Closed eriqua closed 2 months ago
Suggestion: keep in triage with the needsfurtherdiscussion label until refinement completion. This will include the list of modules to be fixed based on the outcome of issue Azure/ResourceModules#2425
Team decides that issues should be created per rule, not per module
Following is the list of failing rules:
Failed_PSRule_Output_v03 (3).xlsx
TO DO LIST:
Error example: Error: AZR-000166: ***splhcom001 failed Azure.Resource.UseTags. Azure resources should be tagged using a standard convention.

There are no modules where we need to add tags support. So the 2 scenarios are:

- resource supporting tags but tags not used in test files
- Azure resource not supporting tags
- [ ] Add tags with values in test files for the following modules:
  - Microsoft.Compute/availabilitySets
  - Microsoft.Compute/diskEncryptionSets
  - Microsoft.Compute/disks
  - Microsoft.Compute/galleries
  - Microsoft.Compute/virtualMachines
  - Microsoft.Compute/virtualMachineScaleSets
  - Microsoft.ContainerInstance/containerGroups
  - Microsoft.DataProtection/backupVaults
  - Microsoft.HealthBot/healthBots
  - microsoft.insights/actionGroups
  - Microsoft.Insights/activityLogAlerts
  - Microsoft.Insights/components
  - Microsoft.Insights/metricAlerts
  - microsoft.insights/privateLinkScopes
  - Microsoft.Insights/scheduledQueryRules
  - Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies
  - Microsoft.Network/applicationSecurityGroups
  - Microsoft.Network/connections
  - Microsoft.Network/ddosProtectionPlans
  - Microsoft.Network/dnsResolvers
  - Microsoft.Network/firewallPolicies
  - Microsoft.Network/ipGroups
  - Microsoft.Network/loadBalancers
  - Microsoft.Network/localNetworkGateways
  - Microsoft.Network/networkInterfaces
  - Microsoft.Network/networkManagers
  - Microsoft.Network/networkWatchers
  - Microsoft.Network/privateDnsZones
  - Microsoft.Network/privateEndpoints
  - Microsoft.Network/privateLinkServices
  - Microsoft.Network/publicIPPrefixes
  - Microsoft.Network/routeTables
  - Microsoft.Network/virtualHubs
  - Microsoft.Network/virtualNetworks
  - Microsoft.Network/virtualWans
  - Microsoft.Network/vpnGateways
  - Microsoft.Resources/deploymentScripts
  - Microsoft.Resources/resourceGroups
  - Microsoft.ServiceFabric/clusters
  - Microsoft.SignalRService/webPubSub
  - Microsoft.Sql/servers
  - Microsoft.Storage/storageAccounts
  - Microsoft.Synapse/privateLinkHubs
  - Microsoft.VirtualMachineImages/imageTemplates
  - Microsoft.Web/connections
  - Microsoft.Web/staticSites

https://github.com/Azure/ResourceModules/pull/2241/files can be used as a reference; the following code needs to be added:

```bicep
tags: {
  Environment: 'Non-Prod'
  Role: 'DeploymentValidation'
}
```

----> there is no standard with TAGS, should we standardize?
Examples of other found tags: `tags: { purpose: 'test' }`
Error example: Error: AZR-000144: ***apamgcom001 failed Azure.Policy.AssignmentAssignedBy. Policy assignments should use assignedBy metadata.
| File path | Action |
|---|---|
| Microsoft.Authorization/policyAssignments/.test/mg.common/deploy.test.bicep | Add assignedby metadata on the existing metadata block |
| Microsoft.Authorization/policyAssignments/.test/rg.common/deploy.test.bicep | Add assignedby metadata on the existing metadata block |
| Microsoft.Authorization/policyAssignments/.test/mg.min/deploy.test.bicep | Metadata block is missing. Add the whole metadata block including the assignedby |
| Microsoft.Authorization/policyAssignments/.test/rg.min/deploy.test.bicep | Metadata block is missing. Add the whole metadata block including the assignedby |
| Microsoft.Authorization/policyAssignments/.test/sub.min/deploy.test.bicep | Metadata block is missing. Add the whole metadata block including the assignedby |
| Microsoft.Authorization/policyAssignments/.test/sub.common/deploy.test.bicep | Add assignedby metadata on the existing metadata block |

Example of metadata block:

```bicep
metadata: {
  category: 'Security'
  version: '1.0'
  assignedby: 'Carml'
}
```

--> `assignedby: 'Carml'` approved?
Error: AZR-000143: ***apasubmin001 failed Azure.Policy.AssignmentDescriptors. Policy assignments should use a display name and description.
:question: Validate with the team if the following actions are good:
```bicep
description: '[Description] Policy Assignment at the management group scope'
displayName: '[Display Name] Policy Assignment at the management group scope'
```

Above actions should be applied to the following files:

- ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyAssignments/.test/sub.min/deploy.test.bicep
- ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyAssignments/.test/rg.min/deploy.test.bicep
- ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyAssignments/.test/mg.min/deploy.test.bicep
- ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyAssignments/deploy.bicep
Error: AZR-000142: ***apdmgmin001 failed Azure.Policy.Descriptors. Policy and initiative definitions should use a display name, description, and category.
:question: Validate with the team if the following actions are good:
```bicep
description: '[Description] This policy definition is deployed at the management group scope'
displayName: '[DisplayName] This policy definition is deployed at the management group scope'
metadata: {
  category: 'Security'
}
```

Above actions should be applied to the following files:

- ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyDefinitions/.test/mg.min/deploy.test.bicep
- ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyDefinitions/.test/sub.min/deploy.test.bicep
- ResourceModules/ResourceModules/modules/Microsoft.Authorization/policySetDefinitions/.test/mg.min/deploy.test.bicep
- ResourceModules/ResourceModules/modules/Microsoft.Authorization/policySetDefinitions/.test/sub.min/deploy.test.bicep
Error: AZR-000145: ***apemgmin001 failed Azure.Policy.ExemptionDescriptors. Policy exemptions should use a display name and description.
:question: Validate with the team if the following actions are good:
```bicep
description: '[Description] Policy Assignment at the management group scope'
displayName: '[Display Name] Policy Assignment at the management group scope'
```

Above actions should be applied to the following files:

- ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyExemptions/.test/mg.min/deploy.test.bicep
- ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyExemptions/.test/rg.min/deploy.test.bicep
- ResourceModules/ResourceModules/modules/Microsoft.Authorization/policyExemptions/.test/sub.min/deploy.test.bicep
Error: AZR-000346: ***cvmsswin001 failed Azure.VMSS.AMA. Use Azure Monitor Agent for collecting monitoring data. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VMSS.AMA/
Set `properties.Type` to `AzureMonitorWindowsAgent` (Windows) or `AzureMonitorLinuxAgent` (Linux). Set `properties.Publisher` to `Microsoft.Azure.Monitor`.

In this way the errors will be solved for the following files:

- ResourceModules\modules\Microsoft.Compute\virtualMachineScaleSets.test\linux\deploy.test.bicep
- ResourceModules\modules\Microsoft.Compute\virtualMachineScaleSets.test\windows\deploy.test.bicep
- ResourceModules\modules\Microsoft.Compute\virtualMachineScaleSets.test\linux.min\deploy.test.bicep
- ResourceModules\modules\Microsoft.Compute\virtualMachineScaleSets.test\windows.min\deploy.test.bicep
- ResourceModules\modules\Microsoft.Compute\virtualMachineScaleSets.test\linux.ssecmk\deploy.test.bicep

Action: `extensionMonitoringAgentConfig: { enabled: true }`
ℹ️ Automatically solved when the issue for Azure.VMSS.AMA is closed
Error: AZR-000318: ***cvmsswin001 failed Azure.VMSS.MigrateAMA. Use Azure Monitor Agent as replacement for Log Analytics Agent.
Error: AZR-000345: ***cvmwinatmg failed Azure.VM.AMA. Use Azure Monitor Agent for collecting monitoring data. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.AMA/
Set `properties.Type` to `AzureMonitorWindowsAgent` (Windows) or `AzureMonitorLinuxAgent` (Linux). Set `properties.Publisher` to `Microsoft.Azure.Monitor`.

In this way the errors will be solved for the following files:

- ResourceModules\modules\Microsoft.Compute\virtualMachines.test\linux\deploy.test.bicep
- ResourceModules\modules\Microsoft.Compute\virtualMachines.test\windows\deploy.test.bicep
- ResourceModules\modules\Microsoft.Compute\virtualMachines.test\windows.atmg\deploy.test.bicep
- ResourceModules\modules\Microsoft.Compute\virtualMachines.test\windows.ssecmk\deploy.test.bicep
- ResourceModules\modules\Microsoft.Compute\virtualMachines.test\windows.min\deploy.test.bicep
- ResourceModules\modules\Microsoft.Compute\virtualMachines.test\linux.min\deploy.test.bicep
- ResourceModules\modules\Microsoft.Compute\virtualMachines.test\linux.atmg\deploy.test.bicep

Action: `extensionMonitoringAgentConfig: { enabled: true }`
Error: AZR-000242: ***cvmwinatmg failed Azure.VM.DiskCaching. Check disk caching is configured correctly for the workload. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.DiskCaching/
:question: This is not an error but only a reminder to check the right disk configuration. We can exclude this rule from the test.
Exclude PSRule from the following files:

- ResourceModules/modules/Microsoft.Compute/virtualMachines/.test/windows.min/deploy.test.bicep
- ResourceModules/modules/Microsoft.Compute/virtualMachines/.test/windows.ssecmk/deploy.test.bicep
- ResourceModules/modules/Microsoft.Compute/virtualMachines/.test/windows.atmg/deploy.test.bicep

Note: PSRule doesn't fail the following file, which includes `dataDisks: [ { caching: 'None' } ]`: ResourceModules/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep
Error: AZR-000251: ***-cdimp001 failed Azure.VM.DiskSizeAlignment. Align to the Managed Disk billing model to improve cost efficiency. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.DiskSizeAlignment/
:question: Validate with the team if the following actions are good:
Above actions should be applied to the following files:

- ResourceModules/modules/Microsoft.Compute/disks/.test/import/deploy.test.bicep
- ResourceModules/modules/Microsoft.Compute/disks/.test/min/deploy.test.bicep
- ResourceModules/modules/Microsoft.Compute/disks/.test/image/deploy.test.bicep
Error: AZR-000239: ***cvmwinatmg failed Azure.VM.Standalone. Use VM features to increase reliability and improve covered SLA for VM configurations. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.Standalone/
:question: This is not an error but only a recommendation to consider using availability zones/sets or only premium/ultra disks to improve SLA. High availability is not needed for temporary tests. We can exclude this rule from the test.

Exclude PSRule from the following files:

- ResourceModules/modules/Microsoft.Compute/virtualMachines/windows.atmg/deploy.test.bicep
- ResourceModules/modules/Microsoft.Compute/virtualMachines/windows.ssecmk/deploy.test.bicep
- ResourceModules/modules/Microsoft.Compute/virtualMachines/windows.min/deploy.test.bicep
Error: AZR-000243: ***cvmwinatmg failed Azure.VM.UseHybridUseBenefit. Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads.
:question: This is not an error but only a recommendation to consider using Azure Hybrid Benefit for eligible workloads. Not relevant for a test. We can exclude this rule from the test.
Exclude PSRule from the following files:

- ResourceModules/modules/Microsoft.Compute/virtualMachines/windows.atmg/deploy.test.bicep
- ResourceModules/modules/Microsoft.Compute/virtualMachines/windows.ssecmk/deploy.test.bicep
- ResourceModules/modules/Microsoft.Compute/virtualMachines/windows.min/deploy.test.bicep
Error: AZR-000263: adp-***-vnet-sqlspe failed Azure.VNET.UseNSGs. Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VNET.UseNSGs/
:question: This is not an error but only a recommendation to consider assigning a network security group (NSG) to the virtual network subnet. It is optional for testing private endpoint. We can exclude this rule from the test.

Exclude PSRule from the following files: ResourceModules/modules/Microsoft.Sql/servers/test/pe/deploy.test.bicep
Error: AZR-000277: ***-srswpsmin-001 failed Azure.WebPubSub.ManagedIdentity. Configure Web PubSub Services to use managed identities to access Azure resources securely. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.WebPubSub.ManagedIdentity/
:question: Validate with the team if the following actions are good:
Above actions should be applied to the following files:

- ResourceModules\modules\Microsoft.SignalRService\webPubSub\deploy.bicep
- ResourceModules\modules\Microsoft.SignalRService\webPubSub.test\min\deploy.test.bicep
- ResourceModules\modules\Microsoft.SignalRService\webPubSub.test\pe\deploy.test.bicep
Error: AZR-000071: ***wsfcom001 failed Azure.AppService.PlanInstanceCount. App Service Plan should use a minimum number of instances for failover.
:question: This is not an error but only a recommendation to have a minimum of two instances. Not needed for test. We can exclude this rule from the test.

Exclude PSRule from the following files: ResourceModules\modules\Microsoft.Web\serverfarms.test\common\deploy.test.bicep
Error: AZR-000295: AppServices failed Azure.Defender.AppServices. Enable Microsoft Defender for App Service.
:question: Validate with the team if the following actions are good:
Above action should be applied to the following files: ResourceModules/modules/Microsoft.Security/azureSecurityCenter/.test/common/deploy.test.bicep
Error: AZR-000290: Containers failed Azure.Defender.Containers. Enable Microsoft Defender for Containers.
:question: Validate with the team if the following actions are good:
Above action should be applied to the following files: ResourceModules/modules/Microsoft.Security/azureSecurityCenter/.test/common/deploy.test.bicep
Error: AZR-000293: VirtualMachines failed Azure.Defender.Servers. Enable Microsoft Defender for Servers.
:question: Validate with the team if the following actions are good:
Above action should be applied to the following files: ResourceModules/modules/Microsoft.Security/azureSecurityCenter/.test/common/deploy.test.bicep
Error: AZR-000294: SqlServers failed Azure.Defender.SQL. Enable Defender for SQL servers.
:question: Validate with the team if the following actions are good:
Above action should be applied to the following files: ResourceModules/modules/Microsoft.Security/azureSecurityCenter/.test/common/deploy.test.bicep
Error: AZR-000297: SqlServerVirtualMachines failed Azure.Defender.SQLOnVM. Enable Defender for SQL servers on machines.
:question: Validate with the team if the following actions are good:
Above action should be applied to the following files: ResourceModules/modules/Microsoft.Security/azureSecurityCenter/.test/common/deploy.test.bicep
Error: AZR-000126: ***nlbcom001 failed Azure.LB.Probe. Use a specific probe for web protocols. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.LB.Probe/
:question: Validate with the team if the following actions are good:
Above action should be applied to the following files: ResourceModules/modules/Microsoft.Network/loadBalancers/.test/common/deploy.test.bicep
Error: AZR-000179: ***sfcmin001 failed Azure.ServiceFabric.AAD. Use Azure Active Directory (AAD) client authentication for Service Fabric clusters. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceFabric.AAD/
:question: This is not an error but only a recommendation to enable Azure Active Directory (AAD) client authentication for Service Fabric clusters. We can exclude this rule from the test.
Exclude PSRule from the following files:

- ResourceModules/modules/Microsoft.ServiceFabric/clusters/.test/min/deploy.test.bicep
- ResourceModules/modules/Microsoft.ServiceFabric/clusters/.test/cert/deploy.test.bicep
Error: AZR-000181: ***-srssrcom-001 failed Azure.SignalR.ManagedIdentity. Configure SignalR Services to use managed identities to access Azure resources securely. Path Identity.Type: The field 'Identity.Type' does not exist.
:question: Validate with the team if the following actions are good:
Above action should be applied to the following files: modules/Microsoft.SignalRService/signalR/deploy.bicep

`"identity": { "type": "SystemAssigned" }` or `"UserAssigned"`

Specify the type of identity in parameter files:

- ResourceModules/modules/Microsoft.SignalRService/signalR/.test/min/deploy.test.bicep
- ResourceModules/modules/Microsoft.SignalRService/signalR/.test/common/deploy.test.bicep
Error: AZR-000188: ***-sqlspe failed Azure.SQL.AAD. Use Azure Active Directory (AAD) authentication with Azure SQL databases. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.AAD/
:question: This is not an error but only a recommendation to use Azure Active Directory (AAD) authentication with SQL databases. We can exclude this rule from the test.
Exclude PSRule from the following files: ResourceModules/modules/Microsoft.Sql/servers/.test/pe/deploy.test.bicep
Error: AZR-000187: ***-sqlsadmin failed Azure.SQL.Auditing. Enable auditing for Azure SQL logical server. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.Auditing/
:question: This is not an error but only a recommendation to enable auditing for each SQL Database logical server. We can exclude this rule from the test.

Exclude PSRule from the following files: ResourceModules/modules/Microsoft.Sql/servers/.test/admin/deploy.test.bicep
Error: AZR-000186: ***-sqlsadmin failed Azure.SQL.DefenderCloud. Enable Microsoft Defender for Azure SQL logical server. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.DefenderCloud/
:question: This is not an error but only a recommendation to enable Advanced Data Security and configure Microsoft Defender for SQL logical servers. We can exclude this rule from the test.

Exclude PSRule from the following files: ResourceModules/modules/Microsoft.Sql/servers/.test/admin/deploy.test.bicep
Error: AZR-000289: ***ssamin001 failed Azure.Storage.ContainerSoftDelete. Enable container soft delete on Storage Accounts. A sub-resource of type 'Microsoft.Storage/storageAccounts/blobServices' has not been specified. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.ContainerSoftDelete/
:question: Validate with the team if the following actions are good:
Above action should be applied to the following files: ResourceModules/modules/Microsoft.Storage/storageAccounts/.test/v1/deploy.test.bicep
Error: AZR-000289: ***ssamin001 failed Azure.Storage.ContainerSoftDelete. Enable container soft delete on Storage Accounts. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.ContainerSoftDelete/
:question: It is only a recommendation to enable container soft delete on storage accounts to protect blob containers from accidental deletion. Not needed for minimal test. We can remove this test to /min.
Exclude PSRule from the following files:

- ResourceModules/modules/Microsoft.Storage/storageAccounts/.test/min/deploy.test.bicep
- ResourceModules/modules/Microsoft.Storage/storageAccounts/.test/V1/deploy.test.bicep

Error: AZR-000202: ***ssamin001 failed Azure.Storage.Firewall. Storage Accounts should only accept explicitly allowed traffic. Path properties.networkAcls.defaultAction: The field 'properties.networkAcls.defaultAction' does not exist. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.Firewall/
:question: Validate with the team if the following actions are good:
Above action should be applied to the following files: ResourceModules/modules/Microsoft.Storage/storageAccounts/.test/v1/deploy.test.bicep
:question: Validate if this will apply also to /min; otherwise we can exclude the test for ResourceModules/modules/Microsoft.Storage/storageAccounts/.test/min/deploy.test.bicep
Error: AZR-000284: /home/runner/work/ResourceModules/ResourceModules/modules/Microsoft.Network/networkWatchers/.test/common/deploy.test.bicep failed Azure.Deployment.AdminUsername. Use secure parameters for sensitive resource properties. REASON: The property 'adminUsername' uses a deterministic literal value. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Deployment.AdminUsername/

:question: Validate with the team if the following actions are good:

The issue is related to .test/common/dependencies.bicep where we have `adminUsername: '${virtualMachineName}cake'` instead of a single parameter.
ACTIONS:
@eriqua we have completed rules' review. Can we have a call to discuss all the decisions and create issues?
Covered in AVM by the PSRule reliability tests
Analyze the output of PSRule validation. List all modules to be updated and open separate issues for each.
For each failed rule we should:
Example
List of failed rules after running PSRule validation on RG, KV and VNET modules:
Following is the list of rules to be fixed:
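As an added example (not part of this issue or of the ResourceModules repository), a small Python parser for the `Error: AZR-...` lines quoted throughout this issue: it groups failures per rule, matching the decision to open one issue per rule rather than per module, and renders a `suppression:` block for ps-rule.yaml for the rules the team chose to exclude rather than fix. The sample lines are copied from this issue plus one constructed extra target; the suppression layout (rule name mapped to a list of target names) follows PSRule's documented option, and the masked `***` names would need the real target names before use.

```python
import re
from collections import defaultdict

# Shape of the PSRule error lines quoted in this issue:
#   Error: AZR-000166: <target> failed <Rule.Name>. <recommendation> [HELP: <url>]
# Targets appear masked with *** in the issue; the regex keeps them as-is.
LINE_RE = re.compile(
    r"^Error:\s+(?P<id>AZR-\d{6}):\s+(?P<target>\S+)\s+failed\s+"
    r"(?P<rule>[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)+)\.\s*"
    r"(?P<reason>.*?)(?:\s*HELP:?\s*(?P<help>https?://\S+))?\s*$"
)
# Trailer PSRule appends when a required field is absent from the resource.
PATH_RE = re.compile(r"\s*Path (?P<path>\S+): The field '[^']*' does not exist\.?$")


def parse_psrule_line(line):
    """Return a dict for one PSRule 'Error:' line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = None
    p = PATH_RE.search(rec["reason"])
    if p:
        rec["path"] = p.group("path")
        rec["reason"] = rec["reason"][: p.start()].rstrip()
    return rec


def group_by_rule(output):
    """Group parsed failures by rule name (one GitHub issue per rule)."""
    groups = defaultdict(list)
    for line in output.splitlines():
        rec = parse_psrule_line(line)
        if rec:
            groups[rec["rule"]].append(rec)
    return dict(groups)


def suppression_yaml(groups, excluded_rules):
    """Render a ps-rule.yaml 'suppression' block (rule name -> target names)
    for the rules the team decided to exclude; rules with no targets are skipped."""
    out = ["suppression:"]
    for rule in sorted(excluded_rules):
        targets = sorted({r["target"] for r in groups.get(rule, [])})
        if targets:
            out.append(f"  {rule}:")
            out.extend(f"  - '{t}'" for t in targets)
    return "\n".join(out)


# Constructed sample: lines from this issue plus one extra target (***cvmwinmin001).
SAMPLE_OUTPUT = """\
Error: AZR-000166: ***splhcom001 failed Azure.Resource.UseTags. Azure resources should be tagged using a standard convention.
Error: AZR-000242: ***cvmwinatmg failed Azure.VM.DiskCaching. Check disk caching is configured correctly for the workload. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.DiskCaching/
Error: AZR-000242: ***cvmwinmin001 failed Azure.VM.DiskCaching. Check disk caching is configured correctly for the workload. HELP: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.DiskCaching/
Error: AZR-000202: ***ssamin001 failed Azure.Storage.Firewall. Storage Accounts should only accept explicitly allowed traffic. Path properties.networkAcls.defaultAction: The field 'properties.networkAcls.defaultAction' does not exist.
Warning: not an error line and ignored by the parser
"""

if __name__ == "__main__":
    groups = group_by_rule(SAMPLE_OUTPUT)
    for rule, recs in sorted(groups.items()):
        print(f"{rule}: {len(recs)} target(s) -> {[r['target'] for r in recs]}")
    print(suppression_yaml(groups, {"Azure.VM.DiskCaching"}))
```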