Excluded global services from region check #96 (#97)

.vscode/settings.json

@@ -25,6 +25,9 @@
         "VNET",
         "cmdlet",
         "cmdlets",
-        "vnets"
+        "NSGs",
+        "subnet",
+        "subnets",
+        "VNETs"
     ]
 }

CHANGELOG.md

@@ -1,6 +1,8 @@
 
 ## Unreleased
 
+- Excluded global services from Azure.Resource.AllowedRegions. [#96](https://github.com/BernieWhite/PSRule.Rules.Azure/issues/96)
+
 ## v0.3.0-B190710 (pre-release)
 
 - Fix handling of empty DNS servers in `Azure.VirtualNetwork.LocalDNS`. [#84](https://github.com/BernieWhite/PSRule.Rules.Azure/issues/84)

src/PSRule.Rules.Azure/rules/Azure.Common.Rule.ps1

@@ -125,6 +125,7 @@ function global:IsWindowsOS {
     }
 }
 
+# Determines if the object supports tags
 function global:SupportsTags {
     [CmdletBinding()]
     [OutputType([System.Boolean])]
@@ -149,6 +150,25 @@ function global:SupportsTags {
     }
 }
 
+# Determines if the object supports regions
+function global:SupportsRegions {
+    [CmdletBinding()]
+    [OutputType([System.Boolean])]
+    param ()
+    process {
+        if (
+            ($TargetObject.ResourceType -eq 'Microsoft.Subscription') -or
+            ($TargetObject.ResourceType -eq 'Microsoft.AzureActiveDirectory/b2cDirectories') -or
+            ($TargetObject.ResourceType -eq 'Microsoft.Network/trafficManagerProfiles') -or
+            ($TargetObject.Location -eq 'global')
+        ) {
+            return $False;
+        }
+
+        return $True;
+    }
+}
+
 function global:ConvertToUInt64 {
     param (
         [Parameter(Mandatory = $True)]

src/PSRule.Rules.Azure/rules/Azure.Resource.Rule.ps1

@@ -14,6 +14,6 @@ Rule 'Azure.Resource.UseTags' -If { (SupportsTags) } -Tag @{ severity = 'Awarene
 }
 
 # Synopsis: Resources should be deployed to allowed regions
-Rule 'Azure.Resource.AllowedRegions' -If { $Null -ne $Configuration.azureAllowedRegions } -Tag @{ severity = 'Awareness'; category = 'Operations management' } {
+Rule 'Azure.Resource.AllowedRegions' -If { ($Null -ne $Configuration.azureAllowedRegions) -and (SupportsRegions) } -Tag @{ severity = 'Awareness'; category = 'Operations management' } {
     IsAllowedRegion
 }

tests/PSRule.Rules.Azure.Tests/Azure.Resource.Tests.ps1

@@ -25,22 +25,22 @@ Describe 'Azure.Resource' {
 
     Context 'Conditions' {
         $options = New-PSRuleOption -BaselineConfiguration @{ 'azureAllowedRegions' = @('region-A') };
-        $result = Invoke-PSRule -Module PSRule.Rules.Azure -Option $options -InputPath $dataPath -WarningAction Ignore -ErrorAction Stop;
+        $result = Invoke-PSRule -Module PSRule.Rules.Azure -Option $options -Outcome All -InputPath $dataPath -WarningAction Ignore -ErrorAction Stop;
 
         It 'Azure.Resource.UseTags' {
             $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Resource.UseTags' };
 
             # Fail
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 1;
-            $ruleResult.TargetName | Should -Be 'registry-B';
+            $ruleResult.Length | Should -Be 2;
+            $ruleResult.TargetName | Should -Be 'registry-B', 'registry-C';
 
             # Pass
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
             $ruleResult | Should -Not -BeNullOrEmpty;
-            $ruleResult.Length | Should -Be 1;
-            $ruleResult.TargetName | Should -Be 'registry-A';
+            $ruleResult.Length | Should -Be 2;
+            $ruleResult.TargetName | Should -Be 'registry-A', 'trafficManager-A';
         }
 
         It 'Azure.Resource.AllowedRegions' {
@@ -57,6 +57,12 @@ Describe 'Azure.Resource' {
             $ruleResult | Should -Not -BeNullOrEmpty;
             $ruleResult.Length | Should -Be 1;
             $ruleResult.TargetName | Should -Be 'registry-A';
+
+            # None
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' });
+            $ruleResult | Should -Not -BeNullOrEmpty;
+            $ruleResult.Length | Should -Be 2;
+            $ruleResult.TargetName | Should -Be 'registry-C', 'trafficManager-A';
         }
     }
 }

tests/PSRule.Rules.Azure.Tests/Resources.Resource.json

@@ -48,5 +48,65 @@
         },
         "Tags": null,
         "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+    },
+    {
+        "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.ContainerRegistry/registries/registry-C",
+        "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.ContainerRegistry/registries/registry-C",
+        "Location": "global",
+        "ResourceName": "registry-C",
+        "Name": "registry-C",
+        "Properties": {
+            "loginServer": "registry-C.azurecr.io",
+            "adminUserEnabled": true
+        },
+        "ResourceGroupName": "test-rg",
+        "Type": "Microsoft.ContainerRegistry/registries",
+        "ResourceType": "Microsoft.ContainerRegistry/registries",
+        "Sku": {
+            "Name": "Basic",
+            "Tier": "Basic",
+            "Size": null,
+            "Family": null,
+            "Model": null,
+            "Capacity": null
+        },
+        "Tags": null,
+        "SubscriptionId": "00000000-0000-0000-0000-000000000000"
+    },
+    {
+        "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/trafficManagerProfiles/trafficManager-A",
+        "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/trafficManagerProfiles/trafficManager-A",
+        "Location": "nnnn",
+        "ResourceName": "trafficManager-A",
+        "Name": "trafficManager-A",
+        "Properties": {
+            "profileStatus": "Enabled",
+            "trafficRoutingMethod": "Performance",
+            "dnsConfig": {
+                "relativeName": "trafficManager-A",
+                "fqdn": "trafficManager-A.trafficmanager.net",
+                "ttl": 60
+            },
+            "monitorConfig": {
+                "profileMonitorStatus": "Inactive",
+                "protocol": "HTTP",
+                "port": 80,
+                "path": "/",
+                "intervalInSeconds": 30,
+                "toleratedNumberOfFailures": 3,
+                "timeoutInSeconds": 10
+            },
+            "endpoints": [],
+            "trafficViewEnrollmentStatus": "Disabled",
+            "maxReturn": 0
+        },
+        "ResourceGroupName": "test-rg",
+        "Type": "Microsoft.Network/trafficManagerProfiles",
+        "ResourceType": "Microsoft.Network/trafficManagerProfiles",
+        "Sku": null,
+        "Tags": {
+            "environment": "production"
+        },
+        "SubscriptionId": "00000000-0000-0000-0000-000000000000"
     }
 ]