From b3dbd21272248fa504197abf4d13a60a5a5813f5 Mon Sep 17 00:00:00 2001
From: Bernie White
Date: Sat, 28 May 2022 00:09:49 +1000
Subject: [PATCH 1/6] Final updates for merge

---
.github/workflows/bicep-build-to-validate.yml | 3 ++-
.ps-rule/Minimum.Rule.yaml | 8 ++++++
.ps-rule/Unsupported.Rule.yaml | 25 +++++++++++++++++++
.../modules/hubNetworking/hubNetworking.bicep | 4 ++-
ps-rule.yaml | 3 +++
5 files changed, 41 insertions(+), 2 deletions(-)
create mode 100644 .ps-rule/Unsupported.Rule.yaml

diff --git a/.github/workflows/bicep-build-to-validate.yml b/.github/workflows/bicep-build-to-validate.yml
index ba98489cc..6e3565833 100644
--- a/.github/workflows/bicep-build-to-validate.yml
+++ b/.github/workflows/bicep-build-to-validate.yml
@@ -51,7 +51,8 @@ jobs:
with:
fetch-depth: 0
- # Add pipeline tests for Azure Well-Architected Framework
+ # Add pipeline tests for Azure Well-Architected Framework.
+ # See https://aka.ms/ps-rule-action for configuration options.
- name: Run PSRule analysis
uses: Microsoft/ps-rule@v2.1.0
with:
diff --git a/.ps-rule/Minimum.Rule.yaml b/.ps-rule/Minimum.Rule.yaml
index c16ecbf47..a231f4ed0 100644
--- a/.ps-rule/Minimum.Rule.yaml
+++ b/.ps-rule/Minimum.Rule.yaml
@@ -1,3 +1,11 @@
+#
+# Suppression and rules for the minimum sample configuration.
+#
+
+# NOTE:
+# For details on authoring suppression groups see:
+# https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_SuppressionGroups/
+# https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Expressions/
---
# Synopsis: Ignore the minimum sample configuration.
diff --git a/.ps-rule/Unsupported.Rule.yaml b/.ps-rule/Unsupported.Rule.yaml
new file mode 100644
index 000000000..9b174bed9
--- /dev/null
+++ b/.ps-rule/Unsupported.Rule.yaml
@@ -0,0 +1,25 @@
+#
+# Suppression and rules for unsupported scenarios.
+#
+
+# NOTE:
+# For details on authoring suppression groups see:
+# https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_SuppressionGroups/
+# https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Expressions/
+
+---
+# Synopsis: Ignore availability zones for Azure Bastion public IP which is not supported. https://github.com/Azure/PSRule.Rules.Azure/issues/1442
+apiVersion: github.com/microsoft/PSRule/v1
+kind: SuppressionGroup
+metadata:
+ name: ALZ.PublicIPForBastion
+spec:
+ rule:
+ - Azure.PublicIP.AvailabilityZone
+ if:
+ allOf:
+ - name: '.'
+ contains: '-bastion-'
+ - type: '.'
+ in:
+ - Microsoft.Network/publicIPAddresses
diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
index f98245335..0245888a7 100644
--- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
+++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
@@ -258,7 +258,9 @@ module modBastionPublicIP '../publicIp/publicIp.bicep' = if (parBastionEnabled)
publicIPAddressVersion: 'IPv4'
publicIPAllocationMethod: 'Static'
}
- parTags: parTags
+ parTags: union({
+ 'resource-usage': 'azure-bastion'
+ }, parTags)
parTelemetryOptOut: parTelemetryOptOut
}
}
diff --git a/ps-rule.yaml b/ps-rule.yaml
index 5cb19afd0..a25e7d379 100644
--- a/ps-rule.yaml
+++ b/ps-rule.yaml
@@ -4,6 +4,9 @@
# Please see the documentation for all configuration options:
# https://aka.ms/ps-rule-azure
+# https://aka.ms/ps-rule-azure/options
+# https://aka.ms/ps-rule/options
+# https://aka.ms/ps-rule-azure/bicep
# Use rules from the following modules/
include:

From 70f512d505b9f029f95656631e39b9a8acb8f1c7 Mon Sep 17 00:00:00 2001
From: Bernie White
Date: Sat, 28 May 2022 00:15:09 +1000
Subject: [PATCH 2/6] Update to tags

---
.ps-rule/Unsupported.Rule.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

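Review bot: The suppression at `- name: '.'` / `contains: '-bastion-'` exempts every Microsoft.Network/publicIPAddresses resource whose name contains that substring from Azure.PublicIP.AvailabilityZone, not only the Bastion public IP this repository deploys, so any other public IP that happens to follow the same naming convention silently loses the zone check. Minimum.Rule.yaml already narrows its group with `- source: 'Template'` / `endsWith:`; the same scoping to the template that creates the Bastion IP would keep this exemption from leaking. The synopsis cites the upstream issue, which is good, but I would also mark the entry as temporary beside the rule name, e.g. `# TODO: remove once PSRule.Rules.Azure issue 1442 is resolved (Bastion public IPs cannot be zonal).`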
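Review bot: In `union({ 'resource-usage': 'azure-bastion' }, parTags)` the caller-supplied parTags is the later argument, and if I read Bicep's union() correctly the later object wins on duplicate keys, so a consumer passing its own `resource-usage` tag overwrites the marker with no warning. If the tag is meant to identify the Bastion IP for tooling, put the marker last, `parTags: union(parTags, { 'resource-usage': 'azure-bastion' })`, and say why it exists, e.g. `// Marker tag so the Bastion public IP can be identified by PSRule suppressions/policy`. Nothing else in this commit reads the tag yet; the new Unsupported.Rule.yaml still matches on the resource name. The enclosing `modBastionPublicIP` module declaration starts before this hunk.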
diff --git a/.ps-rule/Unsupported.Rule.yaml b/.ps-rule/Unsupported.Rule.yaml
index 9b174bed9..fcf9215c6 100644
--- a/.ps-rule/Unsupported.Rule.yaml
+++ b/.ps-rule/Unsupported.Rule.yaml
@@ -18,8 +18,8 @@ spec:
- Azure.PublicIP.AvailabilityZone
if:
allOf:
- - name: '.'
- contains: '-bastion-'
+ - field: tags.'resource-usage'
+ equals: azure-bastion
- type: '.'
in:
- Microsoft.Network/publicIPAddresses

From d51e60d2a93667d5163943a36a2a15107aa5c083 Mon Sep 17 00:00:00 2001
From: Bernie White
Date: Sat, 28 May 2022 00:24:25 +1000
Subject: [PATCH 3/6] Clean up ps-rule branch trigger

---
.github/workflows/bicep-build-to-validate.yml | 3 ---
1 file changed, 3 deletions(-)

diff --git a/.github/workflows/bicep-build-to-validate.yml b/.github/workflows/bicep-build-to-validate.yml
index 6e3565833..a9d7636d8 100644
--- a/.github/workflows/bicep-build-to-validate.yml
+++ b/.github/workflows/bicep-build-to-validate.yml
@@ -4,9 +4,6 @@ on:
pull_request:
branches:
- main
-
- # TODO: Branch for integration testing, to be removed before integration into main.
- - ps-rule
paths:
- "**.bicep"
- "ps-rule.yaml"

From 54b75687139dac076fc446bfe683a6d12d3c3e33 Mon Sep 17 00:00:00 2001
From: Bernie White
Date: Thu, 11 Aug 2022 22:11:43 +1000
Subject: [PATCH 4/6] Fixes

---
.github/workflows/bicep-build-to-validate.yml | 4 ++--
infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep | 4 +---
ps-rule.yaml | 4 ++--
3 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/bicep-build-to-validate.yml b/.github/workflows/bicep-build-to-validate.yml
index a9d7636d8..bb9e1e58e 100644
--- a/.github/workflows/bicep-build-to-validate.yml
+++ b/.github/workflows/bicep-build-to-validate.yml
@@ -17,7 +17,7 @@ jobs:
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
with:
fetch-depth: 0
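Review bot: Keying the suppression on `field: tags.'resource-usage'` / `equals: azure-bastion` ties it to a tag that hubNetworking.bicep injects with `union({...}, parTags)`, so a caller whose parTags also sets `resource-usage` overrides the marker and the suppression quietly stops matching; the rule then fires, which is the safe direction, but nobody will know why. That coupling is not written down anywhere, so I would extend the synopsis to name it, e.g. `# Synopsis: ... Matches the 'resource-usage: azure-bastion' tag set on the Bastion public IP in hubNetworking.bicep.` The `if:` block also still lacks the `source: 'Template'` scoping used in Minimum.Rule.yaml, so any public IP in any template that carries this tag inherits the exemption.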
@@ -51,7 +51,7 @@ jobs:
# Add pipeline tests for Azure Well-Architected Framework.
# See https://aka.ms/ps-rule-action for configuration options.
- name: Run PSRule analysis
- uses: Microsoft/ps-rule@v2.1.0
+ uses: Microsoft/ps-rule@v2.3.0
with:
modules: PSRule.Rules.Azure
baseline: Azure.GA_2022_03
diff --git a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
index 0245888a7..f98245335 100644
--- a/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
+++ b/infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep
@@ -258,9 +258,7 @@ module modBastionPublicIP '../publicIp/publicIp.bicep' = if (parBastionEnabled)
publicIPAddressVersion: 'IPv4'
publicIPAllocationMethod: 'Static'
}
- parTags: union({
- 'resource-usage': 'azure-bastion'
- }, parTags)
+ parTags: parTags
parTelemetryOptOut: parTelemetryOptOut
}
}
diff --git a/ps-rule.yaml b/ps-rule.yaml
index a25e7d379..7eeab8974 100644
--- a/ps-rule.yaml
+++ b/ps-rule.yaml
@@ -15,8 +15,8 @@ include:
# Require a minimum version of modules that include referenced baseline.
requires:
- PSRule: '@pre >=2.1.0'
- PSRule.Rules.Azure: '@pre >=1.15.2'
+ PSRule: '@pre >=2.3.0'
+ PSRule.Rules.Azure: '@pre >=1.18.1'
# Reference the repository in output.
repository:

From 7acc0207aae1279c3e16420d7b10f15e5b976876 Mon Sep 17 00:00:00 2001
From: Bernie White
Date: Fri, 12 Aug 2022 08:26:13 +1000
Subject: [PATCH 5/6] Ignore by name

---
.ps-rule/Unsupported.Rule.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.ps-rule/Unsupported.Rule.yaml b/.ps-rule/Unsupported.Rule.yaml
index fcf9215c6..7cc38de4b 100644
--- a/.ps-rule/Unsupported.Rule.yaml
+++ b/.ps-rule/Unsupported.Rule.yaml
@@ -18,8 +18,8 @@ spec:
- Azure.PublicIP.AvailabilityZone
if:
allOf:
- - field: tags.'resource-usage'
- equals: azure-bastion
+ - name: '.'
+ contains: bastion
- type: '.'
in:
- Microsoft.Network/publicIPAddresses
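Review bot: Going back to a name match, and a looser one than before — `contains: bastion` with no delimiters — widens the exemption from Azure.PublicIP.AvailabilityZone to every public IP whose name includes "bastion" anywhere, and as far as I recall PSRule string comparisons are case-insensitive unless `caseSensitive: true` is set, so names like `pip-Bastion-test` would also be exempted; please confirm. If the intent is only the Bastion IP deployed by hubNetworking.bicep, pair the name test with the same `- source: 'Template'` / `endsWith:` scoping Minimum.Rule.yaml uses, or at least restore the delimited `'-bastion-'` form. The commit message gives no reason for dropping the tag-based match; a comment above `if:` recording why (the tag injection was reverted in hubNetworking.bicep) would save the next reader repeating this round-trip.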
From 35ca5133cd1be878e108a31d751f143eb4ace415 Mon Sep 17 00:00:00 2001
From: Bernie White
Date: Sun, 14 Aug 2022 12:40:56 +1000
Subject: [PATCH 6/6] Final updates

---
.github/workflows/bicep-build-to-validate.yml | 4 ++--
.ps-rule/Minimum.Rule.yaml | 3 +++
ps-rule.yaml | 2 +-
3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/bicep-build-to-validate.yml b/.github/workflows/bicep-build-to-validate.yml
index bb9e1e58e..82b37c35a 100644
--- a/.github/workflows/bicep-build-to-validate.yml
+++ b/.github/workflows/bicep-build-to-validate.yml
@@ -51,8 +51,8 @@ jobs:
# Add pipeline tests for Azure Well-Architected Framework.
# See https://aka.ms/ps-rule-action for configuration options.
- name: Run PSRule analysis
- uses: Microsoft/ps-rule@v2.3.0
+ uses: Microsoft/ps-rule@v2.3.2
with:
modules: PSRule.Rules.Azure
- baseline: Azure.GA_2022_03
+ baseline: Azure.GA_2022_06
continue-on-error: true
diff --git a/.ps-rule/Minimum.Rule.yaml b/.ps-rule/Minimum.Rule.yaml
index a231f4ed0..af5c2d71f 100644
--- a/.ps-rule/Minimum.Rule.yaml
+++ b/.ps-rule/Minimum.Rule.yaml
@@ -20,12 +20,15 @@ spec:
- Azure.PublicIP.AvailabilityZone
- Azure.VNG.VPNActiveActive
- Azure.PublicIP.StandardSKU
+ - Azure.VNET.UseNSGs
if:
allOf:
- type: '.'
in:
- Microsoft.Network/azureFirewalls
- Microsoft.Network/publicIPAddresses
+ - Microsoft.Network/virtualNetworks
+ - Microsoft.Network/virtualNetworkGateways
- source: 'Template'
endsWith:
- 'minimum.sample.bicep'
diff --git a/ps-rule.yaml b/ps-rule.yaml
index 7eeab8974..c42e074be 100644
--- a/ps-rule.yaml
+++ b/ps-rule.yaml
@@ -15,7 +15,7 @@ include:
# Require a minimum version of modules that include referenced baseline.
requires:
- PSRule: '@pre >=2.3.0'
+ PSRule: '@pre >=2.3.2'
PSRule.Rules.Azure: '@pre >=1.18.1'
# Reference the repository in output.
repository:
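Review bot: `continue-on-error: true` on the PSRule step (the context line right after the baseline change) means the job cannot fail on findings, so moving to `Azure.GA_2022_06` will only surface any newly failing rules in the log — the Well-Architected/security checks stay advisory and a regression still merges. If that is deliberate while the new baseline's findings are triaged, say so in the workflow, e.g. `# TODO: remove continue-on-error once Azure.GA_2022_06 findings are triaged so PSRule failures block the PR`; otherwise drop it. Separately, both `Microsoft/ps-rule@v2.3.2` here and `actions/checkout@v3` earlier in the file are pinned to mutable tags; pinning to the full commit SHA with the tag in a trailing comment removes the tag-retargeting risk.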
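Review bot: The rule list gains `Azure.VNET.UseNSGs`, but the group's only explanation is the synopsis "Ignore the minimum sample configuration", so a reader cannot tell whether the sample genuinely has no subnets that need NSGs or the finding was just noisy; a one-line comment beside each suppressed rule, e.g. `# Azure.VNET.UseNSGs: the minimum sample deploys no workload subnets`, adjusted to the real reason, would make the suppression reviewable. Also note that `Azure.VNG.VPNActiveActive` was already listed while the type filter covered only firewalls and public IPs, which suggests that entry never matched a gateway until `Microsoft.Network/virtualNetworkGateways` is added here; worth confirming the sample's gateway now suppresses as intended rather than assuming it did before. The suppression group starts before this hunk.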