# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
#
# Rules for Event Grid resources
#
#region Rules
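---
# Synopsis: Use Private Endpoints to access Event Grid topics and domains.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
  name: Azure.EventGrid.TopicPublicAccess
  ref: AZR-000098
  tags:
    # Quoted so a YAML 1.1-schema parser cannot read `2021_12` as the integer
    # 202112 (underscore is a digit separator there). Matches the quoting already
    # used by Azure.EventGrid.DisableLocalAuth in this file.
    release: 'GA'
    ruleSet: '2021_12'
    Azure.WAF/pillar: 'Security'
  labels:
    Azure.MCSB.v1/control: 'NS-2'
spec:
  # Applies to custom topics and domains. The selectors below narrow the scope:
  # Azure.EventGrid.TopicNotArc filters out topics with `kind: AzureArc`, so
  # Arc-enabled topics are not evaluated by this rule.
  type:
    - Microsoft.EventGrid/topics
    - Microsoft.EventGrid/domains
  with:
    - Azure.EventGrid.TopicNotArc
    - Azure.EventGrid.Domain
  # Pass only when the public-network switch is exactly `Disabled`. A resource
  # that omits the property, or sets any other value, does not pass, so the rule
  # fails closed rather than assuming an unset value means private.
  #
  # NOTE(review): this checks only `publicNetworkAccess`. It does not verify that
  # a private endpoint connection actually exists, and no other network-control
  # property on the resource is inspected; cover those separately if relied on.
  condition:
    field: properties.publicNetworkAccess
    equals: Disabled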
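---
# Synopsis: Use managed identities to deliver Event Grid Topic events.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
  name: Azure.EventGrid.ManagedIdentity
  ref: AZR-000099
  tags:
    # Quoted so a YAML 1.1-schema parser cannot read `2021_12` as the integer
    # 202112 (underscore is a digit separator there). Matches the quoting already
    # used by Azure.EventGrid.DisableLocalAuth in this file.
    release: 'GA'
    ruleSet: '2021_12'
    Azure.WAF/pillar: 'Security'
  labels:
    Azure.MCSB.v1/control: [ 'IM-1', 'IM-3' ]
spec:
  # Custom topics, domains and system topics. System topics are narrowed by the
  # Azure.EventGrid.RegionalSystemTopic selector, which drops `location: global`
  # system topics (presumably because a global system topic cannot carry a
  # managed identity -- confirm against the service if this scope is changed).
  type:
    - Microsoft.EventGrid/topics
    - Microsoft.EventGrid/domains
    - Microsoft.EventGrid/systemTopics
  with:
    - Azure.EventGrid.RegionalSystemTopic
    - Azure.EventGrid.Topic
    - Azure.EventGrid.Domain
  # Pass when any managed identity is assigned. Both spellings of the combined
  # value (with and without a space after the comma) are accepted so the rule
  # is not sensitive to how the identity block was authored or exported.
  #
  # NOTE(review): `Identity.Type` is capitalised unlike the `properties.*` paths
  # used by sibling rules; this relies on PSRule's field binding being
  # case-insensitive -- left as-is rather than changed without confirmation.
  #
  # NOTE(review): only the resource-level identity assignment is checked. Whether
  # individual event subscriptions are configured to deliver using that identity
  # is not evaluated by this rule.
  condition:
    field: Identity.Type
    in:
      - SystemAssigned
      - UserAssigned
      - SystemAssigned,UserAssigned
      - SystemAssigned, UserAssigned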
---
# Synopsis: Authenticate publishing clients with Azure AD identities.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
  name: Azure.EventGrid.DisableLocalAuth
  ref: AZR-000100
  tags:
    Azure.WAF/pillar: 'Security'
    release: 'GA'
    ruleSet: '2022_09'
  labels:
    Azure.MCSB.v1/control: 'IM-1'
spec:
  # Domains and custom topics. Unlike TopicPublicAccess above, no selector is
  # applied here, so Arc-enabled topics are also evaluated.
  type:
    - Microsoft.EventGrid/domains
    - Microsoft.EventGrid/topics
  # `disableLocalAuth: true` turns off key/SAS-based publishing so clients must
  # present an Azure AD token. The comparison is against the boolean `true`; a
  # resource that omits the property or sets it to `false` does not pass, i.e.
  # the rule fails closed on an unset value.
  condition:
    field: properties.disableLocalAuth
    equals: true
#endregion Rules
#
# Selectors for Event Grid resources
#
#region Selectors
---
# Synopsis: Event Grid Topics that are not Azure Arc.
apiVersion: github.com/microsoft/PSRule/v1
kind: Selector
metadata:
  name: Azure.EventGrid.TopicNotArc
spec:
  # Both conditions must hold: the object is a custom topic and its `kind` is
  # anything other than AzureArc.
  # NOTE(review): a topic that omits `kind` entirely is presumably treated as
  # not-Arc by `notEquals` -- confirm PSRule's handling of a missing field if
  # that distinction matters.
  if:
    allOf:
      - type: '.'
        equals: 'Microsoft.EventGrid/topics'
      - field: kind
        notEquals: 'AzureArc'
---
# Synopsis: Event Grid Topics.
apiVersion: github.com/microsoft/PSRule/v1
kind: Selector
metadata:
  name: Azure.EventGrid.Topic
spec:
  # Matches every custom topic, including Arc-enabled ones (no `kind` filter).
  if:
    type: '.'
    equals: 'Microsoft.EventGrid/topics'
---
# Synopsis: Event Grid Domains.
apiVersion: github.com/microsoft/PSRule/v1
kind: Selector
metadata:
  name: Azure.EventGrid.Domain
spec:
  # Matches every Event Grid domain by resource type only.
  if:
    type: '.'
    equals: 'Microsoft.EventGrid/domains'
---
# Synopsis: Regional Event Grid System Topics.
apiVersion: github.com/microsoft/PSRule/v1
kind: Selector
metadata:
  name: Azure.EventGrid.RegionalSystemTopic
spec:
  # Both conditions must hold: a system topic whose `location` is not `global`.
  # NOTE(review): PSRule string comparisons are understood to be case-insensitive
  # by default, so `Global` would also be excluded -- confirm if case matters.
  if:
    allOf:
      - field: location
        notEquals: 'global'
      - type: '.'
        equals: 'Microsoft.EventGrid/systemTopics'
#endregion Selectors