microsoft / psrule.rules.caf
A suite of rules to validate Azure resources against the Cloud Adoption Framework (CAF) using PSRule.
License: MIT License
PSRule for CAF includes a number of configuration options which include the defaults.
Currently no documentation is provided on overriding these configurations with different values.
Update included PSRule version to v0.20.0.
Description of the issue
Rules comparing resource names should be case sensitive.
Module in use and version:
Captured output from $PSVersionTable:
Name Value
---- -----
PSVersion 7.0.3
PSEdition Core
GitCommitId 7.0.3
OS Microsoft Windows 10.0.19041
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Description of the issue
Rules comparing tag names and values should be case sensitive.
Module in use and version:
Captured output from $PSVersionTable:
Name Value
---- -----
PSVersion 7.0.3
PSEdition Core
GitCommitId 7.0.3
OS Microsoft Windows 10.0.19041
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Update PSRule module dependency to v1.0.0.
Description of the issue
Storage accounts automatically created for Azure Cloud Shell are prefixed with cs instead of st.
Expected behaviour
The CAF standard should be excluded for storage accounts with the "ms-resource-usage": "azure-cloud-shell" tag.
Module in use and version:
Captured output from $PSVersionTable:
Name Value
---- -----
PSVersion 7.1.0
PSEdition Core
GitCommitId 7.1.0
OS Microsoft Windows 10.0.19042
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Currently PSRule.Rules.Azure already tests if the name of a resource is valid in terms of Azure resource naming requirements. This module is the most logical place for checking naming requirements of resources. This CAF module should focus on the specifics of CAF.
To this end, naming rules should be simplified to only check for recommended naming instead of naming requirements.
Description of the issue
Virtual Network Gateway prefix should be vgw- instead of vnet-gw-.
Module in use and version:
Captured output from $PSVersionTable:
Name Value
---- -----
PSVersion 7.0.3
PSEdition Core
GitCommitId 7.0.3
OS Microsoft Windows 10.0.19041
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Description of the issue
Storage account prefix should be st instead of stor.
Module in use and version:
Captured output from $PSVersionTable:
Name Value
---- -----
PSVersion 7.0.3
PSEdition Core
GitCommitId 7.0.3
OS Microsoft Windows 10.0.19041
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Add naming rules for event grid domains and topics.
Description of the issue
Currently the PSRule pipeline does not isolate module runspaces when called on the command line together.
For example:
Invoke-PSRule -Module 'PSRule.Rules.CAF', 'PSRule.Rules.Azure';
When internal functions use the same name they can clash and only one wins. In this case both modules define a SupportsTags helper function.
Expected behaviour
Update helper function name with CAF_ prefix.
Module in use and version:
Captured output from $PSVersionTable:
Name Value
---- -----
PSVersion 7.0.3
PSEdition Core
GitCommitId 7.0.3
OS Microsoft Windows 10.0.19041
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Tagging requirements for resources and resource groups may be different and should be separated to allow for individual configuration or exclusion.
Description of the issue
When a resource specifies tags they must be defined under the Tags (case-sensitive) property or the CAF.Tag.Environment rule will fail. Case sensitivity should only apply to the tag, i.e. Env, not the tags property name.
Expected behaviour
The resource Tags property should not be case-sensitive but the tag under the Tags property should be.
Module in use and version:
Captured output from $PSVersionTable:
Name Value
---- -----
PSVersion 7.1.0
PSEdition Core
GitCommitId 7.1.0
OS Microsoft Windows 10.0.19042
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Configuration for default baseline changed in PSRule v1.9.0. Now the recommended method for setting the default baseline is within module configuration.
Related to microsoft/PSRule#809
Description of the issue
Load Balancer prefix should be lbe- and lbi- instead of lb-.
Module in use and version:
Captured output from $PSVersionTable:
Name Value
---- -----
PSVersion 7.0.3
PSEdition Core
GitCommitId 7.0.3
OS Microsoft Windows 10.0.19041
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Bump PSRule dependency to v1.9.0.
Add code signing to distribution of modules files including binary and PowerShell files.
PowerShell 7.0 is now GA. Currently the pipeline only builds against VM configuration instead of docker images.
CI pipeline should be updated to run against different PS configurations.
Additionally CI pipeline needs to fix build issue with YamlDotNet.
Update PSRule and PSRule.Rules.Azure module dependency to v1.2.0.
Description of the issue
I don't believe the logic or message around public IPs is correct. (Happy to be wrong though).
My template fails with;
-> pip-agw-byo : Microsoft.Network/publicIPAddresses [3/4]
[PASS] Azure.PublicIP.Name
[PASS] Azure.PublicIP.AvailabilityZone
[PASS] Azure.PublicIP.StandardSKU
[FAIL] CAF.Name.PublicIP
| Template: bicep/main.bicep:991:5
| Parameter: .github/workflows_dep/AksDeploy-ByoVnet.parameters.json:1:0
| RECOMMEND:
| Consider creating public IPs with a standard name. Additionally consider using
| Azure Policy to only permit creation using a standard naming convention.
| REASON:
| - The parameter 'prefix' is null.
| HELP:
| - https://github.com/microsoft/PSRule.Rules.CAF/blob/main/docs/rules/en/CAF.Name.PublicIP.md
Error: pip-agw-byo failed CAF.Name.PublicIP. Public IP address names should use a standard prefix.
The parameter 'prefix' is null
- I don't see prefix in the RP schema. publicIPPrefix as that has another purpose, not naming.
Add files to support software bill of materials (SBOM) for module.
Description of the issue
The subnet where an Azure Firewall is deployed must be AzureFirewallSubnet.
Expected behaviour
Exclude AzureFirewallSubnet subnets from the rule.
Module in use and version:
Captured output from $PSVersionTable:
Name Value
---- -----
PSVersion 7.0.3
PSEdition Core
GitCommitId 7.0.3
OS Microsoft Windows 10.0.19041
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Update PSRule module dependency to v1.0.1. This fix is required to co-exist with PSRule.Rules.Azure when both modules are executed.
Additionally PSRule.Rules.Azure dependency can be bumped to v0.19.0.
Update to the latest versions of PSRule and PSRule.Rules.Azure.
Description of the issue
Specifying the prerelease flag on the CAF rules results in a version error.
To Reproduce
Ref: https://github.com/Azure/AKS-Construction/actions/runs/4054300944/workflow
- name: PSRule for CAF
  uses: microsoft/[email protected]
  continue-on-error: true #Setting this whilst PSRule gets bedded in, in this project
  with:
    modules: 'PSRule.Rules.CAF'
    inputPath: "${{ env.ParamFilePath }}"
    prerelease: true
Error output
Error: The module version '0.4.0-B2208003' for 'PSRule.Rules.CAF' does not match the required version '>=0.3.0'. To continue, first update the module to match the version requirement.
Add a naming rule for Cognitive Services accounts.
The rule applies to the following:
Description of the issue
Virtual Machine prefix should be vm instead of vm-.
Module in use and version:
Captured output from $PSVersionTable:
Name Value
---- -----
PSVersion 7.0.3
PSEdition Core
GitCommitId 7.0.3
OS Microsoft Windows 10.0.19041
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Bump PSRule.Rules.Azure dependency to v1.9.1.
Add naming rule for Cognitive Search services.
The rule applies to the following:
Migrate this repository/ project to the Azure org.
Hi,
I'm editing my original question as it seems that I failed to differentiate the pre/in-flight settings and my question diverged from where it should really land so the post became a mess... To recap... I'm not sure on how to deploy CAF pre-flight check on Azure Pipelines. I've made a simple stage with several tasks, the first one being building the ARM template from my main.bicep file and continuing with the rest of the code that was copied and pasted from the PSRule.Rules.CAF section with the yaml pre-flight example. The result is 0 processed rules.
trigger:
  branches:
    include:
    - Development
pool:
  vmImage: ubuntu-latest
variables:
- name: ResourceGroupName
  value: 'biceptesting'
stages:
- stage: Cloud_Adoption_FRWK
  jobs:
  #
  # STEP 2: Template validation
  #
  - job: 'analyze_arm'
    displayName: 'Analyze templates'
    pool:
      vmImage: 'ubuntu-18.04'
    steps:
    - task: CmdLine@2
      name: BuildARMfromBicep
      displayName: Build ARM from Bicep
      inputs:
        script: |
          az bicep build --file deploy/main.bicep
    # STEP 3: Install PSRule.Rules.CAF from the PowerShell Gallery
    - task: ps-rule-install@0
      displayName: Install PSRule.Rules.CAF
      inputs:
        module: 'PSRule.Rules.CAF' # Install PSRule.Rules.CAF from the PowerShell Gallery.
    # STEP 4: Export template data for analysis
    - powershell: Get-AzRuleTemplateLink | Export-AzTemplateRuleData -OutputPath 'out/templates/';
      displayName: 'Export template data'
    # STEP 5: Run analysis against exported data
    - task: ps-rule-assert@0
      displayName: Analyze Azure template files
      inputs:
        inputType: inputPath
        inputPath: 'out/templates/' # Read objects from JSON files in 'out/templates/'.
        modules: 'PSRule.Rules.CAF' # Analyze objects using the rules within the PSRule.Rules.CAF PowerShell module.
This is how it looks when in-depth checking of the run>
Microsoft Azure Well-Architected Framework provides five pillars of architecture excellence. Currently rule categories by themselves don't always make sense. Having clearer alignment to these pillars will improve the overall understanding of each rule and the intent each serves.