v1.34.0

What's changed since v1.33.2:

• New rules:
  • Azure Kubernetes Service:
    • Check that user mode pools have a minimum number of nodes by @BernieWhite.
      #2683
      • Added configuration to support changing the minimum number of node and to exclude node pools.
      • Set AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES to set the minimum number of user nodes.
      • Set AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES to exclude a specific node pool by name.
• Updated rules:
  • Azure Kubernetes Service:
    • Updated Azure.AKS.MinNodeCount the count nodes system node pools by @BernieWhite.
      #2683
      • Improved guidance and examples specifically for system node pools.
      • Added configuration to support changing the minimum number of node.
      • Set AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES to set the minimum number of system nodes.
  • Front Door:
    • Updated Azure.FrontDoor.Logs to cover premium and standard profiles instead of just classic by @BernieWhite.
      #2704
      • Added a selector for premium and standard profiles Azure.FrontDoor.IsStandardOrPremium.
      • Added a selector for classic profiles Azure.FrontDoor.IsClassic.
      • Updated rule set to 2024_03.
  • Microsoft Defender for Cloud:
    • Renamed rules to align with recommended naming length by @BernieWhite.
      #2718
      • Renamed Azure.Defender.Storage.SensitiveData to Azure.Defender.Storage.DataScan.
    • Promoted Azure.Defender.Storage.MalwareScan to GA rule set by @BernieWhite.
      #2590
  • Storage Account:
    • Renamed rules to align with recommended naming length by @BernieWhite.
      #2718
      • Renamed Azure.Storage.DefenderCloud.MalwareScan to Azure.Storage.Defender.MalwareScan.
      • Renamed Azure.Storage.DefenderCloud.SensitiveData to Azure.Storage.Defender.DataScan.
    • Promoted Azure.Storage.Defender.MalwareScan to GA rule set by @BernieWhite.
      #2590
• General improvements:
  • Moved .bicepparam file support to stable by @BernieWhite.
    #2682
    • Bicep param files are now automatically expanded when found.
    • To disable expansion, set the configuration option AZURE_BICEP_PARAMS_FILE_EXPANSION to false.
  • Added support for type/ variable/ and function imports from Bicep files by @BernieWhite.
    #2537
  • Added duplicate policies to default ignore list by @BernieWhite.
    #1731
  • Documentation and metadata improvements by @BernieWhite.
    #1772
    #2570
• Engineering:
  • Updated resource providers and policy aliases.
    #2717
  • Improved debugging experience by providing symbols for .NET code by @BernieWhite.
    #2712
  • Bump Microsoft.NET.Test.Sdk to v17.9.0.
    #2680
  • Bump xunit to v2.7.0.
    #2688
  • Bump xunit.runner.visualstudio to v2.5.7.
    #2689
  • Bump coverlet.collector to v6.0.1.
    #2699
• Bug fixes:
  • Fixed missing zones property for public IP addresses by @BernieWhite.
    #2698
  • Fixes for policy as rules by @BernieWhite.
    #181
    #1323

What's changed since pre-release v1.34.0-B0077:

• No additional changes.

See change log.

v1.34.0-B0077

What's changed since pre-release v1.34.0-B0047:

• Updated rules:
  • Microsoft Defender for Cloud:
    • Renamed rules to align with recommended naming length by @BernieWhite.
      #2718
      • Renamed Azure.Defender.Storage.SensitiveData to Azure.Defender.Storage.DataScan.
    • Promoted Azure.Defender.Storage.MalwareScan to GA rule set by @BernieWhite.
      #2590
  • Storage Account:
    • Renamed rules to align with recommended naming length by @BernieWhite.
      #2718
      • Renamed Azure.Storage.DefenderCloud.MalwareScan to Azure.Storage.Defender.MalwareScan.
      • Renamed Azure.Storage.DefenderCloud.SensitiveData to Azure.Storage.Defender.DataScan.
    • Promoted Azure.Storage.Defender.MalwareScan to GA rule set by @BernieWhite.
      #2590
• General improvements:
  • Added duplicate policies to default ignore list by @BernieWhite.
    #1731
• Engineering:
  • Updated resource providers and policy aliases.
    #2717
• Bug fixes:
  • Fixes for policy as rules by @BernieWhite.
    #181
    #1323

See change log.

v1.34.0-B0047

What's changed since pre-release v1.34.0-B0022:

• General improvements:
  • Added support for type/ variable/ and function imports from Bicep files by @BernieWhite.
    #2537
• Engineering:
  • Improved debugging experience by providing symbols for .NET code by @BernieWhite.
    #2712

See change log.

v1.34.0-B0022

What's changed since v1.33.2:

• New rules:
  • Azure Kubernetes Service:
    • Check that user mode pools have a minimum number of nodes by @BernieWhite.
      #2683
      • Added configuration to support changing the minimum number of node and to exclude node pools.
      • Set AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES to set the minimum number of user nodes.
      • Set AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES to exclude a specific node pool by name.
• Updated rules:
  • Azure Kubernetes Service:
    • Updated Azure.AKS.MinNodeCount the count nodes system node pools by @BernieWhite.
      #2683
      • Improved guidance and examples specifically for system node pools.
      • Added configuration to support changing the minimum number of node.
      • Set AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES to set the minimum number of system nodes.
  • Front Door:
    • Updated Azure.FrontDoor.Logs to cover premium and standard profiles instead of just classic by @BernieWhite.
      #2704
      • Added a selector for premium and standard profiles Azure.FrontDoor.IsStandardOrPremium.
      • Added a selector for classic profiles Azure.FrontDoor.IsClassic.
      • Updated rule set to 2024_03.
• General improvements:
  • Moved .bicepparam file support to stable by @BernieWhite.
    #2682
    • Bicep param files are now automatically expanded when found.
    • To disable expansion, set the configuration option AZURE_BICEP_PARAMS_FILE_EXPANSION to false.
  • Documentation and metadata improvements by @BernieWhite.
    #1772
    #2570
• Engineering:
  • Bump Microsoft.NET.Test.Sdk to v17.9.0.
    #2680
  • Bump xunit to v2.7.0.
    #2688
  • Bump xunit.runner.visualstudio to v2.5.7.
    #2689
  • Bump coverlet.collector to v6.0.1.
    #2699
• Bug fixes:
  • Fixed missing zones property for public IP addresses by @BernieWhite.
    #2698

See change log.

v1.33.2

What's changed since v1.33.1:

• Bug fixes:
  • Fixed false positive of Azure.Resource.AllowedRegions raised during assertion call by @BernieWhite.
    #2687

See change log.

v1.33.1

What's changed since v1.33.0:

• Bug fixes:
  • Fixed Azure.AKS.AuthorizedIPs is not valid for a private cluster by @BernieWhite.
    #2677
  • Fixed generating rule for VM extensions from policy is incorrect by @BernieWhite.
    #2608

See change log.

v1.33.0

What's changed since v1.32.1:

• New features:
  • Exporting policy as rules also generates a baseline by @BernieWhite.
    #2482
    • A baseline is automatically generated that includes for all rules exported.
      If a policy rule has been replaced by a built-in rule, the baseline will include the built-in rule instead.
    • The baseline is named <Prefix>.PolicyBaseline.All. i.e. Azure.PolicyBaseline.All by default.
    • For details see Policy as rules.
• New rules:
  • Databricks:
    • Check that Databricks workspaces use a non-trial SKU by @batemansogq.
      #2646
    • Check that Databricks workspaces require use of private endpoints by @batemansogq.
      #2646
  • Dev Box:
    • Check that projects limit the number of Dev Boxes per user by @BernieWhite.
      #2654
• Updated rules:
  • Application Gateway:
    • Updated Azure.AppGwWAF.RuleGroups to use the rule sets by @BenjaminEngeset.
      #2629
      • The latest Bot Manager rule set is now 1.0.
      • The latest OWASP rule set is now 3.2.
  • Cognitive Services:
    • Relaxed Azure.Cognitive.ManagedIdentity to configurations that require managed identities by @BernieWhite.
      #2559
  • Virtual Machine:
    • Checks for Azure Hybrid Benefit Azure.VM.UseHybridUseBenefit are not enabled by default by @BernieWhite.
      #2493
      • To enable, set the AZURE_VM_USE_HYBRID_USE_BENEFIT option to true.
  • Virtual Network:
    • Added option for excluding subnets to Azure.VNET.UseNSGs by @BernieWhite.
      #2572
      • To add a subnet exclusion, set the AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG option.
• General improvements:
  • Rules that are ignored during exporting policy as rules are now generate a verbose logs by @BernieWhite.
    #2482
    • This is to improve transparency of why rules are not exported.
    • To see details on why a rule is ignored, enable verbose logging with -Verbose.
  • Policies that duplicate built-in rules can now be exported by using the -KeepDuplicates parameter by @BernieWhite.
    #2482
    • For details see Policy as rules.
  • Quality updates to rules and documentation by @BernieWhite.
    #1772
    #2570
• Engineering:
  • Bump xunit to v2.6.6.
    #2645
  • Bump xunit.runner.visualstudio to v2.5.6.
    #2619
  • Bump BenchmarkDotNet to v0.13.12.
    #2636
  • Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.12.
    #2636
• Bug fixes:
  • Fixed dateTimeAdd may fail with different localization by @BernieWhite.
    #2631
  • Fixed inconclusive result reported for Azure.ACR.Usage by @BernieWhite.
    #2494
  • Fixed export of Front Door resource data is incomplete by @BernieWhite.
    #2668
  • Fixed Azure.Template.TemplateFile to support with languageVersion 2.0 template properties by @MrRoundRobin.
    #2660
  • Fixed Azure.VM.DiskSizeAlignment does not handle smaller sizes and ultra disks by @BernieWhite.
    #2656

What's changed since pre-release v1.33.0-B0169:

• No additional changes.

See change log.

v1.33.0-B0169

What's changed since pre-release v1.33.0-B0126:

• New features:
  • Exporting policy as rules also generates a baseline by @BernieWhite.
    #2482
    • A baseline is automatically generated that includes for all rules exported.
      If a policy rule has been replaced by a built-in rule, the baseline will include the built-in rule instead.
    • The baseline is named <Prefix>.PolicyBaseline.All. i.e. Azure.PolicyBaseline.All by default.
    • For details see Policy as rules.
• General improvements:
  • Rules that are ignored during exporting policy as rules are now generate a verbose logs by @BernieWhite.
    #2482
    • This is to improve transparency of why rules are not exported.
    • To see details on why a rule is ignored, enable verbose logging with -Verbose.
  • Policies that duplicate built-in rules can now be exported by using the -KeepDuplicates parameter by @BernieWhite.
    #2482
    • For details see Policy as rules.
• Bug fixes:
  • Fixed inconclusive result reported for Azure.ACR.Usage by @BernieWhite.
    #2494
  • Fixed export of Front Door resource data is incomplete by @BernieWhite.
    #2668

See change log.

v1.33.0-B0126

What's changed since pre-release v1.33.0-B0088:

• Bug fixes:
  • Fixed Azure.Template.TemplateFile to support with languageVersion 2.0 template properties by @MrRoundRobin.
    #2660

See change log.

v1.33.0-B0088

What's changed since pre-release v1.33.0-B0053:

• New rules:
  • Dev Box:
    • Check that projects limit the number of Dev Boxes per user by @BernieWhite.
      #2654
• Bug fixes:
  • Fixed Azure.VM.DiskSizeAlignment does not handle smaller sizes and ultra disks by @BernieWhite.
    #2656

See change log.