See upgrade notes for helpful information when upgrading from previous versions.
Important notes:
- Issue #741: `Could not load file or assembly YamlDotNet`. See the troubleshooting guide for a workaround to this issue.
- The following configuration options are deprecated and have been replaced with alternative options.
  If you have these options configured, please update them to the replacement.
  Support for the old names will be removed in v2.
  See upgrade notes for more information.
  - `Azure_AKSMinimumVersion` is replaced with `AZURE_AKS_CLUSTER_MINIMUM_VERSION`.
  - `Azure_AKSNodeMinimumMaxPods` is replaced with `AZURE_AKS_POOL_MINIMUM_MAXPODS`.
  - `Azure_AllowedRegions` is replaced with `AZURE_RESOURCE_ALLOWED_LOCATIONS`.
  - `Azure_MinimumCertificateLifetime` is replaced with `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME`.
- The `SupportsTag` PowerShell function has been replaced with the `Azure.Resource.SupportsTags` selector.
  Update PowerShell rules to use the `Azure.Resource.SupportsTags` selector instead.
  Support for the `SupportsTag` function will be removed in v2. See upgrade notes for more information.
What's changed since v1.39.3:
- New features:
  - Added support for expanding from `.jsonc` parameter files by @BernieWhite. #2053
    - Previously only parameter files with the `.json` extension were automatically expanded.
    - This feature adds support so that JSON parameter files with the `.jsonc` extension are also discovered and expanded.
    - No additional configuration is required if expansion of JSON parameter files is enabled.
    - To enable parameter file expansion set the `AZURE_PARAMETER_FILE_EXPANSION` configuration option to `true`.
- Updated rules:
  - Deployment:
    - Updated `Azure.Deployment.SecureValue` to check additional resource types by @BernieWhite. #2650 #2651
      - Added support for container apps secret properties.
      - Added support for deployment script secret properties.
      - Bumped rule set to `2024_12`.
    - Updated `Azure.Deployment.SecureParameter` to reduce false positives by @BernieWhite. #3149
      - Parameters with names ending in `name`, `uri`, `url`, `path`, `type`, `id`, or `options` are ignored.
      - The `customerManagedKey` parameter is ignored.
  - Microsoft Defender for Cloud:
    - Updated `Azure.DefenderCloud.Contact` to use the `emails` property and removed `phone` by @BernieWhite. #3117
      - Renamed rule to `Azure.Defender.SecurityContact` to better align with naming for Defender rules.
      - Bumped rule set to `2024_12`.
- General improvements:
- Engineering:
- Bug fixes:
  - Fixed evaluation of APIM policies when using embedded C# with quotes by @BernieWhite. #3184
  - Fixed resource group ID is incorrect under subscription scope by @BernieWhite. #3198
  - Fixed object to hashtable conversion for default parameter values by @BernieWhite. #3033
  - Fixed deployments with more than one module at tenant scope by @BernieWhite. #3167
  - Fixed projection of default role authorization property `principalType` by @BernieWhite. #3163
  - Fixed user defined function not found when used as parameter default by @BernieWhite. #3169
  - Fixed evaluation of `Azure.NSG.LateralTraversal` with empty string properties by @BernieWhite. #3130
  - Fixed evaluation of `Azure.Deployment.AdminUsername` with symbolic references by @BernieWhite. #3146
  - Fixed output map expansion with resource IDs by @BernieWhite. #3153
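To make the `Azure.Deployment.SecureParameter` exclusions above concrete, here is an added Python model of the check (not PSRule for Azure's own rule code, which is PowerShell/YAML). The suffix list and the `customerManagedKey` exemption are the ones the notes give; the sensitive-name pattern (`secret`, `password`, `key`, `token`, `credential`) is an assumption for illustration, as the notes do not describe the rule's matcher.

```python
"""Illustrative model of the Azure.Deployment.SecureParameter exclusions (#3149).

Added example, not PSRule for Azure's own rule code. The suffix and
customerManagedKey exclusions are from the release notes; the sensitive-name
heuristic is assumed for illustration.
"""
import json
import re

# Suffixes the updated rule ignores (from the release notes for #3149).
IGNORED_SUFFIXES = ("name", "uri", "url", "path", "type", "id", "options")
# Parameter ignored by exact name (from the release notes), compared case-insensitively.
IGNORED_NAMES = {"customermanagedkey"}
# Assumed heuristic for "looks like a secret"; not the rule's actual matcher.
SENSITIVE_TOKENS = re.compile(r"(secret|password|passwd|key|token|credential)", re.IGNORECASE)
# ARM parameter types that are already secure and therefore never flagged.
SECURE_TYPES = {"securestring", "secureobject"}


def is_excluded(name: str) -> bool:
    """Return True if the parameter name is exempt under the #3149 exclusions."""
    lowered = name.lower()
    if lowered in IGNORED_NAMES:
        return True
    return lowered.endswith(IGNORED_SUFFIXES)


def insecure_parameters(template: dict) -> list[str]:
    """Return names of parameters that look sensitive but are not secureString/secureObject.

    Walks the `parameters` section of an ARM template and skips the exclusions,
    so a parameter such as keyVaultName (ends with 'name') is not reported.
    """
    flagged = []
    for name, definition in template.get("parameters", {}).items():
        param_type = str(definition.get("type", "")).lower()
        if param_type in SECURE_TYPES:
            continue  # already secure
        if not SENSITIVE_TOKENS.search(name):
            continue  # does not look like a secret
        if is_excluded(name):
            continue  # false-positive exclusion from #3149
        flagged.append(name)
    return flagged


# Constructed sample template for this example (not from any real deployment).
SAMPLE_TEMPLATE = json.loads("""{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword":      { "type": "string" },
    "storageKey":         { "type": "securestring" },
    "keyVaultName":       { "type": "string" },
    "secretUri":          { "type": "string" },
    "customerManagedKey": { "type": "object" },
    "tokenOptions":       { "type": "object" },
    "apiToken":           { "type": "string" }
  }
}""")

if __name__ == "__main__":
    # Only adminPassword and apiToken should be reported for the sample template.
    for parameter in insecure_parameters(SAMPLE_TEMPLATE):
        print(f"{parameter}: should use secureString or secureObject")
```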
What's changed since pre-release v1.40.0-B0206:
- No additional changes.
What's changed since pre-release v1.40.0-B0147:
- General improvements:
  - Added first time contributor guide in docs by @that-ar-guy. #3097
- Engineering:
  - Quality updates to rule documentation by @BernieWhite. #3102
- Bug fixes:
What's changed since pre-release v1.40.0-B0103:
- Bug fixes:
What's changed since pre-release v1.40.0-B0063:
- New features:
  - Added support for expanding from `.jsonc` parameter files by @BernieWhite. #2053
    - Previously only parameter files with the `.json` extension were automatically expanded.
    - This feature adds support so that JSON parameter files with the `.jsonc` extension are also discovered and expanded.
    - No additional configuration is required if expansion of JSON parameter files is enabled.
    - To enable parameter file expansion set the `AZURE_PARAMETER_FILE_EXPANSION` configuration option to `true`.
- General improvements:
  - Additional quality updates to documentation by @BernieWhite. #3102
- Bug fixes:
What's changed since pre-release v1.40.0-B0029:
- Updated rules:
  - Microsoft Defender for Cloud:
    - Updated `Azure.DefenderCloud.Contact` to use the `emails` property and removed `phone` by @BernieWhite. #3117
      - Renamed rule to `Azure.Defender.SecurityContact` to better align with naming for Defender rules.
      - Bumped rule set to `2024_12`.
- Bug fixes:
What's changed since v1.39.3:
- Updated rules:
  - Deployment:
    - Updated `Azure.Deployment.SecureValue` to check additional resource types by @BernieWhite. #2650 #2651
      - Added support for container apps secret properties.
      - Added support for deployment script secret properties.
      - Bumped rule set to `2024_12`.
    - Updated `Azure.Deployment.SecureParameter` to reduce false positives by @BernieWhite. #3149
      - Parameters with names ending in `name`, `uri`, `url`, `path`, `type`, `id`, or `options` are ignored.
      - The `customerManagedKey` parameter is ignored.
- Engineering:
- Bug fixes:
  - Fixed output map expansion with resource IDs by @BernieWhite. #3153
What's changed since v1.39.2:
- Bug fixes:
  - Fixed index out of bounds for existing symbolic name reference by @BernieWhite. #3129
What's changed since v1.39.1:
- Bug fixes:
What's changed since v1.39.0:
- Bug fixes:
What's changed since v1.38.0:
- New features:
  - Added September 2024 baselines `Azure.GA_2024_09` and `Azure.Preview_2024_09` by @BernieWhite. #3048
    - Includes rules released before or during September 2024.
    - Marked `Azure.GA_2024_06` and `Azure.Preview_2024_06` baselines as obsolete.
- New rules:
  - Azure Kubernetes Service:
  - App Service:
    - Verify that app service plans have availability zones configured by @BenjaminEngeset. #2964
  - App Service Environment:
    - Verify that app service environments have availability zones configured by @BenjaminEngeset. #2964
  - Azure SQL Database:
    - Verify that Azure SQL databases have a customer-controlled maintenance window configured by @BenjaminEngeset. #2956
  - Azure SQL Managed Instance:
    - Verify that Azure SQL Managed Instances have a customer-controlled maintenance window configured by @BenjaminEngeset. #2979
  - Service Bus:
    - Verify that service bus namespaces have geo-replication configured by @BenjaminEngeset. #2988
  - Virtual Machine:
  - Virtual Machine Scale Sets:
    - Verify that virtual machine scale set instances do not have public IPs attached by @BenjaminEngeset. #3014
  - Virtual Network:
- Updated rules:
  - Azure Kubernetes Service:
  - Container Apps:
    - Updated `Azure.ContainerApp.AvailabilityZone` to check for infrastructure subnet by @BernieWhite. #3068
      - Configuring an infrastructure subnet is a requirement for enabling zone redundancy. Both rule and documentation have been updated to clearly call this out.
  - Virtual Network:
    - Updated `Azure.VNET.UseNSGs` to correctly handle cases for special purpose and customer-excluded subnets by @BenjaminEngeset. #3007
- General improvements:
  - Important change: Replaced the `Azure_AKSNodeMinimumMaxPods` option with `AZURE_AKS_POOL_MINIMUM_MAXPODS` by @BernieWhite. #941
    - For compatibility, if `Azure_AKSNodeMinimumMaxPods` is set it will be used instead of `AZURE_AKS_POOL_MINIMUM_MAXPODS`.
    - If only `AZURE_AKS_POOL_MINIMUM_MAXPODS` is set, this value will be used.
    - The default will be used if neither option is configured.
    - If `Azure_AKSNodeMinimumMaxPods` is set a warning will be generated until the configuration is removed.
    - Support for `Azure_AKSNodeMinimumMaxPods` is deprecated and will be removed in v2.
    - See upgrade notes for details.
  - Important change: Replaced the `Azure_MinimumCertificateLifetime` option with `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME` by @BernieWhite. #941
    - For compatibility, if `Azure_MinimumCertificateLifetime` is set it will be used instead of `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME`.
    - If only `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME` is set, this value will be used.
    - The default will be used if neither option is configured.
    - If `Azure_MinimumCertificateLifetime` is set a warning will be generated until the configuration is removed.
    - Support for `Azure_MinimumCertificateLifetime` is deprecated and will be removed in v2.
    - See upgrade notes for details.
  - Add binding configuration to policy as rules docs by @BernieWhite. #2995
  - Updated resource providers and policy aliases. #3074
- Engineering:
- Bug fixes:
  - Fixed expansion with deployments by resource ID at management group by @BernieWhite. #3013
  - Fixed subscription aliases don't support tags by @BernieWhite. #3021
  - Fixed `Azure.AppService.AvailabilityZone` only detects premium by tier property by @BenjaminEngeset. #3034
  - Fixed loading of expansion options from non-default options file by @BernieWhite. #3033
  - Fixed TLS defaults for `Azure.Redis.MinTLS` and `Azure.RedisEnterprise.MinTLS` by @BernieWhite. #3066
  - Fixed symbolic expand for existing with conditional cases by @BernieWhite. #2917
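The compatibility precedence described for the replaced options, as an added Python model (not the project's own code): a deprecated name wins when set and produces a warning, otherwise the replacement is used, otherwise the default applies. The option names are the four listed in these notes; the sample configuration and default values are constructed for the example, not the project's real defaults.

```python
"""Model of the deprecated-option compatibility behaviour described in the notes.

Added example, not PSRule for Azure's own code. Resolution order for each
renamed option: deprecated name (with a warning) > replacement name > default.
"""

# Deprecated option name -> replacement name (both from the release notes).
RENAMED_OPTIONS = {
    "Azure_AKSMinimumVersion": "AZURE_AKS_CLUSTER_MINIMUM_VERSION",
    "Azure_AKSNodeMinimumMaxPods": "AZURE_AKS_POOL_MINIMUM_MAXPODS",
    "Azure_AllowedRegions": "AZURE_RESOURCE_ALLOWED_LOCATIONS",
    "Azure_MinimumCertificateLifetime": "AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME",
}


def resolve_option(configuration: dict, new_name: str, default):
    """Return (effective_value, warning) for one option; warning is None unless the
    deprecated name was used.

    Note the caveat this exposes: when both names are set, the deprecated one is
    used and the replacement is silently ignored apart from the warning.
    """
    old_name = next((old for old, new in RENAMED_OPTIONS.items() if new == new_name), None)
    if old_name is not None and old_name in configuration:
        warning = (f"'{old_name}' is deprecated and will be removed in v2; "
                   f"use '{new_name}' instead.")
        return configuration[old_name], warning
    if new_name in configuration:
        return configuration[new_name], None
    return default, None


def resolve_all(configuration: dict, defaults: dict):
    """Resolve every option in `defaults`, returning (effective values keyed by the
    replacement name, list of deprecation warnings)."""
    effective, warnings = {}, []
    for new_name, default in defaults.items():
        value, warning = resolve_option(configuration, new_name, default)
        effective[new_name] = value
        if warning:
            warnings.append(warning)
    return effective, warnings


# Constructed configuration for the example: one option still set under its
# deprecated name alongside the new name, one set under the new name only.
SAMPLE_CONFIGURATION = {
    "Azure_AKSNodeMinimumMaxPods": 30,
    "AZURE_AKS_POOL_MINIMUM_MAXPODS": 50,
    "AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME": 45,
}
# Placeholder defaults for the example (assumed, not the project's real defaults).
SAMPLE_DEFAULTS = {
    "AZURE_AKS_CLUSTER_MINIMUM_VERSION": "0.0.0",
    "AZURE_AKS_POOL_MINIMUM_MAXPODS": 50,
    "AZURE_RESOURCE_ALLOWED_LOCATIONS": [],
    "AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME": 30,
}

if __name__ == "__main__":
    values, deprecation_warnings = resolve_all(SAMPLE_CONFIGURATION, SAMPLE_DEFAULTS)
    for name, value in values.items():
        print(f"{name} = {value!r}")
    for message in deprecation_warnings:
        print(f"WARNING: {message}")
```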
What's changed since pre-release v1.39.0-B0249:
- No additional changes.
What's changed since pre-release v1.39.0-B0182:
- Bug fixes:
  - Fixed symbolic expand for existing with conditional cases by @BernieWhite. #2917
What's changed since pre-release v1.39.0-B0118:
- Updated rules:
  - Container Apps:
    - Updated `Azure.ContainerApp.AvailabilityZone` to check for infrastructure subnet by @BernieWhite. #3068
      - Configuring an infrastructure subnet is a requirement for enabling zone redundancy. Both rule and documentation have been updated to clearly call this out.
- General improvements:
  - Updated resource providers and policy aliases. #3074
- Engineering:
  - Quality updates to rule documentation by @BernieWhite. #2570
- Bug fixes:
  - Fixed TLS defaults for `Azure.Redis.MinTLS` and `Azure.RedisEnterprise.MinTLS` by @BernieWhite. #3066
What's changed since pre-release v1.39.0-B0072:
- New features:
  - Added September 2024 baselines `Azure.GA_2024_09` and `Azure.Preview_2024_09` by @BernieWhite. #3048
    - Includes rules released before or during September 2024.
    - Marked `Azure.GA_2024_06` and `Azure.Preview_2024_06` baselines as obsolete.
What's changed since pre-release v1.39.0-B0029:
- New rules:
  - Virtual Machine:
  - Virtual Machine Scale Sets:
    - Verify that virtual machine scale set instances do not have public IPs attached by @BenjaminEngeset. #3014
- Updated rules:
- General improvements:
  - Important change: Replaced the `Azure_AKSNodeMinimumMaxPods` option with `AZURE_AKS_POOL_MINIMUM_MAXPODS` by @BernieWhite. #941
    - For compatibility, if `Azure_AKSNodeMinimumMaxPods` is set it will be used instead of `AZURE_AKS_POOL_MINIMUM_MAXPODS`.
    - If only `AZURE_AKS_POOL_MINIMUM_MAXPODS` is set, this value will be used.
    - The default will be used if neither option is configured.
    - If `Azure_AKSNodeMinimumMaxPods` is set a warning will be generated until the configuration is removed.
    - Support for `Azure_AKSNodeMinimumMaxPods` is deprecated and will be removed in v2.
    - See upgrade notes for details.
  - Important change: Replaced the `Azure_MinimumCertificateLifetime` option with `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME` by @BernieWhite. #941
    - For compatibility, if `Azure_MinimumCertificateLifetime` is set it will be used instead of `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME`.
    - If only `AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME` is set, this value will be used.
    - The default will be used if neither option is configured.
    - If `Azure_MinimumCertificateLifetime` is set a warning will be generated until the configuration is removed.
    - Support for `Azure_MinimumCertificateLifetime` is deprecated and will be removed in v2.
    - See upgrade notes for details.
- Engineering:
  - Bump development tools to .NET 8.0 SDK by @BernieWhite. #3017
- Bug fixes:
  - Fixed expansion with deployments by resource ID at management group by @BernieWhite. #3013
  - Fixed subscription aliases don't support tags by @BernieWhite. #3021
  - Fixed `Azure.AppService.AvailabilityZone` only detects premium by tier property by @BenjaminEngeset. #3034
  - Fixed loading of expansion options from non-default options file by @BernieWhite. #3033
What's changed since pre-release v1.39.0-B0009:
- New rules:
  - Azure Kubernetes Service:
  - Virtual Network:
- Updated rules:
  - Virtual Network:
    - Updated `Azure.VNET.UseNSGs` to correctly handle cases for special purpose and customer-excluded subnets by @BenjaminEngeset. #3007
- General improvements:
  - Add binding configuration to policy as rules docs by @BernieWhite. #2995
What's changed since v1.38.0:
- New rules:
  - App Service:
    - Verify that app service plans have availability zones configured by @BenjaminEngeset. #2964
  - App Service Environment:
    - Verify that app service environments have availability zones configured by @BenjaminEngeset. #2964
  - Azure SQL Database:
    - Verify that Azure SQL databases have a customer-controlled maintenance window configured by @BenjaminEngeset. #2956
  - Azure SQL Managed Instance:
    - Verify that Azure SQL Managed Instances have a customer-controlled maintenance window configured by @BenjaminEngeset. #2979
  - Service Bus:
    - Verify that service bus namespaces have geo-replication configured by @BenjaminEngeset. #2988
- Engineering:
What's changed since v1.37.0:
- New features:
  - Added June 2024 baselines `Azure.GA_2024_06` and `Azure.Preview_2024_06` by @BernieWhite. #2961
    - Includes rules released before or during June 2024.
    - Marked `Azure.GA_2024_03` and `Azure.Preview_2024_03` baselines as obsolete.
- New rules:
  - Azure Database for MySQL:
  - Azure Database for PostgreSQL:
  - Azure Firewall:
    - Verify that firewalls have availability zones configured by @BenjaminEngeset. #2909
  - Azure Kubernetes Service:
    - Added check to automatically upgrade AKS cluster node image by @sharmilamusunuru. #2445
  - Azure Virtual Desktop:
    - Added check for scheduled agent updates on host pools by @BernieWhite. #2946
  - Cosmos DB:
    - Verify that Cosmos DB accounts have continuous backup configured by @BenjaminEngeset. #2954
  - Virtual Network Gateway:
    - Verify that VPN/ExpressRoute gateways have a customer-controlled maintenance configuration configured by @BenjaminEngeset. #2910
  - Virtual Machine Scale Sets:
- Updated rules:
- Engineering:
- Bug fixes:
  - Fixed handling of multi-line descriptions for policy definition and assignment exports by @BernieWhite. #2973
  - Fixed support for `references` function by @BernieWhite. #2922
  - Fixed group by subscription casing when exporting in-flight resources by @BernieWhite. #2957
  - Fixed install Az.Resources warning by @BernieWhite. #2887
    - Added new configuration option set by environment variable to suppress the warning.
    - Set `PSRULE_AZURE_RESOURCE_MODULE_NOWARN` to `true` to suppress the warning.
  - Fixed `filter` on unknown runtime property by @BernieWhite. #2966
  - Fixed failed to expand with direct outputs reference by @BernieWhite. #2935
  - Fixed identification of `list*` function false positive with resource by @BernieWhite. #2919
  - Fixed documentation bugs for container apps by @BernieWhite. #2876
What's changed since pre-release v1.38.0-B0068:
- No additional changes.
What's changed since pre-release v1.38.0-B0068:
- New rules:
  - Cosmos DB:
    - Verify that Cosmos DB accounts have continuous backup configured by @BenjaminEngeset. #2954
- Bug fixes:
What's changed since pre-release v1.38.0-B0034:
- New features:
  - Added March 2024 baselines `Azure.GA_2024_06` and `Azure.Preview_2024_06` by @BernieWhite. #2961
    - Includes rules released before or during June 2024.
    - Marked `Azure.GA_2024_03` and `Azure.Preview_2024_03` baselines as obsolete.
- Engineering:
  - Quality updates to rule documentation by @BernieWhite. #2570
- Bug fixes:
  - Fixed support for `references` function by @BernieWhite. #2922
  - Fixed group by subscription casing when exporting in-flight resources by @BernieWhite. #2957
  - Fixed install Az.Resources warning by @BernieWhite. #2887
    - Added new configuration option set by environment variable to suppress the warning.
    - Set `PSRULE_AZURE_RESOURCE_MODULE_NOWARN` to `true` to suppress the warning.
  - Fixed `filter` on unknown runtime property by @BernieWhite. #2966
What's changed since pre-release v1.38.0-B0011:
- New rules:
- Engineering:
  - Quality updates to rule documentation by @BernieWhite. #2570
- Bug fixes:
What's changed since v1.37.0:
- New rules:
  - Azure Database for MySQL:
  - Azure Database for PostgreSQL:
  - Azure Firewall:
    - Verify that firewalls have availability zones configured by @BenjaminEngeset. #2909
  - Virtual Network Gateway:
    - Verify that VPN/ExpressRoute gateways have a customer-controlled maintenance configuration configured by @BenjaminEngeset. #2910
- Updated rules:
- Engineering:
What's changed since v1.36.0:
- New features:
- New rules:
  - App Service:
    - Check that applications use supported Node.js runtime versions by @BenjaminEngeset. #2879
  - Application Gateway:
    - Check that WAF v2 doesn't use legacy WAF configuration by @BenjaminEngeset. #2877
  - Azure Cache for Redis:
    - Verify that cache instances have Entra ID authentication enabled by @BenjaminEngeset. #2899
  - Azure Managed Grafana:
    - Check that Azure Managed Grafana workspaces use Grafana version 10 by @BenjaminEngeset. #2878
  - Cosmos DB:
  - Event Hub:
    - Check that access to the namespace endpoints is restricted to only allowed sources by @BenjaminEngeset. #2701
  - Log Analytics:
    - Check that workspaces have workspace replication enabled by @BenjaminEngeset. #2893
  - Virtual Machine Scale Sets:
    - Check that automatic instance repairs are enabled by @BenjaminEngeset. #2895
- Updated rules:
  - API Management:
    - Important change: Updated `Azure.APIM.AvailabilityZone` to improve accuracy with non-premium SKUs by @BenjaminEngeset. #2788
      - Removed the `If` Premium SKU.
      - Added check for Premium SKU.
      - Bumped rule set to `2024_06`.
    - Important change: Updated `Azure.APIM.MultiRegion` to improve accuracy with non-premium SKUs by @BenjaminEngeset. #2787
      - Removed the `If` Premium SKU.
      - Added check for Premium SKU.
      - Bumped rule set to `2024_06`.
  - Deployment:
    - Add additional exclusions for `Azure.Deployment.SecureParameter` by @BernieWhite. #2857
- General improvements:
- Engineering:
- Bug fixes:
What's changed since pre-release v1.37.0-B0071:
- No additional changes.
What's changed since pre-release v1.37.0-B0034:
- New rules:
  - App Service:
    - Check that applications use supported Node.js runtime versions by @BenjaminEngeset. #2879
  - Azure Cache for Redis:
    - Verify that cache instances have Entra ID authentication enabled by @BenjaminEngeset. #2899
  - Log Analytics:
    - Check that workspaces have workspace replication enabled by @BenjaminEngeset. #2893
  - Virtual Machine Scale Sets:
    - Check that automatic instance repairs are enabled by @BenjaminEngeset. #2895
- Updated rules:
  - API Management:
    - Important change: Updated `Azure.APIM.MultiRegion` to improve accuracy with non-premium SKUs by @BenjaminEngeset. #2787
      - Removed the `If` Premium SKU.
      - Added check for Premium SKU.
      - Bumped rule set to `2024_06`.
- General improvements:
  - Added support for `split` and `concat` functions during policy export by @BernieWhite. #2851
- Engineering:
What's changed since pre-release v1.37.0-B0009:
- New features:
- New rules:
  - Application Gateway:
    - Check that WAF v2 doesn't use legacy WAF configuration by @BenjaminEngeset. #2877
  - Azure Managed Grafana:
    - Check that Azure Managed Grafana workspaces use Grafana version 10 by @BenjaminEngeset. #2878
  - Cosmos DB:
  - Event Hub:
    - Check that access to the namespace endpoints is restricted to only allowed sources by @BenjaminEngeset. #2701
- Updated rules:
  - API Management:
    - Important change: Updated `Azure.APIM.AvailabilityZone` to improve accuracy with non-premium SKUs by @BenjaminEngeset. #2788
      - Removed the `If` Premium SKU.
      - Added check for Premium SKU.
      - Bumped rule set to `2024_06`.
- General improvements:
  - Updated resource providers and policy aliases. #2880
- Engineering:
- Bug fixes:
  - Fixed `union` does not perform deep merge or keep property order by @BernieWhite. #2885
What's changed since v1.36.0:
- New rules:
  - Cosmos DB:
    - Check that database accounts use a paid tier by @BernieWhite. #2845
- Updated rules:
  - Deployment:
    - Add additional exclusions for `Azure.Deployment.SecureParameter` by @BernieWhite. #2857
- General improvements:
  - Quality updates to documentation by @BernieWhite. #2570
- Bug fixes:
  - Fixed dependency ordering for cross scope deployments by @BernieWhite. #2850
What's changed since v1.35.3:
- New rules:
  - Container App:
  - Cosmos DB:
    - Check that database accounts only accept a minimum of TLS 1.2 by @BernieWhite. #2809
  - Entra Domain Services:
- General improvements:
  - Important change: Deprecated rules with no clear WAF alignment by @BernieWhite. #2493
    - The following rules are deprecated:
      - `Azure.Template.UseParameters`
      - `Azure.Template.UseVariables`
      - `Azure.Template.DefineParameters`
      - `Azure.Template.ValidSecretRef`
    - These rules have been deprecated and will be removed in v2.
    - See deprecations for more information.
  - Quality updates to documentation by @lukemurraynz @BernieWhite. #2789 #2570
  - Additional policies added to default ignore list by @BernieWhite. #1731
- Bug fixes:
What's changed since pre-release v1.36.0-B0077:
- General improvements:
  - Quality updates to documentation by @BernieWhite. #2570
What's changed since pre-release v1.36.0-B0046:
- New rules:
- General improvements:
  - Important change: Deprecated rules with no clear WAF alignment by @BernieWhite. #2493
    - The following rules are deprecated:
      - `Azure.Template.UseParameters`
      - `Azure.Template.UseVariables`
      - `Azure.Template.DefineParameters`
      - `Azure.Template.ValidSecretRef`
    - These rules have been deprecated and will be removed in v2.
    - See deprecations for more information.
What's changed since pre-release v1.36.0-B0020:
- Bug fixes:
What's changed since v1.35.3:
- New rules:
- General improvements:
- Bug fixes:
  - Fixed not found warning when exporting firewall policy `signatureOverrides` by @BernieWhite. #2806
What's changed since v1.35.2:
- Bug fixes:
  - Fixed false positive with load balancers that use a public IP by @BernieWhite. #2814
What's changed since v1.35.1:
- Bug fixes:
  - Fixed regression when handling ambiguous mock array outputs by @BernieWhite. #2801
What's changed since v1.35.0:
- Bug fixes:
  - Fixed null parameter overrides default value by @BernieWhite. #2795
What's changed since v1.34.2:
- New features:
  - Added WAF pillar specific baselines by @BernieWhite. #1633 #2752
    - Use pillar specific baselines to target a specific area of the Azure Well-Architected Framework.
    - The following baselines have been added:
      - `Azure.Pillar.CostOptimization`
      - `Azure.Pillar.OperationalExcellence`
      - `Azure.Pillar.PerformanceEfficiency`
      - `Azure.Pillar.Reliability`
      - `Azure.Pillar.Security`
  - Added March 2024 baselines `Azure.GA_2024_03` and `Azure.Preview_2024_03` by @BernieWhite. #2781
    - Includes rules released before or during March 2024.
    - Marked `Azure.GA_2023_12` and `Azure.Preview_2023_12` baselines as obsolete.
- Updated rules:
  - Updated `Azure.AppService.NETVersion` to detect out of date .NET versions including .NET 5/6/7 by @BernieWhite. #2766
    - Bumped rule set to `2024_03`.
  - Updated `Azure.AppService.PHPVersion` to detect out of date PHP versions before 8.2 by @BernieWhite. #2768
    - Fixed `Azure.AppService.PHPVersion` check fails when phpVersion is null.
    - Bumped rule set to `2024_03`.
  - Updated `Azure.AKS.Version` to use `1.27.9` as the minimum version by @BernieWhite. #2771
- General improvements:
  - Renamed Cognitive Services rules to Azure AI by @BernieWhite. #2776
    - Rules that were previously named `Azure.Cognitive.*` have been renamed to `Azure.AI.*`.
    - For each rule that has been renamed, an alias has been added to reference the old name.
  - Improved export of in-flight data for Event Grid and Azure Firewall Policies by @BernieWhite. #2774
  - Additional policies added to default ignore list by @BernieWhite. #1731
  - Quality updates to rule documentation by @BernieWhite. #2570 #1243 #2757
    - Add rule severity to rule documentation pages.
    - Add documentation redirects for renamed rules.
  - Updated links to learn.microsoft.com (from docs.microsoft.com) by @lukemurraynz. #2785
- Engineering:
  - Bump coverlet.collector to v6.0.2. #2754
- Bug fixes:
What's changed since pre-release v1.35.0-B0116:
- General improvements:
  - Updated links to learn.microsoft.com (from docs.microsoft.com) by @lukemurraynz. #2785
What's changed since pre-release v1.35.0-B0084:
- New features:
  - Added March 2024 baselines `Azure.GA_2024_03` and `Azure.Preview_2024_03` by @BernieWhite. #2781
    - Includes rules released before or during March 2024.
    - Marked `Azure.GA_2023_12` and `Azure.Preview_2023_12` baselines as obsolete.
- General improvements:
  - Renamed Cognitive Services rules to Azure AI by @BernieWhite. #2776
    - Rules that were previously named `Azure.Cognitive.*` have been renamed to `Azure.AI.*`.
    - For each rule that has been renamed, an alias has been added to reference the old name.
What's changed since pre-release v1.35.0-B0055:
- General improvements:
  - Improved export of in-flight data for Event Grid and Azure Firewall Policies by @BernieWhite. #2774
What's changed since pre-release v1.35.0-B0030:
- Updated rules:
  - Updated `Azure.AppService.NETVersion` to detect out of date .NET versions including .NET 5/6/7 by @BernieWhite. #2766
    - Bumped rule set to `2024_03`.
  - Updated `Azure.AppService.PHPVersion` to detect out of date PHP versions before 8.2 by @BernieWhite. #2768
    - Fixed `Azure.AppService.PHPVersion` check fails when phpVersion is null.
    - Bumped rule set to `2024_03`.
  - Updated `Azure.AKS.Version` to use `1.27.9` as the minimum version by @BernieWhite. #2771
- General improvements:
- Bug fixes:
  - Fixed failed to expand JObject value with invalid key by @BernieWhite. #2751
What's changed since pre-release v1.35.0-B0012:
- General improvements:
- Engineering:
  - Bump coverlet.collector to v6.0.2. #2754
- Bug fixes:
  - Fixed false negative from `Azure.LB.AvailabilityZone` when zone list is empty or null by @jtracey93. #2759
What's changed since v1.34.2:
- New features:
  - Added WAF pillar specific baselines by @BernieWhite. #1633 #2752
    - Use pillar specific baselines to target a specific area of the Azure Well-Architected Framework.
    - The following baselines have been added:
      - `Azure.Pillar.CostOptimization`
      - `Azure.Pillar.OperationalExcellence`
      - `Azure.Pillar.PerformanceEfficiency`
      - `Azure.Pillar.Reliability`
      - `Azure.Pillar.Security`
- General improvements:
  - Documentation improvements by @BernieWhite. #2570
What's changed since v1.34.1:
- Bug fixes:
  - Fixed export of in-flight data for flexible PostgreSQL servers by @BernieWhite. #2744
What's changed since v1.34.0:
What's changed since v1.33.2:
- New rules:
  - Azure Kubernetes Service:
    - Check that user mode pools have a minimum number of nodes by @BernieWhite. #2683
      - Added configuration to support changing the minimum number of nodes and to exclude node pools.
      - Set `AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES` to set the minimum number of user nodes.
      - Set `AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES` to exclude a specific node pool by name.
- Updated rules:
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.MinNodeCount` to count nodes in system node pools by @BernieWhite. #2683
      - Improved guidance and examples specifically for system node pools.
      - Added configuration to support changing the minimum number of nodes.
      - Set `AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES` to set the minimum number of system nodes.
  - Front Door:
    - Updated `Azure.FrontDoor.Logs` to cover premium and standard profiles instead of just classic by @BernieWhite. #2704
      - Added a selector for premium and standard profiles `Azure.FrontDoor.IsStandardOrPremium`.
      - Added a selector for classic profiles `Azure.FrontDoor.IsClassic`.
      - Updated rule set to `2024_03`.
  - Microsoft Defender for Cloud:
  - Storage Account:
    - Renamed rules to align with recommended naming length by @BernieWhite. #2718
      - Renamed `Azure.Storage.DefenderCloud.MalwareScan` to `Azure.Storage.Defender.MalwareScan`.
      - Renamed `Azure.Storage.DefenderCloud.SensitiveData` to `Azure.Storage.Defender.DataScan`.
    - Promoted `Azure.Storage.Defender.MalwareScan` to GA rule set by @BernieWhite. #2590
- General improvements:
  - Moved `.bicepparam` file support to stable by @BernieWhite. #2682
    - Bicep param files are now automatically expanded when found.
    - To disable expansion, set the configuration option `AZURE_BICEP_PARAMS_FILE_EXPANSION` to `false`.
  - Added support for type, variable, and function imports from Bicep files by @BernieWhite. #2537
  - Added duplicate policies to default ignore list by @BernieWhite. #1731
  - Documentation and metadata improvements by @BernieWhite. #1772 #2570
- Engineering:
  - Updated resource providers and policy aliases. #2717
  - Improved debugging experience by providing symbols for .NET code by @BernieWhite. #2712
  - Bump Microsoft.NET.Test.Sdk to v17.9.0. #2680
  - Bump xunit to v2.7.0. #2688
  - Bump xunit.runner.visualstudio to v2.5.7. #2689
  - Bump coverlet.collector to v6.0.1. #2699
- Bug fixes:
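An added Python model of the two AKS minimum-node checks described above (the user-pool rule and the updated `Azure.AKS.MinNodeCount`), run over a constructed cluster resource with the three configuration options the notes name. It is not PSRule for Azure's own rule code; the default minimum of 3 for both checks, per-pool evaluation of user pools, and treating a pool with no `mode` as `System` are assumptions for the example.

```python
"""Model of the AKS minimum node count checks and their configuration options.

Added example, not PSRule for Azure's own rule code. Option names are from the
release notes; the defaults and evaluation details are assumptions.
"""

# Assumed defaults for this example only (not the project's documented defaults).
DEFAULT_CONFIGURATION = {
    "AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES": 3,
    "AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES": 3,
    "AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES": [],
}


def agent_pools(cluster: dict) -> list:
    """Return the agentPoolProfiles of a managedClusters resource, or [] if absent."""
    return cluster.get("properties", {}).get("agentPoolProfiles", [])


def pool_mode(pool: dict) -> str:
    """Assumption for this example: a pool with no explicit mode is treated as System."""
    return pool.get("mode", "System")


def system_node_count(cluster: dict) -> int:
    """Total node count across System pools (what Azure.AKS.MinNodeCount now counts)."""
    return sum(int(p.get("count", 0)) for p in agent_pools(cluster) if pool_mode(p) == "System")


def evaluate_min_nodes(cluster: dict, configuration=None) -> list:
    """Return a list of findings; an empty list means both checks pass.

    System pools are summed against AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES.
    Each User pool is checked on its own against AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES
    unless its name is listed in AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES.
    """
    cfg = {**DEFAULT_CONFIGURATION, **(configuration or {})}
    findings = []

    system_min = int(cfg["AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES"])
    total_system = system_node_count(cluster)
    if total_system < system_min:
        findings.append(f"system pools have {total_system} nodes; minimum is {system_min}")

    user_min = int(cfg["AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES"])
    excluded = set(cfg["AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES"])
    for pool in agent_pools(cluster):
        if pool_mode(pool) != "User" or pool.get("name") in excluded:
            continue
        count = int(pool.get("count", 0))
        if count < user_min:
            findings.append(f"user pool '{pool.get('name')}' has {count} nodes; minimum is {user_min}")
    return findings


# Constructed sample cluster resource for this example.
SAMPLE_CLUSTER = {
    "type": "Microsoft.ContainerService/managedClusters",
    "name": "aks-example",
    "properties": {
        "agentPoolProfiles": [
            {"name": "system1", "mode": "System", "count": 2},
            {"name": "system2", "mode": "System", "count": 1},
            {"name": "apps", "mode": "User", "count": 2},
            {"name": "gpu", "mode": "User", "count": 1},
        ]
    },
}

if __name__ == "__main__":
    # With defaults: system total 3 passes, both user pools are below 3.
    for finding in evaluate_min_nodes(SAMPLE_CLUSTER):
        print(finding)
    # Excluding the single-node gpu pool by name leaves only the apps finding.
    exclusions = {"AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES": ["gpu"]}
    print(evaluate_min_nodes(SAMPLE_CLUSTER, exclusions))
```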
What's changed since pre-release v1.34.0-B0077:
- No additional changes.
What's changed since pre-release v1.34.0-B0047:
- Updated rules:
  - Microsoft Defender for Cloud:
  - Storage Account:
    - Renamed rules to align with recommended naming length by @BernieWhite. #2718
      - Renamed `Azure.Storage.DefenderCloud.MalwareScan` to `Azure.Storage.Defender.MalwareScan`.
      - Renamed `Azure.Storage.DefenderCloud.SensitiveData` to `Azure.Storage.Defender.DataScan`.
    - Promoted `Azure.Storage.Defender.MalwareScan` to GA rule set by @BernieWhite. #2590
- General improvements:
  - Added duplicate policies to default ignore list by @BernieWhite. #1731
- Engineering:
  - Updated resource providers and policy aliases. #2717
- Bug fixes:
What's changed since pre-release v1.34.0-B0022:
- General improvements:
  - Added support for type, variable, and function imports from Bicep files by @BernieWhite. #2537
- Engineering:
  - Improved debugging experience by providing symbols for .NET code by @BernieWhite. #2712
What's changed since v1.33.2:
- New rules:
  - Azure Kubernetes Service:
    - Check that user mode pools have a minimum number of nodes by @BernieWhite. #2683
      - Added configuration to support changing the minimum number of nodes and to exclude node pools.
      - Set `AZURE_AKS_CLUSTER_USER_POOL_MINIMUM_NODES` to set the minimum number of user nodes.
      - Set `AZURE_AKS_CLUSTER_USER_POOL_EXCLUDED_FROM_MINIMUM_NODES` to exclude a specific node pool by name.
- Updated rules:
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.MinNodeCount` to count nodes in system node pools by @BernieWhite. #2683
      - Improved guidance and examples specifically for system node pools.
      - Added configuration to support changing the minimum number of nodes.
      - Set `AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES` to set the minimum number of system nodes.
  - Front Door:
    - Updated `Azure.FrontDoor.Logs` to cover premium and standard profiles instead of just classic by @BernieWhite. #2704
      - Added a selector for premium and standard profiles `Azure.FrontDoor.IsStandardOrPremium`.
      - Added a selector for classic profiles `Azure.FrontDoor.IsClassic`.
      - Updated rule set to `2024_03`.
- General improvements:
- Engineering:
- Bug fixes:
  - Fixed missing zones property for public IP addresses by @BernieWhite. #2698
What's changed since v1.33.1:
- Bug fixes:
  - Fixed false positive of `Azure.Resource.AllowedRegions` raised during assertion call by @BernieWhite. #2687
What's changed since v1.33.0:
- Bug fixes:
What's changed since v1.32.1:
- New features:
  - Exporting policy as rules also generates a baseline by @BernieWhite. #2482
    - A baseline is automatically generated that includes all rules exported. If a policy rule has been replaced by a built-in rule, the baseline will include the built-in rule instead.
    - The baseline is named `<Prefix>.PolicyBaseline.All`, i.e. `Azure.PolicyBaseline.All` by default.
    - For details see Policy as rules.
- New rules:
- Updated rules:
  - Application Gateway:
    - Updated `Azure.AppGwWAF.RuleGroups` to use the latest rule sets by @BenjaminEngeset. #2629
      - The latest Bot Manager rule set is now `1.0`.
      - The latest OWASP rule set is now `3.2`.
  - Cognitive Services:
    - Relaxed `Azure.Cognitive.ManagedIdentity` to configurations that require managed identities by @BernieWhite. #2559
  - Virtual Machine:
    - Checks for Azure Hybrid Benefit `Azure.VM.UseHybridUseBenefit` are not enabled by default by @BernieWhite. #2493
      - To enable, set the `AZURE_VM_USE_HYBRID_USE_BENEFIT` option to `true`.
  - Virtual Network:
    - Added option for excluding subnets to `Azure.VNET.UseNSGs` by @BernieWhite. #2572
      - To add a subnet exclusion, set the `AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG` option.
- General improvements:
  - Rules that are ignored during exporting policy as rules now generate verbose logs by @BernieWhite. #2482
    - This is to improve transparency of why rules are not exported.
    - To see details on why a rule is ignored, enable verbose logging with `-Verbose`.
  - Policies that duplicate built-in rules can now be exported by using the `-KeepDuplicates` parameter by @BernieWhite. #2482
    - For details see Policy as rules.
  - Quality updates to rules and documentation by @BernieWhite. #1772 #2570
- Engineering:
- Bug fixes:
  - Fixed `dateTimeAdd` may fail with different localization by @BernieWhite. #2631
  - Fixed inconclusive result reported for `Azure.ACR.Usage` by @BernieWhite. #2494
  - Fixed export of Front Door resource data is incomplete by @BernieWhite. #2668
  - Fixed `Azure.Template.TemplateFile` to support `languageVersion` 2.0 template properties by @MrRoundRobin. #2660
  - Fixed `Azure.VM.DiskSizeAlignment` does not handle smaller sizes and ultra disks by @BernieWhite. #2656
What's changed since pre-release v1.33.0-B0169:
- No additional changes.
What's changed since pre-release v1.33.0-B0126:
- New features:
  - Exporting policy as rules also generates a baseline by @BernieWhite. #2482
    - A baseline is automatically generated that includes all rules exported. If a policy rule has been replaced by a built-in rule, the baseline will include the built-in rule instead.
    - The baseline is named `<Prefix>.PolicyBaseline.All`, i.e. `Azure.PolicyBaseline.All` by default.
    - For details see Policy as rules.
- General improvements:
  - Rules that are ignored during exporting policy as rules now generate verbose logs by @BernieWhite. #2482
    - This is to improve transparency of why rules are not exported.
    - To see details on why a rule is ignored, enable verbose logging with `-Verbose`.
  - Policies that duplicate built-in rules can now be exported by using the `-KeepDuplicates` parameter by @BernieWhite. #2482
    - For details see Policy as rules.
- Bug fixes:
What's changed since pre-release v1.33.0-B0088:
- Bug fixes:
  - Fixed `Azure.Template.TemplateFile` to support `languageVersion` 2.0 template properties by @MrRoundRobin. #2660
What's changed since pre-release v1.33.0-B0053:
- New rules:
  - Dev Box:
    - Check that projects limit the number of Dev Boxes per user by @BernieWhite. #2654
- Bug fixes:
  - Fixed `Azure.VM.DiskSizeAlignment` does not handle smaller sizes and ultra disks by @BernieWhite. #2656
What's changed since pre-release v1.33.0-B0023:
- New rules:
- Engineering:
What's changed since v1.32.1:
- Updated rules:
  - Application Gateway:
    - Updated `Azure.AppGwWAF.RuleGroups` to use the latest rule sets by @BenjaminEngeset. #2629
      - The latest Bot Manager rule set is now `1.0`.
      - The latest OWASP rule set is now `3.2`.
  - Cognitive Services:
    - Relaxed `Azure.Cognitive.ManagedIdentity` to configurations that require managed identities by @BernieWhite. #2559
  - Virtual Machine:
    - Checks for Azure Hybrid Benefit `Azure.VM.UseHybridUseBenefit` are not enabled by default by @BernieWhite. #2493
      - To enable, set the `AZURE_VM_USE_HYBRID_USE_BENEFIT` option to `true`.
  - Virtual Network:
    - Added option for excluding subnets to `Azure.VNET.UseNSGs` by @BernieWhite. #2572
      - To add a subnet exclusion, set the `AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG` option.
- General improvements:
- Engineering:
- Bug fixes:
  - Fixed `dateTimeAdd` may fail with different localization by @BernieWhite. #2631
What's changed since v1.32.0:
- Bug fixes:
What's changed since v1.31.3:
- New features:
  - Added December 2023 baselines `Azure.GA_2023_12` and `Azure.Preview_2023_12` by @BernieWhite. #2580
    - Includes rules released before or during December 2023.
    - Marked `Azure.GA_2023_09` and `Azure.Preview_2023_09` baselines as obsolete.
- Updated rules:
  - App Configuration:
    - Promoted `Azure.AppConfig.GeoReplica` to GA rule set by @BernieWhite. #2592
  - API Management:
    - Promoted `Azure.APIM.DefenderCloud` to GA rule set by @BernieWhite. #2591
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.Version` to use latest stable version `1.27.7` by @BernieWhite. #2581
  - Defender for Cloud:
    - Promoted `Azure.Defender.Api` to GA rule set by @BernieWhite. #2591
  - Network Interface:
    - Renamed NIC rules to reflect current usage by @BernieWhite. #2574
      - Rename `Azure.VM.NICAttached` to `Azure.NIC.Attached`.
      - Rename `Azure.VM.NICName` to `Azure.NIC.Name`.
      - Rename `Azure.VM.UniqueDns` to `Azure.NIC.UniqueDns`.
      - Added aliases to reference the old names for suppression and exclusion.
    - Added support for private link services to `Azure.VM.NICAttached` by @BernieWhite. #2563
- General improvements:
- Engineering:
  - Updated resource providers and policy aliases. #2579
  - Bump xunit to v2.6.2. #2544
  - Bump xunit.runner.visualstudio to v2.5.4. #2567
  - Bump Microsoft.SourceLink.GitHub to v8.0.0. #2538
  - Bump BenchmarkDotNet.Diagnostics.Windows and BenchmarkDotNet to v0.13.11. #2575
  - Bump Microsoft.CodeAnalysis.NetAnalyzers to v8.0.0. #2568
  - Bump Microsoft.NET.Test.Sdk to v17.8.0. #2527
- Bug fixes:
What's changed since pre-release v1.32.0-B0099:
- No additional changes.
What's changed since pre-release v1.32.0-B0053:
- New features:
  - Added December 2023 baselines `Azure.GA_2023_12` and `Azure.Preview_2023_12` by @BernieWhite. #2580
    - Includes rules released before or during December 2023.
    - Marked `Azure.GA_2023_09` and `Azure.Preview_2023_09` baselines as obsolete.
- Updated rules:
  - App Configuration:
    - Promoted `Azure.AppConfig.GeoReplica` to GA rule set by @BernieWhite. #2592
  - API Management:
    - Promoted `Azure.APIM.DefenderCloud` to GA rule set by @BernieWhite. #2591
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.Version` to use latest stable version `1.27.7` by @BernieWhite. #2581
  - Defender for Cloud:
    - Promoted `Azure.Defender.Api` to GA rule set by @BernieWhite. #2591
- General improvements:
  - Improved reporting of null argument in length function by @BernieWhite. #2597
- Engineering:
What's changed since pre-release v1.32.0-B0021:
- Updated rules:
  - Network Interface:
    - Renamed NIC rules to reflect current usage by @BernieWhite. #2574
      - Rename `Azure.VM.NICAttached` to `Azure.NIC.Attached`.
      - Rename `Azure.VM.NICName` to `Azure.NIC.Name`.
      - Rename `Azure.VM.UniqueDns` to `Azure.NIC.UniqueDns`.
      - Added aliases to reference the old names for suppression and exclusion.
    - Added support for private link services to `Azure.VM.NICAttached` by @BernieWhite. #2563
- General improvements:
- Engineering:
  - Bump xunit.runner.visualstudio to v2.5.4. #2567
- Bug fixes:
  - Fixed dependency ordering is incorrect by @BernieWhite. #2578
What's changed since v1.31.3:
- General improvements:
  - Quality updates to documentation by @BernieWhite. #2557
- Engineering:
- Bug fixes:
What's changed since v1.31.2:
- Bug fixes:
What's changed since v1.31.1:
- Bug fixes:
  - Fixed nullable parameters with JValue null by @BernieWhite. #2535
What's changed since v1.31.0:
- Bug fixes:
  - Fixed additional non-sensitive parameter name patterns for `Azure.Deployment.SecureParameter` by @BernieWhite. #2528
    - Added support for configuration of the rule by setting `AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES`.
  - Fixed incorrect handling of expressions with `contains` with JValue string by @BernieWhite. #2531
What's changed since v1.30.3:
- New rules:
  - Deployment:
    - Check parameters potentially containing secure values by @BernieWhite. #1476
  - Machine Learning:
    - Check compute instances are configured for an idle shutdown by @batemansogq. #2484
    - Check workspace compute has local authentication disabled by @batemansogq. #2484
    - Check workspace compute is connected to a VNET by @batemansogq. #2484
    - Check public access to a workspace is disabled by @batemansogq. #2484
    - Check workspaces use a user-assigned identity by @batemansogq. #2484
- Engineering:
- Bug fixes:
What's changed since pre-release v1.31.0-B0048:
- No additional changes.
What's changed since pre-release v1.31.0-B0020:
- Engineering:
- Bug fixes:
What's changed since v1.30.3:
- New rules:
  - Deployment:
    - Check parameters potentially containing secure values by @BernieWhite. #1476
  - Machine Learning:
    - Check compute instances are configured for an idle shutdown by @batemansogq. #2484
    - Check workspace compute has local authentication disabled by @batemansogq. #2484
    - Check workspace compute is connected to a VNET by @batemansogq. #2484
    - Check public access to a workspace is disabled by @batemansogq. #2484
    - Check workspaces use a user-assigned identity by @batemansogq. #2484
- Engineering:
What's changed since v1.30.2:
- Bug fixes:
  - Fixed nullable parameters for built-in types by @BernieWhite. #2488
What's changed since v1.30.1:
- Bug fixes:
  - Fixed binding of results resourceId and resourceGroupName by @BernieWhite. #2460
What's changed since v1.30.0:
- Bug fixes:
  - Fixed `Azure.Resource.AllowedRegions` which was failing when no allowed regions were configured by @BernieWhite. #2461
What's changed since v1.29.0:
- New features:
  - Added September 2023 baselines `Azure.GA_2023_09` and `Azure.Preview_2023_09` by @BernieWhite. #2451
    - Includes rules released before or during September 2023.
    - Marked `Azure.GA_2023_06` and `Azure.Preview_2023_06` baselines as obsolete.
- New rules:
  - Azure Database for MySQL:
    - Check that Azure AD-only authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset. #2227
  - Azure Firewall:
    - Check that Azure Firewall policies have configured threat intelligence-based filtering in `alert and deny` mode by @BenjaminEngeset. #2354
  - Backup vault:
    - Check that immutability is configured for Backup vaults by @BenjaminEngeset. #2387
  - Container App:
    - Check that Container Apps use a supported API version by @BenjaminEngeset. #2398
  - Container Registry:
  - Front Door:
    - Check that managed identity for Azure Front Door instances is configured by @BenjaminEngeset. #2378
  - Public IP address:
    - Check that Public IP addresses use Standard SKU by @BenjaminEngeset. #2376
  - Recovery Services vault:
    - Check that immutability is configured for Recovery Services vaults by @BenjaminEngeset. #2386
- Updated rules:
  - Azure Kubernetes Service:
  - Container App:
    - Promoted `Azure.ContainerApp.DisableAffinity` to GA rule set by @BernieWhite. #2455
- General improvements:
  - Important change: Replaced the `Azure_AllowedRegions` option with `AZURE_RESOURCE_ALLOWED_LOCATIONS` by @BernieWhite. #941
    - For compatibility, if `Azure_AllowedRegions` is set it will be used instead of `AZURE_RESOURCE_ALLOWED_LOCATIONS`.
    - If only `AZURE_RESOURCE_ALLOWED_LOCATIONS` is set, this value will be used.
    - The default will be used if neither option is configured.
    - If `Azure_AllowedRegions` is set a warning will be generated until the configuration is removed.
    - Support for `Azure_AllowedRegions` is deprecated and will be removed in v2.
    - See upgrade notes for details.
  - Add source link for rule in docs by @BernieWhite. #2115
- Engineering:
  - Updated resource providers and policy aliases. #2442
  - Bump xunit to v2.5.1. #2436
  - Bump xunit.runner.visualstudio to v2.5.1. #2435
  - Bump Microsoft.NET.Test.Sdk to v17.7.2. #2407
  - Bump BenchmarkDotNet to v0.13.8. #2425
  - Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.8. #2425
  - Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.4. #2405
- Bug fixes:
  - Fixed false positive with `Azure.Storage.SecureTransfer` on new API versions by @BernieWhite. #2414
  - Fixed false positive with `Azure.VNET.LocalDNS` for DNS server addresses out of local scope by @BernieWhite. #2370
    - This bug fix introduces a configuration option to flag when DNS from an Identity subscription is used.
    - Set `AZURE_VNET_DNS_WITH_IDENTITY` to `true` when using an Identity subscription for DNS.
  - Fixed non-resource group rule triggering for a resource group by @BernieWhite. #2401
  - Fixed lambda map in map variable by @BernieWhite. #2410
  - Fixed `Azure.AKS.Version` by excluding `node-image` channel by @BernieWhite. #2446
What's changed since pre-release v1.30.0-B0127:
- No additional changes.
What's changed since pre-release v1.30.0-B0080:
- New features:
  - Added September 2023 baselines `Azure.GA_2023_09` and `Azure.Preview_2023_09` by @BernieWhite. #2451
    - Includes rules released before or during September 2023.
    - Marked `Azure.GA_2023_06` and `Azure.Preview_2023_06` baselines as obsolete.
- New rules:
- Updated rules:
  - Azure Kubernetes Service:
  - Container App:
    - Promoted `Azure.ContainerApp.DisableAffinity` to GA rule set by @BernieWhite. #2455
- General improvements:
  - Add source link for rule in docs by @BernieWhite. #2115
- Engineering:
- Bug fixes:
  - Fixed `Azure.AKS.Version` by excluding `node-image` channel by @BernieWhite. #2446
What's changed since pre-release v1.30.0-B0047:
- General improvements:
  - Important change: Replaced the `Azure_AllowedRegions` option with `AZURE_RESOURCE_ALLOWED_LOCATIONS` by @BernieWhite. #941
    - For compatibility, if `Azure_AllowedRegions` is set it will be used instead of `AZURE_RESOURCE_ALLOWED_LOCATIONS`.
    - If only `AZURE_RESOURCE_ALLOWED_LOCATIONS` is set, this value will be used.
    - The default will be used if neither option is configured.
    - If `Azure_AllowedRegions` is set a warning will be generated until the configuration is removed.
    - Support for `Azure_AllowedRegions` is deprecated and will be removed in v2.
    - See upgrade notes for details.
- Engineering:
- Bug fixes:
  - Fixed false positive with `Azure.Storage.SecureTransfer` on new API versions by @BernieWhite. #2414
  - Fixed false positive with `Azure.VNET.LocalDNS` for DNS server addresses out of local scope by @BernieWhite. #2370
    - This bug fix introduces a configuration option to flag when DNS from an Identity subscription is used.
    - Set `AZURE_VNET_DNS_WITH_IDENTITY` to `true` when using an Identity subscription for DNS.
What's changed since pre-release v1.30.0-B0026:
- Engineering:
  - Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.4. #2405
- Bug fixes:
  - Fixed lambda map in map variable by @BernieWhite. #2410
What's changed since pre-release v1.30.0-B0011:
- New rules:
  - Container App:
    - Check that Container Apps use a supported API version by @BenjaminEngeset. #2398
- Bug fixes:
  - Fixed non-resource group rule triggering for a resource group by @BernieWhite. #2401
What's changed since v1.29.0:
- New rules:
  - Azure Database for MySQL:
    - Check that Azure AD-only authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset. #2227
  - Azure Firewall:
    - Check that Azure Firewall policies have configured threat intelligence-based filtering in `alert and deny` mode by @BenjaminEngeset. #2354
  - Backup vault:
    - Check that immutability is configured for Backup vaults by @BenjaminEngeset. #2387
  - Front Door:
    - Check that managed identity for Azure Front Door instances is configured by @BenjaminEngeset. #2378
  - Public IP address:
    - Check that Public IP addresses use Standard SKU by @BenjaminEngeset. #2376
  - Recovery Services vault:
    - Check that immutability is configured for Recovery Services vaults by @BenjaminEngeset. #2386
- Engineering:
What's changed since v1.28.2:
- New rules:
  - Databricks:
    - Check that workspaces use secure cluster connectivity by @BernieWhite. #2334
- General improvements:
- Bug fixes:
What's changed since pre-release v1.29.0-B0062:
- No additional changes.
What's changed since pre-release v1.29.0-B0036:
- Bug fixes:
What's changed since pre-release v1.29.0-B0015:
- General improvements:
What's changed since v1.28.2:
- New rules:
  - Databricks:
    - Check that workspaces use secure cluster connectivity by @BernieWhite. #2334
- General improvements:
  - Use policy definition name when generating a rule from it by @BernieWhite. #1959
- Bug fixes:
  - Fixed policy expansion with unquoted field property by @BernieWhite. #2352
What's changed since v1.28.1:
- Bug fixes:
  - Fixed policy rules with no effect conditions are evaluated incorrectly by @BernieWhite. #2346
What's changed since v1.28.0:
- Bug fixes:
  - Fixed `parseCidr` with `/32` is not valid by @BernieWhite. #2336
  - Fixed mismatch of resource group type on policy as code rules by @BernieWhite. #2338
  - Fixed length cannot be less than zero when converting policy to rules by @BernieWhite. #1802
  - Fixed naming rules for MariaDB by @BernieWhite. #2335
    - Updated `Azure.MariaDB.VNETRuleName` to allow for parent resources.
    - Updated `Azure.MariaDB.FirewallRuleName` to allow for parent resources.
  - Fixed network watcher existence check by @BernieWhite. #2342
What's changed since v1.27.3:
- New features:
  - Added June 2023 baselines `Azure.GA_2023_06` and `Azure.Preview_2023_06` by @BernieWhite. #2310
    - Includes rules released before or during June 2023.
    - Marked `Azure.GA_2023_03` and `Azure.Preview_2023_03` baselines as obsolete.
- New rules:
  - Azure Database for MySQL:
    - Check that Azure AD authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset. #2226
  - Azure Database for PostgreSQL:
- Removed rules:
  - Azure Kubernetes Service:
    - Removed `Azure.AKS.PodIdentity` as pod identities have been replaced by workload identities by @BernieWhite. #2273
- General improvements:
  - Added support for safe dereference operator by @BernieWhite. #2322
    - Added support for `tryGet` Bicep function.
  - Added support for Bicep CIDR functions by @BernieWhite. #2279
    - Added support for `parseCidr`, `cidrSubnet`, and `cidrHost`.
  - Added support for `managementGroupResourceId` Bicep function by @BernieWhite. #2294
- Engineering:
  - Bump PSRule to v2.9.0. #2293
  - Updated resource providers and policy aliases. #2261
  - Bump Microsoft.CodeAnalysis.NetAnalyzers to v7.0.3. #2281
  - Bump Microsoft.NET.Test.Sdk to v17.6.3. #2290
  - Bump coverlet.collector to v6.0.0. #2232
  - Bump Az.Resources to v6.7.0. #2274
  - Bump xunit to v2.5.0. #2306
  - Bump xunit.runner.visualstudio to v2.5.0. #2307
  - Bump BenchmarkDotNet to v0.13.6. #2317
  - Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.6. #2318
- Bug fixes:
  - Fixed Redis firewall rules can not bind to start by @BernieWhite. #2303
  - Fixed null condition handling by @BernieWhite. #2316
  - Fixed reference expression in property name by @BernieWhite. #2321
  - Fixed handling of nested mock objects by @BernieWhite. #2325
  - Fixed late binding of `coalesce` function by @BernieWhite. #2328
  - Fixed handling of JArray outputs with runtime values by @BernieWhite. #2159
What's changed since pre-release v1.28.0-B0213:
- No additional changes.
What's changed since pre-release v1.28.0-B0159:
- General improvements:
  - Added support for safe dereference operator by @BernieWhite. #2322
    - Added support for `tryGet` Bicep function.
- Engineering:
- Bug fixes:
What's changed since pre-release v1.28.0-B0115:
- New features:
  - Added June 2023 baselines `Azure.GA_2023_06` and `Azure.Preview_2023_06` by @BernieWhite. #2310
    - Includes rules released before or during June 2023.
    - Marked `Azure.GA_2023_03` and `Azure.Preview_2023_03` baselines as obsolete.
- Engineering:
- Bug fixes:
  - Fixed Redis firewall rules can not bind to start by @BernieWhite. #2303
What's changed since pre-release v1.28.0-B0079:
- General improvements:
  - Added support for Bicep CIDR functions by @BernieWhite. #2279
    - Added support for `parseCidr`, `cidrSubnet`, and `cidrHost`.
What's changed since pre-release v1.28.0-B0045:
- General improvements:
  - Added support for `managementGroupResourceId` Bicep function by @BernieWhite. #2294
- Engineering:
- Bug fixes:
  - Fixed handling of JArray outputs with runtime values by @BernieWhite. #2159
What's changed since pre-release v1.28.0-B0024:
- Removed rules:
  - Azure Kubernetes Service:
    - Removed `Azure.AKS.PodIdentity` as pod identities have been replaced by workload identities by @BernieWhite. #2273
- Engineering:
- Bug fixes:
  - Fixed false positive of `IsolatedV2` with `Azure.AppService.MinPlan` by @BernieWhite. #2277
What's changed since pre-release v1.28.0-B0010:
- Bug fixes:
What's changed since v1.27.1:
- New rules:
  - Azure Database for MySQL:
    - Check that Azure AD authentication is configured for Azure Database for MySQL databases by @BenjaminEngeset. #2226
  - Azure Database for PostgreSQL:
- Engineering:
What's changed since v1.27.2:
- Bug fixes:
  - Fixed false positive of `IsolatedV2` with `Azure.AppService.MinPlan` by @BernieWhite. #2277
What's changed since v1.27.1:
- Bug fixes:
What's changed since v1.27.0:
- Bug fixes:
  - Fixed depends on ordering fails to expand deployment by @BernieWhite. #2255
What's changed since v1.26.1:
- New features:
  - Experimental: Added support for expanding deployments from `.bicepparam` files by @BernieWhite. #2132
    - See Using Bicep source for details.
- New rules:
  - Application Gateway:
    - Check that Application Gateways use a v2 SKU by @BenjaminEngeset. #2185
  - API Management:
  - Arc-enabled Kubernetes cluster:
    - Check that Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters is configured by @BenjaminEngeset. #2124
  - Arc-enabled server:
    - Check that a maintenance configuration for Arc-enabled servers is associated by @BenjaminEngeset. #2122
  - Container App:
  - Cosmos DB:
    - Check that Cosmos DB accounts have enabled Microsoft Defender by @BenjaminEngeset. #2203
  - Defender for Cloud:
    - Check that sensitive data threat detection in Microsoft Defender for Storage is enabled by @BenjaminEngeset. #2207
    - Check that Malware Scanning in Microsoft Defender for Storage is enabled by @BenjaminEngeset. #2206
    - Check that Microsoft Defender for APIs is enabled by @BenjaminEngeset. #2186
    - Check that Microsoft Defender for Azure Cosmos DB is enabled by @BenjaminEngeset. #2204
    - Check that Microsoft Defender for open-source relational databases is enabled by @BenjaminEngeset. #1632
    - Check that Microsoft Defender Cloud Security Posture Management is using the `Standard` plan by @BenjaminEngeset. #2151
  - Key Vault:
    - Check that key vaults use Azure RBAC as the authorization system for the data plane by @BenjaminEngeset. #1916
  - Storage Account:
    - Check that Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset. #2225
    - Check that sensitive data threat detection in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset. #2207
    - Check that Malware Scanning in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset. #2206
  - Virtual Machine:
    - Check that a maintenance configuration for virtual machines is associated by @BenjaminEngeset. #2121
- General improvements:
  - Added support for Bicep symbolic names by @BernieWhite. #2238
- Updated rules:
  - API Management:
    - Updated `Azure.APIM.EncryptValues` to check all API Management named values are encrypted with Key Vault secrets by @BenjaminEngeset. #2146
  - Container App:
    - Promoted `Azure.ContainerApp.Insecure` to GA rule set by @BernieWhite. #2174
  - Defender for Cloud:
    - Check that Microsoft Defender for Storage v2 is enabled by @BenjaminEngeset. #2205
- Engineering:
  - Bump Microsoft.NET.Test.Sdk to v17.6.0. #2216
- Bug fixes:
  - Fixed ignoring Redis firewall rules when Redis is configured to allow private connectivity by @BenjaminEngeset. #2171
  - Fixed left-side `or` function evaluation by @BernieWhite. #2220
  - Fixed interdependent variable copy loop count by @BernieWhite. #2221
  - Fixed handling of database name in `Azure.MariaDB.Database` by @BernieWhite. #2191
  - Fixed typing error in `Azure.Defender.Api` documentation by @BenjaminEngeset. #2209
  - Fixed `Azure.AKS.UptimeSLA` with new pricing by @BenjaminEngeset. #2065 #2202
  - Fixed false positive on managed identity without space by @BernieWhite. #2235
  - Fixed reference for runtime subnet ID property by @BernieWhite. #2159
What's changed since pre-release v1.27.0-B0186:
- No additional changes.
What's changed since pre-release v1.27.0-B0136:
- New rules:
What's changed since pre-release v1.27.0-B0091:
- New rules:
  - Defender for Cloud:
    - Check that sensitive data threat detection in Microsoft Defender for Storage is enabled by @BenjaminEngeset. #2207
- General improvements:
  - Added support for Bicep symbolic names by @BernieWhite. #2238
- Bug fixes:
  - Fixed false positive on managed identity without space by @BernieWhite. #2235
What's changed since pre-release v1.27.0-B0050:
- New features:
  - Experimental: Added support for expanding deployments from `.bicepparam` files by @BernieWhite. #2132
    - See Using Bicep source for details.
- New rules:
  - Storage Account:
    - Check that Malware Scanning in Microsoft Defender for Storage is enabled for storage accounts by @BenjaminEngeset.
  - Defender for Cloud:
    - Check that Malware Scanning in Microsoft Defender for Storage is enabled by @BenjaminEngeset. #2206
- Bug fixes:
What's changed since pre-release v1.27.0-B0015:
- New rules:
  - Application Gateway:
    - Check that Application Gateways use a v2 SKU by @BenjaminEngeset. #2185
  - Arc-enabled Kubernetes cluster:
    - Check that Microsoft Defender for Containers extension for Arc-enabled Kubernetes clusters is configured by @BenjaminEngeset. #2124
  - Arc-enabled server:
    - Check that a maintenance configuration for Arc-enabled servers is associated by @BenjaminEngeset. #2122
  - Container App:
  - Cosmos DB:
    - Check that Cosmos DB accounts have enabled Microsoft Defender by @BenjaminEngeset. #2203
  - Defender for Cloud:
  - Virtual Machine:
    - Check that a maintenance configuration for virtual machines is associated by @BenjaminEngeset. #2121
- Updated rules:
  - Defender for Cloud:
    - Check that Microsoft Defender for Storage v2 is enabled by @BenjaminEngeset. #2205
- Engineering:
  - Bump Microsoft.NET.Test.Sdk to v17.6.0. #2216
- Bug fixes:
What's changed since pre-release v1.27.0-B0003:
- New rules:
- Updated rules:
  - Container App:
    - Promoted `Azure.ContainerApp.Insecure` to GA rule set by @BernieWhite. #2174
- Bug fixes:
  - Fixed ignoring Redis firewall rules when Redis is configured to allow private connectivity by @BenjaminEngeset. #2171
What's changed since v1.26.1:
- Updated rules:
  - API Management:
    - Updated `Azure.APIM.EncryptValues` to check all API Management named values are encrypted with Key Vault secrets by @BenjaminEngeset. #2146
- Bug fixes:
  - Fixed reference for runtime subnet ID property by @BernieWhite. #2159
What's changed since v1.26.0:
- Bug fixes:
What's changed since v1.25.0:
- New features:
  - Added March 2023 baselines `Azure.GA_2023_03` and `Azure.Preview_2023_03` by @BernieWhite. #2138
    - Includes rules released before or during March 2023.
    - Marked `Azure.GA_2022_12` and `Azure.Preview_2022_12` baselines as obsolete.
- New rules:
  - API Management:
    - Check that the wildcard `*` is not used for any configuration option in CORS policy settings by @BenjaminEngeset. #2073
  - Azure Kubernetes Service:
    - Check that the Defender profile is enabled on Azure Kubernetes Service clusters by @BenjaminEngeset. #2123
  - Container App:
    - Check that internal-only ingress for container apps is configured by @BenjaminEngeset. #2098
    - Check that Azure Files volumes for container apps are configured by @BenjaminEngeset. #2101
    - Check that the names of container apps meet the naming requirements by @BenjaminEngeset. #2094
    - Check that managed identity for container apps is configured by @BenjaminEngeset. #2096
    - Check that public network access for container app environments is disabled by @BenjaminEngeset. #2098
  - Deployment:
    - Check that the names of nested deployments meet the naming requirements for deployments by @BenjaminEngeset. #1915
  - IoT Hub:
    - Check that IoT Hubs in supported regions only use TLS 1.2 by @BenjaminEngeset. #1996
  - Service Bus:
    - Check that namespace audit diagnostic logs are enabled by @BenjaminEngeset. #1862
  - SQL Database:
  - SQL Managed Instance:
- Updated rules:
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.Version` to use latest stable version `1.25.6` by @BernieWhite. #2136
      - Use `AZURE_AKS_CLUSTER_MINIMUM_VERSION` to configure the minimum version of the cluster.
- General improvements:
- Engineering:
- Bug fixes:
What's changed since pre-release v1.26.0-B0078:
- No additional changes.
What's changed since pre-release v1.26.0-B0040:
- General improvements:
  - Improved export of in-flight deeply nested API Management policies by @BernieWhite. #2153
- Engineering:
- Bug fixes:
  - Fixed false positives for `Azure.AppService.AlwaysOn` with Functions and Workflows by @BernieWhite. #943
What's changed since pre-release v1.26.0-B0011:
- New features:
  - Added March 2023 baselines `Azure.GA_2023_03` and `Azure.Preview_2023_03` by @BernieWhite. #2138
    - Includes rules released before or during March 2023.
    - Marked `Azure.GA_2022_12` and `Azure.Preview_2022_12` baselines as obsolete.
- New rules:
  - API Management:
    - Check that the wildcard `*` is not used for any configuration option in CORS policy settings by @BenjaminEngeset. #2073
  - Azure Kubernetes Service:
    - Check that the Defender profile is enabled on Azure Kubernetes Service clusters by @BenjaminEngeset. #2123
  - Container App:
  - SQL Database:
  - SQL Managed Instance:
- Updated rules:
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.Version` to use latest stable version `1.25.6` by @BernieWhite. #2136
      - Use `AZURE_AKS_CLUSTER_MINIMUM_VERSION` to configure the minimum version of the cluster.
- Bug fixes:
What's changed since v1.25.0:
- New rules:
  - Container App:
  - Deployment:
    - Check that the names of nested deployments meet the naming requirements for deployments by @BenjaminEngeset. #1915
  - IoT Hub:
    - Check that IoT Hubs in supported regions only use TLS 1.2 by @BenjaminEngeset. #1996
  - Service Bus:
    - Check that namespace audit diagnostic logs are enabled by @BenjaminEngeset. #1862
- General improvements:
  - Added a selector for premium Service Bus namespaces by @BernieWhite. #2091
- Engineering:
What's changed since v1.25.0:
- Bug fixes:
  - Fixed dependency issue of deployments across resource group scopes by @BernieWhite. #2111
What's changed since v1.24.2:
- New features:
  - Experimental: Added `Azure.MCSB.v1`, which includes rules aligned to the Microsoft Cloud Security Benchmark, by @BernieWhite. #1634
- New rules:
- General improvements:
  - Added support for the Bicep `toObject` function by @BernieWhite. #2014
  - Added support for configuring a minimum version of Bicep by @BernieWhite. #1935
    - Configure this option to increase the visibility of the version of the Bicep CLI used by PSRule for Azure.
    - Set `AZURE_BICEP_CHECK_TOOL` to `true` to check the Bicep CLI.
    - Set `AZURE_BICEP_MINIMUM_VERSION` to configure the minimum version.
    - If the Bicep CLI is not installed, or its version is less than the minimum version, an error is reported.
    - By default, the minimum Bicep version is `0.4.451`.
  - Added support for Bicep custom types by @BernieWhite. #2026
- Engineering:
- Bug fixes:
What's changed since pre-release v1.25.0-B0100:
- No additional changes.
What's changed since pre-release v1.25.0-B0100:
- New rules:
  - Event Hub:
    - Check that Event Hub namespaces only use TLS 1.2 by @BenjaminEngeset. #1995
What's changed since pre-release v1.25.0-B0065:
- New rules:
  - Key Vault:
    - Check if the firewall is set to deny by @zilberd. #2067
What's changed since pre-release v1.25.0-B0035:
- General improvements:
  - Added support for the Bicep `toObject` function by @BernieWhite. #2014
- Engineering:
- Bug fixes:
  - Fixed the SQL Transparent Data Encryption (TDE) check so it works properly on all resources, including exported resources, by @zilberd. #2059
What's changed since pre-release v1.25.0-B0013:
- New rules:
- General improvements:
  - Added support for configuring a minimum version of Bicep by @BernieWhite. #1935
    - Configure this option to increase the visibility of the version of the Bicep CLI used by PSRule for Azure.
    - Set `AZURE_BICEP_CHECK_TOOL` to `true` to check the Bicep CLI.
    - Set `AZURE_BICEP_MINIMUM_VERSION` to configure the minimum version.
    - If the Bicep CLI is not installed, or its version is less than the minimum version, an error is reported.
    - By default, the minimum Bicep version is `0.4.451`.
- Engineering:
  - Bump Az.Resources to v6.5.2. #2037
- Bug fixes:
  - Fixed cases of exit code 5 with path probing by @BernieWhite. #1901
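The Bicep minimum version option described in the v1.25.0 entries above is set through the `ps-rule.yaml` options file. The fragment below is an added example written for this page, not configuration taken from the PSRule for Azure repository: the two option names come from the changelog entry, `AZURE_BICEP_FILE_EXPANSION` is an existing option not listed on this page, and the minimum version `0.14.6` is an illustrative choice rather than a project recommendation.

```yaml
# ps-rule.yaml (added example, not part of the PSRule for Azure repository)
configuration:
  # Bicep sources are only expanded and checked when expansion is enabled.
  AZURE_BICEP_FILE_EXPANSION: true

  # Fail the run when the Bicep CLI is missing or older than the minimum
  # below, instead of silently expanding with whatever CLI is on PATH.
  AZURE_BICEP_CHECK_TOOL: true

  # Illustrative value; the built-in default is 0.4.451. Quote the version
  # so YAML keeps it as a string rather than parsing it as a number.
  AZURE_BICEP_MINIMUM_VERSION: '0.14.6'
```

Pinning a minimum version matters in CI because a stale Bicep CLI can expand a template differently from the one developers build locally, so rules run against a different resource graph than the one that gets deployed; with the check enabled the run errors out instead of producing misleading results.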
What's changed since v1.24.2:
- New features:
  - Experimental: Added `Azure.MCSB.v1`, which includes rules aligned to the Microsoft Cloud Security Benchmark, by @BernieWhite. #1634
- New rules:
  - Virtual Machine:
    - Virtual machines should be fully deallocated and not stopped by @dcrreynolds. #88
- General improvements:
  - Added support for Bicep custom types by @BernieWhite. #2026
- Engineering:
This is a republish of v1.24.1 to fix a release issue. What's changed since v1.24.0:
- Bug fixes:
  - Fixed Bicep expand object or null by @BernieWhite. #2021
What's changed since v1.24.0:
- Bug fixes:
  - Fixed Bicep expand object or null by @BernieWhite. #2021
What's changed since v1.23.0:
- General improvements:
  - Updated `Export-AzRuleData` to improve export performance by @BernieWhite. #1341
    - Removed the `Az.Resources` dependency.
    - Added async threading for export concurrency.
    - Improved performance by automatically looking up API versions using the provider cache.
  - Added support for Bicep lambda functions by @BernieWhite. #1536
    - Bicep `filter`, `map`, `reduce`, and `sort` are supported.
    - Support for `flatten` was previously added in v1.23.0.
  - Added optimization for policy type conditions by @BernieWhite. #1966
- Engineering:
- Bug fixes:
  - Fixed `Export-AzRuleData` may not export all data if throttled by @BernieWhite. #1341
  - Fixed failed to expand nested deployment with runtime shallow parameter by @BernieWhite. #2004
  - Fixed `apiVersion` comparison of `requestContext` by @BernieWhite. #1654
  - Fixed simple cases for field type expressions by @BernieWhite. #1323
What's changed since pre-release v1.24.0-B0035:
- No additional changes.
What's changed since pre-release v1.24.0-B0013:
- General improvements:
- Engineering:
  - Updated resource providers and policy aliases. #1736
- Bug fixes:
What's changed since v1.23.0:
- General improvements:
  - Updated `Export-AzRuleData` to improve export performance by @BernieWhite. #1341
    - Removed the `Az.Resources` dependency.
    - Added async threading for export concurrency.
    - Improved performance by automatically looking up API versions using the provider cache.
- Engineering:
- Bug fixes:
  - Fixed `Export-AzRuleData` may not export all data if throttled by @BernieWhite. #1341
What's changed since v1.22.2:
- New features:
  - Added December 2022 baselines `Azure.GA_2022_12` and `Azure.Preview_2022_12` by @BernieWhite. #1961
    - Includes rules released before or during December 2022.
    - Marked `Azure.GA_2022_09` and `Azure.Preview_2022_09` baselines as obsolete.
- New rules:
  - API Management:
    - Check that API Management instances have multi-region deployment gateways enabled by @BenjaminEngeset. #1910
  - Application Gateway:
    - Check that Application Gateway names meet naming requirements by @BenjaminEngeset. #1943
  - Azure Cache for Redis:
    - Check that Azure Cache for Redis instances use Redis 6 by @BenjaminEngeset. #1077
  - Azure Database for MariaDB:
    - Check that Azure Database for MariaDB servers limit the number of IP addresses permitted by the firewall by @BenjaminEngeset. #1856
    - Check that Azure Database for MariaDB servers limit the number of firewall rules by @BenjaminEngeset. #1855
    - Check that Azure Database for MariaDB servers do not bypass the firewall for Azure services by @BenjaminEngeset. #1857
  - Bastion:
    - Check that Bastion host names meet naming requirements by @BenjaminEngeset. #1950
  - Recovery Services Vault:
    - Check that Recovery Services vault names meet naming requirements by @BenjaminEngeset. #1953
  - Virtual Machine:
    - Check that virtual machines have the Azure Monitor Agent installed by @BenjaminEngeset. #1868
  - Virtual Machine Scale Sets:
    - Check that virtual machine scale sets have the Azure Monitor Agent installed by @BenjaminEngeset. #1867
- Updated rules:
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.Version` to use latest stable version `1.25.4` by @BernieWhite. #1960
      - Use `AZURE_AKS_CLUSTER_MINIMUM_VERSION` to configure the minimum version of the cluster.
- General improvements:
- Engineering:
- Bug fixes:
  - Fixed `Azure.AKS.Version` to ignore clusters with auto-upgrade enabled by @BenjaminEngeset. #1926
What's changed since pre-release v1.23.0-B0072:
- No additional changes.
What's changed since pre-release v1.23.0-B0046:
- New features:
  - Added December 2022 baselines `Azure.GA_2022_12` and `Azure.Preview_2022_12` by @BernieWhite. #1961
    - Includes rules released before or during December 2022.
    - Marked `Azure.GA_2022_09` and `Azure.Preview_2022_09` baselines as obsolete.
- Updated rules:
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.Version` to use latest stable version `1.25.4` by @BernieWhite. #1960
      - Use `AZURE_AKS_CLUSTER_MINIMUM_VERSION` to configure the minimum version of the cluster.
- General improvements:
  - Improved handling of policy definition modes by using the supports-tags selector by @BernieWhite. #1946
- Engineering:
  - Bump Microsoft.NET.Test.Sdk to v17.4.1. #1964
What's changed since pre-release v1.23.0-B0025:
- New rules:
- Bug fixes:
  - Fixed `Azure.Deployment.SecureValue` with `reference` function expression by @BernieWhite. #1882
What's changed since pre-release v1.23.0-B0009:
- New rules:
  - Application Gateway:
    - Check that Application Gateway names meet naming requirements by @BenjaminEngeset. #1943
  - Azure Cache for Redis:
    - Check that Azure Cache for Redis instances use Redis 6 by @BenjaminEngeset. #1077
  - Virtual Machine Scale Sets:
    - Check that virtual machine scale sets have the Azure Monitor Agent installed by @BenjaminEngeset. #1867
- General improvements:
- Engineering:
  - Bump Az.Resources to v6.5.0. #1945
What's changed since v1.22.1:
- New rules:
  - API Management:
    - Check that API Management instances have multi-region deployment gateways enabled by @BenjaminEngeset. #1910
  - Azure Database for MariaDB:
    - Check that Azure Database for MariaDB servers limit the number of IP addresses permitted by the firewall by @BenjaminEngeset. #1856
    - Check that Azure Database for MariaDB servers limit the number of firewall rules by @BenjaminEngeset. #1855
    - Check that Azure Database for MariaDB servers do not bypass the firewall for Azure services by @BenjaminEngeset. #1857
  - Virtual Machine:
    - Check that virtual machines have the Azure Monitor Agent installed by @BenjaminEngeset. #1868
- Bug fixes:
  - Fixed `Azure.AKS.Version` to ignore clusters with auto-upgrade enabled by @BenjaminEngeset. #1926
What's changed since v1.22.1:
- Bug fixes:
  - Fixed `Azure.Deployment.SecureValue` with `reference` function expression by @BernieWhite. #1882
What's changed since v1.22.0:
- Bug fixes:
  - Fixed template parameter does not use the required format by @BernieWhite. #1930
What's changed since v1.21.2:
- New rules:
  - API Management:
  - App Service Environment:
    - Check that App Service Environments use version 3 (ASEv3) instead of the classic version 1 (ASEv1) or version 2 (ASEv2) by @BenjaminEngeset. #1805
  - Azure Database for MariaDB:
    - Check that Azure Database for MariaDB server, database, firewall rule and VNET rule names meet naming requirements by @BenjaminEngeset. #1854
    - Check that Azure Database for MariaDB servers only use TLS 1.2 by @BenjaminEngeset. #1853
    - Check that Azure Database for MariaDB servers only accept encrypted connections by @BenjaminEngeset. #1852
    - Check that Azure Database for MariaDB servers have Microsoft Defender configured by @BenjaminEngeset. #1850
    - Check that Azure Database for MariaDB servers have geo-redundant backup configured by @BenjaminEngeset. #1848
  - Azure Database for PostgreSQL:
  - Azure Database for MySQL:
    - Check that Azure Database for MySQL servers have Microsoft Defender configured by @BenjaminEngeset. #287
    - Check that Azure Database for MySQL servers use the flexible deployment model by @BenjaminEngeset. #1841
    - Check that Azure Database for MySQL flexible servers have geo-redundant backup configured by @BenjaminEngeset. #1840
    - Check that Azure Database for MySQL servers have geo-redundant backup configured by @BenjaminEngeset. #284
  - Azure Resource Deployments:
  - Front Door:
    - Check that Front Door uses caching by @BenjaminEngeset. #548
  - Virtual Machine:
    - Check that virtual machines running SQL Server use Premium disks or above by @BenjaminEngeset. #9
  - Virtual Network:
    - Check that VNETs with a GatewaySubnet also have an AzureFirewallSubnet by @BernieWhite. #875
- General improvements:
  - Added debug logging improvements for Bicep expansion by @BernieWhite. #1901
- Engineering:
- Bug fixes:
  - Fixed ref and name duplicated by @BernieWhite. #1876
  - Fixed an item with the same key for parameters by @BernieWhite. #1871
  - Fixed policy parse of `requestContext` function by @BernieWhite. #1654
  - Fixed handling of policy type field by @BernieWhite. #1323
  - Fixed `Azure.AppService.WebProbe` with non-boolean value set by @BernieWhite. #1906
  - Fixed managed identity flagged as secret by `Azure.Deployment.OutputSecretValue` by @BernieWhite. #1826 #1886
  - Fixed missing support for diagnostic settings category groups by @BenjaminEngeset. #1873
What's changed since pre-release v1.22.0-B0203:
- No additional changes.
What's changed since pre-release v1.22.0-B0153:
- General improvements:
  - Added debug logging improvements for Bicep expansion by @BernieWhite. #1901
- Bug fixes:
  - Fixed `Azure.AppService.WebProbe` with non-boolean value set by @BernieWhite. #1906
What's changed since pre-release v1.22.0-B0106:
- Bug fixes:
What's changed since pre-release v1.22.0-B0062:
- New rules:
- Engineering:
- Bug fixes:
What's changed since pre-release v1.22.0-B0026:
- New rules:
  - Azure Database for MariaDB:
    - Check that Azure Database for MariaDB servers only use TLS 1.2 by @BenjaminEngeset. #1853
    - Check that Azure Database for MariaDB servers only accept encrypted connections by @BenjaminEngeset. #1852
    - Check that Azure Database for MariaDB servers have Microsoft Defender configured by @BenjaminEngeset. #1850
    - Check that Azure Database for MariaDB servers have geo-redundant backup configured by @BenjaminEngeset. #1848
  - Azure Database for PostgreSQL:
  - Azure Database for MySQL:
    - Check that Azure Database for MySQL servers have Microsoft Defender configured by @BenjaminEngeset. #287
    - Check that Azure Database for MySQL servers use the flexible deployment model by @BenjaminEngeset. #1841
    - Check that Azure Database for MySQL flexible servers have geo-redundant backup configured by @BenjaminEngeset. #1840
    - Check that Azure Database for MySQL servers have geo-redundant backup configured by @BenjaminEngeset. #284
  - Azure Resource Deployments:
  - Virtual Machine:
    - Check that virtual machines running SQL Server use Premium disks or above by @BenjaminEngeset. #9
- Engineering:
- Bug fixes:
  - Fixed missing support for diagnostic settings category groups by @BenjaminEngeset. #1873
What's changed since pre-release v1.22.0-B0011:
- New rules:
  - API Management:
    - Check that API Management instances limit control plane API calls to API Management with version `2021-08-01` or newer by @BenjaminEngeset. #1819
- Engineering:
  - Bump Az.Resources to v6.4.0. #1829
- Bug fixes:
What's changed since v1.21.0:
- New rules:
  - App Service Environment:
    - Check that App Service Environments use version 3 (ASEv3) instead of the classic version 1 (ASEv1) or version 2 (ASEv2) by @BenjaminEngeset. #1805
  - Front Door:
    - Check that Front Door uses caching by @BenjaminEngeset. #548
  - Virtual Network:
    - Check that VNETs with a GatewaySubnet also have an AzureFirewallSubnet by @BernieWhite. #875
What's changed since v1.21.1:
- Bug fixes:
What's changed since v1.21.0:
- Bug fixes:
What's changed since v1.20.2:
- New features:
  - Mapping of Azure Security Benchmark v3 to security rules by @jagoodwin. #1610
- New rules:
  - Deployment:
    - Check that sensitive resource values use secure parameters by @VeraBE @BernieWhite. #1773
  - Service Bus:
    - Check that Service Bus namespaces use TLS 1.2 by @BenjaminEngeset. #1777
  - Virtual Machine:
    - Check that virtual machines use the Azure Monitor Agent instead of the legacy Log Analytics agent by @BenjaminEngeset. #1792
  - Virtual Machine Scale Sets:
    - Check that virtual machine scale sets use the Azure Monitor Agent instead of the legacy Log Analytics agent by @BenjaminEngeset. #1792
  - Virtual Network:
    - Check that VNETs with a GatewaySubnet also have an AzureBastionSubnet by @BenjaminEngeset. #1761
- General improvements:
  - Added a built-in list of ignored policy definitions by @BernieWhite. #1730
    - To ignore additional policy definitions, use the `AZURE_POLICY_IGNORE_LIST` configuration option.
- Engineering:
What's changed since pre-release v1.21.0-B0050:
- No additional changes.
What's changed since pre-release v1.21.0-B0027:
- New rules:
- Engineering:
- Bug fixes:
  - Fixed contains function unable to match array by @BernieWhite. #1793
What's changed since pre-release v1.21.0-B0011:
- New rules:
What's changed since v1.20.1:
- New features:
  - Mapping of Azure Security Benchmark v3 to security rules by @jagoodwin. #1610
- New rules:
  - Virtual Network:
    - Check that VNETs with a GatewaySubnet also have an AzureBastionSubnet by @BenjaminEngeset. #1761
- General improvements:
  - Added a built-in list of ignored policy definitions by @BernieWhite. #1730
    - To ignore additional policy definitions, use the `AZURE_POLICY_IGNORE_LIST` configuration option.
- Engineering:
What's changed since v1.20.1:
- Bug fixes:
  - Fixed contains function unable to match array by @BernieWhite. #1793
What's changed since v1.20.0:
- Bug fixes:
  - Fixed expanding Bicep source when reading JsonContent into a parameter by @BernieWhite. #1780
What's changed since v1.19.2:
- New features:
  - Added September 2022 baselines `Azure.GA_2022_09` and `Azure.Preview_2022_09` by @BernieWhite. #1738
    - Includes rules released before or during September 2022.
    - Marked `Azure.GA_2022_06` and `Azure.Preview_2022_06` baselines as obsolete.
- New rules:
  - AKS:
    - Check that clusters use an ephemeral OS disk by @BenjaminEngeset. #1618
  - App Configuration:
    - Check that the App Configuration store has purge protection enabled by @BenjaminEngeset. #1689
    - Check that the App Configuration store has one or more replicas by @BenjaminEngeset. #1688
    - Check that App Configuration store audit diagnostic logs are enabled by @BenjaminEngeset. #1690
    - Check that identity-based authentication is used for configuration stores by @pazdedav. #1691
  - Application Gateway WAF:
  - Azure Cache for Redis:
  - CDN:
    - Check that the CDN profile uses the Front Door Standard or Premium tier by @BenjaminEngeset. #1612
  - Container Registry:
    - Check that the soft delete policy is enabled by @BenjaminEngeset. #1674
  - Defender for Cloud:
    - Check that Microsoft Defender for Containers is enabled by @jdewisscher. #1632
    - Check that Microsoft Defender for Servers is enabled by @jdewisscher. #1632
    - Check that Microsoft Defender for SQL is enabled by @jdewisscher. #1632
    - Check that Microsoft Defender for App Services is enabled by @jdewisscher. #1632
    - Check that Microsoft Defender for Storage is enabled by @jdewisscher. #1632
    - Check that Microsoft Defender for SQL Servers on VMs is enabled by @jdewisscher. #1632
  - Deployment:
    - Check that nested deployments securely pass through administrator usernames by @ms-sambell. #1479
  - Front Door WAF:
  - Network Security Group:
    - Check that AKS-managed NSGs don't contain custom rules by @ms-sambell. #8
  - Storage Account:
  - VMSS:
    - Check that Linux VMSS has password authentication disabled by @BenjaminEngeset. #1635
- Updated rules:
  - Important change: Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz. #545
    - The following rules have been renamed with aliases:
      - Renamed `Azure.SQL.ThreatDetection` to `Azure.SQL.DefenderCloud`.
      - Renamed `Azure.SecurityCenter.Contact` to `Azure.DefenderCloud.Contact`.
      - Renamed `Azure.SecurityCenter.Provisioning` to `Azure.DefenderCloud.Provisioning`.
    - If you are referencing the old names, please consider updating to the new names.
  - Updated documentation examples for Front Door and Key Vault rules by @lluppesms. #1667
  - Improved the way we check that a VM or VMSS has Linux by @verabe. #1704
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.Version` to use latest stable version `1.23.8` by @BernieWhite. #1627
      - Use `AZURE_AKS_CLUSTER_MINIMUM_VERSION` to configure the minimum version of the cluster.
  - Event Grid:
    - Promoted `Azure.EventGrid.DisableLocalAuth` to GA rule set by @BernieWhite. #1628
  - Key Vault:
    - Promoted `Azure.KeyVault.AutoRotationPolicy` to GA rule set by @BernieWhite. #1629
- General improvements:
  - Updated NSG documentation with code snippets and links by @simone-bennett. #1607
  - Updated Application Gateway documentation with code snippets by @ms-sambell. #1608
  - Updated SQL firewall rules documentation by @ms-sambell. #1569
  - Updated Container Apps documentation and rule to new resource type by @marie-schmidt. #1672
  - Updated Key Vault and Front Door documentation with code snippets by @lluppesms. #1667
  - Added tag and annotation metadata from policy for rules generation by @BernieWhite. #1652
  - Added hash to `name` and `ref` properties for policy rules by @ArmaanMcleod. #1653
    - Use `AZURE_POLICY_RULE_PREFIX` or `Export-AzPolicyAssignmentRuleData -RulePrefix` to override the rule prefix.
- Engineering:
- Bug fixes:
  - Fixed continue processing policy assignments on error by @BernieWhite. #1651
  - Fixed handling of runtime assessment data by @BernieWhite. #1707
  - Fixed conversion of type conditions to pre-conditions by @BernieWhite. #1708
  - Fixed inconclusive failure of `Azure.Deployment.AdminUsername` by @BernieWhite. #1631
  - Fixed error expanding with `json()` and single quotes by @BernieWhite. #1656
  - Fixed handling of key collision with duplicate definitions using the same parameters by @ArmaanMcleod. #1653
  - Fixed bug requiring all diagnostic log settings to have auditing enabled by @BenjaminEngeset. #1726
  - Fixed `Azure.Deployment.AdminUsername` incorrectly fails with nested deployments by @BernieWhite. #1762
  - Fixed `Azure.FrontDoorWAF.Exclusions` reports exclusions when none are specified by @BernieWhite. #1751
  - Fixed `Azure.Deployment.AdminUsername` does not match the pattern by @BernieWhite. #1758
  - Consider private offerings when checking that a VM or VMSS has Linux by @verabe. #1725
What's changed since pre-release v1.20.0-B0477:
- No additional changes.
What's changed since pre-release v1.20.0-B0389:
- General improvements:
  - Added hash to `name` and `ref` properties for policy rules by @ArmaanMcleod. #1653
    - Use `AZURE_POLICY_RULE_PREFIX` or `Export-AzPolicyAssignmentRuleData -RulePrefix` to override the rule prefix.
What's changed since pre-release v1.20.0-B0304:
- New rules:
  - App Configuration:
    - Check that the App Configuration store has purge protection enabled by @BenjaminEngeset. #1689
- Bug fixes:
  - Fixed `Azure.Deployment.AdminUsername` incorrectly fails with nested deployments by @BernieWhite. #1762
What's changed since pre-release v1.20.0-B0223:
- Engineering:
- Bug fixes:
What's changed since pre-release v1.20.0-B0148:
- New features:
  - Added September 2022 baselines `Azure.GA_2022_09` and `Azure.Preview_2022_09` by @BernieWhite. #1738
    - Includes rules released before or during September 2022.
    - Marked `Azure.GA_2022_06` and `Azure.Preview_2022_06` baselines as obsolete.
- New rules:
  - App Configuration:
    - Check that the App Configuration store has one or more replicas by @BenjaminEngeset. #1688
- Engineering:
- Bug fixes:
What's changed since pre-release v1.20.0-B0085:
- New rules:
  - App Configuration:
    - Check that App Configuration store audit diagnostic logs are enabled by @BenjaminEngeset. #1690
- Engineering:
  - Bump Microsoft.NET.Test.Sdk to v17.3.2. #1719
- Bug fixes:
  - Fixed error expanding with `json()` and single quotes by @BernieWhite. #1656
What's changed since pre-release v1.20.0-B0028:
- New rules:
  - Azure Cache for Redis:
  - App Configuration:
    - Check that identity-based authentication is used for configuration stores by @pazdedav. #1691
  - Container Registry:
    - Check that the soft delete policy is enabled by @BenjaminEngeset. #1674
  - Defender for Cloud:
    - Check that Microsoft Defender for Cloud is enabled for Containers by @jdewisscher. #1632
    - Check that Microsoft Defender for Cloud is enabled for Virtual Machines by @jdewisscher. #1632
    - Check that Microsoft Defender for Cloud is enabled for SQL Servers by @jdewisscher. #1632
    - Check that Microsoft Defender for Cloud is enabled for App Services by @jdewisscher. #1632
    - Check that Microsoft Defender for Cloud is enabled for Storage Accounts by @jdewisscher. #1632
    - Check that Microsoft Defender for Cloud is enabled for SQL Servers on machines by @jdewisscher. #1632
  - Network Security Group:
    - Check that AKS-managed NSGs don't contain custom rules by @ms-sambell. #8
  - Storage Account:
- Updated rules:
  - Important change: Updated rules, tests and docs with Microsoft Defender for Cloud by @jonathanruiz. #545
    - The following rules have been renamed with aliases:
      - Renamed `Azure.SQL.ThreatDetection` to `Azure.SQL.DefenderCloud`.
      - Renamed `Azure.SecurityCenter.Contact` to `Azure.DefenderCloud.Contact`.
      - Renamed `Azure.SecurityCenter.Provisioning` to `Azure.DefenderCloud.Provisioning`.
    - If you are referencing the old names, please consider updating to the new names.
  - Updated documentation examples for Front Door and Key Vault rules by @lluppesms. #1667
  - Improved the way we check that a VM or VMSS has Linux by @verabe. #1704
- General improvements:
  - Updated NSG documentation with code snippets and links by @simone-bennett. #1607
  - Updated Application Gateway documentation with code snippets by @ms-sambell. #1608
  - Updated SQL firewall rules documentation by @ms-sambell. #1569
  - Updated Container Apps documentation and rule to new resource type by @marie-schmidt. #1672
  - Updated Key Vault and Front Door documentation with code snippets by @lluppesms. #1667
  - Added tag and annotation metadata from policy for rules generation by @BernieWhite. #1652
- Bug fixes:
What's changed since pre-release v1.20.0-B0004:
- New rules:
- Updated rules:
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.Version` to use latest stable version `1.23.8` by @BernieWhite. #1627
      - Use `AZURE_AKS_CLUSTER_MINIMUM_VERSION` to configure the minimum version of the cluster.
  - Event Grid:
    - Promoted `Azure.EventGrid.DisableLocalAuth` to GA rule set by @BernieWhite. #1628
  - Key Vault:
    - Promoted `Azure.KeyVault.AutoRotationPolicy` to GA rule set by @BernieWhite. #1629
- Engineering:
- Bug fixes:
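Three configuration options recur in the v1.20.0 and v1.21.0 entries above: `AZURE_AKS_CLUSTER_MINIMUM_VERSION` (the floor for `Azure.AKS.Version`), `AZURE_POLICY_RULE_PREFIX` (the prefix for rules generated from policy assignments, equivalent to `Export-AzPolicyAssignmentRuleData -RulePrefix`), and `AZURE_POLICY_IGNORE_LIST` (policy definitions to skip on top of the built-in ignore list). The `ps-rule.yaml` fragment below is an added example written for this page, not configuration from the PSRule for Azure repository; the option names and the `1.23.8` version come from the changelog entries, while the `Contoso` prefix and the all-zero policy definition ID are placeholders.

```yaml
# ps-rule.yaml (added example, not part of the PSRule for Azure repository)
configuration:
  # Azure.AKS.Version fails clusters below this version. Without it the rule
  # uses its built-in latest-stable default (1.23.8 in the v1.20.0 entry).
  # Quote the value so YAML keeps it as a string.
  AZURE_AKS_CLUSTER_MINIMUM_VERSION: '1.23.8'

  # Prefix for rule names generated from policy assignments; placeholder
  # value, the same effect as Export-AzPolicyAssignmentRuleData -RulePrefix.
  AZURE_POLICY_RULE_PREFIX: 'Contoso'

  # Policy definition IDs to skip during rule generation, in addition to the
  # built-in ignore list. The ID below is a placeholder, not a real policy.
  AZURE_POLICY_IGNORE_LIST:
    - '/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000'
```

When raising the AKS minimum, keep it at or below the oldest version you actually support in production; a floor above what clusters with auto-upgrade enabled have reached yet only produces failures you cannot act on, which is why the v1.23.0 fix above made the rule skip auto-upgrading clusters.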
What's changed since v1.19.1:
- New rules:
  - Azure Resources:
    - Check that nested deployments securely pass through administrator usernames by @ms-sambell. #1479
- Engineering:
  - Bump Microsoft.NET.Test.Sdk to v17.3.1. #1603
What's changed since v1.19.1:
- Bug fixes:
  - Fixed function `dateTimeAdd` errors handling `utcNow` output by @BernieWhite. #1637
What's changed since v1.19.0:
- Bug fixes:
  - Fixed `Azure.VNET.UseNSGs` is missing exceptions by @BernieWhite. #1609
    - Added exclusions for `RouteServerSubnet` and any subnet with a dedicated HSM delegation.
What's changed since v1.18.1:
- New rules:
  - Azure Kubernetes Service:
    - Check that clusters use the uptime SLA by @BenjaminEngeset. #1601
- General improvements:
  - Updated rule level for the following rules by @BernieWhite. #1551
    - Set `Azure.APIM.APIDescriptors` to warning from error.
    - Set `Azure.APIM.ProductDescriptors` to warning from error.
    - Set `Azure.Template.UseLocationParameter` to warning from error.
    - Set `Azure.Template.UseComments` to information from error.
    - Set `Azure.Template.UseDescriptions` to information from error.
  - Improved reporting of the failing resource property for rules by @BernieWhite. #1429
- Engineering:
  - Added publishing of symbols for NuGet packages by @BernieWhite. #1549
  - Bump Az.Resources to v6.1.0. #1557
  - Bump Microsoft.NET.Test.Sdk to v17.3.0. #1563
  - Bump PSRule to v2.3.2. #1574
  - Bump support projects to .NET 6 by @BernieWhite. #1560
  - Bump BenchmarkDotNet to v0.13.2. #1593
  - Bump BenchmarkDotNet.Diagnostics.Windows to v0.13.2. #1594
  - Updated provider data for analysis. #1598
- Bug fixes:
What's changed since pre-release v1.19.0-B0077:
- No additional changes.
What's changed since pre-release v1.19.0-B0042:
- New rules:
  - Azure Kubernetes Service:
    - Check that clusters use the uptime SLA by @BenjaminEngeset. #1601
What's changed since pre-release v1.19.0-B0010:
- General improvements:
  - Improved reporting of the failing resource property for rules by @BernieWhite. #1429
- Engineering:
- Bug fixes:
What's changed since v1.18.1:
- General improvements:
  - Updated rule level for the following rules by @BernieWhite. #1551
    - Set `Azure.APIM.APIDescriptors` to warning from error.
    - Set `Azure.APIM.ProductDescriptors` to warning from error.
    - Set `Azure.Template.UseLocationParameter` to warning from error.
    - Set `Azure.Template.UseComments` to information from error.
    - Set `Azure.Template.UseDescriptions` to information from error.
- Engineering:
What's changed since v1.18.0:
- Bug fixes:
What's changed since v1.17.1:
- New rules:
- Cognitive Services:
- Check accounts use network access restrictions by @BernieWhite. #1532
- Check accounts use managed identities to access Azure resources by @BernieWhite. #1532
- Check accounts only accept requests using Azure AD identities by @BernieWhite. #1532
- Check accounts disable access using public endpoints by @BernieWhite. #1532
- General improvements:
- Engineering:
- Bug fixes:
- Fixed `Azure.SQL.TDE` is not required to enable Transparent Data Encryption for IaC by @BernieWhite. #1530
What's changed since pre-release v1.18.0-B0027:
- No additional changes.
What's changed since pre-release v1.18.0-B0010:
- New rules:
- Cognitive Services:
- Check accounts use network access restrictions by @BernieWhite. #1532
- Check accounts use managed identities to access Azure resources by @BernieWhite. #1532
- Check accounts only accept requests using Azure AD identities by @BernieWhite. #1532
- Check accounts disable access using public endpoints by @BernieWhite. #1532
- General improvements:
- Engineering:
- Bug fixes:
- Fixed `Azure.SQL.TDE` is not required to enable Transparent Data Encryption for IaC by @BernieWhite. #1530
What's changed since pre-release v1.18.0-B0002:
- General improvements:
- Improved output of full path to emitted resources by @BernieWhite. #1523
- Engineering:
- Bump Az.Resources to v6.0.1. #1521
What's changed since v1.17.1:
- Engineering:
- Added readme and tags to NuGet by @BernieWhite. #1513
What's changed since v1.17.0:
- Bug fixes:
What's changed since v1.16.1:
- New features:
- Added more field count expression support for Azure Policy JSON rules by @ArmaanMcleod. #181
- Added June 2022 baselines `Azure.GA_2022_06` and `Azure.Preview_2022_06` by @BernieWhite. #1499
- Includes rules released before or during June 2022.
- Marked `Azure.GA_2022_03` and `Azure.Preview_2022_03` baselines as obsolete.
- New rules:
- Deployment:
- Check for secure values in outputs by @BernieWhite. #297
- Engineering:
- Bug fixes:
What's changed since pre-release v1.17.0-B0064:
- No additional changes.
What's changed since pre-release v1.17.0-B0035:
- Engineering:
- Bug fixes:
- Fixed TDE property status to state by @Dylan-Prins. #1505
What's changed since pre-release v1.17.0-B0014:
- New features:
- Added June 2022 baselines `Azure.GA_2022_06` and `Azure.Preview_2022_06` by @BernieWhite. #1499
- Includes rules released before or during June 2022.
- Marked `Azure.GA_2022_03` and `Azure.Preview_2022_03` baselines as obsolete.
- Engineering:
What's changed since v1.16.1:
- New features:
- Added more field count expression support for Azure Policy JSON rules by @ArmaanMcleod. #181
- New rules:
- Deployment:
- Check for secure values in outputs by @BernieWhite. #297
- Engineering:
- Updated NuGet packaging metadata by @BernieWhite. #1428
- Bug fixes:
- Fixed the language expression value fails in outputs by @BernieWhite. #1485
What's changed since v1.16.0:
- Bug fixes:
What's changed since v1.15.2:
- New rules:
- Updated rules:
- Public IP:
- Updated `Azure.PublicIP.AvailabilityZone` to exclude IP addresses for Azure Bastion by @BernieWhite. #1442
- Public IP addresses with the `resource-usage` tag set to `azure-bastion` are excluded.
- General improvements:
- Added support for `dateTimeFromEpoch` and `dateTimeToEpoch` ARM functions by @BernieWhite. #1451
- Engineering:
- Updated built documentation to include rule ref and metadata by @BernieWhite. #1432
- Added ref properties for several rules by @BernieWhite. #1430
- Updated provider data for analysis. #1453
- Bump Microsoft.NET.Test.Sdk to v17.2.0. #1410
- Update CI checks to include required ref property by @BernieWhite. #1431
- Added ref properties for rules by @BernieWhite. #1430
- Bug fixes:
- Fixed `Azure.Template.UseVariables` does not accept function variable names by @BernieWhite. #1427
- Fixed dependency issue within Azure Pipelines `AzurePowerShell` task by @BernieWhite. #1447
- Removed dependency on `Az.Accounts` and `Az.Resources` from manifest. Pre-install these modules to use export cmdlets.
What's changed since pre-release v1.16.0-B0072:
- No additional changes.
What's changed since pre-release v1.16.0-B0041:
- Engineering:
- Bug fixes:
- Fixed dependency issue within Azure Pipelines `AzurePowerShell` task by @BernieWhite. #1447
- Removed dependency on `Az.Accounts` and `Az.Resources` from manifest. Pre-install these modules to use export cmdlets.
What's changed since pre-release v1.16.0-B0017:
- Updated rules:
- Public IP:
- Updated `Azure.PublicIP.AvailabilityZone` to exclude IP addresses for Azure Bastion by @BernieWhite. #1442
- Public IP addresses with the `resource-usage` tag set to `azure-bastion` are excluded.
- General improvements:
- Added support for `dateTimeFromEpoch` and `dateTimeToEpoch` ARM functions by @BernieWhite. #1451
- Engineering:
What's changed since v1.15.2:
- New rules:
- Engineering:
- Bump Microsoft.NET.Test.Sdk to v17.2.0. #1410
- Bug fixes:
- Fixed `Azure.Template.UseVariables` does not accept function variable names by @BernieWhite. #1427
What's changed since v1.15.1:
- Bug fixes:
- Fixed `Azure.AppService.ManagedIdentity` does not accept both system and user assigned by @BernieWhite. #1415
- This also applies to: `Azure.ADX.ManagedIdentity`, `Azure.APIM.ManagedIdentity`, `Azure.EventGrid.ManagedIdentity`, `Azure.Automation.ManagedIdentity`.
- Fixed Web apps with .NET 6 do not meet version constraint of `Azure.AppService.NETVersion` by @BernieWhite. #1414
- This also applies to `Azure.AppService.PHPVersion`.
What's changed since v1.15.0:
- Bug fixes:
What's changed since v1.14.3:
- New features:
- Important change: Added `Azure.Resource.SupportsTags` selector by @BernieWhite. #1339
- Use this selector in custom rules to filter rules to only run against resources that support tags.
- This selector replaces the `SupportsTags` PowerShell function.
- Using the `SupportsTags` function will now result in a warning.
- The `SupportsTags` function will be removed in v2.
- See upgrade notes for more information.
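As an added illustration (this is not code from the changelog or from the PSRule.Rules.Azure module), the following shows what the migration looks like in a custom PowerShell rule: the deprecated `SupportsTags` function in a `-If` precondition is replaced by the `Azure.Resource.SupportsTags` selector in `-With`. The rule name `Org.Azure.Tags`, the file path, and the required tag names and values are assumptions for the example.

```powershell
# Added example: a custom PSRule rule that only runs against Azure resources that support tags.
# Assumed location: .ps-rule/Org.Azure.Rule.ps1, next to ps-rule.yaml.

# Before (deprecated): the SupportsTags PowerShell function used as a precondition.
# This still works but now emits a warning; support is removed in v2.
# Rule 'Org.Azure.Tags' -If { SupportsTags } {
#     $Assert.HasField($TargetObject, 'tags.env')
# }

# After: the Azure.Resource.SupportsTags selector.
# Resource types that cannot carry tags are skipped rather than reported as failures,
# so the rule does not produce noise for child resources that have no tags property.
# Synopsis: Tag-capable resources must declare an owner and a recognised environment.
Rule 'Org.Azure.Tags' -With 'Azure.Resource.SupportsTags' -Tag @{ release = 'GA' } {
    # Assumed organisation policy: an owner tag must exist, and the environment must be one of a fixed set.
    $Assert.HasField($TargetObject, 'tags.owner')
    $Assert.In($TargetObject, 'tags.env', @('prod', 'test', 'dev'))
}
```

The selector is defined by the PSRule.Rules.Azure module, so the module must be loaded for the rule to resolve it, for example by passing `-Module PSRule.Rules.Azure` to `Invoke-PSRule` or `Assert-PSRule` alongside the directory that holds the custom rule.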
- Updated rules:
- Azure Kubernetes Service:
- Updated `Azure.AKS.Version` to use latest stable version `1.22.6` by @BernieWhite. #1386
- Use `AZURE_AKS_CLUSTER_MINIMUM_VERSION` to configure the minimum version of the cluster.
- Engineering:
- Added code signing of module by @BernieWhite. #1379
- Added SBOM manifests to module by @BernieWhite. #1380
- Embedded provider and alias information as manifest resources by @BernieWhite. #1383
- Resources are minified and compressed to improve size and speed.
- Added additional `nodeps` manifest that does not include dependencies for Az modules by @BernieWhite. #1392
- Bump Az.Accounts to 2.7.6. #1338
- Bump Az.Resources to 5.6.0. #1338
- Bump PSRule to 2.1.0. #1338
- Bump Pester to 5.3.3. #1338
- Bug fixes:
What's changed since pre-release v1.15.0-B0053:
- Bug fixes:
- Fixed error calling SupportsTags function by @BernieWhite. #1401
What's changed since pre-release v1.15.0-B0022:
- New features:
- Important change: Added `Azure.Resource.SupportsTags` selector. #1339
- Use this selector in custom rules to filter rules to only run against resources that support tags.
- This selector replaces the `SupportsTags` PowerShell function.
- Using the `SupportsTags` function will now result in a warning.
- The `SupportsTags` function will be removed in v2.
- See upgrade notes for more information.
- Engineering:
- Embedded provider and alias information as manifest resources. #1383
- Resources are minified and compressed to improve size and speed.
- Added additional `nodeps` manifest that does not include dependencies for Az modules. #1392
- Bump Az.Accounts to 2.7.6. #1338
- Bump Az.Resources to 5.6.0. #1338
- Bump PSRule to 2.1.0. #1338
- Bump Pester to 5.3.3. #1338
What's changed since v1.14.3:
- Updated rules:
- Azure Kubernetes Service:
- Updated `Azure.AKS.Version` to use latest stable version `1.22.6`. #1386
- Use `AZURE_AKS_CLUSTER_MINIMUM_VERSION` to configure the minimum version of the cluster.
- Engineering:
- Bug fixes:
- Fixed dependency chain order when dependsOn copy. #1381
What's changed since v1.14.2:
- Bug fixes:
What's changed since v1.14.1:
- Bug fixes:
- Fixed handling of parent resources when sub resource is in a separate deployment. #1360
What's changed since v1.14.0:
- Bug fixes:
- Fixed unable to set parameter defaults option with type object. #1355
What's changed since v1.13.4:
- New features:
- Added support for referencing resources in template. #1315
- The `reference()` function can be used to reference resources in template.
- A placeholder value is still used for resources outside of the template.
- Added March 2022 baselines `Azure.GA_2022_03` and `Azure.Preview_2022_03`. #1334
- Includes rules released before or during March 2022.
- Marked `Azure.GA_2021_12` and `Azure.Preview_2021_12` baselines as obsolete.
- Experimental: Cmdlets to validate objects with Azure policy conditions:
- `Export-AzPolicyAssignmentData` - Exports policy assignment data. #1266
- `Export-AzPolicyAssignmentRuleData` - Exports JSON rules from policy assignment data. #1278
- `Get-AzPolicyAssignmentDataSource` - Discovers policy assignment data. #1340
- See cmdlet help for limitations and usage.
- Additional information will be posted as this feature evolves here.
- New rules:
- Updated rules:
- Azure Kubernetes Service:
- Updated `Azure.AKS.Version` to use latest stable version `1.21.9`. #1318
- Use `AZURE_AKS_CLUSTER_MINIMUM_VERSION` to configure the minimum version of the cluster.
- Engineering:
- Bug fixes:
What's changed since pre-release v1.14.0-B2204013:
- No additional changes.
What's changed since pre-release v1.14.0-B2204007:
- Engineering:
- Cleanup of additional alias metadata. #1351
What's changed since pre-release v1.14.0-B2203117:
- Bug fixes:
What's changed since pre-release v1.14.0-B2203088:
- New features:
- Experimental: Cmdlets to validate objects with Azure policy conditions:
- `Export-AzPolicyAssignmentData` - Exports policy assignment data. #1266
- `Export-AzPolicyAssignmentRuleData` - Exports JSON rules from policy assignment data. #1278
- `Get-AzPolicyAssignmentDataSource` - Discovers policy assignment data. #1340
- See cmdlet help for limitations and usage.
- Additional information will be posted as this feature evolves here.
- Engineering:
- Cache Azure Policy Aliases. #1277
- Bug fixes:
- Fixed index was out of range with split on mock properties. #1327
What's changed since pre-release v1.14.0-B2203066:
- New features:
- Added March 2022 baselines `Azure.GA_2022_03` and `Azure.Preview_2022_03`. #1334
- Includes rules released before or during March 2022.
- Marked `Azure.GA_2021_12` and `Azure.Preview_2021_12` baselines as obsolete.
- Bug fixes:
- Fixed expand of runtime properties on reference objects. #1324
What's changed since v1.13.4:
- New features:
- Added support for referencing resources in template. #1315
- The `reference()` function can be used to reference resources in template.
- A placeholder value is still used for resources outside of the template.
- New rules:
- Updated rules:
- Azure Kubernetes Service:
- Updated `Azure.AKS.Version` to use latest stable version `1.21.9`. #1318
- Use `AZURE_AKS_CLUSTER_MINIMUM_VERSION` to configure the minimum version of the cluster.
- Bug fixes:
- Fixed processing of deployment outputs. #1316
What's changed since v1.13.3:
- Bug fixes:
What's changed since v1.13.2:
- Bug fixes:
- Fixed bicep build timeout for complex deployments. #1299
What's changed since v1.13.1:
- Engineering:
- Bump PowerShellStandard.Library to 5.1.1. #1295
- Bug fixes:
- Fixed nested resource loops. #1293
What's changed since v1.13.0:
- Bug fixes:
- Fixed parsing of nested quote pairs within JSON function. #1288
What's changed since v1.12.2:
- New features:
- New rules:
- Engineering:
- Bug fixes:
What's changed since pre-release v1.13.0-B2202113:
- No additional changes.
What's changed since pre-release v1.13.0-B2202108:
- Bug fixes:
- Fixed resource id is incorrectly built for sub resource types. #1279
What's changed since pre-release v1.13.0-B2202103:
- Bug fixes:
- Fixed mapping default configuration causes cast exception. #1274
What's changed since pre-release v1.13.0-B2202090:
- Engineering:
- Bump PSRule dependency to v1.11.1. #1269
- Bug fixes:
- Fixed out of order parameters. #1257
What's changed since pre-release v1.13.0-B2202063:
- New rules:
- Azure Cache for Redis:
- Limit public access for Azure Cache for Redis instances. #935
- Engineering:
- Automatically build baseline docs. #1242
- Bug fixes:
- Fixed empty value with strong type. #1258
What's changed since v1.12.2:
- New features:
- New rules:
- Bug fixes:
- Fixed error with empty logic app trigger. #1249
What's changed since v1.12.1:
- Bug fixes:
- Fixed detect strong type requirements for nested deployments. #1235
What's changed since v1.12.0:
- Bug fixes:
- Fixed Bicep already exists with PSRule v2. #1232
What's changed since v1.11.1:
- New rules:
- Data Explorer:
- Event Hub:
- Azure Recovery Services Vault:
- Check vaults use geo-redundant storage. #5
- Service Bus:
- Updated rules:
- Azure Kubernetes Service:
- Updated `Azure.AKS.Version` to use latest stable version `1.21.7`. #1188
- Pinned latest GA baseline `Azure.GA_2021_12` to previous version `1.20.5`.
- Use `AZURE_AKS_CLUSTER_MINIMUM_VERSION` to configure the minimum version of the cluster.
- Azure API Management:
- Check service disabled insecure ciphers. #1128
- Refactored the cipher and protocol rule into individual rules: `Azure.APIM.Protocols` and `Azure.APIM.Ciphers`.
- General improvements:
- Important change: Replaced `Azure_AKSMinimumVersion` option with `AZURE_AKS_CLUSTER_MINIMUM_VERSION`. #941
- For compatibility, if `Azure_AKSMinimumVersion` is set it will be used instead of `AZURE_AKS_CLUSTER_MINIMUM_VERSION`.
- If only `AZURE_AKS_CLUSTER_MINIMUM_VERSION` is set, this value will be used.
- The default will be used if neither option is configured.
- If `Azure_AKSMinimumVersion` is set a warning will be generated until the configuration is removed.
- Support for `Azure_AKSMinimumVersion` is deprecated and will be removed in v2.
- See upgrade notes for details.
- Bug fixes:
- Fixed false positive of blob container with access unspecified. #1212
What's changed since pre-release v1.12.0-B2201086:
- No additional changes.
What's changed since pre-release v1.12.0-B2201067:
- New rules:
What's changed since pre-release v1.12.0-B2201054:
- New rules:
- Bug fixes:
- Fixed false positive of blob container with access unspecified. #1212
What's changed since v1.11.1:
- Updated rules:
- Azure Kubernetes Service:
- Updated `Azure.AKS.Version` to use latest stable version `1.21.7`. #1188
- Pinned latest GA baseline `Azure.GA_2021_12` to previous version `1.20.5`.
- Use `AZURE_AKS_CLUSTER_MINIMUM_VERSION` to configure the minimum version of the cluster.
- Azure API Management:
- Check service disabled insecure ciphers. #1128
- Refactored the cipher and protocol rule into individual rules: `Azure.APIM.Protocols` and `Azure.APIM.Ciphers`.
- General improvements:
- Important change: Replaced `Azure_AKSMinimumVersion` option with `AZURE_AKS_CLUSTER_MINIMUM_VERSION`. #941
- For compatibility, if `Azure_AKSMinimumVersion` is set it will be used instead of `AZURE_AKS_CLUSTER_MINIMUM_VERSION`.
- If only `AZURE_AKS_CLUSTER_MINIMUM_VERSION` is set, this value will be used.
- The default will be used if neither option is configured.
- If `Azure_AKSMinimumVersion` is set a warning will be generated until the configuration is removed.
- Support for `Azure_AKSMinimumVersion` is deprecated and will be removed in v2.
- See upgrade notes for details.
What's changed since v1.11.0:
- Bug fixes:
- Fixed `Azure.AKS.CNISubnetSize` rule to use CNI selector. #1178
What's changed since v1.10.4:
- New features:
- Added baselines containing only Azure preview features. #1129
- Added baseline `Azure.Preview_2021_09`.
- Added baseline `Azure.Preview_2021_12`.
- Added `Azure.GA_2021_12` baseline. #1146
- Includes rules released before or during December 2021 for Azure GA features.
- Marked baseline `Azure.GA_2021_09` as obsolete.
- Bicep support promoted from experimental to generally available (GA). #1176
- New rules:
- All resources:
- Check comments for each template resource. #969
- Automation Account:
- Automation accounts should enable diagnostic logs. #1075
- Azure Kubernetes Service:
- Azure Redis Cache:
- Use availability zones for Azure Cache for Redis for regions that support it. #1078
- `Azure.Redis.AvailabilityZone`
- `Azure.RedisEnterprise.Zones`
- Application Security Group:
- Check Application Security Groups meet naming requirements. #1110
- Firewall:
- Private Endpoint:
- Check Private Endpoints meet naming requirements. #1110
- Virtual WAN:
- Check Virtual WANs meet naming requirements. #1110
- Updated rules:
- Azure Kubernetes Service:
- Promoted `Azure.AKS.AutoUpgrade` to GA rule set. #1130
- General improvements:
- Engineering:
- Rule refactoring of rules from PowerShell to YAML. #1109
- The following rules were refactored:
- `Azure.LB.Name`
- `Azure.NSG.Name`
- `Azure.Firewall.Mode`
- `Azure.Route.Name`
- `Azure.VNET.Name`
- `Azure.VNG.Name`
- `Azure.VNG.ConnectionName`
- `Azure.AppConfig.SKU`
- `Azure.AppConfig.Name`
- `Azure.AppInsights.Workspace`
- `Azure.AppInsights.Name`
- `Azure.Cosmos.AccountName`
- `Azure.FrontDoor.State`
- `Azure.FrontDoor.Name`
- `Azure.FrontDoor.WAF.Mode`
- `Azure.FrontDoor.WAF.Enabled`
- `Azure.FrontDoor.WAF.Name`
- `Azure.AKS.MinNodeCount`
- `Azure.AKS.ManagedIdentity`
- `Azure.AKS.StandardLB`
- `Azure.AKS.AzurePolicyAddOn`
- `Azure.AKS.ManagedAAD`
- `Azure.AKS.AuthorizedIPs`
- `Azure.AKS.LocalAccounts`
- `Azure.AKS.AzureRBAC`
- Bug fixes:
- Fixed output of Bicep informational and warning messages in error stream. #1157
What's changed since pre-release v1.11.0-B2112112:
- New features:
- Bicep support promoted from experimental to generally available (GA). #1176
What's changed since pre-release v1.11.0-B2112104:
- New rules:
- Azure Redis Cache:
- Use availability zones for Azure Cache for Redis for regions that support it. #1078
- `Azure.Redis.AvailabilityZone`
- `Azure.RedisEnterprise.Zones`
What's changed since pre-release v1.11.0-B2112073:
- New rules:
- Azure Kubernetes Service:
- Check clusters use Azure AD Pod Managed Identities (preview). #991
- Engineering:
- Rule refactoring of rules from PowerShell to YAML. #1109
- The following rules were refactored:
- `Azure.AppConfig.SKU`
- `Azure.AppConfig.Name`
- `Azure.AppInsights.Workspace`
- `Azure.AppInsights.Name`
- `Azure.Cosmos.AccountName`
- `Azure.FrontDoor.State`
- `Azure.FrontDoor.Name`
- `Azure.FrontDoor.WAF.Mode`
- `Azure.FrontDoor.WAF.Enabled`
- `Azure.FrontDoor.WAF.Name`
- `Azure.AKS.MinNodeCount`
- `Azure.AKS.ManagedIdentity`
- `Azure.AKS.StandardLB`
- `Azure.AKS.AzurePolicyAddOn`
- `Azure.AKS.ManagedAAD`
- `Azure.AKS.AuthorizedIPs`
- `Azure.AKS.LocalAccounts`
- `Azure.AKS.AzureRBAC`
- Bug fixes:
What's changed since pre-release v1.11.0-B2112024:
- New features:
- Added baselines containing only Azure preview features. #1129
- Added baseline `Azure.Preview_2021_09`.
- Added baseline `Azure.Preview_2021_12`.
- Added `Azure.GA_2021_12` baseline. #1146
- Includes rules released before or during December 2021 for Azure GA features.
- Marked baseline `Azure.GA_2021_09` as obsolete.
- New rules:
- All resources:
- Check comments for each template resource. #969
- Bug fixes:
What's changed since pre-release v1.11.0-B2111014:
- New rules:
- Azure Kubernetes Service:
- Automation Account:
- Automation accounts should enable diagnostic logs. #1075
- Updated rules:
- Azure Kubernetes Service:
- Promoted `Azure.AKS.AutoUpgrade` to GA rule set. #1130
- General improvements:
- Bug fixes:
- Fixed `Azure.Policy.WaiverExpiry` date conversion. #1118
What's changed since v1.10.0:
- New rules:
- Engineering:
- Rule refactoring of rules from PowerShell to YAML. #1109
- The following rules were refactored:
- `Azure.LB.Name`
- `Azure.NSG.Name`
- `Azure.Firewall.Mode`
- `Azure.Route.Name`
- `Azure.VNET.Name`
- `Azure.VNG.Name`
- `Azure.VNG.ConnectionName`
What's changed since v1.10.3:
- Bug fixes:
- Fixed outer copy loop of nested deployment. #1154
What's changed since v1.10.2:
- Bug fixes:
- Fixed copy loop on nested deployment parameters is not handled. #1144
What's changed since v1.10.1:
- Bug fixes:
- Fixed template function `equals` parameter count mismatch. #1137
What's changed since v1.10.0:
- Bug fixes:
- Fixed `Azure.Policy.WaiverExpiry` date conversion. #1118
What's changed since v1.9.1:
- New features:
- Added support for parameter strong types. #1083
- The value of string parameters can be tested against the expected type.
- When configuring a location strong type, the parameter value must be a valid Azure location.
- When configuring a resource type strong type, the parameter value must be a matching resource Id.
- New rules:
- General improvements:
- Updated default baseline to use module configuration. #1089
- Engineering:
- Bug fixes:
What's changed since pre-release v1.10.0-B2111081:
- No additional changes.
What's changed since pre-release v1.10.0-B2111072:
- New rules:
- Automation Service:
- Automation accounts should use managed identities for authentication. #1074
- Automation Service:
What's changed since pre-release v1.10.0-B2111058:
- New rules:
- All resources:
- Check template expressions do not exceed a maximum length. #1006
- All resources:
- Bug fixes:
What's changed since pre-release v1.10.0-B2111040:
- New rules:
- General improvements:
- Updated default baseline to use module configuration. #1089
What's changed since v1.9.1:
- New features:
- Added support for parameter strong types. #1083
- The value of string parameters can be tested against the expected type.
- When configuring a location strong type, the parameter value must be a valid Azure location.
- When configuring a resource type strong type, the parameter value must be a matching resource Id.
- Engineering:
What's changed since v1.9.0:
- Bug fixes:
What's changed since v1.8.1:
- New rules:
- API Management Service:
- Check API management services are using availability zones when available. #1017
- Public IP Address:
- User Assigned Managed Identity:
- Check identities meet naming requirements. #1021
- Virtual Network Gateway:
- Check VPN/ExpressRoute gateways are configured with availability zone SKU. #926
- General improvements:
- Engineering:
- Bug fixes:
- Fixed AKS Network Policy should accept calico. #1046
- Fixed `Azure.ACR.AdminUser` fails when `adminUserEnabled` not set. #1014
- Fixed `Azure.KeyVault.Logs` reports cannot index into a null array. #1024
- Fixed template function empty returns object reference not set exception. #1025
- Fixed delayed binding of `and` template function. #1026
- Fixed template function array nests array with array parameters. #1027
- Fixed property used by `Azure.ACR.MinSKU` to work more reliably with templates. #1034
- Fixed could not determine JSON object type for MockMember using CreateObject. #1035
- Fixed Bicep convention ordering. #1053
What's changed since pre-release v1.9.0-B2110087:
- No additional changes.
What's changed since pre-release v1.9.0-B2110082:
- Bug fixes:
- Fixed Bicep convention ordering. #1053
What's changed since pre-release v1.9.0-B2110059:
- General improvements:
- Bicep is now installed when using PSRule GitHub Action. #1050
- Engineering:
- Added automated PR workflow to bump `providers.json` monthly. #1041
- Bug fixes:
- Fixed AKS Network Policy should accept calico. #1046
What's changed since pre-release v1.9.0-B2110040:
- New rules:
- API Management Service:
- Check API management services are using availability zones when available. #1017
- Bug fixes:
What's changed since pre-release v1.9.0-B2110025:
- New rules:
- User Assigned Managed Identity:
- Check identities meet naming requirements. #1021
- Bug fixes:
What's changed since pre-release v1.9.0-B2110014:
- Engineering:
- Bump PSRule dependency to v1.8.0. #1018
- Bug fixes:
- Fixed `Azure.ACR.AdminUser` fails when `adminUserEnabled` not set. #1014
What's changed since pre-release v1.9.0-B2110009:
- Bug fixes:
What's changed since pre-release v1.9.0-B2109027:
- Bug fixes:
What's changed since v1.8.0:
- New rules:
- General improvements:
- Improved processing of AzOps generated templates. #799
- `Azure.Template.DefineParameters` is ignored for AzOps generated templates.
- `Azure.Template.UseLocationParameter` is ignored for AzOps generated templates.
- Bug fixes:
- Fixed `ToUpper` fails to convert character. #986
What's changed since v1.8.0:
- Bug fixes:
- Fixed handling of comments with template and parameter file rules. #996
- Fixed `Azure.Template.UseLocationParameter` to only apply to templates deployed as RG scope. #995
- Fixed expand template fails with `createObject` when no parameters are specified. #1000
- Fixed `ToUpper` fails to convert character. #986
- Fixed expression out of range of valid values. #1005
- Fixed template expand fails in nested reference expansion. #1007
What's changed since v1.7.0:
- New features:
- Added `Azure.GA_2021_09` baseline. #961
- Includes rules released before or during September 2021 for Azure GA features.
- Marked baseline `Azure.GA_2021_06` as obsolete.
- New rules:
- Application Gateway:
- Check App Gateways should use availability zones when available by @ArmaanMcleod. #928
- Azure Kubernetes Service:
- Check clusters have control plane audit logs enabled by @ArmaanMcleod. #882
- Check clusters have control plane diagnostics enabled by @ArmaanMcleod. #922
- Check clusters use Container Insights for monitoring workloads by @ArmaanMcleod. #881
- Check clusters use availability zones when available by @ArmaanMcleod. #880
- Cosmos DB:
- Load Balancer:
- Engineering:
- Bug fixes:
- Fixed export of in-flight AKS related subnets for kubenet clusters by @ArmaanMcleod. #920
- Fixed plan instance count is not applicable to Elastic Premium plans. #946
- Fixed minimum App Service Plan fails Elastic Premium plans. #945
- Fixed App Service Plan should include PremiumV3 plan. #944
- Fixed Azure.VM.NICAttached with private endpoints. #932
- Fixed Bicep CLI fails with unexpected end of content. #889
- Fixed incomplete reason message for `Azure.Storage.MinTLS`. #971
- Fixed false positive of `Azure.Storage.UseReplication` with large file storage. #965
What's changed since pre-release v1.8.0-B2109060:
- No additional changes.
What's changed since pre-release v1.8.0-B2109060:
- New rules:
- Load Balancer:
- Check Load balancers are using Standard SKU. by @ArmaanMcleod. #957
- Engineering:
- Increased test coverage of rule reasons. by @ArmaanMcleod. #960
- Bug fixes:
What's changed since pre-release v1.8.0-B2109046:
- New features:
- Added `Azure.GA_2021_09` baseline. #961
- Includes rules released before or during September 2021 for Azure GA features.
- Marked baseline `Azure.GA_2021_06` as obsolete.
- New rules:
- Load Balancer:
- Check Load Balancers are configured with zone-redundancy by @ArmaanMcleod. #927
What's changed since pre-release v1.8.0-B2109020:
- New rules:
- Bug fixes:
- Engineering:
- Bump PSRule dependency to v1.7.2. #951
What's changed since pre-release v1.8.0-B2108026:
- New rules:
- Engineering:
- Bump PSRule dependency to v1.7.0. #938
What's changed since pre-release v1.8.0-B2108013:
- New rules:
- Azure Kubernetes Service:
- Check clusters use Container Insights for monitoring workloads by @ArmaanMcleod. #881
- Bug fixes:
- Fixed export of in-flight AKS related subnets for kubenet clusters by @ArmaanMcleod. #920
What's changed since v1.7.0:
- New rules:
- Azure Kubernetes Service:
- Check clusters use availability zones when available by @ArmaanMcleod. #880
- Engineering:
What's changed since v1.6.0:
- New rules:
- All resources:
- Check template parameter files use metadata links. #846
- Configure the `AZURE_PARAMETER_FILE_METADATA_LINK` option to enable this rule.
- Check template files use a recent schema. #845
- Check template files use a https schema scheme. #894
- Check template parameter files use a https schema scheme. #894
- Check template parameters set a value. #896
- Check template parameters use a valid secret reference. #897
- Azure Kubernetes Service:
- Storage Account:
- Check Storage Accounts only accept explicitly allowed network traffic. #884
- Updated rules:
- Virtual Network:
- Excluded `AzureFirewallManagementSubnet` from `Azure.VNET.UseNSGs`. #869
- General improvements:
- Added version information to bicep compilation exceptions. #903
- Engineering:
- Bump PSRule dependency to v1.6.0. #871
- Bug fixes:
What's changed since pre-release v1.7.0-B2108059:
- No additional changes.
What's changed since pre-release v1.7.0-B2108049:
- General improvements:
- Added version information to bicep compilation exceptions. #903
- Bug fixes:
- Fixed `Azure.Template.ParameterValue` failing on empty value. #901
What's changed since pre-release v1.7.0-B2108040:
- New rules:
- Bug fixes:
- Fixed DateTimeAdd function and tests within timezones with DST. #891
What's changed since pre-release v1.7.0-B2108020:
- New rules:
- All resources:
- Check template parameter files use metadata links. #846
- Configure the `AZURE_PARAMETER_FILE_METADATA_LINK` option to enable this rule.
- Azure Kubernetes Service:
- Check clusters using Azure CNI should use large subnets by @ArmaanMcleod. #273
- By default, a minimum of a `/23` subnet is required.
- Configure `AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE` to change the default minimum subnet size.
- Storage Account:
- Check Storage Accounts only accept explicitly allowed network traffic. #884
What's changed since v1.6.0:

- New rules:
  - Azure Kubernetes Service:
    - Check clusters use auto-scale node pools by @ArmaanMcleod. #218
- Updated rules:
  - Virtual Network:
    - Excluded `AzureFirewallManagementSubnet` from `Azure.VNET.UseNSGs`. #869
- Engineering:
  - Bump PSRule dependency to v1.6.0. #871

What's changed since v1.5.1:

- New features:
  - Experimental: Added support for expansion from Bicep source files. #848 #670 #858
    - Bicep support is currently experimental.
    - To opt in, set the `AZURE_BICEP_FILE_EXPANSION` configuration to `true`.
    - For more information see Using Bicep.
- New rules:
  - Application Gateways:
    - Check Application Gateways publish endpoints by HTTPS. #841
- Engineering:

What's changed since pre-release v1.6.0-B2108038:

- Bug fixes:
  - Fixed Bicep expand creates deadlock and times out. #863

What's changed since pre-release v1.6.0-B2108023:

- Bug fixes:
  - Fixed Bicep expand hangs analysis. #858

What's changed since pre-release v1.6.0-B2107028:

- New features:
  - Experimental: Added support for expansion from Bicep source files. #848 #670
    - Bicep support is currently experimental.
    - To opt in, set the `AZURE_BICEP_FILE_EXPANSION` configuration to `true`.
    - For more information see Using Bicep.

What's changed since v1.5.1:

- New rules:
  - Application Gateways:
    - Check Application Gateways publish endpoints by HTTPS. #841
- Engineering:
  - Bump PSRule dependency to v1.5.0. #832

What's changed since v1.5.0:

- Bug fixes:
  - Fixed rule does not detect more restrictive NSG rules. #831
What's changed since v1.4.1:

- New features:
  - Added `Azure.GA_2021_06` baseline. #822
    - Includes rules released before or during June 2021 for Azure GA features.
    - Marked baseline `Azure.GA_2021_03` as obsolete.
- New rules:
- General improvements:
- Engineering:
- Bug fixes:
  - Fixed detection of parameters and variables with line breaks. #811

What's changed since pre-release v1.5.0-B2107002:

- No additional changes.

What's changed since pre-release v1.5.0-B2106018:

- New features:
  - Added `Azure.GA_2021_06` baseline. #822
    - Includes rules released before or during June 2021 for Azure GA features.
    - Marked baseline `Azure.GA_2021_03` as obsolete.
- General improvements:
  - Updated rule help to use docs pages for online version. #824
- Engineering:

What's changed since v1.4.1:

- New rules:
- General improvements:
  - Exclude not applicable rules for templates generated with Bicep and PSArm. #815
- Engineering:
- Bug fixes:
  - Fixed detection of parameters and variables with line breaks. #811

What's changed since v1.4.0:

- Bug fixes:
What's changed since v1.3.2:

- New features:
  - Automatically expand template from parameter files for analysis. #772
    - Previously templates needed to be exported with `Export-AzRuleTemplateData`.
    - To export template data automatically use PSRule cmdlets with `-Format File`.
- New rules:
  - Cognitive Search:
  - Azure Kubernetes Service:
    - Check clusters use AKS-managed Azure AD integration. #436
    - Check clusters have local account disabled (preview). #786
    - Check clusters have an auto-upgrade channel set (preview). #787
    - Check clusters limit network access to the API server. #788
    - Check clusters use Azure RBAC for Kubernetes authorization. #789
- Updated rules:
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.Version` to 1.20.5. #767
- General improvements:
  - Automatically nest template sub-resources for analysis. #746
    - Sub-resources such as diagnostic logs or configurations are automatically nested.
    - Automatically nesting a resource requires:
      - The parent resource is defined in the same template.
      - The sub-resource depends on the parent resource.
  - Added support for source location references to template files. #781
    - Output includes source location to resources exported from a template.
- Bug fixes:
- Engineering:
  - Added source link to project. #783

What's changed since pre-release v1.4.0-B2105057:

- No additional changes.

What's changed since pre-release v1.4.0-B2105050:

- New rules:
  - Azure Kubernetes Service:
    - Check clusters use AKS-managed Azure AD integration. #436
    - Check clusters have local account disabled (preview). #786
    - Check clusters have an auto-upgrade channel set (preview). #787
    - Check clusters limit network access to the API server. #788
    - Check clusters use Azure RBAC for Kubernetes authorization. #789
- Updated rules:
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.Version` to 1.20.5. #767
- Engineering:
  - Added source link to project. #783

What's changed since pre-release v1.4.0-B2105044:

- General improvements:
  - Added support for source location references to template files. #781
    - Output includes source location to resources exported from a template.

What's changed since pre-release v1.4.0-B2105027:

- New features:
  - Automatically expand template from parameter files for analysis. #772
    - Previously templates needed to be exported with `Export-AzRuleTemplateData`.
    - To export template data automatically use PSRule cmdlets with `-Format File`.
- Bug fixes:

What's changed since pre-release v1.4.0-B2105020:

- New rules:

What's changed since v1.3.2:

- General improvements:
  - Automatically nest template sub-resources for analysis. #746
    - Sub-resources such as diagnostic logs or configurations are automatically nested.
    - Automatically nesting a resource requires:
      - The parent resource is defined in the same template.
      - The sub-resource depends on the parent resource.

What's changed since v1.3.1:

- Bug fixes:
  - Fixed rule reason reported the parameter inputObject is null. #753

What's changed since v1.3.0:
What's changed since v1.2.1:

- New rules:
- Removed rules:
  - Storage:
    - Remove `Azure.Storage.UseEncryption` as Storage Service Encryption (SSE) is always on. #630
      - SSE is on by default and cannot be disabled.
- General improvements:
- Engineering:
- Bug fixes:
  - Fixed could not load file or assembly YamlDotNet. #741
    - This fix pins the PSRule version to v1.2.0 until the next stable release of PSRule for Azure.

What's changed since pre-release v1.3.0-B2104040:

- No additional changes.

What's changed since pre-release v1.3.0-B2104034:

- Bug fixes:
  - Fixed could not load file or assembly YamlDotNet. #741
    - This fix pins the PSRule version to v1.2.0 until the next stable release of PSRule for Azure.

What's changed since pre-release v1.3.0-B2104023:

- New rules:
- Engineering:

What's changed since pre-release v1.3.0-B2104013:

- General improvements:

What's changed since pre-release v1.3.0-B2103007:

- Engineering:
  - Bump PSRule dependency to v1.2.0. #713
- Bug fixes:
  - Fixed export not expanding nested deployments. #715

What's changed since v1.2.0:

- Removed rules:
  - Storage:
    - Remove `Azure.Storage.UseEncryption` as Storage Service Encryption (SSE) is always on. #630
      - SSE is on by default and cannot be disabled.
- General improvements:
  - Additional metadata added in parameter files is passed through with `Get-AzRuleTemplateLink`. #706

What's changed since v1.2.0:

- Bug fixes:
  - Fixed export not expanding nested deployments. #715
What's changed since v1.1.4:

- New features:
  - Added `Azure.GA_2021_03` baseline. #673
    - Includes rules released before or during March 2021 for Azure GA features.
    - Marked baseline `Azure.GA_2020_12` as obsolete.
- New rules:
  - Key Vault:
    - Check vaults, keys, and secrets meet name requirements. #646
- Updated rules:
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.Version` to 1.19.7. #696
- General improvements:
  - Added support for user defined functions in templates. #682
- Engineering:
  - Bump PSRule dependency to v1.1.0. #692

What's changed since pre-release v1.2.0-B2103044:

- No additional changes.

What's changed since pre-release v1.2.0-B2103032:

- New features:
  - Added `Azure.GA_2021_03` baseline. #673
    - Includes rules released before or during March 2021 for Azure GA features.
    - Marked baseline `Azure.GA_2020_12` as obsolete.
- Updated rules:
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.Version` to 1.19.7. #696

What's changed since pre-release v1.2.0-B2103024:

- New rules:
  - Key Vault:
    - Check vaults, keys, and secrets meet name requirements. #646
- Engineering:
  - Bump PSRule dependency to v1.1.0. #692

What's changed since v1.1.4:

- General improvements:
  - Added support for user defined functions in templates. #682

What's changed since v1.1.3:

- Bug fixes:

What's changed since v1.1.2:

- Bug fixes:
  - Fixed parsing of property names for functions across multiple lines. #683

What's changed since v1.1.1:

- Bug fixes:

What's changed since v1.1.0:

- Bug fixes:
  - Fixed support for parameter file schemas. #674
What's changed since v1.0.0:

- New features:
  - Exporting template with `Export-AzRuleTemplateData` supports custom resource group and subscription. #651
    - Subscription and resource group used for deployment can be specified instead of using defaults.
    - `ResourceGroupName` parameter of `Export-AzRuleTemplateData` has been renamed to `ResourceGroup`.
    - Added a parameter alias for `ResourceGroupName` on `Export-AzRuleTemplateData`.
- New rules:
  - All resources:
    - Check template parameters are defined. #631
    - Check location parameter is type string. #632
    - Check template parameter `minValue` and `maxValue` constraints are valid. #637
    - Check template resources do not use hard coded locations. #633
    - Check resource group location not referenced instead of location parameter. #634
    - Check increased debug detail is disabled for nested deployments. #638
- General improvements:
  - Added support for matching template by name. #661
    - `Get-AzRuleTemplateLink` discovers `<templateName>.json` from `<templateName>.parameters.json`.
- Engineering:
  - Bump PSRule dependency to v1.0.3. #648
- Bug fixes:
  - Fixed `Azure.VM.ADE` to limit rule to exports only. #644
  - Fixed `if` condition values evaluation order. #652
  - Fixed handling of `int` parameters with large values. #653
  - Fixed handling of expressions split over multiple lines. #654
  - Fixed handling of bool parameter values within logical expressions. #655
  - Fixed copy loop value does not fall within the expected range. #664
  - Fixed template comparison functions handling of large integer values. #666
  - Fixed handling of `createArray` function with no arguments. #667

What's changed since pre-release v1.1.0-B2102034:

- No additional changes.

What's changed since pre-release v1.1.0-B2102023:

- General improvements:
  - Added support for matching template by name. #661
    - `Get-AzRuleTemplateLink` discovers `<templateName>.json` from `<templateName>.parameters.json`.
- Bug fixes:

What's changed since pre-release v1.1.0-B2102015:

- New features:
  - Exporting template with `Export-AzRuleTemplateData` supports custom resource group and subscription. #651
    - Subscription and resource group used for deployment can be specified instead of using defaults.
    - `ResourceGroupName` parameter of `Export-AzRuleTemplateData` has been renamed to `ResourceGroup`.
    - Added a parameter alias for `ResourceGroupName` on `Export-AzRuleTemplateData`.

What's changed since pre-release v1.1.0-B2102010:

- Bug fixes:

What's changed since pre-release v1.1.0-B2102001:

- Engineering:
  - Bump PSRule dependency to v1.0.3. #648
- Bug fixes:
  - Fixed `Azure.VM.ADE` to limit rule to exports only. #644

What's changed since v1.0.0:

- New rules:
  - All resources:
    - Check template parameters are defined. #631
    - Check location parameter is type string. #632
    - Check template parameter `minValue` and `maxValue` constraints are valid. #637
    - Check template resources do not use hard coded locations. #633
    - Check resource group location not referenced instead of location parameter. #634
    - Check increased debug detail is disabled for nested deployments. #638
- Engineering:
  - Bump PSRule dependency to v1.0.2. #635
What's changed since v0.19.0:

- New rules:
  - All resources:
  - Front Door:
  - Service Fabric:
    - Check Service Fabric clusters use AAD client authentication. #619
- Updated rules:
  - Azure Kubernetes Service:
    - Updated `Azure.AKS.Version` to 1.19.6. #603
- General improvements:
  - Renamed `Export-AzTemplateRuleData` to `Export-AzRuleTemplateData`. #596
    - New name `Export-AzRuleTemplateData` aligns with prefix of other cmdlets.
    - Use of `Export-AzTemplateRuleData` is now deprecated and will be removed in the next major version.
    - Added alias to allow `Export-AzTemplateRuleData` to continue to be used.
    - Using `Export-AzTemplateRuleData` returns a deprecation warning.
  - Added support for `environment` template function. #517
- Engineering:
  - Bump PSRule dependency to v1.0.1. #611

What's changed since pre-release v1.0.0-B2101028:

- No additional changes.

What's changed since pre-release v1.0.0-B2101016:

- New rules:
  - All resources:
    - Check parameter default value type matches type. #311
- General improvements:
  - Renamed `Export-AzTemplateRuleData` to `Export-AzRuleTemplateData`. #596
    - New name `Export-AzRuleTemplateData` aligns with prefix of other cmdlets.
    - Use of `Export-AzTemplateRuleData` is now deprecated and will be removed in the next major version.
    - Added alias to allow `Export-AzTemplateRuleData` to continue to be used.
    - Using `Export-AzTemplateRuleData` returns a deprecation warning.

What's changed since pre-release v1.0.0-B2101006:

- New rules:
  - Service Fabric:
    - Check Service Fabric clusters use AAD client authentication. #619
- Bug fixes:
  - Fixed reason `Azure.FrontDoor.ProbePath` so the probe name is included. #617

What's changed since v0.19.0: