microsoft.CognitiveServices/accounts

Virtual Machine prefix should use vm

Description of the issue

Virtual Machine prefix should be vm instead of vm-.

Module in use and version:

  • Module: PSRule.Rules.CAF
  • Version: 0.1.0-B2008005

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.19041
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Add naming rule for Cognitive Search

Rule request

Suggested rule change

Add naming rule for Cognitive Search services.

Applies to the following

The rule applies to the following:

  • Resource type: Microsoft.Search/searchServices

Unable to build Azure DevOps pipeline to assert CAF pre-flight rule (using bicep file)

Hi,

I'm editing my original question as it seems that I failed to differentiate the pre/in-flight settings and my question diverged from where it should really land, so the post became a mess... To recap: I'm not sure how to deploy the CAF pre-flight check on Azure Pipelines. I've made a simple stage with several tasks, the first one building the ARM template from my main.bicep file, and continuing with the rest of the code that was copied and pasted from the yaml pre-flight example in the PSRule.Rules.CAF section. The result is 0 processed rules.

trigger:
  branches:
    include:
    - Development
pool:
  vmImage: ubuntu-latest
variables:
- name: ResourceGroupName
  value: 'biceptesting'
stages:

- stage: Cloud_Adoption_FRWK
  jobs:

#
# STEP 2: Template validation
#

  - job: 'analyze_arm'
    displayName: 'Analyze templates'
    pool:
      vmImage: 'ubuntu-18.04'
    steps:
    - task: CmdLine@2
      name: BuildARMfromBicep
      displayName: Build ARM from Bicep
      inputs:
        script: |
          az bicep build --file deploy/main.bicep
    # STEP 3: Install PSRule.Rules.CAF from the PowerShell Gallery
    - task: ps-rule-install@0
      displayName: Install PSRule.Rules.CAF
      inputs:
        module: 'PSRule.Rules.CAF'   # Install PSRule.Rules.CAF from the PowerShell Gallery.

    # STEP 4: Export template data for analysis
    - powershell: Get-AzRuleTemplateLink | Export-AzTemplateRuleData -OutputPath 'out/templates/';
      displayName: 'Export template data'

    # STEP 5: Run analysis against exported data
    - task: ps-rule-assert@0
      displayName: Analyze Azure template files
      inputs:
        inputType: inputPath
        inputPath: 'out/templates/'   # Read objects from JSON files in 'out/templates/'.
        modules: 'PSRule.Rules.CAF'   # Analyze objects using the rules within the PSRule.Rules.CAF PowerShell module.

This is how it looks when checking the run in depth:

Export part (this looks odd too):
image

Assert rule part:
image
