feat(new): Added Azure.VNET.PrivateSubnet

Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.

https://azure.github.io/PSRule.Rules.Azure/

MIT License

394 stars 85 forks source link

feat(new): Added Azure.VNET.PrivateSubnet #2999

Closed BenjaminEngeset closed 3 months ago

BenjaminEngeset commented 3 months ago

PR Summary

Fixes #3001

Added Azure.VNET.PrivateSubnet.

PR Checklist

[x] PR has a meaningful title
[x] Summarized changes
[x] Change is not breaking
[ ] This PR is ready to merge and is not Work in Progress
Rule changes
- [x] Unit tests created/ updated
- [ ] Rule documentation created/ updated
- [x] Link to a filed issue
- [ ] Change log has been updated with change under unreleased section
Other code changes
- [ ] Unit tests created/ updated
- [ ] Link to a filed issue
- [ ] Change log has been updated with change under unreleased section

BenjaminEngeset commented 3 months ago

Hi @BernieWhite,

I am working on resolving this old issue by implementing a new feature for virtual machines and virtual machines within a scale set. Please let me know if you think this approach is incorrect.

The general recommendation nowadays is to use a NAT gateway instead of attaching a dedicated public IP to the NIC.

By implementing this feature on a subnet, the default behavior will be invalidated, necessitating the configuration of explicit outbound access.

I am encountering an issue with the test suite and looking for help with it. Your insights would be greatly appreciated.

Specifically, I expect vnet-F to pass, as it has no subnets configured. However, the rule body identifies it with a subnet for some reason.

I am wondering if the statement for some reason produces and yields some output.

BenjaminEngeset commented 3 months ago

Ready for review @BernieWhite.

BenjaminEngeset commented 3 months ago

Thanks @BenjaminEngeset, nice work!

There are a few suggestions below. Let me know if anything doesn't make sense.

It makes sense, @BernieWhite. But should we have these service-specific subnets onto the rule body and have them pass, or should we discard them from the rule body? Thanks!

BernieWhite commented 3 months ago

Thanks @BenjaminEngeset, nice work! There are a few suggestions below. Let me know if anything doesn't make sense.

It makes sense, @BernieWhite. But should we have these service-specific subnets onto the rule body and have them pass, or should we discard them from the rule body? Thanks!

Because we're targeting -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' I think it might be easier to include it in the two Where-Object blocks.

In an ideal case then we'd ignore them, but that won't help for Microsoft.Network/virtualNetworks.

BenjaminEngeset commented 3 months ago

I have adjusted the logic accordingly now, @BernieWhite. What do you think?

BenjaminEngeset commented 3 months ago

After our discussion regarding overhead of using regex, do you want me to move with the PSRule helper method instead here @BernieWhite?

BernieWhite commented 3 months ago

After our discussion regarding overhead of using regex, do you want me to move with the PSRule helper method instead here @BernieWhite?

Sure that would be great. Thanks.

BenjaminEngeset commented 3 months ago

I have switched over to the preferred solution now, @BernieWhite. What do you think?