Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License
395 stars, 86 forks

Check each Microsoft Defender for Cloud Pricing plan is Standard #1632

Closed BernieWhite closed 1 year ago

BernieWhite commented 2 years ago

Rule request

Any pricing plans deployed for Microsoft Defender for Cloud should use the Standard pricing tier.

Let's create individual rules for each pricing plan to allow customers to granularly suppress as required.

For example:

// Configures Azure Defender for Containers.
resource defenderForContainers 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'Containers'
  properties: {
    pricingTier: 'Standard'
  }
}

// Configures Azure Defender for Virtual Machines.
resource defenderForVirtualMachines 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'VirtualMachines'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'P2'
  }
}

// Configures Azure Defender for Sql Servers.
resource defenderForSqlServers 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'SqlServers'
  properties: {
    pricingTier: 'Standard'
  }
}

// Configures Azure Defender for App Services.
resource defenderForAppServices 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'AppServices'
  properties: {
    pricingTier: 'Standard'
  }
}

// Configures Azure Defender for Storage Accounts.
resource defenderForStorageAccounts 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
  }
}

// Configures Azure Defender for Sql Server Virtual Machines.
resource defenderForSqlServerVirtualMachines 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'SqlServerVirtualMachines'
  properties: {
    pricingTier: 'Standard'
  }
}

// Configures Azure Defender for Key Vaults.
resource defenderForKeyVaults 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'KeyVaults'
  properties: {
    pricingTier: 'Standard'
  }
}

// Configures Azure Defender for Dns.
resource defenderForDns 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'Dns'
  properties: {
    pricingTier: 'Standard'
  }
}

// Configures Azure Defender for Arm.
resource defenderForArm 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'Arm'
  properties: {
    pricingTier: 'Standard'
  }
}

// Configures Azure Defender for Open Source Relational Databases.
resource defenderForOpenSourceRelationalDatabases 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'OpenSourceRelationalDatabases'
  properties: {
    pricingTier: 'Standard'
  }
}

// Configures Azure Defender for Cosmos Dbs.
resource defenderForCosmosDbs 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'CosmosDbs'
  properties: {
    pricingTier: 'Standard'
  }
}

jdewisscher commented 2 years ago

Initial batch of rules part of PR #1676

Remaining rules:

BernieWhite commented 2 years ago

Thanks @jdewisscher for your progress so far on this issue. Do you think in the next few weeks (so we can target completion for v1.21.0) you could complete the remaining rules, or should we plan to reassign this issue?

s1mb414 commented 2 years ago

Hello, I am not sure if it's 100% related to this, but since Monday I began to face issues with the Azure.Defender rule. Basically, I am getting an Azure.Defender rule failure with a message stating that I have pricingTier set to 'Free'. Based on this rule's source code, I understand that it is expecting to find 'Standard', but it is actually already set to 'Standard'. Please see a screenshot with a few error message examples.

(screenshot attached)

I am also attaching a module and a parameters file so it would be easier to replicate the issue.

Any ideas why PSRule could see pricingTier as 'Free' instead of 'Standard' while using the attached module and parameter file?

BernieWhite commented 2 years ago

@s1mb414 Thanks for reporting the issue. We will have a look at it.

s1mb414 commented 2 years ago

Hello, @BernieWhite, did you have a chance to look into this issue?

BernieWhite commented 2 years ago

> Hello, @BernieWhite, did you have a chance to look into this issue?

@s1mb414 Thanks for the prompt. Sorry I lost track of this one. I've created a separate issue for tracking this bug. #1793

BernieWhite commented 1 year ago

Unassigning @jdewisscher to allow someone else to pick this up.

BernieWhite commented 1 year ago

This one should be fairly easy since it is already partially implemented for a number of cases. Use the existing cases defined here https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/Azure.Defender.Rule.yaml as a guide.
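The shape of a per-plan rule, as an added example written for this issue rather than code from the PSRule.Rules.Azure repository. It follows the pattern the request describes (one rule per Microsoft.Security/pricings plan, selected by the resource name, checking properties.pricingTier is Standard) so that each plan can be suppressed on its own. The rule names Azure.Defender.Containers and Azure.Defender.Servers are assumed here; pick whatever names match the existing Azure.Defender.* entries. The second rule goes beyond the Standard-only request by also requiring the P2 subPlan that the VirtualMachines snippet above sets; treat that extra check as an assumption to drop if the project only wants the tier enforced.

```yaml
---
# Synopsis: Enable Microsoft Defender for Containers.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
  name: Azure.Defender.Containers   # assumed name for this example
spec:
  type:
  - Microsoft.Security/pricings
  # Precondition: only evaluate the pricing plan named 'Containers'.
  # 'name: .' compares against the target object's name, so every other
  # plan is ignored by this rule and can be suppressed independently.
  where:
    name: '.'
    equals: 'Containers'
  condition:
    field: 'properties.pricingTier'
    equals: 'Standard'

---
# Synopsis: Enable Microsoft Defender for Servers with the P2 plan.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
  name: Azure.Defender.Servers      # assumed name for this example
spec:
  type:
  - Microsoft.Security/pricings
  where:
    name: '.'
    equals: 'VirtualMachines'
  # The Bicep in the request sets subPlan 'P2' next to the Standard tier.
  # Enforcing subPlan is an assumption beyond the Standard-only request;
  # remove the second clause if only the tier should be checked.
  condition:
    allOf:
    - field: 'properties.pricingTier'
      equals: 'Standard'
    - field: 'properties.subPlan'
      equals: 'P2'
```

Drop the file into the `.ps-rule/` directory (or `src/PSRule.Rules.Azure/rules/` when contributing to the module) and run `Assert-PSRule -InputPath . -Module PSRule.Rules.Azure` against the deployment; with Bicep expansion enabled, each `Microsoft.Security/pricings` resource is evaluated once and only the rule whose `where` clause matches its name reports on it. Because each plan has its own rule, a customer who deliberately leaves one plan on the Free tier can suppress just that rule for the named resource in `ps-rule.yaml` (for example `suppression: { Azure.Defender.Containers: [ Containers ] }`) without silencing the checks for the other plans. The repository's own rules additionally carry `release` and `ruleSet` tags in `metadata.tags` so they are picked up by the quarterly baselines; add those when submitting the rule upstream.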