A suite of rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
Features of PSRule for Azure include:
- Ready to go - Leverage over 200 pre-built rules to validate Azure resources.
- DevOps - Validate resources and infrastructure code pre or post-deployment.
- Cross-platform - Run on MacOS, Linux, and Windows.
- Ready to go:
- Provide a Azure Well-Architected Framework aligned suite of rules for validating Azure resources.
- Provide meaningful information to allow remediation.
- DevOps:
- Resources and templates can be validated before deployment within DevOps workflows.
- Allow pull request (PR) validation to prevent invalid configuration being merged.
- Enterprise ready:
- Rules can be directly adopted and additional enterprise specific rules can be layed on.
- Provide regular baselines to allow progressive adoption.
This project uses GitHub Issues to track bugs and feature requests. Before logging an issue please see our troubleshooting guide.
Please search the existing issues before filing new issues to avoid duplicates.
- For new issues, file your bug or feature request as a new issue.
- For help, discussion, and support questions about using this project, join or start a discussion.
If you have any problems with the PSRule engine, please check the project GitHub issues page instead.
Support for this project/ product is limited to the resources listed above.
This project requires the PSRule and Az PowerShell modules. For details on each see install.
You can download and install these modules from the PowerShell Gallery.
| Module | Description | Downloads / instructions |
|---|---|---|
| PSRule.Rules.Azure | Validate Azure resources and infrastructure as code using PSRule. | latest / instructions |
PSRule for Azure provides two methods for analyzing Azure resources:
- Pre-flight - Before resources are deployed from Azure Resource Manager templates.
- In-flight - After resources are deployed to an Azure subscription.
For specific use cases see scenarios. For additional details see the FAQ.
The following example shows how to setup GitHub Actions to validate templates pre-flight.
- See Creating a workflow file.
- Reference
Microsoft/ps-rulewithmodules: 'PSRule.Rules.Azure'.
For example:
# Example: .github/workflows/analyze-arm.yaml
#
# STEP 1: Template validation
#
name: Analyze templates
on:
- pull_request
jobs:
analyze_arm:
name: Analyze templates
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
# STEP 2: Run analysis against exported data
- name: Analyze Azure template files
uses: Microsoft/ps-rule@main
with:
modules: 'PSRule.Rules.Azure' # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.The following example shows how to setup Azure Pipelines to validate templates pre-flight.
- Install PSRule extension for Azure DevOps marketplace.
- Create a new YAML pipeline with the Starter pipeline template.
- Add the
Install PSRule moduletask.- Set module to
PSRule.Rules.Azure.
- Set module to
- Add the
PSRule analysistask.- Set input type to
repository. - Set modules to
PSRule.Rules.Azure.
- Set input type to
For example:
# Example: .azure-pipelines/analyze-arm.yaml
#
# STEP 2: Template validation
#
jobs:
- job: 'analyze_arm'
displayName: 'Analyze templates'
pool:
vmImage: 'ubuntu-18.04'
steps:
# STEP 3: Install PSRule.Rules.Azure from the PowerShell Gallery
- task: ps-rule-install@0
displayName: Install PSRule.Rules.Azure
inputs:
module: 'PSRule.Rules.Azure' # Install PSRule.Rules.Azure from the PowerShell Gallery.
# STEP 4: Run analysis against exported data
- task: ps-rule-assert@0
displayName: Analyze Azure template files
inputs:
inputType: repository
modules: 'PSRule.Rules.Azure' # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.The following example shows how to setup PSRule locally to validate templates pre-flight.
- Install the
PSRule.Rules.Azuremodule and dependencies from the PowerShell Gallery. - Run analysis against repository files.
For example:
# STEP 1: Install PSRule.Rules.Azure from the PowerShell Gallery
Install-Module -Name 'PSRule.Rules.Azure' -Scope CurrentUser;
# STEP 2: Run analysis against exported data
Assert-PSRule -Module 'PSRule.Rules.Azure' -InputPath 'out/templates/' -Format File;The following example shows how to setup PSRule locally to validate resources running in a subscription.
- Install the
PSRule.Rules.Azuremodule and dependencies from the PowerShell Gallery. - Connect and set context to an Azure subscription from PowerShell.
- Export the resource data with the
Export-AzRuleDatacmdlet. - Run analysis against exported data.
For example:
# STEP 1: Install PSRule.Rules.Azure from the PowerShell Gallery
Install-Module -Name 'PSRule.Rules.Azure' -Scope CurrentUser;
# STEP 2: Authenticate to Azure, only required if not currently connected
Connect-AzAccount;
# Confirm the current subscription context
Get-AzContext;
# STEP 3: Exports a resource graph stored as JSON for analysis
Export-AzRuleData -OutputPath 'out/templates/';
# STEP 4: Run analysis against exported data
Assert-PSRule -Module 'PSRule.Rules.Azure' -InputPath 'out/templates/';By default, resource data for the current subscription context will be exported.
To export resource data for specific subscriptions use:
-Subscription- to specify subscriptions by id or name.-Tenant- to specify subscriptions within an Azure Active Directory Tenant by id.
For example:
# Export data from two specific subscriptions
Export-AzRuleData -Subscription 'Contoso Production', 'Contoso Non-production';To export specific resource data use:
-ResourceGroupName- to filter resources by Resource Group.-Tag- to filter resources based on tag.
For example:
# Export information from two resource groups within the current subscription context
Export-AzRuleData -ResourceGroupName 'rg-app1-web', 'rg-app1-db';To export resource data for all subscription contexts use:
-All- to export resource data for all subscription contexts.
For example:
# Export data from all subscription contexts
Export-AzRuleData -All;To filter results to only failed rules, use Invoke-PSRule -Outcome Fail.
Passed, failed and error results are shown by default.
For example:
# Only show failed results
Invoke-PSRule -InputPath 'out/templates/' -Module 'PSRule.Rules.Azure' -Outcome Fail;The output of this example is:
TargetName: storage
RuleName Outcome Recommendation
-------- ------- --------------
Azure.Storage.UseReplication Fail Storage accounts not using GRS may be at risk
Azure.Storage.SecureTransferRequ... Fail Storage accounts should only accept secure traffic
Azure.Storage.SoftDelete Fail Enable soft delete on Storage Accounts
A summary of results can be displayed by using Invoke-PSRule -As Summary.
For example:
# Display as summary results
Invoke-PSRule -InputPath 'out/templates/' -Module 'PSRule.Rules.Azure' -As Summary;The output of this example is:
RuleName Pass Fail Outcome
-------- ---- ---- -------
Azure.ACR.MinSku 0 1 Fail
Azure.AppService.PlanInstanceCount 0 1 Fail
Azure.AppService.UseHTTPS 0 2 Fail
Azure.Resource.UseTags 73 36 Fail
Azure.SQL.ThreatDetection 0 1 Fail
Azure.SQL.Auditing 0 1 Fail
Azure.Storage.UseReplication 1 7 Fail
Azure.Storage.SecureTransferRequ... 2 6 Fail
Azure.Storage.SoftDelete 0 8 Fail
For walk through examples of PSRule for Azure module usage see:
- Validate Azure resources from templates with Azure Pipelines
- Validate Azure resources from templates with continuous integration (CI)
- Create a custom rule to enforce Resource Group tagging
- Create a custom rule to enforce code ownership
PSRule for Azure includes rules across five pillars of the Microsoft Azure Well-Architected Framework.
To view a list of rules by Azure resources see:
The following baselines are included within PSRule.Rules.Azure.
- Azure.Default - Default baseline for Azure rules.
- Azure.Preview - Includes Azure features in preview.
- Azure.All - Includes all Azure rules.
- Azure.GA_2020_06 - Baseline for GA rules released June 2020 or prior.
- Azure.GA_2020_09 - Baseline for GA rules released September 2020 or prior.
- Azure.GA_2020_12 - Baseline for GA rules released December 2020 or prior.
- Azure.GA_2021_03 - Baseline for GA rules released March 2021 or prior.
- Azure.GA_2021_06 - Baseline for GA rules released June 2021 or prior.
PSRule for Azure extends PowerShell with the following cmdlets.
The following commands exist in the PSRule.Rules.Azure module:
- Export-AzRuleData - Export resource configuration data from Azure subscriptions.
- Export-AzRuleTemplateData - Export resource configuration data from Azure templates.
- Get-AzRuleTemplateLink - Get a metadata link to a Azure template file.
The following conceptual topics exist in the PSRule.Rules.Azure module:
The following projects can also be used with PSRule for Azure.
| Name | Description |
|---|---|
| PSRule.Rules.CAF | A suite of rules to validate Azure resources against the Cloud Adoption Framework (CAF) using PSRule. |
| PSRule.Monitor | Send and query PSRule analysis results in Azure Monitor. |
| PSRule-pipelines | An Azure DevOps extension for using PSRule within Azure Pipelines. |
| ps-rule | Validate infrastructure as code (IaC) and DevOps repositories using GitHub Actions. |
This repository uses semantic versioning to declare breaking changes. For a list of module changes please see the change log.
Pre-release module versions are created on major commits and can be installed from the PowerShell Gallery. Pre-release versions should be considered experimental. Modules and change log details for pre-releases will be removed as standard releases are made available.
This project welcomes contributions and suggestions. If you are ready to contribute, please visit the contribution guide.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
This project is licensed under the MIT License.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent