v1.20.0
What's changed since pre-release v1.19.2:
- New features:
  - Added September 2022 baselines `Azure.GA_2022_09` and `Azure.Preview_2022_09` by @BernieWhite. #1738
    - Includes rules released before or during September 2022.
    - Marked `Azure.GA_2022_06` and `Azure.Preview_2022_06` baselines as obsolete.
- New rules:
  - AKS:
    - Check clusters use Ephemeral OS disk by @bengeset96. #1618
  - App Configuration:
    - Check app configuration store has purge protection enabled by @bengeset96. #1689
    - Check app configuration store has one or more replicas by @bengeset96. #1688
    - Check app configuration store audit diagnostic logs are enabled by @bengeset96. #1690
    - Check identity-based authentication is used for configuration stores by @pazdedav. #1691
  - Application Gateway WAF:
  - Azure Cache for Redis:
    - Check the number of firewall rules for caches by @jonathanruiz. #544
    - Check the number of IP addresses in firewall rules for caches by @jonathanruiz. #544
  - CDN:
    - Check CDN profile uses Front Door Standard or Premium tier by @bengeset96. #1612
  - Container Registry:
    - Check soft delete policy is enabled by @bengeset96. #1674
  - Defender for Cloud:
    - Check Microsoft Defender for Cloud is enabled for Containers by @jdewisscher. #1632
    - Check Microsoft Defender for Cloud is enabled for Virtual Machines by @jdewisscher. #1632
    - Check Microsoft Defender for Cloud is enabled for SQL Servers by @jdewisscher. #1632
    - Check Microsoft Defender for Cloud is enabled for App Services by @jdewisscher. #1632
    - Check Microsoft Defender for Cloud is enabled for Storage Accounts by @jdewisscher. #1632
    - Check Microsoft Defender for Cloud is enabled for SQL Servers on machines by @jdewisscher. #1632
  - Deployment:
    - Check that nested deployments securely pass through administrator usernames by @ms-sambell. #1479
  - Front Door WAF:
  - Network Security Group:
    - Check AKS managed NSGs don't contain custom rules by @ms-sambell. #8
  - Storage Account:
    - Check blob container soft delete is enabled by @pazdedav. #1671
    - Check file share soft delete is enabled by @jonathanruiz. #966
  - VMSS:
    - Check Linux VMSS has disabled password authentication by @bengeset96. #1635
- Updated rules:
  - Important change: Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz. #545
    - The following rules have been renamed with aliases:
      - Renamed `Azure.SQL.ThreatDetection` to `Azure.SQL.DefenderCloud`.
      - Renamed `Azure.SecurityCenter.Contact` to `Azure.DefenderCloud.Contact`.
      - Renamed `Azure.SecurityCenter.Provisioning` to `Azure.DefenderCloud.Provisioning`.
    - If you are referencing the old names please consider updating to the new names.
  - Updated documentation examples for Front Door and Key Vault rules by @lluppesms. #1667
  - Improved the way we check that VM or VMSS has Linux by @VeraBE. #1704
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.Version` to use latest stable version 1.23.8 by @BernieWhite. #1627
      - Use `AZURE_AKS_CLUSTER_MINIMUM_VERSION` to configure the minimum version of the cluster.
  - Event Grid:
    - Promoted `Azure.EventGrid.DisableLocalAuth` to GA rule set by @BernieWhite. #1628
  - Key Vault:
    - Promoted `Azure.KeyVault.AutoRotationPolicy` to GA rule set by @BernieWhite. #1629
- General improvements:
  - Updated NSG documentation with code snippets and links by @simone-bennett. #1607
  - Updated Application Gateway documentation with code snippets by @ms-sambell. #1608
  - Updated SQL firewall rules documentation by @ms-sambell. #1569
  - Updated Container Apps documentation and rule to new resource type by @marie-schmidt. #1672
  - Updated KeyVault and FrontDoor documentation with code snippets by @lluppesms. #1667
  - Added tag and annotation metadata from policy for rules generation by @BernieWhite. #1652
  - Added hash to `name` and `ref` properties for policy rules by @ArmaanMcleod. #1653
    - Use `AZURE_POLICY_RULE_PREFIX` or `Export-AzPolicyAssignmentRuleData -RulePrefix` to override rule prefix.
- Engineering:
- Bug fixes:
  - Fixed continue processing policy assignments on error by @BernieWhite. #1651
  - Fixed handling of runtime assessment data by @BernieWhite. #1707
  - Fixed conversion of type conditions to pre-conditions by @BernieWhite. #1708
  - Fixed inconclusive failure of `Azure.Deployment.AdminUsername` by @BernieWhite. #1631
  - Fixed error expanding with `json()` and single quotes by @BernieWhite. #1656
  - Fixed handling key collision with duplicate definitions using same parameters by @ArmaanMcleod. #1653
  - Fixed bug requiring all diagnostic logs settings to have auditing enabled by @bengeset96. #1726
  - Fixed `Azure.Deployment.AdminUsername` incorrectly fails with nested deployments by @BernieWhite. #1762
  - Fixed `Azure.FrontDoorWAF.Exclusions` reports exclusions when none are specified by @BernieWhite. #1751
  - Fixed `Azure.Deployment.AdminUsername` does not match the pattern by @BernieWhite. #1758
  - Consider private offerings when checking that a VM or VMSS has Linux by @VeraBE. #1725
What's changed since pre-release v1.20.0-B0477:
- No additional changes.
See change log.