Releases: Azure/PSRule.Rules.Azure

v1.40.0

09 Dec 16:30
faf7b2d

What's changed since v1.39.3:

  • New features:
    • Added support for expanding from .jsonc parameter files by @BernieWhite.
      #2053
      • Previously only parameter files with the .json extension were automatically expanded.
      • This feature adds support so that JSON parameter files with the .jsonc extension are also discovered and expanded.
      • No additional configuration is required if expansion of JSON parameter files is enabled.
      • To enable parameter file expansion, set the AZURE_PARAMETER_FILE_EXPANSION configuration option to true.
  • Updated rules:
    • Deployment:
      • Updated Azure.Deployment.SecureValue to check additional resource types by @BernieWhite.
        #2650
        #2651
        • Added support for container apps secret properties.
        • Added support for deployment script secret properties.
        • Bumped rule set to 2024_12.
      • Updated Azure.Deployment.SecureParameter to reduce false positives by @BernieWhite.
        #3149
        • Parameters with names ending in name, uri, url, path, type, id, or options are ignored.
        • The customerManagedKey parameter is ignored.
    • Microsoft Defender for Cloud:
      • Updated Azure.DefenderCloud.Contact to use emails property and removed phone by @BernieWhite.
        #3117
        • Renamed the rule to Azure.Defender.SecurityContact to better align with the naming of other Defender rules.
        • Bumped rule set to 2024_12.
  • Bug fixes:
    • Fixed evaluation of APIM policies when using embedded C# with quotes by @BernieWhite.
      #3184
    • Fixed incorrect resource group ID under subscription scope by @BernieWhite.
      #3198
    • Fixed object to hashtable conversion for default parameter values by @BernieWhite.
      #3033
    • Fixed deployments with more than one module at tenant scope by @BernieWhite.
      #3167
    • Fixed projection of default role authorization property principalType by @BernieWhite.
      #3163
    • Fixed user defined function not found when used as parameter default by @BernieWhite.
      #3169
    • Fixed evaluation of Azure.NSG.LateralTraversal with empty string properties by @BernieWhite.
      #3130
    • Fixed evaluation of Azure.Deployment.AdminUsername with symbolic references by @BernieWhite.
      #3146
    • Fixed output map expansion with resource IDs by @BernieWhite.
      #3153

What's changed since pre-release v1.40.0-B0206:

  • No additional changes.

See change log.

v1.40.0-B0206

07 Dec 18:07
f2a1600
Pre-release

What's changed since pre-release v1.40.0-B0147:

  • Bug fixes:
    • Fixed evaluation of APIM policies when using embedded C# with quotes by @BernieWhite.
      #3184
    • Fixed incorrect resource group ID under subscription scope by @BernieWhite.
      #3198

See change log.

v1.40.0-B0147

11 Nov 03:42
6edffa5
Pre-release

What's changed since pre-release v1.40.0-B0103:

  • Bug fixes:
    • Fixed object to hashtable conversion for default parameter values by @BernieWhite.
      #3033
    • Fixed deployments with more than one module at tenant scope by @BernieWhite.
      #3167

See change log.

v1.40.0-B0103

07 Nov 16:57
2f7fa2d
Pre-release

What's changed since pre-release v1.40.0-B0063:

  • New features:
    • Added support for expanding from .jsonc parameter files by @BernieWhite.
      #2053
      • Previously only parameter files with the .json extension were automatically expanded.
      • This feature adds support so that JSON parameter files with the .jsonc extension are also discovered and expanded.
      • No additional configuration is required if expansion of JSON parameter files is enabled.
      • To enable parameter file expansion, set the AZURE_PARAMETER_FILE_EXPANSION configuration option to true.
  • Bug fixes:
    • Fixed projection of default role authorization property principalType by @BernieWhite.
      #3163
    • Fixed user defined function not found when used as parameter default by @BernieWhite.
      #3169

See change log.

v1.40.0-B0063

02 Nov 05:27
ef2b154
Pre-release

What's changed since pre-release v1.40.0-B0029:

  • Updated rules:
    • Microsoft Defender for Cloud:
      • Updated Azure.DefenderCloud.Contact to use emails property and removed phone by @BernieWhite.
        #3117
        • Renamed the rule to Azure.Defender.SecurityContact to better align with the naming of other Defender rules.
        • Bumped rule set to 2024_12.
  • Bug fixes:
    • Fixed evaluation of Azure.NSG.LateralTraversal with empty string properties by @BernieWhite.
      #3130
    • Fixed evaluation of Azure.Deployment.AdminUsername with symbolic references by @BernieWhite.
      #3146

See change log.

v1.40.0-B0029

31 Oct 07:08
070cca7
Pre-release

What's changed since v1.39.3:

  • Updated rules:
    • Deployment:
      • Updated Azure.Deployment.SecureValue to check additional resource types by @BernieWhite.
        #2650
        #2651
        • Added support for container apps secret properties.
        • Added support for deployment script secret properties.
        • Bumped rule set to 2024_12.
      • Updated Azure.Deployment.SecureParameter to reduce false positives by @BernieWhite.
        #3149
        • Parameters with names ending in name, uri, url, path, type, id, or options are ignored.
        • The customerManagedKey parameter is ignored.

See change log.

v1.39.3

19 Oct 10:38
07a27cf

What's changed since v1.39.2:

  • Bug fixes:
    • Fixed index out of bounds for existing symbolic name reference by @BernieWhite.
      #3129

See change log.

v1.39.2

16 Oct 17:24
7d4e510

What's changed since v1.39.1:

See change log.

v1.39.1

12 Oct 03:45
d8a5b8f

What's changed since v1.39.0:

  • Bug fixes:
    • Fixed GetBicepParamResources exception when expanding Microsoft.Graph/groups resource by @BernieWhite.
      #3062
    • Fixed Azure.AppGw.AvailabilityZone passing when a zonal configuration is used by @BernieWhite.
      #3061
    • Fixed conditional secret as parameter or placeholder by @BernieWhite.
      #2054

See change log.

v1.39.0

10 Oct 17:54
25a6389

What's changed since v1.38.0:

  • New features:
    • Added September 2024 baselines Azure.GA_2024_09 and Azure.Preview_2024_09 by @BernieWhite.
      #3048
      • Includes rules released before or during September 2024.
      • Marked Azure.GA_2024_06 and Azure.Preview_2024_06 baselines as obsolete.
  • New rules:
    • Azure Kubernetes Service:
      • Verify that clusters have kube-audit logging disabled when not required by @BenjaminEngeset.
        #2450
      • Verify that clusters have the customer-controlled maintenance windows aksManagedAutoUpgradeSchedule and aksManagedNodeOSUpgradeSchedule configured by @BenjaminEngeset.
        #2444
    • Azure SQL Database:
      • Verify that Azure SQL databases have a customer-controlled maintenance window configured by @BenjaminEngeset.
        #2956
    • Azure SQL Managed Instance:
      • Verify that Azure SQL Managed Instances have a customer-controlled maintenance window configured by @BenjaminEngeset.
        #2979
      • Verify that virtual machine scale set instances do not have public IPs attached by @BenjaminEngeset.
        #3014
    • Virtual Network:
      • Verify that zonal-deployed Azure firewalls use Azure NAT Gateway for outbound access by @BenjaminEngeset.
        #3005
      • Verify that subnets have disabled default outbound access for virtual machines by @BenjaminEngeset.
        #3001
  • Updated rules:
    • Azure Kubernetes Service:
      • Updated Azure.AKS.AuditLogs documentation to call out important specifics of the kube-audit log by @BernieWhite.
        #2449
      • Updated Azure.AKS.Version to use 1.29.7 as the minimum version by @BernieWhite.
        #3042
    • Container Apps:
      • Updated Azure.ContainerApp.AvailabilityZone to check for infrastructure subnet by @BernieWhite.
        #3068
        • Configuring an infrastructure subnet is a requirement for enabling zone redundancy.
          Both the rule and the documentation have been updated to clearly call this out.
    • Virtual Network:
      • Updated Azure.VNET.UseNSGs to correctly handle cases for special purpose and customer-excluded subnets by @BenjaminEngeset.
        #3007
  • General improvements:
    • Important change: Replaced the Azure_AKSNodeMinimumMaxPods option with AZURE_AKS_POOL_MINIMUM_MAXPODS by @BernieWhite.
      #941
      • For compatibility, if Azure_AKSNodeMinimumMaxPods is set it will be used instead of AZURE_AKS_POOL_MINIMUM_MAXPODS.
      • If only AZURE_AKS_POOL_MINIMUM_MAXPODS is set, this value will be used.
      • The default will be used if neither option is configured.
      • If Azure_AKSNodeMinimumMaxPods is set a warning will be generated until the configuration is removed.
      • Support for Azure_AKSNodeMinimumMaxPods is deprecated and will be removed in v2.
    • Important change: Replaced the Azure_MinimumCertificateLifetime option with AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME by @BernieWhite.
      #941
      • For compatibility, if Azure_MinimumCertificateLifetime is set it will be used instead of AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME.
      • If only AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME is set, this value will be used.
      • The default will be used if neither option is configured.
      • If Azure_MinimumCertificateLifetime is set a warning will be generated until the configuration is removed.
      • Support for Azure_MinimumCertificateLifetime is deprecated and will be removed in v2.
    • Added binding configuration to the policy as rules docs by @BernieWhite.
      #2995
    • Updated resource providers and policy aliases.
      #3074

What's changed since pre-release v1.39.0-B0249:

  • No additional changes.

See change log.