Releases: Azure/PSRule.Rules.Azure
v1.40.0
What's changed since v1.39.3:
- New features:
  - Added support for expanding from `.jsonc` parameter files by @BernieWhite. #2053
    - Previously only parameter files with the `.json` extension were automatically expanded.
    - This feature adds support so that JSON parameter files with the `.jsonc` extension are also discovered and expanded.
    - No additional configuration is required if expansion of JSON parameter files is enabled.
    - To enable parameter file expansion, set the `AZURE_PARAMETER_FILE_EXPANSION` configuration option to `true`.
- Updated rules:
  - Deployment:
    - Updated `Azure.Deployment.SecureValue` to check additional resource types by @BernieWhite. #2650 #2651
      - Added support for container apps secret properties.
      - Added support for deployment script secret properties.
      - Bumped rule set to `2024_12`.
    - Updated `Azure.Deployment.SecureParameter` to reduce false positives by @BernieWhite. #3149
      - Parameters with names ending in `name`, `uri`, `url`, `path`, `type`, `id`, or `options` are ignored.
      - The `customerManagedKey` parameter is ignored.
  - Microsoft Defender for Cloud:
    - Updated `Azure.DefenderCloud.Contact` to use the `emails` property and removed `phone` by @BernieWhite. #3117
      - Renamed rule to `Azure.Defender.SecurityContact` to better align with naming for Defender rules.
      - Bumped rule set to `2024_12`.
- General improvements:
  - Added first time contributor guide in docs by @that-ar-guy. #3097
  - Additional quality updates to documentation by @BernieWhite. #3102
- Engineering:
  - Quality updates to rule documentation by @BernieWhite. #3102
  - Migrated Azure samples into PSRule for Azure by @BernieWhite. #3085
- Bug fixes:
  - Fixed evaluation of APIM policies when using embedded C# with quotes by @BernieWhite. #3184
  - Fixed resource group ID being incorrect under subscription scope by @BernieWhite. #3198
  - Fixed object to hashtable conversion for default parameter values by @BernieWhite. #3033
  - Fixed deployments with more than one module at tenant scope by @BernieWhite. #3167
  - Fixed projection of default role authorization property `principalType` by @BernieWhite. #3163
  - Fixed user defined function not found when used as parameter default by @BernieWhite. #3169
  - Fixed evaluation of `Azure.NSG.LateralTraversal` with empty string properties by @BernieWhite. #3130
  - Fixed evaluation of `Azure.Deployment.AdminUsername` with symbolic references by @BernieWhite. #3146
  - Fixed output map expansion with resource IDs by @BernieWhite. #3153
What's changed since pre-release v1.40.0-B0206:
- No additional changes.
See change log.
v1.40.0-B0206
What's changed since pre-release v1.40.0-B0147:
- General improvements:
  - Added first time contributor guide in docs by @that-ar-guy. #3097
- Engineering:
  - Quality updates to rule documentation by @BernieWhite. #3102
- Bug fixes:
  - Fixed evaluation of APIM policies when using embedded C# with quotes by @BernieWhite. #3184
  - Fixed resource group ID being incorrect under subscription scope by @BernieWhite. #3198
See change log.
v1.40.0-B0147
What's changed since pre-release v1.40.0-B0103:
- Bug fixes:
  - Fixed object to hashtable conversion for default parameter values by @BernieWhite. #3033
  - Fixed deployments with more than one module at tenant scope by @BernieWhite. #3167
See change log.
v1.40.0-B0103
What's changed since pre-release v1.40.0-B0063:
- New features:
  - Added support for expanding from `.jsonc` parameter files by @BernieWhite. #2053
    - Previously only parameter files with the `.json` extension were automatically expanded.
    - This feature adds support so that JSON parameter files with the `.jsonc` extension are also discovered and expanded.
    - No additional configuration is required if expansion of JSON parameter files is enabled.
    - To enable parameter file expansion, set the `AZURE_PARAMETER_FILE_EXPANSION` configuration option to `true`.
- General improvements:
  - Additional quality updates to documentation by @BernieWhite. #3102
- Bug fixes:
  - Fixed projection of default role authorization property `principalType` by @BernieWhite. #3163
  - Fixed user defined function not found when used as parameter default by @BernieWhite. #3169
See change log.
v1.40.0-B0063
What's changed since pre-release v1.40.0-B0029:
- Updated rules:
  - Microsoft Defender for Cloud:
    - Updated `Azure.DefenderCloud.Contact` to use the `emails` property and removed `phone` by @BernieWhite. #3117
      - Renamed rule to `Azure.Defender.SecurityContact` to better align with naming for Defender rules.
      - Bumped rule set to `2024_12`.
- Bug fixes:
  - Fixed evaluation of `Azure.NSG.LateralTraversal` with empty string properties by @BernieWhite. #3130
  - Fixed evaluation of `Azure.Deployment.AdminUsername` with symbolic references by @BernieWhite. #3146
See change log.
v1.40.0-B0029
What's changed since v1.39.3:
- Updated rules:
  - Deployment:
    - Updated `Azure.Deployment.SecureValue` to check additional resource types by @BernieWhite. #2650 #2651
      - Added support for container apps secret properties.
      - Added support for deployment script secret properties.
      - Bumped rule set to `2024_12`.
    - Updated `Azure.Deployment.SecureParameter` to reduce false positives by @BernieWhite. #3149
      - Parameters with names ending in `name`, `uri`, `url`, `path`, `type`, `id`, or `options` are ignored.
      - The `customerManagedKey` parameter is ignored.
- Engineering:
  - Migrated Azure samples into PSRule for Azure by @BernieWhite. #3085
  - Quality updates to rule documentation by @BernieWhite. #3102
- Bug fixes:
  - Fixed output map expansion with resource IDs by @BernieWhite. #3153
See change log.
v1.39.3
What's changed since v1.39.2:
- Bug fixes:
  - Fixed index out of bounds for existing symbolic name reference by @BernieWhite. #3129
See change log.
v1.39.2
What's changed since v1.39.1:
- Bug fixes:
  - Fixed user-defined function reference to exported variable by @BernieWhite. #3120
  - Fixed name expand of existing resource references by @BernieWhite. #3123
See change log.
v1.39.1
What's changed since v1.39.0:
- Bug fixes:
  - Fixed `GetBicepParamResources` exception when expanding `Microsoft.Graph/groups` resource by @BernieWhite. #3062
  - Fixed `Azure.AppGw.AvailabilityZone` passes when a zonal configuration is used by @BernieWhite. #3061
  - Fixed conditional secret as parameter or placeholder by @BernieWhite. #2054
See change log.
v1.39.0
What's changed since v1.38.0:
- New features:
  - Added September 2024 baselines `Azure.GA_2024_09` and `Azure.Preview_2024_09` by @BernieWhite. #3048
    - Includes rules released before or during September 2024.
    - Marked `Azure.GA_2024_06` and `Azure.Preview_2024_06` baselines as obsolete.
- New rules:
  - Azure Kubernetes Service:
    - Verify that clusters have kube-audit logging disabled when not required by @BenjaminEngeset. #2450
    - Verify that clusters have the customer-controlled maintenance windows `aksManagedAutoUpgradeSchedule` and `aksManagedNodeOSUpgradeSchedule` configured by @BenjaminEngeset. #2444
  - App Service:
    - Verify that app service plans have availability zones configured by @BenjaminEngeset. #2964
  - App Service Environment:
    - Verify that app service environments have availability zones configured by @BenjaminEngeset. #2964
  - Azure SQL Database:
    - Verify that Azure SQL databases have a customer-controlled maintenance window configured by @BenjaminEngeset. #2956
  - Azure SQL Managed Instance:
    - Verify that Azure SQL Managed Instances have a customer-controlled maintenance window configured by @BenjaminEngeset. #2979
  - Service Bus:
    - Verify that service bus namespaces have geo-replication configured by @BenjaminEngeset. #2988
  - Virtual Machine:
    - Verify that virtual machines do not have public IPs attached by @BenjaminEngeset. #11
    - Verify that multi-tenant Hosting Rights are used for Windows client VMs by @BenjaminEngeset. #432
    - Verify that availability set members are in a backend pool by @BenjaminEngeset. #67
  - Virtual Machine Scale Sets:
    - Verify that virtual machine scale set instances do not have public IPs attached by @BenjaminEngeset. #3014
  - Virtual Network:
    - Verify that zonal-deployed Azure firewalls use Azure NAT Gateway for outbound access by @BenjaminEngeset. #3005
    - Verify that subnets have disabled default outbound access for virtual machines by @BenjaminEngeset. #3001
- Updated rules:
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.AuditLogs` documentation to call out important specifics of the `kube-audit` log by @BernieWhite. #2449
    - Updated `Azure.AKS.Version` to use `1.29.7` as the minimum version by @BernieWhite. #3042
  - Container Apps:
    - Updated `Azure.ContainerApp.AvailabilityZone` to check for an infrastructure subnet by @BernieWhite. #3068
      - Configuring an infrastructure subnet is a requirement for enabling zone redundancy. Both the rule and its documentation have been updated to clearly call this out.
  - Virtual Network:
    - Updated `Azure.VNET.UseNSGs` to correctly handle cases for special purpose and customer-excluded subnets by @BenjaminEngeset. #3007
- General improvements:
  - Important change: Replaced the `Azure_AKSNodeMinimumMaxPods` option with `AZURE_AKS_POOL_MINIMUM_MAXPODS` by @BernieWhite. #941
    - For compatibility, if `Azure_AKSNodeMinimumMaxPods` is set it will be used instead of `AZURE_AKS_POOL_MINIMUM_MAXPODS`.
    - If only `AZURE_AKS_POOL_MINIMUM_MAXPODS` is set, this value will be used.
    - The default will be used if neither option is configured.
    - If `Azure_AKSNodeMinimumMaxPods` is set, a warning will be generated until the configuration is removed.
    - Support for `Azure_AKSNodeMinimumMaxPods` is deprecated and will be removed in v2.
  - Important change: Replaced the `Azure_MinimumCertificateLifetime` option with `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME` by @BernieWhite. #941
    - For compatibility, if `Azure_MinimumCertificateLifetime` is set it will be used instead of `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME`.
    - If only `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME` is set, this value will be used.
    - The default will be used if neither option is configured.
    - If `Azure_MinimumCertificateLifetime` is set, a warning will be generated until the configuration is removed.
    - Support for `Azure_MinimumCertificateLifetime` is deprecated and will be removed in v2.
  - Added binding configuration to the policy as rules docs by @BernieWhite. #2995
  - Updated resource providers and policy aliases. #3074
- Engineering:
  - Bumped development tools to .NET 8.0 SDK by @BernieWhite. #3017
  - Quality updates to rule documentation by @BernieWhite. #2570
  - Bumped xunit to v2.9.0. #2982
  - Bumped xunit.runner.visualstudio to v2.8.2. #2982
- Bug fixes:
  - Fixed expansion with deployments by resource ID at management group by @BernieWhite. #3013
  - Fixed subscription aliases not supporting tags by @BernieWhite. #3021
  - Fixed `Azure.AppService.AvailabilityZone` only detecting premium by the tier property by @BenjaminEngeset. #3034
  - Fixed loading of expansion options from a non-default options file by @BernieWhite. #3033
  - Fixed TLS defaults for `Azure.Redis.MinTLS` and `Azure.RedisEnterprise.MinTLS` by @BernieWhite. #3066
  - Fixed symbolic expand for existing with conditional cases by @BernieWhite. #2917
What's changed since pre-release v1.39.0-B0249:
- No additional changes.
See change log.