diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md index 893a6b6a322..156ee452737 100644 --- a/docs/CHANGELOG-v1.md +++ b/docs/CHANGELOG-v1.md @@ -31,8 +31,11 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers What's changed since pre-release v1.40.0-B0147: +- Engineering: + - Quality updates to rule documentation by @BernieWhite. + [#3102](https://github.com/Azure/PSRule.Rules.Azure/issues/3102) - Bug fixes: - - Fixed evaluation of APIM policies when using embedded C# with quotes by #BernieWhite. + - Fixed evaluation of APIM policies when using embedded C# with quotes by @BernieWhite. [#3184](https://github.com/Azure/PSRule.Rules.Azure/issues/3184) ## v1.40.0-B0147 (pre-release) diff --git a/docs/en/rules/Azure.Monitor.ServiceHealth.md b/docs/en/rules/Azure.Monitor.ServiceHealth.md index a904505cb69..ee5f4460861 100644 --- a/docs/en/rules/Azure.Monitor.ServiceHealth.md +++ b/docs/en/rules/Azure.Monitor.ServiceHealth.md @@ -1,7 +1,7 @@ --- severity: Important -pillar: Operational Excellence -category: Monitoring +pillar: Reliability +category: RE:10 Monitoring and alerting resource: Monitor online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Monitor.ServiceHealth/ --- @@ -27,5 +27,6 @@ Consider configuring an alert to notify administrators when services you are usi ## LINKS +- [RE:10 Monitoring and alerting](https://learn.microsoft.com/azure/well-architected/reliability/monitoring-alerting-strategy) - [Service Health overview](https://learn.microsoft.com/azure/service-health/service-health-overview) - [Create activity log alerts on service notifications](https://learn.microsoft.com/azure/service-health/alerts-activity-log-service-notifications) diff --git a/docs/en/rules/Azure.VM.PublicKey.md b/docs/en/rules/Azure.VM.PublicKey.md index ab89da9b7d7..df80678e9d6 100644 --- a/docs/en/rules/Azure.VM.PublicKey.md +++ b/docs/en/rules/Azure.VM.PublicKey.md 
@@ -1,12 +1,12 @@ --- severity: Important pillar: Security -category: Identity and access management +category: SE:08 Hardening resources resource: Virtual Machine online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.PublicKey/ --- -# Use public keys for Linux +# VM password-based authentication is enabled ## SYNOPSIS 
@@ -14,8 +14,134 @@ Linux virtual machines should use public keys.
 ## DESCRIPTION
-Linux virtual machines support either password or public key based authentication for the default administrator account.
+Linux virtual machines should have password authentication disabled to help with eliminating password-based attacks.
 ## RECOMMENDATION
-Consider using public key based authentication instead of passwords.
+Consider disabling password-based authentication on Linux virtual machines and instead use public keys.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy virtual machines that pass this rule:
+
+- Set the `properties.osProfile.linuxConfiguration.disablePasswordAuthentication` property to `true`.
+
+For example:
+
+```json
+{
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2024-03-01",
+ "name": "[parameters('name')]",
+ "location": "[parameters('location')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "hardwareProfile": {
+ "vmSize": "Standard_D8d_v5"
+ },
+ "osProfile": {
+ "computerName": "[parameters('name')]",
+ "adminUsername": "[parameters('adminUsername')]",
+ "linuxConfiguration": {
+ "disablePasswordAuthentication": true
+ }
+ },
+ "storageProfile": {
+ "imageReference": {
+ "publisher": "MicrosoftCblMariner",
+ "offer": "Cbl-Mariner",
+ "sku": "cbl-mariner-2-gen2",
+ "version": "latest"
+ },
+ "osDisk": {
+ "name": "[format('{0}-disk0', parameters('name'))]",
+ "caching": "ReadWrite",
+ "createOption": "FromImage",
+ "managedDisk": {
+ "storageAccountType": "Premium_LRS"
+ }
+ }
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"
+ }
+ ]
+ }
+ },
+ "zones": [
+ "1"
+ ],
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"
+ ]
+}
+```
+
+### Configure with Bicep
+
+To deploy virtual machines that pass this rule:
+
+- Set the `properties.osProfile.linuxConfiguration.disablePasswordAuthentication` property to `true`.
+
+For example:
+
+```bicep
+resource linux 'Microsoft.Compute/virtualMachines@2024-03-01' = {
+ name: name
+ location: location
+ identity: {
+ type: 'SystemAssigned'
+ }
+ properties: {
+ hardwareProfile: {
+ vmSize: 'Standard_D8d_v5'
+ }
+ osProfile: {
+ computerName: name
+ adminUsername: adminUsername
+ linuxConfiguration: {
+ disablePasswordAuthentication: true
+ }
+ }
+ storageProfile: {
+ imageReference: {
+ publisher: 'MicrosoftCblMariner'
+ offer: 'Cbl-Mariner'
+ sku: 'cbl-mariner-2-gen2'
+ version: 'latest'
+ }
+ osDisk: {
+ name: '${name}-disk0'
+ caching: 'ReadWrite'
+ createOption: 'FromImage'
+ managedDisk: {
+ storageAccountType: 'Premium_LRS'
+ }
+ }
+ }
+ networkProfile: {
+ networkInterfaces: [
+ {
+ id: nic.id
+ }
+ ]
+ }
+ }
+ zones: [
+ '1'
+ ]
+}
+```
+
+## LINKS
+
+- [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Azure security baseline for Linux Virtual Machines](https://learn.microsoft.com/security/benchmark/azure/baselines/virtual-machines-linux-security-baseline)
+- [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure](https://learn.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines)
diff --git a/docs/en/rules/Azure.VMSS.PublicKey.md b/docs/en/rules/Azure.VMSS.PublicKey.md
index bfe87a34002..a1273825541 100644
--- a/docs/en/rules/Azure.VMSS.PublicKey.md
+++ b/docs/en/rules/Azure.VMSS.PublicKey.md
@@ -1,12 +1,12 @@ --- severity: Important pillar: Security -category: Identity and access management +category: SE:08 Hardening resources resource: Virtual Machine Scale Sets online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VMSS.PublicKey/ --- -# Disable password authentication +# VMSS password-based authentication is enabled ## SYNOPSIS @@ -16,11 +16,9 @@ Use SSH keys instead of common credentials to secure virtual machine scale sets Linux virtual machine scale sets should have password authentication disabled to help with eliminating password-based attacks. -A common tactic observed used by adversaries against customers running Linux Virtual Machines (VMs) in Azure is password-based attacks. - ## RECOMMENDATION -Linux virtual machine scale sets should have password authentication disabled and instead use SSH keys. +Consider disabling password-based authentication on Linux VM scale sets and instead use public keys. ## EXAMPLES 
@@ -28,47 +26,48 @@ Linux virtual machine scale sets should have password authentication disabled an To deploy an virtual machine scale set that pass this rule: -- Set `properties.virtualMachineProfile.OsProfile.linuxConfiguration.disablePasswordAuthentication` to `true`. +- Set the `properties.virtualMachineProfile.OsProfile.linuxConfiguration.disablePasswordAuthentication` property to `true`. For example: ```json { - "type": "Microsoft.Compute/virtualMachineScaleSets", - "apiVersion": "2021-11-01", - "name": "vmss-01", - "location": "[resourceGroup().location]", - "sku": { - "name": "b2ms", - "tier": "Standard", - "capacity": 1 + "type": "Microsoft.Compute/virtualMachineScaleSets", + "apiVersion": "2024-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "Standard_D8d_v5", + "tier": "Standard", + "capacity": 3 + }, + "properties": { + "overprovision": true, + "upgradePolicy": { + "mode": "Automatic" }, - "properties": { - "overprovision": true, - "upgradePolicy": { - "mode": "Automatic" - }, - "singlePlacementGroup": true, - "platformFaultDomainCount": 3, - "virtualMachineProfile": { - "storageProfile": { - "osDisk": { - "caching": "ReadWrite", - "createOption": "FromImage" - }, - "imageReference": { - "publisher": "microsoft-aks", - "offer": "aks", - "sku": "aks-ubuntu-1804-202208", - "version": "2022.08.29" - } + "singlePlacementGroup": true, + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "caching": "ReadWrite", + "createOption": "FromImage" }, - "osProfile": { - "adminUsername": "azureuser", - "computerNamePrefix": "vmss-01", - "linuxConfiguration": { - "disablePasswordAuthentication": true - }, + "imageReference": { + "publisher": "MicrosoftCblMariner", + "offer": "Cbl-Mariner", + "sku": "cbl-mariner-2-gen2", + "version": "latest" + } + }, + "osProfile": { + "adminUsername": "[parameters('adminUsername')]", + "computerNamePrefix": 
"vmss-01", + "linuxConfiguration": { + "disablePasswordAuthentication": true, "provisionVMAgent": true, "ssh": { "publicKeys": [ 
@@ -77,59 +76,65 @@ For example: } ] } - }, - "networkProfile": { - "networkInterfaceConfigurations": [ - { - "name": "vmss-001", - "properties": { - "primary": true, - "enableAcceleratedNetworking": true, - "networkSecurityGroup": { - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001" - }, - "ipConfigurations": [ - { - "name": "ipconfig1", - "properties": { - "primary": true, - "subnet": { - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001" - }, - "privateIPAddressVersion": "IPv4", - "loadBalancerBackendAddressPools": [ - { - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes" - } - ] - } + } + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "vmss-001", + "properties": { + "primary": true, + "enableAcceleratedNetworking": true, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "primary": true, + "subnet": { + "id": "[parameters('subnetId')]" + }, + "privateIPAddressVersion": "IPv4", + "loadBalancerBackendAddressPools": [ + { + "id": "[parameters('backendPoolId')]" + } + ] } - ] - } + } + ] } - ] - } + } + ] } } - } + }, + "zones": [ + "1", + "2", + "3" + ] +} ``` ### Configure with Bicep To deploy an virtual machine scale set that pass this rule: -- Set `properties.virtualMachineProfile.OsProfile.linuxConfiguration.disablePasswordAuthentication` to `true`. +- Set the `properties.virtualMachineProfile.OsProfile.linuxConfiguration.disablePasswordAuthentication` property to `true`. 
For example: ```bicep -resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = { - name: 'vmss-01' - location: resourceGroup().location +resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2024-07-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } sku: { - name: 'b2ms' + name: 'Standard_D8d_v5' tier: 'Standard' - capacity: 1 + capacity: 3 } properties: { overprovision: true @@ -137,7 +142,6 @@ resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = { mode: 'Automatic' } singlePlacementGroup: true - platformFaultDomainCount: 3 virtualMachineProfile: { storageProfile: { osDisk: { @@ -145,18 +149,17 @@ resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = { createOption: 'FromImage' } imageReference: { - publisher: 'microsoft-aks' - offer: 'aks' - sku: 'aks-ubuntu-1804-202208' - version: '2022.08.29' - } + publisher: 'MicrosoftCblMariner' + offer: 'Cbl-Mariner' + sku: 'cbl-mariner-2-gen2' + version: 'latest' + } } osProfile: { - adminUsername: 'azureuser' + adminUsername: adminUsername computerNamePrefix: 'vmss-01' linuxConfiguration: { disablePasswordAuthentication: true - } provisionVMAgent: true ssh: { publicKeys: [ @@ -166,6 +169,7 @@ resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = { ] } } + } networkProfile: { networkInterfaceConfigurations: [ { 
@@ -173,21 +177,18 @@ resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = { properties: { primary: true enableAcceleratedNetworking: true - networkSecurityGroup: { - id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001' - } ipConfigurations: [ { name: 'ipconfig1' properties: { primary: true subnet: { - id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001' + id: subnetId } privateIPAddressVersion: 'IPv4' loadBalancerBackendAddressPools: [ { - id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes' + id: backendPoolId } ] } @@ -199,12 +200,17 @@ resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = { } } } + zones: [ + '1' + '2' + '3' + ] } ``` ## LINKS -- [Identity and access management](https://learn.microsoft.com/azure/architecture/framework/security/design-identity) +- [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources) - [Azure security baseline for Linux Virtual Machines](https://learn.microsoft.com/security/benchmark/azure/baselines/virtual-machines-linux-security-baseline) - [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure](https://learn.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachinescalesets) diff --git a/docs/examples/resources/vm.bicep b/docs/examples/resources/vm.bicep index c5885f2d2ee..4859774f8b4 100644 --- a/docs/examples/resources/vm.bicep +++ b/docs/examples/resources/vm.bicep 
@@ -30,9 +30,9 @@ param amaIdentityId string resource vm 'Microsoft.Compute/virtualMachines@2024-03-01' = { name: name location: location - zones: [ - '1' - ] + identity: { + type: 'SystemAssigned' + } properties: { hardwareProfile: { vmSize: 'Standard_D2s_v3' @@ -75,6 +75,9 @@ resource vm 'Microsoft.Compute/virtualMachines@2024-03-01' = { ] } } + zones: [ + '1' + ] } // An example of a VM managed disk. @@ -205,3 +208,50 @@ resource nic 'Microsoft.Network/networkInterfaces@2023-06-01' = { ] } } + +// An example virtual machine running Azure Linux. +resource linux 'Microsoft.Compute/virtualMachines@2024-03-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + hardwareProfile: { + vmSize: 'Standard_D8d_v5' + } + osProfile: { + computerName: name + adminUsername: adminUsername + linuxConfiguration: { + disablePasswordAuthentication: true + } + } + storageProfile: { + imageReference: { + publisher: 'MicrosoftCblMariner' + offer: 'Cbl-Mariner' + sku: 'cbl-mariner-2-gen2' + version: 'latest' + } + osDisk: { + name: '${name}-disk0' + caching: 'ReadWrite' + createOption: 'FromImage' + managedDisk: { + storageAccountType: 'Premium_LRS' + } + } + } + networkProfile: { + networkInterfaces: [ + { + id: nic.id + } + ] + } + } + zones: [ + '1' + ] +} diff --git a/docs/examples/resources/vm.json b/docs/examples/resources/vm.json index dcbe31f76df..ba0f2b05a36 100644 --- a/docs/examples/resources/vm.json +++ b/docs/examples/resources/vm.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "14523451418990638896" + "version": "0.31.92.45157", + "templateHash": "1657333872264934230" } }, "parameters": { @@ -67,9 +67,9 @@ "apiVersion": "2024-03-01", "name": "[parameters('name')]", "location": "[parameters('location')]", - "zones": [ - "1" - ], + "identity": { + "type": "SystemAssigned" + }, "properties": { "hardwareProfile": { "vmSize": "Standard_D2s_v3" 
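Review bot: The new `linux` resource in vm.bicep (hunk `@@ -205,3 +208,50 @@`) sets `disablePasswordAuthentication: true` but its `linuxConfiguration` carries no `ssh.publicKeys` and the profile has no other credential, so the example shows the admin account with no way to authenticate. A reader copying it is likely to get a rejected deployment or a VM nobody can sign in to. Add the key next to the flag as sketched below, with `adminPublicKey` declared as a new string parameter. The same snippet is repeated in the Azure.VM.PublicKey.md examples and the generated vm.json. Separately, the resource reuses `name: name` from the existing `vm` resource, which puts two virtual machines with the same name in one template.

```bicep
// … unchanged: name, location, identity, hardwareProfile, computerName, adminUsername …
      linuxConfiguration: {
        disablePasswordAuthentication: true
        ssh: {
          publicKeys: [
            {
              path: '/home/${adminUsername}/.ssh/authorized_keys'
              keyData: adminPublicKey // new parameter holding the SSH public key
            }
          ]
        }
      }
// … unchanged: storageProfile, networkProfile, zones …
```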
@@ -112,6 +112,9 @@ ] } }, + "zones": [ + "1" + ], "dependsOn": [ "[resourceId('Microsoft.Compute/disks', parameters('name'))]", "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]" @@ -249,6 +252,56 @@ } ] } + }, + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2024-03-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "hardwareProfile": { + "vmSize": "Standard_D8d_v5" + }, + "osProfile": { + "computerName": "[parameters('name')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": true + } + }, + "storageProfile": { + "imageReference": { + "publisher": "MicrosoftCblMariner", + "offer": "Cbl-Mariner", + "sku": "cbl-mariner-2-gen2", + "version": "latest" + }, + "osDisk": { + "name": "[format('{0}-disk0', parameters('name'))]", + "caching": "ReadWrite", + "createOption": "FromImage", + "managedDisk": { + "storageAccountType": "Premium_LRS" + } + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]" + } + ] + } + }, + "zones": [ + "1" + ], + "dependsOn": [ + "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]" + ] } ] } \ No newline at end of file diff --git a/docs/examples/resources/vmss.bicep b/docs/examples/resources/vmss.bicep index b1a169ea93f..dbdc8b25018 100644 --- a/docs/examples/resources/vmss.bicep +++ b/docs/examples/resources/vmss.bicep 
@@ -3,13 +3,31 @@ // An example simple Linux VMSS -resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = { - name: 'vmss-01' - location: resourceGroup().location +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +@description('A unique identifier for the VNET subnet.') +param subnetId string + +@description('A unique identifier for the load balancer backend pool.') +param backendPoolId string + +@description('The admin username used for each VM instance.') +param adminUsername string + +resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2024-07-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } sku: { - name: 'b2ms' + name: 'Standard_D8d_v5' tier: 'Standard' - capacity: 1 + capacity: 3 } properties: { overprovision: true @@ -17,7 +35,6 @@ resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = { mode: 'Automatic' } singlePlacementGroup: true - platformFaultDomainCount: 3 virtualMachineProfile: { storageProfile: { osDisk: { @@ -25,18 +42,17 @@ resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = { createOption: 'FromImage' } imageReference: { - publisher: 'microsoft-aks' - offer: 'aks' - sku: 'aks-ubuntu-1804-202208' - version: '2022.08.29' - } + publisher: 'MicrosoftCblMariner' + offer: 'Cbl-Mariner' + sku: 'cbl-mariner-2-gen2' + version: 'latest' + } } osProfile: { - adminUsername: 'azureuser' + adminUsername: adminUsername computerNamePrefix: 'vmss-01' linuxConfiguration: { disablePasswordAuthentication: true - } provisionVMAgent: true ssh: { publicKeys: [ @@ -46,6 +62,7 @@ resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = { ] } } + } networkProfile: { networkInterfaceConfigurations: [ { 
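Review bot: `adminUsername` becomes a parameter in the `osProfile` hunk (`@@ -25,18 +42,17 @@`), but the `ssh.publicKeys` entry that now sits inside `linuxConfiguration` still points at a fixed account. The generated vmss.json in this commit shows `"path": "/home/azureuser/.ssh/authorized_keys"` and no `keyData`. With any other admin name the key path no longer matches the account, and with password authentication disabled that leaves no working login. Derive the path from the parameter, `path: '/home/${adminUsername}/.ssh/authorized_keys'`, and supply `keyData` from a new parameter. The publicKeys entry itself lies between this hunk and the next, so the Bicep line is inferred from the JSON output.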
@@ -53,21 +70,18 @@ resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = { properties: { primary: true enableAcceleratedNetworking: true - networkSecurityGroup: { - id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001' - } ipConfigurations: [ { name: 'ipconfig1' properties: { primary: true subnet: { - id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001' + id: subnetId } privateIPAddressVersion: 'IPv4' loadBalancerBackendAddressPools: [ { - id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes' + id: backendPoolId } ] } @@ -79,4 +93,9 @@ resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = { } } } + zones: [ + '1' + '2' + '3' + ] } diff --git a/docs/examples/resources/vmss.json b/docs/examples/resources/vmss.json index e58b6ceb7f4..7c0ab4e286a 100644 --- a/docs/examples/resources/vmss.json +++ b/docs/examples/resources/vmss.json 
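Review bot: The NIC configuration in hunk `@@ -53,21 +70,18 @@` loses its `networkSecurityGroup` reference and nothing replaces it, so whether the scale set instances sit behind any NSG now depends entirely on the subnet passed in `subnetId`. This file feeds the hardening rule examples, so state that expectation where the parameter is declared in the first hunk, for example `@description('A unique identifier for the VNET subnet. The subnet is expected to have an NSG associated.')`. Alternatively keep the NIC-level reference behind a new `nsgId` parameter. The enclosing `vmss` resource starts before this hunk.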
@@ -4,20 +4,56 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.10.13.619", - "templateHash": "13184112879507545069" + "version": "0.31.92.45157", + "templateHash": "18183969840754772084" + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + }, + "subnetId": { + "type": "string", + "metadata": { + "description": "A unique identifier for the VNET subnet." + } + }, + "backendPoolId": { + "type": "string", + "metadata": { + "description": "A unique identifier for the load balancer backend pool." + } + }, + "adminUsername": { + "type": "string", + "metadata": { + "description": "The admin username used for each VM instance." + } } }, "resources": [ { "type": "Microsoft.Compute/virtualMachineScaleSets", - "apiVersion": "2021-11-01", - "name": "vmss-01", - "location": "[resourceGroup().location]", + "apiVersion": "2024-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, "sku": { - "name": "b2ms", + "name": "Standard_D8d_v5", "tier": "Standard", - "capacity": 1 + "capacity": 3 }, "properties": { "overprovision": true, @@ -25,7 +61,6 @@ "mode": "Automatic" }, "singlePlacementGroup": true, - "platformFaultDomainCount": 3, "virtualMachineProfile": { "storageProfile": { "osDisk": { 
@@ -33,25 +68,25 @@ "createOption": "FromImage" }, "imageReference": { - "publisher": "microsoft-aks", - "offer": "aks", - "sku": "aks-ubuntu-1804-202208", - "version": "2022.08.29" + "publisher": "MicrosoftCblMariner", + "offer": "Cbl-Mariner", + "sku": "cbl-mariner-2-gen2", + "version": "latest" } }, "osProfile": { - "adminUsername": "azureuser", + "adminUsername": "[parameters('adminUsername')]", "computerNamePrefix": "vmss-01", "linuxConfiguration": { - "disablePasswordAuthentication": true - }, - "provisionVMAgent": true, - "ssh": { - "publicKeys": [ - { - "path": "/home/azureuser/.ssh/authorized_keys" - } - ] + "disablePasswordAuthentication": true, + "provisionVMAgent": true, + "ssh": { + "publicKeys": [ + { + "path": "/home/azureuser/.ssh/authorized_keys" + } + ] + } } }, "networkProfile": { @@ -61,21 +96,18 @@ "properties": { "primary": true, "enableAcceleratedNetworking": true, - "networkSecurityGroup": { - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001" - }, "ipConfigurations": [ { "name": "ipconfig1", "properties": { "primary": true, "subnet": { - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001" + "id": "[parameters('subnetId')]" }, "privateIPAddressVersion": "IPv4", "loadBalancerBackendAddressPools": [ { - "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes" + "id": "[parameters('backendPoolId')]" } ] } @@ -86,7 +118,12 @@ ] } } - } + }, + "zones": [ + "1", + "2", + "3" + ] } ] -} +} \ No newline at end of file 
diff --git a/docs/license-contributing/first-contributors-guide.md b/docs/license-contributing/get-started-contributing.md similarity index 100% rename from docs/license-contributing/first-contributors-guide.md rename to docs/license-contributing/get-started-contributing.md diff --git a/mkdocs.yml b/mkdocs.yml index 3df816cf0e3..8d46765d694 100755 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -75,7 +75,7 @@ nav: - Samples: samples.md - License and contributing: - Index: license-contributing/index.md - - Get started contributing: license-contributing/first-contributors-guide.md + - Get started contributing: license-contributing/get-started-contributing.md - Writing documentation: license-contributing/writing-documentation.md - Past hackathons: license-contributing/hackathons.md - Related projects: related-projects.md diff --git a/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1 index d1969b06b57..9c3dc67c157 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Subscription.Rule.ps1 @@ -80,7 +80,7 @@ Rule 'Azure.RBAC.PIM' -Ref 'AZR-000208' -Type 'Microsoft.Subscription' -Tag @{ r #region Monitor # Synopsis: Configure Azure service logs -Rule 'Azure.Monitor.ServiceHealth' -Ref 'AZR-000211' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'LT-4' } { +Rule 'Azure.Monitor.ServiceHealth' -Ref 'AZR-000211' -Type 'Microsoft.Subscription' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Reliability'; } { $alerts = @(GetSubResources -ResourceType 'microsoft.insights/activityLogAlerts' | Where-Object { @($_.Properties.condition.allOf | Where-Object { $_.field -eq 'category' -and $_.equals -eq 'ServiceHealth' }).Length -gt 0 });
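Review bot: The `Azure.Monitor.ServiceHealth` rule loses its `-Labels @{ 'Azure.MCSB.v1/control' = 'LT-4' }` mapping and moves from the Security to the Reliability pillar, while the changelog entry in this commit describes only quality updates to rule documentation. Anything that selects rules by that MCSB control label or by the Security pillar tag would presumably stop evaluating this rule without notice; if the removal is a deliberate correction, add a changelog line that says so. The context comment `# Synopsis: Configure Azure service logs` also does not match what the body checks, which is an activity log alert on the `ServiceHealth` category; something like `# Synopsis: Configure Service Health alerts to notify administrators.` would fit. The rule body continues past the end of the hunk.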