From 6feed7a2cbd7c3b623761ea3badbe94056283c39 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 24 Nov 2025 07:50:45 +0000 Subject: [PATCH 01/15] Initial plan From bb85afa443e2c06064083fc40cc8c7182a3adea0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 24 Nov 2025 08:03:50 +0000 Subject: [PATCH 02/15] Add Azure.RedisEnterprise.MigrateAMR rule for issue #3606 Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com> --- docs/changelog.md | 2 + .../rules/Azure.RedisEnterprise.MigrateAMR.md | 101 ++++++++++++++++++ docs/en/rules/index.md | 1 + src/PSRule.Rules.Azure/en/PSRule-rules.psd1 | 1 + .../rules/Azure.Redis.Rule.ps1 | 5 + .../Azure.Redis.Tests.ps1 | 12 +++ 6 files changed, 122 insertions(+) create mode 100644 docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md diff --git a/docs/changelog.md b/docs/changelog.md index f0a6ec011d..636fef83de 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -37,6 +37,8 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers - Azure Cache for Redis: - Check for legacy Azure Cache for Redis instances by @BenjaminEngeset. [#3605](https://github.com/Azure/PSRule.Rules.Azure/issues/3605) + - Check for deprecated Redis Enterprise and Enterprise Flash SKUs by @BenjaminEngeset. + [#3606](https://github.com/Azure/PSRule.Rules.Azure/issues/3606) - Managed Instance for Apache Cassandra: - Check that Managed Instance for Apache Cassandra clusters have availability zones enabled by @BenjaminEngeset. [#3592](https://github.com/Azure/PSRule.Rules.Azure/issues/3592) diff --git a/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md b/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md new file mode 100644 index 0000000000..22593aa887 --- /dev/null +++ b/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md 
@@ -0,0 +1,101 @@ +--- +reviewed: 2025-11-23 +severity: Important +pillar: Operational Excellence +category: OE:05 Infrastructure as code +resource: Redis Enterprise +resourceType: Microsoft.Cache/redisEnterprise +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.RedisEnterprise.MigrateAMR/ +--- + +# Migrate to Azure Managed Redis + +## SYNOPSIS + +Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis. + +## DESCRIPTION + +Microsoft has announced the retirement timeline for Redis Enterprise and Enterprise Flash SKUs. +The recommended replacement going forward is Azure Managed Redis. + +Redis Enterprise (`Enterprise_*`) and Enterprise Flash (`EnterpriseFlash_*`) SKUs will be retired according to the following timeline: + +- Creation blocked for new customers: April 1, 2026. +- Creation blocked for existing customers: October 1, 2026. +- Retirement Date: September 30, 2028. +- Instances will be disabled starting October 1, 2028. + +To avoid service disruption, migrate your workloads to Azure Managed Redis. + +## RECOMMENDATION + +Plan and execute migration from Redis Enterprise / Enterprise Flash to Azure Managed Redis before the retirement dates to avoid service disruption. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resource that pass this rule: + +- Create resources of type `Microsoft.Cache/redisEnterprise` and an Azure Managed Redis SKU, such as: + - `Balanced_*` + - `MemoryOptimized_*` + - `ComputeOptimized_*` + +For example: + +```bicep +resource primary 'Microsoft.Cache/redisEnterprise@2025-07-01' = { + name: name + location: location + properties: { + highAvailability: 'Enabled' + publicNetworkAccess: 'Disabled' + } + sku: { + name: 'Balanced_B10' + } +} +``` + +### Configure with Azure template + +To deploy resource that pass this rule: + +- Create resources of type `Microsoft.Cache/redisEnterprise` and an Azure Managed Redis SKU, such as: + - `Balanced_*` + - `MemoryOptimized_*` + - `ComputeOptimized_*` + +For example: + +```json +{ + "type": "Microsoft.Cache/redisEnterprise", + "apiVersion": "2025-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "highAvailability": "Enabled", + "publicNetworkAccess": "Disabled" + }, + "sku": { + "name": "Balanced_B10" + } +} +``` + +## NOTES + +Redis Enterprise and Enterprise Flash SKUs `Enterprise_*` and `EnterpriseFlash_*` are deprecated. + +Azure Cache for Redis (Basic, Standard, Premium) using the `Microsoft.Cache/redis` resource type is also deprecated and covered by a separate rule. 
+ +## LINKS + +- [OE:05 Infrastructure as code](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) +- [Azure Cache for Redis retirement: What to know and how to prepare](https://techcommunity.microsoft.com/blog/azure-managed-redis/azure-cache-for-redis-retirement-what-to-know-and-how-to-prepare/4458721) +- [Azure Cache for Redis retirement FAQ](https://learn.microsoft.com/azure/azure-cache-for-redis/retirement-faq) +- [Azure Managed Redis documentation](https://learn.microsoft.com/azure/azure-cache-for-redis/managed-redis/managed-redis-overview) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise) diff --git a/docs/en/rules/index.md b/docs/en/rules/index.md index fd59c161b6..18a6f9ebff 100644 --- a/docs/en/rules/index.md +++ b/docs/en/rules/index.md @@ -518,5 +518,6 @@ AZR-000495 | [Azure.ACR.ExportPolicy](Azure.ACR.ExportPolicy.md) | Export policy AZR-000496 | [Azure.Redis.LocalAuth](Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | GA AZR-000497 | [Azure.Storage.LocalAuth](Azure.Storage.LocalAuth.md) | Access keys allow depersonalized access to Storage Accounts using a shared secret. | GA AZR-000498 | [Azure.AppConfig.ReplicaLocation](Azure.AppConfig.ReplicaLocation.md) | The replication location determines the country or region where configuration data is stored and processed. | GA +AZR-000534 | [Azure.RedisEnterprise.MigrateAMR](Azure.RedisEnterprise.MigrateAMR.md) | Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis. | GA *[GA]: Generally Available — Rules related to a generally available Azure features. diff --git a/src/PSRule.Rules.Azure/en/PSRule-rules.psd1 b/src/PSRule.Rules.Azure/en/PSRule-rules.psd1 index b6c103ef3b..14cd0d56eb 100644 --- a/src/PSRule.Rules.Azure/en/PSRule-rules.psd1 +++ b/src/PSRule.Rules.Azure/en/PSRule-rules.psd1 
@@ -132,4 +132,5 @@ ActiveSecurityAlerts = "There are {0} active security alerts of high or medium severity." KeyValueShouldNotContainSecrets = "The key value '{0}' property should not contain secrets." CacheRedisMigrateAMR = "Azure Cache for Redis is being retired. Migrate to Azure Managed Redis." + RedisEnterpriseMigrateAMR = "Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis." } diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 index 4e53f43fb6..fbe97dbdf1 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 @@ -128,6 +128,11 @@ Rule 'Azure.Redis.MigrateAMR' -Ref 'AZR-000533' -Type 'Microsoft.Cache/redis' -T $Assert.Fail($LocalizedData.CacheRedisMigrateAMR) } +# Synopsis: Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis. +Rule 'Azure.RedisEnterprise.MigrateAMR' -Ref 'AZR-000534' -Type 'Microsoft.Cache/redisEnterprise' -If { IsEnterpriseCache } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } { + $Assert.Fail($LocalizedData.RedisEnterpriseMigrateAMR) +} + #region Helper functions function global:GetCacheMemory { diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 index dede38e472..7e5c5d75a1 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 
@@ -365,6 +365,18 @@ Describe 'Azure.Redis' -Tag 'Redis' { $ruleResult[0].Reason | Should -BeExactly "Azure Cache for Redis is being retired. Migrate to Azure Managed Redis."; } + + It 'Azure.RedisEnterprise.MigrateAMR' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.RedisEnterprise.MigrateAMR' }; + + # Fail - all Enterprise and EnterpriseFlash instances should fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 7; + $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S'; + + $ruleResult[0].Reason | Should -BeExactly "Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis."; + } } Context 'With Configuration Option' -Tag 'Configuration' { From f7b26d11923e65b9871f4bb74df00f95dcda0cca Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 24 Nov 2025 11:59:44 +0000 Subject: [PATCH 03/15] Address PR feedback: Move rule to separate file and update documentation Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com> --- .../rules/Azure.RedisEnterprise.MigrateAMR.md | 17 ++++++++--------- docs/en/rules/index.md | 1 - src/PSRule.Rules.Azure/en/PSRule-rules.psd1 | 2 +- .../rules/Azure.Redis.Rule.ps1 | 5 ----- .../rules/Azure.RedisEnterprise.Rule.ps1 | 11 +++++++++++ .../Azure.Redis.Tests.ps1 | 4 ++-- 6 files changed, 22 insertions(+), 18 deletions(-) create mode 100644 src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 diff --git a/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md b/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md index 22593aa887..999fa76637 100644 --- a/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md +++ b/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md 
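Review bot: In the PATCH 02 hunk for src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1, the precondition `-If { IsEnterpriseCache }` references a helper that is not defined anywhere in this patch, and the rule body is an unconditional `$Assert.Fail($LocalizedData.RedisEnterpriseMigrateAMR)`, so every `Microsoft.Cache/redisEnterprise` resource that clears the precondition fails regardless of its SKU. Either define `IsEnterpriseCache` in the helper-functions region or replace the precondition with a check of `sku.name` against the `Enterprise_*` and `EnterpriseFlash_*` families that this patch's own documentation calls deprecated; as written, the Bicep and Azure template examples the docs present as passing (`Balanced_B10` on the same resource type) would fail the rule. The accompanying test pins 7 failures on `redis-K` through `redis-S`, but no fixture changes are in the patch, so it is not visible which SKUs those fixtures carry.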
@@ -1,5 +1,5 @@ --- -reviewed: 2025-11-23 +reviewed: 2025-11-24 severity: Important pillar: Operational Excellence category: OE:05 Infrastructure as code @@ -12,25 +12,24 @@ online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.RedisE ## SYNOPSIS -Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis. +Azure Cache for Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis. ## DESCRIPTION -Microsoft has announced the retirement timeline for Redis Enterprise and Enterprise Flash SKUs. +Microsoft has announced the retirement timeline for Azure Cache for Redis Enterprise and Enterprise Flash SKUs. The recommended replacement going forward is Azure Managed Redis. -Redis Enterprise (`Enterprise_*`) and Enterprise Flash (`EnterpriseFlash_*`) SKUs will be retired according to the following timeline: +Azure Cache for Redis Enterprise (`Enterprise_*`) and Enterprise Flash (`EnterpriseFlash_*`) SKUs will be retired according to the following timeline: -- Creation blocked for new customers: April 1, 2026. -- Creation blocked for existing customers: October 1, 2026. -- Retirement Date: September 30, 2028. -- Instances will be disabled starting October 1, 2028. +- Creation blocked for all customers: April 1, 2026. +- Retirement Date: March 31, 2027. +- Instances will be migrated to Azure Managed Redis starting April 1, 2027. To avoid service disruption, migrate your workloads to Azure Managed Redis. ## RECOMMENDATION -Plan and execute migration from Redis Enterprise / Enterprise Flash to Azure Managed Redis before the retirement dates to avoid service disruption. +Plan and execute migration from Azure Cache for Redis Enterprise / Enterprise Flash to Azure Managed Redis before the retirement dates to avoid service disruption. ## EXAMPLES diff --git a/docs/en/rules/index.md b/docs/en/rules/index.md index 18a6f9ebff..fd59c161b6 100644 --- a/docs/en/rules/index.md +++ b/docs/en/rules/index.md 
@@ -518,6 +518,5 @@ AZR-000495 | [Azure.ACR.ExportPolicy](Azure.ACR.ExportPolicy.md) | Export policy AZR-000496 | [Azure.Redis.LocalAuth](Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | GA AZR-000497 | [Azure.Storage.LocalAuth](Azure.Storage.LocalAuth.md) | Access keys allow depersonalized access to Storage Accounts using a shared secret. | GA AZR-000498 | [Azure.AppConfig.ReplicaLocation](Azure.AppConfig.ReplicaLocation.md) | The replication location determines the country or region where configuration data is stored and processed. | GA -AZR-000534 | [Azure.RedisEnterprise.MigrateAMR](Azure.RedisEnterprise.MigrateAMR.md) | Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis. | GA *[GA]: Generally Available — Rules related to a generally available Azure features. diff --git a/src/PSRule.Rules.Azure/en/PSRule-rules.psd1 b/src/PSRule.Rules.Azure/en/PSRule-rules.psd1 index 14cd0d56eb..e8781197c2 100644 --- a/src/PSRule.Rules.Azure/en/PSRule-rules.psd1 +++ b/src/PSRule.Rules.Azure/en/PSRule-rules.psd1 @@ -132,5 +132,5 @@ ActiveSecurityAlerts = "There are {0} active security alerts of high or medium severity." KeyValueShouldNotContainSecrets = "The key value '{0}' property should not contain secrets." CacheRedisMigrateAMR = "Azure Cache for Redis is being retired. Migrate to Azure Managed Redis." - RedisEnterpriseMigrateAMR = "Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis." + RedisEnterpriseMigrateAMR = "Azure Cache for Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis." } diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 index fbe97dbdf1..4e53f43fb6 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 
@@ -128,11 +128,6 @@ Rule 'Azure.Redis.MigrateAMR' -Ref 'AZR-000533' -Type 'Microsoft.Cache/redis' -T $Assert.Fail($LocalizedData.CacheRedisMigrateAMR) } -# Synopsis: Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis. -Rule 'Azure.RedisEnterprise.MigrateAMR' -Ref 'AZR-000534' -Type 'Microsoft.Cache/redisEnterprise' -If { IsEnterpriseCache } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } { - $Assert.Fail($LocalizedData.RedisEnterpriseMigrateAMR) -} - #region Helper functions function global:GetCacheMemory { diff --git a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 new file mode 100644 index 0000000000..4331cbf3a2 --- /dev/null +++ b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 @@ -0,0 +1,11 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +# +# Validation rules for Azure Redis Enterprise Cache +# + +# Synopsis: Azure Cache for Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis. +Rule 'Azure.RedisEnterprise.MigrateAMR' -Ref 'AZR-000534' -Type 'Microsoft.Cache/redisEnterprise' -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } { + $Assert.Fail($LocalizedData.RedisEnterpriseMigrateAMR) +} diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 index 7e5c5d75a1..76b9b34034 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 
@@ -369,13 +369,13 @@ Describe 'Azure.Redis' -Tag 'Redis' { It 'Azure.RedisEnterprise.MigrateAMR' { $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.RedisEnterprise.MigrateAMR' }; - # Fail - all Enterprise and EnterpriseFlash instances should fail + # Fail - all redisEnterprise instances should fail $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); $ruleResult | Should -Not -BeNullOrEmpty; $ruleResult.Length | Should -Be 7; $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S'; - $ruleResult[0].Reason | Should -BeExactly "Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis."; + $ruleResult[0].Reason | Should -BeExactly "Azure Cache for Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis."; } } From 28ad228a71544e6bcf172b7ae360e509f9016556 Mon Sep 17 00:00:00 2001 
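Review bot: In the PATCH 03 hunk that creates src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1, the `-If` precondition is dropped but the unconditional `$Assert.Fail` stays, so the rule now fails every `Microsoft.Cache/redisEnterprise` resource, including the Azure Managed Redis `Balanced_B10` examples that the rule's documentation presents as passing configurations; the rule needs to inspect `sku.name` before failing. Two smaller points from the same patch: the docs/en/rules/index.md row for AZR-000534 is removed while the rule keeps `-Ref 'AZR-000534'`, so the index no longer lists a shipped rule, and the DESCRIPTION's retirement timeline is rewritten to different dates (creation blocked April 1, 2026; retirement March 31, 2027) without the commit message saying where they come from, which is worth confirming against the retirement FAQ linked in the LINKS section.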
From: Benjamin Engeset <99641908+BenjaminEngeset@users.noreply.github.com> Date: Mon, 24 Nov 2025 13:20:12 +0100 Subject: [PATCH 04/15] Added Azure.Redis.MigrateAMR (#3607) * Initial plan * Add Azure.Redis.Retirement rule Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com> * Fix resource type naming in documentation Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com> * Address feedback: update rule reference, synopsis, and documentation Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com> * Address feedback: rename rule, update dates, and clarify changelog Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com> * Address feedback: improve timeline clarity and rename localized string Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com> * fixes * Rename localized string to CacheRedisMigrateAMR Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com> * Updates --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Bernie White --- docs/changelog.md | 3 + docs/en/rules/Azure.Redis.MigrateAMR.md | 100 ++++++++++++++++++ docs/examples/resources/amr.bicep | 72 +++++++++++++ docs/examples/resources/amr.json | 97 +++++++++++++++++ src/PSRule.Rules.Azure/en/PSRule-rules.psd1 | 1 + .../rules/Azure.Redis.Rule.ps1 | 5 + .../Azure.Redis.Tests.ps1 | 12 +++ 7 files changed, 290 insertions(+) create mode 100644 docs/en/rules/Azure.Redis.MigrateAMR.md create mode 100644 docs/examples/resources/amr.bicep create mode 100644 docs/examples/resources/amr.json diff --git a/docs/changelog.md b/docs/changelog.md index 77ec75aff8..f0a6ec011d 100644 --- a/docs/changelog.md +++ b/docs/changelog.md 
@@ -34,6 +34,9 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers - App Configuration: - Check that replica locations are in allowed regions by @BernieWhite. [#3441](https://github.com/Azure/PSRule.Rules.Azure/issues/3441) + - Azure Cache for Redis: + - Check for legacy Azure Cache for Redis instances by @BenjaminEngeset. + [#3605](https://github.com/Azure/PSRule.Rules.Azure/issues/3605) - Managed Instance for Apache Cassandra: - Check that Managed Instance for Apache Cassandra clusters have availability zones enabled by @BenjaminEngeset. [#3592](https://github.com/Azure/PSRule.Rules.Azure/issues/3592) diff --git a/docs/en/rules/Azure.Redis.MigrateAMR.md b/docs/en/rules/Azure.Redis.MigrateAMR.md new file mode 100644 index 0000000000..dbc4c26b5a --- /dev/null +++ b/docs/en/rules/Azure.Redis.MigrateAMR.md 
@@ -0,0 +1,100 @@ +--- +reviewed: 2025-11-23 +severity: Important +pillar: Operational Excellence +category: OE:05 Infrastructure as code +resource: Azure Cache for Redis +resourceType: Microsoft.Cache/redis +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Redis.MigrateAMR/ +--- + +# Migrate to Azure Managed Redis + +## SYNOPSIS + +Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. + +## DESCRIPTION + +Microsoft has announced the retirement timeline for Azure Cache for Redis across all SKUs. +The recommended replacement going forward is Azure Managed Redis. + +Azure Cache for Redis (Basic, Standard, Premium) will be retired according to the following timeline: + +- Creation blocked for new customers: April 1, 2026. +- Creation blocked for existing customers: October 1, 2026. +- Retirement Date: September 30, 2028. +- Instances will be disabled starting October 1, 2028. + +To avoid service disruption, migrate your workloads to Azure Managed Redis. + +## RECOMMENDATION + +Plan and execute migration from Azure Cache for Redis to Azure Managed Redis before the retirement dates to avoid service disruption. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resource that pass this rule: + +- Create resources of type `Microsoft.Cache/redisEnterprise` and an Azure Managed Redis SKU, such as: + - `Balanced_*` + - `MemoryOptimized_*` + - `ComputeOptimized_*` + +For example: + +```bicep +resource primary 'Microsoft.Cache/redisEnterprise@2025-07-01' = { + name: name + location: location + properties: { + highAvailability: 'Enabled' + publicNetworkAccess: 'Disabled' + } + sku: { + name: 'Balanced_B10' + } +} +``` + +### Configure with Azure template + +To deploy resource that pass this rule: + +- Create resources of type `Microsoft.Cache/redisEnterprise` and an Azure Managed Redis SKU, such as: + - `Balanced_*` + - `MemoryOptimized_*` + - `ComputeOptimized_*` + +For example: + +```json +{ + "type": "Microsoft.Cache/redisEnterprise", + "apiVersion": "2025-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "highAvailability": "Enabled", + "publicNetworkAccess": "Disabled" + }, + "sku": { + "name": "Balanced_B10" + } +} +``` + +## NOTES + +Redis Enterprise and Enterprise Flash used the `Microsoft.Cache/redisEnterprise` resource type. +Redis Enterprise and Enterprise Flash SKUs `Enterprise_*` and `EnterpriseFlash_*` are also deprecated. 
+ +## LINKS + +- [OE:05 Infrastructure as code](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) +- [Azure Cache for Redis retirement: What to know and how to prepare](https://techcommunity.microsoft.com/blog/azure-managed-redis/azure-cache-for-redis-retirement-what-to-know-and-how-to-prepare/4458721) +- [Azure Cache for Redis retirement FAQ](https://learn.microsoft.com/azure/azure-cache-for-redis/retirement-faq) +- [Azure Managed Redis documentation](https://learn.microsoft.com/azure/azure-cache-for-redis/managed-redis/managed-redis-overview) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise) diff --git a/docs/examples/resources/amr.bicep b/docs/examples/resources/amr.bicep new file mode 100644 index 0000000000..49ce229c74 --- /dev/null +++ b/docs/examples/resources/amr.bicep 
@@ -0,0 +1,72 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +// Bicep documentation examples + +@minLength(1) +@maxLength(63) +@sys.description('The name of the resource.') +param name string + +@sys.description('The location resources will be deployed.') +param location string = resourceGroup().location + +@sys.description('The location of a secondary replica.') +param secondaryLocation string = location + +// An example Azure Managed Redis instance with availability zones. +resource primary 'Microsoft.Cache/redisEnterprise@2025-07-01' = { + name: name + location: location + properties: { + highAvailability: 'Enabled' + publicNetworkAccess: 'Disabled' + } + sku: { + name: 'Balanced_B10' + } +} + +// An example secondary replica in an alternative region. +resource secondary 'Microsoft.Cache/redisEnterprise@2025-07-01' = { + name: name + location: secondaryLocation + properties: { + highAvailability: 'Enabled' + publicNetworkAccess: 'Disabled' + } + sku: { + name: 'Balanced_B10' + } +} + +// An example database replicated across the primary and secondary instances. +resource database 'Microsoft.Cache/redisEnterprise/databases@2025-07-01' = { + parent: primary + name: 'default' + properties: { + clientProtocol: 'Encrypted' + evictionPolicy: 'VolatileLRU' + clusteringPolicy: 'OSSCluster' + deferUpgrade: 'NotDeferred' + modules: [ + { + name: 'RedisJSON' + } + ] + persistence: { + aofEnabled: false + rdbEnabled: true + rdbFrequency: '12h' + } + accessKeysAuthentication: 'Disabled' + geoReplication: { + groupNickname: 'group' + linkedDatabases: [ + { + id: resourceId('Microsoft.Cache/redisEnterprise/databases', secondary.name, 'default') + } + ] + } + } +} diff --git a/docs/examples/resources/amr.json b/docs/examples/resources/amr.json new file mode 100644 index 0000000000..748e199303 --- /dev/null +++ b/docs/examples/resources/amr.json 
@@ -0,0 +1,97 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.39.26.7824", + "templateHash": "6517319720095351040" + } + }, + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + }, + "secondaryLocation": { + "type": "string", + "defaultValue": "[parameters('location')]", + "metadata": { + "description": "The location of a secondary replica." + } + } + }, + "resources": [ + { + "type": "Microsoft.Cache/redisEnterprise", + "apiVersion": "2025-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "highAvailability": "Enabled", + "publicNetworkAccess": "Disabled" + }, + "sku": { + "name": "Balanced_B10" + } + }, + { + "type": "Microsoft.Cache/redisEnterprise", + "apiVersion": "2025-07-01", + "name": "[parameters('name')]", + "location": "[parameters('secondaryLocation')]", + "properties": { + "highAvailability": "Enabled", + "publicNetworkAccess": "Disabled" + }, + "sku": { + "name": "Balanced_B10" + } + }, + { + "type": "Microsoft.Cache/redisEnterprise/databases", + "apiVersion": "2025-07-01", + "name": "[format('{0}/{1}', parameters('name'), 'default')]", + "properties": { + "clientProtocol": "Encrypted", + "evictionPolicy": "VolatileLRU", + "clusteringPolicy": "OSSCluster", + "deferUpgrade": "NotDeferred", + "modules": [ + { + "name": "RedisJSON" + } + ], + "persistence": { + "aofEnabled": false, + "rdbEnabled": true, + "rdbFrequency": "12h" + }, + "accessKeysAuthentication": "Disabled", + "geoReplication": { + "groupNickname": "group", + "linkedDatabases": [ + { + "id": 
"[resourceId('Microsoft.Cache/redisEnterprise/databases', parameters('name'), 'default')]" + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Cache/redisEnterprise', parameters('name'))]", + "[resourceId('Microsoft.Cache/redisEnterprise', parameters('name'))]" + ] + } + ] +} \ No newline at end of file diff --git a/src/PSRule.Rules.Azure/en/PSRule-rules.psd1 b/src/PSRule.Rules.Azure/en/PSRule-rules.psd1 index 2aa982b189..b6c103ef3b 100644 --- a/src/PSRule.Rules.Azure/en/PSRule-rules.psd1 +++ b/src/PSRule.Rules.Azure/en/PSRule-rules.psd1 @@ -131,4 +131,5 @@ ResourceHasNoTags = "The resource does not have any tags. Expected tags: {0}." ActiveSecurityAlerts = "There are {0} active security alerts of high or medium severity." KeyValueShouldNotContainSecrets = "The key value '{0}' property should not contain secrets." + CacheRedisMigrateAMR = "Azure Cache for Redis is being retired. Migrate to Azure Managed Redis." } diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 index caba1003df..4e53f43fb6 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 @@ -123,6 +123,11 @@ Rule 'Azure.Redis.Version' -Ref 'AZR-000347' -Type 'Microsoft.Cache/redis' -Tag ).Reason($LocalizedData.AzureCacheRedisVersion) } +# Synopsis: Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. +Rule 'Azure.Redis.MigrateAMR' -Ref 'AZR-000533' -Type 'Microsoft.Cache/redis' -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } { + $Assert.Fail($LocalizedData.CacheRedisMigrateAMR) +} + #region Helper functions function global:GetCacheMemory { diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 index 44bbcbeaac..dede38e472 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 
@@ -353,6 +353,18 @@ Describe 'Azure.Redis' -Tag 'Redis' { $ruleResult.TargetName | Should -BeIn 'redis-R'; $ruleResult.Length | Should -Be 1; } + + It 'Azure.Redis.MigrateAMR' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Redis.MigrateAMR' }; + + # Fail - all instances should fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 12; + $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R'; + + $ruleResult[0].Reason | Should -BeExactly "Azure Cache for Redis is being retired. Migrate to Azure Managed Redis."; + } } Context 'With Configuration Option' -Tag 'Configuration' { From 014fdd33da621c1e5884b86b68a0fffbb46201e5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Nov 2025 01:48:10 +1000 Subject: [PATCH 05/15] Bump pymdown-extensions from 10.16.1 to 10.17.1 (#3594) Bumps [pymdown-extensions](https://github.com/facelessuser/pymdown-extensions) from 10.16.1 to 10.17.1. - [Release notes](https://github.com/facelessuser/pymdown-extensions/releases) - [Commits](https://github.com/facelessuser/pymdown-extensions/compare/10.16.1...10.17.1) --- updated-dependencies: - dependency-name: pymdown-extensions dependency-version: 10.17.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements-docs.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index b3e16200b7..abcc557966 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
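Review bot: In the PATCH 04 hunk for docs/examples/resources/amr.bicep, the `secondary` resource is declared with the same `name: name` as `primary`, so the two `Microsoft.Cache/redisEnterprise` resources collide on name, and `resourceId('Microsoft.Cache/redisEnterprise/databases', secondary.name, 'default')` in `geoReplication.linkedDatabases` resolves to the primary's own database rather than the replica. The compiled docs/examples/resources/amr.json shows the consequence: both resources are named `[parameters('name')]` and the database's `dependsOn` lists the identical `resourceId('Microsoft.Cache/redisEnterprise', parameters('name'))` twice. Giving the secondary its own name (for example a separate parameter for the replica name) fixes both. Also, in docs/en/rules/Azure.Redis.MigrateAMR.md both example sections read "To deploy resource that pass this rule"; it should be "resources that pass".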
@@ -1,6 +1,6 @@ mkdocs==1.6.1 mkdocs-material==9.7.0 -pymdown-extensions==10.16.1 +pymdown-extensions==10.17.1 mike==2.1.3 mkdocs-git-revision-date-localized-plugin==1.5.0 mkdocs-git-committers-plugin-2==2.5.0 From 145e8a99806822ba847fc2ea6b7b5663aefa3faf Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 11:34:13 +0000 Subject: [PATCH 06/15] Fix rule logic to pass AMR instances and fail deprecated SKUs Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com> --- .../rules/Azure.RedisEnterprise.MigrateAMR.md | 2 +- .../rules/Azure.RedisEnterprise.Rule.ps1 | 17 +++++++++++++++-- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md b/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md index 999fa76637..fde812b550 100644 --- a/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md +++ b/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md @@ -87,7 +87,7 @@ For example: ## NOTES -Redis Enterprise and Enterprise Flash SKUs `Enterprise_*` and `EnterpriseFlash_*` are deprecated. +Azure Cache for Redis Enterprise and Enterprise Flash SKUs `Enterprise_*` and `EnterpriseFlash_*` are deprecated. Azure Cache for Redis (Basic, Standard, Premium) using the `Microsoft.Cache/redis` resource type is also deprecated and covered by a separate rule. diff --git a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 index 4331cbf3a2..40ee364b92 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 
@@ -2,10 +2,23 @@ # Licensed under the MIT License. # -# Validation rules for Azure Redis Enterprise Cache +# Validation rules for Azure Cache for Redis Enterprise and Enterprise Flash # # Synopsis: Azure Cache for Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis. Rule 'Azure.RedisEnterprise.MigrateAMR' -Ref 'AZR-000534' -Type 'Microsoft.Cache/redisEnterprise' -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } { - $Assert.Fail($LocalizedData.RedisEnterpriseMigrateAMR) + $deprecatedSkus = @( + 'Enterprise_E1', + 'Enterprise_E5', + 'Enterprise_E10', + 'Enterprise_E20', + 'Enterprise_E50', + 'Enterprise_E100', + 'Enterprise_E200', + 'Enterprise_E400', + 'EnterpriseFlash_F300', + 'EnterpriseFlash_F700', + 'EnterpriseFlash_F1500' + ) + $Assert.NotIn($TargetObject, 'sku.name', $deprecatedSkus).Reason($LocalizedData.RedisEnterpriseMigrateAMR) } From b696af8d307a0947c7880e2ece22489666027b97 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 27 Nov 2025 21:06:01 +1000 Subject: [PATCH 07/15] Bump Azure.Identity and Azure.Identity.Broker (#3602) Bumps Azure.Identity from 1.15.0 to 1.17.1 Bumps Azure.Identity.Broker from 1.3.0 to 1.3.1 --- updated-dependencies: - dependency-name: Azure.Identity dependency-version: 1.17.1 dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: Azure.Identity.Broker dependency-version: 1.3.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .../PSRule.Rules.Azure.Tool.csproj | 4 +- .../packages.lock.json | 54 +++++++++---------- 2 files changed, 29 insertions(+), 29 deletions(-) 
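Review bot: `$Assert.NotIn($TargetObject, 'sku.name', $deprecatedSkus)` only fails for the eleven enumerated SKU names, while the NOTES change in the same patch describes the retired families as `Enterprise_*` and `EnterpriseFlash_*`; any Enterprise tier missing from the list, or one introduced later, silently passes. Matching on the family prefix, for example `$Assert.NotMatch($TargetObject, 'sku.name', '^Enterprise(Flash)?_')`, keeps the rule aligned with the documented scope and removes a list that has to be maintained by hand. Also decide what the rule should do when `sku.name` is absent from the object; if that case should fail, add `$Assert.HasFieldValue($TargetObject, 'sku.name')` ahead of the membership check. The header comment and Synopsis wording are fine.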
diff --git a/src/PSRule.Rules.Azure.Tool/PSRule.Rules.Azure.Tool.csproj b/src/PSRule.Rules.Azure.Tool/PSRule.Rules.Azure.Tool.csproj index 326ea56999..fd4d6bf0ea 100644 --- a/src/PSRule.Rules.Azure.Tool/PSRule.Rules.Azure.Tool.csproj +++ b/src/PSRule.Rules.Azure.Tool/PSRule.Rules.Azure.Tool.csproj @@ -25,8 +25,8 @@ - - + + diff --git a/src/PSRule.Rules.Azure.Tool/packages.lock.json b/src/PSRule.Rules.Azure.Tool/packages.lock.json index 9063f54986..b64417a795 100644 --- a/src/PSRule.Rules.Azure.Tool/packages.lock.json +++ b/src/PSRule.Rules.Azure.Tool/packages.lock.json @@ -4,23 +4,23 @@ "net8.0": { "Azure.Identity": { "type": "Direct", - "requested": "[1.15.0, )", - "resolved": "1.15.0", - "contentHash": "tvJVy5s8VdsAYHIcBw1KrwDTcTWr2K5fG5o/xEJ2zU3+QUViDx/utut83+fGoB/bcBspxuC6wG650GwAUkU2UQ==", + "requested": "[1.17.1, )", + "resolved": "1.17.1", + "contentHash": "MSZkBrctcpiGxs9Cvr2VKKoN6qFLZlP3I6xuCWJ9iTgitI5Rgxtk5gfOSpXPZE3+CJmZ/mnqpQyGyjawFn5Vvg==", "dependencies": { - "Azure.Core": "1.47.1", - "Microsoft.Identity.Client": "4.73.1", - "Microsoft.Identity.Client.Extensions.Msal": "4.73.1" + "Azure.Core": "1.50.0", + "Microsoft.Identity.Client": "4.78.0", + "Microsoft.Identity.Client.Extensions.Msal": "4.78.0" } }, "Azure.Identity.Broker": { "type": "Direct", - "requested": "[1.3.0, )", - "resolved": "1.3.0", - "contentHash": "BkEl38nXtMO9N4R1njLuC4pQ/uNXTD1aQTWTau+IE5f+XN8eXNXkvbX2g4Lzc1Y88IwPiEHRef9Skzh0zfFHgg==", + "requested": "[1.3.1, )", + "resolved": "1.3.1", + "contentHash": "qdkdqDafotQMz3iq07TkrrrSbsB2MHhEbntzfIWBlsdPjBR02RK/N8tDjkvSyjyobzNGL2kELYkrtFUU3xjCWA==", "dependencies": { - "Azure.Identity": "1.15.0", - "Microsoft.Identity.Client.Broker": "4.76.0" + "Azure.Identity": "1.17.1", + "Microsoft.Identity.Client.Broker": "4.78.0" } }, "Microsoft.Extensions.Hosting": { 
@@ -81,11 +81,11 @@ }, "Azure.Core": { "type": "Transitive", - "resolved": "1.47.1", - "contentHash": "oPcncSsDHuxB8SC522z47xbp2+ttkcKv2YZ90KXhRKN0YQd2+7l1UURT9EBzUNEXtkLZUOAB5xbByMTrYRh3yA==", + "resolved": "1.50.0", + "contentHash": "GBNKZEhdIbTXxedvD3R7I/yDVFX9jJJEz02kCziFSJxspSQ5RMHc3GktulJ1s7+ffXaXD7kMgrtdQTaggyInLw==", "dependencies": { "Microsoft.Bcl.AsyncInterfaces": "8.0.0", - "System.ClientModel": "1.5.1", + "System.ClientModel": "1.8.0", "System.Memory.Data": "8.0.1" } }, @@ -355,28 +355,28 @@ }, "Microsoft.Identity.Client": { "type": "Transitive", - "resolved": "4.76.0", - "contentHash": "j2FtmljuCveDJ7umBVYm6Bx3iVGA71U07Dc7byGr2Hrj7XlByZSknruCBUeYN3V75nn1VEhXegxE0MerxvxrXQ==", + "resolved": "4.78.0", + "contentHash": "vZ50HE9INSN+Ew8pCgTm0t7wzxQTqozF9L4MAsl64etXz0Teo0dbUvjpVzqDHRs6m1Vn8mHF04fGaxXrIvGpsg==", "dependencies": { - "Microsoft.IdentityModel.Abstractions": "6.35.0", + "Microsoft.IdentityModel.Abstractions": "8.14.0", "System.Diagnostics.DiagnosticSource": "6.0.1" } }, "Microsoft.Identity.Client.Broker": { "type": "Transitive", - "resolved": "4.76.0", - "contentHash": "dJEbSPSNm8L/e+QSvTFUKkspUk3YVaJF97VB0RpxIUAs3h8/QAXbVVGjNyVwoU7UV43e4+xrMJOXOuQ089+RAg==", + "resolved": "4.78.0", + "contentHash": "HMo2MNsN86d27QK4Z0auOXu0kEJejTzyOt/G+ZMjYJTn9mi4BUqFcY8nMshutr+1nQqKEG/XaCMfOzpjO/IXtA==", "dependencies": { - "Microsoft.Identity.Client": "4.76.0", + "Microsoft.Identity.Client": "4.78.0", "Microsoft.Identity.Client.NativeInterop": "0.19.4" } }, "Microsoft.Identity.Client.Extensions.Msal": { "type": "Transitive", - "resolved": "4.73.1", - "contentHash": "xDztAiV2F0wI0W8FLKv5cbaBefyLD6JVaAsvgSN7bjWNCzGYzHbcOEIP5s4TJXUpQzMfUyBsFl1mC6Zmgpz0PQ==", + "resolved": "4.78.0", + "contentHash": "DYU9o+DrDQuyZxeq91GBA9eNqBvA3ZMkLzQpF7L9dTk6FcIBM1y1IHXWqiKXTvptPF7CZE59upbyUoa+FJ5eiA==", "dependencies": { - "Microsoft.Identity.Client": "4.73.1", + "Microsoft.Identity.Client": "4.78.0", "System.Security.Cryptography.ProtectedData": "4.5.0" } }, 
@@ -387,8 +387,8 @@ }, "Microsoft.IdentityModel.Abstractions": { "type": "Transitive", - "resolved": "6.35.0", - "contentHash": "xuR8E4Rd96M41CnUSCiOJ2DBh+z+zQSmyrYHdYhD6K4fXBcQGVnRCFQ0efROUYpP+p0zC1BLKr0JRpVuujTZSg==" + "resolved": "8.14.0", + "contentHash": "iwbCpSjD3ehfTwBhtSNEtKPK0ICun6ov7Ibx6ISNA9bfwIyzI2Siwyi9eJFCJBwxowK9xcA1mj+jBWiigeqgcQ==" }, "Microsoft.SourceLink.Common": { "type": "Transitive", @@ -402,8 +402,8 @@ }, "System.ClientModel": { "type": "Transitive", - "resolved": "1.5.1", - "contentHash": "k2jKSO0X45IqhVOT9iQB4xralNN9foRQsRvXBTyRpAVxyzCJlG895T9qYrQWbcJ6OQXxOouJQ37x5nZH5XKK+A==", + "resolved": "1.8.0", + "contentHash": "AqRzhn0v29GGGLj/Z6gKq4lGNtvPHT4nHdG5PDJh9IfVjv/nYUVmX11hwwws1vDFeIAzrvmn0dPu8IjLtu6fAw==", "dependencies": { "Microsoft.Extensions.Logging.Abstractions": "8.0.3", "System.Memory.Data": "8.0.1" From d85cbc061e6cbe4f90cde7abb9e65e9d3cc985db Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 27 Nov 2025 23:46:22 +1000 Subject: [PATCH 08/15] Bump actions/setup-dotnet from 5.0.0 to 5.0.1 (#3609) Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 5.0.0 to 5.0.1. - [Release notes](https://github.com/actions/setup-dotnet/releases) - [Commits](https://github.com/actions/setup-dotnet/compare/d4c94342e560b34958eacfc5d055d21461ed1c5d...2016bd2012dba4e32de620c46fe006a3ac9f0602) --- updated-dependencies: - dependency-name: actions/setup-dotnet dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yaml | 6 +++--- .github/workflows/copilot-setup-steps.yml | 2 +- .github/workflows/docs.yaml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 753a7733d0..7f1891af27 100644 
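Review bot: the lock file diff shows transitive `Microsoft.IdentityModel.Abstractions` jumping from 6.35.0 to 8.14.0, a major-version change hidden behind the `semver-minor` label on `Azure.Identity`; `Azure.Core` (1.47.1 to 1.50.0) and `System.ClientModel` (1.5.1 to 1.8.0) move as well. Build the net8.0 tool and run a credential smoke test covering both the plain and the broker path before merging. On the plus side, `Microsoft.Identity.Client`, `Microsoft.Identity.Client.Broker` and `Microsoft.Identity.Client.Extensions.Msal` now all resolve to 4.78.0, where the old graph mixed 4.76.0 and 4.73.1. The csproj hunk is reduced to `- - + +` in this rendering, so confirm that the `PackageReference` versions there match the `requested` ranges `[1.17.1, )` and `[1.3.1, )` recorded in the lock file.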
--- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -34,7 +34,7 @@ jobs: uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup .NET - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 + uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1 with: global-json-file: global.json @@ -112,7 +112,7 @@ jobs: uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup .NET - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 + uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1 with: global-json-file: global.json @@ -159,7 +159,7 @@ jobs: fetch-depth: 0 - name: Setup .NET - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 + uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1 with: global-json-file: global.json diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index 86b72a4924..3106c1e8db 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -29,7 +29,7 @@ jobs: fetch-depth: 0 - name: Setup .NET - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 + uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1 with: global-json-file: global.json diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 912ebae3cc..029a8dc45d 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -42,7 +42,7 @@ jobs: architecture: x64 - name: Setup .NET - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 + uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1 with: global-json-file: global.json From 76c88e410bb385236ae619a35f072f8e145e18b4 Mon Sep 17 00:00:00 2001 
From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Fri, 28 Nov 2025 01:27:31 +1000 Subject: [PATCH 09/15] Add naming format rules for containers, databases and infrastructure services (#3549) --- docs/changelog.md | 77 +++++- docs/en/baselines/Azure.All.csv | 50 +++- docs/en/baselines/Azure.All.md | 40 ++- docs/en/baselines/Azure.CAF_2025_03.csv | 12 +- docs/en/baselines/Azure.CAF_2025_06.csv | 12 +- docs/en/baselines/Azure.CAF_Compatibility.csv | 12 +- docs/en/baselines/Azure.Default.csv | 50 +++- docs/en/baselines/Azure.Default.md | 40 ++- docs/en/baselines/Azure.GA_2020_06.csv | 4 +- docs/en/baselines/Azure.GA_2020_09.csv | 4 +- docs/en/baselines/Azure.GA_2020_12.csv | 8 +- docs/en/baselines/Azure.GA_2021_03.csv | 8 +- docs/en/baselines/Azure.GA_2021_06.csv | 8 +- docs/en/baselines/Azure.GA_2021_09.csv | 10 +- docs/en/baselines/Azure.GA_2021_12.csv | 10 +- docs/en/baselines/Azure.GA_2022_03.csv | 10 +- docs/en/baselines/Azure.GA_2022_06.csv | 10 +- docs/en/baselines/Azure.GA_2022_09.csv | 10 +- docs/en/baselines/Azure.GA_2022_12.csv | 10 +- docs/en/baselines/Azure.GA_2023_03.csv | 12 +- docs/en/baselines/Azure.GA_2023_06.csv | 12 +- docs/en/baselines/Azure.GA_2023_09.csv | 12 +- docs/en/baselines/Azure.GA_2023_12.csv | 12 +- docs/en/baselines/Azure.GA_2024_03.csv | 13 +- docs/en/baselines/Azure.GA_2024_03.md | 3 +- docs/en/baselines/Azure.GA_2024_06.csv | 15 +- docs/en/baselines/Azure.GA_2024_06.md | 5 +- docs/en/baselines/Azure.GA_2024_09.csv | 15 +- docs/en/baselines/Azure.GA_2024_09.md | 5 +- docs/en/baselines/Azure.GA_2024_12.csv | 15 +- docs/en/baselines/Azure.GA_2024_12.md | 5 +- docs/en/baselines/Azure.GA_2025_03.csv | 15 +- docs/en/baselines/Azure.GA_2025_03.md | 5 +- docs/en/baselines/Azure.GA_2025_06.csv | 15 +- docs/en/baselines/Azure.GA_2025_06.md | 5 +- docs/en/baselines/Azure.GA_2025_09.csv | 15 +- docs/en/baselines/Azure.GA_2025_09.md | 5 +- docs/en/baselines/Azure.MCSB.v1.csv | 4 +- docs/en/baselines/Azure.MCSB.v1.md | 6 +- 
.../Azure.Pillar.OperationalExcellence.csv | 39 ++- .../Azure.Pillar.OperationalExcellence.md | 41 ++- .../en/baselines/Azure.Pillar.Reliability.csv | 5 + docs/en/baselines/Azure.Pillar.Reliability.md | 7 +- .../en/baselines/Azure.Pillar.Security.L1.csv | 3 +- docs/en/baselines/Azure.Pillar.Security.L1.md | 5 +- docs/en/baselines/Azure.Pillar.Security.csv | 6 +- docs/en/baselines/Azure.Pillar.Security.md | 8 +- docs/en/baselines/Azure.Preview.csv | 50 +++- docs/en/baselines/Azure.Preview.md | 40 ++- docs/en/rules/Azure.ACI.Naming.md | 182 +++++++++++++ docs/en/rules/Azure.ACR.Name.md | 123 +++++---- docs/en/rules/Azure.ACR.Naming.md | 199 ++++++++++++++ docs/en/rules/Azure.AI.FoundryNaming.md | 5 +- docs/en/rules/Azure.AKS.Name.md | 176 ++++++++++++- docs/en/rules/Azure.AKS.Naming.md | 247 ++++++++++++++++++ docs/en/rules/Azure.AKS.SystemPoolNaming.md | 166 ++++++++++++ docs/en/rules/Azure.AKS.UserPoolNaming.md | 166 ++++++++++++ docs/en/rules/Azure.ContainerApp.EnvNaming.md | 182 +++++++++++++ docs/en/rules/Azure.ContainerApp.JobNaming.md | 174 ++++++++++++ docs/en/rules/Azure.ContainerApp.Name.md | 101 +++---- docs/en/rules/Azure.ContainerApp.Naming.md | 221 ++++++++++++++++ docs/en/rules/Azure.Cosmos.AccountName.md | 106 +++++++- docs/en/rules/Azure.Cosmos.CassandraNaming.md | 193 ++++++++++++++ docs/en/rules/Azure.Cosmos.DatabaseNaming.md | 162 ++++++++++++ docs/en/rules/Azure.Cosmos.GremlinNaming.md | 197 ++++++++++++++ docs/en/rules/Azure.Cosmos.MongoNaming.md | 183 +++++++++++++ docs/en/rules/Azure.Cosmos.NoSQLNaming.md | 193 ++++++++++++++ .../en/rules/Azure.Cosmos.PostgreSQLNaming.md | 174 ++++++++++++ docs/en/rules/Azure.Cosmos.TableNaming.md | 193 ++++++++++++++ docs/en/rules/Azure.LB.Name.md | 22 +- docs/en/rules/Azure.MySQL.ServerName.md | 11 +- docs/en/rules/Azure.MySQL.ServerNaming.md | 177 +++++++++++++ docs/en/rules/Azure.PostgreSQL.ServerName.md | 11 +- .../en/rules/Azure.PostgreSQL.ServerNaming.md | 185 +++++++++++++ 
docs/en/rules/Azure.Redis.Naming.md | 184 +++++++++++++ docs/en/rules/Azure.RedisEnterprise.Naming.md | 168 ++++++++++++ docs/en/rules/Azure.RedisEnterprise.Zones.md | 4 +- docs/en/rules/Azure.SQL.DBName.md | 95 ++++++- docs/en/rules/Azure.SQL.DBNaming.md | 155 +++++++++++ docs/en/rules/Azure.SQL.ElasticPoolNaming.md | 163 ++++++++++++ docs/en/rules/Azure.SQL.JobAgentNaming.md | 149 +++++++++++ docs/en/rules/Azure.SQL.MaintenanceWindow.md | 4 +- docs/en/rules/Azure.SQL.ServerName.md | 110 +++++++- docs/en/rules/Azure.SQL.ServerNaming.md | 171 ++++++++++++ docs/en/rules/Azure.SQLMI.ManagedIdentity.md | 70 +++-- docs/en/rules/Azure.SQLMI.Naming.md | 176 +++++++++++++ .../Azure.ServiceFabric.ManagedNaming.md | 196 ++++++++++++++ docs/en/rules/Azure.ServiceFabric.Naming.md | 209 +++++++++++++++ docs/en/rules/Azure.VM.Name.md | 3 + docs/en/rules/Azure.VM.Naming.md | 5 +- docs/en/rules/index.md | 36 ++- docs/en/rules/module.md | 48 +++- docs/en/rules/resource.md | 125 ++++++++- docs/es/rules/index.md | 38 ++- docs/es/rules/module.md | 48 +++- docs/es/rules/resource.md | 125 ++++++++- docs/examples/resources/aci.bicep | 62 +++++ docs/examples/resources/aci.json | 84 ++++++ docs/examples/resources/aks.bicep | 52 +++- docs/examples/resources/aks.json | 62 ++++- docs/examples/resources/containerapp.bicep | 43 ++- docs/examples/resources/containerapp.json | 64 +++-- docs/examples/resources/cosmos.bicep | 142 +++++++++- docs/examples/resources/cosmos.json | 148 ++++++++++- docs/examples/resources/mysql.bicep | 12 +- docs/examples/resources/mysql.json | 8 +- docs/examples/resources/postgresql.bicep | 14 +- docs/examples/resources/postgresql.json | 10 +- docs/examples/resources/redisenterprise.bicep | 4 +- docs/examples/resources/redisenterprise.json | 8 +- docs/examples/resources/service-fabric.bicep | 39 ++- docs/examples/resources/service-fabric.json | 43 ++- docs/examples/resources/sql.bicep | 32 ++- docs/examples/resources/sql.json | 43 ++- 
docs/examples/resources/sqlmi.bicep | 43 +++ docs/examples/resources/sqlmi.json | 59 +++++ docs/setup/setup-naming-and-tagging.md | 26 ++ docs/updates/v1.47.md | 68 +++++ pipeline.build.ps1 | 2 + .../rules/Azure.ACI.Rule.ps1 | 15 ++ .../rules/Azure.ACR.Rule.ps1 | 5 + .../rules/Azure.ACR.Rule.yaml | 1 + .../rules/Azure.AKS.Rule.ps1 | 27 ++ .../rules/Azure.AKS.Rule.yaml | 1 + .../rules/Azure.ContainerApp.Rule.ps1 | 15 ++ .../rules/Azure.ContainerApp.Rule.yaml | 1 + .../rules/Azure.Cosmos.Rule.ps1 | 35 +++ .../rules/Azure.Cosmos.Rule.yaml | 1 + .../rules/Azure.MySQL.Rule.ps1 | 9 + .../rules/Azure.PostgreSQL.Rule.ps1 | 9 + .../rules/Azure.Redis.Rule.ps1 | 9 + .../rules/Azure.Redis.Rule.yaml | 36 +++ .../rules/Azure.RedisEnterprise.Rule.ps1 | 15 ++ .../rules/Azure.RedisEnterprise.Rule.yaml | 4 +- .../rules/Azure.SQL.Rule.ps1 | 28 +- .../rules/Azure.SQLMI.Rule.ps1 | 5 + .../rules/Azure.ServiceFabric.Rule.ps1 | 20 ++ src/PSRule.Rules.Azure/rules/CAF.Rule.yaml | 128 +++++++++ src/PSRule.Rules.Azure/rules/Config.Rule.yaml | 26 ++ .../Azure.ACI.Tests.ps1 | 67 +++++ .../Azure.ACR.Tests.ps1 | 46 ++++ .../Azure.AKS.Tests.ps1 | 112 ++++++++ .../Azure.ContainerApp.Tests.ps1 | 110 ++++++++ .../Azure.Cosmos.Tests.ps1 | 218 ++++++++++++++++ .../Azure.MySQL.Tests.ps1 | 41 +++ .../Azure.PostgreSQL.Tests.ps1 | 41 +++ .../Azure.Redis.Tests.ps1 | 67 +++++ .../Azure.SQL.Tests.ps1 | 122 +++++++++ .../Azure.SQLMI.Tests.ps1 | 41 +++ .../Azure.ServiceFabric.Tests.ps1 | 70 +++++ .../Resources.Redis.json | 70 +++-- 151 files changed, 8723 insertions(+), 554 deletions(-) create mode 100644 docs/en/rules/Azure.ACI.Naming.md create mode 100644 docs/en/rules/Azure.ACR.Naming.md create mode 100644 docs/en/rules/Azure.AKS.Naming.md create mode 100644 docs/en/rules/Azure.AKS.SystemPoolNaming.md create mode 100644 docs/en/rules/Azure.AKS.UserPoolNaming.md create mode 100644 docs/en/rules/Azure.ContainerApp.EnvNaming.md create mode 100644 docs/en/rules/Azure.ContainerApp.JobNaming.md create mode 100644 
docs/en/rules/Azure.ContainerApp.Naming.md create mode 100644 docs/en/rules/Azure.Cosmos.CassandraNaming.md create mode 100644 docs/en/rules/Azure.Cosmos.DatabaseNaming.md create mode 100644 docs/en/rules/Azure.Cosmos.GremlinNaming.md create mode 100644 docs/en/rules/Azure.Cosmos.MongoNaming.md create mode 100644 docs/en/rules/Azure.Cosmos.NoSQLNaming.md create mode 100644 docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md create mode 100644 docs/en/rules/Azure.Cosmos.TableNaming.md create mode 100644 docs/en/rules/Azure.MySQL.ServerNaming.md create mode 100644 docs/en/rules/Azure.PostgreSQL.ServerNaming.md create mode 100644 docs/en/rules/Azure.Redis.Naming.md create mode 100644 docs/en/rules/Azure.RedisEnterprise.Naming.md create mode 100644 docs/en/rules/Azure.SQL.DBNaming.md create mode 100644 docs/en/rules/Azure.SQL.ElasticPoolNaming.md create mode 100644 docs/en/rules/Azure.SQL.JobAgentNaming.md create mode 100644 docs/en/rules/Azure.SQL.ServerNaming.md create mode 100644 docs/en/rules/Azure.SQLMI.Naming.md create mode 100644 docs/en/rules/Azure.ServiceFabric.ManagedNaming.md create mode 100644 docs/en/rules/Azure.ServiceFabric.Naming.md create mode 100644 docs/examples/resources/aci.bicep create mode 100644 docs/examples/resources/aci.json create mode 100644 docs/examples/resources/sqlmi.bicep create mode 100644 docs/examples/resources/sqlmi.json create mode 100644 docs/updates/v1.47.md create mode 100644 src/PSRule.Rules.Azure/rules/Azure.ACI.Rule.ps1 create mode 100644 src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 create mode 100644 src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1 create mode 100644 tests/PSRule.Rules.Azure.Tests/Azure.ACI.Tests.ps1 diff --git a/docs/changelog.md b/docs/changelog.md index f0a6ec011d..103cab874b 100644 --- a/docs/changelog.md +++ b/docs/changelog.md 
@@ -31,15 +31,54 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers ## Unreleased - New rules: + - Added naming format rules for AKS, Container Apps, Service Fabric, Cosmos DB, Redis, and SQL resources. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) - App Configuration: - Check that replica locations are in allowed regions by @BernieWhite. [#3441](https://github.com/Azure/PSRule.Rules.Azure/issues/3441) - Azure Cache for Redis: - Check for legacy Azure Cache for Redis instances by @BenjaminEngeset. [#3605](https://github.com/Azure/PSRule.Rules.Azure/issues/3605) - - Managed Instance for Apache Cassandra: - - Check that Managed Instance for Apache Cassandra clusters have availability zones enabled by @BenjaminEngeset. - [#3592](https://github.com/Azure/PSRule.Rules.Azure/issues/3592) + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_REDIS_CACHE_NAME_FORMAT` + - `AZURE_REDIS_ENTERPRISE_NAME_FORMAT` + - Added configured name format by @BernieWhite. + - Azure Database for MySQL: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_MYSQL_SERVER_NAME_FORMAT` + - Azure Database for PostgreSQL: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_POSTGRESQL_SERVER_NAME_FORMAT` + - Azure Kubernetes Service: + - Check resources naming matches configured name format by @BernieWhite. 
+ [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_AKS_CLUSTER_NAME_FORMAT` + - `AZURE_AKS_SYSTEM_POOL_NAME_FORMAT` + - `AZURE_AKS_USER_POOL_NAME_FORMAT` + - Container Apps: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_CONTAINER_APP_NAME_FORMAT` + - `AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT` + - `AZURE_CONTAINER_APP_JOB_NAME_FORMAT` + - Container Instance: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration option: + - `AZURE_CONTAINER_INSTANCE_NAME_FORMAT` + - Container Registry: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration option: + - `AZURE_CONTAINER_REGISTRY_NAME_FORMAT` - Cosmos DB: - Check that Cosmos DB accounts have availability zones enabled by @BenjaminEngeset. [#3055](https://github.com/Azure/PSRule.Rules.Azure/issues/3055) 
@@ -47,15 +86,47 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers [#3369](https://github.com/Azure/PSRule.Rules.Azure/issues/3369) - Check that MongoDB vCore clusters have availability zones enabled by @BenjaminEngeset. [#3586](https://github.com/Azure/PSRule.Rules.Azure/issues/3586) + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_COSMOS_CASSANDRA_NAME_FORMAT` + - `AZURE_COSMOS_DATABASE_NAME_FORMAT` + - `AZURE_COSMOS_GREMLIN_NAME_FORMAT` + - `AZURE_COSMOS_MONGO_NAME_FORMAT` + - `AZURE_COSMOS_NOSQL_NAME_FORMAT` + - `AZURE_COSMOS_POSTGRESQL_NAME_FORMAT` + - `AZURE_COSMOS_TABLE_NAME_FORMAT` - Data Explorer: - Check that public network access is disabled by @BenjaminEngeset. [#3114](https://github.com/Azure/PSRule.Rules.Azure/issues/3114) - Event Hub: - Check that zone redundancy is enabled for Event Hub namespaces in supported regions by @BenjaminEngeset. [#3029](https://github.com/Azure/PSRule.Rules.Azure/issues/3029) + - Managed Instance for Apache Cassandra: + - Check that Managed Instance for Apache Cassandra clusters have availability zones enabled by @BenjaminEngeset. + [#3592](https://github.com/Azure/PSRule.Rules.Azure/issues/3592) - Managed Grafana: - Check that zone redundancy is enabled for Grafana workspaces in supported regions by @BenjaminEngeset. [#3294](https://github.com/Azure/PSRule.Rules.Azure/issues/3294) + - Service Fabric: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration option: + - `AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT` + - `AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT` + - SQL Database: + - Check resources naming matches configured name format by @BernieWhite. 
+ [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration option: + - `AZURE_SQL_DATABASE_NAME_FORMAT` + - `AZURE_SQL_SERVER_NAME_FORMAT` + - `AZURE_SQL_ELASTIC_POOL_NAME_FORMAT` + - `AZURE_SQL_JOB_AGENT_NAME_FORMAT` + - SQL Managed Instance: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration option: + - `AZURE_SQL_MI_NAME_FORMAT` - Updated rules: - Application Gateway Policy: - Updated `Azure.AppGwWAF.RuleGroups` to use Microsoft Default Rule Set instead of legacy OWASP rule set by @BenjaminEngeset. diff --git a/docs/en/baselines/Azure.All.csv b/docs/en/baselines/Azure.All.csv index 145ccdfc3a..5519e8b437 100644 --- a/docs/en/baselines/Azure.All.csv +++ b/docs/en/baselines/Azure.All.csv @@ -1,4 +1,5 @@ "Name","Synopsis","Severity","Pillar","Maturity" +"Azure.ACI.Naming","Container Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1" "Azure.ACR.AnonymousAccess","Anonymous pull access allows unidentified downloading of images and metadata from a container registry.","Important","Security","-" "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" 
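Review bot: the summary line `Added naming format rules for AKS, Container Apps, Service Fabric, Cosmos DB, Redis, and SQL resources.` undercounts the patch; the per-service entries that follow also add naming rules for Container Instance, Container Registry, Azure Database for MySQL, Azure Database for PostgreSQL and SQL Managed Instance. Under "Azure Cache for Redis" the line `- Added configured name format by @BernieWhite.` is a dangling entry with no issue link or option list and looks like a leftover from the `AZURE_REDIS_*` entry above it. Two style points repeated through the hunk: `Check resources naming matches configured name format` should read `Check resource naming matches the configured name format`, and the Service Fabric, SQL Database and SQL Managed Instance entries say `configuration option:` (singular) while listing several. Moving the Managed Instance for Apache Cassandra entry into alphabetical order is fine.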
@@ -8,7 +9,8 @@ "Azure.ACR.GeoReplica","Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start.","Important","Reliability","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.ACR.Naming","Container Registry resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ACR.Quarantine","Enable container image quarantine, scan, and mark images as verified.","Important","Security","-" "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-" "Azure.ACR.Retention","Use a retention policy to cleanup untagged manifests.","Important","Cost Optimization","-" 
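Review bot: this hunk changes the maturity of the existing `Azure.ACR.Name` rule from `-` to `L2` in addition to adding `Azure.ACR.Naming`, and the same happens to `Azure.AKS.Name`, `Azure.ContainerApp.Name` and `Azure.Cosmos.AccountName` in the hunks below. If the intent is that the ARM name-requirement rules graduate to L2 together with the new naming-convention rules, record that under Updated rules in the changelog; the CSV baselines are generated output and on their own leave the change undocumented.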
@@ -16,6 +18,7 @@ "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" +"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4" "Azure.ADX.SLA","Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.","Important","Reliability","-" "Azure.ADX.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-" "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1" 
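Review bot: `Azure.ADX.PublicAccess` appears here as a new row although the changelog hunk in this same patch carries the Data Explorer public-network rule as an unchanged, already-listed entry, so the baselines on the base commit were stale and this regeneration is picking up rows unrelated to naming. Not a blocker, but regenerate the baselines from current main first so the CSV diff shows only what this patch adds.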
@@ -43,7 +46,8 @@ "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.AKS.Naming","AKS cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" 
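Review bot: the unchanged context line `AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.` carries a typo (`may be permit` should be `may permit`) that comes from the `Azure.AKS.NetworkPolicy` synopsis; since the CSVs are generated, fix it at the source and regenerate rather than editing the CSV. The `Azure.AKS.Name` maturity change from `-` to `L2` in this hunk is a change to an existing rule that the changelog does not record.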
@@ -53,8 +57,10 @@ "Azure.AKS.SecretStore","Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.","Important","Security","-" "Azure.AKS.SecretStoreRotation","Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.","Important","Security","-" "Azure.AKS.StandardLB","Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.","Important","Performance Efficiency","-" +"Azure.AKS.SystemPoolNaming","AKS system node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.AKS.UptimeSLA","AKS clusters should have Uptime SLA enabled for a financially backed SLA.","Important","Reliability","-" "Azure.AKS.UseRBAC","Deploy AKS cluster with role-based access control (RBAC) enabled.","Important","Security","-" +"Azure.AKS.UserPoolNaming","AKS user node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.AKS.Version","Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support.","Important","Reliability","-" "Azure.Alert.HighFrequencyQuery","High frequency scheduled queries are changed as a higher rate than low frequency queries.","Important","Cost Optimization","-" "Azure.Alert.MetricAutoMitigate","Alerts that require manual intervention for mitigation can lead to increased personnel time and effort.","Important","Cost Optimization","-" 
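Review bot: the context line `High frequency scheduled queries are changed as a higher rate than low frequency queries.` (the `Azure.Alert.HighFrequencyQuery` synopsis) should read `charged at a higher rate`; fix it in the rule's Synopsis and regenerate. The two new system and user pool naming rows themselves look right.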
@@ -103,7 +109,7 @@ "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-" "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-" "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" -"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" +"Azure.AppGwWAF.RuleGroups","Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic.","Critical","Security","L2" "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1" "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-" "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
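Review bot: the `Azure.AppGwWAF.RuleGroups` synopsis rewrite is not part of the naming change and belongs with the Microsoft Default Rule Set update already recorded under Updated rules, so it is riding along in a regenerated baseline. As written the new synopsis is a full paragraph in a column meant for one short sentence; keep the synopsis to something like `Use the Microsoft Default Rule Set and Bot Manager Rule Set in Application Gateway WAF policies.` and move the rationale into the rule description. The maturity change from `-` to `L2` on that rule is also not mentioned anywhere in the changelog.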
@@ -144,22 +150,35 @@ "Azure.ContainerApp.APIVersion","Migrate from retired API version to a supported version.","Important","Operational Excellence","-" "Azure.ContainerApp.AvailabilityZone","Use Container Apps environments that are zone redundant to improve reliability.","Important","Reliability","-" "Azure.ContainerApp.DisableAffinity","Disable session affinity to prevent unbalanced distribution.","Awareness","Performance Efficiency","-" +"Azure.ContainerApp.EnvNaming","Container App Environment resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-" "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1" +"Azure.ContainerApp.JobNaming","Container App Job resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.ContainerApp.Naming","Container App resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to 
allow action for all rules defined.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.AvailabilityZone","Use zone redundant Cosmos DB accounts in supported regions to improve reliability.","Important","Reliability","L1" +"Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-" +"Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" -"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" +"Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1" 
+"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1" +"Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1" +"Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-" "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-" +"Azure.Cosmos.TableNaming","Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-" "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-" "Azure.Databricks.SKU","Ensure Databricks workspaces are non-trial SKUs for production workloads.","Critical","Performance Efficiency","-" 
@@ -206,6 +225,7 @@ "Azure.EventGrid.TopicNaming","Event Grid topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" "Azure.EventGrid.TopicPublicAccess","Use Private Endpoints to access Event Grid topics and domains.","Important","Security","-" "Azure.EventGrid.TopicTLS","Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.","Critical","Security","L1" +"Azure.EventHub.AvailabilityZone","Use zone redundant Event Hub namespaces in supported regions to improve reliability.","Important","Reliability","L1" "Azure.EventHub.DisableLocalAuth","Authenticate Event Hub publishers and consumers with Entra ID identities.","Important","Security","L1" "Azure.EventHub.Firewall","Access to the namespace endpoints should be restricted to only allowed sources.","Critical","Security","-" "Azure.EventHub.MinTLS","Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.","Critical","Security","L1" 
@@ -232,6 +252,7 @@ "Azure.FrontDoorWAF.Exclusions","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.","Critical","Security","-" "Azure.FrontDoorWAF.PreventionMode","Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" "Azure.FrontDoorWAF.RuleGroups","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" +"Azure.Grafana.AvailabilityZone","Use zone redundant Grafana workspaces in supported regions to improve reliability.","Important","Reliability","L1" "Azure.Grafana.Version","Grafana workspaces should be on Grafana version 10.","Important","Reliability","-" "Azure.Group.Name","Azure Resource Manager (ARM) has requirements for Resource Groups names.","Awareness","Operational Excellence","-" "Azure.Group.Naming","Resource Groups without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
@@ -271,6 +292,7 @@ "Azure.MariaDB.ServerName","Azure Database for MariaDB servers should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.MariaDB.UseSSL","Azure Database for MariaDB servers should only accept encrypted connections.","Critical","Security","L1" "Azure.MariaDB.VNETRuleName","Azure Database for MariaDB VNET rules should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.MICassandra.AvailabilityZone","Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability.","Important","Reliability","L1" "Azure.ML.ComputeIdleShutdown","Configure an idle shutdown timeout for Machine Learning compute instances.","Critical","Cost Optimization","-" "Azure.ML.ComputeVnet","Azure Machine Learning Computes should be hosted in a virtual network (VNet).","Critical","Security","-" "Azure.ML.DisableLocalAuth","Azure Machine Learning compute resources should have local authentication methods disabled.","Critical","Security","L1" 
@@ -287,6 +309,7 @@ "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-" "Azure.MySQL.MinTLS","MySQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1" "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.MySQL.ServerNaming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.MySQL.UseFlexible","Use Azure Database for MySQL Flexible Server deployment model.","Important","Reliability","-" "Azure.MySQL.UseSSL","Enforce encrypted MySQL connections.","Critical","Security","L1" "Azure.MySQL.ZoneRedundantHA","Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-" 
@@ -315,6 +338,7 @@ "Azure.PostgreSQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers.","Important","Reliability","-" "Azure.PostgreSQL.MinTLS","PostgreSQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1" "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.PostgreSQL.ServerNaming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.PostgreSQL.UseSSL","Enforce encrypted PostgreSQL connections.","Critical","Security","L1" "Azure.PostgreSQL.ZoneRedundantHA","Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-" "Azure.PrivateEndpoint.Name","Private Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-" 
@@ -337,12 +361,15 @@ "Azure.Redis.FirewallRuleCount","Determine if there is an excessive number of firewall rules for the Redis cache.","Awareness","Security","-" "Azure.Redis.LocalAuth","Access keys allow depersonalized access to Azure Cache for Redis using a shared secret.","Important","Security","L1" "Azure.Redis.MaxMemoryReserved","Configure maxmemory-reserved to reserve memory for non-cache operations.","Important","Performance Efficiency","-" +"Azure.Redis.MigrateAMR","Azure Cache for Redis is being retired. Migrate to Azure Managed Redis.","Important","Operational Excellence","-" "Azure.Redis.MinSKU","Use Azure Cache for Redis instances of at least Standard C1.","Important","Performance Efficiency","-" "Azure.Redis.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Redis.NonSslPort","Azure Cache for Redis should only accept secure connections.","Critical","Security","L1" "Azure.Redis.PublicNetworkAccess","Redis cache should disable public network access.","Critical","Security","-" "Azure.Redis.Version","Azure Cache for Redis should use the latest supported version of Redis.","Important","Reliability","-" "Azure.RedisEnterprise.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.RedisEnterprise.Naming","Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.RedisEnterprise.Zones","Enterprise Redis cache should be zone-redundant for high availability.","Important","Reliability","-" "Azure.Resource.AllowedRegions","The deployment location of a resource determines the country or region where metadata and data is stored and processed.","Important","Security","-" 
"Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" @@ -365,6 +392,8 @@ "Azure.ServiceBus.MinTLS","Service Bus namespaces should reject TLS versions older than 1.2.","Important","Security","L1" "Azure.ServiceBus.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-" "Azure.ServiceFabric.AAD","Use Entra ID client authentication for Service Fabric clusters.","Critical","Security","L1" +"Azure.ServiceFabric.ManagedNaming","Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.ServiceFabric.Naming","Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ServiceFabric.ProtectionLevel","Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks.","Important","Security","L1" "Azure.SignalR.ManagedIdentity","Configure SignalR Services to use managed identities to access Azure resources securely.","Important","Security","L1" "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-" 
@@ -373,14 +402,18 @@ "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.SQL.DBNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" +"Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" +"Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet 
naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1" @@ -388,6 +421,7 @@ "Azure.SQLMI.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL Managed Instances.","Important","Reliability","-" "Azure.SQLMI.ManagedIdentity","Ensure managed identity is used to allow support for Azure AD authentication.","Important","Security","L1" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQLMI.Naming","SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-" "Azure.Storage.BlobPublicAccess","Storage Accounts should only accept authorized requests.","Important","Security","-" "Azure.Storage.ContainerSoftDelete","Enable container soft delete on Storage Accounts.","Important","Reliability","-" diff --git a/docs/en/baselines/Azure.All.md b/docs/en/baselines/Azure.All.md index 0a243d0f51..36b54a97bc 100644 --- a/docs/en/baselines/Azure.All.md +++ b/docs/en/baselines/Azure.All.md 
@@ -10,10 +10,11 @@ Includes all Azure rules. The following rules are included within the `Azure.All` baseline. -This baseline includes a total of 496 rules. +This baseline includes a total of 530 rules. Name | Synopsis | Severity ---- | -------- | -------- +[Azure.ACI.Naming](../rules/Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ACR.AdminUser](../rules/Azure.ACR.AdminUser.md) | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical [Azure.ACR.AnonymousAccess](../rules/Azure.ACR.AnonymousAccess.md) | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Important [Azure.ACR.ContainerScan](../rules/Azure.ACR.ContainerScan.md) | Container images or their base images may have vulnerabilities discovered after they are built. | Critical 
@@ -24,6 +25,7 @@ Name | Synopsis | Severity [Azure.ACR.ImageHealth](../rules/Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical [Azure.ACR.MinSku](../rules/Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important [Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness +[Azure.ACR.Naming](../rules/Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important [Azure.ACR.ReplicaLocation](../rules/Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important 
@@ -31,6 +33,7 @@ Name | Synopsis | Severity [Azure.ACR.Usage](../rules/Azure.ACR.Usage.md) | Regularly remove deprecated and unneeded images to reduce storage usage. | Important [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important +[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical [Azure.ADX.SLA](../rules/Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important [Azure.ADX.Usage](../rules/Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important 
@@ -59,6 +62,7 @@ Name | Synopsis | Severity [Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important [Azure.AKS.MinUserPoolNodes](../rules/Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important [Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness +[Azure.AKS.Naming](../rules/Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important [Azure.AKS.NodeAutoUpgrade](../rules/Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important [Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important 
@@ -68,8 +72,10 @@ Name | Synopsis | Severity [Azure.AKS.SecretStore](../rules/Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important [Azure.AKS.SecretStoreRotation](../rules/Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important [Azure.AKS.StandardLB](../rules/Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important +[Azure.AKS.SystemPoolNaming](../rules/Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.AKS.UptimeSLA](../rules/Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important [Azure.AKS.UseRBAC](../rules/Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important +[Azure.AKS.UserPoolNaming](../rules/Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.AKS.Version](../rules/Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important [Azure.Alert.HighFrequencyQuery](../rules/Azure.Alert.HighFrequencyQuery.md) | High frequency scheduled queries are changed as a higher rate than low frequency queries. | Important [Azure.Alert.MetricAutoMitigate](../rules/Azure.Alert.MetricAutoMitigate.md) | Alerts that require manual intervention for mitigation can lead to increased personnel time and effort. | Important 
@@ -118,7 +124,7 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical +[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness 
@@ -159,22 +165,35 @@ Name | Synopsis | Severity [Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important [Azure.ContainerApp.AvailabilityZone](../rules/Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important [Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Awareness +[Azure.ContainerApp.EnvNaming](../rules/Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important +[Azure.ContainerApp.JobNaming](../rules/Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important [Azure.ContainerApp.MinReplicas](../rules/Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important [Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness +[Azure.ContainerApp.Naming](../rules/Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. 
| Awareness [Azure.ContainerApp.PublicAccess](../rules/Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness +[Azure.Cosmos.AvailabilityZone](../rules/Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important +[Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important +[Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical -[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. 
| Important +[Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical +[Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important +[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical +[Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness +[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical +[Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness +[Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important +[Azure.Cosmos.TableNaming](../rules/Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. 
| Awareness [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical [Azure.Databricks.SecureConnectivity](../rules/Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical [Azure.Databricks.SKU](../rules/Azure.Databricks.SKU.md) | Ensure Databricks workspaces are non-trial SKUs for production workloads. | Critical @@ -221,6 +240,7 @@ Name | Synopsis | Severity [Azure.EventGrid.TopicNaming](../rules/Azure.EventGrid.TopicNaming.md) | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important [Azure.EventGrid.TopicTLS](../rules/Azure.EventGrid.TopicTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical +[Azure.EventHub.AvailabilityZone](../rules/Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important [Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important [Azure.EventHub.Firewall](../rules/Azure.EventHub.Firewall.md) | Access to the namespace endpoints should be restricted to only allowed sources. | Critical [Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical 
@@ -247,6 +267,7 @@ Name | Synopsis | Severity [Azure.FrontDoorWAF.Exclusions](../rules/Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical [Azure.FrontDoorWAF.PreventionMode](../rules/Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.FrontDoorWAF.RuleGroups](../rules/Azure.FrontDoorWAF.RuleGroups.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical +[Azure.Grafana.AvailabilityZone](../rules/Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important [Azure.Grafana.Version](../rules/Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important [Azure.Group.Name](../rules/Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness [Azure.Group.Naming](../rules/Azure.Group.Naming.md) | Resource Groups without a standard naming convention may be difficult to identify and manage. | Awareness 
@@ -286,6 +307,7 @@ Name | Synopsis | Severity [Azure.MariaDB.ServerName](../rules/Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness [Azure.MariaDB.UseSSL](../rules/Azure.MariaDB.UseSSL.md) | Azure Database for MariaDB servers should only accept encrypted connections. | Critical [Azure.MariaDB.VNETRuleName](../rules/Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness +[Azure.MICassandra.AvailabilityZone](../rules/Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important [Azure.ML.ComputeIdleShutdown](../rules/Azure.ML.ComputeIdleShutdown.md) | Configure an idle shutdown timeout for Machine Learning compute instances. | Critical [Azure.ML.ComputeVnet](../rules/Azure.ML.ComputeVnet.md) | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical [Azure.ML.DisableLocalAuth](../rules/Azure.ML.DisableLocalAuth.md) | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical 
@@ -302,6 +324,7 @@ Name | Synopsis | Severity [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important [Azure.MySQL.MinTLS](../rules/Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness +[Azure.MySQL.ServerNaming](../rules/Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.MySQL.UseFlexible](../rules/Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important [Azure.MySQL.UseSSL](../rules/Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical [Azure.MySQL.ZoneRedundantHA](../rules/Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important 
@@ -330,6 +353,7 @@ Name | Synopsis | Severity [Azure.PostgreSQL.MaintenanceWindow](../rules/Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important [Azure.PostgreSQL.MinTLS](../rules/Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness +[Azure.PostgreSQL.ServerNaming](../rules/Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.PostgreSQL.UseSSL](../rules/Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical [Azure.PostgreSQL.ZoneRedundantHA](../rules/Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important [Azure.PrivateEndpoint.Name](../rules/Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness 
@@ -352,12 +376,15 @@ Name | Synopsis | Severity [Azure.Redis.FirewallRuleCount](../rules/Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness [Azure.Redis.LocalAuth](../rules/Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | Important [Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important +[Azure.Redis.MigrateAMR](../rules/Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important [Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important [Azure.Redis.MinTLS](../rules/Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical +[Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Redis.NonSslPort](../rules/Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical [Azure.Redis.PublicNetworkAccess](../rules/Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical [Azure.Redis.Version](../rules/Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important [Azure.RedisEnterprise.MinTLS](../rules/Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical +[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. 
| Awareness [Azure.RedisEnterprise.Zones](../rules/Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important [Azure.Resource.AllowedRegions](../rules/Azure.Resource.AllowedRegions.md) | The deployment location of a resource determines the country or region where metadata and data is stored and processed. | Important [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness @@ -380,6 +407,8 @@ Name | Synopsis | Severity [Azure.ServiceBus.MinTLS](../rules/Azure.ServiceBus.MinTLS.md) | Service Bus namespaces should reject TLS versions older than 1.2. | Important [Azure.ServiceBus.Usage](../rules/Azure.ServiceBus.Usage.md) | Regularly remove unused resources to reduce costs. | Important [Azure.ServiceFabric.AAD](../rules/Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical +[Azure.ServiceFabric.ManagedNaming](../rules/Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness +[Azure.ServiceFabric.Naming](../rules/Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ServiceFabric.ProtectionLevel](../rules/Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important [Azure.SignalR.ManagedIdentity](../rules/Azure.SignalR.ManagedIdentity.md) | Configure SignalR Services to use managed identities to access Azure resources securely. | Important [Azure.SignalR.Name](../rules/Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness 
@@ -389,13 +418,17 @@ Name | Synopsis | Severity [Azure.SQL.AllowAzureAccess](../rules/Azure.SQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important [Azure.SQL.Auditing](../rules/Azure.SQL.Auditing.md) | Enable auditing for Azure SQL logical server. | Important [Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness +[Azure.SQL.DBNaming](../rules/Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.SQL.DefenderCloud](../rules/Azure.SQL.DefenderCloud.md) | Enable Microsoft Defender for Azure SQL logical server. | Important +[Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness [Azure.SQL.FirewallIPRange](../rules/Azure.SQL.FirewallIPRange.md) | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important [Azure.SQL.FirewallRuleCount](../rules/Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness +[Azure.SQL.JobAgentNaming](../rules/Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.SQL.MaintenanceWindow](../rules/Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important [Azure.SQL.MinTLS](../rules/Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. 
| Critical [Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness +[Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.SQL.TDE](../rules/Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical [Azure.SQL.VAScan](../rules/Azure.SQL.VAScan.md) | SQL Databases may have configuration vulnerabilities discovered after they are deployed. | Important [Azure.SQLMI.AAD](../rules/Azure.SQLMI.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical @@ -403,6 +436,7 @@ Name | Synopsis | Severity [Azure.SQLMI.MaintenanceWindow](../rules/Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important [Azure.SQLMI.ManagedIdentity](../rules/Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important [Azure.SQLMI.Name](../rules/Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness +[Azure.SQLMI.Naming](../rules/Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Storage.BlobAccessType](../rules/Azure.Storage.BlobAccessType.md) | Use containers configured with a private access type that requires authorization. | Important [Azure.Storage.BlobPublicAccess](../rules/Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important [Azure.Storage.ContainerSoftDelete](../rules/Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important 
diff --git a/docs/en/baselines/Azure.CAF_2025_03.csv b/docs/en/baselines/Azure.CAF_2025_03.csv index 81e5e076da..0172a53a7b 100644 --- a/docs/en/baselines/Azure.CAF_2025_03.csv +++ b/docs/en/baselines/Azure.CAF_2025_03.csv @@ -1,7 +1,7 @@ "Name","Synopsis","Severity","Pillar","Maturity" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AI.FoundryNaming","Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.APIM.Name","API Management service names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.AppConfig.Name","App Configuration store names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.AppGw.Name","Application Gateways should meet naming requirements.","Awareness","Operational Excellence","-" 
@@ -10,8 +10,8 @@ "Azure.ASG.Name","Application Security Group (ASG) names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-" "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" "Azure.EventGrid.SystemTopicNaming","Event Grid system topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
@@ -49,9 +49,9 @@ "Azure.Search.Name","Azure Resource Manager (ARM) has requirements for AI Search service names.","Awareness","Operational Excellence","-" "Azure.Search.Naming","Azure AI Search services without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Storage.Name","Azure Resource Manager (ARM) has requirements for Storage Account names.","Awareness","Operational Excellence","-" "Azure.Storage.Naming","Storage Accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" diff --git a/docs/en/baselines/Azure.CAF_2025_06.csv b/docs/en/baselines/Azure.CAF_2025_06.csv index 81e5e076da..0172a53a7b 100644 --- a/docs/en/baselines/Azure.CAF_2025_06.csv +++ b/docs/en/baselines/Azure.CAF_2025_06.csv 
@@ -1,7 +1,7 @@ "Name","Synopsis","Severity","Pillar","Maturity" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AI.FoundryNaming","Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.APIM.Name","API Management service names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.AppConfig.Name","App Configuration store names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.AppGw.Name","Application Gateways should meet naming requirements.","Awareness","Operational Excellence","-" 
@@ -10,8 +10,8 @@ "Azure.ASG.Name","Application Security Group (ASG) names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-" "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" "Azure.EventGrid.SystemTopicNaming","Event Grid system topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
@@ -49,9 +49,9 @@ "Azure.Search.Name","Azure Resource Manager (ARM) has requirements for AI Search service names.","Awareness","Operational Excellence","-" "Azure.Search.Naming","Azure AI Search services without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Storage.Name","Azure Resource Manager (ARM) has requirements for Storage Account names.","Awareness","Operational Excellence","-" "Azure.Storage.Naming","Storage Accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" diff --git a/docs/en/baselines/Azure.CAF_Compatibility.csv b/docs/en/baselines/Azure.CAF_Compatibility.csv index 81e5e076da..0172a53a7b 100644 --- a/docs/en/baselines/Azure.CAF_Compatibility.csv +++ b/docs/en/baselines/Azure.CAF_Compatibility.csv 
@@ -1,7 +1,7 @@ "Name","Synopsis","Severity","Pillar","Maturity" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AI.FoundryNaming","Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.APIM.Name","API Management service names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.AppConfig.Name","App Configuration store names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.AppGw.Name","Application Gateways should meet naming requirements.","Awareness","Operational Excellence","-" 
@@ -10,8 +10,8 @@ "Azure.ASG.Name","Application Security Group (ASG) names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-" "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" "Azure.EventGrid.SystemTopicNaming","Event Grid system topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
@@ -49,9 +49,9 @@ "Azure.Search.Name","Azure Resource Manager (ARM) has requirements for AI Search service names.","Awareness","Operational Excellence","-" "Azure.Search.Naming","Azure AI Search services without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Storage.Name","Azure Resource Manager (ARM) has requirements for Storage Account names.","Awareness","Operational Excellence","-" "Azure.Storage.Naming","Storage Accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" diff --git a/docs/en/baselines/Azure.Default.csv b/docs/en/baselines/Azure.Default.csv index e55d5dbcd5..0d0d5dccd0 100644 --- a/docs/en/baselines/Azure.Default.csv +++ b/docs/en/baselines/Azure.Default.csv 
@@ -1,4 +1,5 @@ "Name","Synopsis","Severity","Pillar","Maturity" +"Azure.ACI.Naming","Container Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1" "Azure.ACR.AnonymousAccess","Anonymous pull access allows unidentified downloading of images and metadata from a container registry.","Important","Security","-" "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" 
@@ -7,11 +8,13 @@ "Azure.ACR.GeoReplica","Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start.","Important","Reliability","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.ACR.Naming","Container Registry resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" +"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4" "Azure.ADX.SLA","Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.","Important","Reliability","-" "Azure.ADX.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-" "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1" 
@@ -39,7 +42,8 @@ "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.AKS.Naming","AKS cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" 
@@ -49,8 +53,10 @@ "Azure.AKS.SecretStore","Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.","Important","Security","-" "Azure.AKS.SecretStoreRotation","Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.","Important","Security","-" "Azure.AKS.StandardLB","Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.","Important","Performance Efficiency","-" +"Azure.AKS.SystemPoolNaming","AKS system node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.AKS.UptimeSLA","AKS clusters should have Uptime SLA enabled for a financially backed SLA.","Important","Reliability","-" "Azure.AKS.UseRBAC","Deploy AKS cluster with role-based access control (RBAC) enabled.","Important","Security","-" +"Azure.AKS.UserPoolNaming","AKS user node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.AKS.Version","Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support.","Important","Reliability","-" "Azure.Alert.HighFrequencyQuery","High frequency scheduled queries are changed as a higher rate than low frequency queries.","Important","Cost Optimization","-" "Azure.Alert.MetricAutoMitigate","Alerts that require manual intervention for mitigation can lead to increased personnel time and effort.","Important","Cost Optimization","-" 
@@ -98,7 +104,7 @@ "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-" "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-" "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" -"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" +"Azure.AppGwWAF.RuleGroups","Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic.","Critical","Security","L2" "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1" "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-" "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
@@ -137,22 +143,35 @@ "Azure.ContainerApp.APIVersion","Migrate from retired API version to a supported version.","Important","Operational Excellence","-" "Azure.ContainerApp.AvailabilityZone","Use Container Apps environments that are zone redundant to improve reliability.","Important","Reliability","-" "Azure.ContainerApp.DisableAffinity","Disable session affinity to prevent unbalanced distribution.","Awareness","Performance Efficiency","-" +"Azure.ContainerApp.EnvNaming","Container App Environment resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-" "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1" +"Azure.ContainerApp.JobNaming","Container App Job resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.ContainerApp.Naming","Container App resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to 
allow action for all rules defined.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.AvailabilityZone","Use zone redundant Cosmos DB accounts in supported regions to improve reliability.","Important","Reliability","L1" +"Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-" +"Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" -"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" +"Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1" 
+"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1" +"Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1" +"Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-" "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-" +"Azure.Cosmos.TableNaming","Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-" "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-" "Azure.Databricks.SKU","Ensure Databricks workspaces are non-trial SKUs for production workloads.","Critical","Performance Efficiency","-" 
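Review bot: this hunk removes the "Azure.Cosmos.DisableLocalAuth" row and adds "Azure.Cosmos.NoSQLLocalAuth" with the same severity and level, which is a rule rename rather than an addition, so any baseline, suppression or exclusion that references the old name will silently stop matching. Confirm that the old rule ID is retained (for example as a deprecated alias) or that the rename is called out in the changelog together with the migration step. Separately, "Azure.Cosmos.AccountName" and "Azure.ContainerApp.Name" move from "-" to "L2" in the last column in this same hunk; those are changes to existing rules, not new rows, and should be listed as such.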
@@ -198,6 +217,7 @@ "Azure.EventGrid.TopicNaming","Event Grid topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" "Azure.EventGrid.TopicPublicAccess","Use Private Endpoints to access Event Grid topics and domains.","Important","Security","-" "Azure.EventGrid.TopicTLS","Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.","Critical","Security","L1" +"Azure.EventHub.AvailabilityZone","Use zone redundant Event Hub namespaces in supported regions to improve reliability.","Important","Reliability","L1" "Azure.EventHub.DisableLocalAuth","Authenticate Event Hub publishers and consumers with Entra ID identities.","Important","Security","L1" "Azure.EventHub.Firewall","Access to the namespace endpoints should be restricted to only allowed sources.","Critical","Security","-" "Azure.EventHub.MinTLS","Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.","Critical","Security","L1" 
@@ -224,6 +244,7 @@ "Azure.FrontDoorWAF.Exclusions","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.","Critical","Security","-" "Azure.FrontDoorWAF.PreventionMode","Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" "Azure.FrontDoorWAF.RuleGroups","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" +"Azure.Grafana.AvailabilityZone","Use zone redundant Grafana workspaces in supported regions to improve reliability.","Important","Reliability","L1" "Azure.Grafana.Version","Grafana workspaces should be on Grafana version 10.","Important","Reliability","-" "Azure.Group.Name","Azure Resource Manager (ARM) has requirements for Resource Groups names.","Awareness","Operational Excellence","-" "Azure.Group.Naming","Resource Groups without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
@@ -263,6 +284,7 @@ "Azure.MariaDB.ServerName","Azure Database for MariaDB servers should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.MariaDB.UseSSL","Azure Database for MariaDB servers should only accept encrypted connections.","Critical","Security","L1" "Azure.MariaDB.VNETRuleName","Azure Database for MariaDB VNET rules should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.MICassandra.AvailabilityZone","Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability.","Important","Reliability","L1" "Azure.ML.ComputeIdleShutdown","Configure an idle shutdown timeout for Machine Learning compute instances.","Critical","Cost Optimization","-" "Azure.ML.ComputeVnet","Azure Machine Learning Computes should be hosted in a virtual network (VNet).","Critical","Security","-" "Azure.ML.DisableLocalAuth","Azure Machine Learning compute resources should have local authentication methods disabled.","Critical","Security","L1" 
@@ -279,6 +301,7 @@ "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-" "Azure.MySQL.MinTLS","MySQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1" "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.MySQL.ServerNaming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.MySQL.UseFlexible","Use Azure Database for MySQL Flexible Server deployment model.","Important","Reliability","-" "Azure.MySQL.UseSSL","Enforce encrypted MySQL connections.","Critical","Security","L1" "Azure.MySQL.ZoneRedundantHA","Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-" 
@@ -307,6 +330,7 @@ "Azure.PostgreSQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers.","Important","Reliability","-" "Azure.PostgreSQL.MinTLS","PostgreSQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1" "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.PostgreSQL.ServerNaming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.PostgreSQL.UseSSL","Enforce encrypted PostgreSQL connections.","Critical","Security","L1" "Azure.PostgreSQL.ZoneRedundantHA","Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-" "Azure.PrivateEndpoint.Name","Private Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-" 
@@ -329,12 +353,15 @@ "Azure.Redis.FirewallRuleCount","Determine if there is an excessive number of firewall rules for the Redis cache.","Awareness","Security","-" "Azure.Redis.LocalAuth","Access keys allow depersonalized access to Azure Cache for Redis using a shared secret.","Important","Security","L1" "Azure.Redis.MaxMemoryReserved","Configure maxmemory-reserved to reserve memory for non-cache operations.","Important","Performance Efficiency","-" +"Azure.Redis.MigrateAMR","Azure Cache for Redis is being retired. Migrate to Azure Managed Redis.","Important","Operational Excellence","-" "Azure.Redis.MinSKU","Use Azure Cache for Redis instances of at least Standard C1.","Important","Performance Efficiency","-" "Azure.Redis.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Redis.NonSslPort","Azure Cache for Redis should only accept secure connections.","Critical","Security","L1" "Azure.Redis.PublicNetworkAccess","Redis cache should disable public network access.","Critical","Security","-" "Azure.Redis.Version","Azure Cache for Redis should use the latest supported version of Redis.","Important","Reliability","-" "Azure.RedisEnterprise.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.RedisEnterprise.Naming","Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.RedisEnterprise.Zones","Enterprise Redis cache should be zone-redundant for high availability.","Important","Reliability","-" "Azure.Resource.AllowedRegions","The deployment location of a resource determines the country or region where metadata and data is stored and processed.","Important","Security","-" 
"Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" @@ -356,6 +383,8 @@ "Azure.ServiceBus.MinTLS","Service Bus namespaces should reject TLS versions older than 1.2.","Important","Security","L1" "Azure.ServiceBus.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-" "Azure.ServiceFabric.AAD","Use Entra ID client authentication for Service Fabric clusters.","Critical","Security","L1" +"Azure.ServiceFabric.ManagedNaming","Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.ServiceFabric.Naming","Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ServiceFabric.ProtectionLevel","Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks.","Important","Security","L1" "Azure.SignalR.ManagedIdentity","Configure SignalR Services to use managed identities to access Azure resources securely.","Important","Security","L1" "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-" 
@@ -364,14 +393,18 @@ "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.SQL.DBNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" +"Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" +"Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet 
naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1" @@ -379,6 +412,7 @@ "Azure.SQLMI.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL Managed Instances.","Important","Reliability","-" "Azure.SQLMI.ManagedIdentity","Ensure managed identity is used to allow support for Azure AD authentication.","Important","Security","L1" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQLMI.Naming","SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-" "Azure.Storage.BlobPublicAccess","Storage Accounts should only accept authorized requests.","Important","Security","-" "Azure.Storage.ContainerSoftDelete","Enable container soft delete on Storage Accounts.","Important","Reliability","-" diff --git a/docs/en/baselines/Azure.Default.md b/docs/en/baselines/Azure.Default.md index 9c8463f3cd..1d81ecc3b7 100644 --- a/docs/en/baselines/Azure.Default.md +++ b/docs/en/baselines/Azure.Default.md 
@@ -10,10 +10,11 @@ Default baseline for that includes the latest rules for Azure GA features that i The following rules are included within the `Azure.Default` baseline. -This baseline includes a total of 482 rules. +This baseline includes a total of 516 rules. Name | Synopsis | Severity ---- | -------- | -------- +[Azure.ACI.Naming](../rules/Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ACR.AdminUser](../rules/Azure.ACR.AdminUser.md) | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical [Azure.ACR.AnonymousAccess](../rules/Azure.ACR.AnonymousAccess.md) | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Important [Azure.ACR.ContainerScan](../rules/Azure.ACR.ContainerScan.md) | Container images or their base images may have vulnerabilities discovered after they are built. | Critical 
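Review bot: the hunk header context reads "Default baseline for that includes the latest rules for Azure GA features", which is missing a word after "for"; it is pre-existing, but since this file is refreshed in this change (the total moves from 482 to 516 rules) the source text should be fixed so the corrected sentence lands here. The new total and the added rows should come from the same generation run as the rule index above rather than from hand edits, so that the two files cannot drift.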
@@ -23,10 +24,12 @@ Name | Synopsis | Severity [Azure.ACR.ImageHealth](../rules/Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical [Azure.ACR.MinSku](../rules/Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important [Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness +[Azure.ACR.Naming](../rules/Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ACR.ReplicaLocation](../rules/Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important [Azure.ACR.Usage](../rules/Azure.ACR.Usage.md) | Regularly remove deprecated and unneeded images to reduce storage usage. | Important [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important +[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical [Azure.ADX.SLA](../rules/Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important [Azure.ADX.Usage](../rules/Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important 
@@ -55,6 +58,7 @@ Name | Synopsis | Severity [Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important [Azure.AKS.MinUserPoolNodes](../rules/Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important [Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness +[Azure.AKS.Naming](../rules/Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important [Azure.AKS.NodeAutoUpgrade](../rules/Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important [Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important 
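Review bot: the unchanged context row for "Azure.AKS.NetworkPolicy" reads "may be permit unauthorized lateral movement", which should be "may permit unauthorized lateral movement"; it is pre-existing, but a quick fix in that rule's synopsis would clean it up here on the next regeneration.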
@@ -64,8 +68,10 @@ Name | Synopsis | Severity [Azure.AKS.SecretStore](../rules/Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important [Azure.AKS.SecretStoreRotation](../rules/Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important [Azure.AKS.StandardLB](../rules/Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important +[Azure.AKS.SystemPoolNaming](../rules/Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.AKS.UptimeSLA](../rules/Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important [Azure.AKS.UseRBAC](../rules/Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important +[Azure.AKS.UserPoolNaming](../rules/Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.AKS.Version](../rules/Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important [Azure.Alert.HighFrequencyQuery](../rules/Azure.Alert.HighFrequencyQuery.md) | High frequency scheduled queries are changed as a higher rate than low frequency queries. | Important [Azure.Alert.MetricAutoMitigate](../rules/Azure.Alert.MetricAutoMitigate.md) | Alerts that require manual intervention for mitigation can lead to increased personnel time and effort. | Important 
@@ -113,7 +119,7 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical +[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness 
@@ -152,22 +158,35 @@ Name | Synopsis | Severity [Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important [Azure.ContainerApp.AvailabilityZone](../rules/Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important [Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Awareness +[Azure.ContainerApp.EnvNaming](../rules/Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important +[Azure.ContainerApp.JobNaming](../rules/Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important [Azure.ContainerApp.MinReplicas](../rules/Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important [Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness +[Azure.ContainerApp.Naming](../rules/Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. 
| Awareness [Azure.ContainerApp.PublicAccess](../rules/Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness +[Azure.Cosmos.AvailabilityZone](../rules/Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important +[Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important +[Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical -[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. 
| Important +[Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical +[Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important +[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical +[Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness +[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical +[Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness +[Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important +[Azure.Cosmos.TableNaming](../rules/Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. 
| Awareness [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical [Azure.Databricks.SecureConnectivity](../rules/Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical [Azure.Databricks.SKU](../rules/Azure.Databricks.SKU.md) | Ensure Databricks workspaces are non-trial SKUs for production workloads. | Critical @@ -213,6 +232,7 @@ Name | Synopsis | Severity [Azure.EventGrid.TopicNaming](../rules/Azure.EventGrid.TopicNaming.md) | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important [Azure.EventGrid.TopicTLS](../rules/Azure.EventGrid.TopicTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical +[Azure.EventHub.AvailabilityZone](../rules/Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important [Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important [Azure.EventHub.Firewall](../rules/Azure.EventHub.Firewall.md) | Access to the namespace endpoints should be restricted to only allowed sources. | Critical [Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical 
@@ -239,6 +259,7 @@ Name | Synopsis | Severity [Azure.FrontDoorWAF.Exclusions](../rules/Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical [Azure.FrontDoorWAF.PreventionMode](../rules/Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.FrontDoorWAF.RuleGroups](../rules/Azure.FrontDoorWAF.RuleGroups.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical +[Azure.Grafana.AvailabilityZone](../rules/Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important [Azure.Grafana.Version](../rules/Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important [Azure.Group.Name](../rules/Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness [Azure.Group.Naming](../rules/Azure.Group.Naming.md) | Resource Groups without a standard naming convention may be difficult to identify and manage. | Awareness 
@@ -278,6 +299,7 @@ Name | Synopsis | Severity [Azure.MariaDB.ServerName](../rules/Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness [Azure.MariaDB.UseSSL](../rules/Azure.MariaDB.UseSSL.md) | Azure Database for MariaDB servers should only accept encrypted connections. | Critical [Azure.MariaDB.VNETRuleName](../rules/Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness +[Azure.MICassandra.AvailabilityZone](../rules/Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important [Azure.ML.ComputeIdleShutdown](../rules/Azure.ML.ComputeIdleShutdown.md) | Configure an idle shutdown timeout for Machine Learning compute instances. | Critical [Azure.ML.ComputeVnet](../rules/Azure.ML.ComputeVnet.md) | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical [Azure.ML.DisableLocalAuth](../rules/Azure.ML.DisableLocalAuth.md) | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical 
@@ -294,6 +316,7 @@ Name | Synopsis | Severity [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important [Azure.MySQL.MinTLS](../rules/Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness +[Azure.MySQL.ServerNaming](../rules/Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.MySQL.UseFlexible](../rules/Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important [Azure.MySQL.UseSSL](../rules/Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical [Azure.MySQL.ZoneRedundantHA](../rules/Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important 
@@ -322,6 +345,7 @@ Name | Synopsis | Severity [Azure.PostgreSQL.MaintenanceWindow](../rules/Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important [Azure.PostgreSQL.MinTLS](../rules/Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness +[Azure.PostgreSQL.ServerNaming](../rules/Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.PostgreSQL.UseSSL](../rules/Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical [Azure.PostgreSQL.ZoneRedundantHA](../rules/Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important [Azure.PrivateEndpoint.Name](../rules/Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness 
@@ -344,12 +368,15 @@ Name | Synopsis | Severity [Azure.Redis.FirewallRuleCount](../rules/Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness [Azure.Redis.LocalAuth](../rules/Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | Important [Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important +[Azure.Redis.MigrateAMR](../rules/Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important [Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important [Azure.Redis.MinTLS](../rules/Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical +[Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Redis.NonSslPort](../rules/Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical [Azure.Redis.PublicNetworkAccess](../rules/Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical [Azure.Redis.Version](../rules/Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important [Azure.RedisEnterprise.MinTLS](../rules/Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical +[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. 
| Awareness [Azure.RedisEnterprise.Zones](../rules/Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important [Azure.Resource.AllowedRegions](../rules/Azure.Resource.AllowedRegions.md) | The deployment location of a resource determines the country or region where metadata and data is stored and processed. | Important [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness @@ -371,6 +398,8 @@ Name | Synopsis | Severity [Azure.ServiceBus.MinTLS](../rules/Azure.ServiceBus.MinTLS.md) | Service Bus namespaces should reject TLS versions older than 1.2. | Important [Azure.ServiceBus.Usage](../rules/Azure.ServiceBus.Usage.md) | Regularly remove unused resources to reduce costs. | Important [Azure.ServiceFabric.AAD](../rules/Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical +[Azure.ServiceFabric.ManagedNaming](../rules/Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness +[Azure.ServiceFabric.Naming](../rules/Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ServiceFabric.ProtectionLevel](../rules/Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important [Azure.SignalR.ManagedIdentity](../rules/Azure.SignalR.ManagedIdentity.md) | Configure SignalR Services to use managed identities to access Azure resources securely. | Important [Azure.SignalR.Name](../rules/Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness 
@@ -380,13 +409,17 @@ Name | Synopsis | Severity [Azure.SQL.AllowAzureAccess](../rules/Azure.SQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important [Azure.SQL.Auditing](../rules/Azure.SQL.Auditing.md) | Enable auditing for Azure SQL logical server. | Important [Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness +[Azure.SQL.DBNaming](../rules/Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.SQL.DefenderCloud](../rules/Azure.SQL.DefenderCloud.md) | Enable Microsoft Defender for Azure SQL logical server. | Important +[Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness [Azure.SQL.FirewallIPRange](../rules/Azure.SQL.FirewallIPRange.md) | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important [Azure.SQL.FirewallRuleCount](../rules/Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness +[Azure.SQL.JobAgentNaming](../rules/Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.SQL.MaintenanceWindow](../rules/Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important [Azure.SQL.MinTLS](../rules/Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. 
| Critical [Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness +[Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.SQL.TDE](../rules/Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical [Azure.SQL.VAScan](../rules/Azure.SQL.VAScan.md) | SQL Databases may have configuration vulnerabilities discovered after they are deployed. | Important [Azure.SQLMI.AAD](../rules/Azure.SQLMI.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical @@ -394,6 +427,7 @@ Name | Synopsis | Severity [Azure.SQLMI.MaintenanceWindow](../rules/Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important [Azure.SQLMI.ManagedIdentity](../rules/Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important [Azure.SQLMI.Name](../rules/Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness +[Azure.SQLMI.Naming](../rules/Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Storage.BlobAccessType](../rules/Azure.Storage.BlobAccessType.md) | Use containers configured with a private access type that requires authorization. | Important [Azure.Storage.BlobPublicAccess](../rules/Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important [Azure.Storage.ContainerSoftDelete](../rules/Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important 
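Review bot: the new synopsis strings in the Azure.SQL hunk are inconsistent about the product name and capitalisation: `Azure.SQL.DBNaming` reads "Azure SQL database resources" while `Azure.SQL.ServerNaming` reads "Azure SQL Database server resources", and `Azure.SQL.ElasticPoolNaming` capitalises "Elastic Pool" where `Azure.SQL.JobAgentNaming` has "Elastic Job agent". Pick one form (the existing `Azure.SQL.DBName` row uses "Azure SQL Database") so the index and the rule pages it links to read consistently.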
diff --git a/docs/en/baselines/Azure.GA_2020_06.csv b/docs/en/baselines/Azure.GA_2020_06.csv index 716d32d284..f0394d1237 100644 --- a/docs/en/baselines/Azure.GA_2020_06.csv +++ b/docs/en/baselines/Azure.GA_2020_06.csv @@ -1,11 +1,11 @@ "Name","Synopsis","Severity","Pillar","Maturity" "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PoolScaleSet","Deploy AKS clusters with nodes pools based on VM scale sets.","Important","Performance Efficiency","-" 
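Review bot: the maturity change is applied selectively within this hunk: `Azure.ACR.Name` and `Azure.AKS.Name` move from "-" to "L2", but `Azure.AKS.DNSPrefix`, which is the same kind of naming-requirement rule, stays at "-". Either raise it as well or state in the PR description why it is excluded. Because this identical one-cell edit is repeated across every baseline CSV in the patch, also confirm the files were regenerated from the rule metadata rather than edited by hand, so the next regeneration does not revert them. Unrelated to this change but visible in the context lines: the `Azure.AKS.NetworkPolicy` synopsis reads "may be permit unauthorized lateral movement", which is worth fixing at source in a follow-up.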
diff --git a/docs/en/baselines/Azure.GA_2020_09.csv b/docs/en/baselines/Azure.GA_2020_09.csv index 67b92c0231..c05c90dc45 100644 --- a/docs/en/baselines/Azure.GA_2020_09.csv +++ b/docs/en/baselines/Azure.GA_2020_09.csv @@ -1,11 +1,11 @@ "Name","Synopsis","Severity","Pillar","Maturity" "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PoolScaleSet","Deploy AKS clusters with nodes pools based on VM scale sets.","Important","Performance Efficiency","-" 
diff --git a/docs/en/baselines/Azure.GA_2020_12.csv b/docs/en/baselines/Azure.GA_2020_12.csv index af6e64485c..823f7f46bf 100644 --- a/docs/en/baselines/Azure.GA_2020_12.csv +++ b/docs/en/baselines/Azure.GA_2020_12.csv 
@@ -3,13 +3,13 @@ "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.AKS.AzurePolicyAddOn","Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.","Important","Security","-" "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PoolScaleSet","Deploy AKS clusters with 
nodes pools based on VM scale sets.","Important","Performance Efficiency","-" @@ -112,13 +112,13 @@ "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-" 
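Review bot: the same consistency question applies to the SQL rows: `Azure.SQL.DBName` and `Azure.SQL.ServerName` go to "L2" while `Azure.SQL.FGName` and `Azure.SQLMI.Name` in the same hunk remain "-". If the intent is that every naming-requirement rule is L2, those two rows (and their counterparts in the other baseline files in this patch) are missing the update.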
diff --git a/docs/en/baselines/Azure.GA_2021_03.csv b/docs/en/baselines/Azure.GA_2021_03.csv index 8df454ec71..c4a8413c77 100644 --- a/docs/en/baselines/Azure.GA_2021_03.csv +++ b/docs/en/baselines/Azure.GA_2021_03.csv 
@@ -3,13 +3,13 @@ "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.AKS.AzurePolicyAddOn","Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.","Important","Security","-" "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PoolScaleSet","Deploy AKS clusters with 
nodes pools based on VM scale sets.","Important","Performance Efficiency","-" @@ -119,13 +119,13 @@ "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-" 
diff --git a/docs/en/baselines/Azure.GA_2021_06.csv b/docs/en/baselines/Azure.GA_2021_06.csv index 76be59d2ef..0dcccdf6c4 100644 --- a/docs/en/baselines/Azure.GA_2021_06.csv +++ b/docs/en/baselines/Azure.GA_2021_06.csv @@ -3,7 +3,7 @@ "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.AKS.AuthorizedIPs","Restrict access to API server endpoints to authorized IP addresses.","Important","Security","-" "Azure.AKS.AzurePolicyAddOn","Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.","Important","Security","-" 
@@ -12,7 +12,7 @@ "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PoolScaleSet","Deploy AKS clusters with nodes pools based on VM scale sets.","Important","Performance Efficiency","-" 
@@ -133,13 +133,13 @@ "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-" diff --git a/docs/en/baselines/Azure.GA_2021_09.csv b/docs/en/baselines/Azure.GA_2021_09.csv index 1857e1a33f..38fc5daa6d 100644 
--- a/docs/en/baselines/Azure.GA_2021_09.csv +++ b/docs/en/baselines/Azure.GA_2021_09.csv @@ -3,7 +3,7 @@ "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.AKS.AuditLogs","AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.","Important","Security","L1" "Azure.AKS.AuthorizedIPs","Restrict access to API server endpoints to authorized IP addresses.","Important","Security","-" 
@@ -17,7 +17,7 @@ "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-" 
@@ -65,7 +65,7 @@ "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-" "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-" "Azure.DefenderCloud.Provisioning","Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.","Important","Security","-" 
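Review bot: `Azure.Cosmos.AccountName` is raised to "L2" here but `Azure.CDN.EndpointName` three rows above, also a naming-requirement rule, keeps "-". Please align the two or note why the CDN rule is treated differently.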
@@ -145,13 +145,13 @@ "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-" diff --git a/docs/en/baselines/Azure.GA_2021_12.csv b/docs/en/baselines/Azure.GA_2021_12.csv index 8c7f0c2f5f..118ad1ca0d 100644 
--- a/docs/en/baselines/Azure.GA_2021_12.csv +++ b/docs/en/baselines/Azure.GA_2021_12.csv @@ -3,7 +3,7 @@ "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.AKS.AuditLogs","AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.","Important","Security","L1" "Azure.AKS.AuthorizedIPs","Restrict access to API server endpoints to authorized IP addresses.","Important","Security","-" 
@@ -19,7 +19,7 @@ "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-" 
@@ -73,7 +73,7 @@ "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-" "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-" "Azure.DefenderCloud.Provisioning","Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.","Important","Security","-" 
@@ -163,13 +163,13 @@ "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-" diff --git a/docs/en/baselines/Azure.GA_2022_03.csv b/docs/en/baselines/Azure.GA_2022_03.csv index 7cb76cf059..7d2de8d42f 100644 
--- a/docs/en/baselines/Azure.GA_2022_03.csv +++ b/docs/en/baselines/Azure.GA_2022_03.csv @@ -3,7 +3,7 @@ "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" 
@@ -23,7 +23,7 @@ "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-" 
@@ -78,7 +78,7 @@ "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-" "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-" "Azure.DefenderCloud.Provisioning","Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.","Important","Security","-" 
@@ -177,13 +177,13 @@ "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-" diff --git a/docs/en/baselines/Azure.GA_2022_06.csv b/docs/en/baselines/Azure.GA_2022_06.csv index fe1e661569..ec28b90a88 100644 
--- a/docs/en/baselines/Azure.GA_2022_06.csv +++ b/docs/en/baselines/Azure.GA_2022_06.csv @@ -3,7 +3,7 @@ "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" 
@@ -23,7 +23,7 @@ "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-" 
@@ -81,7 +81,7 @@ "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-" "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-" "Azure.DefenderCloud.Provisioning","Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.","Important","Security","-" 
@@ -181,13 +181,13 @@ "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-" diff --git a/docs/en/baselines/Azure.GA_2022_09.csv b/docs/en/baselines/Azure.GA_2022_09.csv index ad35c4b7ca..1cf370fc25 100644 
--- a/docs/en/baselines/Azure.GA_2022_09.csv +++ b/docs/en/baselines/Azure.GA_2022_09.csv @@ -3,7 +3,7 @@ "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" 
@@ -28,7 +28,7 @@ "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-" 
@@ -93,7 +93,7 @@ "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-" "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1" "Azure.CDN.UseFrontDoor","Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.","Important","Performance Efficiency","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-" "Azure.Defender.AppServices","Enable Microsoft Defender for App Service.","Critical","Security","-" 
@@ -209,13 +209,13 @@ "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-" diff --git a/docs/en/baselines/Azure.GA_2022_12.csv b/docs/en/baselines/Azure.GA_2022_12.csv index 10a05f7cc7..91b145b1d6 100644 
--- a/docs/en/baselines/Azure.GA_2022_12.csv +++ b/docs/en/baselines/Azure.GA_2022_12.csv @@ -3,7 +3,7 @@ "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" 
@@ -28,7 +28,7 @@ "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-" 
@@ -99,7 +99,7 @@ "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-" "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1" "Azure.CDN.UseFrontDoor","Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.","Important","Performance Efficiency","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-" "Azure.Defender.AppServices","Enable Microsoft Defender for App Service.","Critical","Security","-" 
@@ -236,13 +236,13 @@ "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-" diff --git a/docs/en/baselines/Azure.GA_2023_03.csv b/docs/en/baselines/Azure.GA_2023_03.csv index 50e6d053a0..ae02e25a61 100644 
--- a/docs/en/baselines/Azure.GA_2023_03.csv +++ b/docs/en/baselines/Azure.GA_2023_03.csv @@ -3,7 +3,7 @@ "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" 
@@ -29,7 +29,7 @@ "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-" 
@@ -103,10 +103,10 @@ "Azure.CDN.UseFrontDoor","Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.","Important","Performance Efficiency","-" "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-" "Azure.Defender.AppServices","Enable Microsoft Defender for App Service.","Critical","Security","-" 
@@ -252,13 +252,13 @@ "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1" "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1" 
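Review bot: Azure.SQL.FGName is left at `-` while the two other naming rules in this hunk, Azure.SQL.DBName and Azure.SQL.ServerName, move to `L2`; if every "should meet naming requirements" rule is meant to sit at L2, update the FGName row as well (or state in the changelog why failover group names are excluded). The same omission repeats in the matching SQL hunk of each baseline CSV below, and Azure.AppInsights.Name, also a naming rule, stays at `-` in the AppGwWAF hunks of the later baselines.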
diff --git a/docs/en/baselines/Azure.GA_2023_06.csv b/docs/en/baselines/Azure.GA_2023_06.csv index 585ba58664..b85c09df9e 100644 --- a/docs/en/baselines/Azure.GA_2023_06.csv +++ b/docs/en/baselines/Azure.GA_2023_06.csv @@ -3,7 +3,7 @@ "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" 
@@ -29,7 +29,7 @@ "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-" 
@@ -107,11 +107,11 @@ "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-" "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-" 
@@ -266,13 +266,13 @@ "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1" "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1" 
diff --git a/docs/en/baselines/Azure.GA_2023_09.csv b/docs/en/baselines/Azure.GA_2023_09.csv index 703d2a4cc6..da3391e988 100644 --- a/docs/en/baselines/Azure.GA_2023_09.csv +++ b/docs/en/baselines/Azure.GA_2023_09.csv @@ -4,7 +4,7 @@ "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" 
@@ -31,7 +31,7 @@ "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-" 
@@ -112,11 +112,11 @@ "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-" "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-" 
@@ -277,13 +277,13 @@ "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1" "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1" 
diff --git a/docs/en/baselines/Azure.GA_2023_12.csv b/docs/en/baselines/Azure.GA_2023_12.csv index 653f23ca95..c5422f29d1 100644 --- a/docs/en/baselines/Azure.GA_2023_12.csv +++ b/docs/en/baselines/Azure.GA_2023_12.csv @@ -4,7 +4,7 @@ "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" 
@@ -31,7 +31,7 @@ "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1" "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-" 
@@ -114,11 +114,11 @@ "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-" "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-" 
@@ -286,13 +286,13 @@ "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1" "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1" 
diff --git a/docs/en/baselines/Azure.GA_2024_03.csv b/docs/en/baselines/Azure.GA_2024_03.csv index 7a2a612089..ecb0fd2c9b 100644 --- a/docs/en/baselines/Azure.GA_2024_03.csv +++ b/docs/en/baselines/Azure.GA_2024_03.csv @@ -4,7 +4,7 @@ "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" 
@@ -32,7 +32,7 @@ "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-" 
@@ -83,7 +83,6 @@ "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-" "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-" "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" -"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-" "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-" "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-" 
@@ -118,11 +117,11 @@ "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-" "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-" 
@@ -295,13 +294,13 @@ "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1" "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1" 
diff --git a/docs/en/baselines/Azure.GA_2024_03.md b/docs/en/baselines/Azure.GA_2024_03.md index 7ec555d74b..8ea340d81d 100644 --- a/docs/en/baselines/Azure.GA_2024_03.md +++ b/docs/en/baselines/Azure.GA_2024_03.md @@ -15,7 +15,7 @@ Include rules released March 2024 or prior for Azure GA features. The following rules are included within the `Azure.GA_2024_03` baseline. -This baseline includes a total of 391 rules. +This baseline includes a total of 390 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -103,7 +103,6 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important diff --git a/docs/en/baselines/Azure.GA_2024_06.csv b/docs/en/baselines/Azure.GA_2024_06.csv index 33f14b72cb..857636e9bb 100644 --- a/docs/en/baselines/Azure.GA_2024_06.csv +++ b/docs/en/baselines/Azure.GA_2024_06.csv 
@@ -4,7 +4,7 @@ "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" 
@@ -32,7 +32,7 @@ "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" 
@@ -87,7 +87,6 @@ "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-" "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-" "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" -"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-" "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-" "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-" 
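Review bot: dropping the Azure.AppGwWAF.RuleGroups row from the dated GA baselines (here Azure.GA_2024_06.csv, and Azure.GA_2024_03.csv above) changes the rule set for anyone pinned to those baselines, so the changelog should call out the removal and the reason. Only Azure.GA_2024_03.md has its rule total corrected (391 to 390); Azure.GA_2024_06.md needs the same adjustment unless a later hunk covers it.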
@@ -126,15 +125,15 @@ "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" -"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1" 
"Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-" "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-" "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-" 
@@ -314,13 +313,13 @@ "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1" "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1" 
diff --git a/docs/en/baselines/Azure.GA_2024_06.md b/docs/en/baselines/Azure.GA_2024_06.md index f8bca1a7db..5a30cdf71a 100644 --- a/docs/en/baselines/Azure.GA_2024_06.md +++ b/docs/en/baselines/Azure.GA_2024_06.md @@ -15,7 +15,7 @@ Include rules released June 2024 or prior for Azure GA features. The following rules are included within the `Azure.GA_2024_06` baseline. -This baseline includes a total of 411 rules. +This baseline includes a total of 410 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -107,7 +107,6 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important 
@@ -152,9 +151,9 @@ Name | Synopsis | Severity [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical -[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical +[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical diff --git a/docs/en/baselines/Azure.GA_2024_09.csv b/docs/en/baselines/Azure.GA_2024_09.csv index b75a54929a..797a391821 100644 --- a/docs/en/baselines/Azure.GA_2024_09.csv +++ b/docs/en/baselines/Azure.GA_2024_09.csv 
@@ -4,7 +4,7 @@ "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" 
@@ -34,7 +34,7 @@ "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" 
@@ -89,7 +89,6 @@ "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-" "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-" "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" -"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-" "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-" "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-" 
@@ -130,16 +129,16 @@ "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" -"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to 
Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-" "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-" "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-" 
@@ -322,14 +321,14 @@ "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1" "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed 
Instance.","Important","Security","L1" diff --git a/docs/en/baselines/Azure.GA_2024_09.md b/docs/en/baselines/Azure.GA_2024_09.md index b3110e9207..1c8f1964e8 100644 --- a/docs/en/baselines/Azure.GA_2024_09.md +++ b/docs/en/baselines/Azure.GA_2024_09.md @@ -15,7 +15,7 @@ Include rules released September 2024 or prior for Azure GA features. The following rules are included within the `Azure.GA_2024_09` baseline. -This baseline includes a total of 428 rules. +This baseline includes a total of 427 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -109,7 +109,6 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important 
@@ -157,9 +156,9 @@ Name | Synopsis | Severity [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical -[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical +[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical diff --git a/docs/en/baselines/Azure.GA_2024_12.csv b/docs/en/baselines/Azure.GA_2024_12.csv index 1bdcae2854..1310c681f3 100644 --- a/docs/en/baselines/Azure.GA_2024_12.csv +++ b/docs/en/baselines/Azure.GA_2024_12.csv 
@@ -5,7 +5,7 @@ "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" 
@@ -35,7 +35,7 @@ "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" 
@@ -90,7 +90,6 @@ "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-" "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-" "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" -"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-" "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-" "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-" 
@@ -131,16 +130,16 @@ "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" -"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to 
Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-" "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-" "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-" 
@@ -325,14 +324,14 @@ "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1" "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed 
Instance.","Important","Security","L1" diff --git a/docs/en/baselines/Azure.GA_2024_12.md b/docs/en/baselines/Azure.GA_2024_12.md index 658d33ebc5..85212dfaaa 100644 --- a/docs/en/baselines/Azure.GA_2024_12.md +++ b/docs/en/baselines/Azure.GA_2024_12.md @@ -15,7 +15,7 @@ Include rules released December 2024 or prior for Azure GA features. The following rules are included within the `Azure.GA_2024_12` baseline. -This baseline includes a total of 431 rules. +This baseline includes a total of 430 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -110,7 +110,6 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important 
@@ -158,9 +157,9 @@ Name | Synopsis | Severity [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical -[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical +[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical diff --git a/docs/en/baselines/Azure.GA_2025_03.csv b/docs/en/baselines/Azure.GA_2025_03.csv index 55d7ae10a1..6df7727668 100644 --- a/docs/en/baselines/Azure.GA_2025_03.csv +++ b/docs/en/baselines/Azure.GA_2025_03.csv 
@@ -5,7 +5,7 @@ "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" 
@@ -35,7 +35,7 @@ "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" 
@@ -90,7 +90,6 @@ "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-" "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-" "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" -"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-" "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-" "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-" 
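Review bot: dropping `Azure.AppGwWAF.RuleGroups` from the dated `Azure.GA_2025_03` baseline changes a baseline that consumers pin to for stable results, and nothing in the visible hunks says why the rule goes away. If the rule has been removed or deprecated in the module, state that in the PR description and changelog so the baseline change is traceable; if the rule still exists and is only being retired from new baselines, it should stay in the older dated baselines and be left out of the new one instead. The same removal is applied to `Azure.GA_2025_06` and `Azure.GA_2025_09` below, so whichever answer applies, apply it to all three.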
@@ -131,16 +130,16 @@ "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" -"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to 
Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-" "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-" "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-" 
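Review bot: replacing `Azure.Cosmos.DisableLocalAuth` with `Azure.Cosmos.NoSQLLocalAuth` silently removes the old rule ID from the baseline, so any rule exclusion, suppression group or report filter that references `Azure.Cosmos.DisableLocalAuth` stops matching without any error. Keep the old ID reachable (an alias, or at least a deprecation note in the docs) or call the rename out explicitly. The synopsis also narrows from "Cosmos DB accounts" to "Cosmos DB NoSQL API accounts": if the rule's selector was narrowed to match, accounts using the other APIs that previously failed the old rule are no longer checked by this baseline, and that gap should be stated rather than left implicit. Unrelated and pre-existing, but visible in the context lines: the `Azure.Cosmos.DisableMetadataWrite` synopsis reads "management place operations" where "management plane" is meant; fix it in the rule metadata and regenerate.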
@@ -331,14 +330,14 @@ "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed 
Instance.","Critical","Security","L1" diff --git a/docs/en/baselines/Azure.GA_2025_03.md b/docs/en/baselines/Azure.GA_2025_03.md index 86a4d602c6..1dbf52c55c 100644 --- a/docs/en/baselines/Azure.GA_2025_03.md +++ b/docs/en/baselines/Azure.GA_2025_03.md @@ -15,7 +15,7 @@ Include rules released March 2025 or prior for Azure GA features. The following rules are included within the `Azure.GA_2025_03` baseline. -This baseline includes a total of 438 rules. +This baseline includes a total of 437 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -110,7 +110,6 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important 
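Review bot: in the Azure.SQL hunk above, `Azure.SQL.DBName` and `Azure.SQL.ServerName` move from "-" to "L2" while `Azure.SQL.FGName` in the same hunk stays "-", and the earlier hunks do the same for `Azure.ACR.Name`, `Azure.AKS.Name`, `Azure.ContainerApp.Name` and `Azure.Cosmos.AccountName` while `Azure.AppInsights.Name` keeps "-". Either the level is being applied to naming rules selectively or some rules were missed; please state the rule used. Every other populated L1/L2 value in the visible lines sits on a Security rule, so attaching L2 to Awareness / Operational Excellence naming rules also reads as a change in what the column means and should be explained, or split into its own PR. The `Azure.GA_2025_03.md` count change 438 -> 437 is consistent with one rule removed and one renamed.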
@@ -158,9 +157,9 @@ Name | Synopsis | Severity [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical -[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical +[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical diff --git a/docs/en/baselines/Azure.GA_2025_06.csv b/docs/en/baselines/Azure.GA_2025_06.csv index c929eff5e8..ddaade2146 100644 --- a/docs/en/baselines/Azure.GA_2025_06.csv +++ b/docs/en/baselines/Azure.GA_2025_06.csv 
@@ -5,7 +5,7 @@ "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" 
@@ -36,7 +36,7 @@ "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" 
@@ -94,7 +94,6 @@ "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-" "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-" "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" -"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1" "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-" "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
@@ -137,16 +136,16 @@ "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" -"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to 
Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-" "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-" "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-" 
@@ -359,14 +358,14 @@ "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed 
Instance.","Critical","Security","L1" diff --git a/docs/en/baselines/Azure.GA_2025_06.md b/docs/en/baselines/Azure.GA_2025_06.md index b8111e7911..ee4ed9377d 100644 --- a/docs/en/baselines/Azure.GA_2025_06.md +++ b/docs/en/baselines/Azure.GA_2025_06.md @@ -15,7 +15,7 @@ Include rules released June 2025 or prior for Azure GA features. The following rules are included within the `Azure.GA_2025_06` baseline. -This baseline includes a total of 476 rules. +This baseline includes a total of 475 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -114,7 +114,6 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness 
@@ -164,9 +163,9 @@ Name | Synopsis | Severity [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical -[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical +[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical diff --git a/docs/en/baselines/Azure.GA_2025_09.csv b/docs/en/baselines/Azure.GA_2025_09.csv index 3d9e8a2268..744bb3cf65 100644 --- a/docs/en/baselines/Azure.GA_2025_09.csv +++ b/docs/en/baselines/Azure.GA_2025_09.csv 
@@ -7,7 +7,7 @@ "Azure.ACR.GeoReplica","Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start.","Important","Reliability","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-" "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" 
@@ -39,7 +39,7 @@ "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" 
@@ -97,7 +97,6 @@ "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-" "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-" "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" -"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1" "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-" "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
@@ -140,16 +139,16 @@ "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" -"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to 
Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-" "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-" "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-" 
@@ -363,14 +362,14 @@ "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed 
Instance.","Critical","Security","L1" diff --git a/docs/en/baselines/Azure.GA_2025_09.md b/docs/en/baselines/Azure.GA_2025_09.md index 5f3afb555f..9e5ac1544f 100644 --- a/docs/en/baselines/Azure.GA_2025_09.md +++ b/docs/en/baselines/Azure.GA_2025_09.md @@ -12,7 +12,7 @@ Include rules released September 2025 or prior for Azure GA features. The following rules are included within the `Azure.GA_2025_09` baseline. -This baseline includes a total of 481 rules. +This baseline includes a total of 480 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -114,7 +114,6 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness 
@@ -164,9 +163,9 @@ Name | Synopsis | Severity [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical -[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical +[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical diff --git a/docs/en/baselines/Azure.MCSB.v1.csv b/docs/en/baselines/Azure.MCSB.v1.csv index 65ede0dc85..887441ef3e 100644 --- a/docs/en/baselines/Azure.MCSB.v1.csv +++ b/docs/en/baselines/Azure.MCSB.v1.csv 
@@ -7,6 +7,7 @@ "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" +"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4" "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1" "Azure.AI.ManagedIdentity","Configure managed identities to access Azure resources.","Important","Security","L1" "Azure.AI.PrivateEndpoints","Use Private Endpoints to access Azure AI services accounts.","Important","Security","-" 
@@ -57,8 +58,9 @@ "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" -"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" +"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1" +"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-" "Azure.Defender.Api","Enable Microsoft Defender for APIs.","Critical","Security","-" "Azure.Defender.AppServices","Enable Microsoft Defender for App Service.","Critical","Security","-" diff --git a/docs/en/baselines/Azure.MCSB.v1.md b/docs/en/baselines/Azure.MCSB.v1.md index 83b87ba2f3..3cb90a77d1 100644 --- a/docs/en/baselines/Azure.MCSB.v1.md +++ b/docs/en/baselines/Azure.MCSB.v1.md @@ -16,7 +16,7 @@ Rules for GA Azure features that align to the Microsoft Cloud Security Benchmark The following rules are included within the `Azure.MCSB.v1` baseline. -This baseline includes a total of 143 rules. +This baseline includes a total of 145 rules. Name | Synopsis | Severity ---- | -------- | -------- 
@@ -28,6 +28,7 @@ Name | Synopsis | Severity [Azure.ACR.ImageHealth](../rules/Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important +[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important [Azure.AI.ManagedIdentity](../rules/Azure.AI.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important [Azure.AI.PrivateEndpoints](../rules/Azure.AI.PrivateEndpoints.md) | Use Private Endpoints to access Azure AI services accounts. | Important 
@@ -78,8 +79,9 @@ Name | Synopsis | Severity [Azure.ContainerApp.PublicAccess](../rules/Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical -[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important +[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical +[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical [Azure.Defender.Api](../rules/Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Critical [Azure.Defender.AppServices](../rules/Azure.Defender.AppServices.md) | Enable Microsoft Defender for App Service. | Critical diff --git a/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv b/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv index 7c892adc7b..412e2a8e2e 100644 --- a/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv +++ b/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv 
@@ -1,10 +1,15 @@ "Name","Synopsis","Severity","Pillar","Maturity" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACI.Naming","Container Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.ACR.Naming","Container Registry resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.AI.FoundryNaming","Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" "Azure.AKS.ContainerInsights","Enable Container insights to monitor AKS cluster workloads.","Important","Operational Excellence","-" "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.AKS.Naming","AKS cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-" +"Azure.AKS.SystemPoolNaming","AKS system node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.AKS.UserPoolNaming","AKS user node pool resources without a standard naming convention may be difficult to 
identify and manage.","Awareness","Operational Excellence","L2" "Azure.APIM.APIDescriptors","APIs should have a display name and description.","Awareness","Operational Excellence","-" "Azure.APIM.MinAPIVersion","API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.","Important","Operational Excellence","-" "Azure.APIM.Name","API Management service names should meet naming requirements.","Awareness","Operational Excellence","-" 
@@ -22,8 +27,18 @@ "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.ContainerApp.APIVersion","Migrate from retired API version to a supported version.","Important","Operational Excellence","-" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.EnvNaming","Container App Environment resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.ContainerApp.JobNaming","Container App Job resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.ContainerApp.Naming","Container App resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational 
Excellence","L2" +"Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.TableNaming","Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-" "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" "Azure.EventGrid.SystemTopicNaming","Event Grid system topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
@@ -48,6 +63,7 @@ "Azure.MariaDB.ServerName","Azure Database for MariaDB servers should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.MariaDB.VNETRuleName","Azure Database for MariaDB VNET rules should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.MySQL.ServerNaming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.NIC.Name","Network Interface (NIC) names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.NSG.AKSRules","AKS Network Security Group (NSG) should not have custom rules.","Awareness","Operational Excellence","-" "Azure.NSG.Name","Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names.","Awareness","Operational Excellence","-" 
@@ -57,22 +73,33 @@ "Azure.Policy.Descriptors","Policy and initiative definitions should use a display name, description, and category.","Awareness","Operational Excellence","-" "Azure.Policy.ExemptionDescriptors","Policy exemptions should use a display name and description.","Awareness","Operational Excellence","-" "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.PostgreSQL.ServerNaming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.PrivateEndpoint.Name","Private Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.PublicIP.DNSLabel","Public IP domain name labels should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.PublicIP.MigrateStandard","Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.","Important","Operational Excellence","-" "Azure.PublicIP.Name","Azure Resource Manager (ARM) has requirements for Public IP address names.","Awareness","Operational Excellence","-" "Azure.PublicIP.Naming","Public IP addresses without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" +"Azure.Redis.MigrateAMR","Azure Cache for Redis is being retired. 
Migrate to Azure Managed Redis.","Important","Operational Excellence","-" +"Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.RedisEnterprise.Naming","Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" "Azure.Route.Name","Azure Resource Manager (ARM) has requirements for Route table names.","Awareness","Operational Excellence","-" "Azure.Route.Naming","Route tables without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" "Azure.RSV.Name","Recovery Services vaults should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.Search.Name","Azure Resource Manager (ARM) has requirements for AI Search service names.","Awareness","Operational Excellence","-" "Azure.Search.Naming","Azure AI Search services without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" +"Azure.ServiceFabric.ManagedNaming","Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.ServiceFabric.Naming","Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names 
should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.SQL.DBNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQLMI.Naming","SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Storage.Name","Azure Resource Manager (ARM) has requirements for Storage Account names.","Awareness","Operational Excellence","-" "Azure.Storage.Naming","Storage Accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" "Azure.Subscription.RequiredTags","Subscriptions without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
diff --git a/docs/en/baselines/Azure.Pillar.OperationalExcellence.md b/docs/en/baselines/Azure.Pillar.OperationalExcellence.md index 70c453ea4b..3fea57ffc3 100644 --- a/docs/en/baselines/Azure.Pillar.OperationalExcellence.md +++ b/docs/en/baselines/Azure.Pillar.OperationalExcellence.md 
@@ -14,16 +14,21 @@ Microsoft Azure Well-Architected Framework - Operational Excellence pillar speci The following rules are included within the `Azure.Pillar.OperationalExcellence` baseline. -This baseline includes a total of 119 rules. +This baseline includes a total of 146 rules. Name | Synopsis | Severity | Maturity ---- | -------- | -------- | -------- -[Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness | - +[Azure.ACI.Naming](../rules/Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 +[Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness | L2 +[Azure.ACR.Naming](../rules/Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 [Azure.AI.FoundryNaming](../rules/Azure.AI.FoundryNaming.md) | Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage. | Awareness | - [Azure.AKS.ContainerInsights](../rules/Azure.AKS.ContainerInsights.md) | Enable Container insights to monitor AKS cluster workloads. | Important | - [Azure.AKS.DNSPrefix](../rules/Azure.AKS.DNSPrefix.md) | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness | - -[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | - +[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | L2 +[Azure.AKS.Naming](../rules/Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | L2 [Azure.AKS.PlatformLogs](../rules/Azure.AKS.PlatformLogs.md) | AKS clusters should collect platform diagnostic logs to monitor the state of workloads. | Important | - +[Azure.AKS.SystemPoolNaming](../rules/Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 +[Azure.AKS.UserPoolNaming](../rules/Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 [Azure.APIM.APIDescriptors](../rules/Azure.APIM.APIDescriptors.md) | APIs should have a display name and description. | Awareness | - [Azure.APIM.MinAPIVersion](../rules/Azure.APIM.MinAPIVersion.md) | API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. | Important | - [Azure.APIM.Name](../rules/Azure.APIM.Name.md) | API Management service names should meet naming requirements. | Awareness | - 
@@ -41,8 +46,18 @@ Name | Synopsis | Severity | Maturity [Azure.Bastion.Name](../rules/Azure.Bastion.Name.md) | Bastion hosts should meet naming requirements. | Awareness | - [Azure.CDN.EndpointName](../rules/Azure.CDN.EndpointName.md) | Azure CDN Endpoint names should meet naming requirements. | Awareness | - [Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important | - -[Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | - -[Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | - +[Azure.ContainerApp.EnvNaming](../rules/Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 +[Azure.ContainerApp.JobNaming](../rules/Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 +[Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | L2 +[Azure.ContainerApp.Naming](../rules/Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 +[Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | L2 +[Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | L2 +[Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 +[Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 +[Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 +[Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 +[Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 +[Azure.Cosmos.TableNaming](../rules/Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 [Azure.Deployment.Name](../rules/Azure.Deployment.Name.md) | Nested deployments should meet naming requirements of deployments. | Awareness | - [Azure.EventGrid.DomainNaming](../rules/Azure.EventGrid.DomainNaming.md) | Event Grid domains without a standard naming convention may be difficult to identify and manage. | Awareness | - [Azure.EventGrid.SystemTopicNaming](../rules/Azure.EventGrid.SystemTopicNaming.md) | Event Grid system topics without a standard naming convention may be difficult to identify and manage. | Awareness | - 
@@ -67,6 +82,7 @@ Name | Synopsis | Severity | Maturity [Azure.MariaDB.ServerName](../rules/Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness | - [Azure.MariaDB.VNETRuleName](../rules/Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness | - [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | - +[Azure.MySQL.ServerNaming](../rules/Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 [Azure.NIC.Name](../rules/Azure.NIC.Name.md) | Network Interface (NIC) names should meet naming requirements. | Awareness | - [Azure.NSG.AKSRules](../rules/Azure.NSG.AKSRules.md) | AKS Network Security Group (NSG) should not have custom rules. | Awareness | - [Azure.NSG.Name](../rules/Azure.NSG.Name.md) | Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names. | Awareness | - 
@@ -76,22 +92,33 @@ Name | Synopsis | Severity | Maturity [Azure.Policy.Descriptors](../rules/Azure.Policy.Descriptors.md) | Policy and initiative definitions should use a display name, description, and category. | Awareness | - [Azure.Policy.ExemptionDescriptors](../rules/Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | - [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | - +[Azure.PostgreSQL.ServerNaming](../rules/Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 [Azure.PrivateEndpoint.Name](../rules/Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness | - [Azure.PublicIP.DNSLabel](../rules/Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness | - [Azure.PublicIP.MigrateStandard](../rules/Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | Important | - [Azure.PublicIP.Name](../rules/Azure.PublicIP.Name.md) | Azure Resource Manager (ARM) has requirements for Public IP address names. | Awareness | - [Azure.PublicIP.Naming](../rules/Azure.PublicIP.Naming.md) | Public IP addresses without a standard naming convention may be difficult to identify and manage. | Awareness | - +[Azure.Redis.MigrateAMR](../rules/Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important | - +[Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | L2 +[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | - [Azure.Route.Name](../rules/Azure.Route.Name.md) | Azure Resource Manager (ARM) has requirements for Route table names. | Awareness | - [Azure.Route.Naming](../rules/Azure.Route.Naming.md) | Route tables without a standard naming convention may be difficult to identify and manage. | Awareness | - [Azure.RSV.Name](../rules/Azure.RSV.Name.md) | Recovery Services vaults should meet naming requirements. | Awareness | - [Azure.Search.Name](../rules/Azure.Search.Name.md) | Azure Resource Manager (ARM) has requirements for AI Search service names. | Awareness | - [Azure.Search.Naming](../rules/Azure.Search.Naming.md) | Azure AI Search services without a standard naming convention may be difficult to identify and manage. | Awareness | - +[Azure.ServiceFabric.ManagedNaming](../rules/Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 +[Azure.ServiceFabric.Naming](../rules/Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 [Azure.SignalR.Name](../rules/Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness | - -[Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness | - +[Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. 
| Awareness | L2 +[Azure.SQL.DBNaming](../rules/Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 +[Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness | - -[Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | - +[Azure.SQL.JobAgentNaming](../rules/Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 +[Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | L2 +[Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 [Azure.SQLMI.Name](../rules/Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | - +[Azure.SQLMI.Naming](../rules/Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2 [Azure.Storage.Name](../rules/Azure.Storage.Name.md) | Azure Resource Manager (ARM) has requirements for Storage Account names. | Awareness | - [Azure.Storage.Naming](../rules/Azure.Storage.Naming.md) | Storage Accounts without a standard naming convention may be difficult to identify and manage. 
| Awareness | - [Azure.Subscription.RequiredTags](../rules/Azure.Subscription.RequiredTags.md) | Subscriptions without a standard tagging convention may be difficult to identify and manage. | Awareness | - diff --git a/docs/en/baselines/Azure.Pillar.Reliability.csv b/docs/en/baselines/Azure.Pillar.Reliability.csv index 7c2172b95d..ecae6941a3 100644 --- a/docs/en/baselines/Azure.Pillar.Reliability.csv +++ b/docs/en/baselines/Azure.Pillar.Reliability.csv 
@@ -30,15 +30,19 @@ "Azure.ContainerApp.AvailabilityZone","Use Container Apps environments that are zone redundant to improve reliability.","Important","Reliability","-" "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" +"Azure.Cosmos.AvailabilityZone","Use zone redundant Cosmos DB accounts in supported regions to improve reliability.","Important","Reliability","L1" "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-" +"Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1" "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-" "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-" "Azure.EntraDS.MinReplicas","Applications or infrastructure relying on a managed domain may fail if the domain is not available.","Important","Reliability","-" "Azure.EntraDS.SKU","The default SKU for Microsoft Entra Domain Services supports resiliency in a single region.","Important","Reliability","-" +"Azure.EventHub.AvailabilityZone","Use zone redundant Event Hub namespaces in supported regions to improve reliability.","Important","Reliability","L1" "Azure.Firewall.AvailabilityZone","Deploy firewall instances using availability zones in supported regions to ensure high availability and resilience.","Important","Reliability","-" "Azure.FrontDoor.Probe","Use health probes to check the health of each backend.","Important","Reliability","-" "Azure.FrontDoor.ProbeMethod","Configure health probes to use HEAD requests to reduce performance overhead.","Important","Reliability","-" "Azure.FrontDoor.ProbePath","Configure a dedicated 
path for health probe requests.","Important","Reliability","-" +"Azure.Grafana.AvailabilityZone","Use zone redundant Grafana workspaces in supported regions to improve reliability.","Important","Reliability","L1" "Azure.Grafana.Version","Grafana workspaces should be on Grafana version 10.","Important","Reliability","-" "Azure.KeyVault.PurgeProtect","Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.","Important","Reliability","-" "Azure.KeyVault.SoftDelete","Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.","Important","Reliability","-" @@ -47,6 +51,7 @@ "Azure.LB.StandardSKU","Load balancers should be deployed with Standard SKU for production workloads.","Important","Reliability","-" "Azure.Log.Replication","Log Analytics workspaces should have workspace replication enabled to improve service availability.","Important","Reliability","-" "Azure.MariaDB.GeoRedundantBackup","Azure Database for MariaDB should store backups in a geo-redundant storage.","Important","Reliability","-" +"Azure.MICassandra.AvailabilityZone","Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability.","Important","Reliability","L1" "Azure.Monitor.ServiceHealth","Configure Service Health alerts to notify administrators.","Important","Reliability","-" "Azure.MySQL.GeoRedundantBackup","Azure Database for MySQL should store backups in a geo-redundant storage.","Important","Reliability","-" "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-" diff --git a/docs/en/baselines/Azure.Pillar.Reliability.md b/docs/en/baselines/Azure.Pillar.Reliability.md index 0c2e09c056..a4d926f1b4 100644 --- a/docs/en/baselines/Azure.Pillar.Reliability.md +++ b/docs/en/baselines/Azure.Pillar.Reliability.md 
@@ -14,7 +14,7 @@ Microsoft Azure Well-Architected Framework - Reliability pillar specific baselin The following rules are included within the `Azure.Pillar.Reliability` baseline. -This baseline includes a total of 96 rules. +This baseline includes a total of 101 rules. Name | Synopsis | Severity | Maturity ---- | -------- | -------- | -------- 
@@ -49,15 +49,19 @@ Name | Synopsis | Severity | Maturity [Azure.ContainerApp.AvailabilityZone](../rules/Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important | - [Azure.ContainerApp.MinReplicas](../rules/Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | - [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | - +[Azure.Cosmos.AvailabilityZone](../rules/Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | L1 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important | - +[Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | L1 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important | - [Azure.DataFactory.Version](../rules/Azure.DataFactory.Version.md) | Consider migrating to DataFactory v2. | Awareness | - [Azure.EntraDS.MinReplicas](../rules/Azure.EntraDS.MinReplicas.md) | Applications or infrastructure relying on a managed domain may fail if the domain is not available. | Important | - [Azure.EntraDS.SKU](../rules/Azure.EntraDS.SKU.md) | The default SKU for Microsoft Entra Domain Services supports resiliency in a single region. | Important | - +[Azure.EventHub.AvailabilityZone](../rules/Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. 
| Important | L1 [Azure.Firewall.AvailabilityZone](../rules/Azure.Firewall.AvailabilityZone.md) | Deploy firewall instances using availability zones in supported regions to ensure high availability and resilience. | Important | - [Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important | - [Azure.FrontDoor.ProbeMethod](../rules/Azure.FrontDoor.ProbeMethod.md) | Configure health probes to use HEAD requests to reduce performance overhead. | Important | - [Azure.FrontDoor.ProbePath](../rules/Azure.FrontDoor.ProbePath.md) | Configure a dedicated path for health probe requests. | Important | - +[Azure.Grafana.AvailabilityZone](../rules/Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | L1 [Azure.Grafana.Version](../rules/Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important | - [Azure.KeyVault.PurgeProtect](../rules/Azure.KeyVault.PurgeProtect.md) | Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. | Important | - [Azure.KeyVault.SoftDelete](../rules/Azure.KeyVault.SoftDelete.md) | Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. | Important | - 
@@ -66,6 +70,7 @@ Name | Synopsis | Severity | Maturity [Azure.LB.StandardSKU](../rules/Azure.LB.StandardSKU.md) | Load balancers should be deployed with Standard SKU for production workloads. | Important | - [Azure.Log.Replication](../rules/Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | - [Azure.MariaDB.GeoRedundantBackup](../rules/Azure.MariaDB.GeoRedundantBackup.md) | Azure Database for MariaDB should store backups in a geo-redundant storage. | Important | - +[Azure.MICassandra.AvailabilityZone](../rules/Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | L1 [Azure.Monitor.ServiceHealth](../rules/Azure.Monitor.ServiceHealth.md) | Configure Service Health alerts to notify administrators. | Important | - [Azure.MySQL.GeoRedundantBackup](../rules/Azure.MySQL.GeoRedundantBackup.md) | Azure Database for MySQL should store backups in a geo-redundant storage. | Important | - [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important | - diff --git a/docs/en/baselines/Azure.Pillar.Security.L1.csv b/docs/en/baselines/Azure.Pillar.Security.L1.csv index 6a7ea459dd..ab2c9b65e6 100644 --- a/docs/en/baselines/Azure.Pillar.Security.L1.csv +++ b/docs/en/baselines/Azure.Pillar.Security.L1.csv 
@@ -28,8 +28,9 @@ "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1" "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" -"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1" +"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1" "Azure.EntraDS.NTLM","Disable NTLM v1 for Microsoft Entra Domain Services.","Critical","Security","L1" "Azure.EntraDS.RC4","Disable RC4 encryption for Microsoft Entra Domain Services.","Critical","Security","L1" "Azure.EntraDS.TLS","Disable TLS v1 for Microsoft Entra Domain Services.","Critical","Security","L1" diff --git a/docs/en/baselines/Azure.Pillar.Security.L1.md b/docs/en/baselines/Azure.Pillar.Security.L1.md index 02a3a765ad..5e807a3a4f 100644 --- a/docs/en/baselines/Azure.Pillar.Security.L1.md +++ b/docs/en/baselines/Azure.Pillar.Security.L1.md @@ -16,7 +16,7 @@ Microsoft Azure Well-Architected Framework - Security pillar Level 1 maturity ba The following rules are included within the `Azure.Pillar.Security.L1` baseline. -This baseline includes a total of 84 rules. +This baseline includes a total of 85 rules. Name | Synopsis | Severity | Maturity ---- | -------- | -------- | -------- 
@@ -49,8 +49,9 @@ Name | Synopsis | Severity | Maturity [Azure.CDN.MinTLS](../rules/Azure.CDN.MinTLS.md) | Azure CDN endpoints should reject TLS versions older than 1.2. | Important | L1 [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important | L1 [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | L1 -[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | L1 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | L1 +[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | L1 +[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical | L1 [Azure.EntraDS.NTLM](../rules/Azure.EntraDS.NTLM.md) | Disable NTLM v1 for Microsoft Entra Domain Services. | Critical | L1 [Azure.EntraDS.RC4](../rules/Azure.EntraDS.RC4.md) | Disable RC4 encryption for Microsoft Entra Domain Services. | Critical | L1 [Azure.EntraDS.TLS](../rules/Azure.EntraDS.TLS.md) | Disable TLS v1 for Microsoft Entra Domain Services. | Critical | L1 diff --git a/docs/en/baselines/Azure.Pillar.Security.csv b/docs/en/baselines/Azure.Pillar.Security.csv index 7eb3b5e715..32d9a331ed 100644 --- a/docs/en/baselines/Azure.Pillar.Security.csv +++ b/docs/en/baselines/Azure.Pillar.Security.csv 
@@ -8,6 +8,7 @@ "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" +"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4" "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1" "Azure.AI.ManagedIdentity","Configure managed identities to access Azure resources.","Important","Security","L1" "Azure.AI.PrivateEndpoints","Use Private Endpoints to access Azure AI services accounts.","Important","Security","-" 
@@ -53,7 +54,7 @@ "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-" "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-" "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" -"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" +"Azure.AppGwWAF.RuleGroups","Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic.","Critical","Security","L2" "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1" "Azure.AppService.ManagedIdentity","Configure managed identities to access Azure resources.","Important","Security","L1" "Azure.AppService.MinTLS","App Service should not accept weak or deprecated transport protocols for client-server communication.","Critical","Security","L1" 
@@ -76,9 +77,10 @@ "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" -"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1" +"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-" "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-" "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-" diff --git a/docs/en/baselines/Azure.Pillar.Security.md b/docs/en/baselines/Azure.Pillar.Security.md index 530260453f..1cee0f9c42 100644 --- a/docs/en/baselines/Azure.Pillar.Security.md +++ b/docs/en/baselines/Azure.Pillar.Security.md 
@@ -14,7 +14,7 @@ Microsoft Azure Well-Architected Framework - Security pillar specific baseline. The following rules are included within the `Azure.Pillar.Security` baseline. -This baseline includes a total of 230 rules. +This baseline includes a total of 232 rules. Name | Synopsis | Severity | Maturity ---- | -------- | -------- | -------- @@ -27,6 +27,7 @@ Name | Synopsis | Severity | Maturity [Azure.ACR.ReplicaLocation](../rules/Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important | - [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important | L1 [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important | L1 +[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | L4 [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important | L1 [Azure.AI.ManagedIdentity](../rules/Azure.AI.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important | L1 [Azure.AI.PrivateEndpoints](../rules/Azure.AI.PrivateEndpoints.md) | Use Private Endpoints to access Azure AI services accounts. | Important | - 
@@ -72,7 +73,7 @@ Name | Synopsis | Severity | Maturity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | - [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | - [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | - -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | - +[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | L2 [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical | L1 [Azure.AppService.ManagedIdentity](../rules/Azure.AppService.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important | L1 [Azure.AppService.MinTLS](../rules/Azure.AppService.MinTLS.md) | App Service should not accept weak or deprecated transport protocols for client-server communication. | Critical | L1 
@@ -95,9 +96,10 @@ Name | Synopsis | Severity | Maturity [Azure.ContainerApp.PublicAccess](../rules/Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important | - [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | - [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | - -[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | L1 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | - [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | L1 +[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | L1 +[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical | L1 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical | - [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical | - [Azure.Databricks.SecureConnectivity](../rules/Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical | - diff --git a/docs/en/baselines/Azure.Preview.csv b/docs/en/baselines/Azure.Preview.csv index d8b6801ed8..bc5584be63 100644 
--- a/docs/en/baselines/Azure.Preview.csv +++ b/docs/en/baselines/Azure.Preview.csv @@ -1,4 +1,5 @@ "Name","Synopsis","Severity","Pillar","Maturity" +"Azure.ACI.Naming","Container Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1" "Azure.ACR.AnonymousAccess","Anonymous pull access allows unidentified downloading of images and metadata from a container registry.","Important","Security","-" "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" 
@@ -7,7 +8,8 @@ "Azure.ACR.GeoReplica","Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start.","Important","Reliability","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.ACR.Naming","Container Registry resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ACR.Quarantine","Enable container image quarantine, scan, and mark images as verified.","Important","Security","-" "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-" "Azure.ACR.Retention","Use a retention policy to cleanup untagged manifests.","Important","Cost Optimization","-" 
@@ -15,6 +17,7 @@ "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" +"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4" "Azure.ADX.SLA","Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.","Important","Reliability","-" "Azure.ADX.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-" "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1" 
@@ -42,7 +45,8 @@ "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.AKS.Naming","AKS cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" 
@@ -52,8 +56,10 @@ "Azure.AKS.SecretStore","Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.","Important","Security","-" "Azure.AKS.SecretStoreRotation","Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.","Important","Security","-" "Azure.AKS.StandardLB","Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.","Important","Performance Efficiency","-" +"Azure.AKS.SystemPoolNaming","AKS system node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.AKS.UptimeSLA","AKS clusters should have Uptime SLA enabled for a financially backed SLA.","Important","Reliability","-" "Azure.AKS.UseRBAC","Deploy AKS cluster with role-based access control (RBAC) enabled.","Important","Security","-" +"Azure.AKS.UserPoolNaming","AKS user node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.AKS.Version","Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support.","Important","Reliability","-" "Azure.Alert.HighFrequencyQuery","High frequency scheduled queries are changed as a higher rate than low frequency queries.","Important","Cost Optimization","-" "Azure.Alert.MetricAutoMitigate","Alerts that require manual intervention for mitigation can lead to increased personnel time and effort.","Important","Cost Optimization","-" 
@@ -101,7 +107,7 @@ "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-" "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-" "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" -"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" +"Azure.AppGwWAF.RuleGroups","Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic.","Critical","Security","L2" "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1" "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-" "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
@@ -142,22 +148,35 @@ "Azure.ContainerApp.APIVersion","Migrate from retired API version to a supported version.","Important","Operational Excellence","-" "Azure.ContainerApp.AvailabilityZone","Use Container Apps environments that are zone redundant to improve reliability.","Important","Reliability","-" "Azure.ContainerApp.DisableAffinity","Disable session affinity to prevent unbalanced distribution.","Awareness","Performance Efficiency","-" +"Azure.ContainerApp.EnvNaming","Container App Environment resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-" "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1" +"Azure.ContainerApp.JobNaming","Container App Job resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1" "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-" -"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.ContainerApp.Naming","Container App resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to 
allow action for all rules defined.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.AvailabilityZone","Use zone redundant Cosmos DB accounts in supported regions to improve reliability.","Important","Reliability","L1" +"Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-" +"Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-" -"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1" "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" +"Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1" 
+"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1" +"Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1" +"Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-" "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-" +"Azure.Cosmos.TableNaming","Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-" "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-" "Azure.Databricks.SKU","Ensure Databricks workspaces are non-trial SKUs for production workloads.","Critical","Performance Efficiency","-" 
@@ -204,6 +223,7 @@ "Azure.EventGrid.TopicNaming","Event Grid topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" "Azure.EventGrid.TopicPublicAccess","Use Private Endpoints to access Event Grid topics and domains.","Important","Security","-" "Azure.EventGrid.TopicTLS","Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.","Critical","Security","L1" +"Azure.EventHub.AvailabilityZone","Use zone redundant Event Hub namespaces in supported regions to improve reliability.","Important","Reliability","L1" "Azure.EventHub.DisableLocalAuth","Authenticate Event Hub publishers and consumers with Entra ID identities.","Important","Security","L1" "Azure.EventHub.Firewall","Access to the namespace endpoints should be restricted to only allowed sources.","Critical","Security","-" "Azure.EventHub.MinTLS","Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.","Critical","Security","L1" 
@@ -230,6 +250,7 @@ "Azure.FrontDoorWAF.Exclusions","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.","Critical","Security","-" "Azure.FrontDoorWAF.PreventionMode","Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" "Azure.FrontDoorWAF.RuleGroups","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" +"Azure.Grafana.AvailabilityZone","Use zone redundant Grafana workspaces in supported regions to improve reliability.","Important","Reliability","L1" "Azure.Grafana.Version","Grafana workspaces should be on Grafana version 10.","Important","Reliability","-" "Azure.Group.Name","Azure Resource Manager (ARM) has requirements for Resource Groups names.","Awareness","Operational Excellence","-" "Azure.Group.Naming","Resource Groups without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
@@ -269,6 +290,7 @@ "Azure.MariaDB.ServerName","Azure Database for MariaDB servers should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.MariaDB.UseSSL","Azure Database for MariaDB servers should only accept encrypted connections.","Critical","Security","L1" "Azure.MariaDB.VNETRuleName","Azure Database for MariaDB VNET rules should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.MICassandra.AvailabilityZone","Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability.","Important","Reliability","L1" "Azure.ML.ComputeIdleShutdown","Configure an idle shutdown timeout for Machine Learning compute instances.","Critical","Cost Optimization","-" "Azure.ML.ComputeVnet","Azure Machine Learning Computes should be hosted in a virtual network (VNet).","Critical","Security","-" "Azure.ML.DisableLocalAuth","Azure Machine Learning compute resources should have local authentication methods disabled.","Critical","Security","L1" 
@@ -285,6 +307,7 @@ "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-" "Azure.MySQL.MinTLS","MySQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1" "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.MySQL.ServerNaming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.MySQL.UseFlexible","Use Azure Database for MySQL Flexible Server deployment model.","Important","Reliability","-" "Azure.MySQL.UseSSL","Enforce encrypted MySQL connections.","Critical","Security","L1" "Azure.MySQL.ZoneRedundantHA","Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-" 
@@ -313,6 +336,7 @@ "Azure.PostgreSQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers.","Important","Reliability","-" "Azure.PostgreSQL.MinTLS","PostgreSQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1" "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.PostgreSQL.ServerNaming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.PostgreSQL.UseSSL","Enforce encrypted PostgreSQL connections.","Critical","Security","L1" "Azure.PostgreSQL.ZoneRedundantHA","Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-" "Azure.PrivateEndpoint.Name","Private Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-" 
@@ -335,12 +359,15 @@ "Azure.Redis.FirewallRuleCount","Determine if there is an excessive number of firewall rules for the Redis cache.","Awareness","Security","-" "Azure.Redis.LocalAuth","Access keys allow depersonalized access to Azure Cache for Redis using a shared secret.","Important","Security","L1" "Azure.Redis.MaxMemoryReserved","Configure maxmemory-reserved to reserve memory for non-cache operations.","Important","Performance Efficiency","-" +"Azure.Redis.MigrateAMR","Azure Cache for Redis is being retired. Migrate to Azure Managed Redis.","Important","Operational Excellence","-" "Azure.Redis.MinSKU","Use Azure Cache for Redis instances of at least Standard C1.","Important","Performance Efficiency","-" "Azure.Redis.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Redis.NonSslPort","Azure Cache for Redis should only accept secure connections.","Critical","Security","L1" "Azure.Redis.PublicNetworkAccess","Redis cache should disable public network access.","Critical","Security","-" "Azure.Redis.Version","Azure Cache for Redis should use the latest supported version of Redis.","Important","Reliability","-" "Azure.RedisEnterprise.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.RedisEnterprise.Naming","Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.RedisEnterprise.Zones","Enterprise Redis cache should be zone-redundant for high availability.","Important","Reliability","-" "Azure.Resource.AllowedRegions","The deployment location of a resource determines the country or region where metadata and data is stored and processed.","Important","Security","-" 
"Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" @@ -363,6 +390,8 @@ "Azure.ServiceBus.MinTLS","Service Bus namespaces should reject TLS versions older than 1.2.","Important","Security","L1" "Azure.ServiceBus.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-" "Azure.ServiceFabric.AAD","Use Entra ID client authentication for Service Fabric clusters.","Critical","Security","L1" +"Azure.ServiceFabric.ManagedNaming","Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" +"Azure.ServiceFabric.Naming","Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ServiceFabric.ProtectionLevel","Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks.","Important","Security","L1" "Azure.SignalR.ManagedIdentity","Configure SignalR Services to use managed identities to access Azure resources securely.","Important","Security","L1" "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-" 
@@ -371,14 +400,18 @@ "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1" "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-" "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-" -"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.SQL.DBNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-" +"Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-" "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-" +"Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet 
naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1" @@ -386,6 +419,7 @@ "Azure.SQLMI.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL Managed Instances.","Important","Reliability","-" "Azure.SQLMI.ManagedIdentity","Ensure managed identity is used to allow support for Azure AD authentication.","Important","Security","L1" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQLMI.Naming","SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-" "Azure.Storage.BlobPublicAccess","Storage Accounts should only accept authorized requests.","Important","Security","-" "Azure.Storage.ContainerSoftDelete","Enable container soft delete on Storage Accounts.","Important","Reliability","-" diff --git a/docs/en/baselines/Azure.Preview.md b/docs/en/baselines/Azure.Preview.md index dc28401935..3de89c19d4 100644 --- a/docs/en/baselines/Azure.Preview.md +++ b/docs/en/baselines/Azure.Preview.md 
@@ -10,10 +10,11 @@ Includes the latest rules for Azure GA and preview features that is updated each The following rules are included within the `Azure.Preview` baseline. -This baseline includes a total of 490 rules. +This baseline includes a total of 524 rules. Name | Synopsis | Severity ---- | -------- | -------- +[Azure.ACI.Naming](../rules/Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ACR.AdminUser](../rules/Azure.ACR.AdminUser.md) | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical [Azure.ACR.AnonymousAccess](../rules/Azure.ACR.AnonymousAccess.md) | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Important [Azure.ACR.ContainerScan](../rules/Azure.ACR.ContainerScan.md) | Container images or their base images may have vulnerabilities discovered after they are built. | Critical 
@@ -23,6 +24,7 @@ Name | Synopsis | Severity [Azure.ACR.ImageHealth](../rules/Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical [Azure.ACR.MinSku](../rules/Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important [Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness +[Azure.ACR.Naming](../rules/Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important [Azure.ACR.ReplicaLocation](../rules/Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important 
@@ -30,6 +32,7 @@ Name | Synopsis | Severity [Azure.ACR.Usage](../rules/Azure.ACR.Usage.md) | Regularly remove deprecated and unneeded images to reduce storage usage. | Important [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important +[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical [Azure.ADX.SLA](../rules/Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important [Azure.ADX.Usage](../rules/Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important 
@@ -58,6 +61,7 @@ Name | Synopsis | Severity [Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important [Azure.AKS.MinUserPoolNodes](../rules/Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important [Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness +[Azure.AKS.Naming](../rules/Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important [Azure.AKS.NodeAutoUpgrade](../rules/Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important [Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important 
@@ -67,8 +71,10 @@ Name | Synopsis | Severity [Azure.AKS.SecretStore](../rules/Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important [Azure.AKS.SecretStoreRotation](../rules/Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important [Azure.AKS.StandardLB](../rules/Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important +[Azure.AKS.SystemPoolNaming](../rules/Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.AKS.UptimeSLA](../rules/Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important [Azure.AKS.UseRBAC](../rules/Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important +[Azure.AKS.UserPoolNaming](../rules/Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.AKS.Version](../rules/Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important [Azure.Alert.HighFrequencyQuery](../rules/Azure.Alert.HighFrequencyQuery.md) | High frequency scheduled queries are changed as a higher rate than low frequency queries. | Important [Azure.Alert.MetricAutoMitigate](../rules/Azure.Alert.MetricAutoMitigate.md) | Alerts that require manual intervention for mitigation can lead to increased personnel time and effort. | Important 
@@ -116,7 +122,7 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical +[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness 
@@ -157,22 +163,35 @@ Name | Synopsis | Severity [Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important [Azure.ContainerApp.AvailabilityZone](../rules/Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important [Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Awareness +[Azure.ContainerApp.EnvNaming](../rules/Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important +[Azure.ContainerApp.JobNaming](../rules/Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important [Azure.ContainerApp.MinReplicas](../rules/Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important [Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness +[Azure.ContainerApp.Naming](../rules/Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. 
| Awareness [Azure.ContainerApp.PublicAccess](../rules/Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness +[Azure.Cosmos.AvailabilityZone](../rules/Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important +[Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important +[Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical -[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. 
| Important +[Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical +[Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important +[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical +[Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness +[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical +[Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness +[Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important +[Azure.Cosmos.TableNaming](../rules/Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. 
| Awareness [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical [Azure.Databricks.SecureConnectivity](../rules/Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical [Azure.Databricks.SKU](../rules/Azure.Databricks.SKU.md) | Ensure Databricks workspaces are non-trial SKUs for production workloads. | Critical @@ -219,6 +238,7 @@ Name | Synopsis | Severity [Azure.EventGrid.TopicNaming](../rules/Azure.EventGrid.TopicNaming.md) | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important [Azure.EventGrid.TopicTLS](../rules/Azure.EventGrid.TopicTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical +[Azure.EventHub.AvailabilityZone](../rules/Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important [Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important [Azure.EventHub.Firewall](../rules/Azure.EventHub.Firewall.md) | Access to the namespace endpoints should be restricted to only allowed sources. | Critical [Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical 
@@ -245,6 +265,7 @@ Name | Synopsis | Severity [Azure.FrontDoorWAF.Exclusions](../rules/Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical [Azure.FrontDoorWAF.PreventionMode](../rules/Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.FrontDoorWAF.RuleGroups](../rules/Azure.FrontDoorWAF.RuleGroups.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical +[Azure.Grafana.AvailabilityZone](../rules/Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important [Azure.Grafana.Version](../rules/Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important [Azure.Group.Name](../rules/Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness [Azure.Group.Naming](../rules/Azure.Group.Naming.md) | Resource Groups without a standard naming convention may be difficult to identify and manage. | Awareness 
@@ -284,6 +305,7 @@ Name | Synopsis | Severity [Azure.MariaDB.ServerName](../rules/Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness [Azure.MariaDB.UseSSL](../rules/Azure.MariaDB.UseSSL.md) | Azure Database for MariaDB servers should only accept encrypted connections. | Critical [Azure.MariaDB.VNETRuleName](../rules/Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness +[Azure.MICassandra.AvailabilityZone](../rules/Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important [Azure.ML.ComputeIdleShutdown](../rules/Azure.ML.ComputeIdleShutdown.md) | Configure an idle shutdown timeout for Machine Learning compute instances. | Critical [Azure.ML.ComputeVnet](../rules/Azure.ML.ComputeVnet.md) | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical [Azure.ML.DisableLocalAuth](../rules/Azure.ML.DisableLocalAuth.md) | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical 
@@ -300,6 +322,7 @@ Name | Synopsis | Severity [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important [Azure.MySQL.MinTLS](../rules/Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness +[Azure.MySQL.ServerNaming](../rules/Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.MySQL.UseFlexible](../rules/Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important [Azure.MySQL.UseSSL](../rules/Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical [Azure.MySQL.ZoneRedundantHA](../rules/Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important 
@@ -328,6 +351,7 @@ Name | Synopsis | Severity [Azure.PostgreSQL.MaintenanceWindow](../rules/Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important [Azure.PostgreSQL.MinTLS](../rules/Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness +[Azure.PostgreSQL.ServerNaming](../rules/Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.PostgreSQL.UseSSL](../rules/Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical [Azure.PostgreSQL.ZoneRedundantHA](../rules/Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important [Azure.PrivateEndpoint.Name](../rules/Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness 
@@ -350,12 +374,15 @@ Name | Synopsis | Severity [Azure.Redis.FirewallRuleCount](../rules/Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness [Azure.Redis.LocalAuth](../rules/Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | Important [Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important +[Azure.Redis.MigrateAMR](../rules/Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important [Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important [Azure.Redis.MinTLS](../rules/Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical +[Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Redis.NonSslPort](../rules/Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical [Azure.Redis.PublicNetworkAccess](../rules/Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical [Azure.Redis.Version](../rules/Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important [Azure.RedisEnterprise.MinTLS](../rules/Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical +[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. 
| Awareness [Azure.RedisEnterprise.Zones](../rules/Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important [Azure.Resource.AllowedRegions](../rules/Azure.Resource.AllowedRegions.md) | The deployment location of a resource determines the country or region where metadata and data is stored and processed. | Important [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness @@ -378,6 +405,8 @@ Name | Synopsis | Severity [Azure.ServiceBus.MinTLS](../rules/Azure.ServiceBus.MinTLS.md) | Service Bus namespaces should reject TLS versions older than 1.2. | Important [Azure.ServiceBus.Usage](../rules/Azure.ServiceBus.Usage.md) | Regularly remove unused resources to reduce costs. | Important [Azure.ServiceFabric.AAD](../rules/Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical +[Azure.ServiceFabric.ManagedNaming](../rules/Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness +[Azure.ServiceFabric.Naming](../rules/Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ServiceFabric.ProtectionLevel](../rules/Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important [Azure.SignalR.ManagedIdentity](../rules/Azure.SignalR.ManagedIdentity.md) | Configure SignalR Services to use managed identities to access Azure resources securely. | Important [Azure.SignalR.Name](../rules/Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness 
@@ -387,13 +416,17 @@ Name | Synopsis | Severity [Azure.SQL.AllowAzureAccess](../rules/Azure.SQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important [Azure.SQL.Auditing](../rules/Azure.SQL.Auditing.md) | Enable auditing for Azure SQL logical server. | Important [Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness +[Azure.SQL.DBNaming](../rules/Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.SQL.DefenderCloud](../rules/Azure.SQL.DefenderCloud.md) | Enable Microsoft Defender for Azure SQL logical server. | Important +[Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness [Azure.SQL.FirewallIPRange](../rules/Azure.SQL.FirewallIPRange.md) | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important [Azure.SQL.FirewallRuleCount](../rules/Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness +[Azure.SQL.JobAgentNaming](../rules/Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.SQL.MaintenanceWindow](../rules/Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important [Azure.SQL.MinTLS](../rules/Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. 
| Critical [Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness +[Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.SQL.TDE](../rules/Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical [Azure.SQL.VAScan](../rules/Azure.SQL.VAScan.md) | SQL Databases may have configuration vulnerabilities discovered after they are deployed. | Important [Azure.SQLMI.AAD](../rules/Azure.SQLMI.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical @@ -401,6 +434,7 @@ Name | Synopsis | Severity [Azure.SQLMI.MaintenanceWindow](../rules/Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important [Azure.SQLMI.ManagedIdentity](../rules/Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important [Azure.SQLMI.Name](../rules/Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness +[Azure.SQLMI.Naming](../rules/Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.Storage.BlobAccessType](../rules/Azure.Storage.BlobAccessType.md) | Use containers configured with a private access type that requires authorization. | Important [Azure.Storage.BlobPublicAccess](../rules/Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important [Azure.Storage.ContainerSoftDelete](../rules/Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important 
diff --git a/docs/en/rules/Azure.ACI.Naming.md b/docs/en/rules/Azure.ACI.Naming.md new file mode 100644 index 0000000000..0abdb69ea5 --- /dev/null +++ b/docs/en/rules/Azure.ACI.Naming.md 
@@ -0,0 +1,182 @@ +--- +reviewed: 2025-10-26 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Container Instance +resourceType: Microsoft.ContainerInstance/containerGroups +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ACI.Naming/ +--- + +# Container Instance resources must use standard naming + +## SYNOPSIS + +Container Instance resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Container Instance, the Cloud Adoption Framework (CAF) recommends using the `ci-` prefix. + +Requirements for Container Instance resource names: + +- Between 1 and 63 characters long. +- Lowercase letters, numbers, and hyphens. +- Start with letter and end with alphanumeric. +- Can not contain consecutive hyphens. + +## RECOMMENDATION + +Consider creating Container Instance resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource containerGroup 'Microsoft.ContainerInstance/containerGroups@2025-09-01' = { + name: name + location: location + properties: { + containers: containers + osType: 'Linux' + sku: 'Standard' + restartPolicy: 'Always' + ipAddress: { + ports: [ + { + port: 80 + protocol: 'TCP' + } + ] + type: 'Private' + } + subnetIds: [ + { + id: subnetId + } + ] + } +} +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + }, + }, + "resources": [ + { + "type": "Microsoft.ContainerInstance/containerGroups", + "apiVersion": "2025-09-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "containers": "[variables('containers')]", + "osType": "Linux", + "sku": "Standard", + "restartPolicy": "Always", + "ipAddress": { + "ports": [ + { + "port": 80, + "protocol": "TCP" + } + ], + "type": "Private" + }, + "subnetIds": [ + { + "id": "[parameters('subnetId')]" + } + ] + } + } + ] +} +``` + +## NOTES + +This rule does not check if Container Instance resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_CONTAINER_INSTANCE_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_CONTAINER_INSTANCE_NAME_FORMAT: '^ci-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerinstance/containergroups) 
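Review bot: In the new `docs/en/rules/Azure.ACI.Naming.md`, both examples reference symbols that are never declared: the Bicep resource uses `containers: containers` and `id: subnetId` with no `param`/`var` for either, and the ARM template uses `"[variables('containers')]"` and `"[parameters('subnetId')]"` while the template declares neither a `variables` section nor a `subnetId` parameter, so neither example deploys as written. The ARM template also has a trailing comma after the `location` parameter block (`},` followed by `},` before `"resources"`), which is not valid JSON. Either add `param subnetId string` / `param containers array` (and the matching template parameters) or trim the examples to the name-related properties the rule is about, and drop the stray comma. Minor: "Can not contain consecutive hyphens" should read "Cannot contain consecutive hyphens".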
diff --git a/docs/en/rules/Azure.ACR.Name.md b/docs/en/rules/Azure.ACR.Name.md index 00c1db14d9..f566a4df77 100644 --- a/docs/en/rules/Azure.ACR.Name.md +++ b/docs/en/rules/Azure.ACR.Name.md @@ -1,5 +1,5 @@ --- -reviewed: 2023-12-01 +reviewed: 2025-10-25 severity: Awareness pillar: Operational Excellence category: OE:04 Continuous integration @@ -30,12 +30,66 @@ Additionally consider naming resources with a standard naming convention. ## EXAMPLES +### Configure with Bicep + +To deploy registries that pass this rule, consider: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(5) +@maxLength(50) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource registry 'Microsoft.ContainerRegistry/registries@2025-05-01-preview' = { + name: name + location: location + sku: { + name: 'Premium' + } + identity: { + type: 'SystemAssigned' + } + properties: { + adminUserEnabled: false + anonymousPullEnabled: false + publicNetworkAccess: 'Disabled' + zoneRedundancy: 'Enabled' + policies: { + quarantinePolicy: { + status: 'enabled' + } + retentionPolicy: { + days: 30 + status: 'enabled' + } + softDeletePolicy: { + retentionDays: 90 + status: 'enabled' + } + exportPolicy: { + status: 'disabled' + } + } + } +} +``` + + + ### Configure with Azure template To deploy registries that pass this rule, consider: -- Configuring a `minLength` and `maxLength` constraint for the resource name parameter. -- Optionally, you could also use a `uniqueString()` function to generate a unique name. +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. For example: 
@@ -63,7 +117,7 @@ For example: "resources": [ { "type": "Microsoft.ContainerRegistry/registries", - "apiVersion": "2023-08-01-preview", + "apiVersion": "2025-05-01-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "sku": { @@ -74,14 +128,23 @@ For example: }, "properties": { "adminUserEnabled": false, + "anonymousPullEnabled": false, + "publicNetworkAccess": "Disabled", + "zoneRedundancy": "Enabled", "policies": { - "trustPolicy": { - "status": "enabled", - "type": "Notary" + "quarantinePolicy": { + "status": "enabled" }, "retentionPolicy": { "days": 30, "status": "enabled" + }, + "softDeletePolicy": { + "retentionDays": 90, + "status": "enabled" + }, + "exportPolicy": { + "status": "disabled" } } } @@ -90,51 +153,6 @@ For example: } ``` -### Configure with Bicep - -To deploy registries that pass this rule, consider: - -- Configuring a `minLength` and `maxLength` constraint for the resource name parameter. -- Optionally, you could also use a `uniqueString()` function to generate a unique name. - -For example: - -```bicep -@minLength(5) -@maxLength(50) -@sys.description('The name of the resource.') -param name string - -@sys.description('The location resources will be deployed.') -param location string = resourceGroup().location - -resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = { - name: name - location: location - sku: { - name: 'Premium' - } - identity: { - type: 'SystemAssigned' - } - properties: { - adminUserEnabled: false - policies: { - trustPolicy: { - status: 'enabled' - type: 'Notary' - } - retentionPolicy: { - days: 30 - status: 'enabled' - } - } - } -} -``` - - - ## NOTES This rule does not check if container registry names are unique. 
@@ -142,6 +160,7 @@ This rule does not check if container registry names are unique. ## LINKS - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) diff --git a/docs/en/rules/Azure.ACR.Naming.md b/docs/en/rules/Azure.ACR.Naming.md new file mode 100644 index 0000000000..b9d9345f1b --- /dev/null +++ b/docs/en/rules/Azure.ACR.Naming.md 
@@ -0,0 +1,199 @@ +--- +reviewed: 2025-10-25 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Container Registry +resourceType: Microsoft.ContainerRegistry/registries +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ACR.Naming/ +--- + +# Container Registry resources must use standard naming + +## SYNOPSIS + +Container Registry resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Container Registry, the Cloud Adoption Framework (CAF) recommends using the `cr` prefix. + +Requirements for Container Registry resource names: + +- Between 5 and 50 characters long. +- Alphanumerics. +- Container registry names must be globally unique. + +## RECOMMENDATION + +Consider creating Container Registry resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(5) +@maxLength(50) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource registry 'Microsoft.ContainerRegistry/registries@2025-05-01-preview' = { + name: name + location: location + sku: { + name: 'Premium' + } + identity: { + type: 'SystemAssigned' + } + properties: { + adminUserEnabled: false + anonymousPullEnabled: false + publicNetworkAccess: 'Disabled' + zoneRedundancy: 'Enabled' + policies: { + quarantinePolicy: { + status: 'enabled' + } + retentionPolicy: { + days: 30 + status: 'enabled' + } + softDeletePolicy: { + retentionDays: 90 + status: 'enabled' + } + exportPolicy: { + status: 'disabled' + } + } + } +} +``` + + + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 5, + "maxLength": 50, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2025-05-01-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Premium" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "adminUserEnabled": false, + "anonymousPullEnabled": false, + "publicNetworkAccess": "Disabled", + "zoneRedundancy": "Enabled", + "policies": { + "quarantinePolicy": { + "status": "enabled" + }, + "retentionPolicy": { + "days": 30, + "status": "enabled" + }, + "softDeletePolicy": { + "retentionDays": 90, + "status": "enabled" + }, + "exportPolicy": { + "status": "disabled" + } + } + } + } + ] +} +``` + +## NOTES + +This rule does not check if Container Registry resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_CONTAINER_REGISTRY_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_CONTAINER_REGISTRY_NAME_FORMAT: '^cr' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep 
functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerregistry/registries) diff --git a/docs/en/rules/Azure.AI.FoundryNaming.md b/docs/en/rules/Azure.AI.FoundryNaming.md index 4cc3adc150..0b2392fab5 100644 --- a/docs/en/rules/Azure.AI.FoundryNaming.md +++ b/docs/en/rules/Azure.AI.FoundryNaming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-007-10 +reviewed: 2025-10-25 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes @@ -166,7 +166,10 @@ configuration: ## LINKS - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts) diff --git a/docs/en/rules/Azure.AKS.Name.md b/docs/en/rules/Azure.AKS.Name.md index c2ab7a81f0..18388c50f9 100644 --- a/docs/en/rules/Azure.AKS.Name.md +++ b/docs/en/rules/Azure.AKS.Name.md @@ -1,5 +1,5 @@ --- -reviewed: 2023-12-01 +reviewed: 2025-10-25 severity: Awareness pillar: Operational Excellence category: OE:04 Continuous integration 
@@ -29,6 +29,179 @@ The requirements for AKS cluster names are: Consider using names that meet AKS cluster naming requirements. Additionally consider naming resources with a standard naming convention. +## EXAMPLES + +### Configure with Bicep + +To deploy clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource cluster 'Microsoft.ContainerService/managedClusters@2025-07-01' = { + location: location + name: name + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${identity.id}': {} + } + } + properties: { + kubernetesVersion: kubernetesVersion + disableLocalAccounts: true + enableRBAC: true + dnsPrefix: dnsPrefix + agentPoolProfiles: allPools + aadProfile: { + managed: true + enableAzureRBAC: true + adminGroupObjectIDs: clusterAdmins + tenantID: subscription().tenantId + } + networkProfile: { + networkPlugin: 'azure' + networkPolicy: 'azure' + loadBalancerSku: 'standard' + serviceCidr: serviceCidr + dnsServiceIP: dnsServiceIP + } + apiServerAccessProfile: { + authorizedIPRanges: [ + '0.0.0.0/32' + ] + } + autoUpgradeProfile: { + upgradeChannel: 'stable' + } + oidcIssuerProfile: { + enabled: true + } + addonProfiles: { + azurepolicy: { + enabled: true + } + omsagent: { + enabled: true + config: { + logAnalyticsWorkspaceResourceID: workspaceId + } + } + azureKeyvaultSecretsProvider: { + enabled: true + config: { + enableSecretRotation: 'true' + } + } + } + } +} +``` + + + +### Configure with Azure template + +To deploy clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. 
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the AKS cluster." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. The Azure region to deploy to." + } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2025-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {} + } + }, + "properties": { + "kubernetesVersion": "[parameters('kubernetesVersion')]", + "disableLocalAccounts": true, + "enableRBAC": true, + "dnsPrefix": "[parameters('dnsPrefix')]", + "agentPoolProfiles": "[variables('allPools')]", + "aadProfile": { + "managed": true, + "enableAzureRBAC": true, + "adminGroupObjectIDs": "[parameters('clusterAdmins')]", + "tenantID": "[subscription().tenantId]" + }, + "networkProfile": { + "networkPlugin": "azure", + "networkPolicy": "azure", + "loadBalancerSku": "standard", + "serviceCidr": "[variables('serviceCidr')]", + "dnsServiceIP": "[variables('dnsServiceIP')]" + }, + "apiServerAccessProfile": { + "authorizedIPRanges": [ + "0.0.0.0/32" + ] + }, + "autoUpgradeProfile": { + "upgradeChannel": "stable" + }, + "oidcIssuerProfile": { + "enabled": true + }, + "addonProfiles": { + "azurepolicy": { + "enabled": true + }, + "omsagent": { + "enabled": true, + "config": { + "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]" + } + }, + "azureKeyvaultSecretsProvider": { + "enabled": true, + "config": { + "enableSecretRotation": "true" 
+ } + } + } + } + } + ] +} +``` + ## NOTES This rule does not check if cluster names are unique. @@ -43,6 +216,7 @@ The requirements for DNS prefixes are: ## LINKS - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) diff --git a/docs/en/rules/Azure.AKS.Naming.md b/docs/en/rules/Azure.AKS.Naming.md new file mode 100644 index 0000000000..87412f777f --- /dev/null +++ b/docs/en/rules/Azure.AKS.Naming.md 
@@ -0,0 +1,247 @@ +--- +reviewed: 2025-10-25 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Azure Kubernetes Service +resourceType: Microsoft.ContainerService/managedClusters +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.Naming/ +--- + +# AKS cluster resources must use standard naming + +## SYNOPSIS + +AKS cluster resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For AKS cluster, the Cloud Adoption Framework (CAF) recommends using the `aks-` prefix. + +Requirements for AKS cluster resource names: + +- Between 1 and 63 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating AKS cluster resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource cluster 'Microsoft.ContainerService/managedClusters@2025-07-01' = { + location: location + name: name + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${identity.id}': {} + } + } + properties: { + kubernetesVersion: kubernetesVersion + disableLocalAccounts: true + enableRBAC: true + dnsPrefix: dnsPrefix + agentPoolProfiles: allPools + aadProfile: { + managed: true + enableAzureRBAC: true + adminGroupObjectIDs: clusterAdmins + tenantID: subscription().tenantId + } + networkProfile: { + networkPlugin: 'azure' + networkPolicy: 'azure' + loadBalancerSku: 'standard' + serviceCidr: serviceCidr + dnsServiceIP: dnsServiceIP + } + apiServerAccessProfile: { + authorizedIPRanges: [ + '0.0.0.0/32' + ] + } + autoUpgradeProfile: { + upgradeChannel: 'stable' + } + oidcIssuerProfile: { + enabled: true + } + addonProfiles: { + azurepolicy: { + enabled: true + } + omsagent: { + enabled: true + config: { + logAnalyticsWorkspaceResourceID: workspaceId + } + } + azureKeyvaultSecretsProvider: { + enabled: true + config: { + enableSecretRotation: 'true' + } + } + } + } +} +``` + + + +### Configure with Azure template + +To deploy clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
+ +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the AKS cluster." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. The Azure region to deploy to." + } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2025-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {} + } + }, + "properties": { + "kubernetesVersion": "[parameters('kubernetesVersion')]", + "disableLocalAccounts": true, + "enableRBAC": true, + "dnsPrefix": "[parameters('dnsPrefix')]", + "agentPoolProfiles": "[variables('allPools')]", + "aadProfile": { + "managed": true, + "enableAzureRBAC": true, + "adminGroupObjectIDs": "[parameters('clusterAdmins')]", + "tenantID": "[subscription().tenantId]" + }, + "networkProfile": { + "networkPlugin": "azure", + "networkPolicy": "azure", + "loadBalancerSku": "standard", + "serviceCidr": "[variables('serviceCidr')]", + "dnsServiceIP": "[variables('dnsServiceIP')]" + }, + "apiServerAccessProfile": { + "authorizedIPRanges": [ + "0.0.0.0/32" + ] + }, + "autoUpgradeProfile": { + "upgradeChannel": "stable" + }, + "oidcIssuerProfile": { + "enabled": true + }, + "addonProfiles": { + "azurepolicy": { + "enabled": true + }, + "omsagent": { + "enabled": true, + "config": { + "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]" + } + }, + "azureKeyvaultSecretsProvider": { + "enabled": true, + "config": { + "enableSecretRotation": "true" + } + } + } + } + } + ] +} +``` + +## NOTES + +This rule does not check if AKS cluster resource 
names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_AKS_CLUSTER_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_AKS_CLUSTER_NAME_FORMAT: '^aks-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters) diff --git a/docs/en/rules/Azure.AKS.SystemPoolNaming.md b/docs/en/rules/Azure.AKS.SystemPoolNaming.md new file mode 100644 index 0000000000..973c8ccfc2 --- /dev/null +++ b/docs/en/rules/Azure.AKS.SystemPoolNaming.md 
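Review bot: In the Azure.AKS.Naming.md template example the `name` parameter declares no `minLength`/`maxLength`, although the bullet list directly above it asks readers to constrain the parameter and the Bicep example does so with `@minLength(1)` / `@maxLength(63)`; add `"minLength": 1, "maxLength": 63` to the parameter, as the Container App Environment and Container App Job pages in this same patch do. The requirements bullet `Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).` reads as copied from a generic naming page; since this document covers a single resource type, state the rule for `Microsoft.ContainerService/managedClusters` only and drop the parenthetical. Both examples also reference symbols that are never declared (`identity.id`, `kubernetesVersion`, `dnsPrefix`, `allPools`, `clusterAdmins`, `workspaceId` in Bicep; `parameters('identityName')`, `parameters('kubernetesVersion')`, `variables('allPools')` and others in the template), so neither deploys as shown; either declare them or trim the examples to the properties relevant to naming.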
@@ -0,0 +1,166 @@ +--- +reviewed: 2025-10-26 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Azure Kubernetes Service +resourceType: Microsoft.ContainerService/managedClusters,Microsoft.ContainerService/managedClusters/agentPools +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.SystemPoolNaming/ +--- + +# AKS system node pool resources must use standard naming + +## SYNOPSIS + +AKS system node pool resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For AKS system node pool, the Cloud Adoption Framework (CAF) recommends using the `npsystem` prefix. + +Requirements for AKS system node pool resource names: + +- Between 1 and 12 characters long. +- Lowercase letters and numbers +- Can't start with a number. + +## RECOMMENDATION + +Consider creating AKS system node pool resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(12) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource system 'Microsoft.ContainerService/managedClusters/agentPools@2025-07-01' = { + parent: cluster + name: name + properties: { + osDiskSizeGB: osDiskSizeGB + minCount: 3 + maxCount: 7 + enableAutoScaling: true + maxPods: systemPoolMaxPods + vmSize: 'Standard_D16ds_v6' + osType: 'Linux' + type: 'VirtualMachineScaleSets' + vnetSubnetID: clusterSubnetId + mode: 'System' + osDiskType: 'Ephemeral' + scaleSetPriority: 'Regular' + } +} +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters/agentPools", + "apiVersion": "2025-07-01", + "name": "[format('{0}/{1}', parameters('name'), 'system')]", + "properties": { + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "minCount": 3, + "maxCount": 7, + "enableAutoScaling": true, + "maxPods": "[parameters('systemPoolMaxPods')]", + "vmSize": "Standard_D16ds_v6", + "osType": "Linux", + "type": "VirtualMachineScaleSets", + "vnetSubnetID": "[parameters('clusterSubnetId')]", + "mode": "System", + "osDiskType": "Ephemeral", + "scaleSetPriority": "Regular" + } + } + ] +} +``` + +## NOTES + +This rule does not check if AKS system node pool resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_AKS_SYSTEM_POOL_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_AKS_SYSTEM_POOL_NAME_FORMAT: '^npsystem' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment 
reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters/agentpools) diff --git a/docs/en/rules/Azure.AKS.UserPoolNaming.md b/docs/en/rules/Azure.AKS.UserPoolNaming.md new file mode 100644 index 0000000000..443de104b6 --- /dev/null +++ b/docs/en/rules/Azure.AKS.UserPoolNaming.md 
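Review bot: In the Azure.AKS.SystemPoolNaming.md template example the pool segment of the resource name is the literal `'system'` (`"name": "[format('{0}/{1}', parameters('name'), 'system')]"`), so the agent pool would be named `system`, which does not match the `^npsystem` format the same page suggests under Rule configuration; at the same time `parameters('name')`, described as "The name of the resource", is actually consumed as the parent cluster name. Follow the Bicep example instead: take the pool name from the constrained 1-12 character parameter and format it as `format('{0}/{1}', parameters('clusterName'), parameters('name'))` with a separate cluster-name parameter, and add `"minLength": 1, "maxLength": 12` to the pool-name parameter. The Bicep example declares a `location` parameter the agent pool resource never uses (agent pools take their location from the parent cluster), and the requirements bullet `Lowercase letters and numbers` is missing its trailing period.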
@@ -0,0 +1,166 @@ +--- +reviewed: 2025-10-26 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Azure Kubernetes Service +resourceType: Microsoft.ContainerService/managedClusters,Microsoft.ContainerService/managedClusters/agentPools +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.UserPoolNaming/ +--- + +# AKS user node pool resources must use standard naming + +## SYNOPSIS + +AKS user node pool resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For AKS user node pool, the Cloud Adoption Framework (CAF) recommends using the `np` prefix. + +Requirements for AKS user node pool resource names: + +- Between 1 and 12 characters long for Linux, and between 1 and 6 characters long for Windows. +- Lowercase letters and numbers +- Can't start with a number. + +## RECOMMENDATION + +Consider creating AKS user node pool resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(12) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource user 'Microsoft.ContainerService/managedClusters/agentPools@2025-07-01' = { + parent: cluster + name: name + properties: { + osDiskSizeGB: osDiskSizeGB + minCount: 3 + maxCount: 20 + enableAutoScaling: true + maxPods: 150 + vmSize: 'Standard_D16ds_v6' + osType: 'Linux' + type: 'VirtualMachineScaleSets' + vnetSubnetID: clusterSubnetId + mode: 'User' + osDiskType: 'Ephemeral' + scaleSetPriority: 'Regular' + } +} +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters/agentPools", + "apiVersion": "2025-07-01", + "name": "[format('{0}/{1}', parameters('name'), 'user')]", + "properties": { + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "minCount": 3, + "maxCount": 20, + "enableAutoScaling": true, + "maxPods": 150, + "vmSize": "Standard_D16ds_v6", + "osType": "Linux", + "type": "VirtualMachineScaleSets", + "vnetSubnetID": "[parameters('clusterSubnetId')]", + "mode": "User", + "osDiskType": "Ephemeral", + "scaleSetPriority": "Regular" + } + } + ] +} +``` + +## NOTES + +This rule does not check if AKS user node pool resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_AKS_USER_POOL_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_AKS_USER_POOL_NAME_FORMAT: '^np' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters/agentpools) 
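Review bot: The Azure.AKS.UserPoolNaming.md template example has the same naming defect as the system pool page: the pool segment is the literal `'user'` (`"name": "[format('{0}/{1}', parameters('name'), 'user')]"`), which does not match the suggested `^np` format, and `parameters('name')` is used as the cluster name rather than the pool name; format the name from a cluster-name parameter plus the constrained pool-name parameter instead. The requirements also state that Windows pools are limited to 1-6 characters, yet both examples constrain the name to 12 characters and rely on `osType: 'Linux'` to stay valid; say in the NOTES section whether the rule checks the Windows length limit, and consider a second example or a sentence showing the 6 character limit for Windows pools. The `Lowercase letters and numbers` bullet is missing its trailing period.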
diff --git a/docs/en/rules/Azure.ContainerApp.EnvNaming.md b/docs/en/rules/Azure.ContainerApp.EnvNaming.md new file mode 100644 index 0000000000..83bd5c6018 --- /dev/null +++ b/docs/en/rules/Azure.ContainerApp.EnvNaming.md 
@@ -0,0 +1,182 @@ +--- +reviewed: 2025-10-26 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Container App Environment +resourceType: Microsoft.App/managedEnvironments +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.EnvNaming/ +--- + +# Container App Environment resources must use standard naming + +## SYNOPSIS + +Container App Environment resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Container App Environment, the Cloud Adoption Framework (CAF) recommends using the `cae-` prefix. + +Requirements for Container App Environment resource names: + +- Between 2 and 60 characters long. +- Lowercase letters, numbers, and hyphens. + +## RECOMMENDATION + +Consider creating Container App Environment resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(2) +@maxLength(60) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource containerEnv 'Microsoft.App/managedEnvironments@2025-01-01' = { + name: name + location: location + properties: { + appLogsConfiguration: { + destination: 'log-analytics' + logAnalyticsConfiguration: { + customerId: workspace.properties.customerId + sharedKey: workspace.listKeys().primarySharedKey + } + } + zoneRedundant: true + workloadProfiles: [ + { + name: 'Consumption' + workloadProfileType: 'Consumption' + } + ] + vnetConfiguration: { + infrastructureSubnetId: subnetId + internal: true + } + } +} +``` + + + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 2, + "maxLength": 60, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.App/managedEnvironments", + "apiVersion": "2025-01-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "appLogsConfiguration": { + "destination": "log-analytics", + "logAnalyticsConfiguration": { + "customerId": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', split(parameters('workspaceId'), '/')[8]), '2022-10-01').customerId]", + "sharedKey": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces', split(parameters('workspaceId'), '/')[8]), '2022-10-01').primarySharedKey]" + } + }, + "zoneRedundant": true, + "workloadProfiles": [ + { + "name": "Consumption", + "workloadProfileType": "Consumption" + } + ], + "vnetConfiguration": { + "infrastructureSubnetId": "[parameters('subnetId')]", + "internal": true + } + } + } + ] +} +``` + +## NOTES + +This rule does not check if Container App Environment resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT` configuration value to a regular expression +that matches the required format. 
+ +For example: + +```yaml +configuration: + AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT: '^cae-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/managedenvironments) diff --git a/docs/en/rules/Azure.ContainerApp.JobNaming.md b/docs/en/rules/Azure.ContainerApp.JobNaming.md new file mode 100644 index 0000000000..7d95cf2d8d --- /dev/null +++ b/docs/en/rules/Azure.ContainerApp.JobNaming.md 
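Review bot: In the Azure.ContainerApp.EnvNaming.md template example the `resources` block references `parameters('workspaceId')` and `parameters('subnetId')`, but the `parameters` block only declares `name` and `location`, so the template does not deploy as written; declare both (with descriptions) or trim the example to the name-related properties, mirroring the Bicep example which likewise uses undeclared `workspace` and `subnetId` symbols. Worth a sentence in the page as well: `resourceId('Microsoft.OperationalInsights/workspaces', split(parameters('workspaceId'), '/')[8])` rebuilds the workspace ID in the deployment's own subscription and resource group, so the example only works when the workspace lives alongside the environment; passing the full resource ID straight to `reference()` and `listKeys()` avoids that assumption.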
@@ -0,0 +1,174 @@ +--- +reviewed: 2025-10-26 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Container App Job +resourceType: Microsoft.App/jobs +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.JobNaming/ +--- + +# Container App Job resources must use standard naming + +## SYNOPSIS + +Container App Job resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Container App Job, the Cloud Adoption Framework (CAF) recommends using the `caj-` prefix. + +Requirements for Container App Job resource names: + +- Between 2 and 32 characters long. +- Lowercase letters, numbers, and hyphens. +- Start with letter and end with alphanumeric. +- Can not contain consecutive hyphens. + +## RECOMMENDATION + +Consider creating Container App Job resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(2) +@maxLength(32) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource job 'Microsoft.App/jobs@2025-01-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + environmentId: containerEnv.id + template: { + containers: containers + } + workloadProfileName: workloadProfileName + configuration: { + replicaTimeout: 300 + triggerType: 'Manual' + manualTriggerConfig: {} + } + } +} +``` + + + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 2, + "maxLength": 32, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.App/jobs", + "apiVersion": "2025-01-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]", + "template": { + "containers": "[variables('containers')]" + }, + "workloadProfileName": "[parameters('workloadProfileName')]", + "configuration": { + "replicaTimeout": 300, + "triggerType": "Manual", + "manualTriggerConfig": {} + } + } + } + ] +} +``` + +## NOTES + +This rule does not check if Container App Job resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_CONTAINER_APP_JOB_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_CONTAINER_APP_JOB_NAME_FORMAT: '^caj-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/jobs) 
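Review bot: In the Azure.ContainerApp.JobNaming.md template example `environmentId` is derived from the job's own name parameter (`"environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]"`), so the job would look for a managed environment with the same name as the job itself; with the recommended `caj-` prefix for jobs and `cae-` prefix for environments that can never resolve. Use a dedicated environment-name parameter, as the `envName` parameter in the Azure.ContainerApp.Naming.md template in this patch does, and declare the `workloadProfileName` parameter and `containers` variable that the template references. Style: `Can not contain consecutive hyphens.` should read `Cannot contain consecutive hyphens.` here and in the other pages where the bullet was added.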
diff --git a/docs/en/rules/Azure.ContainerApp.Name.md b/docs/en/rules/Azure.ContainerApp.Name.md index 33f29f8dc6..cc4bc50117 100644 --- a/docs/en/rules/Azure.ContainerApp.Name.md +++ b/docs/en/rules/Azure.ContainerApp.Name.md @@ -1,4 +1,5 @@ --- +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence category: OE:04 Continuous integration @@ -21,6 +22,7 @@ The requirements for container app names are: - Between 2 and 32 characters long. - Lowercase letters, numbers, and hyphens. - Start with letter and end with alphanumeric. +- Can not contain consecutive hyphens. ## RECOMMENDATION @@ -29,12 +31,57 @@ Additionally consider naming resources with a standard naming convention. ## EXAMPLES +### Configure with Bicep + +To deploy Container Apps that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(2) +@maxLength(32) +@description('The name of the container app.') +param appName string + +resource containerApp 'Microsoft.App/containerApps@2025-01-01' = { + name: appName + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + environmentId: containerEnv.id + template: { + revisionSuffix: revision + containers: containers + scale: { + minReplicas: 2 + } + } + configuration: { + ingress: { + allowInsecure: false + external: false + stickySessions: { + affinity: 'none' + } + } + } + } +} +``` + + + ### Configure with Azure template To deploy Container Apps that pass this rule: -- Configuring a `minLength` and `maxLength` constraint for the resource name parameter. -- Optionally, you could also use a `uniqueString()` function to generate a unique name. +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. For example: 
@@ -98,7 +145,7 @@ For example: "resources": [ { "type": "Microsoft.App/containerApps", - "apiVersion": "2023-05-01", + "apiVersion": "2025-01-01", "name": "[parameters('appName')]", "location": "[parameters('location')]", "identity": { @@ -116,6 +163,7 @@ For example: "configuration": { "ingress": { "allowInsecure": false, + "external": false, "stickySessions": { "affinity": "none" } @@ -127,50 +175,6 @@ For example: } ``` -### Configure with Bicep - -To deploy Container Apps that pass this rule: - -- Configuring a `minLength` and `maxLength` constraint for the resource name parameter. -- Optionally, you could also use a `uniqueString()` function to generate a unique name. - -For example: - -```bicep -@minLength(2) -@maxLength(32) -@description('The name of the container app.') -param appName string - -resource containerApp 'Microsoft.App/containerApps@2023-05-01' = { - name: appName - location: location - identity: { - type: 'SystemAssigned' - } - properties: { - environmentId: containerEnv.id - template: { - revisionSuffix: revision - containers: containers - scale: { - minReplicas: 2 - } - } - configuration: { - ingress: { - allowInsecure: false - stickySessions: { - affinity: 'none' - } - } - } - } -} -``` - - - ## NOTES This rule does not check if container app names are unique. 
@@ -178,5 +182,8 @@ This rule does not check if container app names are unique. ## LINKS - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Naming rules and restrictions for container app resource](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftapp) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps) diff --git a/docs/en/rules/Azure.ContainerApp.Naming.md b/docs/en/rules/Azure.ContainerApp.Naming.md new file mode 100644 index 0000000000..a5e21871e0 --- /dev/null +++ b/docs/en/rules/Azure.ContainerApp.Naming.md 
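Review bot: Azure.ContainerApp.Name.md keeps `category: OE:04 Continuous integration` in its front matter and the first LINKS entry still points at the continuous-integration page, while the new naming pages in this patch file the same guidance under `OE:04 Tools and processes`; align the category and the first link so both rules for `Microsoft.App/containerApps` are classified consistently. The new Azure.ContainerApp.Naming.md rule added next also repeats this page's requirements (2-32 characters, lowercase letters, numbers and hyphens, start with a letter, no consecutive hyphens) for the same resource type; add a sentence to the NOTES or LINKS of this page explaining how the two rules relate, for example that this rule checks the platform's built-in name restrictions while the new rule checks the configurable naming convention, so readers do not treat them as duplicates.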
@@ -0,0 +1,221 @@ +--- +reviewed: 2025-10-26 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Container App +resourceType: Microsoft.App/containerApps +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.Naming/ +--- + +# Container App resources must use standard naming + +## SYNOPSIS + +Container App resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Container App, the Cloud Adoption Framework (CAF) recommends using the `ca-` prefix. + +Requirements for Container App resource names: + +- Between 2 and 32 characters long. +- Lowercase letters, numbers, and hyphens. +- Start with letter and end with alphanumeric. +- Can not contain consecutive hyphens. + +## RECOMMENDATION + +Consider creating Container App resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy Container Apps that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(2) +@maxLength(32) +@description('The name of the container app.') +param appName string + +resource containerApp 'Microsoft.App/containerApps@2025-01-01' = { + name: appName + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + environmentId: containerEnv.id + template: { + revisionSuffix: revision + containers: containers + scale: { + minReplicas: 2 + } + } + configuration: { + ingress: { + allowInsecure: false + external: false + stickySessions: { + affinity: 'none' + } + } + } + } +} +``` + + + +### Configure with Azure template + +To deploy Container Apps that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "envName": { + "type": "string", + "metadata": { + "description": "The name of the app environment." + } + }, + "appName": { + "type": "string", + "minLength": 2, + "maxLength": 32, + "metadata": { + "description": "The name of the container app." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + }, + "workspaceId": { + "type": "string", + "metadata": { + "description": "The name of a Log Analytics workspace" + } + }, + "subnetId": { + "type": "string", + "metadata": { + "description": "The resource ID of a VNET subnet." 
+ } + }, + "revision": { + "type": "string", + "metadata": { + "description": "The revision of the container app." + } + } + }, + "variables": { + "containers": [ + { + "name": "simple-hello-world-container", + "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", + "resources": { + "cpu": "[json('0.25')]", + "memory": ".5Gi" + } + } + ] + }, + "resources": [ + { + "type": "Microsoft.App/containerApps", + "apiVersion": "2025-01-01", + "name": "[parameters('appName')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]", + "template": { + "revisionSuffix": "[parameters('revision')]", + "containers": "[variables('containers')]", + "scale": { + "minReplicas": 2 + } + }, + "configuration": { + "ingress": { + "allowInsecure": false, + "external": false, + "stickySessions": { + "affinity": "none" + } + } + } + } + } + ] +} +``` + +## NOTES + +This rule does not check if Container App resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_CONTAINER_APP_NAME_FORMAT` configuration value to a regular expression +that matches the required format. 
+ +For example: + +```yaml +configuration: + AZURE_CONTAINER_APP_NAME_FORMAT: '^ca-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps) diff --git a/docs/en/rules/Azure.Cosmos.AccountName.md b/docs/en/rules/Azure.Cosmos.AccountName.md index be45d54d51..fc58e35c62 100644 --- a/docs/en/rules/Azure.Cosmos.AccountName.md +++ b/docs/en/rules/Azure.Cosmos.AccountName.md @@ -1,7 +1,8 @@ --- +reviewed: 2025-11-01 severity: Awareness pillar: Operational Excellence -category: Repeatable infrastructure +category: OE:04 Continuous integration resource: Cosmos DB resourceType: Microsoft.DocumentDB/databaseAccounts online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.AccountName/ 
@@ -28,13 +29,110 @@ The requirements for Cosmos DB account names are: Consider using names that meet Cosmos DB account naming requirements. Additionally consider naming resources with a standard naming convention. +## EXAMPLES + +### Configure with Bicep + +To deploy accounts that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(3) +@maxLength(44) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource account 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + properties: { + enableFreeTier: false + consistencyPolicy: { + defaultConsistencyLevel: 'Session' + } + databaseAccountOfferType: 'Standard' + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + disableKeyBasedMetadataWriteAccess: true + minimalTlsVersion: 'Tls12' + } +} +``` + + + +### Configure with Azure template + +To deploy accounts that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 44, + "metadata": { + "description": "The name of the resource." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "enableFreeTier": false, + "consistencyPolicy": { + "defaultConsistencyLevel": "Session" + }, + "databaseAccountOfferType": "Standard", + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "disableKeyBasedMetadataWriteAccess": true, + "minimalTlsVersion": "Tls12" + } + } + ] +} +``` + ## NOTES This rule does not check if Cosmos DB account names are unique. ## LINKS -- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) -- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftdocumentdb) -- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts) +- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts) 
diff --git a/docs/en/rules/Azure.Cosmos.CassandraNaming.md b/docs/en/rules/Azure.Cosmos.CassandraNaming.md new file mode 100644 index 0000000000..6aa7af5645 --- /dev/null +++ b/docs/en/rules/Azure.Cosmos.CassandraNaming.md 
@@ -0,0 +1,193 @@ +--- +reviewed: 2025-11-27 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Cosmos DB for Apache Cassandra account +resourceType: Microsoft.DocumentDb/databaseAccounts +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.CassandraNaming/ +--- + +# Cosmos DB for Apache Cassandra account resources must use standard naming + +## SYNOPSIS + +Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Cosmos DB for Apache Cassandra account, the Cloud Adoption Framework (CAF) recommends using the `coscas-` prefix. + +Requirements for Cosmos DB for Apache Cassandra account resource names: + +- Between 3 and 44 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Cosmos DB for Apache Cassandra account resources with a standard name. 
+Additionally consider using Azure Policy to only permit creation using a standard naming convention. + +## EXAMPLES + +### Configure with Bicep + +To deploy accounts that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(3) +@maxLength(44) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource cassandra 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + kind: 'GlobalDocumentDB' + properties: { + capabilities: [ + { + name: 'EnableCassandra' + } + ] + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + databaseAccountOfferType: 'Standard' + minimalTlsVersion: 'Tls12' + backupPolicy: { + type: 'Periodic' + periodicModeProperties: { + backupIntervalInMinutes: 240 + backupRetentionIntervalInHours: 8 + backupStorageRedundancy: 'Geo' + } + } + } +} +``` + + + +### Configure with Azure template + +To deploy accounts that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 44, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "GlobalDocumentDB", + "properties": { + "capabilities": [ + { + "name": "EnableCassandra" + } + ], + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + } + } + ] +} +``` + +## NOTES + +This rule does not check if Cosmos DB for Apache Cassandra account resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_COSMOS_CASSANDRA_NAME_FORMAT` configuration value to a regular expression +that matches the required format. 
+ +For example: + +```yaml +configuration: + AZURE_COSMOS_CASSANDRA_NAME_FORMAT: '^coscas-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts) diff --git a/docs/en/rules/Azure.Cosmos.DatabaseNaming.md b/docs/en/rules/Azure.Cosmos.DatabaseNaming.md new file mode 100644 index 0000000000..4311738f02 --- /dev/null +++ b/docs/en/rules/Azure.Cosmos.DatabaseNaming.md 
@@ -0,0 +1,162 @@ +--- +reviewed: 2025-11-27 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Cosmos DB database +resourceType: Microsoft.DocumentDB/databaseAccounts/sqlDatabases +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.DatabaseNaming/ +--- + +# Cosmos DB database resources must use standard naming + +## SYNOPSIS + +Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Cosmos DB database, the Cloud Adoption Framework (CAF) recommends using the `cosmos-` prefix. + +Requirements for Cosmos DB database resource names: + +- Between 1 and 255 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Cosmos DB database resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy databases that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(3) +@maxLength(44) +@description('The name of the Cosmos DB account.') +param accountName string + +@minLength(1) +@maxLength(255) +@description('The name of the database.') +param databaseName string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource account 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' existing = { + name: accountName +} + +resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2025-04-15' = { + parent: account + name: databaseName + properties: { + resource: { + id: databaseName + } + } +} +``` + + + +### Configure with Azure template + +To deploy databases that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "accountName": { + "type": "string", + "minLength": 3, + "maxLength": 44, + "metadata": { + "description": "The name of the Cosmos DB account." + } + }, + "databaseName": { + "type": "string", + "minLength": 1, + "maxLength": 255, + "metadata": { + "description": "The name of the database." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", + "apiVersion": "2025-04-15", + "name": "[format('{0}/{1}', parameters('accountName'), parameters('databaseName'))]", + "properties": { + "resource": { + "id": "[parameters('databaseName')]" + } + } + } + ] +} +``` + +## NOTES + +This rule does not check if Cosmos DB database resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_COSMOS_DATABASE_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_COSMOS_DATABASE_NAME_FORMAT: '^cosmos-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts) diff --git a/docs/en/rules/Azure.Cosmos.GremlinNaming.md b/docs/en/rules/Azure.Cosmos.GremlinNaming.md new file mode 100644 index 0000000000..f5bff91d69 --- /dev/null +++ b/docs/en/rules/Azure.Cosmos.GremlinNaming.md 
@@ -0,0 +1,197 @@ +--- +reviewed: 2025-11-24 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Cosmos DB for Apache Gremlin account +resourceType: Microsoft.DocumentDb/databaseAccounts +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.GremlinNaming/ +--- + +# Cosmos DB for Apache Gremlin account resources must use standard naming + +## SYNOPSIS + +Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Cosmos DB for Apache Gremlin account, the Cloud Adoption Framework (CAF) recommends using the `cosgrm-` prefix. + +Requirements for Cosmos DB for Apache Gremlin account resource names: + +- Between 3 and 44 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Cosmos DB for Apache Gremlin account resources with a standard name. 
+Additionally consider using Azure Policy to only permit creation using a standard naming convention. + +## EXAMPLES + +### Configure with Bicep + +To deploy accounts that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(3) +@maxLength(44) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource gremlin 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + kind: 'GlobalDocumentDB' + properties: { + capabilities: [ + { + name: 'EnableGremlin' + } + ] + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + databaseAccountOfferType: 'Standard' + minimalTlsVersion: 'Tls12' + backupPolicy: { + type: 'Periodic' + periodicModeProperties: { + backupIntervalInMinutes: 240 + backupRetentionIntervalInHours: 8 + backupStorageRedundancy: 'Geo' + } + } + } + tags: { + defaultExperience: 'Gremlin (graph)' + } +} +``` + + + +### Configure with Azure template + +To deploy accounts that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 44, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "GlobalDocumentDB", + "properties": { + "capabilities": [ + { + "name": "EnableGremlin" + } + ], + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + }, + "tags": { + "defaultExperience": "Gremlin (graph)" + } + } + ] +} +``` + +## NOTES + +This rule does not check if Cosmos DB for Apache Gremlin account resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_COSMOS_GREMLIN_NAME_FORMAT` configuration value to a regular expression +that matches the required format. 
+ +For example: + +```yaml +configuration: + AZURE_COSMOS_GREMLIN_NAME_FORMAT: '^cosgrm-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts) diff --git a/docs/en/rules/Azure.Cosmos.MongoNaming.md b/docs/en/rules/Azure.Cosmos.MongoNaming.md new file mode 100644 index 0000000000..7fb8b23559 --- /dev/null +++ b/docs/en/rules/Azure.Cosmos.MongoNaming.md 
@@ -0,0 +1,183 @@ +--- +reviewed: 2025-11-27 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Cosmos DB for MongoDB account +resourceType: Microsoft.DocumentDb/databaseAccounts +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.MongoNaming/ +--- + +# Cosmos DB for MongoDB account resources must use standard naming + +## SYNOPSIS + +Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Cosmos DB for MongoDB account, the Cloud Adoption Framework (CAF) recommends using the `cosmon-` prefix. + +Requirements for Cosmos DB for MongoDB account resource names: + +- Between 3 and 44 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Cosmos DB for MongoDB account resources with a standard name. 
+Additionally consider using Azure Policy to only permit creation using a standard naming convention. + +## EXAMPLES + +### Configure with Bicep + +To deploy accounts that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(3) +@maxLength(44) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource mongo 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + kind: 'MongoDB' + properties: { + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + databaseAccountOfferType: 'Standard' + minimalTlsVersion: 'Tls12' + backupPolicy: { + type: 'Periodic' + periodicModeProperties: { + backupIntervalInMinutes: 240 + backupRetentionIntervalInHours: 8 + backupStorageRedundancy: 'Geo' + } + } + } +} +``` + + + +### Configure with Azure template + +To deploy accounts that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 44, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "MongoDB", + "properties": { + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + } + } + ] +} +``` + +## NOTES + +This rule does not check if Cosmos DB for MongoDB account resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_COSMOS_MONGO_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_COSMOS_MONGO_NAME_FORMAT: '^cosmon-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment 
reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts) diff --git a/docs/en/rules/Azure.Cosmos.NoSQLNaming.md b/docs/en/rules/Azure.Cosmos.NoSQLNaming.md new file mode 100644 index 0000000000..6cf126bb99 --- /dev/null +++ b/docs/en/rules/Azure.Cosmos.NoSQLNaming.md 
@@ -0,0 +1,193 @@ +--- +reviewed: 2025-11-24 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Cosmos DB for NoSQL account +resourceType: Microsoft.DocumentDb/databaseAccounts +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.NoSQLNaming/ +--- + +# Cosmos DB for NoSQL account resources must use standard naming + +## SYNOPSIS + +Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Cosmos DB for NoSQL account, the Cloud Adoption Framework (CAF) recommends using the `cosno-` prefix. + +Requirements for Cosmos DB for NoSQL account resource names: + +- Between 3 and 44 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Cosmos DB for NoSQL account resources with a standard name. 
+Additionally consider using Azure Policy to only permit creation using a standard naming convention. + +## EXAMPLES + +### Configure with Bicep + +To deploy accounts that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(3) +@maxLength(44) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +@description('The location of a secondary replica.') +param secondaryLocation string = location + +resource nosql 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + properties: { + enableFreeTier: false + consistencyPolicy: { + defaultConsistencyLevel: 'Session' + } + databaseAccountOfferType: 'Standard' + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + { + locationName: secondaryLocation + failoverPriority: 1 + isZoneRedundant: false + } + ] + disableKeyBasedMetadataWriteAccess: true + minimalTlsVersion: 'Tls12' + } +} +``` + + + +### Configure with Azure template + +To deploy accounts that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 44, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + }, + "secondaryLocation": { + "type": "string", + "defaultValue": "[parameters('location')]", + "metadata": { + "description": "The location of a secondary replica." + } + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "enableFreeTier": false, + "consistencyPolicy": { + "defaultConsistencyLevel": "Session" + }, + "databaseAccountOfferType": "Standard", + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + }, + { + "locationName": "[parameters('secondaryLocation')]", + "failoverPriority": 1, + "isZoneRedundant": false + } + ], + "disableKeyBasedMetadataWriteAccess": true, + "minimalTlsVersion": "Tls12" + } + } + ] +} +``` + +## NOTES + +This rule does not check if Cosmos DB for NoSQL account resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_COSMOS_NOSQL_NAME_FORMAT` configuration value to a regular expression +that matches the required format. 
+ +For example: + +```yaml +configuration: + AZURE_COSMOS_NOSQL_NAME_FORMAT: '^cosno-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts) diff --git a/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md b/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md new file mode 100644 index 0000000000..93d5b8e865 --- /dev/null +++ b/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md 
@@ -0,0 +1,174 @@ +--- +reviewed: 2025-11-28 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Cosmos DB PostgreSQL cluster +resourceType: Microsoft.DBforPostgreSQL/serverGroupsv2 +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.PostgreSQLNaming/ +--- + +# Cosmos DB PostgreSQL cluster resources must use standard naming + +## SYNOPSIS + +Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Cosmos DB PostgreSQL cluster, the Cloud Adoption Framework (CAF) recommends using the `cospos-` prefix. + +Requirements for Cosmos DB PostgreSQL cluster resource names: + +- Between 3 and 63 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Cosmos DB PostgreSQL cluster resources with a standard name. 
+Additionally consider using Azure Policy to only permit creation using a standard naming convention. + +## EXAMPLES + +### Configure with Bicep + +To deploy clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(3) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +@description('The administrator login name.') +param administratorLogin string + +@secure() +@description('The administrator login password.') +param administratorLoginPassword string + +resource postgresCluster 'Microsoft.DBforPostgreSQL/serverGroupsv2@2022-11-08' = { + name: name + location: location + properties: { + administratorLogin: administratorLogin + administratorLoginPassword: administratorLoginPassword + serverCount: 1 + coordinatorVCores: 4 + coordinatorStorageQuotaInMb: 524288 + } +} +``` + +### Configure with Azure template + +To deploy clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + }, + "administratorLogin": { + "type": "string", + "metadata": { + "description": "The administrator login name." 
+ } + }, + "administratorLoginPassword": { + "type": "securestring", + "metadata": { + "description": "The administrator login password." + } + } + }, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/serverGroupsv2", + "apiVersion": "2022-11-08", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", + "serverCount": 1, + "coordinatorVCores": 4, + "coordinatorStorageQuotaInMb": 524288 + } + } + ] +} +``` + +## NOTES + +This rule does not check if Cosmos DB PostgreSQL cluster resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_COSMOS_POSTGRESQL_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_COSMOS_POSTGRESQL_NAME_FORMAT: '^cospos-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment 
reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/servergroupsv2) diff --git a/docs/en/rules/Azure.Cosmos.TableNaming.md b/docs/en/rules/Azure.Cosmos.TableNaming.md new file mode 100644 index 0000000000..897f17bbb6 --- /dev/null +++ b/docs/en/rules/Azure.Cosmos.TableNaming.md 
@@ -0,0 +1,193 @@ +--- +reviewed: 2025-11-27 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Cosmos DB for Table account +resourceType: Microsoft.DocumentDb/databaseAccounts +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.TableNaming/ +--- + +# Cosmos DB for Table account resources must use standard naming + +## SYNOPSIS + +Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Cosmos DB for Table account, the Cloud Adoption Framework (CAF) recommends using the `costab-` prefix. + +Requirements for Cosmos DB for Table account resource names: + +- Between 3 and 44 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Cosmos DB for Table account resources with a standard name. 
+Additionally consider using Azure Policy to only permit creation using a standard naming convention. + +## EXAMPLES + +### Configure with Bicep + +To deploy accounts that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(3) +@maxLength(44) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource table 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + kind: 'GlobalDocumentDB' + properties: { + capabilities: [ + { + name: 'EnableTable' + } + ] + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + databaseAccountOfferType: 'Standard' + minimalTlsVersion: 'Tls12' + backupPolicy: { + type: 'Periodic' + periodicModeProperties: { + backupIntervalInMinutes: 240 + backupRetentionIntervalInHours: 8 + backupStorageRedundancy: 'Geo' + } + } + } +} +``` + + + +### Configure with Azure template + +To deploy accounts that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 44, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "GlobalDocumentDB", + "properties": { + "capabilities": [ + { + "name": "EnableTable" + } + ], + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + } + } + ] +} +``` + +## NOTES + +This rule does not check if Cosmos DB for Table account resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_COSMOS_TABLE_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_COSMOS_TABLE_NAME_FORMAT: '^costab-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) 
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts) diff --git a/docs/en/rules/Azure.LB.Name.md b/docs/en/rules/Azure.LB.Name.md index e4b5cf5a8b..3cc183ce83 100644 --- a/docs/en/rules/Azure.LB.Name.md +++ b/docs/en/rules/Azure.LB.Name.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-04-11 +reviewed: 2025-10-25 severity: Awareness pillar: Operational Excellence category: OE:04 Continuous integration @@ -93,13 +93,6 @@ For example: { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.34.44.8038", - "templateHash": "15799925094518670850" - } - }, "parameters": { "name": { "type": "string", @@ -115,18 +108,6 @@ For example: "metadata": { "description": "The location resources will be deployed." } - }, - "subnetId": { - "type": "string", - "metadata": { - "description": "The resource ID of the virtual network subnet." - } - }, - "pipId": { - "type": "string", - "metadata": { - "description": "The resource ID of the public IP address." - } } }, "resources": [ @@ -169,6 +150,7 @@ This rule does not check if Load Balancer names are unique. ## LINKS - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) 
diff --git a/docs/en/rules/Azure.MySQL.ServerName.md b/docs/en/rules/Azure.MySQL.ServerName.md index 56ff0eca7b..b47a267344 100644 --- a/docs/en/rules/Azure.MySQL.ServerName.md +++ b/docs/en/rules/Azure.MySQL.ServerName.md @@ -1,7 +1,7 @@ --- severity: Awareness pillar: Operational Excellence -category: Repeatable infrastructure +category: OE:04 Continuous integration resource: Azure Database for MySQL resourceType: Microsoft.DBforMySQL/servers online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.MySQL.ServerName/ @@ -34,5 +34,10 @@ This rule does not check if Azure MySQL DB server names are unique. ## LINKS -- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) -- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftdbformysql) +- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/servers) diff --git a/docs/en/rules/Azure.MySQL.ServerNaming.md b/docs/en/rules/Azure.MySQL.ServerNaming.md new file mode 100644 index 0000000000..9e4fff43a5 --- /dev/null 
+++ b/docs/en/rules/Azure.MySQL.ServerNaming.md 
@@ -0,0 +1,177 @@ +--- +reviewed: 2025-11-01 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Azure Database for MySQL +resourceType: Microsoft.DBforMySQL/flexibleServers,Microsoft.DBforMySQL/servers +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.MySQL.ServerNaming/ +--- + +# MySQL database server resources must use standard naming + +## SYNOPSIS + +MySQL database server resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For MySQL database server, the Cloud Adoption Framework (CAF) recommends using the `mysql-` prefix. + +Requirements for MySQL database server resource names: + +- Between 3 and 63 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating MySQL database server resources with a standard name. 
+Additionally consider using Azure Policy to only permit creation using a standard naming convention. + +## EXAMPLES + +### Configure with Bicep + +To deploy servers that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(3) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource flexible 'Microsoft.DBforMySQL/flexibleServers@2024-12-30' = { + name: name + location: location + sku: { + name: 'Standard_D16as' + tier: 'GeneralPurpose' + } + properties: { + createMode: 'Default' + version: '8.0.21' + administratorLogin: administratorLogin + administratorLoginPassword: administratorLoginPassword + highAvailability: { + mode: 'ZoneRedundant' + } + maintenanceWindow: { + customWindow: 'Enabled' + dayOfWeek: 0 + startHour: 1 + startMinute: 0 + } + } +} +``` + +### Configure with Azure template + +To deploy servers that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers", + "apiVersion": "2024-12-30", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_D16as", + "tier": "GeneralPurpose" + }, + "properties": { + "createMode": "Default", + "version": "8.0.21", + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", + "highAvailability": { + "mode": "ZoneRedundant" + }, + "maintenanceWindow": { + "customWindow": "Enabled", + "dayOfWeek": 0, + "startHour": 1, + "startMinute": 0 + } + } + } + ] +} +``` + +## NOTES + +This rule does not check if MySQL database server resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_MYSQL_SERVER_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_MYSQL_SERVER_NAME_FORMAT: '^mysql-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/flexibleservers) diff --git a/docs/en/rules/Azure.PostgreSQL.ServerName.md b/docs/en/rules/Azure.PostgreSQL.ServerName.md index fc85a23fc3..ba7bf20a9e 100644 
--- a/docs/en/rules/Azure.PostgreSQL.ServerName.md +++ b/docs/en/rules/Azure.PostgreSQL.ServerName.md @@ -1,7 +1,7 @@ --- severity: Awareness pillar: Operational Excellence -category: Repeatable infrastructure +category: OE:04 Continuous integration resource: Azure Database for PostgreSQL resourceType: Microsoft.DBforPostgreSQL/servers online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.PostgreSQL.ServerName/ @@ -34,5 +34,10 @@ This rule does not check if Azure PostgreSQL DB server names are unique. ## LINKS -- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) -- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftdbforpostgresql) +- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/servers) diff --git a/docs/en/rules/Azure.PostgreSQL.ServerNaming.md b/docs/en/rules/Azure.PostgreSQL.ServerNaming.md new file mode 100644 index 0000000000..534882d939 --- /dev/null +++ b/docs/en/rules/Azure.PostgreSQL.ServerNaming.md 
@@ -0,0 +1,185 @@ +--- +reviewed: 2025-11-01 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Azure Database for PostgreSQL +resourceType: Microsoft.DBforPostgreSQL/flexibleServers,Microsoft.DBforPostgreSQL/servers +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.PostgreSQL.ServerNaming/ +--- + +# PostgreSQL database server resources must use standard naming + +## SYNOPSIS + +PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For PostgreSQL database server, the Cloud Adoption Framework (CAF) recommends using the `psql-` prefix. + +Requirements for PostgreSQL database server resource names: + +- Between 3 and 63 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating PostgreSQL database server resources with a standard name. 
+Additionally consider using Azure Policy to only permit creation using a standard naming convention. + +## EXAMPLES + +### Configure with Bicep + +To deploy servers that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(3) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2024-08-01' = { + name: name + location: location + sku: { + name: 'Standard_D2ds_v4' + tier: 'GeneralPurpose' + } + properties: { + createMode: 'Default' + authConfig: { + activeDirectoryAuth: 'Enabled' + passwordAuth: 'Disabled' + tenantId: tenant().tenantId + } + version: '14' + storage: { + storageSizeGB: 32 + } + backup: { + backupRetentionDays: 7 + geoRedundantBackup: 'Enabled' + } + highAvailability: { + mode: 'ZoneRedundant' + } + } +} +``` + +### Configure with Azure template + +To deploy servers that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/flexibleServers", + "apiVersion": "2024-08-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_D2ds_v4", + "tier": "GeneralPurpose" + }, + "properties": { + "createMode": "Default", + "authConfig": { + "activeDirectoryAuth": "Enabled", + "passwordAuth": "Disabled", + "tenantId": "[tenant().tenantId]" + }, + "version": "14", + "storage": { + "storageSizeGB": 32 + }, + "backup": { + "backupRetentionDays": 7, + "geoRedundantBackup": "Enabled" + }, + "highAvailability": { + "mode": "ZoneRedundant" + } + } + } + ] +} +``` + +## NOTES + +This rule does not check if PostgreSQL database server resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_POSTGRESQL_SERVER_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_POSTGRESQL_SERVER_NAME_FORMAT: '^psql-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/flexibleservers) 
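Review bot: the name requirements in the DESCRIPTION of Azure.PostgreSQL.ServerNaming.md are too loose to be actionable: the bullet "Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type)" hedges instead of stating the rule, even though the frontmatter names exactly two resource types (`Microsoft.DBforPostgreSQL/flexibleServers` and `Microsoft.DBforPostgreSQL/servers`). Please check it against the "Naming rules and restrictions for Azure resources" link in LINKS (in my reading that page permits only lowercase letters, numbers and hyphens for these server types, with no leading or trailing hyphen) and spell the rule out per type, since a reader who follows the bullet as written could pick a name with underscores or periods that the stated 3 to 63 length check passes but the platform rejects. The Bicep and JSON examples themselves are consistent with each other (`@minLength(3)`/`@maxLength(63)` and `"minLength": 3`/`"maxLength": 63`) and with the stated length range.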
diff --git a/docs/en/rules/Azure.Redis.Naming.md b/docs/en/rules/Azure.Redis.Naming.md new file mode 100644 index 0000000000..e277643fcc --- /dev/null +++ b/docs/en/rules/Azure.Redis.Naming.md 
@@ -0,0 +1,184 @@ +--- +reviewed: 2025-10-26 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Azure Cache for Redis +resourceType: Microsoft.Cache/Redis +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Redis.Naming/ +--- + +# Azure Cache for Redis resources must use standard naming + +## SYNOPSIS + +Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Azure Cache for Redis, the Cloud Adoption Framework (CAF) recommends using the `redis-` prefix. + +Requirements for Azure Cache for Redis resource names: + +- Between 1 and 63 characters long. +- Can include alphanumeric, and hyphen characters. +- Can only start and end with a letter or number. +- Cache names must be globally unique. + +## RECOMMENDATION + +Consider creating Azure Cache for Redis resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy caches that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource cache 'Microsoft.Cache/redis@2024-11-01' = { + name: name + location: location + properties: { + redisVersion: '6' + sku: { + name: 'Premium' + family: 'P' + capacity: 1 + } + redisConfiguration: { + 'aad-enabled': 'True' + 'maxmemory-reserved': '615' + } + enableNonSslPort: false + publicNetworkAccess: 'Disabled' + disableAccessKeyAuthentication: true + } + zones: [ + '1' + '2' + '3' + ] +} +``` + + + +### Configure with Azure template + +To deploy caches that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Cache/redis", + "apiVersion": "2024-11-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "redisVersion": "6", + "sku": { + "name": "Premium", + "family": "P", + "capacity": 1 + }, + "redisConfiguration": { + "aad-enabled": "True", + "maxmemory-reserved": "615" + }, + "enableNonSslPort": false, + "publicNetworkAccess": "Disabled", + "disableAccessKeyAuthentication": true + }, + "zones": [ + "1", + "2", + "3" + ] + } + ] +} +``` + +## NOTES + +This rule does not check if Azure Cache for Redis resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_REDIS_CACHE_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_REDIS_CACHE_NAME_FORMAT: '^redis-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redis) 
diff --git a/docs/en/rules/Azure.RedisEnterprise.Naming.md b/docs/en/rules/Azure.RedisEnterprise.Naming.md new file mode 100644 index 0000000000..bee08c9ce1 --- /dev/null +++ b/docs/en/rules/Azure.RedisEnterprise.Naming.md 
@@ -0,0 +1,168 @@ +--- +reviewed: 2025-11-16 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Azure Cache for Redis Enterprise +resourceType: Microsoft.Cache/redisEnterprise +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.RedisEnterprise.Naming/ +--- + +# Azure Cache for Redis Enterprise resources must use standard naming + +## SYNOPSIS + +Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Azure Cache for Redis Enterprise, the Cloud Adoption Framework (CAF) recommends using the `redis-` prefix. + +Requirements for Azure Cache for Redis Enterprise resource names: + +- Between 1 and 63 characters long. +- Can include alphanumeric, and hyphen characters. +- Can only start and end with a letter or number. +- Cache names must be globally unique. + +## RECOMMENDATION + +Consider creating Azure Cache for Redis Enterprise resources with a standard name. 
+Additionally consider using Azure Policy to only permit creation using a standard naming convention. + +## EXAMPLES + +### Configure with Bicep + +To deploy enterprise caches that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource cache 'Microsoft.Cache/redisEnterprise@2025-04-01' = { + name: name + location: location + sku: { + name: 'Enterprise_E10' + } + properties: { + minimumTlsVersion: '1.2' + } +} +``` + + + +### Configure with Azure template + +To deploy enterprise caches that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 2, + "maxLength": 64, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Cache/redis", + "apiVersion": "2024-11-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "redisVersion": "6", + "sku": { + "name": "Premium", + "family": "P", + "capacity": 1 + }, + "redisConfiguration": { + "aad-enabled": "True", + "maxmemory-reserved": "615" + }, + "enableNonSslPort": false, + "publicNetworkAccess": "Disabled", + "disableAccessKeyAuthentication": true + }, + "zones": [ + "1", + "2", + "3" + ] + } + ] +} +``` + +## NOTES + +This rule does not check if Azure Cache for Redis resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_REDIS_ENTERPRISE_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '^redis-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise) 
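Review bot: the "Configure with Azure template" example in Azure.RedisEnterprise.Naming.md deploys the wrong resource type: it declares `"type": "Microsoft.Cache/redis"` with `"apiVersion": "2024-11-01"` and the Premium `sku`/`redisConfiguration` block copied from Azure.Redis.Naming.md, so it never creates the `Microsoft.Cache/redisEnterprise` resource this rule targets. Replace it with the ARM form of the Bicep block in the same file (type `Microsoft.Cache/redisEnterprise`, apiVersion `2025-04-01`, `"sku": { "name": "Enterprise_E10" }`, `"minimumTlsVersion": "1.2"`). In the same hunk the `name` parameter is declared with `"minLength": 2` and `"maxLength": 64`, which contradicts both the DESCRIPTION ("Between 1 and 63 characters long") and the Bicep example's `@minLength(1)`/`@maxLength(63)`; it should be 1 and 63. Two smaller points: the NOTES line still says "Azure Cache for Redis resource names" rather than Redis Enterprise, and the template subsection is missing the "For example:" lead-in that the Bicep subsection has.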
diff --git a/docs/en/rules/Azure.RedisEnterprise.Zones.md b/docs/en/rules/Azure.RedisEnterprise.Zones.md index c6100f576c..ccc09c465e 100644 --- a/docs/en/rules/Azure.RedisEnterprise.Zones.md +++ b/docs/en/rules/Azure.RedisEnterprise.Zones.md @@ -138,6 +138,8 @@ resource testrediscache_default 'Microsoft.Cache/redisEnterprise/databases@2021- } ``` + + ## NOTES This rule fails when cache is not zone redundant(1, 2 and 3) when there are availability zones for the given region. @@ -155,4 +157,4 @@ configuration: - [RE:05 Regions and availability zones](https://learn.microsoft.com/azure/well-architected/reliability/regions-availability-zones) - [Enable zone redundancy for Azure Cache for Redis](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy) - [High availability for Azure Cache for Redis](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-high-availability) -- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise?tabs=json) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise) diff --git a/docs/en/rules/Azure.SQL.DBName.md b/docs/en/rules/Azure.SQL.DBName.md index c73e1a93ba..a6dc0dbb24 100644 --- a/docs/en/rules/Azure.SQL.DBName.md +++ b/docs/en/rules/Azure.SQL.DBName.md @@ -1,7 +1,8 @@ --- +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence -category: Repeatable infrastructure +category: OE:04 Continuous integration resource: SQL Database resourceType: Microsoft.Sql/servers/databases online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.DBName/ 
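Review bot: the frontmatter hunk for Azure.SQL.DBName.md changes `category` from `Repeatable infrastructure` to `OE:04 Continuous integration` (Azure.PostgreSQL.ServerName.md receives the same change earlier in this patch), while every new `*.Naming.md` doc in the patch uses `OE:04 Tools and processes` and links the tools-processes page for the same OE:04 recommendation. If the split between the name-validity rules and the naming-convention rules is deliberate, a one-line mention in the changelog would help; otherwise pick one label and link so the rule index groups them consistently. Separately, in the Azure.RedisEnterprise.Zones.md hunk at `@@ -138,6 +138,8 @@` the two added lines after the closing code fence are empty; if they are the residue of a removed include, drop them rather than committing stray whitespace.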
@@ -21,7 +22,7 @@ The requirements for SQL Database names are: - Between 1 and 128 characters long. - Letters, numbers, and special characters except: `<>*%&:\/?` - Can't end with period or a space. -- Azure SQL Database names must be unique for each logical server. +- Must be unique for each logical server. The following reserved database names can not be used: 
@@ -34,11 +35,97 @@ The following reserved database names can not be used: Consider using names that meet Azure SQL Database naming requirements. Additionally consider naming resources with a standard naming convention. +## EXAMPLES + +### Configure with Bicep + +To deploy databases that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(128) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource database 'Microsoft.Sql/servers/databases@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + collation: 'SQL_Latin1_General_CP1_CI_AS' + maxSizeBytes: maxSize + catalogCollation: 'SQL_Latin1_General_CP1_CI_AS' + readScale: 'Disabled' + zoneRedundant: true + } +} +``` + +### Configure with Azure template + +To deploy databases that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 128, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "maxSizeBytes": "[variables('maxSize')]", + "catalogCollation": "SQL_Latin1_General_CP1_CI_AS", + "readScale": "Disabled", + "zoneRedundant": true + } + } + ] +} +``` + ## NOTES This rule does not check if Azure SQL Database names are unique. ## LINKS -- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) -- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftsql) +- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/databases) 
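Review bot: the new EXAMPLES section in Azure.SQL.DBName.md references symbols that are never declared, so neither snippet deploys as shown. The Bicep block uses `parent: server` and `maxSizeBytes: maxSize` with no `server` resource and no `maxSize` parameter; adding a `serverName` parameter plus `resource server 'Microsoft.Sql/servers@2024-05-01-preview' existing = { name: serverName }` and a `maxSize` parameter would make it self-contained. The JSON block has the same gap: `"maxSizeBytes": "[variables('maxSize')]"` with no `variables` section, and `"name": "[format('{0}/{1}', parameters('name'), parameters('name'))]"` reuses the database name as the logical server name, which is not what a reader should copy; the `{0}` segment needs its own `serverName` parameter. Minor: the "Configure with Azure template" subsection lacks the "For example:" lead-in used in the Bicep subsection.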
diff --git a/docs/en/rules/Azure.SQL.DBNaming.md b/docs/en/rules/Azure.SQL.DBNaming.md new file mode 100644 index 0000000000..4295d51cec --- /dev/null +++ b/docs/en/rules/Azure.SQL.DBNaming.md 
@@ -0,0 +1,155 @@ +--- +reviewed: 2025-10-26 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Azure SQL database +resourceType: Microsoft.Sql/servers/databases +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.DBNaming/ +--- + +# Azure SQL database resources must use standard naming + +## SYNOPSIS + +Azure SQL database resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Azure SQL database, the Cloud Adoption Framework (CAF) recommends using the `sqldb-` prefix. + +Requirements for Azure SQL database resource names: + +- Between 1 and 128 characters long. +- Letters, numbers, and special characters except: `<>*%&:\/?` +- Can't end with period or a space. +- Must be unique for each logical server. + +## RECOMMENDATION + +Consider creating Azure SQL database resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy databases that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(128) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource database 'Microsoft.Sql/servers/databases@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + collation: 'SQL_Latin1_General_CP1_CI_AS' + maxSizeBytes: maxSize + catalogCollation: 'SQL_Latin1_General_CP1_CI_AS' + readScale: 'Disabled' + zoneRedundant: true + } +} +``` + +### Configure with Azure template + +To deploy databases that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 128, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "maxSizeBytes": "[variables('maxSize')]", + "catalogCollation": "SQL_Latin1_General_CP1_CI_AS", + "readScale": "Disabled", + "zoneRedundant": true + } + } + ] +} +``` + +## NOTES + +This rule does not check if Azure SQL database resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_SQL_DATABASE_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_SQL_DATABASE_NAME_FORMAT: '^sqldb-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/databases) 
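Review bot: the examples in Azure.SQL.DBNaming.md are the same snippets as in Azure.SQL.DBName.md and carry the same undeclared references: the Bicep block's `parent: server` and `maxSizeBytes: maxSize` have no matching `server` resource or `maxSize` parameter, and the JSON block's `"maxSizeBytes": "[variables('maxSize')]"` has no `variables` section. The template name expression `"[format('{0}/{1}', parameters('name'), parameters('name'))]"` also makes the logical server and the database share one name, so the `sqldb-` convention this rule enforces would be applied to the server as well; declare a separate `serverName` parameter for the `{0}` segment and a `maxSize` parameter, and fix both files together so they do not drift. Minor: add the "For example:" lead-in before the JSON fence to match the Bicep subsection.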
diff --git a/docs/en/rules/Azure.SQL.ElasticPoolNaming.md b/docs/en/rules/Azure.SQL.ElasticPoolNaming.md new file mode 100644 index 0000000000..0b5977d997 --- /dev/null +++ b/docs/en/rules/Azure.SQL.ElasticPoolNaming.md 
@@ -0,0 +1,163 @@ +--- +reviewed: 2025-10-26 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Azure SQL Elastic Pool +resourceType: Microsoft.Sql/servers/elasticPools +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.ElasticPoolNaming/ +--- + +# Azure SQL Elastic Pool resources must use standard naming + +## SYNOPSIS + +Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Azure SQL Elastic Pool, the Cloud Adoption Framework (CAF) recommends using the `sqlep-` prefix. + +Requirements for Azure SQL Elastic Pool resource names: + +- Between 1 and 128 characters long. +- Letters, numbers, and special characters except: `<>*%&:\/?` +- Can't end with period or a space. +- Must be unique for each logical server. + +## RECOMMENDATION + +Consider creating Azure SQL Elastic Pool resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(128) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource pool 'Microsoft.Sql/servers/elasticPools@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + perDatabaseSettings: { + minCapacity: 0 + maxCapacity: 2 + } + maxSizeBytes: 34359738368 + zoneRedundant: true + licenseType: 'BasePrice' + maintenanceConfigurationId: maintenanceConfigurationId + } +} +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 128, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/elasticPools", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "perDatabaseSettings": { + "minCapacity": 0, + "maxCapacity": 2 + }, + "maxSizeBytes": 34359738368, + "zoneRedundant": true, + "licenseType": "BasePrice", + "maintenanceConfigurationId": "[parameters('maintenanceConfigurationId')]" + } + } + ] +} +``` + +## NOTES + +This rule does not check if Azure SQL Elastic Pool resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_SQL_ELASTIC_POOL_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_SQL_ELASTIC_POOL_NAME_FORMAT: '^sqlep-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/elasticpools) 
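Review bot: the examples in Azure.SQL.ElasticPoolNaming.md are not deployable as written. The Bicep block references `parent: server` and `maintenanceConfigurationId: maintenanceConfigurationId` without declaring either (a `serverName` parameter with `resource server 'Microsoft.Sql/servers@2024-05-01-preview' existing = { name: serverName }` and a `maintenanceConfigurationId` string parameter would close the gap), and the JSON block uses `"[parameters('maintenanceConfigurationId')]"` although the `parameters` object only declares `name` and `location`. As in the SQL database docs in this patch, `"name": "[format('{0}/{1}', parameters('name'), parameters('name'))]"` uses the pool name for the logical server segment too; give the server its own parameter so the `sqlep-` prefix is applied only to the pool.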
diff --git a/docs/en/rules/Azure.SQL.JobAgentNaming.md b/docs/en/rules/Azure.SQL.JobAgentNaming.md new file mode 100644 index 0000000000..6126c1278c --- /dev/null +++ b/docs/en/rules/Azure.SQL.JobAgentNaming.md 
@@ -0,0 +1,149 @@ +--- +reviewed: 2025-10-26 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Azure SQL Elastic Job agent +resourceType: Microsoft.Sql/servers/jobAgents +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.JobAgentNaming/ +--- + +# Azure SQL Elastic Job agent resources must use standard naming + +## SYNOPSIS + +Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Azure SQL Elastic Job agent, the Cloud Adoption Framework (CAF) recommends using the `sqlja-` prefix. + +Requirements for Azure SQL Elastic Job agent resource names: + +- Between 1 and 128 characters long. +- Letters, numbers, and special characters except: `<>*%&:\/?` +- Can't end with period or a space. +- Must be unique for each logical server. + +## RECOMMENDATION + +Consider creating Azure SQL Elastic Job agent resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(128) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource agent 'Microsoft.Sql/servers/jobAgents@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + databaseId: database.id + } +} +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 128, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/jobAgents", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "databaseId": "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]" + } + } + ] +} +``` + +## NOTES + +This rule does not check if Azure SQL Elastic Job agent resource names are unique. 
+ + + +### Rule configuration + + + +To configure this rule set the `AZURE_SQL_JOB_AGENT_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_SQL_JOB_AGENT_NAME_FORMAT: '^sqlja-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/jobagents) diff --git a/docs/en/rules/Azure.SQL.MaintenanceWindow.md b/docs/en/rules/Azure.SQL.MaintenanceWindow.md index 70f314a1c5..8bc6b3e702 100644 --- a/docs/en/rules/Azure.SQL.MaintenanceWindow.md +++ b/docs/en/rules/Azure.SQL.MaintenanceWindow.md @@ -2,8 +2,8 @@ severity: Important pillar: Reliability category: RE:04 Target metrics -resource: Azure Database -resourceType: Microsoft.Sql/servers',Microsoft.Sql/servers/databases,Microsoft.Sql/servers/elasticPools +resource: SQL Database +resourceType: Microsoft.Sql/servers,Microsoft.Sql/servers/databases,Microsoft.Sql/servers/elasticPools online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.MaintenanceWindow/ --- 
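Review bot: In docs/en/rules/Azure.SQL.JobAgentNaming.md the Azure template example derives everything from one parameter: the resource name is `format('{0}/{1}', parameters('name'), parameters('name'))` and `databaseId` is `resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))`, so the logical server, the job agent and the job database all share the `sqlja-` name. Introduce `serverName` and `databaseName` parameters so the sample is deployable and the prefix applies only to the agent. The Bicep block likewise references `server` and `database` symbols that the snippet never declares. Minor wording point in the requirements list: `Letters, numbers, and special characters except: ...` would read consistently with the other naming docs as `Can include letters, numbers, and special characters except: ...`.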
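Review bot: The front matter fix in docs/en/rules/Azure.SQL.MaintenanceWindow.md is correct: the stray `'` after `Microsoft.Sql/servers` in `resourceType` broke the comma-separated list of resource types, and `resource: SQL Database` now matches the label used by docs/en/rules/Azure.SQL.ServerName.md later in this patch. Worth a quick grep of the other rule docs' `resourceType:` lines for the same quoting slip while you are here.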
diff --git a/docs/en/rules/Azure.SQL.ServerName.md b/docs/en/rules/Azure.SQL.ServerName.md index 76fb09da85..4a6b48c127 100644 --- a/docs/en/rules/Azure.SQL.ServerName.md +++ b/docs/en/rules/Azure.SQL.ServerName.md @@ -1,7 +1,8 @@ --- +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence -category: Repeatable infrastructure +category: OE:04 Continuous integration resource: SQL Database resourceType: Microsoft.Sql/servers online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.ServerName/ 
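Review bot: `category: OE:04 Continuous integration` in docs/en/rules/Azure.SQL.ServerName.md is inconsistent with the new naming docs added by this patch (Azure.SQL.ServerNaming.md, Azure.SQL.JobAgentNaming.md, Azure.SQLMI.Naming.md and the Service Fabric docs), which all use `category: OE:04 Tools and processes` and link to the tools-processes page. Both ServerName and ServerNaming cover `Microsoft.Sql/servers` naming, so pick one category label and one OE:04 link target for the pair.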
@@ -28,11 +29,114 @@ The requirements for SQL logical server names are: Consider using names that meet Azure SQL logical server naming requirements. Additionally consider naming resources with a standard naming convention. +## EXAMPLES + +### Configure with Bicep + +To deploy servers that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource server 'Microsoft.Sql/servers@2024-05-01-preview' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + publicNetworkAccess: 'Disabled' + minimalTlsVersion: '1.3' + administrators: { + azureADOnlyAuthentication: true + administratorType: 'ActiveDirectory' + login: adminLogin + principalType: 'Group' + sid: adminPrincipalId + tenantId: tenant().tenantId + } + } +} +``` + + + +### Configure with Azure template + +To deploy servers that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2024-05-01-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "publicNetworkAccess": "Disabled", + "minimalTlsVersion": "1.3", + "administrators": { + "azureADOnlyAuthentication": true, + "administratorType": "ActiveDirectory", + "login": "[parameters('adminLogin')]", + "principalType": "Group", + "sid": "[parameters('adminPrincipalId')]", + "tenantId": "[tenant().tenantId]" + } + } + } + ] +} +``` + ## NOTES This rule does not check if Azure SQL logical server names are unique. ## LINKS -- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) -- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftsql) +- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers) 
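Review bot: The Azure template example added in this hunk references `[parameters('adminLogin')]` and `[parameters('adminPrincipalId')]`, neither of which is declared in the `parameters` block, so the template does not validate as shown; declare both (the Bicep block uses `adminLogin` and `adminPrincipalId` undeclared as well). The LINKS change also replaces the anchored `resource-name-rules#microsoftsql` URL with the unanchored page; keeping the `#microsoftsql` anchor sends readers straight to the SQL section. Minor: the Azure template section is missing the `For example:` lead line that the Bicep section has.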
diff --git a/docs/en/rules/Azure.SQL.ServerNaming.md b/docs/en/rules/Azure.SQL.ServerNaming.md new file mode 100644 index 0000000000..71980651b3 --- /dev/null +++ b/docs/en/rules/Azure.SQL.ServerNaming.md 
@@ -0,0 +1,171 @@ +--- +reviewed: 2025-10-26 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Azure SQL Database server +resourceType: Microsoft.Sql/servers +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.ServerNaming/ +--- + +# Azure SQL Database server resources must use standard naming + +## SYNOPSIS + +Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Azure SQL Database server, the Cloud Adoption Framework (CAF) recommends using the `sql-` prefix. + +Requirements for Azure SQL Database server resource names: + +- Between 1 and 63 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Azure SQL Database server resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy servers that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource server 'Microsoft.Sql/servers@2024-05-01-preview' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + publicNetworkAccess: 'Disabled' + minimalTlsVersion: '1.3' + administrators: { + azureADOnlyAuthentication: true + administratorType: 'ActiveDirectory' + login: adminLogin + principalType: 'Group' + sid: adminPrincipalId + tenantId: tenant().tenantId + } + } +} +``` + + + +### Configure with Azure template + +To deploy servers that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 128, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2024-05-01-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "publicNetworkAccess": "Disabled", + "minimalTlsVersion": "1.3", + "administrators": { + "azureADOnlyAuthentication": true, + "administratorType": "ActiveDirectory", + "login": "[parameters('adminLogin')]", + "principalType": "Group", + "sid": "[parameters('adminPrincipalId')]", + "tenantId": "[tenant().tenantId]" + } + } + } + ] +} +``` + +## NOTES + +This rule does not check if Azure SQL Database server resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_SQL_SERVER_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_SQL_SERVER_NAME_FORMAT: '^sql-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers) 
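Review bot: `"maxLength": 128` in the Azure template example of docs/en/rules/Azure.SQL.ServerNaming.md contradicts `@maxLength(63)` in the Bicep example and the stated requirement `Between 1 and 63 characters long`; it should be 63. The requirements list also reads as generic template text (`restrictions vary by resource type`, `unique within their scope`), whereas the Azure naming rules page linked under LINKS limits `Microsoft.Sql/servers` names to lowercase letters, numbers and hyphens, not starting or ending with a hyphen, and requires them to be globally unique; docs/en/rules/Azure.SQLMI.Naming.md in this same patch states the managed-instance equivalent precisely and is a good model. As in Azure.SQL.ServerName.md, `adminLogin` and `adminPrincipalId` are used in both examples but never declared.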
diff --git a/docs/en/rules/Azure.SQLMI.ManagedIdentity.md b/docs/en/rules/Azure.SQLMI.ManagedIdentity.md index 0dc49ddd0e..8ba99bbc70 100644 --- a/docs/en/rules/Azure.SQLMI.ManagedIdentity.md +++ b/docs/en/rules/Azure.SQLMI.ManagedIdentity.md @@ -27,7 +27,7 @@ Consider configure a managed identity to allow support for Azure AD authenticati ## EXAMPLES -### Configure with Azure template +### Configure with Bicep To deploy SQL Managed Instances that pass this rule: @@ -36,21 +36,31 @@ To deploy SQL Managed Instances that pass this rule: For example: -```json -{ - "type": "Microsoft.Sql/managedInstances", - "apiVersion": "2022-05-01-preview", - "name": "[parameters('managedInstanceName')]", - "location": "[parameters('location')]", - "identity": { - "type": "SystemAssigned", - "userAssignedIdentities": {} - }, - "properties": {} +```bicep +resource managedInstance 'Microsoft.Sql/managedInstances@2023-08-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + sku: { + name: 'GP_Gen5' + } + properties: { + administrators: { + administratorType: 'ActiveDirectory' + azureADOnlyAuthentication: true + login: login + sid: sid + principalType: 'Group' + tenantId: tenant().tenantId + } + maintenanceConfigurationId: maintenanceWindow.id + } } ``` - -### Configure with Bicep + +### Configure with Azure template To deploy SQL Managed Instances that pass this rule: 
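Review bot: In the `@@ -36,21 +36,31 @@` hunk of docs/en/rules/Azure.SQLMI.ManagedIdentity.md the replacement Bicep block uses `name`, `location`, `login`, `sid` and `maintenanceWindow` without declaring any of them, so it is less self-contained than the JSON it replaces, which at least parameterised `managedInstanceName` and `location`; add the `param` lines or a short note on the assumed symbols. Dropping the empty `userAssignedIdentities: {}` next to `type: 'SystemAssigned'` is the right call, since the map was meaningless for a system-assigned identity. The unchanged context line `Consider configure a managed identity to allow support for Azure AD authenticati...` has a grammar slip (`Consider configuring`) that is worth fixing while this file is being edited.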
@@ -59,17 +69,29 @@ To deploy SQL Managed Instances that pass this rule: For example: -```bicep -resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = { - name: appName - location: location - name: managedInstanceName - location: location - identity: { - type: 'SystemAssigned' - userAssignedIdentities: {} +```json +{ + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2023-08-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "GP_Gen5" + }, + "properties": { + "administrators": { + "administratorType": "ActiveDirectory", + "azureADOnlyAuthentication": true, + "login": "[parameters('login')]", + "sid": "[parameters('sid')]", + "principalType": "Group", + "tenantId": "[tenant().tenantId]" + }, + "maintenanceConfigurationId": "[subscriptionResourceId('Microsoft.Maintenance/publicMaintenanceConfigurations', 'SQL_WestEurope_MI_1')]" } - properties: {} } ``` diff --git a/docs/en/rules/Azure.SQLMI.Naming.md b/docs/en/rules/Azure.SQLMI.Naming.md new file mode 100644 index 0000000000..ec6273d188 --- /dev/null +++ b/docs/en/rules/Azure.SQLMI.Naming.md 
@@ -0,0 +1,176 @@ +--- +reviewed: 2025-11-16 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: SQL Managed Instance +resourceType: Microsoft.Sql/managedInstances +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQLMI.Naming/ +--- + +# SQL Managed Instance resources must use standard naming + +## SYNOPSIS + +SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For SQL Managed Instance, the Cloud Adoption Framework (CAF) recommends using the `sqlmi-` prefix. + +Requirements for SQL Managed Instance resource names: + +- Between 1 and 63 characters long. +- Lowercase letters, numbers, and hyphens. +- Can't start or end with a hyphen. +- SQL Managed Instance names must be globally unique. + +## RECOMMENDATION + +Consider creating SQL Managed Instance resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource managedInstance 'Microsoft.Sql/managedInstances@2023-08-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + sku: { + name: 'GP_Gen5' + } + properties: { + administrators: { + administratorType: 'ActiveDirectory' + azureADOnlyAuthentication: true + login: login + sid: sid + principalType: 'Group' + tenantId: tenant().tenantId + } + maintenanceConfigurationId: maintenanceWindow.id + } +} +``` + + + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2023-08-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "GP_Gen5" + }, + "properties": { + "administrators": { + "administratorType": "ActiveDirectory", + "azureADOnlyAuthentication": true, + "login": "[parameters('login')]", + "sid": "[parameters('sid')]", + "principalType": "Group", + "tenantId": "[tenant().tenantId]" + }, + "maintenanceConfigurationId": "[subscriptionResourceId('Microsoft.Maintenance/publicMaintenanceConfigurations', 'SQL_WestEurope_MI_1')]" + } + } + ] +} +``` + +## NOTES + +This rule does not check if SQL Managed Instance resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_SQL_MI_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_SQL_MI_NAME_FORMAT: '^sqlmi-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment 
reference](https://learn.microsoft.com/azure/templates/microsoft.sql/managedinstances) diff --git a/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md b/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md new file mode 100644 index 0000000000..783371bd9b --- /dev/null +++ b/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md 
@@ -0,0 +1,196 @@ +--- +reviewed: 2025-11-16 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Service Fabric +resourceType: Microsoft.ServiceFabric/managedClusters +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceFabric.ManagedNaming/ +--- + +# Service Fabric managed cluster resources must use standard naming + +## SYNOPSIS + +Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Service Fabric managed cluster, the Cloud Adoption Framework (CAF) recommends using the `sfmc-` prefix. + +Requirements for Service Fabric managed cluster resource names: + +- Between 4 and 23 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Service Fabric managed cluster resources with a standard name. 
+Additionally consider using Azure Policy to only permit creation using a standard naming convention. + +## EXAMPLES + +### Configure with Bicep + +To deploy managed clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(4) +@maxLength(23) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource managed 'Microsoft.ServiceFabric/managedClusters@2024-04-01' = { + name: name + location: location + sku: { + name: 'Standard' + } + properties: { + azureActiveDirectory: { + clientApplication: clientApplication + clusterApplication: clusterApplication + tenantId: tenantId + } + dnsName: toLower(name) + adminUserName: adminUsername + clientConnectionPort: 19000 + httpGatewayConnectionPort: 19080 + clients: [ + { + isAdmin: true + thumbprint: certificateThumbprint + } + ] + loadBalancingRules: [ + { + frontendPort: 8080 + backendPort: 8080 + protocol: 'tcp' + probeProtocol: 'https' + } + ] + } +} + +``` + +### Configure with Azure template + +To deploy managed clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 4, + "maxLength": 23, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ServiceFabric/managedClusters", + "apiVersion": "2024-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "azureActiveDirectory": { + "clientApplication": "[parameters('clientApplication')]", + "clusterApplication": "[parameters('clusterApplication')]", + "tenantId": "[parameters('tenantId')]" + }, + "dnsName": "[toLower(parameters('name'))]", + "adminUserName": "[parameters('adminUsername')]", + "clientConnectionPort": 19000, + "httpGatewayConnectionPort": 19080, + "clients": [ + { + "isAdmin": true, + "thumbprint": "[parameters('certificateThumbprint')]" + } + ], + "loadBalancingRules": [ + { + "frontendPort": 8080, + "backendPort": 8080, + "protocol": "tcp", + "probeProtocol": "https" + } + ] + } + } + ] +} +``` + +## NOTES + +This rule does not check if Service Fabric managed cluster resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT` configuration value to a regular expression +that matches the required format. 
+ +For example: + +```yaml +configuration: + AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT: '^sfmc-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.servicefabric/managedclusters) diff --git a/docs/en/rules/Azure.ServiceFabric.Naming.md b/docs/en/rules/Azure.ServiceFabric.Naming.md new file mode 100644 index 0000000000..9796688b9e --- /dev/null +++ b/docs/en/rules/Azure.ServiceFabric.Naming.md 
@@ -0,0 +1,209 @@ +--- +reviewed: 2025-11-16 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Service Fabric +resourceType: Microsoft.ServiceFabric/clusters +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceFabric.Naming/ +--- + +# Service Fabric cluster resources must use standard naming + +## SYNOPSIS + +Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Service Fabric cluster, the Cloud Adoption Framework (CAF) recommends using the `sf-` prefix. + +Requirements for Service Fabric cluster resource names: + +- Between 4 and 23 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Service Fabric cluster resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(4) +@maxLength(23) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource cluster 'Microsoft.ServiceFabric/clusters@2023-11-01-preview' = { + name: name + location: location + properties: { + azureActiveDirectory: { + clientApplication: clientApplication + clusterApplication: clusterApplication + tenantId: tenantId + } + certificate: { + thumbprint: certificateThumbprint + x509StoreName: 'My' + } + diagnosticsStorageAccountConfig: { + blobEndpoint: storageAccount.properties.primaryEndpoints.blob + protectedAccountKeyName: 'StorageAccountKey1' + queueEndpoint: storageAccount.properties.primaryEndpoints.queue + storageAccountName: storageAccount.name + tableEndpoint: storageAccount.properties.primaryEndpoints.table + } + fabricSettings: [ + { + parameters: [ + { + name: 'ClusterProtectionLevel' + value: 'EncryptAndSign' + } + ] + name: 'Security' + } + ] + managementEndpoint: endpointUri + nodeTypes: [] + reliabilityLevel: 'Silver' + upgradeMode: 'Automatic' + vmImage: 'Windows' + } +} +``` + + + +### Configure with Azure template + +To deploy clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 4, + "maxLength": 23, + "metadata": { + "description": "The name of the resource." 
+ } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.ServiceFabric/clusters", + "apiVersion": "2023-11-01-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "azureActiveDirectory": { + "clientApplication": "[parameters('clientApplication')]", + "clusterApplication": "[parameters('clusterApplication')]", + "tenantId": "[parameters('tenantId')]" + }, + "certificate": { + "thumbprint": "[parameters('certificateThumbprint')]", + "x509StoreName": "My" + }, + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.queue]", + "storageAccountName": "storage1", + "tableEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "EncryptAndSign" + } + ], + "name": "Security" + } + ], + "managementEndpoint": "[parameters('endpointUri')]", + "nodeTypes": [], + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + } + } + ] +} +``` + +## NOTES + +This rule does not check if Service Fabric cluster resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT` configuration value to a regular expression +that matches the required format. 
+ +For example: + +```yaml +configuration: + AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT: '^sf-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.servicefabric/clusters) diff --git a/docs/en/rules/Azure.VM.Name.md b/docs/en/rules/Azure.VM.Name.md index 543134193f..84655ae86f 100644 --- a/docs/en/rules/Azure.VM.Name.md +++ b/docs/en/rules/Azure.VM.Name.md 
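Review bot: Neither example in the new `Azure.ServiceFabric.Naming.md` deploys as written. The Bicep resource references `clientApplication`, `clusterApplication`, `tenantId`, `certificateThumbprint`, `endpointUri` and a `storageAccount` symbol but declares only `name` and `location`, and the ARM template calls `parameters('clientApplication')`, `parameters('clusterApplication')`, `parameters('tenantId')`, `parameters('certificateThumbprint')` and `parameters('endpointUri')` that are absent from its `parameters` block. Either declare them or cut both snippets down to the properties the rule actually evaluates, which is just `name`. `nodeTypes: []` has the same problem: a cluster needs at least one (primary) node type, so anyone copying the example gets a deployment failure rather than a passing rule. In DESCRIPTION, the requirement "Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type)" reads like a leftover from a multi-resource template; for a single-resource page the parenthetical should go and the character set should be checked against the linked naming rules page for `Microsoft.ServiceFabric/clusters`, which lists lowercase letters, numbers and hyphens only.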
@@ -263,5 +263,8 @@ See `Azure.VM.ComputerName` for details. ## LINKS - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines) diff --git a/docs/en/rules/Azure.VM.Naming.md b/docs/en/rules/Azure.VM.Naming.md index 698295470b..3400ac661c 100644 --- a/docs/en/rules/Azure.VM.Naming.md +++ b/docs/en/rules/Azure.VM.Naming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-04-25 +reviewed: 2025-11-01 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes 
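Review bot: While the LINKS list in `Azure.VM.Name.md` is being extended, the pre-existing first entry labels the pillar item "OE:04 Continuous integration" and points at the release-engineering page, whereas the `category` in this same diff (`Azure.VM.Naming.md`) and the sibling Naming pages use "OE:04 Tools and processes" with the tools-processes URL; worth aligning in the same edit rather than adding the Level 2 link beneath an inconsistent heading link.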
@@ -292,7 +292,10 @@ configuration: ## LINKS - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines) diff --git a/docs/en/rules/index.md b/docs/en/rules/index.md index fd59c161b6..cd90d2aa2f 100644 --- a/docs/en/rules/index.md +++ b/docs/en/rules/index.md 
@@ -324,7 +324,7 @@ AZR-000300 | [Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Det AZR-000301 | [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | GA AZR-000302 | [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA AZR-000303 | [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | GA -AZR-000304 | [Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA +AZR-000304 | [Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | GA AZR-000305 | [Azure.FrontDoorWAF.Enabled](Azure.FrontDoorWAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | GA AZR-000306 | [Azure.FrontDoorWAF.PreventionMode](Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | GA AZR-000307 | [Azure.FrontDoorWAF.Exclusions](Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | GA 
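Review bot: The AZR-000304 synopsis rewrite for `Azure.AppGwWAF.RuleGroups` is unrelated to the naming and availability-zone rules the rest of this change adds. If it is a generated index refresh picking up an edited rule doc, that doc edit should be in the same PR; otherwise drop this row from the change to keep it reviewable.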
@@ -518,5 +518,39 @@ AZR-000495 | [Azure.ACR.ExportPolicy](Azure.ACR.ExportPolicy.md) | Export policy AZR-000496 | [Azure.Redis.LocalAuth](Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | GA AZR-000497 | [Azure.Storage.LocalAuth](Azure.Storage.LocalAuth.md) | Access keys allow depersonalized access to Storage Accounts using a shared secret. | GA AZR-000498 | [Azure.AppConfig.ReplicaLocation](Azure.AppConfig.ReplicaLocation.md) | The replication location determines the country or region where configuration data is stored and processed. | GA +AZR-000499 | [Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | GA +AZR-000500 | [Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | GA +AZR-000501 | [Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | GA +AZR-000502 | [Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | GA +AZR-000503 | [Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | GA +AZR-000504 | [Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | GA +AZR-000505 | [Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000506 | [Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. 
| GA +AZR-000507 | [Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000508 | [Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000509 | [Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000510 | [Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000511 | [Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000512 | [Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000513 | [Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000514 | [Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000515 | [Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000516 | [Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. 
| GA +AZR-000517 | [Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000518 | [Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000519 | [Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000521 | [Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000522 | [Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000523 | [Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000524 | [Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000525 | [Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000526 | [Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000527 | [Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. 
| GA +AZR-000528 | [Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000529 | [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000530 | [Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000531 | [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000532 | [Azure.EventHub.AvailabilityZone](Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | GA +AZR-000533 | [Azure.Redis.MigrateAMR](Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | GA *[GA]: Generally Available — Rules related to a generally available Azure features. diff --git a/docs/en/rules/module.md b/docs/en/rules/module.md index be476d1961..45ade7b8fa 100644 --- a/docs/en/rules/module.md +++ b/docs/en/rules/module.md 
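Review bot: The new rows jump from AZR-000519 to AZR-000521, so AZR-000520 has no entry in the index. Either a rule doc is missing its row or the identifier was skipped; a skipped identifier should be called out explicitly so it is not reused later.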
@@ -113,17 +113,22 @@ Name | Synopsis | Severity | Level [Azure.AppGw.Name](Azure.AppGw.Name.md) | Application Gateways should meet naming requirements. | Awareness | Error [Azure.AppInsights.Name](Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness | Error [Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error +[Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error [Azure.Group.Name](Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness | Error [Azure.KeyVault.KeyName](Azure.KeyVault.KeyName.md) | Key Vault Key names should meet naming requirements. | Awareness | Error [Azure.KeyVault.SecretName](Azure.KeyVault.SecretName.md) | Key Vault Secret names should meet naming requirements. | Awareness | Error [Azure.LB.Name](Azure.LB.Name.md) | Load Balancer names should meet naming requirements. | Awareness | Error [Azure.Log.Name](Azure.Log.Name.md) | Azure Resource Manager (ARM) has requirements for Azure Monitor Log workspace names. | Awareness | Error [Azure.MariaDB.DatabaseName](Azure.MariaDB.DatabaseName.md) | Azure Database for MariaDB databases should meet naming requirements. | Awareness | Error +[Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error [Azure.NIC.Name](Azure.NIC.Name.md) | Network Interface (NIC) names should meet naming requirements. | Awareness | Error [Azure.NSG.Name](Azure.NSG.Name.md) | Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names. | Awareness | Error +[Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. 
| Awareness | Error [Azure.PublicIP.Name](Azure.PublicIP.Name.md) | Azure Resource Manager (ARM) has requirements for Public IP address names. | Awareness | Error [Azure.Route.Name](Azure.Route.Name.md) | Azure Resource Manager (ARM) has requirements for Route table names. | Awareness | Error [Azure.Search.Name](Azure.Search.Name.md) | Azure Resource Manager (ARM) has requirements for AI Search service names. | Awareness | Error +[Azure.SQL.DBName](Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness | Error +[Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error [Azure.Storage.Name](Azure.Storage.Name.md) | Azure Resource Manager (ARM) has requirements for Storage Account names. | Awareness | Error [Azure.VM.ComputerName](Azure.VM.ComputerName.md) | Virtual Machine (VM) computer name should meet naming requirements. | Awareness | Error [Azure.VM.Name](Azure.VM.Name.md) | Virtual Machine (VM) names should meet naming requirements. | Awareness | Error 
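Review bot: `Azure.Cosmos.AccountName`, `Azure.MySQL.ServerName`, `Azure.PostgreSQL.ServerName`, `Azure.SQL.DBName` and `Azure.SQL.ServerName` are added to this table and removed from the tables at `@@ -219,7 +251,6 @@` and `@@ -230,18 +261,14 @@` further down, so they move to a different section of `module.md` with synopsis, severity and level unchanged. Nothing visible in these hunks touches those five rule definitions; if the move reflects metadata changed elsewhere, that change belongs in this PR, otherwise it looks unintended.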
@@ -137,11 +142,26 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- +[Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.AI.FoundryNaming](Azure.AI.FoundryNaming.md) | Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.APIM.APIDescriptors](Azure.APIM.APIDescriptors.md) | APIs should have a display name and description. | Awareness | Warning [Azure.APIM.ProductDescriptors](Azure.APIM.ProductDescriptors.md) | API Management products should have a display name and description. | Awareness | Warning [Azure.AppInsights.Naming](Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.ContainerApp.APIVersion](Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important | Error +[Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error +[Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.EventGrid.DomainNaming](Azure.EventGrid.DomainNaming.md) | Event Grid domains without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error [Azure.EventGrid.SystemTopicNaming](Azure.EventGrid.SystemTopicNaming.md) | Event Grid system topics without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.EventGrid.TopicNaming](Azure.EventGrid.TopicNaming.md) | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness | Error 
@@ -149,14 +169,25 @@ Name | Synopsis | Severity | Level [Azure.Group.RequiredTags](Azure.Group.RequiredTags.md) | Resource groups without a standard tagging convention may be difficult to identify and manage. | Awareness | Error [Azure.LB.Naming](Azure.LB.Naming.md) | Load balancer names should use a standard prefix. | Awareness | Error [Azure.Log.Naming](Azure.Log.Naming.md) | Azure Monitor Log workspaces without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.NSG.Naming](Azure.NSG.Naming.md) | Network security group (NSG) without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Policy.AssignmentDescriptors](Azure.Policy.AssignmentDescriptors.md) | Policy assignments should use a display name and description. | Awareness | Error [Azure.Policy.Descriptors](Azure.Policy.Descriptors.md) | Policy and initiative definitions should use a display name, description, and category. | Awareness | Error [Azure.Policy.ExemptionDescriptors](Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | Error +[Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.PublicIP.Naming](Azure.PublicIP.Naming.md) | Public IP addresses without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error +[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Resource.RequiredTags](Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | Error [Azure.Route.Naming](Azure.Route.Naming.md) | Route tables without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Search.Naming](Azure.Search.Naming.md) | Azure AI Search services without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error +[Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Storage.Naming](Azure.Storage.Naming.md) | Storage Accounts without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Subscription.RequiredTags](Azure.Subscription.RequiredTags.md) | Subscriptions without a standard tagging convention may be difficult to identify and manage. | Awareness | Error [Azure.VM.Naming](Azure.VM.Naming.md) | Virtual machines without a standard naming convention may be difficult to identify and manage. | Awareness | Error @@ -170,6 +201,7 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- +[Azure.Redis.MigrateAMR](Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important | Error [Azure.Template.ResourceLocation](Azure.Template.ResourceLocation.md) | Resource locations should be an expression or global. | Awareness | Error [Azure.Template.TemplateFile](Azure.Template.TemplateFile.md) | Use ARM template files that are valid. | Important | Error [Azure.Template.ValidSecretRef](Azure.Template.ValidSecretRef.md) | Use a valid secret reference within parameter files. | Awareness | Error 
@@ -219,7 +251,6 @@ Name | Synopsis | Severity | Level [Azure.ASG.Name](Azure.ASG.Name.md) | Application Security Group (ASG) names should meet naming requirements. | Awareness | Error [Azure.Bastion.Name](Azure.Bastion.Name.md) | Bastion hosts should meet naming requirements. | Awareness | Error [Azure.CDN.EndpointName](Azure.CDN.EndpointName.md) | Azure CDN Endpoint names should meet naming requirements. | Awareness | Error -[Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error [Azure.Deployment.Name](Azure.Deployment.Name.md) | Nested deployments should meet naming requirements of deployments. | Awareness | Error [Azure.Firewall.Name](Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness | Error [Azure.Firewall.PolicyName](Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness | Error 
@@ -230,18 +261,14 @@ Name | Synopsis | Severity | Level [Azure.MariaDB.FirewallRuleName](Azure.MariaDB.FirewallRuleName.md) | Azure Database for MariaDB firewall rules should meet naming requirements. | Awareness | Error [Azure.MariaDB.ServerName](Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness | Error [Azure.MariaDB.VNETRuleName](Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness | Error -[Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error [Azure.NSG.AKSRules](Azure.NSG.AKSRules.md) | AKS Network Security Group (NSG) should not have custom rules. | Awareness | Error [Azure.Policy.AssignmentAssignedBy](Azure.Policy.AssignmentAssignedBy.md) | Policy assignments should use assignedBy metadata. | Awareness | Error -[Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error [Azure.PrivateEndpoint.Name](Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness | Error [Azure.PublicIP.DNSLabel](Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness | Error [Azure.PublicIP.MigrateStandard](Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | Important | Error [Azure.RSV.Name](Azure.RSV.Name.md) | Recovery Services vaults should meet naming requirements. | Awareness | Error [Azure.SignalR.Name](Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness | Error -[Azure.SQL.DBName](Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. 
| Awareness | Error [Azure.SQL.FGName](Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness | Error -[Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error [Azure.SQLMI.Name](Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | Error [Azure.Template.ExpressionLength](Azure.Template.ExpressionLength.md) | Template expressions should not exceed the maximum length. | Awareness | Error [Azure.Template.ParameterFile](Azure.Template.ParameterFile.md) | Use ARM template parameter files that are valid. | Important | Error 
@@ -431,7 +458,11 @@ Name | Synopsis | Severity | Level [Azure.AppConfig.GeoReplica](Azure.AppConfig.GeoReplica.md) | Replicate app configuration store across all points of presence for an application. | Important | Error [Azure.ContainerApp.MinReplicas](Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | Error [Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error +[Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error +[Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error +[Azure.EventHub.AvailabilityZone](Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important | Error [Azure.LB.Probe](Azure.LB.Probe.md) | Use a specific probe for web protocols. | Important | Error +[Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | Error [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning [Azure.ServiceBus.GeoReplica](Azure.ServiceBus.GeoReplica.md) | Enhance resilience to regional outages by replicating namespaces. | Important | Error [Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Important | Error 
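Review bot: the four new rows (`Azure.Cosmos.AvailabilityZone`, `Azure.Cosmos.MongoAvailabilityZone`, `Azure.EventHub.AvailabilityZone`, `Azure.MICassandra.AvailabilityZone`) land in the table that holds `Azure.ContainerApp.MinReplicas`, `Azure.LB.Probe` and `Azure.ServiceBus.GeoReplica`, while `Azure.Grafana.AvailabilityZone` in the next hunk is placed with the other zone-redundancy rules (`Azure.ASE.AvailabilityZone`, `Azure.Firewall.AvailabilityZone`, `Azure.LB.AvailabilityZone`, `Azure.MySQL.ZoneRedundantHA`). These index sections appear to follow each rule's `category` front matter, so the four rules most likely carry a different category from the rest of the `*.AvailabilityZone` family; align the metadata so all zone-redundancy checks are listed in one table, otherwise a reader reviewing zone coverage from this page will miss half of them.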
@@ -453,6 +484,7 @@ Name | Synopsis | Severity | Level [Azure.ASE.AvailabilityZone](Azure.ASE.AvailabilityZone.md) | Deploy app service environments using availability zones in supported regions to ensure high availability and resilience. | Important | Error [Azure.ContainerApp.AvailabilityZone](Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important | Error [Azure.Firewall.AvailabilityZone](Azure.Firewall.AvailabilityZone.md) | Deploy firewall instances using availability zones in supported regions to ensure high availability and resilience. | Important | Error +[Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | Error [Azure.LB.AvailabilityZone](Azure.LB.AvailabilityZone.md) | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important | Error [Azure.Log.Replication](Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | Error [Azure.MySQL.ZoneRedundantHA](Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error 
@@ -600,7 +632,6 @@ Name | Synopsis | Severity | Level [Azure.AppGwWAF.Enabled](Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | Error [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error -[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error [Azure.MariaDB.AllowAzureAccess](Azure.MariaDB.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important | Error ### Network segmentation 
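Review bot: removing `Azure.AppGwWAF.RuleGroups` from this table separates it from its sibling rules `Azure.AppGwWAF.Enabled`, `Azure.AppGwWAF.Exclusions` and `Azure.AppGwWAF.PreventionMode`, which stay here, while the rule reappears in the network table later in this diff next to `Azure.AppGw.UseWAF`. All four AppGwWAF rules evaluate the same WAF policy resource, so a reader auditing WAF coverage now has to look in two sections. If the category change is intentional, record it in the changelog together with the synopsis rewrite; otherwise keep the rule with its siblings.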
@@ -668,8 +699,9 @@ Name | Synopsis | Severity | Level [Azure.AppInsights.LocalAuth](Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical | Error [Azure.AppService.ManagedIdentity](Azure.AppService.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important | Error [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error -[Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error +[Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error +[Azure.Cosmos.NoSQLLocalAuth](Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical | Error [Azure.EventGrid.DisableLocalAuth](Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important | Error [Azure.EventGrid.ManagedIdentity](Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important | Error [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error 
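Review bot: `Azure.Cosmos.DisableLocalAuth` is dropped and `Azure.Cosmos.NoSQLLocalAuth` is added with near-identical synopsis wording and, per the `docs/es/rules/index.md` hunk, the same identifier AZR-000420, so this is a rename rather than a new rule. A rename breaks every existing suppression, `Rule.Exclude` or baseline entry that references `Azure.Cosmos.DisableLocalAuth` by name: suppressions keyed on the old name stop applying (new noise) and baselines that include rules by name stop evaluating the check (a Critical finding silently disappears). Nothing in this diff shows an alias for the old name or an upgrade note. Please keep `Azure.Cosmos.DisableLocalAuth` as an alias on the renamed rule, or at minimum document the rename under the upgrade notes.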
@@ -695,12 +727,14 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ACR.Firewall](Azure.ACR.Firewall.md) | Container Registry without restrictions can be accessed from any network location including the Internet. | Important | Error +[Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | Error [Azure.AI.PrivateEndpoints](Azure.AI.PrivateEndpoints.md) | Use Private Endpoints to access Azure AI services accounts. | Important | Error [Azure.AI.PublicAccess](Azure.AI.PublicAccess.md) | Restrict access of Azure AI services to authorized virtual networks. | Important | Error [Azure.AKS.AuthorizedIPs](Azure.AKS.AuthorizedIPs.md) | Restrict access to API server endpoints to authorized IP addresses. | Important | Error [Azure.AKS.HttpAppRouting](Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important | Error [Azure.AppGw.UseWAF](Azure.AppGw.UseWAF.md) | Internet accessible Application Gateways should use protect endpoints with WAF. | Critical | Error [Azure.AppGw.WAFEnabled](Azure.AppGw.WAFEnabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error +[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | Error [Azure.ContainerApp.ExternalIngress](Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important | Error [Azure.ContainerApp.PublicAccess](Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. 
| Important | Error [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error diff --git a/docs/en/rules/resource.md b/docs/en/rules/resource.md index ec6dc6053b..f96db08ebc 100644 --- a/docs/en/rules/resource.md +++ b/docs/en/rules/resource.md @@ -147,7 +147,7 @@ Name | Synopsis | Severity | Level [Azure.AppGwWAF.Enabled](Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | Error [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error -[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error +[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | Error ## Application Insights 
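Review bot: the new synopsis for `Azure.AppGwWAF.RuleGroups` ("... to provide comprehensive protection against web application threats and malicious bot traffic.") is roughly three times longer than any other row in this table and mixes the check with its justification; every other synopsis here states only the condition (for example `Azure.AppGw.WAFEnabled`, `Azure.ADX.PublicAccess`). Trim it to the condition, e.g. "Application Gateway WAF policies should include both the Microsoft Default Rule Set and the Bot Manager Rule Set.", and keep the motivation in the rule's DESCRIPTION. The same string is repeated in the `docs/en/rules/resource.md` and `docs/es/rules/index.md` hunks, so update it in all three places (or better, only in the rule's front matter and regenerate).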
@@ -191,8 +191,10 @@ Name | Synopsis | Severity | Level [Azure.Redis.FirewallRuleCount](Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness | Error [Azure.Redis.LocalAuth](Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | Important | Error [Azure.Redis.MaxMemoryReserved](Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error +[Azure.Redis.MigrateAMR](Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important | Error [Azure.Redis.MinSKU](Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error [Azure.Redis.MinTLS](Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error +[Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Redis.NonSslPort](Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical | Error [Azure.Redis.PublicNetworkAccess](Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical | Error [Azure.Redis.Version](Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important | Error 
@@ -202,14 +204,9 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error +[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.RedisEnterprise.Zones](Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important | Error -## Azure Database - -Name | Synopsis | Severity | Level ----- | -------- | -------- | ----- -[Azure.SQL.MaintenanceWindow](Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important | Error - ## Azure Database for MariaDB Name | Synopsis | Severity | Level 
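Review bot: the Redis Enterprise table gains only `Azure.RedisEnterprise.Naming`; the Enterprise / Enterprise Flash retirement rule `Azure.RedisEnterprise.MigrateAMR` that this changeset introduces is not listed here, while its counterpart `Azure.Redis.MigrateAMR` does appear in the Azure Cache for Redis table in the preceding hunk. If resource.md is generated, rerun the generator after the new rule file is in place; if it is maintained by hand, add the row with the same severity and level as `Azure.Redis.MigrateAMR` (`Important | Error`). Removing the `## Azure Database` section is fine on its own, since `Azure.SQL.MaintenanceWindow` is re-added under the SQL table later in this diff.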
@@ -240,6 +237,7 @@ Name | Synopsis | Severity | Level [Azure.MySQL.MaintenanceWindow](Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important | Error [Azure.MySQL.MinTLS](Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical | Error [Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error +[Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning [Azure.MySQL.UseSSL](Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical | Error [Azure.MySQL.ZoneRedundantHA](Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error 
@@ -258,6 +256,7 @@ Name | Synopsis | Severity | Level [Azure.PostgreSQL.MaintenanceWindow](Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important | Error [Azure.PostgreSQL.MinTLS](Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical | Error [Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error +[Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.PostgreSQL.UseSSL](Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical | Error [Azure.PostgreSQL.ZoneRedundantHA](Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error 
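Review bot: `Azure.PostgreSQL.ServerName` ("should meet naming requirements") and the new `Azure.PostgreSQL.ServerNaming` ("without a standard naming convention may be difficult to identify and manage") read as duplicates to anyone scanning this table; the same pairing is introduced for MySQL in the previous hunk and for AKS, ACR and SQL Managed Instance later in the diff. If the `*.Naming` rules check an organisation-defined convention rather than the platform's name constraints, the synopsis should say so (and whether the convention is configurable), so the two rows are distinguishable without opening both rule pages.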
@@ -292,6 +291,7 @@ Name | Synopsis | Severity | Level [Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important | Error [Azure.AKS.MinUserPoolNodes](Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important | Error [Azure.AKS.Name](Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | Error +[Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.AKS.NetworkPolicy](Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important | Error [Azure.AKS.NodeAutoUpgrade](Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important | Error [Azure.AKS.NodeMinPods](Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important | Error 
@@ -301,8 +301,10 @@ Name | Synopsis | Severity | Level [Azure.AKS.SecretStore](Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important | Error [Azure.AKS.SecretStoreRotation](Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important | Error [Azure.AKS.StandardLB](Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important | Error +[Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important | Error [Azure.AKS.UseRBAC](Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important | Error +[Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.AKS.Version](Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important | Error ## Azure Managed Grafana 
@@ -327,6 +329,30 @@ Name | Synopsis | Severity | Level [Azure.Log.ReplicaLocation](Azure.Log.ReplicaLocation.md) | The replication location determines the country or region where the data is stored and processed. | Important | Error [Azure.Log.Replication](Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | Error +## Azure SQL database + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Azure SQL Database server + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Azure SQL Elastic Job agent + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Azure SQL Elastic Pool + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + ## Azure Virtual Desktop Name | Synopsis | Severity | Level 
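Review bot: this hunk creates four single-row sections (`## Azure SQL database`, `## Azure SQL Database server`, `## Azure SQL Elastic Job agent`, `## Azure SQL Elastic Pool`) for the SQL naming rules, while the existing SQL table further down in this diff keeps the other `Azure.SQL.*` rules (`Azure.SQL.FGName`, `Azure.SQL.MinTLS`, `Azure.SQL.ServerName`, `Azure.SQL.TDE`, and now `Azure.SQL.MaintenanceWindow`), so SQL guidance is spread over five places. resource.md appears to group rows by each rule's `resource:` front matter, and the inconsistent casing (`Azure SQL database` vs `Azure SQL Database server`) suggests these values were typed independently per rule. Set `resource:` on `Azure.SQL.DBNaming` and `Azure.SQL.ServerNaming` to the same value the existing SQL rules use so they merge into that table, and pick one casing for the Elastic Pool and Job agent headings.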
@@ -357,10 +383,29 @@ Name | Synopsis | Severity | Level [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error [Azure.ContainerApp.MinReplicas](Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | Error [Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error +[Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.ContainerApp.PublicAccess](Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important | Error [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error [Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error +## Container App Environment + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Container App Job + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error + +## Container Instance + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + ## Container Registry Name | Synopsis | Severity | Level @@ -375,6 +420,7 @@ Name | Synopsis | Severity | Level [Azure.ACR.ImageHealth](Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical | Error [Azure.ACR.MinSku](Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important | Error [Azure.ACR.Name](Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness | Error +[Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.ACR.Quarantine](Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important | Error [Azure.ACR.ReplicaLocation](Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important | Error [Azure.ACR.Retention](Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important | Error 
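Review bot: `Azure.ContainerApp.EnvNaming` gets its own `## Container App Environment` table although environment-level checks such as `Azure.ContainerApp.PublicAccess` ("public network access for Container Apps environment") already sit in the Container App table above it, so the split follows the rule's `resource:` string rather than where the existing environment rules live; either move the environment rows together or keep the naming rule in the Container App table. `## Container Instance` with `Azure.ACI.Naming` is a genuinely new resource family and is fine as a new section; `Azure.ACR.Naming` next to `Azure.ACR.Name` has the same duplicate-looking synopsis issue raised for the database naming rules.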
@@ -394,20 +440,66 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error +[Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error [Azure.Cosmos.ContinuousBackup](Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important | Error [Azure.Cosmos.DefenderCloud](Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error -[Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error [Azure.Cosmos.MinTLS](Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | Error +[Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error +[Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error +[Azure.Cosmos.NoSQLLocalAuth](Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical | Error [Azure.Cosmos.PublicAccess](Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical | Error [Azure.Cosmos.SLA](Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). 
| Important | Error +## Cosmos DB database + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for Apache Cassandra account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for Apache Gremlin account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for MongoDB account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for NoSQL account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for Table account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error + +## Cosmos DB PostgreSQL cluster + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + ## Data Explorer Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ADX.DiskEncryption](Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important | Error [Azure.ADX.ManagedIdentity](Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important | Error +[Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | Error [Azure.ADX.SLA](Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important | Error [Azure.ADX.Usage](Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error @@ -487,6 +579,7 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- +[Azure.EventHub.AvailabilityZone](Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important | Error [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error [Azure.EventHub.Firewall](Azure.EventHub.Firewall.md) | Access to the namespace endpoints should be restricted to only allowed sources. | Critical | Error [Azure.EventHub.MinTLS](Azure.EventHub.MinTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical | Error 
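Review bot: the `Mongo` prefix is now used for two different resource types: `Azure.Cosmos.MongoNaming` targets a "Cosmos DB for MongoDB account" and gets its own section, while `Azure.Cosmos.MongoAvailabilityZone` and `Azure.Cosmos.MongoEntraID` target "vCore clusters" and are listed in the Cosmos DB account table together with `Azure.Cosmos.AccountName` and `Azure.Cosmos.NoSQLLocalAuth`. Readers (and anyone writing `Rule.Include` patterns) cannot tell from the name which one applies to vCore. Consider a distinct prefix for the vCore cluster rules and a matching section for them, and keep the five per-API account naming rules (`CassandraNaming`, `GremlinNaming`, `MongoNaming`, `NoSQLNaming`, `TableNaming`) adjacent to `Azure.Cosmos.AccountName` rather than in five one-row sections. The `Azure.ADX.PublicAccess` and `Azure.EventHub.AvailabilityZone` additions in the following hunks look correct.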
@@ -572,6 +665,18 @@ Name | Synopsis | Severity | Level [Azure.ML.PublicAccess](Azure.ML.PublicAccess.md) | Disable public network access from a Azure Machine Learning workspace. | Critical | Error [Azure.ML.UserManagedIdentity](Azure.ML.UserManagedIdentity.md) | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important | Error +## Managed Grafana + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | Error + +## Managed Instance for Apache Cassandra + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | Error + ## Microsoft Defender for Cloud Name | Synopsis | Severity | Level @@ -688,6 +793,8 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ServiceFabric.AAD](Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical | Error +[Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.ServiceFabric.ProtectionLevel](Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important | Error ## SignalR Service 
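Review bot: `## Managed Grafana` duplicates the existing `## Azure Managed Grafana` heading that is visible as trailing context of the AKS hunk above, so `Azure.Grafana.AvailabilityZone` ends up in a second Grafana table far from the existing Grafana rules. Set the rule's `resource:` front matter to `Azure Managed Grafana` so the generated page merges it into the existing table, then regenerate. Apply the same check to `## Managed Instance for Apache Cassandra` to be sure no existing `Azure.MICassandra.*` table uses a different heading. The Service Fabric hunk (`ManagedNaming` and `Naming` rows) is fine.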
@@ -711,6 +818,7 @@ Name | Synopsis | Severity | Level [Azure.SQL.FGName](Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness | Error [Azure.SQL.FirewallIPRange](Azure.SQL.FirewallIPRange.md) | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important | Error [Azure.SQL.FirewallRuleCount](Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness | Error +[Azure.SQL.MaintenanceWindow](Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important | Error [Azure.SQL.MinTLS](Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical | Error [Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error [Azure.SQL.TDE](Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical | Error @@ -725,6 +833,7 @@ Name | Synopsis | Severity | Level [Azure.SQLMI.MaintenanceWindow](Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important | Error [Azure.SQLMI.ManagedIdentity](Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important | Error [Azure.SQLMI.Name](Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | Error +[Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error ## Storage Account diff --git a/docs/es/rules/index.md b/docs/es/rules/index.md index 78137a7fdb..cd90d2aa2f 100644 --- a/docs/es/rules/index.md +++ b/docs/es/rules/index.md 
@@ -324,7 +324,7 @@ AZR-000300 | [Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Det AZR-000301 | [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | GA AZR-000302 | [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA AZR-000303 | [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | GA -AZR-000304 | [Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA +AZR-000304 | [Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | GA AZR-000305 | [Azure.FrontDoorWAF.Enabled](Azure.FrontDoorWAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | GA AZR-000306 | [Azure.FrontDoorWAF.PreventionMode](Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | GA AZR-000307 | [Azure.FrontDoorWAF.Exclusions](Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | GA 
@@ -440,7 +440,7 @@ AZR-000416 | [Azure.EntraDS.NTLM](Azure.EntraDS.NTLM.md) | Disable NTLM v1 for M AZR-000417 | [Azure.EntraDS.TLS](Azure.EntraDS.TLS.md) | Disable TLS v1 for Microsoft Entra Domain Services. | GA AZR-000418 | [Azure.EntraDS.RC4](Azure.EntraDS.RC4.md) | Disable RC4 encryption for Microsoft Entra Domain Services. | GA AZR-000419 | [Azure.Cosmos.SLA](Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | GA -AZR-000420 | [Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | GA +AZR-000420 | [Azure.Cosmos.NoSQLLocalAuth](Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | GA AZR-000421 | [Azure.Cosmos.PublicAccess](Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | GA AZR-000422 | [Azure.EventHub.Firewall](Azure.EventHub.Firewall.md) | Access to the namespace endpoints should be restricted to only allowed sources. | GA AZR-000423 | [Azure.AppGw.MigrateWAFPolicy](Azure.AppGw.MigrateWAFPolicy.md) | Migrate to Application Gateway WAF policy. | GA 
@@ -518,5 +518,39 @@ AZR-000495 | [Azure.ACR.ExportPolicy](Azure.ACR.ExportPolicy.md) | Export policy AZR-000496 | [Azure.Redis.LocalAuth](Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | GA AZR-000497 | [Azure.Storage.LocalAuth](Azure.Storage.LocalAuth.md) | Access keys allow depersonalized access to Storage Accounts using a shared secret. | GA AZR-000498 | [Azure.AppConfig.ReplicaLocation](Azure.AppConfig.ReplicaLocation.md) | The replication location determines the country or region where configuration data is stored and processed. | GA +AZR-000499 | [Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | GA +AZR-000500 | [Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | GA +AZR-000501 | [Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | GA +AZR-000502 | [Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | GA +AZR-000503 | [Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | GA +AZR-000504 | [Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | GA +AZR-000505 | [Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000506 | [Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. 
| GA +AZR-000507 | [Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000508 | [Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000509 | [Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000510 | [Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000511 | [Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000512 | [Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000513 | [Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000514 | [Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000515 | [Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000516 | [Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. 
| GA +AZR-000517 | [Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000518 | [Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000519 | [Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000521 | [Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000522 | [Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000523 | [Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000524 | [Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000525 | [Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000526 | [Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000527 | [Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. 
| GA +AZR-000528 | [Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000529 | [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000530 | [Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000531 | [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | GA +AZR-000532 | [Azure.EventHub.AvailabilityZone](Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | GA +AZR-000533 | [Azure.Redis.MigrateAMR](Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | GA *[GA]: Generally Available — Rules related to a generally available Azure features. diff --git a/docs/es/rules/module.md b/docs/es/rules/module.md index be476d1961..45ade7b8fa 100644 --- a/docs/es/rules/module.md +++ b/docs/es/rules/module.md 
@@ -113,17 +113,22 @@ Name | Synopsis | Severity | Level [Azure.AppGw.Name](Azure.AppGw.Name.md) | Application Gateways should meet naming requirements. | Awareness | Error [Azure.AppInsights.Name](Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness | Error [Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error +[Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error [Azure.Group.Name](Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness | Error [Azure.KeyVault.KeyName](Azure.KeyVault.KeyName.md) | Key Vault Key names should meet naming requirements. | Awareness | Error [Azure.KeyVault.SecretName](Azure.KeyVault.SecretName.md) | Key Vault Secret names should meet naming requirements. | Awareness | Error [Azure.LB.Name](Azure.LB.Name.md) | Load Balancer names should meet naming requirements. | Awareness | Error [Azure.Log.Name](Azure.Log.Name.md) | Azure Resource Manager (ARM) has requirements for Azure Monitor Log workspace names. | Awareness | Error [Azure.MariaDB.DatabaseName](Azure.MariaDB.DatabaseName.md) | Azure Database for MariaDB databases should meet naming requirements. | Awareness | Error +[Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error [Azure.NIC.Name](Azure.NIC.Name.md) | Network Interface (NIC) names should meet naming requirements. | Awareness | Error [Azure.NSG.Name](Azure.NSG.Name.md) | Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names. | Awareness | Error +[Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. 
| Awareness | Error [Azure.PublicIP.Name](Azure.PublicIP.Name.md) | Azure Resource Manager (ARM) has requirements for Public IP address names. | Awareness | Error [Azure.Route.Name](Azure.Route.Name.md) | Azure Resource Manager (ARM) has requirements for Route table names. | Awareness | Error [Azure.Search.Name](Azure.Search.Name.md) | Azure Resource Manager (ARM) has requirements for AI Search service names. | Awareness | Error +[Azure.SQL.DBName](Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness | Error +[Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error [Azure.Storage.Name](Azure.Storage.Name.md) | Azure Resource Manager (ARM) has requirements for Storage Account names. | Awareness | Error [Azure.VM.ComputerName](Azure.VM.ComputerName.md) | Virtual Machine (VM) computer name should meet naming requirements. | Awareness | Error [Azure.VM.Name](Azure.VM.Name.md) | Virtual Machine (VM) names should meet naming requirements. | Awareness | Error 
@@ -137,11 +142,26 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- +[Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.AI.FoundryNaming](Azure.AI.FoundryNaming.md) | Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.APIM.APIDescriptors](Azure.APIM.APIDescriptors.md) | APIs should have a display name and description. | Awareness | Warning [Azure.APIM.ProductDescriptors](Azure.APIM.ProductDescriptors.md) | API Management products should have a display name and description. | Awareness | Warning [Azure.AppInsights.Naming](Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.ContainerApp.APIVersion](Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important | Error +[Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error +[Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.EventGrid.DomainNaming](Azure.EventGrid.DomainNaming.md) | Event Grid domains without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error [Azure.EventGrid.SystemTopicNaming](Azure.EventGrid.SystemTopicNaming.md) | Event Grid system topics without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.EventGrid.TopicNaming](Azure.EventGrid.TopicNaming.md) | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness | Error 
@@ -149,14 +169,25 @@ Name | Synopsis | Severity | Level [Azure.Group.RequiredTags](Azure.Group.RequiredTags.md) | Resource groups without a standard tagging convention may be difficult to identify and manage. | Awareness | Error [Azure.LB.Naming](Azure.LB.Naming.md) | Load balancer names should use a standard prefix. | Awareness | Error [Azure.Log.Naming](Azure.Log.Naming.md) | Azure Monitor Log workspaces without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.NSG.Naming](Azure.NSG.Naming.md) | Network security group (NSG) without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Policy.AssignmentDescriptors](Azure.Policy.AssignmentDescriptors.md) | Policy assignments should use a display name and description. | Awareness | Error [Azure.Policy.Descriptors](Azure.Policy.Descriptors.md) | Policy and initiative definitions should use a display name, description, and category. | Awareness | Error [Azure.Policy.ExemptionDescriptors](Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | Error +[Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.PublicIP.Naming](Azure.PublicIP.Naming.md) | Public IP addresses without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error +[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Resource.RequiredTags](Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | Error [Azure.Route.Naming](Azure.Route.Naming.md) | Route tables without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Search.Naming](Azure.Search.Naming.md) | Azure AI Search services without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error +[Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Storage.Naming](Azure.Storage.Naming.md) | Storage Accounts without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Subscription.RequiredTags](Azure.Subscription.RequiredTags.md) | Subscriptions without a standard tagging convention may be difficult to identify and manage. | Awareness | Error [Azure.VM.Naming](Azure.VM.Naming.md) | Virtual machines without a standard naming convention may be difficult to identify and manage. | Awareness | Error @@ -170,6 +201,7 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- +[Azure.Redis.MigrateAMR](Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important | Error [Azure.Template.ResourceLocation](Azure.Template.ResourceLocation.md) | Resource locations should be an expression or global. | Awareness | Error [Azure.Template.TemplateFile](Azure.Template.TemplateFile.md) | Use ARM template files that are valid. | Important | Error [Azure.Template.ValidSecretRef](Azure.Template.ValidSecretRef.md) | Use a valid secret reference within parameter files. | Awareness | Error 
@@ -219,7 +251,6 @@ Name | Synopsis | Severity | Level [Azure.ASG.Name](Azure.ASG.Name.md) | Application Security Group (ASG) names should meet naming requirements. | Awareness | Error [Azure.Bastion.Name](Azure.Bastion.Name.md) | Bastion hosts should meet naming requirements. | Awareness | Error [Azure.CDN.EndpointName](Azure.CDN.EndpointName.md) | Azure CDN Endpoint names should meet naming requirements. | Awareness | Error -[Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error [Azure.Deployment.Name](Azure.Deployment.Name.md) | Nested deployments should meet naming requirements of deployments. | Awareness | Error [Azure.Firewall.Name](Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness | Error [Azure.Firewall.PolicyName](Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness | Error 
@@ -230,18 +261,14 @@ Name | Synopsis | Severity | Level [Azure.MariaDB.FirewallRuleName](Azure.MariaDB.FirewallRuleName.md) | Azure Database for MariaDB firewall rules should meet naming requirements. | Awareness | Error [Azure.MariaDB.ServerName](Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness | Error [Azure.MariaDB.VNETRuleName](Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness | Error -[Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error [Azure.NSG.AKSRules](Azure.NSG.AKSRules.md) | AKS Network Security Group (NSG) should not have custom rules. | Awareness | Error [Azure.Policy.AssignmentAssignedBy](Azure.Policy.AssignmentAssignedBy.md) | Policy assignments should use assignedBy metadata. | Awareness | Error -[Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error [Azure.PrivateEndpoint.Name](Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness | Error [Azure.PublicIP.DNSLabel](Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness | Error [Azure.PublicIP.MigrateStandard](Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | Important | Error [Azure.RSV.Name](Azure.RSV.Name.md) | Recovery Services vaults should meet naming requirements. | Awareness | Error [Azure.SignalR.Name](Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness | Error -[Azure.SQL.DBName](Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. 
| Awareness | Error [Azure.SQL.FGName](Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness | Error -[Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error [Azure.SQLMI.Name](Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | Error [Azure.Template.ExpressionLength](Azure.Template.ExpressionLength.md) | Template expressions should not exceed the maximum length. | Awareness | Error [Azure.Template.ParameterFile](Azure.Template.ParameterFile.md) | Use ARM template parameter files that are valid. | Important | Error 
@@ -431,7 +458,11 @@ Name | Synopsis | Severity | Level [Azure.AppConfig.GeoReplica](Azure.AppConfig.GeoReplica.md) | Replicate app configuration store across all points of presence for an application. | Important | Error [Azure.ContainerApp.MinReplicas](Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | Error [Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error +[Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error +[Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error +[Azure.EventHub.AvailabilityZone](Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important | Error [Azure.LB.Probe](Azure.LB.Probe.md) | Use a specific probe for web protocols. | Important | Error +[Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | Error [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning [Azure.ServiceBus.GeoReplica](Azure.ServiceBus.GeoReplica.md) | Enhance resilience to regional outages by replicating namespaces. | Important | Error [Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Important | Error 
@@ -453,6 +484,7 @@ Name | Synopsis | Severity | Level [Azure.ASE.AvailabilityZone](Azure.ASE.AvailabilityZone.md) | Deploy app service environments using availability zones in supported regions to ensure high availability and resilience. | Important | Error [Azure.ContainerApp.AvailabilityZone](Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important | Error [Azure.Firewall.AvailabilityZone](Azure.Firewall.AvailabilityZone.md) | Deploy firewall instances using availability zones in supported regions to ensure high availability and resilience. | Important | Error +[Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | Error [Azure.LB.AvailabilityZone](Azure.LB.AvailabilityZone.md) | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important | Error [Azure.Log.Replication](Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | Error [Azure.MySQL.ZoneRedundantHA](Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error 
@@ -600,7 +632,6 @@ Name | Synopsis | Severity | Level [Azure.AppGwWAF.Enabled](Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | Error [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error -[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error [Azure.MariaDB.AllowAzureAccess](Azure.MariaDB.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important | Error ### Network segmentation 
@@ -668,8 +699,9 @@ Name | Synopsis | Severity | Level [Azure.AppInsights.LocalAuth](Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical | Error [Azure.AppService.ManagedIdentity](Azure.AppService.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important | Error [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error -[Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error +[Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error +[Azure.Cosmos.NoSQLLocalAuth](Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical | Error [Azure.EventGrid.DisableLocalAuth](Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important | Error [Azure.EventGrid.ManagedIdentity](Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important | Error [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error 
@@ -695,12 +727,14 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ACR.Firewall](Azure.ACR.Firewall.md) | Container Registry without restrictions can be accessed from any network location including the Internet. | Important | Error +[Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | Error [Azure.AI.PrivateEndpoints](Azure.AI.PrivateEndpoints.md) | Use Private Endpoints to access Azure AI services accounts. | Important | Error [Azure.AI.PublicAccess](Azure.AI.PublicAccess.md) | Restrict access of Azure AI services to authorized virtual networks. | Important | Error [Azure.AKS.AuthorizedIPs](Azure.AKS.AuthorizedIPs.md) | Restrict access to API server endpoints to authorized IP addresses. | Important | Error [Azure.AKS.HttpAppRouting](Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important | Error [Azure.AppGw.UseWAF](Azure.AppGw.UseWAF.md) | Internet accessible Application Gateways should use protect endpoints with WAF. | Critical | Error [Azure.AppGw.WAFEnabled](Azure.AppGw.WAFEnabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error +[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | Error [Azure.ContainerApp.ExternalIngress](Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important | Error [Azure.ContainerApp.PublicAccess](Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. 
| Important | Error [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error diff --git a/docs/es/rules/resource.md b/docs/es/rules/resource.md index ec6dc6053b..f96db08ebc 100644 --- a/docs/es/rules/resource.md +++ b/docs/es/rules/resource.md @@ -147,7 +147,7 @@ Name | Synopsis | Severity | Level [Azure.AppGwWAF.Enabled](Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | Error [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error -[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error +[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | Error ## Application Insights 
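Review bot: the new `Azure.AppGwWAF.RuleGroups` synopsis, added in both the en index hunk and the es resource.md hunk, is two to three times longer than every other row in these tables; the synopsis column is a one-liner, so reduce it to the requirement (WAF policies should enable the Microsoft Default Rule Set and the Bot Manager Rule Set) and keep the threat explanation on the rule page. Also confirm that `Azure.ADX.PublicAccess` at Critical is intentional: it matches `Azure.Cosmos.PublicAccess` and `Azure.Redis.PublicNetworkAccess` but not `Azure.ContainerApp.PublicAccess`, which sits at Important in the same table.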
@@ -191,8 +191,10 @@ Name | Synopsis | Severity | Level [Azure.Redis.FirewallRuleCount](Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness | Error [Azure.Redis.LocalAuth](Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | Important | Error [Azure.Redis.MaxMemoryReserved](Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error +[Azure.Redis.MigrateAMR](Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important | Error [Azure.Redis.MinSKU](Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error [Azure.Redis.MinTLS](Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error +[Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Redis.NonSslPort](Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical | Error [Azure.Redis.PublicNetworkAccess](Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical | Error [Azure.Redis.Version](Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important | Error 
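Review bot: `Azure.Redis.MigrateAMR` is indexed under the Azure Cache for Redis table, but the Redis Enterprise table in the next hunk only gains a Naming row; if a matching retirement rule exists for the Enterprise and Enterprise Flash SKUs it should be listed there as well, and if it does not, the synopsis "Azure Cache for Redis is being retired" should be scoped to the tiers this rule actually checks so readers do not assume Enterprise caches are covered.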
@@ -202,14 +204,9 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error +[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.RedisEnterprise.Zones](Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important | Error -## Azure Database - -Name | Synopsis | Severity | Level ----- | -------- | -------- | ----- -[Azure.SQL.MaintenanceWindow](Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important | Error - ## Azure Database for MariaDB Name | Synopsis | Severity | Level 
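Review bot: removing the stray "Azure Database" section is right, since `Azure.SQL.MaintenanceWindow` reappears in the SQL Database table in the hunk at @@ -711 below; just confirm the `resource` metadata on that rule page now matches the existing SQL Database display name, otherwise the generator will recreate the orphan heading on the next run.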
@@ -240,6 +237,7 @@ Name | Synopsis | Severity | Level [Azure.MySQL.MaintenanceWindow](Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important | Error [Azure.MySQL.MinTLS](Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical | Error [Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error +[Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning [Azure.MySQL.UseSSL](Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical | Error [Azure.MySQL.ZoneRedundantHA](Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error 
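Review bot: `Azure.MySQL.ServerName` and the new `Azure.MySQL.ServerNaming` sit one row apart with synopses that both talk about naming; make the new row say what it enforces, i.e. a configured organisational naming convention as opposed to the platform's name requirements, so a reader can tell which of the two to suppress. The same wording point applies to the ServerNaming/Naming rows added for PostgreSQL, AKS, ACR and SQLMI in the hunks below.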
@@ -258,6 +256,7 @@ Name | Synopsis | Severity | Level [Azure.PostgreSQL.MaintenanceWindow](Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important | Error [Azure.PostgreSQL.MinTLS](Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical | Error [Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error +[Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.PostgreSQL.UseSSL](Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical | Error [Azure.PostgreSQL.ZoneRedundantHA](Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error 
@@ -292,6 +291,7 @@ Name | Synopsis | Severity | Level [Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important | Error [Azure.AKS.MinUserPoolNodes](Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important | Error [Azure.AKS.Name](Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | Error +[Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.AKS.NetworkPolicy](Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important | Error [Azure.AKS.NodeAutoUpgrade](Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important | Error [Azure.AKS.NodeMinPods](Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important | Error 
@@ -301,8 +301,10 @@ Name | Synopsis | Severity | Level [Azure.AKS.SecretStore](Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important | Error [Azure.AKS.SecretStoreRotation](Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important | Error [Azure.AKS.StandardLB](Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important | Error +[Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important | Error [Azure.AKS.UseRBAC](Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important | Error +[Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.AKS.Version](Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important | Error ## Azure Managed Grafana 
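Review bot: `Azure.AKS.SystemPoolNaming` and `Azure.AKS.UserPoolNaming` are added to the AKS cluster table, whereas the equivalent naming rules for Container App Environment, Container App Job and the Cosmos DB API accounts each get their own resource-type section later in this file; pick one grouping (by resource type is what the generator does for the others) so the node-pool rules are findable under the agentPools type rather than buried among cluster rules.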
@@ -327,6 +329,30 @@ Name | Synopsis | Severity | Level [Azure.Log.ReplicaLocation](Azure.Log.ReplicaLocation.md) | The replication location determines the country or region where the data is stored and processed. | Important | Error [Azure.Log.Replication](Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | Error +## Azure SQL database + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Azure SQL Database server + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Azure SQL Elastic Job agent + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Azure SQL Elastic Pool + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + ## Azure Virtual Desktop Name | Synopsis | Severity | Level 
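Review bot: the new "Azure SQL Database server" section holding `Azure.SQL.ServerNaming` duplicates the existing SQL Database table further down (hunk @@ -711), which already lists `Azure.SQL.ServerName` and now `Azure.SQL.MaintenanceWindow`; the two headings differ only in wording, so the resource display name on the new rule pages should match the existing one so both rules land in one table. Heading case is also inconsistent within this hunk: "Azure SQL database" next to "Azure SQL Database server".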
@@ -357,10 +383,29 @@ Name | Synopsis | Severity | Level [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error [Azure.ContainerApp.MinReplicas](Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | Error [Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error +[Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.ContainerApp.PublicAccess](Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important | Error [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error [Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error +## Container App Environment + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Container App Job + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error + +## Container Instance + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + ## Container Registry Name | Synopsis | Severity | Level @@ -375,6 +420,7 @@ Name | Synopsis | Severity | Level [Azure.ACR.ImageHealth](Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical | Error [Azure.ACR.MinSku](Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important | Error [Azure.ACR.Name](Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness | Error +[Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.ACR.Quarantine](Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important | Error [Azure.ACR.ReplicaLocation](Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important | Error [Azure.ACR.Retention](Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important | Error 
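Review bot: the new "Container App Environment" section holds only `Azure.ContainerApp.EnvNaming`, while `Azure.ContainerApp.PublicAccess`, whose synopsis is about the Container Apps environment, stays in the Container App table above; either move the environment-scoped rule into the new section or keep naming rules beside their parent table, but not a mix of the two.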
@@ -394,20 +440,66 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error +[Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error [Azure.Cosmos.ContinuousBackup](Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important | Error [Azure.Cosmos.DefenderCloud](Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error -[Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error [Azure.Cosmos.MinTLS](Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | Error +[Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error +[Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error +[Azure.Cosmos.NoSQLLocalAuth](Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical | Error [Azure.Cosmos.PublicAccess](Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical | Error [Azure.Cosmos.SLA](Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). 
| Important | Error +## Cosmos DB database + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for Apache Cassandra account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for Apache Gremlin account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for MongoDB account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for NoSQL account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + +## Cosmos DB for Table account + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error + +## Cosmos DB PostgreSQL cluster + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error + ## Data Explorer Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ADX.DiskEncryption](Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important | Error [Azure.ADX.ManagedIdentity](Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important | Error +[Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | Error [Azure.ADX.SLA](Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important | Error [Azure.ADX.Usage](Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error @@ -487,6 +579,7 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- +[Azure.EventHub.AvailabilityZone](Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important | Error [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error [Azure.EventHub.Firewall](Azure.EventHub.Firewall.md) | Access to the namespace endpoints should be restricted to only allowed sources. | Critical | Error [Azure.EventHub.MinTLS](Azure.EventHub.MinTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical | Error 
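Review bot: `Azure.Cosmos.MongoEntraID` and `Azure.Cosmos.MongoAvailabilityZone` target MongoDB vCore clusters, a different resource type from the Cosmos DB account rows they are inserted between, yet this hunk creates per-type sections ("Cosmos DB for MongoDB account", "Cosmos DB PostgreSQL cluster", and so on) only for the naming rules; the vCore rules belong in their own section in the same way, otherwise a reader filtering by the account type will apply them to the wrong resource.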
@@ -572,6 +665,18 @@ Name | Synopsis | Severity | Level [Azure.ML.PublicAccess](Azure.ML.PublicAccess.md) | Disable public network access from a Azure Machine Learning workspace. | Critical | Error [Azure.ML.UserManagedIdentity](Azure.ML.UserManagedIdentity.md) | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important | Error +## Managed Grafana + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | Error + +## Managed Instance for Apache Cassandra + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | Error + ## Microsoft Defender for Cloud Name | Synopsis | Severity | Level @@ -688,6 +793,8 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ServiceFabric.AAD](Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical | Error +[Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.ServiceFabric.ProtectionLevel](Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important | Error ## SignalR Service 
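Review bot: this hunk creates a "Managed Grafana" section for `Azure.Grafana.AvailabilityZone`, but the file already has an "Azure Managed Grafana" heading (visible as trailing context after the AKS table above); set the new rule page's resource display name to the existing one so the service ends up with a single table instead of two headings.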
@@ -711,6 +818,7 @@ Name | Synopsis | Severity | Level [Azure.SQL.FGName](Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness | Error [Azure.SQL.FirewallIPRange](Azure.SQL.FirewallIPRange.md) | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important | Error [Azure.SQL.FirewallRuleCount](Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness | Error +[Azure.SQL.MaintenanceWindow](Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important | Error [Azure.SQL.MinTLS](Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical | Error [Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error [Azure.SQL.TDE](Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical | Error @@ -725,6 +833,7 @@ Name | Synopsis | Severity | Level [Azure.SQLMI.MaintenanceWindow](Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important | Error [Azure.SQLMI.ManagedIdentity](Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important | Error [Azure.SQLMI.Name](Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | Error +[Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error ## Storage Account diff --git a/docs/examples/resources/aci.bicep b/docs/examples/resources/aci.bicep new file mode 100644 index 0000000000..4b070ea4c9 --- /dev/null +++ b/docs/examples/resources/aci.bicep 
@@ -0,0 +1,62 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +// Bicep documentation examples + +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +@description('The resource subnet ID.') +param subnetId string + +var containers = [ + { + name: 'mycontainer' + properties: { + image: 'mcr.microsoft.com/azuredocs/aci-helloworld:latest' + ports: [ + { + port: 80 + protocol: 'TCP' + } + ] + resources: { + requests: { + cpu: 1 + memoryInGB: 2 + } + } + } + } +] + +// An example Azure Container Instance with a network profile. +resource containerGroup 'Microsoft.ContainerInstance/containerGroups@2025-09-01' = { + name: name + location: location + properties: { + containers: containers + osType: 'Linux' + sku: 'Standard' + restartPolicy: 'Always' + ipAddress: { + ports: [ + { + port: 80 + protocol: 'TCP' + } + ] + type: 'Private' + } + subnetIds: [ + { + id: subnetId + } + ] + } +} diff --git a/docs/examples/resources/aci.json b/docs/examples/resources/aci.json new file mode 100644 index 0000000000..321b91bd4c --- /dev/null +++ b/docs/examples/resources/aci.json 
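Review bot: the new aci.bicep (and its compiled aci.json) pins the container to `mcr.microsoft.com/azuredocs/aci-helloworld:latest`; a mutable tag in a documentation example is exactly what the image-pinning guidance warns against, so reference a fixed tag or an `@sha256:` digest. The comment "An example Azure Container Instance with a network profile" is also stale: the resource uses `subnetIds`, which replaced network profiles, so say "deployed into a subnet". Consider adding an `identity` block as the AKS and Container App examples in this directory do, since a container group without one pushes readers toward static registry credentials.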
@@ -0,0 +1,84 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.38.33.27573", + "templateHash": "14594933783337124860" + } + }, + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + }, + "subnetId": { + "type": "string", + "metadata": { + "description": "The resource subnet ID." + } + } + }, + "variables": { + "containers": [ + { + "name": "mycontainer", + "properties": { + "image": "mcr.microsoft.com/azuredocs/aci-helloworld:latest", + "ports": [ + { + "port": 80, + "protocol": "TCP" + } + ], + "resources": { + "requests": { + "cpu": 1, + "memoryInGB": 2 + } + } + } + } + ] + }, + "resources": [ + { + "type": "Microsoft.ContainerInstance/containerGroups", + "apiVersion": "2025-09-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "containers": "[variables('containers')]", + "osType": "Linux", + "sku": "Standard", + "restartPolicy": "Always", + "ipAddress": { + "ports": [ + { + "port": 80, + "protocol": "TCP" + } + ], + "type": "Private" + }, + "subnetIds": [ + { + "id": "[parameters('subnetId')]" + } + ] + } + } + ] +} \ No newline at end of file diff --git a/docs/examples/resources/aks.bicep b/docs/examples/resources/aks.bicep index 68a479954d..b989370015 100644 --- a/docs/examples/resources/aks.bicep +++ b/docs/examples/resources/aks.bicep 
@@ -5,11 +5,11 @@ // Define parameters -@description('The name of the AKS cluster.') +@description('The name of the resource.') param name string @metadata({ - description: 'Optional. The Azure region to deploy to.' + description: 'The location resources will be deployed.' strongType: 'location' example: 'EastUS' ignore: true @@ -126,13 +126,13 @@ var userPools = [ // Define resources // Cluster managed identity -resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { +resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30' = { name: identityName location: location } // An example AKS cluster -resource cluster 'Microsoft.ContainerService/managedClusters@2024-10-01' = { +resource cluster 'Microsoft.ContainerService/managedClusters@2025-07-01' = { location: location name: name identity: { @@ -219,7 +219,7 @@ resource auditLogs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = } // An example AKS cluster with pools defined. -resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2024-02-01' = { +resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2025-07-01' = { location: location name: name identity: { @@ -306,7 +306,7 @@ resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2024-02-01 } // An example private AKS cluster with pools defined. -resource privateCluster 'Microsoft.ContainerService/managedClusters@2024-02-01' = { +resource privateCluster 'Microsoft.ContainerService/managedClusters@2025-07-01' = { location: location name: name identity: { 
@@ -390,3 +390,43 @@ resource privateCluster 'Microsoft.ContainerService/managedClusters@2024-02-01' } } } + +// An example system node pool. +resource system 'Microsoft.ContainerService/managedClusters/agentPools@2025-07-01' = { + parent: cluster + name: 'system' + properties: { + osDiskSizeGB: osDiskSizeGB + minCount: 3 + maxCount: 7 + enableAutoScaling: true + maxPods: systemPoolMaxPods + vmSize: 'Standard_D16ds_v6' + osType: 'Linux' + type: 'VirtualMachineScaleSets' + vnetSubnetID: clusterSubnetId + mode: 'System' + osDiskType: 'Ephemeral' + scaleSetPriority: 'Regular' + } +} + +// An example user node pool. +resource user 'Microsoft.ContainerService/managedClusters/agentPools@2025-07-01' = { + parent: cluster + name: 'user' + properties: { + osDiskSizeGB: osDiskSizeGB + minCount: 3 + maxCount: 20 + enableAutoScaling: true + maxPods: 150 + vmSize: 'Standard_D16ds_v6' + osType: 'Linux' + type: 'VirtualMachineScaleSets' + vnetSubnetID: clusterSubnetId + mode: 'User' + osDiskType: 'Ephemeral' + scaleSetPriority: 'Regular' + } +} diff --git a/docs/examples/resources/aks.json b/docs/examples/resources/aks.json index c1438dd550..ff8e5ef2f4 100644 --- a/docs/examples/resources/aks.json +++ b/docs/examples/resources/aks.json @@ -4,22 +4,22 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.92.45157", - "templateHash": "6019742219031876579" + "version": "0.38.33.27573", + "templateHash": "6176874005941688917" } }, "parameters": { "name": { "type": "string", "metadata": { - "description": "The name of the AKS cluster." + "description": "The name of the resource." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { - "description": "Optional. The Azure region to deploy to.", + "description": "The location resources will be deployed.", "strongType": "location", "example": "EastUS", "ignore": true 
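Review bot: in aks.bicep the new `system` and `user` agentPools child resources are parented to `cluster`, which must already declare at least one system pool inline in `agentPoolProfiles` (AKS requires one at creation, and the `userPools` variable in the earlier context shows inline pools are how this file defines them); a child pool whose name collides with an inline profile fails the deployment, and one that does not leaves the example with more pools than the profiles suggest. Either parent the child pools to a cluster that declares only its mandatory system pool, or name them so they clearly do not overlap, and add a comment explaining the relationship.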
@@ -172,13 +172,13 @@ "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", + "apiVersion": "2024-11-30", "name": "[parameters('identityName')]", "location": "[parameters('location')]" }, { "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2024-02-01", + "apiVersion": "2025-07-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { @@ -272,7 +272,7 @@ }, { "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2024-02-01", + "apiVersion": "2025-07-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { @@ -362,7 +362,7 @@ }, { "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2024-02-01", + "apiVersion": "2025-07-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { 
@@ -448,6 +448,50 @@ "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]" ] + }, + { + "type": "Microsoft.ContainerService/managedClusters/agentPools", + "apiVersion": "2025-07-01", + "name": "[format('{0}/{1}', parameters('name'), 'system')]", + "properties": { + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "minCount": 3, + "maxCount": 7, + "enableAutoScaling": true, + "maxPods": "[parameters('systemPoolMaxPods')]", + "vmSize": "Standard_D16ds_v6", + "osType": "Linux", + "type": "VirtualMachineScaleSets", + "vnetSubnetID": "[parameters('clusterSubnetId')]", + "mode": "System", + "osDiskType": "Ephemeral", + "scaleSetPriority": "Regular" + }, + "dependsOn": [ + "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" + ] + }, + { + "type": "Microsoft.ContainerService/managedClusters/agentPools", + "apiVersion": "2025-07-01", + "name": "[format('{0}/{1}', parameters('name'), 'user')]", + "properties": { + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "minCount": 3, + "maxCount": 20, + "enableAutoScaling": true, + "maxPods": 150, + "vmSize": "Standard_D16ds_v6", + "osType": "Linux", + "type": "VirtualMachineScaleSets", + "vnetSubnetID": "[parameters('clusterSubnetId')]", + "mode": "User", + "osDiskType": "Ephemeral", + "scaleSetPriority": "Regular" + }, + "dependsOn": [ + "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" + ] } ] -} +} \ No newline at end of file diff --git a/docs/examples/resources/containerapp.bicep b/docs/examples/resources/containerapp.bicep index 5ce3e29fdf..4446a9c8cf 100644 --- a/docs/examples/resources/containerapp.bicep +++ b/docs/examples/resources/containerapp.bicep 
@@ -3,13 +3,10 @@ // Bicep documentation examples -@description('The name of the app environment.') -param envName string - @minLength(2) @maxLength(32) -@description('The name of the container app.') -param appName string +@description('The name of the resource.') +param name string @description('The location resources will be deployed.') param location string = resourceGroup().location @@ -23,6 +20,9 @@ param subnetId string @description('The revision of the container app.') param revision string +@description('The name of the workload profile to use for the job.') +param workloadProfileName string + resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = { name: split(workspaceId, '/')[8] } @@ -54,8 +54,8 @@ var ipSecurityRestrictions = [ ] // An example App Environment configured with a consumption workload profile. -resource containerEnv 'Microsoft.App/managedEnvironments@2024-03-01' = { - name: envName +resource containerEnv 'Microsoft.App/managedEnvironments@2025-01-01' = { + name: name location: location properties: { appLogsConfiguration: { @@ -80,8 +80,8 @@ resource containerEnv 'Microsoft.App/managedEnvironments@2024-03-01' = { } // An example Container App using a minimum of 2 replicas. -resource containerApp 'Microsoft.App/containerApps@2024-03-01' = { - name: appName +resource containerApp 'Microsoft.App/containerApps@2025-01-01' = { + name: name location: location identity: { type: 'SystemAssigned' @@ -109,8 +109,8 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = { } // An example Container App with IP security restrictions. -resource containerAppWithSecurity 'Microsoft.App/containerApps@2024-03-01' = { - name: appName +resource containerAppWithSecurity 'Microsoft.App/containerApps@2025-01-01' = { + name: name location: location identity: { type: 'SystemAssigned' 
@@ -148,3 +148,24 @@ resource containerAppWithSecurity 'Microsoft.App/containerApps@2024-03-01' = { } } } + +// An example Container App Job using a workload profile. +resource job 'Microsoft.App/jobs@2025-01-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + environmentId: containerEnv.id + template: { + containers: containers + } + workloadProfileName: workloadProfileName + configuration: { + replicaTimeout: 300 + triggerType: 'Manual' + manualTriggerConfig: {} + } + } +} diff --git a/docs/examples/resources/containerapp.json b/docs/examples/resources/containerapp.json index d208cffef4..8fbcb6bf95 100644 --- a/docs/examples/resources/containerapp.json +++ b/docs/examples/resources/containerapp.json @@ -4,23 +4,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "7132667371133705541" + "version": "0.38.33.27573", + "templateHash": "2167050194923568795" } }, "parameters": { - "envName": { - "type": "string", - "metadata": { - "description": "The name of the app environment." - } - }, - "appName": { + "name": { "type": "string", "minLength": 2, "maxLength": 32, "metadata": { - "description": "The name of the container app." + "description": "The name of the resource." } }, "location": { @@ -47,6 +41,12 @@ "metadata": { "description": "The revision of the container app." } + }, + "workloadProfileName": { + "type": "string", + "metadata": { + "description": "The name of the workload profile to use for the job." + } } }, "variables": { @@ -78,8 +78,8 @@ "resources": [ { "type": "Microsoft.App/managedEnvironments", - "apiVersion": "2024-03-01", - "name": "[parameters('envName')]", + "apiVersion": "2025-01-01", + "name": "[parameters('name')]", "location": "[parameters('location')]", "properties": { "appLogsConfiguration": { 
@@ -104,14 +104,14 @@ }, { "type": "Microsoft.App/containerApps", - "apiVersion": "2024-03-01", - "name": "[parameters('appName')]", + "apiVersion": "2025-01-01", + "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { "type": "SystemAssigned" }, "properties": { - "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]", + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]", "template": { "revisionSuffix": "[parameters('revision')]", "containers": "[variables('containers')]", @@ -131,19 +131,19 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]" + "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]" ] }, { "type": "Microsoft.App/containerApps", - "apiVersion": "2024-03-01", - "name": "[parameters('appName')]", + "apiVersion": "2025-01-01", + "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { "type": "SystemAssigned" }, "properties": { - "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]", + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]", "template": { "revisionSuffix": "[parameters('revision')]", "containers": "[variables('containers')]", 
@@ -175,7 +175,31 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]" + "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]" + ] + }, + { + "type": "Microsoft.App/jobs", + "apiVersion": "2025-01-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]", + "template": { + "containers": "[variables('containers')]" + }, + "workloadProfileName": "[parameters('workloadProfileName')]", + "configuration": { + "replicaTimeout": 300, + "triggerType": "Manual", + "manualTriggerConfig": {} + } + }, + "dependsOn": [ + "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]" ] } ] diff --git a/docs/examples/resources/cosmos.bicep b/docs/examples/resources/cosmos.bicep index 529cee6dac..83b3326b89 100644 --- a/docs/examples/resources/cosmos.bicep +++ b/docs/examples/resources/cosmos.bicep @@ -3,14 +3,19 @@ // Bicep documentation examples -@description('The name of the Cosmos database account.') +@minLength(3) +@maxLength(44) +@description('The name of the resource.') param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -@description('A Cosmos DB account using the NoSQL API.') -resource account 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { +@description('The location of a secondary replica.') +param secondaryLocation string = location + +// An example Cosmos DB account using the NoSQL API. +resource nosql 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { name: name location: location properties: { 
@@ -25,19 +30,146 @@ resource account 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { failoverPriority: 0 isZoneRedundant: true } + { + locationName: secondaryLocation + failoverPriority: 1 + isZoneRedundant: false + } ] disableKeyBasedMetadataWriteAccess: true minimalTlsVersion: 'Tls12' } } -@description('A No SQL API database in a Cosmos DB account.') +// An example No SQL API database in a Cosmos DB account. resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2025-04-15' = { name: 'sql-001' - parent: account + parent: nosql properties: { resource: { id: 'sql-001' } } } + +// An example Cosmos DB account using the Gremlin API. +resource gremlin 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + kind: 'GlobalDocumentDB' + properties: { + capabilities: [ + { + name: 'EnableGremlin' + } + ] + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + databaseAccountOfferType: 'Standard' + minimalTlsVersion: 'Tls12' + backupPolicy: { + type: 'Periodic' + periodicModeProperties: { + backupIntervalInMinutes: 240 + backupRetentionIntervalInHours: 8 + backupStorageRedundancy: 'Geo' + } + } + } + tags: { + defaultExperience: 'Gremlin (graph)' + } +} + +// An example Cosmos DB account using the Cassandra API. +resource cassandra 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + kind: 'GlobalDocumentDB' + properties: { + capabilities: [ + { + name: 'EnableCassandra' + } + ] + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + databaseAccountOfferType: 'Standard' + minimalTlsVersion: 'Tls12' + backupPolicy: { + type: 'Periodic' + periodicModeProperties: { + backupIntervalInMinutes: 240 + backupRetentionIntervalInHours: 8 + backupStorageRedundancy: 'Geo' + } + } + } +} + +// An example Cosmos DB account using the MongoDB API. 
+resource mongo 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + kind: 'MongoDB' + properties: { + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + databaseAccountOfferType: 'Standard' + minimalTlsVersion: 'Tls12' + backupPolicy: { + type: 'Periodic' + periodicModeProperties: { + backupIntervalInMinutes: 240 + backupRetentionIntervalInHours: 8 + backupStorageRedundancy: 'Geo' + } + } + } +} + +// An example Cosmos DB account using the Table API. +resource table 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + kind: 'GlobalDocumentDB' + properties: { + capabilities: [ + { + name: 'EnableTable' + } + ] + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + databaseAccountOfferType: 'Standard' + minimalTlsVersion: 'Tls12' + backupPolicy: { + type: 'Periodic' + periodicModeProperties: { + backupIntervalInMinutes: 240 + backupRetentionIntervalInHours: 8 + backupStorageRedundancy: 'Geo' + } + } + } +} diff --git a/docs/examples/resources/cosmos.json b/docs/examples/resources/cosmos.json index 2fc47b3830..70fc4e8a15 100644 --- a/docs/examples/resources/cosmos.json +++ b/docs/examples/resources/cosmos.json @@ -4,15 +4,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.38.33.27573", - "templateHash": "15884156970722779622" + "version": "0.39.26.7824", + "templateHash": "13054416509978409621" } }, "parameters": { "name": { "type": "string", + "minLength": 3, + "maxLength": 44, "metadata": { - "description": "The name of the Cosmos database account." + "description": "The name of the resource." } }, "location": { 
@@ -21,6 +23,13 @@ "metadata": { "description": "The location resources will be deployed." } + }, + "secondaryLocation": { + "type": "string", + "defaultValue": "[parameters('location')]", + "metadata": { + "description": "The location of a secondary replica." + } } }, "resources": [ @@ -40,13 +49,15 @@ "locationName": "[parameters('location')]", "failoverPriority": 0, "isZoneRedundant": true + }, + { + "locationName": "[parameters('secondaryLocation')]", + "failoverPriority": 1, + "isZoneRedundant": false } ], "disableKeyBasedMetadataWriteAccess": true, "minimalTlsVersion": "Tls12" - }, - "metadata": { - "description": "A Cosmos DB account using the NoSQL API." } }, { 
@@ -60,9 +71,128 @@ }, "dependsOn": [ "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" - ], - "metadata": { - "description": "A No SQL API database in a Cosmos DB account." + ] + }, + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "GlobalDocumentDB", + "properties": { + "capabilities": [ + { + "name": "EnableGremlin" + } + ], + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + }, + "tags": { + "defaultExperience": "Gremlin (graph)" + } + }, + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "GlobalDocumentDB", + "properties": { + "capabilities": [ + { + "name": "EnableCassandra" + } + ], + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + } + }, + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "MongoDB", + "properties": { + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": 
"Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + } + }, + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "GlobalDocumentDB", + "properties": { + "capabilities": [ + { + "name": "EnableTable" + } + ], + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } } } ] diff --git a/docs/examples/resources/mysql.bicep b/docs/examples/resources/mysql.bicep index 67ca9d2977..4b79cd9e86 100644 --- a/docs/examples/resources/mysql.bicep +++ b/docs/examples/resources/mysql.bicep @@ -3,20 +3,22 @@ // Bicep documentation examples -@sys.description('The name of the resource.') +@minLength(3) +@maxLength(63) +@description('The name of the resource.') param name string -@sys.description('The location resources will be deployed.') +@description('The location resources will be deployed.') param location string = resourceGroup().location -@sys.description('The login for an administrator.') +@description('The login for an administrator.') param administratorLogin string @secure() @description('A default administrator password.') param administratorLoginPassword string -@sys.description('The object GUID for an administrator account.') +@description('The object GUID for an administrator account.') param loginObjectId string // An example Azure Database for MySQL using the single server deployment model. 
@@ -57,7 +59,7 @@ resource entraForSingleServer 'Microsoft.DBforMySQL/servers/administrators@2017- } } -resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2023-12-30' = { +resource flexible 'Microsoft.DBforMySQL/flexibleServers@2024-12-30' = { name: name location: location sku: { diff --git a/docs/examples/resources/mysql.json b/docs/examples/resources/mysql.json index ee0ff17a86..9b0751df0d 100644 --- a/docs/examples/resources/mysql.json +++ b/docs/examples/resources/mysql.json @@ -4,13 +4,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "14190762334901930442" + "version": "0.38.33.27573", + "templateHash": "6762710448519896098" } }, "parameters": { "name": { "type": "string", + "minLength": 3, + "maxLength": 63, "metadata": { "description": "The name of the resource." } @@ -85,7 +87,7 @@ }, { "type": "Microsoft.DBforMySQL/flexibleServers", - "apiVersion": "2023-12-30", + "apiVersion": "2024-12-30", "name": "[parameters('name')]", "location": "[parameters('location')]", "sku": { diff --git a/docs/examples/resources/postgresql.bicep b/docs/examples/resources/postgresql.bicep index e40de0c226..f3bbbf40b7 100644 --- a/docs/examples/resources/postgresql.bicep +++ b/docs/examples/resources/postgresql.bicep 
@@ -3,20 +3,22 @@ // Bicep documentation examples -@sys.description('The name of the resource.') +@minLength(3) +@maxLength(63) +@description('The name of the resource.') param name string -@sys.description('The location resources will be deployed.') +@description('The location resources will be deployed.') param location string = resourceGroup().location -@sys.description('The login for an administrator.') +@description('The login for an administrator.') param localAdministrator string @secure() @description('A default administrator password.') param localAdministratorPassword string -@sys.description('The object GUID for an administrator account.') +@description('The object GUID for an administrator account.') param loginObjectId string // An example PostgreSQL server. @@ -47,7 +49,7 @@ resource single_admin 'Microsoft.DBforPostgreSQL/servers/administrators@2017-12- } // An example PostgreSQL using the flexible server model. -resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = { +resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2024-08-01' = { name: name location: location sku: { @@ -76,7 +78,7 @@ resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = { } // Configure administrators for a flexible server. -resource flexible_admin 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2022-12-01' = { +resource flexible_admin 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2024-08-01' = { parent: flexible name: loginObjectId properties: { diff --git a/docs/examples/resources/postgresql.json b/docs/examples/resources/postgresql.json index 0c295b4c2b..acfa973d40 100644 --- a/docs/examples/resources/postgresql.json +++ b/docs/examples/resources/postgresql.json 
@@ -4,13 +4,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "1186622257126358354" + "version": "0.38.33.27573", + "templateHash": "7375294002453194062" } }, "parameters": { "name": { "type": "string", + "minLength": 3, + "maxLength": 63, "metadata": { "description": "The name of the resource." } @@ -73,7 +75,7 @@ }, { "type": "Microsoft.DBforPostgreSQL/flexibleServers", - "apiVersion": "2022-12-01", + "apiVersion": "2024-08-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "sku": { @@ -102,7 +104,7 @@ }, { "type": "Microsoft.DBforPostgreSQL/flexibleServers/administrators", - "apiVersion": "2022-12-01", + "apiVersion": "2024-08-01", "name": "[format('{0}/{1}', parameters('name'), parameters('loginObjectId'))]", "properties": { "principalType": "ServicePrincipal", diff --git a/docs/examples/resources/redisenterprise.bicep b/docs/examples/resources/redisenterprise.bicep index 08f0d7b4f4..b1ff87388c 100644 --- a/docs/examples/resources/redisenterprise.bicep +++ b/docs/examples/resources/redisenterprise.bicep @@ -3,6 +3,8 @@ // Bicep documentation examples +@minLength(1) +@maxLength(63) @description('The name of the resource.') param name string @@ -10,7 +12,7 @@ param name string param location string = resourceGroup().location // An example Redis Enterprise cache. -resource cache 'Microsoft.Cache/redisEnterprise@2024-02-01' = { +resource cache 'Microsoft.Cache/redisEnterprise@2025-04-01' = { name: name location: location sku: { diff --git a/docs/examples/resources/redisenterprise.json b/docs/examples/resources/redisenterprise.json index 82ebee6490..7bd4c66520 100644 --- a/docs/examples/resources/redisenterprise.json +++ b/docs/examples/resources/redisenterprise.json 
@@ -4,13 +4,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "18144616178175150817" + "version": "0.38.33.27573", + "templateHash": "17489438504009269923" } }, "parameters": { "name": { "type": "string", + "minLength": 1, + "maxLength": 63, "metadata": { "description": "The name of the resource." } @@ -26,7 +28,7 @@ "resources": [ { "type": "Microsoft.Cache/redisEnterprise", - "apiVersion": "2024-02-01", + "apiVersion": "2025-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "sku": { diff --git a/docs/examples/resources/service-fabric.bicep b/docs/examples/resources/service-fabric.bicep index 6db7e4724e..77b342bdf7 100644 --- a/docs/examples/resources/service-fabric.bicep +++ b/docs/examples/resources/service-fabric.bicep @@ -3,6 +3,8 @@ // Bicep documentation examples +@minLength(4) +@maxLength(23) @description('The name of the resource.') param name string @@ -13,6 +15,7 @@ param endpointUri string param tenantId string param clusterApplication string param clientApplication string +param adminUsername string @description('Certificate thumbprint.') param certificateThumbprint string @@ -21,7 +24,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-01-01' existing name: 'storage1' } -// An example of a Service Fabric cluster resource. +// An example Service Fabric cluster. resource cluster 'Microsoft.ServiceFabric/clusters@2023-11-01-preview' = { name: name location: location 
@@ -60,3 +63,37 @@ resource cluster 'Microsoft.ServiceFabric/clusters@2023-11-01-preview' = { vmImage: 'Windows' } } + +// An example Service Fabric managed cluster. +resource managed 'Microsoft.ServiceFabric/managedClusters@2024-04-01' = { + name: name + location: location + sku: { + name: 'Standard' + } + properties: { + azureActiveDirectory: { + clientApplication: clientApplication + clusterApplication: clusterApplication + tenantId: tenantId + } + dnsName: toLower(name) + adminUserName: adminUsername + clientConnectionPort: 19000 + httpGatewayConnectionPort: 19080 + clients: [ + { + isAdmin: true + thumbprint: certificateThumbprint + } + ] + loadBalancingRules: [ + { + frontendPort: 8080 + backendPort: 8080 + protocol: 'tcp' + probeProtocol: 'https' + } + ] + } +} diff --git a/docs/examples/resources/service-fabric.json b/docs/examples/resources/service-fabric.json index c747e91da2..2374763dfc 100644 --- a/docs/examples/resources/service-fabric.json +++ b/docs/examples/resources/service-fabric.json @@ -4,13 +4,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.35.1.17967", - "templateHash": "16820822623191152552" + "version": "0.38.33.27573", + "templateHash": "6378535014997672625" } }, "parameters": { "name": { "type": "string", + "minLength": 4, + "maxLength": 23, "metadata": { "description": "The name of the resource." } @@ -34,6 +36,9 @@ "clientApplication": { "type": "string" }, + "adminUsername": { + "type": "string" + }, "certificateThumbprint": { "type": "string", "metadata": { 
@@ -81,6 +86,40 @@ "upgradeMode": "Automatic", "vmImage": "Windows" } + }, + { + "type": "Microsoft.ServiceFabric/managedClusters", + "apiVersion": "2024-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "azureActiveDirectory": { + "clientApplication": "[parameters('clientApplication')]", + "clusterApplication": "[parameters('clusterApplication')]", + "tenantId": "[parameters('tenantId')]" + }, + "dnsName": "[toLower(parameters('name'))]", + "adminUserName": "[parameters('adminUsername')]", + "clientConnectionPort": 19000, + "httpGatewayConnectionPort": 19080, + "clients": [ + { + "isAdmin": true, + "thumbprint": "[parameters('certificateThumbprint')]" + } + ], + "loadBalancingRules": [ + { + "frontendPort": 8080, + "backendPort": 8080, + "protocol": "tcp", + "probeProtocol": "https" + } + ] + } } ] } \ No newline at end of file diff --git a/docs/examples/resources/sql.bicep b/docs/examples/resources/sql.bicep index 5b28caec6c..c935fffe47 100644 --- a/docs/examples/resources/sql.bicep +++ b/docs/examples/resources/sql.bicep @@ -3,6 +3,8 @@ // Bicep documentation examples +@minLength(1) +@maxLength(128) @description('The name of the resource.') param name string @@ -11,6 +13,7 @@ param location string = resourceGroup().location param adminLogin string param adminPrincipalId string +param maintenanceConfigurationId string var maxSize = 32 * 1048576 @@ -23,7 +26,7 @@ resource server 'Microsoft.Sql/servers@2024-05-01-preview' = { } properties: { publicNetworkAccess: 'Disabled' - minimalTlsVersion: '1.2' + minimalTlsVersion: '1.3' administrators: { azureADOnlyAuthentication: true administratorType: 'ActiveDirectory' 
@@ -102,3 +105,30 @@ resource tde 'Microsoft.Sql/servers/databases/transparentDataEncryption@2024-05- state: 'Enabled' } } + +// An example Azure SQL Job Agent. +resource agent 'Microsoft.Sql/servers/jobAgents@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + databaseId: database.id + } +} + +// An example Azure SQL Elastic Pool. +resource pool 'Microsoft.Sql/servers/elasticPools@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + perDatabaseSettings: { + minCapacity: 0 + maxCapacity: 2 + } + maxSizeBytes: 34359738368 + zoneRedundant: true + licenseType: 'BasePrice' + maintenanceConfigurationId: maintenanceConfigurationId + } +} diff --git a/docs/examples/resources/sql.json b/docs/examples/resources/sql.json index c77850d40a..af2a1a301f 100644 --- a/docs/examples/resources/sql.json +++ b/docs/examples/resources/sql.json @@ -4,13 +4,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.34.1.11899", - "templateHash": "13668357951305686306" + "version": "0.38.33.27573", + "templateHash": "5973132553936234562" } }, "parameters": { "name": { "type": "string", + "minLength": 1, + "maxLength": 128, "metadata": { "description": "The name of the resource." } @@ -27,6 +29,9 @@ }, "adminPrincipalId": { "type": "string" + }, + "maintenanceConfigurationId": { + "type": "string" } }, "variables": { @@ -43,7 +48,7 @@ }, "properties": { "publicNetworkAccess": "Disabled", - "minimalTlsVersion": "1.2", + "minimalTlsVersion": "1.3", "administrators": { "azureADOnlyAuthentication": true, "administratorType": "ActiveDirectory", 
@@ -133,6 +138,38 @@ "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]" ] + }, + { + "type": "Microsoft.Sql/servers/jobAgents", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "databaseId": "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]", + "[resourceId('Microsoft.Sql/servers', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Sql/servers/elasticPools", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "perDatabaseSettings": { + "minCapacity": 0, + "maxCapacity": 2 + }, + "maxSizeBytes": 34359738368, + "zoneRedundant": true, + "licenseType": "BasePrice", + "maintenanceConfigurationId": "[parameters('maintenanceConfigurationId')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('name'))]" + ] } ] } \ No newline at end of file diff --git a/docs/examples/resources/sqlmi.bicep b/docs/examples/resources/sqlmi.bicep new file mode 100644 index 0000000000..c8e35e4e26 --- /dev/null +++ b/docs/examples/resources/sqlmi.bicep 
@@ -0,0 +1,43 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +// Bicep documentation examples + +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +param login string +param sid string + +// An example SQL managed instance. +resource managedInstance 'Microsoft.Sql/managedInstances@2023-08-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + sku: { + name: 'GP_Gen5' + } + properties: { + administrators: { + administratorType: 'ActiveDirectory' + azureADOnlyAuthentication: true + login: login + sid: sid + principalType: 'Group' + tenantId: tenant().tenantId + } + maintenanceConfigurationId: maintenanceWindow.id + } +} + +resource maintenanceWindow 'Microsoft.Maintenance/publicMaintenanceConfigurations@2023-04-01' existing = { + scope: subscription() + name: 'SQL_WestEurope_MI_1' +} diff --git a/docs/examples/resources/sqlmi.json b/docs/examples/resources/sqlmi.json new file mode 100644 index 0000000000..ddda1711db --- /dev/null +++ b/docs/examples/resources/sqlmi.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.38.33.27573", + "templateHash": "16665234278863375091" + } + }, + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + }, + "login": { + "type": "string" + }, + "sid": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2023-08-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "GP_Gen5" + }, + "properties": { + "administrators": { + "administratorType": "ActiveDirectory", + "azureADOnlyAuthentication": true, + "login": "[parameters('login')]", + "sid": "[parameters('sid')]", + "principalType": "Group", + "tenantId": "[tenant().tenantId]" + }, + "maintenanceConfigurationId": "[subscriptionResourceId('Microsoft.Maintenance/publicMaintenanceConfigurations', 'SQL_WestEurope_MI_1')]" + } + } + ] +} \ No newline at end of file diff --git a/docs/setup/setup-naming-and-tagging.md b/docs/setup/setup-naming-and-tagging.md index 2ffb9d0159..17586c053e 100644 --- a/docs/setup/setup-naming-and-tagging.md +++ b/docs/setup/setup-naming-and-tagging.md 
@@ -225,21 +225,47 @@ To configure the rule for a resource type, set the corresponding configuration v Rule | Resource type | Configuration value ---- | ------------- | ------------------- +`Azure.ACI.Naming` | `Microsoft.ContainerInstance/containerGroups` | `AZURE_CONTAINER_INSTANCE_NAME_FORMAT` +`Azure.ACR.Naming` | `Microsoft.ContainerRegistry/registries` | `AZURE_CONTAINER_REGISTRY_NAME_FORMAT` `Azure.Search.Naming` | `Microsoft.Search/searchServices` | `AZURE_AI_SEARCH_NAME_FORMAT` `Azure.AI.FoundryNaming` | `Microsoft.CognitiveServices/accounts` with `kind` = `AIServices` | `AZURE_AI_SERVICES_NAME_FORMAT` +`Azure.AKS.Naming` | `Microsoft.ContainerService/managedClusters` | `AZURE_AKS_CLUSTER_NAME_FORMAT` +`Azure.AKS.SystemPoolNaming` | `Microsoft.ContainerService/managedClusters/agentPools` with `mode` = `System` | `AZURE_AKS_SYSTEM_POOL_NAME_FORMAT` +`Azure.AKS.UserPoolNaming` | `Microsoft.ContainerService/managedClusters/agentPools` with `mode` = `User` | `AZURE_AKS_USER_POOL_NAME_FORMAT` `Azure.AppInsights.Naming` | `Microsoft.Insights/components` | `AZURE_APP_INSIGHTS_NAME_FORMAT` +`Azure.ContainerApp.Naming` | `Microsoft.App/containerApps` | `AZURE_CONTAINER_APP_NAME_FORMAT` +`Azure.ContainerApp.EnvNaming` | `Microsoft.App/managedEnvironments` | `AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT` +`Azure.ContainerApp.JobNaming` | `Microsoft.App/jobs` | `AZURE_CONTAINER_APP_JOB_NAME_FORMAT` +`Azure.Cosmos.CassandraNaming` | `Microsoft.DocumentDb/databaseAccounts` with Cassandra API | `AZURE_COSMOS_CASSANDRA_NAME_FORMAT` +`Azure.Cosmos.DatabaseNaming` | `Microsoft.DocumentDB/databaseAccounts/sqlDatabases` | `AZURE_COSMOS_DATABASE_NAME_FORMAT` +`Azure.Cosmos.GremlinNaming` | `Microsoft.DocumentDb/databaseAccounts` with Gremlin API | `AZURE_COSMOS_GREMLIN_NAME_FORMAT` +`Azure.Cosmos.MongoNaming` | `Microsoft.DocumentDb/databaseAccounts` with MongoDB API | `AZURE_COSMOS_MONGO_NAME_FORMAT` +`Azure.Cosmos.NoSQLNaming` | `Microsoft.DocumentDb/databaseAccounts` with 
NoSQL API | `AZURE_COSMOS_NOSQL_NAME_FORMAT` +`Azure.Cosmos.PostgreSQLNaming` | `Microsoft.DBforPostgreSQL/serverGroupsv2` | `AZURE_COSMOS_POSTGRESQL_NAME_FORMAT` +`Azure.Cosmos.TableNaming` | `Microsoft.DocumentDb/databaseAccounts` with Table API | `AZURE_COSMOS_TABLE_NAME_FORMAT` `Azure.EventGrid.DomainNaming` | `Microsoft.EventGrid/domains` | `AZURE_EVENTGRID_DOMAIN_NAME_FORMAT` `Azure.EventGrid.TopicNaming` | `Microsoft.EventGrid/topics`, `Microsoft.EventGrid/domains/topics` | `AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT` `Azure.EventGrid.SystemTopicNaming` | `Microsoft.EventGrid/systemTopics` | `AZURE_EVENTGRID_SYSTEM_TOPIC_NAME_FORMAT` `Azure.VNG.ConnectionNaming` | `Microsoft.Network/connections` | `AZURE_GATEWAY_CONNECTION_NAME_FORMAT` `Azure.LB.Naming` | `Microsoft.Network/loadBalancers` | `AZURE_LOAD_BALANCER_NAME_FORMAT` `Azure.Log.Naming` | `Microsoft.OperationalInsights/workspaces` | `AZURE_LOG_WORKSPACE_NAME_FORMAT` +`Azure.MySQL.Naming` | `Microsoft.DBforMySQL/servers`, `Microsoft.DBforMySQL/flexibleServers` | `AZURE_MYSQL_SERVER_NAME_FORMAT` `Azure.NSG.Naming` | `Microsoft.Network/networkSecurityGroups` | `AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT` +`Azure.PostgreSQL.Naming` | `Microsoft.DBforPostgreSQL/servers`, `Microsoft.DBforPostgreSQL/flexibleServers` | `AZURE_POSTGRESQL_SERVER_NAME_FORMAT` `Azure.PublicIP.Naming` | `Microsoft.Network/publicIPAddresses` | `AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT` +`Azure.Redis.Naming` | `Microsoft.Cache/redis` | `AZURE_REDIS_CACHE_NAME_FORMAT` +`Azure.RedisEnterprise.Naming` | `Microsoft.Cache/redisEnterprise` with Enterprise or Enterprise Flash | `AZURE_REDIS_ENTERPRISE_NAME_FORMAT` `Azure.Group.Naming` | `Microsoft.Resources/resourceGroups` | `AZURE_RESOURCE_GROUP_NAME_FORMAT` `Azure.Group.RequiredTags` | `Microsoft.Resources/resourceGroups` | `AZURE_RESOURCE_GROUP_REQUIRED_TAGS` `Azure.Resource.RequiredTags` | Applies to all types that support tags except subscription and resource groups. 
| `AZURE_RESOURCE_REQUIRED_TAGS` `Azure.Route.Naming` | `Microsoft.Network/routeTables` | `AZURE_ROUTE_TABLE_NAME_FORMAT` +`Azure.ServiceFabric.Naming` | `Microsoft.ServiceFabric/clusters` | `AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT` +`Azure.ServiceFabric.ManagedNaming` | `Microsoft.ServiceFabric/managedClusters` | `AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT` +`Azure.SQL.ServerNaming` | `Microsoft.Sql/servers` | `AZURE_SQL_SERVER_NAME_FORMAT` +`Azure.SQL.DBNaming` | `Microsoft.Sql/servers/databases` | `AZURE_SQL_DATABASE_NAME_FORMAT` +`Azure.SQL.JobAgentNaming` | `Microsoft.Sql/servers/jobAgents` | `AZURE_SQL_JOB_AGENT_NAME_FORMAT` +`Azure.SQL.ElasticPoolNaming` | `Microsoft.Sql/servers/elasticPools` | `AZURE_SQL_ELASTIC_POOL_NAME_FORMAT` +`Azure.SQLMI.Naming` | `Microsoft.Sql/managedInstances` | `AZURE_SQL_MI_NAME_FORMAT` `Azure.Storage.Naming` | `Microsoft.Storage/storageAccounts` | `AZURE_STORAGE_ACCOUNT_NAME_FORMAT` `Azure.Subscription.RequiredTags` | `Microsoft.Subscription/aliases` | `AZURE_SUBSCRIPTION_REQUIRED_TAGS` `Azure.VM.Naming` | `Microsoft.Compute/virtualMachines` | `AZURE_VIRTUAL_MACHINE_NAME_FORMAT` diff --git a/docs/updates/v1.47.md b/docs/updates/v1.47.md new file mode 100644 index 0000000000..4ad60c800c --- /dev/null +++ b/docs/updates/v1.47.md 
@@ -0,0 +1,68 @@ +--- +date: 2025-11-30 +version: 1.47 +discussion: false +draft: true +--- + +# November 2025 + +Install with: [GitHub Actions](../install.md#with-github-actions) | [Azure Pipelines](../install.md#with-azure-pipelines) | [PowerShell](../install.md#with-powershell) + +--- + +Welcome to the November 2025 release of PSRule for Azure. +This release includes new features, new rules and improvements to existing rules. + +See the [change log][1] or [GitHub history][2] for a complete list of changes. + +## Expanded support for CAF naming + +Support for CAF naming conventions has been expanded with new rules to cover additional resource types. +New resource types supported for enforcing naming conventions include: + +- `Microsoft.ContainerInstance/containerGroups` +- `Microsoft.ContainerRegistry/registries` +- `Microsoft.ContainerService/managedClusters` +- `Microsoft.ContainerService/managedClusters/agentPools` +- `Microsoft.App/containerApps` +- `Microsoft.App/managedEnvironments` +- `Microsoft.App/jobs` +- `Microsoft.DocumentDb/databaseAccounts` +- `Microsoft.DocumentDB/databaseAccounts/sqlDatabases` +- `Microsoft.DBforPostgreSQL/serverGroupsv2` +- `Microsoft.DBforMySQL/servers` +- `Microsoft.DBforMySQL/flexibleServers` +- `Microsoft.DBforPostgreSQL/servers` +- `Microsoft.DBforPostgreSQL/flexibleServers` +- `Microsoft.Cache/redis` +- `Microsoft.Cache/redisEnterprise` +- `Microsoft.ServiceFabric/clusters` +- `Microsoft.ServiceFabric/managedClusters` +- `Microsoft.Sql/servers` +- `Microsoft.Sql/servers/databases` +- `Microsoft.Sql/servers/elasticPools` +- `Microsoft.Sql/servers/jobAgents` +- `Microsoft.Sql/managedInstances` + +## Contributions + +We would like to thank the following contributors for their contributions to this release: + +- @BenjaminEngeset + +## Thank you + +Thanks for your continued support and feedback. +We are always looking for ways to improve the experience of using PSRule for Azure. 
+ +If you have any feedback or suggestions, please reach out to us on [GitHub Discussions][6] or [GitHub Issues][7]. + +If you'd like to contribute to the project, please check out our [contributing guide][8]. +We welcome contributions of all kinds, from rules, code, documentation, and samples. + + [1]: ../changelog.md#v1460 + [2]: https://github.com/Azure/PSRule.Rules.Azure/compare/v1.46.0...v1.47.0 + [6]: https://github.com/Azure/PSRule.Rules.Azure/discussions + [7]: https://github.com/Azure/PSRule.Rules.Azure/issues + [8]: ../license-contributing/get-started-contributing.md diff --git a/pipeline.build.ps1 b/pipeline.build.ps1 index 665b5f5943..d0515f48bf 100644 --- a/pipeline.build.ps1 +++ b/pipeline.build.ps1 @@ -402,6 +402,7 @@ task BuildRuleMetadataCache { Recommendation = $_.Info.Recommendation Pillar = $_.Tag.'Azure.WAF/pillar' Control = $_.Labels.'Azure.MCSB.v1/control' + Maturity = $_.Labels.'Azure.WAF/maturity' Source = "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/$(($_.Source.Path -split '[/\\]')[-1])" } } @@ -430,6 +431,7 @@ task BuildRuleMetadataCache { Recommendation = $_.Info.Recommendation Pillar = $_.Tag.'Azure.WAF/pillar' Control = $_.Labels.'Azure.MCSB.v1/control' + Maturity = $_.Labels.'Azure.WAF/maturity' Source = "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/$(($_.Source.Path -split '[/\\]')[-1])" } } diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACI.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ACI.Rule.ps1 new file mode 100644 index 0000000000..dc51c488ee --- /dev/null +++ b/src/PSRule.Rules.Azure/rules/Azure.ACI.Rule.ps1 
@@ -0,0 +1,15 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +# +# Validation rules for Azure Container Instances +# + +#region Rules + +# Synopsis: Container instances without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ACI.Naming' -Ref 'AZR-000505' -Type 'Microsoft.ContainerInstance/containerGroups' -If { $Configuration['AZURE_CONTAINER_INSTANCE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_INSTANCE_NAME_FORMAT, $True); +} + +#endregion Rules diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 index a4186fb73f..494401883d 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 @@ -75,6 +75,11 @@ Rule 'Azure.ACR.ReplicaLocation' -Ref 'AZR-000494' -Type 'Microsoft.ContainerReg } } +# Synopsis: Container registries without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ACR.Naming' -Ref 'AZR-000506' -Type 'Microsoft.ContainerRegistry/registries' -If { $Configuration['AZURE_CONTAINER_REGISTRY_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_REGISTRY_NAME_FORMAT, $True); +} + #endregion Rules #region Helper functions diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml index 78accb39d9..c39bd351c3 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml 
@@ -62,6 +62,7 @@ metadata: Azure.WAF/pillar: Operational Excellence labels: Azure.CAF: naming + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerRegistry/registries diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 index 67e99aa9da..a6d9b73129 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 
@@ -344,6 +344,33 @@ Rule 'Azure.AKS.MaintenanceWindow' -Ref 'AZR-000446' -Type 'Microsoft.ContainerS } } +# Synopsis: AKS clusters without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.AKS.Naming' -Ref 'AZR-000507' -Type 'Microsoft.ContainerService/managedClusters' -If { $Configuration['AZURE_AKS_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_AKS_CLUSTER_NAME_FORMAT, $True); +} + +# Synopsis: AKS system node pools without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000508' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_SYSTEM_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $agentPools = @(GetAgentPoolProfiles | Where-Object { $_.mode -eq 'System' }); + if ($agentPools.Length -eq 0) { + return $Assert.Pass(); + } + foreach ($agentPool in $agentPools) { + $Assert.Match($agentPool, 'name', $Configuration.AZURE_AKS_SYSTEM_POOL_NAME_FORMAT, $True); + } +} + +# Synopsis: AKS user node pools without a standard naming convention may be difficult to identify and manage. 
+Rule 'Azure.AKS.UserPoolNaming' -Ref 'AZR-000509' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_USER_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $agentPools = @(GetAgentPoolProfiles | Where-Object { $_.mode -eq 'User' }); + if ($agentPools.Length -eq 0) { + return $Assert.Pass(); + } + foreach ($agentPool in $agentPools) { + $Assert.Match($agentPool, 'name', $Configuration.AZURE_AKS_USER_POOL_NAME_FORMAT, $True); + } +} + #region Helper functions function global:GetAgentPoolProfiles { diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml index edd49222c9..abdd2c1378 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml @@ -317,6 +317,7 @@ metadata: Azure.WAF/pillar: Operational Excellence labels: Azure.CAF: naming + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerService/managedClusters diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 index ef19eab818..799a8c8f9a 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 
@@ -33,6 +33,21 @@ Rule 'Azure.ContainerApp.AvailabilityZone' -Ref 'AZR-000414' -Type 'Microsoft.Ap $Assert.HasFieldValue($TargetObject, 'properties.vnetConfiguration.infrastructureSubnetId'); } +# Synopsis: Container apps without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ContainerApp.Naming' -Ref 'AZR-000510' -Type 'Microsoft.App/containerApps' -If { $Configuration['AZURE_CONTAINER_APP_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_NAME_FORMAT, $True); +} + +# Synopsis: Container apps environments without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ContainerApp.EnvNaming' -Ref 'AZR-000511' -Type 'Microsoft.App/managedEnvironments' -If { $Configuration['AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT, $True); +} + +# Synopsis: Container apps jobs without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ContainerApp.JobNaming' -Ref 'AZR-000512' -Type 'Microsoft.App/jobs' -If { $Configuration['AZURE_CONTAINER_APP_JOB_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_JOB_NAME_FORMAT, $True); +} + #endregion Rules #region Helper functions 
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml index 7cd410809d..1e69c1306b 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml @@ -66,6 +66,7 @@ metadata: Azure.WAF/pillar: Operational Excellence labels: Azure.CAF: naming + Azure.WAF/maturity: L2 spec: type: - Microsoft.App/containerApps diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 index adae0e0410..07755b9aaa 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 
@@ -52,6 +52,41 @@ Rule 'Azure.Cosmos.MongoAvailabilityZone' -Ref 'AZR-000503' -Type 'Microsoft.Doc } } +# Synopsis: Azure Cosmos DB for Apache Cassandra accounts without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.CassandraNaming' -Ref 'AZR-000513' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsCassandra' -If { $Configuration['AZURE_COSMOS_CASSANDRA_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_CASSANDRA_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB for MongoDB accounts without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.MongoNaming' -Ref 'AZR-000514' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_MONGO_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'MongoDB' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_MONGO_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB for NoSQL accounts without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.NoSQLNaming' -Ref 'AZR-000515' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_NOSQL_NAME_FORMAT'] -ne '' -and (Test-IsNoSQL) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_NOSQL_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB for Table accounts without a standard naming convention may be difficult to identify and manage. 
+Rule 'Azure.Cosmos.TableNaming' -Ref 'AZR-000516' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsTable' -If { $Configuration['AZURE_COSMOS_TABLE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_TABLE_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB for Apache Gremlin accounts without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.GremlinNaming' -Ref 'AZR-000517' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsGremlin' -If { $Configuration['AZURE_COSMOS_GREMLIN_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_GREMLIN_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB PostgreSQL clusters without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.PostgreSQLNaming' -Ref 'AZR-000518' -Type 'Microsoft.DBforPostgreSQL/serverGroupsv2' -If { $Configuration['AZURE_COSMOS_POSTGRESQL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_POSTGRESQL_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB databases without a standard naming convention may be difficult to identify and manage. 
+Rule 'Azure.Cosmos.DatabaseNaming' -Ref 'AZR-000519' -Type 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases' -If { $Configuration['AZURE_COSMOS_DATABASE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_DATABASE_NAME_FORMAT, $True); +} + #endregion Rules #region Helper functions diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml index 4f1b6bae42..f44e2bb2e5 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml @@ -40,6 +40,7 @@ metadata: Azure.WAF/pillar: Operational Excellence labels: Azure.CAF: naming + Azure.WAF/maturity: L2 spec: type: - Microsoft.DocumentDb/databaseAccounts diff --git a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 index 3b888fc810..146096c63b 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 @@ -203,3 +203,12 @@ function global:MySQLSingleServerAAD { } #endregion Helper functions + +#region Naming rules + +# Synopsis: MySQL databases without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.MySQL.ServerNaming' -Ref 'AZR-000521' -Type 'Microsoft.DBforMySQL/servers', 'Microsoft.DBforMySQL/flexibleServers' -If { $Configuration['AZURE_MYSQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_MYSQL_SERVER_NAME_FORMAT, $True); +} + +#endregion Naming rules 
diff --git a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 index 5fa6650169..7f27d774ad 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 @@ -166,3 +166,12 @@ function global:PostgreSQLSingleServerAAD { } #endregion Helper functions + +#region Naming rules + +# Synopsis: PostgreSQL databases without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.PostgreSQL.ServerNaming' -Ref 'AZR-000522' -Type 'Microsoft.DBforPostgreSQL/servers', 'Microsoft.DBforPostgreSQL/flexibleServers' -If { $Configuration['AZURE_POSTGRESQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_POSTGRESQL_SERVER_NAME_FORMAT, $True); +} + +#endregion Naming rules diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 index 4e53f43fb6..04f8953b85 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 @@ -192,3 +192,12 @@ function global:HasPublicNetworkAccess { } #endregion Helper functions + +#region Naming rules + +# Synopsis: Azure Cache for Redis instances without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Redis.Naming' -Ref 'AZR-000523' -Type 'Microsoft.Cache/Redis' -If { $Configuration['AZURE_REDIS_CACHE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_REDIS_CACHE_NAME_FORMAT, $True); +} + +#endregion Naming rules 
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml index 8361a54035..0118769afe 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml @@ -161,4 +161,40 @@ spec: - field: properties.sku.name exists: true +--- +# Synopsis: Azure Cache for Redis with Enterprise SKU. +apiVersion: github.com/microsoft/PSRule/v1 +kind: Selector +metadata: + name: Azure.Redis.IsEnterprise + annotations: + export: false +spec: + if: + allOf: + - type: '.' + equals: Microsoft.Cache/redisEnterprise + - field: sku.name + startsWith: + - 'Enterprise_' + - 'EnterpriseFlash_' + +--- +# Synopsis: Azure Managed Redis. +apiVersion: github.com/microsoft/PSRule/v1 +kind: Selector +metadata: + name: Azure.Redis.IsManaged + annotations: + export: false +spec: + if: + allOf: + - type: '.' + equals: Microsoft.Cache/redisEnterprise + - field: sku.name + notStartsWith: + - 'Enterprise_' + - 'EnterpriseFlash_' + #endregion Selectors diff --git a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 new file mode 100644 index 0000000000..cf7d1a1fc8 --- /dev/null +++ b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 
@@ -0,0 +1,15 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +# +# Validation rules for Azure Managed Redis (Redis Enterprise) +# + +#region Naming rules + +# Synopsis: Azure Managed Redis instances without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.RedisEnterprise.Naming' -Ref 'AZR-000524' -Type 'Microsoft.Cache/RedisEnterprise' -With 'Azure.Redis.IsEnterprise' -If { $Configuration['AZURE_REDIS_ENTERPRISE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_REDIS_ENTERPRISE_NAME_FORMAT, $True); +} + +#endregion Naming rules diff --git a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml index ca06cf4638..dc32adcbee 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml @@ -23,7 +23,9 @@ metadata: Azure.WAF/maturity: L1 spec: type: - - Microsoft.Cache/redisEnterprise + - Microsoft.Cache/redisEnterprise + with: + - Azure.Redis.IsEnterprise condition: field: properties.minimumTlsVersion hasDefault: '1.2' diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 index b5a8765991..fad5a70dbb 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 
@@ -79,7 +79,7 @@ Rule 'Azure.SQL.AAD' -Ref 'AZR-000188' -Type 'Microsoft.Sql/servers', 'Microsoft } # Synopsis: Azure SQL logical server names should meet naming requirements. -Rule 'Azure.SQL.ServerName' -Ref 'AZR-000190' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } -Labels @{ 'Azure.CAF' = 'naming' } { +Rule 'Azure.SQL.ServerName' -Ref 'AZR-000190' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2'; } { # https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftsql # Between 1 and 63 characters long @@ -151,7 +151,7 @@ Rule 'Azure.SQL.TDE' -Ref 'AZR-000191' -Type 'Microsoft.Sql/servers/databases', } # Synopsis: Azure SQL Database names should meet naming requirements. -Rule 'Azure.SQL.DBName' -Ref 'AZR-000192' -Type 'Microsoft.Sql/servers/databases' -If { !(IsExport) } -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } -Labels @{ 'Azure.CAF' = 'naming' } { +Rule 'Azure.SQL.DBName' -Ref 'AZR-000192' -Type 'Microsoft.Sql/servers/databases' -If { !(IsExport) } -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2'; } { # https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftsql $name = $PSRule.TargetName.Split('/', 2, [System.StringSplitOptions]::RemoveEmptyEntries)[-1]; 
@@ -255,3 +255,27 @@ function global:IsMasterDatabase { } #endregion Helper functions + +#region Naming rules + +# Synopsis: Azure SQL Database servers without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.SQL.ServerNaming' -Ref 'AZR-000525' -Type 'Microsoft.Sql/servers' -If { $Configuration['AZURE_SQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_SERVER_NAME_FORMAT, $True); +} + +# Synopsis: Azure SQL databases without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.SQL.DBNaming' -Ref 'AZR-000526' -Type 'Microsoft.Sql/servers/databases' -If { $Configuration['AZURE_SQL_DATABASE_NAME_FORMAT'] -ne '' -and !(IsMasterDatabase) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_DATABASE_NAME_FORMAT, $True); +} + +# Synopsis: Azure SQL Elastic Job agents without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.SQL.JobAgentNaming' -Ref 'AZR-000527' -Type 'Microsoft.Sql/servers/jobAgents' -If { $Configuration['AZURE_SQL_JOB_AGENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_JOB_AGENT_NAME_FORMAT, $True); +} + +# Synopsis: Azure SQL Elastic Pools without a standard naming convention may be difficult to identify and manage. 
+Rule 'Azure.SQL.ElasticPoolNaming' -Ref 'AZR-000528' -Type 'Microsoft.Sql/servers/elasticPools' -If { $Configuration['AZURE_SQL_ELASTIC_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_ELASTIC_POOL_NAME_FORMAT, $True); +} + +#endregion Naming rules diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 index c1e7e3fc6a..72e6b3fb01 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 @@ -62,4 +62,9 @@ Rule 'Azure.SQLMI.MaintenanceWindow' -Ref 'AZR-000441' -Type 'Microsoft.Sql/mana ) } +# Synopsis: SQL Managed Instances without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.SQLMI.Naming' -Ref 'AZR-000529' -Type 'Microsoft.Sql/managedInstances' -If { $Configuration['AZURE_SQL_MI_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_MI_NAME_FORMAT, $True); +} + #endregion SQL Managed Instance diff --git a/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1 new file mode 100644 index 0000000000..8d1bb086cb --- /dev/null +++ b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1 
@@ -0,0 +1,20 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +# +# Validation rules for Service Fabric +# + +#region Naming rules + +# Synopsis: Service Fabric clusters without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ServiceFabric.Naming' -Ref 'AZR-000530' -Type 'Microsoft.ServiceFabric/clusters' -If { $Configuration['AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT, $True); +} + +# Synopsis: Service Fabric managed clusters without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ServiceFabric.ManagedNaming' -Ref 'AZR-000531' -Type 'Microsoft.ServiceFabric/managedClusters' -If { $Configuration['AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT, $True); +} + +#endregion Naming rules diff --git a/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml b/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml index d882dd7eb1..222db8103a 100644 --- a/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml @@ -16,6 +16,28 @@ spec: rule: tag: release: GA + ruleSet: + - '2020_06' + - '2020_09' + - '2020_12' + - '2021_03' + - '2021_06' + - '2021_09' + - '2021_12' + - '2022_03' + - '2022_06' + - '2022_09' + - '2022_12' + - '2023_03' + - '2023_06' + - '2023_09' + - '2023_12' + - '2024_03' + - '2024_06' + - '2024_09' + - '2024_12' + - '2025_03' + - '2025_06' labels: Azure.CAF: '*' 
@@ -52,6 +74,28 @@ spec: rule: tag: release: GA + ruleSet: + - '2020_06' + - '2020_09' + - '2020_12' + - '2021_03' + - '2021_06' + - '2021_09' + - '2021_12' + - '2022_03' + - '2022_06' + - '2022_09' + - '2022_12' + - '2023_03' + - '2023_06' + - '2023_09' + - '2023_12' + - '2024_03' + - '2024_06' + - '2024_09' + - '2024_12' + - '2025_03' + - '2025_06' labels: Azure.CAF: '*' @@ -88,6 +132,28 @@ spec: rule: tag: release: GA + ruleSet: + - '2020_06' + - '2020_09' + - '2020_12' + - '2021_03' + - '2021_06' + - '2021_09' + - '2021_12' + - '2022_03' + - '2022_06' + - '2022_09' + - '2022_12' + - '2023_03' + - '2023_06' + - '2023_09' + - '2023_12' + - '2024_03' + - '2024_06' + - '2024_09' + - '2024_12' + - '2025_03' + - '2025_06' labels: Azure.CAF: '*' 
@@ -108,3 +174,65 @@ spec: AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: 'vgw-' AZURE_VNET_NAME_FORMAT: '^vnet-' AZURE_VNET_SUBNET_NAME_FORMAT: '^snet-' + +# --- +# # Synopsis: Includes rules related to Azure CAF based on a December 2025 snapshot. +# apiVersion: github.com/microsoft/PSRule/v1 +# kind: Baseline +# metadata: +# name: Azure.CAF_2025_12 +# annotations: +# taxonomy: Azure.CAF +# export: true +# moduleVersion: v1.48.0 +# experimental: true +# spec: +# rule: +# tag: +# release: GA +# labels: +# Azure.CAF: '*' + +# configuration: +# AZURE_AI_SEARCH_NAME_FORMAT: '^srch-' +# AZURE_AI_SERVICES_NAME_FORMAT: '^aif-' +# AZURE_AKS_CLUSTER_NAME_FORMAT: '^aks-' +# AZURE_AKS_SYSTEM_POOL_NAME_FORMAT: '^npsystem' +# AZURE_AKS_USER_POOL_NAME_FORMAT: '^np' +# AZURE_CONTAINER_APP_NAME_FORMAT: '^ca-' +# AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT: '^cae-' +# AZURE_CONTAINER_APP_JOB_NAME_FORMAT: '^caj-' +# AZURE_CONTAINER_REGISTRY_NAME_FORMAT: '^cr' +# AZURE_CONTAINER_INSTANCE_NAME_FORMAT: '^ci-' +# AZURE_COSMOS_CASSANDRA_NAME_FORMAT: '^coscas-' +# AZURE_COSMOS_MONGO_NAME_FORMAT: '^cosmon-' +# AZURE_COSMOS_NOSQL_NAME_FORMAT: '^cosno-' +# AZURE_COSMOS_TABLE_NAME_FORMAT: '^costab-' +# AZURE_COSMOS_GREMLIN_NAME_FORMAT: '^cosgrm-' +# AZURE_COSMOS_POSTGRESQL_NAME_FORMAT: '^cospos-' +# AZURE_COSMOS_DATABASE_NAME_FORMAT: '^cosmos-' +# AZURE_EVENTGRID_DOMAIN_NAME_FORMAT: '^evgd-' +# AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT: '^evgt-' +# AZURE_EVENTGRID_SYSTEM_TOPIC_NAME_FORMAT: '^egst-' +# AZURE_GATEWAY_CONNECTION_NAME_FORMAT: '^con-' +# AZURE_LOAD_BALANCER_NAME_FORMAT: '^(lbi|lbe)-' +# AZURE_MYSQL_SERVER_NAME_FORMAT: '^mysql-' +# AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT: '^nsg-' +# AZURE_POSTGRESQL_SERVER_NAME_FORMAT: '^psql-' +# AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT: '^pip-' +# AZURE_REDIS_CACHE_NAME_FORMAT: '^redis-' +# AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '^redis-' +# AZURE_RESOURCE_GROUP_NAME_FORMAT: '^rg-' +# AZURE_ROUTE_TABLE_NAME_FORMAT: '^rt-' +# 
AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT: '^sf-' +# AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT: '^sfmc-' +# AZURE_SQL_SERVER_NAME_FORMAT: '^sql-' +# AZURE_SQL_DATABASE_NAME_FORMAT: '^sqldb-' +# AZURE_SQL_JOB_AGENT_NAME_FORMAT: '^sqlja-' +# AZURE_SQL_ELASTIC_POOL_NAME_FORMAT: '^sqlep-' +# AZURE_SQL_MI_NAME_FORMAT: '^sqlmi-' +# AZURE_STORAGE_ACCOUNT_NAME_FORMAT: '^(st|stvm)' +# AZURE_VIRTUAL_MACHINE_NAME_FORMAT: '^vm' +# AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: 'vgw-' +# AZURE_VNET_NAME_FORMAT: '^vnet-' +# AZURE_VNET_SUBNET_NAME_FORMAT: '^snet-' diff --git a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml index bce03e1709..0ba9df86ee 100644 --- a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml 
@@ -91,17 +91,43 @@ spec: # Name format defaults. AZURE_AI_SEARCH_NAME_FORMAT: '' AZURE_AI_SERVICES_NAME_FORMAT: '' + AZURE_AKS_CLUSTER_NAME_FORMAT: '' + AZURE_AKS_SYSTEM_POOL_NAME_FORMAT: '' + AZURE_AKS_USER_POOL_NAME_FORMAT: '' AZURE_APP_INSIGHTS_NAME_FORMAT: '' + AZURE_CONTAINER_APP_NAME_FORMAT: '' + AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT: '' + AZURE_CONTAINER_APP_JOB_NAME_FORMAT: '' + AZURE_CONTAINER_INSTANCE_NAME_FORMAT: '' + AZURE_CONTAINER_REGISTRY_NAME_FORMAT: '' + AZURE_COSMOS_CASSANDRA_NAME_FORMAT: '' + AZURE_COSMOS_DATABASE_NAME_FORMAT: '' + AZURE_COSMOS_GREMLIN_NAME_FORMAT: '' + AZURE_COSMOS_MONGO_NAME_FORMAT: '' + AZURE_COSMOS_NOSQL_NAME_FORMAT: '' + AZURE_COSMOS_POSTGRESQL_NAME_FORMAT: '' + AZURE_COSMOS_TABLE_NAME_FORMAT: '' AZURE_EVENTGRID_DOMAIN_NAME_FORMAT: '' AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT: '' AZURE_EVENTGRID_SYSTEM_TOPIC_NAME_FORMAT: '' AZURE_GATEWAY_CONNECTION_NAME_FORMAT: '' AZURE_LOAD_BALANCER_NAME_FORMAT: '' AZURE_LOG_WORKSPACE_NAME_FORMAT: '' + AZURE_MYSQL_SERVER_NAME_FORMAT: '' AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT: '' + AZURE_POSTGRESQL_SERVER_NAME_FORMAT: '' AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT: '' + AZURE_REDIS_CACHE_NAME_FORMAT: '' + AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '' AZURE_RESOURCE_GROUP_NAME_FORMAT: '' AZURE_ROUTE_TABLE_NAME_FORMAT: '' + AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT: '' + AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT: '' + AZURE_SQL_DATABASE_NAME_FORMAT: '' + AZURE_SQL_ELASTIC_POOL_NAME_FORMAT: '' + AZURE_SQL_JOB_AGENT_NAME_FORMAT: '' + AZURE_SQL_MI_NAME_FORMAT: '' + AZURE_SQL_SERVER_NAME_FORMAT: '' AZURE_STORAGE_ACCOUNT_NAME_FORMAT: '' AZURE_VIRTUAL_MACHINE_NAME_FORMAT: '' AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: '' diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ACI.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ACI.Tests.ps1 new file mode 100644 index 0000000000..0cf2a91de9 --- /dev/null +++ b/tests/PSRule.Rules.Azure.Tests/Azure.ACI.Tests.ps1 
@@ -0,0 +1,67 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +# +# Unit tests for Container Instances +# + +[CmdletBinding()] +param () + +BeforeAll { + # Setup error handling + $ErrorActionPreference = 'Stop'; + Set-StrictMode -Version latest; + + if ($Env:SYSTEM_DEBUG -eq 'true') { + $VerbosePreference = 'Continue'; + } + + # Setup tests paths + $rootPath = $PWD; + Import-Module (Join-Path -Path $rootPath -ChildPath out/modules/PSRule.Rules.Azure) -Force; + $here = (Resolve-Path $PSScriptRoot).Path; +} + +Describe 'Azure.ACI' -Tag 'ACI' { + Context 'Resource naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_CONTAINER_INSTANCE_NAME_FORMAT' = '^ci-' + }; + + $names = @('instance-001', 'ci-001', 'CI-001') + $items = @($names | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerInstance/containerGroups' + } + }); + + $result = $items | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.ACI.Naming' + } + + It 'Azure.ACI.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ACI.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'instance-001', 'CI-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'ci-001'; + } + } +} diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1 index f747fbd08a..2357cdcdbc 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1 
@@ -362,4 +362,50 @@ Describe 'Azure.ACR' -Tag 'ACR' { $ruleResult.Detail.Reason.Path | Should -BeIn 'name'; } } + + Context 'Resource naming format' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_CONTAINER_REGISTRY_NAME_FORMAT' = '^cr' + }; + + $names = @( + 'registry001' + 'cr001' + 'CR001' + ) + + $items = @($names | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerRegistry/registries' + } + }); + + $result = $items | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.ACR.Naming' + } + + It 'Azure.ACR.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ACR.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'registry001', 'CR001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cr001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 index 9e507654a8..8402e473cb 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 
@@ -1451,4 +1451,116 @@ Describe 'Azure.AKS' -Tag AKS { $ruleResult.TargetName | Should -BeIn 'cluster-D', 'cluster-J'; } } + + Context 'Resource name' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_AKS_CLUSTER_NAME_FORMAT' = '^aks-' + 'AZURE_AKS_SYSTEM_POOL_NAME_FORMAT' = '^npsystem' + 'AZURE_AKS_USER_POOL_NAME_FORMAT' = '^np' + }; + + $clusterNames = @( + 'cluster-001' + 'aks-001' + 'AKS-001' + ) + + $systemPoolNames = @( + 'agentpool' + 'npsystem001' + 'NPSYSTEM001' + ) + + $userPoolNames = @( + 'userpool' + 'np001' + 'NP001' + ) + + $clusterItems = @($clusterNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerService/managedClusters' + } + }); + + $systemPoolItems = @($systemPoolNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerService/managedClusters/agentPools' + Properties = @{ + mode = 'System' + } + } + }); + + $userPoolItems = @($userPoolNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerService/managedClusters/agentPools' + Properties = @{ + mode = 'User' + } + } + }); + + $result = @($clusterItems + $systemPoolItems + $userPoolItems) | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.AKS.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.AKS.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'cluster-001', 'AKS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'aks-001'; + } + + It 'Azure.AKS.SystemPoolNaming' { + 
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.AKS.SystemPoolNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.TargetName | Should -Be 'agentpool', 'NPSYSTEM001'; + $ruleResult.Length | Should -Be 2; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.TargetName | Should -BeIn @('cluster-001', 'aks-001', 'AKS-001', 'npsystem001', 'userpool', 'NP001', 'np001'); + $ruleResult.Length | Should -Be 7; + } + + It 'Azure.AKS.UserPoolNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.AKS.UserPoolNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'userpool', 'NP001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.TargetName | Should -BeIn @('cluster-001', 'aks-001', 'AKS-001', 'agentpool', 'npsystem001', 'NPSYSTEM001', 'np001'); + $ruleResult.Length | Should -Be 7; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 index 02e7a0657d..9724e10459 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 
@@ -255,4 +255,114 @@ Describe 'Azure.ContainerApp' -Tag 'ContainerApp' { $ruleResult.Outcome | Should -Be 'Fail'; } } + + Context 'Resource naming format' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_CONTAINER_APP_NAME_FORMAT' = '^ca-' + 'AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT' = '^cae-' + 'AZURE_CONTAINER_APP_JOB_NAME_FORMAT' = '^caj-' + }; + + $appNames = @( + 'app-001' + 'ca-001' + 'CA-001' + ) + + $envNames = @( + 'env-001' + 'cae-001' + 'CAE-001' + ) + + $jobNames = @( + 'job-001' + 'caj-001' + 'CAJ-001' + ) + + $appItems = @($appNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.App/containerApps' + } + }); + + $envItems = @($envNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.App/managedEnvironments' + } + }); + + $jobItems = @($jobNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.App/jobs' + } + }); + + $result = @($appItems + $envItems + $jobItems) | Invoke-PSRule @invokeParams -Option $option -Name @( + 'Azure.ContainerApp.Naming' + 'Azure.ContainerApp.EnvNaming' + 'Azure.ContainerApp.JobNaming' + ) + } + + It 'Azure.ContainerApp.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ContainerApp.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'app-001', 'CA-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'ca-001'; + } + + It 'Azure.ContainerApp.EnvNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ContainerApp.EnvNaming' }; + + 
# Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'env-001', 'CAE-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cae-001'; + } + + It 'Azure.ContainerApp.JobNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ContainerApp.JobNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'job-001', 'CAJ-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'caj-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1 index 0d07b4ce57..9f498bff58 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1 
@@ -277,4 +277,222 @@ Describe 'Azure.Cosmos' -Tag 'Cosmos', 'CosmosDB' { $ruleResult.TargetName | Should -BeIn 'nosql-C'; } } + + Context 'Resource naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_COSMOS_NOSQL_NAME_FORMAT' = '^cosno-' + 'AZURE_COSMOS_MONGO_NAME_FORMAT' = '^cosmon-' + 'AZURE_COSMOS_CASSANDRA_NAME_FORMAT' = '^coscas-' + 'AZURE_COSMOS_TABLE_NAME_FORMAT' = '^costab-' + 'AZURE_COSMOS_GREMLIN_NAME_FORMAT' = '^cosgrm-' + 'AZURE_COSMOS_DATABASE_NAME_FORMAT' = '^cosmos-' + 'AZURE_COSMOS_POSTGRESQL_NAME_FORMAT' = '^cospos-' + }; + + $nosqlNames = @('account-001', 'cosno-001', 'COSNO-001') + $mongoNames = @('mongo-001', 'cosmon-001', 'COSMON-001') + $cassandraNames = @('cassandra-001', 'coscas-001', 'COSCAS-001') + $tableNames = @('table-001', 'costab-001', 'COSTAB-001') + $gremlinNames = @('gremlin-001', 'cosgrm-001', 'COSGRM-001') + $dbNames = @('db-001', 'cosmos-001', 'COSMOS-001') + $postgresNames = @('postgres-001', 'cospos-001', 'COSPOS-001') + + $nosqlItems = @($nosqlNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'GlobalDocumentDB' + Properties = @{ + capabilities = @() + } + } + }); + + $mongoItems = @($mongoNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'MongoDB' + Properties = @{ } + } + }); + + $cassandraItems = @($cassandraNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'GlobalDocumentDB' + Properties = @{ + capabilities = @(@{ name = 'EnableCassandra' }) + } + } + }); + + $tableItems = @($tableNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'GlobalDocumentDB' + Properties = @{ + capabilities = @(@{ name = 
'EnableTable' }) + } + } + }); + + $gremlinItems = @($gremlinNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'GlobalDocumentDB' + Properties = @{ + capabilities = @(@{ name = 'EnableGremlin' }) + } + } + }); + + $dbItems = @($dbNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases' + } + }); + + $postgresItems = @($postgresNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DBforPostgreSQL/serverGroupsv2' + } + }); + + $result = @($nosqlItems + $mongoItems + $cassandraItems + $tableItems + $gremlinItems + $dbItems + $postgresItems) | Invoke-PSRule @invokeParams -Option $option -Name @( + 'Azure.Cosmos.NoSQLNaming' + 'Azure.Cosmos.MongoNaming' + 'Azure.Cosmos.CassandraNaming' + 'Azure.Cosmos.TableNaming' + 'Azure.Cosmos.GremlinNaming' + 'Azure.Cosmos.DatabaseNaming' + 'Azure.Cosmos.PostgreSQLNaming' + ) + } + + It 'Azure.Cosmos.NoSQLNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.NoSQLNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'account-001', 'COSNO-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosno-001'; + } + + It 'Azure.Cosmos.MongoNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.MongoNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'mongo-001', 'COSMON-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { 
$_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosmon-001'; + } + + It 'Azure.Cosmos.CassandraNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.CassandraNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'cassandra-001', 'COSCAS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'coscas-001'; + } + + It 'Azure.Cosmos.TableNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.TableNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'table-001', 'COSTAB-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'costab-001'; + } + + It 'Azure.Cosmos.GremlinNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.GremlinNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'gremlin-001', 'COSGRM-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosgrm-001'; + } + + It 'Azure.Cosmos.DatabaseNaming' { + 
$filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.DatabaseNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'db-001', 'COSMOS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosmos-001'; + } + + It 'Azure.Cosmos.PostgreSQLNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.PostgreSQLNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'postgres-001', 'COSPOS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cospos-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 index 9acede88c8..eb0e5f4377 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 
@@ -309,4 +309,45 @@ Describe 'Azure.MySQL' -Tag 'MySql' { $ruleResult.Outcome | Should -Be 'Fail'; } } + + Context 'Resource naming format' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_MYSQL_SERVER_NAME_FORMAT' = '^mysql-' + }; + + $names = @('myserver-001', 'mysql-001', 'MYSQL-001') + $items = @($names | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DBforMySQL/servers' + } + }); + + $result = $items | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.MySQL.ServerNaming' + } + + It 'Azure.MySQL.ServerNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.MySQL.ServerNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'myserver-001', 'MYSQL-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'mysql-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1 index 3a3ef7ee7f..8d9f7f3f73 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1 
@@ -285,4 +285,45 @@ Describe 'Azure.PostgreSQL' -Tag 'PostgreSQL' { $ruleResult.Outcome | Should -Be 'Fail'; } } + + Context 'Resource naming format' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_POSTGRESQL_SERVER_NAME_FORMAT' = '^psql-' + }; + + $names = @('pgserver-001', 'psql-001', 'PSQL-001') + $items = @($names | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DBforPostgreSQL/servers' + } + }); + + $result = $items | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.PostgreSQL.ServerNaming' + } + + It 'Azure.PostgreSQL.ServerNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.PostgreSQL.ServerNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'pgserver-001', 'PSQL-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'psql-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 index dede38e472..f50fadd545 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 
@@ -534,4 +534,71 @@ Describe 'Azure.Redis' -Tag 'Redis' { $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R'; } } + + Context 'Resource naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_REDIS_CACHE_NAME_FORMAT' = '^redis-' + 'AZURE_REDIS_ENTERPRISE_NAME_FORMAT' = '^redis-' + }; + + $cacheNames = @('cache-001', 'redis-001', 'REDIS-001') + + $cacheItems = @($cacheNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Cache/Redis' + } + + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Cache/RedisEnterprise' + SKU = [PSCustomObject]@{ + Name = "Enterprise_E10" + } + } + }); + + $result = $cacheItems | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.Redis.Naming', 'Azure.RedisEnterprise.Naming' + } + + It 'Azure.Redis.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Redis.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'cache-001', 'REDIS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'redis-001'; + } + + It 'Azure.RedisEnterprise.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.RedisEnterprise.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.TargetName | Should -BeIn 'cache-001', 'REDIS-001'; + $ruleResult.Length | Should -Be 2; + + # Pass + $ruleResult = 
@($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.TargetName | Should -Be 'redis-001'; + $ruleResult.Length | Should -Be 1; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 index bf0cbe3dcb..f50bda0b14 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 
@@ -457,4 +457,126 @@ Describe 'Azure.SQL' -Tag 'SQL', 'SQLDB' { $ruleResult.TargetName | Should -BeIn 'sql-sql-01/sqldb-sql-01'; } } + + Context 'Resource naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_SQL_SERVER_NAME_FORMAT' = '^sql-' + 'AZURE_SQL_DATABASE_NAME_FORMAT' = '^sqldb-' + 'AZURE_SQL_JOB_AGENT_NAME_FORMAT' = '^sqlja-' + 'AZURE_SQL_ELASTIC_POOL_NAME_FORMAT' = '^sqlep-' + }; + + $serverNames = @('server-001', 'sql-001', 'SQL-001') + $dbNames = @('database-001', 'sqldb-001', 'SQLDB-001') + $jobAgentNames = @('agent-001', 'sqlja-001', 'SQLJA-001') + $poolNames = @('pool-001', 'sqlep-001', 'SQLEP-001') + + $serverItems = @($serverNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/servers' + } + }); + + $dbItems = @($dbNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/servers/databases' + } + }); + + $jobAgentItems = @($jobAgentNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/servers/jobAgents' + } + }); + + $poolItems = @($poolNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/servers/elasticPools' + } + }); + + $result = @($serverItems + $dbItems + $jobAgentItems + $poolItems) | Invoke-PSRule @invokeParams -Option $option -Name @( + 'Azure.SQL.ServerNaming' + 'Azure.SQL.DBNaming' + 'Azure.SQL.JobAgentNaming' + 'Azure.SQL.ElasticPoolNaming' + ) + } + + It 'Azure.SQL.ServerNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.ServerNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'server-001', 'SQL-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome 
-eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sql-001'; + } + + It 'Azure.SQL.DBNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.DBNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'database-001', 'SQLDB-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sqldb-001'; + } + + It 'Azure.SQL.JobAgentNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.JobAgentNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'agent-001', 'SQLJA-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sqlja-001'; + } + + It 'Azure.SQL.ElasticPoolNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.ElasticPoolNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'pool-001', 'SQLEP-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sqlep-001'; + } + } } 
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1 index 4fae748c71..2fa644bb3f 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1 @@ -156,4 +156,45 @@ Describe 'Azure.SQLMI' -Tag 'SQLMI' { $ruleResult.Outcome | Should -Be 'Fail'; } } + + Context 'Resource naming format' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_SQL_MI_NAME_FORMAT' = '^sqlmi-' + }; + + $names = @('mi-001', 'sqlmi-001', 'SQLMI-001') + $items = @($names | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/managedInstances' + } + }); + + $result = $items | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.SQLMI.Naming'; + } + + It 'Azure.SQLMI.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQLMI.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'mi-001', 'SQLMI-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sqlmi-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1 index 07e7e066ea..29ec9fe17e 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1 
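Review bot: `Azure.SQLMI.Naming` is only exercised with `AZURE_SQL_MI_NAME_FORMAT` set; add a case that runs without the `-Option` so the behaviour when no format is configured is pinned. Since `SQLMI-001` is expected to fail against `^sqlmi-`, the rule documentation for the option should state that the format is a case-sensitive regular expression (PowerShell's `-match` is case-insensitive by default, so readers will not assume this). Minor: the Context is named `Resource naming format` here and `Resource naming` in the SQL and Service Fabric test files; align them.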
@@ -88,4 +88,74 @@ Describe 'Azure.ServiceFabric' -Tag 'ServiceFabric' { $ruleResult.TargetName | Should -BeIn 'cluster-001'; } } + + Context 'Resource naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT' = '^sf-' + 'AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT' = '^sfmc-' + }; + + $clusterNames = @('cluster-001', 'sf-001', 'SF-001') + $managedClusterNames = @('managed-001', 'sfmc-001', 'SFMC-001') + + $clusterItems = @($clusterNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ServiceFabric/clusters' + } + }); + + $managedClusterItems = @($managedClusterNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ServiceFabric/managedClusters' + } + }); + + $result = @($clusterItems + $managedClusterItems) | Invoke-PSRule @invokeParams -Option $option -Name @( + 'Azure.ServiceFabric.Naming' + 'Azure.ServiceFabric.ManagedNaming' + ) + } + + It 'Azure.ServiceFabric.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ServiceFabric.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'cluster-001', 'SF-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sf-001'; + } + + It 'Azure.ServiceFabric.ManagedNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ServiceFabric.ManagedNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + 
$ruleResult.TargetName | Should -BeIn 'managed-001', 'SFMC-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sfmc-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json b/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json index 3b44284613..fddb402eb5 100644 --- a/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json +++ b/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json @@ -1,9 +1,8 @@ [ { "Name": "redis-A", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-A", - "ResourceName": "redis-A", - "ResourceType": "Microsoft.Cache/Redis", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-A", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -45,9 +44,8 @@ }, { "Name": "redis-B", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-B", - "ResourceName": "redis-B", - "ResourceType": "Microsoft.Cache/Redis", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-B", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -375,7 +373,7 @@ ], "ResourceGroupName": "test-rg", "Type": "Microsoft.Cache/Redis", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ExtensionResourceType": null, "Sku": null, "Tags": null, 
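Review bot: the object in the `@@ -375,7 +373,7 @@` hunk of `Resources.Redis.json` ends up with both `"Type": "Microsoft.Cache/Redis"` (the kept context line) and the new `"type": "Microsoft.Cache/Redis"`. Keys that differ only by case are rejected as duplicates by case-insensitive JSON readers (Windows PowerShell's `ConvertFrom-Json` throws on them), so whether this fixture loads depends on which reader picks it up; drop the old `Type` line in the same edit. The `@@ -554,7 +552,7 @@` hunk below has the same `Type`/`type` pair.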
@@ -554,7 +552,7 @@ ], "ResourceGroupName": "test-rg", "Type": "Microsoft.Cache/Redis", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ExtensionResourceType": null, "Sku": null, "Tags": null, @@ -567,7 +565,7 @@ "Name": "redis-E", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-E", "ResourceName": "redis-E", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -737,7 +735,7 @@ "Name": "redis-F", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-F", "ResourceName": "redis-F", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -772,7 +770,7 @@ "Name": "redis-G", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-G", "ResourceName": "redis-G", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -808,7 +806,7 @@ "Name": "redis-H", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-H", "ResourceName": "redis-H", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "Antarctica North", "SubscriptionId": "00000000-0000-0000-0000-000000000000", 
@@ -840,7 +838,7 @@ "Name": "redis-I", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-I", "ResourceName": "redis-I", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "antarcticasouth", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -872,7 +870,7 @@ "Name": "redis-J", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-G", "ResourceName": "redis-J", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -905,10 +903,9 @@ ] }, { - "Name": "redis-K", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Microsoft.Cache/redisEnterprise/redis-K", - "ResourceName": "redis-K", - "ResourceType": "Microsoft.Cache/redisEnterprise", + "name": "redis-K", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Microsoft.Cache/redisEnterprise/redis-K", + "type": "Microsoft.Cache/redisEnterprise", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", 
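Review bot: the new `id` for `redis-K` carries over the doubled provider segment `providers/Microsoft.Cache/Microsoft.Cache/redisEnterprise/redis-K` from the old `ResourceId`, and the `redis-J` hunk leaves its `ResourceId` ending in `/Redis/redis-G` while `ResourceName` is `redis-J`. Neither defect is introduced here, but both objects are being edited, and because this change moves the fixture onto `id`/`type` as the identity fields, a malformed id is exactly the kind of fixture error that masks binding bugs; fix both while you are in this file.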
@@ -928,10 +925,9 @@ ] }, { - "Name": "redis-L", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-L", - "ResourceName": "redis-L", - "ResourceType": "Microsoft.Cache/redisEnterprise", + "name": "redis-L", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-L", + "type": "Microsoft.Cache/redisEnterprise", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -947,10 +943,9 @@ "zones": [] }, { - "Name": "redis-M", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-M", - "ResourceName": "redis-M", - "ResourceType": "Microsoft.Cache/redisEnterprise", + "name": "redis-M", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-M", + "type": "Microsoft.Cache/redisEnterprise", "ResourceGroupName": "test-rg", "Location": "Antarctica North", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -966,10 +961,9 @@ "zones": [] }, { - "Name": "redis-N", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-N", - "ResourceName": "redis-N", - "ResourceType": "Microsoft.Cache/redisEnterprise", + "name": "redis-N", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-N", + "type": "Microsoft.Cache/redisEnterprise", "ResourceGroupName": "test-rg", "Location": "antarcticasouth", "SubscriptionId": "00000000-0000-0000-0000-000000000000", 
@@ -985,10 +979,9 @@ "zones": [] }, { - "Name": "redis-O", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-O", - "ResourceName": "redis-O", - "ResourceType": "Microsoft.Cache/redisEnterprise", + "name": "redis-O", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-O", + "type": "Microsoft.Cache/redisEnterprise", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -1008,10 +1001,9 @@ ] }, { - "Name": "redis-P", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-P", - "ResourceName": "redis-P", - "ResourceType": "Microsoft.Cache/redisEnterprise", + "name": "redis-P", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-P", + "type": "Microsoft.Cache/redisEnterprise", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -1116,7 +1108,7 @@ "Name": "redis-S", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-S", "ResourceName": "redis-S", - "ResourceType": "Microsoft.Cache/redisEnterprise", + "type": "Microsoft.Cache/redisEnterprise", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", From bd0034bcf9505c8fd89bc068b6f03987c6bfd4b6 Mon Sep 17 00:00:00 2001 
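Review bot: after these hunks the fixture mixes two key schemas: `redis-A`, `redis-B` and `redis-K` through `redis-P` are converted to `name`/`id`/`type`, while `redis-E` through `redis-J` and `redis-S` only get `ResourceType` renamed to `type` and keep `Name`, `ResourceId` and `ResourceName`. Any binding difference between the two shapes will surface as test results that depend on which object is hit rather than on the rule under test; convert the remaining objects to the same `name`/`id`/`type` shape, or say in the commit message why the partial conversion is deliberate.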
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 28 Nov 2025 09:09:42 +0000 Subject: [PATCH 10/15] Simplify rule logic with NotLike, remove deprecated note, add AMR test cases Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com> --- .../rules/Azure.RedisEnterprise.MigrateAMR.md | 2 - .../rules/Azure.RedisEnterprise.Rule.ps1 | 15 +--- .../Azure.Redis.Tests.ps1 | 56 ++++++++------- .../Resources.Redis.json | 69 +++++++++++++++++++ 4 files changed, 101 insertions(+), 41 deletions(-) diff --git a/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md b/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md index fde812b550..e5ac5ee879 100644 --- a/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md +++ b/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md @@ -87,8 +87,6 @@ For example: ## NOTES -Azure Cache for Redis Enterprise and Enterprise Flash SKUs `Enterprise_*` and `EnterpriseFlash_*` are deprecated. - Azure Cache for Redis (Basic, Standard, Premium) using the `Microsoft.Cache/redis` resource type is also deprecated and covered by a separate rule. ## LINKS diff --git a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 index 40ee364b92..9388c8a9e6 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 
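Review bot: removing the first NOTES sentence leaves `Azure Cache for Redis (Basic, Standard, Premium) using the `Microsoft.Cache/redis` resource type is also deprecated and covered by a separate rule.` with nothing for `also` to refer to, and `deprecated` now clashes with the `being retired` wording of the rule synopsis. Reword along the lines of `Azure Cache for Redis (Basic, Standard, Premium) instances using the `Microsoft.Cache/redis` resource type are being retired as well and are covered by a separate rule`, and name that rule so readers can find it.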
@@ -7,18 +7,5 @@ # Synopsis: Azure Cache for Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis. Rule 'Azure.RedisEnterprise.MigrateAMR' -Ref 'AZR-000534' -Type 'Microsoft.Cache/redisEnterprise' -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } { - $deprecatedSkus = @( - 'Enterprise_E1', - 'Enterprise_E5', - 'Enterprise_E10', - 'Enterprise_E20', - 'Enterprise_E50', - 'Enterprise_E100', - 'Enterprise_E200', - 'Enterprise_E400', - 'EnterpriseFlash_F300', - 'EnterpriseFlash_F700', - 'EnterpriseFlash_F1500' - ) - $Assert.NotIn($TargetObject, 'sku.name', $deprecatedSkus).Reason($LocalizedData.RedisEnterpriseMigrateAMR) + $Assert.NotLike($TargetObject, 'sku.name', @('Enterprise_*', 'EnterpriseFlash_*')).Reason($LocalizedData.RedisEnterpriseMigrateAMR) } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 index 76b9b34034..a12ba8ac88 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 @@ -80,8 +80,8 @@ Describe 'Azure.Redis' -Tag 'Redis' { # Pass $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 5; - $ruleResult.TargetName | Should -BeIn 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S'; + $ruleResult.Length | Should -Be 8; + $ruleResult.TargetName | Should -BeIn 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S', 'redis-T', 'redis-U', 'redis-V'; } It 'Azure.Redis.MinSKU' { 
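Review bot: `$Assert.NotLike($TargetObject, 'sku.name', @('Enterprise_*', 'EnterpriseFlash_*'))` says nothing about an object whose `sku.name` is absent (a template that omits `sku` or passes it through an unresolved parameter), and no fixture covers that shape, so whatever `NotLike` does on a missing field silently becomes the rule's behaviour. Decide what you want (a fail with a reason seems right, since the SKU cannot be verified) and pin it, for example by combining the check with `$Assert.HasFieldValue($TargetObject, 'sku.name')` and adding a `Microsoft.Cache/redisEnterprise` fixture without `sku`. The move from the explicit list to wildcards is fine; since `Enterprise_*` and `EnterpriseFlash_*` are prefix matches, the rule doc should say the match is on the SKU name prefix rather than a fixed list, so readers know a future tier with the same prefix is caught by design.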
@@ -118,8 +118,8 @@ Describe 'Azure.Redis' -Tag 'Redis' { # None $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 8; - $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-R', 'redis-S'; + $ruleResult.Length | Should -Be 11; + $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-R', 'redis-S', 'redis-T', 'redis-U', 'redis-V'; } It 'Azure.Redis.AvailabilityZone' { @@ -146,8 +146,8 @@ Describe 'Azure.Redis' -Tag 'Redis' { # None $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 13; - $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-Q', 'redis-R', 'redis-S'; + $ruleResult.Length | Should -Be 16; + $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-Q', 'redis-R', 'redis-S', 'redis-T', 'redis-U', 'redis-V'; } It 'Azure.RedisEnterprise.Zones' { @@ -173,8 +173,8 @@ Describe 'Azure.Redis' -Tag 'Redis' { # None $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 12; - $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R'; + $ruleResult.Length | Should -Be 15; + $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R', 'redis-T', 'redis-U', 'redis-V'; } It 'Azure.Redis.PublicNetworkAccess' { 
@@ -214,8 +214,8 @@ Describe 'Azure.Redis' -Tag 'Redis' { # None $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 7; - $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S'; + $ruleResult.Length | Should -Be 10; + $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S', 'redis-T', 'redis-U', 'redis-V'; } It 'Azure.Redis.FirewallRuleCount' { @@ -253,8 +253,8 @@ Describe 'Azure.Redis' -Tag 'Redis' { # None $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' }); $ruleResult | Should -Not -BeNullOrEmpty - $ruleResult.Length | Should -Be 9; - $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-F', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S'; + $ruleResult.Length | Should -Be 12; + $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-F', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S', 'redis-T', 'redis-U', 'redis-V'; } It 'Azure.Redis.FirewallIPRange' { @@ -290,8 +290,8 @@ Describe 'Azure.Redis' -Tag 'Redis' { # None $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' }); $ruleResult | Should -Not -BeNullOrEmpty - $ruleResult.Length | Should -Be 9; - $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-F', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S'; + $ruleResult.Length | Should -Be 12; + $ruleResult.TargetName | Should -BeIn 'redis-A', 'redis-F', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S', 'redis-T', 'redis-U', 'redis-V'; } It 'Azure.Redis.Version' { 
@@ -334,8 +334,8 @@ Describe 'Azure.Redis' -Tag 'Redis' { # None $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' }); - $ruleResult.Length | Should -Be 7; - $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S'; + $ruleResult.Length | Should -Be 10; + $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S', 'redis-T', 'redis-U', 'redis-V'; } It 'Azure.Redis.LocalAuth' { @@ -369,13 +369,19 @@ Describe 'Azure.Redis' -Tag 'Redis' { It 'Azure.RedisEnterprise.MigrateAMR' { $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.RedisEnterprise.MigrateAMR' }; - # Fail - all redisEnterprise instances should fail + # Fail - Enterprise and EnterpriseFlash SKUs should fail $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); $ruleResult | Should -Not -BeNullOrEmpty; $ruleResult.Length | Should -Be 7; $ruleResult.TargetName | Should -BeIn 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S'; $ruleResult[0].Reason | Should -BeExactly "Azure Cache for Redis Enterprise and Enterprise Flash are being retired. Migrate to Azure Managed Redis."; + + # Pass - Azure Managed Redis SKUs should pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 3; + $ruleResult.TargetName | Should -BeIn 'redis-T', 'redis-U', 'redis-V'; } } 
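Review bot: in the `Azure.RedisEnterprise.MigrateAMR` test, `$ruleResult[0].Reason | Should -BeExactly ...` inspects only the first of the seven failing results, and nothing asserts the order of `$result`, so a regression that drops the reason for one SKU pattern (say the `EnterpriseFlash_*` objects) would go unnoticed. Assert on `$ruleResult.Reason` as a whole or loop over the results. The added Pass block is good; `redis-T`, `redis-U` and `redis-V` give the rule one fixture per Azure Managed Redis SKU family it must not flag.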
@@ -433,8 +439,8 @@ Describe 'Azure.Redis' -Tag 'Redis' { # None $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 13; - $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-Q', 'redis-R', 'redis-S'; + $ruleResult.Length | Should -Be 16; + $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-Q', 'redis-R', 'redis-S', 'redis-T', 'redis-U', 'redis-V'; } It 'Azure.Redis.AvailabilityZone - YAML file option' { @@ -467,8 +473,8 @@ Describe 'Azure.Redis' -Tag 'Redis' { # None $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 13; - $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-Q', 'redis-R', 'redis-S'; + $ruleResult.Length | Should -Be 16; + $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-K', 'redis-L', 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-Q', 'redis-R', 'redis-S', 'redis-T', 'redis-U', 'redis-V'; } It 'Azure.RedisEnterprise.Zones - HashTable option' { 
@@ -510,8 +516,8 @@ Describe 'Azure.Redis' -Tag 'Redis' { # None $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 12; - $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R'; + $ruleResult.Length | Should -Be 15; + $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R', 'redis-T', 'redis-U', 'redis-V'; } It 'Azure.RedisEnterprise.Zones - YAML file option' { @@ -542,8 +548,8 @@ Describe 'Azure.Redis' -Tag 'Redis' { # None $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'None' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 12; - $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R'; + $ruleResult.Length | Should -Be 15; + $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R', 'redis-T', 'redis-U', 'redis-V'; } } } diff --git a/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json b/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json index 3b44284613..a4ef6e0155 100644 --- a/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json +++ b/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json 
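Review bot: the updated assertions in the `HashTable option` and `YAML file option` tests use `$ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', ...`, which compares the piped array against the expected array element by element and therefore also asserts the order of results, whereas every other updated assertion in this file pairs `-BeIn` with a `.Length` check. Unless result ordering is part of the contract under test, switch these to `-BeIn` so the tests do not start failing on an ordering change.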
@@ -1129,5 +1129,74 @@ "capacity": 15 }, "zones": [] + }, + { + "Name": "redis-T", + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-T", + "ResourceName": "redis-T", + "ResourceType": "Microsoft.Cache/redisEnterprise", + "ResourceGroupName": "test-rg", + "Location": "australiaeast", + "SubscriptionId": "00000000-0000-0000-0000-000000000000", + "Tags": {}, + "Properties": { + "minimumTlsVersion": "1.2", + "hostName": "redis-T.redis.cache.windows.net" + }, + "sku": { + "name": "Balanced_B10", + "capacity": 2 + }, + "zones": [ + "1", + "2", + "3" + ] + }, + { + "Name": "redis-U", + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-U", + "ResourceName": "redis-U", + "ResourceType": "Microsoft.Cache/redisEnterprise", + "ResourceGroupName": "test-rg", + "Location": "australiaeast", + "SubscriptionId": "00000000-0000-0000-0000-000000000000", + "Tags": {}, + "Properties": { + "minimumTlsVersion": "1.2", + "hostName": "redis-U.redis.cache.windows.net" + }, + "sku": { + "name": "MemoryOptimized_M10", + "capacity": 2 + }, + "zones": [ + "1", + "2", + "3" + ] + }, + { + "Name": "redis-V", + "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-V", + "ResourceName": "redis-V", + "ResourceType": "Microsoft.Cache/redisEnterprise", + "ResourceGroupName": "test-rg", + "Location": "australiaeast", + "SubscriptionId": "00000000-0000-0000-0000-000000000000", + "Tags": {}, + "Properties": { + "minimumTlsVersion": "1.2", + "hostName": "redis-V.redis.cache.windows.net" + }, + "sku": { + "name": "ComputeOptimized_X10", + "capacity": 2 + }, + "zones": [ + "1", + "2", + "3" + ] } ] From af618d3ab03edb8163080d4c96ad529cc7b1cdc5 Mon Sep 17 00:00:00 2001 
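Review bot: the three new objects use the `ResourceId`/`ResourceName`/`ResourceType` key names, but the `index 3b44284613..a4ef6e0155` line shows this hunk was cut against the same blob that the earlier `Resources.Redis.json` hunk in this series renamed to `id`/`type` (`index 3b44284613..fddb402eb5`). Once the two are combined, `redis-T`, `redis-U` and `redis-V` will be the only `redisEnterprise` objects left on the old schema and the hunk will conflict on the closing `]`; rebase and add them in the `name`/`id`/`type` shape.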
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 28 Nov 2025 11:11:07 +0000 Subject: [PATCH 11/15] Update reviewed date and add Operational Excellence Level 4 link Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com> --- docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md b/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md index e5ac5ee879..09ddfdab85 100644 --- a/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md +++ b/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-11-24 +reviewed: 2025-11-28 severity: Important pillar: Operational Excellence category: OE:05 Infrastructure as code @@ -92,6 +92,7 @@ Azure Cache for Redis (Basic, Standard, Premium) using the `Microsoft.Cache/redi ## LINKS - [OE:05 Infrastructure as code](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) +- [Operational Excellence: Level 4](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level4) - [Azure Cache for Redis retirement: What to know and how to prepare](https://techcommunity.microsoft.com/blog/azure-managed-redis/azure-cache-for-redis-retirement-what-to-know-and-how-to-prepare/4458721) - [Azure Cache for Redis retirement FAQ](https://learn.microsoft.com/azure/azure-cache-for-redis/retirement-faq) - [Azure Managed Redis documentation](https://learn.microsoft.com/azure/azure-cache-for-redis/managed-redis/managed-redis-overview) From 56eda38d1e5f2c871cc3ee6c5e90c3334231717f Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 28 Nov 2025 11:54:33 +0000 Subject: [PATCH 12/15] Fix changelog to sync with main and avoid merge conflicts Co-authored-by: BenjaminEngeset <99641908+BenjaminEngeset@users.noreply.github.com> --- docs/changelog.md | 77 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 74 insertions(+), 3 deletions(-) diff --git a/docs/changelog.md b/docs/changelog.md index 7e7105fd3e..376df3e009 100644 --- a/docs/changelog.md +++ b/docs/changelog.md 
@@ -31,18 +31,57 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers ## Unreleased - New rules: + - Added naming format rules for AKS, Container Apps, Service Fabric, Cosmos DB, Redis, and SQL resources. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) - App Configuration: - Check that replica locations are in allowed regions by @BernieWhite. [#3441](https://github.com/Azure/PSRule.Rules.Azure/issues/3441) - Azure Cache for Redis: - Check for legacy Azure Cache for Redis instances by @BenjaminEngeset. [#3605](https://github.com/Azure/PSRule.Rules.Azure/issues/3605) + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_REDIS_CACHE_NAME_FORMAT` + - `AZURE_REDIS_ENTERPRISE_NAME_FORMAT` + - Added configured name format by @BernieWhite. - Azure Cache for Redis Enterprise and Enterprise Flash: - Check for deprecated Redis Enterprise and Enterprise Flash SKUs by @BenjaminEngeset. [#3606](https://github.com/Azure/PSRule.Rules.Azure/issues/3606) - - Managed Instance for Apache Cassandra: - - Check that Managed Instance for Apache Cassandra clusters have availability zones enabled by @BenjaminEngeset. - [#3592](https://github.com/Azure/PSRule.Rules.Azure/issues/3592) + - Azure Database for MySQL: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_MYSQL_SERVER_NAME_FORMAT` + - Azure Database for PostgreSQL: + - Check resources naming matches configured name format by @BernieWhite. 
+ [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_POSTGRESQL_SERVER_NAME_FORMAT` + - Azure Kubernetes Service: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_AKS_CLUSTER_NAME_FORMAT` + - `AZURE_AKS_SYSTEM_POOL_NAME_FORMAT` + - `AZURE_AKS_USER_POOL_NAME_FORMAT` + - Container Apps: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_CONTAINER_APP_NAME_FORMAT` + - `AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT` + - `AZURE_CONTAINER_APP_JOB_NAME_FORMAT` + - Container Instance: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration option: + - `AZURE_CONTAINER_INSTANCE_NAME_FORMAT` + - Container Registry: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration option: + - `AZURE_CONTAINER_REGISTRY_NAME_FORMAT` - Cosmos DB: - Check that Cosmos DB accounts have availability zones enabled by @BenjaminEngeset. [#3055](https://github.com/Azure/PSRule.Rules.Azure/issues/3055) 
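Review bot: the `Azure Cache for Redis` entry ends with `- Added configured name format by @BernieWhite.`, a fragment with no issue link that repeats the `Check resources naming matches configured name format` bullet just above it; delete it. The new top-level bullet `Added naming format rules for AKS, Container Apps, Service Fabric, Cosmos DB, Redis, and SQL resources.` duplicates the per-service entries and omits MySQL, PostgreSQL, Container Instance and Container Registry, which are all listed below it; keep either the summary or the per-service entries, not both. The repeated wording `Check resources naming matches configured name format` should read `Check that resource names match the configured name format`. The Managed Instance for Apache Cassandra entry is removed here and re-added in the next hunk, which is fine, but it lands after `Event Hub` and before `Managed Grafana`, where alphabetical order would put `Managed Grafana` first.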
@@ -50,15 +89,47 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers [#3369](https://github.com/Azure/PSRule.Rules.Azure/issues/3369) - Check that MongoDB vCore clusters have availability zones enabled by @BenjaminEngeset. [#3586](https://github.com/Azure/PSRule.Rules.Azure/issues/3586) + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_COSMOS_CASSANDRA_NAME_FORMAT` + - `AZURE_COSMOS_DATABASE_NAME_FORMAT` + - `AZURE_COSMOS_GREMLIN_NAME_FORMAT` + - `AZURE_COSMOS_MONGO_NAME_FORMAT` + - `AZURE_COSMOS_NOSQL_NAME_FORMAT` + - `AZURE_COSMOS_POSTGRESQL_NAME_FORMAT` + - `AZURE_COSMOS_TABLE_NAME_FORMAT` - Data Explorer: - Check that public network access is disabled by @BenjaminEngeset. [#3114](https://github.com/Azure/PSRule.Rules.Azure/issues/3114) - Event Hub: - Check that zone redundancy is enabled for Event Hub namespaces in supported regions by @BenjaminEngeset. [#3029](https://github.com/Azure/PSRule.Rules.Azure/issues/3029) + - Managed Instance for Apache Cassandra: + - Check that Managed Instance for Apache Cassandra clusters have availability zones enabled by @BenjaminEngeset. + [#3592](https://github.com/Azure/PSRule.Rules.Azure/issues/3592) - Managed Grafana: - Check that zone redundancy is enabled for Grafana workspaces in supported regions by @BenjaminEngeset. [#3294](https://github.com/Azure/PSRule.Rules.Azure/issues/3294) + - Service Fabric: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration option: + - `AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT` + - `AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT` + - SQL Database: + - Check resources naming matches configured name format by @BernieWhite. 
+ [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration option: + - `AZURE_SQL_DATABASE_NAME_FORMAT` + - `AZURE_SQL_SERVER_NAME_FORMAT` + - `AZURE_SQL_ELASTIC_POOL_NAME_FORMAT` + - `AZURE_SQL_JOB_AGENT_NAME_FORMAT` + - SQL Managed Instance: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration option: + - `AZURE_SQL_MI_NAME_FORMAT` - Updated rules: - Application Gateway Policy: - Updated `Azure.AppGwWAF.RuleGroups` to use Microsoft Default Rule Set instead of legacy OWASP rule set by @BenjaminEngeset. From b091e2c4890429f7d633c342ab2114196b14c1e0 Mon Sep 17 00:00:00 2001 From: Benjamin Engeset Date: Fri, 28 Nov 2025 13:11:00 +0100 Subject: [PATCH 13/15] resource type --- docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md b/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md index 09ddfdab85..405d5ce931 100644 --- a/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md +++ b/docs/en/rules/Azure.RedisEnterprise.MigrateAMR.md @@ -3,7 +3,7 @@ reviewed: 2025-11-28 severity: Important pillar: Operational Excellence category: OE:05 Infrastructure as code -resource: Redis Enterprise +resource: Azure Cache for Redis Enterprise resourceType: Microsoft.Cache/redisEnterprise online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.RedisEnterprise.MigrateAMR/ --- From 395929082b14f7addaf3b3dc2af6bf7f0a2234f8 Mon Sep 17 00:00:00 2001 From: Benjamin Engeset Date: Fri, 28 Nov 2025 13:17:41 +0100 Subject: [PATCH 14/15] validation --- src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 index 38a1d0c224..9f3dc41cec 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 @@ -2,7 +2,7 @@ # Licensed under the MIT License. # -# Validation rules for Azure Cache for Redis Enterprise and Enterprise Flash +# Validation rules for Azure Managed Redis (Redis Enterprise) # #region Naming rules From cd2f2b930a5137fa4ef17757307ecad0dc38fd44 Mon Sep 17 00:00:00 2001 From: Bernie White Date: Sun, 30 Nov 2025 03:53:25 +0000 Subject: [PATCH 15/15] Update Azure.RedisEnterprise.MinTLS test --- tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 index 85b4b489fe..daef8018b0 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 @@ -80,8 +80,8 @@ Describe 'Azure.Redis' -Tag 'Redis' { # Pass $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 8; - $ruleResult.TargetName | Should -BeIn 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S', 'redis-T', 'redis-U', 'redis-V'; + $ruleResult.Length | Should -Be 5; + $ruleResult.TargetName | Should -BeIn 'redis-M', 'redis-N', 'redis-O', 'redis-P', 'redis-S'; } It 'Azure.Redis.MinSKU' {
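Review bot: Grammar in every new naming entry of the first changelog hunk (the PostgreSQL, Azure Kubernetes Service, Container Apps, Container Instance and Container Registry items): "Check resources naming matches configured name format" should read "Check resource naming matches the configured name format". The same sentence is pasted for each service, so fix it once and replicate to keep the entries consistent with the existing "Check that ..." wording in the rest of the list.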
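Review bot: Singular/plural mismatch in the Service Fabric and SQL Database entries of the `@@ -50,15 +89,47 @@` changelog hunk: both say "the following configuration option:" and then list more than one option (`AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT` plus `AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT`, and four `AZURE_SQL_*` values), while the Cosmos DB entry in the same hunk correctly says "options". Separately, the new "Managed Instance for Apache Cassandra" item is inserted before "Managed Grafana", which breaks the alphabetical order the list otherwise keeps; move it after the Managed Grafana item.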
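Review bot: Naming drift between docs and rule file in the PATCH 13/15 hunk: it sets `resource: Azure Cache for Redis Enterprise` for `resourceType: Microsoft.Cache/redisEnterprise`, while the PATCH 14/15 hunk in the same series relabels the header of `Azure.RedisEnterprise.Rule.ps1`, which covers the same resource type, as "Azure Managed Redis (Redis Enterprise)". Pick one display name for `Microsoft.Cache/redisEnterprise` and use it in both the rule metadata and the rule file, otherwise readers browsing the docs by resource name will not connect the two.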
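Review bot: The rewritten header in the PATCH 14/15 hunk, "Validation rules for Azure Managed Redis (Redis Enterprise)", reads as if Azure Managed Redis and Redis Enterprise were the same offering, yet the rule documented earlier in this series (`Azure.RedisEnterprise.MigrateAMR.md`) tells users to migrate away from Redis Enterprise to Azure Managed Redis. Suggest a header that names both and the provider type, e.g. `# Validation rules for Azure Managed Redis and Azure Cache for Redis Enterprise (Microsoft.Cache/redisEnterprise)`. The commit subject "validation" also does not describe a one-line comment change; a subject such as "Update Azure.RedisEnterprise.Rule.ps1 header comment" would be more useful in the history.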
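Review bot: The PATCH 15/15 hunk shrinks the expected Pass set from 8 to 5 targets, dropping `redis-T`, `redis-U` and `redis-V`, but shows no matching change to the Fail or None assertions of the same `It` block, so the test no longer states where those three targets end up. Either update the Fail side in the same change or add a comment explaining why the three targets no longer produce a result for this rule; `Should -BeIn` together with `Length | Should -Be 5` pins the Pass side, but the other outcome is left unverified.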
