From 4c69e67ad7e2a8345785e535012790b1e6a9824b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Oct 2025 05:16:25 +0000 Subject: [PATCH 01/32] Initial plan From 6ad5ab481324e528d4b49ca3f1aab1d596670141 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Oct 2025 05:30:44 +0000 Subject: [PATCH 02/32] Add new naming format rules for containers, databases and infrastructure services Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com> --- .../rules/Azure.ACR.Rule.ps1 | 5 ++ .../rules/Azure.AKS.Rule.ps1 | 15 ++++++ .../rules/Azure.CI.Rule.ps1 | 15 ++++++ .../rules/Azure.ContainerApp.Rule.ps1 | 15 ++++++ .../rules/Azure.Cosmos.Rule.ps1 | 36 ++++++++++++++ .../rules/Azure.MySQL.Rule.ps1 | 9 ++++ .../rules/Azure.PostgreSQL.Rule.ps1 | 9 ++++ .../rules/Azure.Redis.Rule.ps1 | 14 ++++++ .../rules/Azure.SQL.Rule.ps1 | 29 +++++++++++ .../rules/Azure.SQLMI.Rule.ps1 | 5 ++ .../rules/Azure.ServiceFabric.Rule.yaml | 48 +++++++++++++++++++ 11 files changed, 200 insertions(+) create mode 100644 src/PSRule.Rules.Azure/rules/Azure.CI.Rule.ps1 diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 index a4186fb73f9..4d2999d914b 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 
@@ -75,6 +75,11 @@ Rule 'Azure.ACR.ReplicaLocation' -Ref 'AZR-000494' -Type 'Microsoft.ContainerReg } } +# Synopsis: Container registries without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ACR.Naming' -Ref 'AZR-000504' -Type 'Microsoft.ContainerRegistry/registries' -If { $Configuration['AZURE_CONTAINER_REGISTRY_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_REGISTRY_NAME_FORMAT, $True); +} + #endregion Rules #region Helper functions diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 index 67e99aa9da0..fb8cee80b47 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 
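Review bot: The gate `-If { $Configuration['AZURE_CONTAINER_REGISTRY_NAME_FORMAT'] -ne '' }` only disables the rule if the key has a default of `''` registered in the module configuration; when the key is absent entirely the indexer yields `$null`, and `$null -ne ''` is `$true` in PowerShell, so the rule would run and call `$Assert.Match` with a null pattern. None of the three patches visible here touch the module's configuration defaults, so please confirm the `''` defaults for all the new `*_NAME_FORMAT` keys are added in a later patch of the series. The same applies to every new naming rule in this commit (AKS, CI, ContainerApp, Cosmos, MySQL, PostgreSQL, Redis, SQL, SQLMI).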
@@ -344,6 +344,21 @@ Rule 'Azure.AKS.MaintenanceWindow' -Ref 'AZR-000446' -Type 'Microsoft.ContainerS } } +# Synopsis: AKS clusters without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.AKS.Naming' -Ref 'AZR-000498' -Type 'Microsoft.ContainerService/managedClusters' -If { $Configuration['AZURE_AKS_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_AKS_CLUSTER_NAME_FORMAT, $True); +} + +# Synopsis: AKS system node pools without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000499' -Type 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_SYSTEM_POOL_NAME_FORMAT'] -ne '' -and $TargetObject.properties.mode -eq 'System' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_AKS_SYSTEM_POOL_NAME_FORMAT, $True); +} + +# Synopsis: AKS user node pools without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.AKS.UserPoolNaming' -Ref 'AZR-000500' -Type 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_USER_POOL_NAME_FORMAT'] -ne '' -and $TargetObject.properties.mode -eq 'User' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_AKS_USER_POOL_NAME_FORMAT, $True); +} + #region Helper functions function global:GetAgentPoolProfiles { diff --git a/src/PSRule.Rules.Azure/rules/Azure.CI.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.CI.Rule.ps1 new file mode 100644 index 00000000000..22bca3099b5 --- /dev/null 
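Review bot: `Azure.AKS.SystemPoolNaming` and `Azure.AKS.UserPoolNaming` only target the `Microsoft.ContainerService/managedClusters/agentPools` sub-resource, so node pools declared inline under `properties.agentPoolProfiles` of the cluster (the shape the existing `GetAgentPoolProfiles` helper at the end of this hunk exists to read) are never checked, and that is probably the common case in Bicep/ARM templates. Consider also matching each profile's name from `GetAgentPoolProfiles` under `-Type 'Microsoft.ContainerService/managedClusters'`, or state the limitation in the synopsis. Separately, `$TargetObject.properties.mode -eq 'User'` does not match a pool that omits `mode`; as far as I recall the service defaults an absent mode to `User`, so confirm whether such pools should fall under the user-pool rule.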
+++ b/src/PSRule.Rules.Azure/rules/Azure.CI.Rule.ps1 @@ -0,0 +1,15 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +# +# Validation rules for Azure Container Instances +# + +#region Rules + +# Synopsis: Container instances without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.CI.Naming' -Ref 'AZR-000505' -Type 'Microsoft.ContainerInstance/containerGroups' -If { $Configuration['AZURE_CONTAINER_INSTANCE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_INSTANCE_NAME_FORMAT, $True); +} + +#endregion Rules diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 index ef19eab818d..38f681f498b 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 
@@ -33,6 +33,21 @@ Rule 'Azure.ContainerApp.AvailabilityZone' -Ref 'AZR-000414' -Type 'Microsoft.Ap $Assert.HasFieldValue($TargetObject, 'properties.vnetConfiguration.infrastructureSubnetId'); } +# Synopsis: Container apps without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ContainerApp.Naming' -Ref 'AZR-000501' -Type 'Microsoft.App/containerApps' -If { $Configuration['AZURE_CONTAINER_APP_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_NAME_FORMAT, $True); +} + +# Synopsis: Container apps environments without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ContainerApp.EnvironmentNaming' -Ref 'AZR-000502' -Type 'Microsoft.App/managedEnvironments' -If { $Configuration['AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT, $True); +} + +# Synopsis: Container apps jobs without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.ContainerApp.JobNaming' -Ref 'AZR-000503' -Type 'Microsoft.App/jobs' -If { $Configuration['AZURE_CONTAINER_APP_JOB_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_JOB_NAME_FORMAT, $True); +} + #endregion Rules #region Helper functions diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 index 854c14ec92b..78ac71bf9ec 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 
+++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 
@@ -17,6 +17,42 @@ Rule 'Azure.Cosmos.DefenderCloud' -Ref 'AZR-000382' -Type 'Microsoft.DocumentDb/ Rule 'Azure.Cosmos.DisableLocalAuth' -Ref 'AZR-000420' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { Test-IsNoSQL } -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'IM-1'; 'Azure.WAF/maturity' = 'L1' } { $Assert.HasFieldValue($TargetObject, 'properties.DisableLocalAuth', $true) } + +# Synopsis: Azure Cosmos DB for Apache Cassandra accounts without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.CassandraNaming' -Ref 'AZR-000508' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_CASSANDRA_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and $TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableCassandra' } } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_CASSANDRA_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB for MongoDB accounts without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.MongoNaming' -Ref 'AZR-000509' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_MONGO_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'MongoDB' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_MONGO_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB for NoSQL accounts without a standard naming convention may be difficult to identify and manage. 
+Rule 'Azure.Cosmos.NoSQLNaming' -Ref 'AZR-000510' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_NOSQL_NAME_FORMAT'] -ne '' -and Test-IsNoSQL } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_NOSQL_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB for Table accounts without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.TableNaming' -Ref 'AZR-000511' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_TABLE_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and $TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableTable' } } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_TABLE_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB for Apache Gremlin accounts without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.GremlinNaming' -Ref 'AZR-000512' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_GREMLIN_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and $TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableGremlin' } } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_GREMLIN_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB PostgreSQL clusters without a standard naming convention may be difficult to identify and manage. 
+Rule 'Azure.Cosmos.PostgreSQLNaming' -Ref 'AZR-000513' -Type 'Microsoft.DBforPostgreSQL/serverGroupsv2' -If { $Configuration['AZURE_COSMOS_POSTGRESQL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_POSTGRESQL_NAME_FORMAT, $True); +} + +# Synopsis: Azure Cosmos DB databases without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Cosmos.DatabaseNaming' -Ref 'AZR-000514' -Type 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases' -If { $Configuration['AZURE_COSMOS_DATABASE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_DATABASE_NAME_FORMAT, $True); +} + #endregion Rules #region Helper functions diff --git a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 index 3b888fc8100..b9f7096ed25 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 @@ -203,3 +203,12 @@ function global:MySQLSingleServerAAD { } #endregion Helper functions + +#region Naming rules + +# Synopsis: MySQL databases without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.MySQL.Naming' -Ref 'AZR-000521' -Type 'Microsoft.DBforMySQL/servers', 'Microsoft.DBforMySQL/flexibleServers' -If { $Configuration['AZURE_MYSQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_MYSQL_SERVER_NAME_FORMAT, $True); +} + +#endregion Naming rules 
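Review bot: The `-If` blocks of `Azure.Cosmos.CassandraNaming`, `Azure.Cosmos.TableNaming` and `Azure.Cosmos.GremlinNaming` do not parse the way they read: the pipeline operator binds looser than `-and`, so `A -and B -and $TargetObject.properties.capabilities | Where-Object { ... }` pipes the boolean result of the whole `-and` chain into `Where-Object`, whose filter then evaluates `$true.name` and emits nothing, meaning the precondition is never satisfied and these three rules never run. Make the capability check a boolean, e.g. `-and @($TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableCassandra' }).Length -gt 0` (likewise for `EnableTable` and `EnableGremlin`). A unit test per API kind would have caught this; the PATCH 04 diffstat lists no Cosmos-specific test file, though the new `Azure.NamingRules.Tests.ps1` may cover it.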
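Review bot: The synopsis for `Azure.MySQL.Naming` says "MySQL databases" but the rule targets `Microsoft.DBforMySQL/servers` and `Microsoft.DBforMySQL/flexibleServers`, so the reason shown to users will name the wrong resource; suggest `# Synopsis: MySQL servers without a standard naming convention may be difficult to identify and manage.` `Azure.PostgreSQL.Naming` in the next file has the same mismatch ("PostgreSQL databases" against server types). The configuration keys `AZURE_MYSQL_SERVER_NAME_FORMAT` and `AZURE_POSTGRESQL_SERVER_NAME_FORMAT` already say server, so aligning the synopsis is the smaller change.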
diff --git a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 index 5fa6650169e..16974e44e3a 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 @@ -166,3 +166,12 @@ function global:PostgreSQLSingleServerAAD { } #endregion Helper functions + +#region Naming rules + +# Synopsis: PostgreSQL databases without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.PostgreSQL.Naming' -Ref 'AZR-000522' -Type 'Microsoft.DBforPostgreSQL/servers', 'Microsoft.DBforPostgreSQL/flexibleServers' -If { $Configuration['AZURE_POSTGRESQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_POSTGRESQL_SERVER_NAME_FORMAT, $True); +} + +#endregion Naming rules diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 index caba1003df9..6b586cd8599 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 
@@ -187,3 +187,17 @@ function global:HasPublicNetworkAccess { } #endregion Helper functions + +#region Naming rules + +# Synopsis: Azure Cache for Redis instances without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.Redis.Naming' -Ref 'AZR-000515' -Type 'Microsoft.Cache/Redis' -If { $Configuration['AZURE_REDIS_CACHE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_REDIS_CACHE_NAME_FORMAT, $True); +} + +# Synopsis: Azure Managed Redis instances without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.RedisEnterprise.Naming' -Ref 'AZR-000516' -Type 'Microsoft.Cache/RedisEnterprise' -If { $Configuration['AZURE_REDIS_ENTERPRISE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_REDIS_ENTERPRISE_NAME_FORMAT, $True); +} + +#endregion Naming rules diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 index b5a87659912..a67c0b8bca6 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 
@@ -255,3 +255,32 @@ function global:IsMasterDatabase { } #endregion Helper functions + +#region Naming rules + +# Synopsis: Azure SQL Database servers without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.SQL.ServerNaming' -Ref 'AZR-000517' -Type 'Microsoft.Sql/servers' -If { $Configuration['AZURE_SQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_SERVER_NAME_FORMAT, $True); +} + +# Synopsis: Azure SQL databases without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.SQL.DatabaseNaming' -Ref 'AZR-000518' -Type 'Microsoft.Sql/servers/databases' -If { $Configuration['AZURE_SQL_DATABASE_NAME_FORMAT'] -ne '' -and !(IsMasterDatabase) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_DATABASE_NAME_FORMAT, $True); +} + +# Synopsis: Azure SQL Elastic Job agents without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.SQL.JobAgentNaming' -Ref 'AZR-000519' -Type 'Microsoft.Sql/servers/jobAgents' -If { $Configuration['AZURE_SQL_JOB_AGENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_JOB_AGENT_NAME_FORMAT, $True); +} + +# Synopsis: Azure SQL Elastic Pools without a standard naming convention may be difficult to identify and manage. 
+Rule 'Azure.SQL.ElasticPoolNaming' -Ref 'AZR-000520' -Type 'Microsoft.Sql/servers/elasticPools' -If { $Configuration['AZURE_SQL_ELASTIC_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_ELASTIC_POOL_NAME_FORMAT, $True); +} + +# Synopsis: SQL Server Stretch Databases without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.SQL.StretchDBNaming' -Ref 'AZR-000524' -Type 'Microsoft.Sql/servers/databases' -If { $Configuration['AZURE_SQL_STRETCH_DB_NAME_FORMAT'] -ne '' -and $TargetObject.properties.requestedServiceObjectiveName -eq 'DataWarehouse' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_STRETCH_DB_NAME_FORMAT, $True); +} + +#endregion Naming rules diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 index c1e7e3fc6a4..51ae1c6c6e8 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 @@ -62,4 +62,9 @@ Rule 'Azure.SQLMI.MaintenanceWindow' -Ref 'AZR-000441' -Type 'Microsoft.Sql/mana ) } +# Synopsis: SQL Managed Instances without a standard naming convention may be difficult to identify and manage. +Rule 'Azure.SQLMI.Naming' -Ref 'AZR-000523' -Type 'Microsoft.Sql/managedInstances' -If { $Configuration['AZURE_SQL_MI_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } { + $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_MI_NAME_FORMAT, $True); +} + #endregion SQL Managed Instance 
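Review bot: `Azure.SQL.DatabaseNaming` and `Azure.SQL.StretchDBNaming` both target `Microsoft.Sql/servers/databases`, and the database rule's `-If` only excludes master, so any database the stretch rule selects is also held to `AZURE_SQL_DATABASE_NAME_FORMAT` and must fail one of the two once both are configured (the baseline in PATCH 03 sets `^sqldb-` and `^sqlstrdb-`). Exclude the stretch case from the general rule, e.g. `-If { $Configuration['AZURE_SQL_DATABASE_NAME_FORMAT'] -ne '' -and !(IsMasterDatabase) -and $TargetObject.properties.requestedServiceObjectiveName -ne 'DataWarehouse' }`. Also, as far as I can tell the `DataWarehouse` service objective identifies a dedicated SQL pool (formerly SQL Data Warehouse) rather than a Stretch Database, which uses its own edition and `DS…` objectives, so confirm the selector before publishing the rule under the `sqlstrdb-` prefix.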
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.yaml index 5512aabd3dc..30cd9eed02d 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.yaml @@ -55,3 +55,51 @@ spec: count: 1 #endregion Rules + +#region Naming rules + +--- +# Synopsis: Service Fabric clusters without a standard naming convention may be difficult to identify and manage. +apiVersion: github.com/microsoft/PSRule/v1 +kind: Rule +metadata: + name: Azure.ServiceFabric.Naming + ref: AZR-000506 + tags: + release: GA + ruleSet: 2025_12 + Azure.WAF/pillar: Operational Excellence + labels: + Azure.CAF: naming +spec: + type: + - Microsoft.ServiceFabric/clusters + with: + - AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT + condition: + name: '.' + match: true + +--- +# Synopsis: Service Fabric managed clusters without a standard naming convention may be difficult to identify and manage. +apiVersion: github.com/microsoft/PSRule/v1 +kind: Rule +metadata: + name: Azure.ServiceFabric.ManagedNaming + ref: AZR-000507 + tags: + release: GA + ruleSet: 2025_12 + Azure.WAF/pillar: Operational Excellence + labels: + Azure.CAF: naming +spec: + type: + - Microsoft.ServiceFabric/managedClusters + with: + - AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT + condition: + name: '.' + match: true + +#endregion Naming rules From cd9c82ec75fc8bab831f5ca0c424a0af33c9c237 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Oct 2025 05:33:04 +0000 Subject: [PATCH 03/32] Update documentation for new naming format rules Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com> --- docs/changelog.md | 4 ++ docs/setup/setup-naming-and-tagging.md | 27 ++++++++++ src/PSRule.Rules.Azure/rules/CAF.Rule.yaml | 63 ++++++++++++++++++++++ 3 files changed, 94 insertions(+) 
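Review bot: The two YAML rules never compare the name against the configured format: in a PSRule rule spec `with:` lists selectors, not configuration keys, so `- AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT` references a selector that does not exist, and `match: true` is not a pattern, so the condition reads nothing from `AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT`; `Azure.ServiceFabric.ManagedNaming` has the same problem. Either port both to the PowerShell form used by every other rule in this commit (`-If { $Configuration['…'] -ne '' }` with `$Assert.Match($PSRule, 'TargetName', $Configuration.…, $True)`), or, if they must stay YAML, gate them on a real selector and feed the pattern through a configuration function expression, following whatever form any existing YAML naming rules in the module use. Whichever form is chosen needs a test; the PATCH 04 diffstat shows none for Service Fabric.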
diff --git a/docs/changelog.md b/docs/changelog.md index 91b2adface8..25af72beb95 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -30,6 +30,10 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers ## Unreleased +- New rules: + - Added naming format rules for AKS, Container Apps, Service Fabric, Cosmos DB, Redis, and SQL resources. + [#3638](https://github.com/Azure/PSRule.Rules.Azure/issues/3638) + ## v1.46.0-B0050 (pre-release) What's changed since v1.45.2: diff --git a/docs/setup/setup-naming-and-tagging.md b/docs/setup/setup-naming-and-tagging.md index 2ffb9d01593..65934143f66 100644 --- a/docs/setup/setup-naming-and-tagging.md +++ b/docs/setup/setup-naming-and-tagging.md 
@@ -225,21 +225,48 @@ To configure the rule for a resource type, set the corresponding configuration v Rule | Resource type | Configuration value ---- | ------------- | ------------------- +`Azure.ACR.Naming` | `Microsoft.ContainerRegistry/registries` | `AZURE_CONTAINER_REGISTRY_NAME_FORMAT` `Azure.Search.Naming` | `Microsoft.Search/searchServices` | `AZURE_AI_SEARCH_NAME_FORMAT` `Azure.AI.FoundryNaming` | `Microsoft.CognitiveServices/accounts` with `kind` = `AIServices` | `AZURE_AI_SERVICES_NAME_FORMAT` +`Azure.AKS.Naming` | `Microsoft.ContainerService/managedClusters` | `AZURE_AKS_CLUSTER_NAME_FORMAT` +`Azure.AKS.SystemPoolNaming` | `Microsoft.ContainerService/managedClusters/agentPools` with `mode` = `System` | `AZURE_AKS_SYSTEM_POOL_NAME_FORMAT` +`Azure.AKS.UserPoolNaming` | `Microsoft.ContainerService/managedClusters/agentPools` with `mode` = `User` | `AZURE_AKS_USER_POOL_NAME_FORMAT` `Azure.AppInsights.Naming` | `Microsoft.Insights/components` | `AZURE_APP_INSIGHTS_NAME_FORMAT` +`Azure.CI.Naming` | `Microsoft.ContainerInstance/containerGroups` | `AZURE_CONTAINER_INSTANCE_NAME_FORMAT` +`Azure.ContainerApp.Naming` | `Microsoft.App/containerApps` | `AZURE_CONTAINER_APP_NAME_FORMAT` +`Azure.ContainerApp.EnvironmentNaming` | `Microsoft.App/managedEnvironments` | `AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT` +`Azure.ContainerApp.JobNaming` | `Microsoft.App/jobs` | `AZURE_CONTAINER_APP_JOB_NAME_FORMAT` +`Azure.Cosmos.CassandraNaming` | `Microsoft.DocumentDb/databaseAccounts` with Cassandra API | `AZURE_COSMOS_CASSANDRA_NAME_FORMAT` +`Azure.Cosmos.DatabaseNaming` | `Microsoft.DocumentDB/databaseAccounts/sqlDatabases` | `AZURE_COSMOS_DATABASE_NAME_FORMAT` +`Azure.Cosmos.GremlinNaming` | `Microsoft.DocumentDb/databaseAccounts` with Gremlin API | `AZURE_COSMOS_GREMLIN_NAME_FORMAT` +`Azure.Cosmos.MongoNaming` | `Microsoft.DocumentDb/databaseAccounts` with MongoDB API | `AZURE_COSMOS_MONGO_NAME_FORMAT` +`Azure.Cosmos.NoSQLNaming` | `Microsoft.DocumentDb/databaseAccounts` 
with NoSQL API | `AZURE_COSMOS_NOSQL_NAME_FORMAT` +`Azure.Cosmos.PostgreSQLNaming` | `Microsoft.DBforPostgreSQL/serverGroupsv2` | `AZURE_COSMOS_POSTGRESQL_NAME_FORMAT` +`Azure.Cosmos.TableNaming` | `Microsoft.DocumentDb/databaseAccounts` with Table API | `AZURE_COSMOS_TABLE_NAME_FORMAT` `Azure.EventGrid.DomainNaming` | `Microsoft.EventGrid/domains` | `AZURE_EVENTGRID_DOMAIN_NAME_FORMAT` `Azure.EventGrid.TopicNaming` | `Microsoft.EventGrid/topics`, `Microsoft.EventGrid/domains/topics` | `AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT` `Azure.EventGrid.SystemTopicNaming` | `Microsoft.EventGrid/systemTopics` | `AZURE_EVENTGRID_SYSTEM_TOPIC_NAME_FORMAT` `Azure.VNG.ConnectionNaming` | `Microsoft.Network/connections` | `AZURE_GATEWAY_CONNECTION_NAME_FORMAT` `Azure.LB.Naming` | `Microsoft.Network/loadBalancers` | `AZURE_LOAD_BALANCER_NAME_FORMAT` `Azure.Log.Naming` | `Microsoft.OperationalInsights/workspaces` | `AZURE_LOG_WORKSPACE_NAME_FORMAT` +`Azure.MySQL.Naming` | `Microsoft.DBforMySQL/servers`, `Microsoft.DBforMySQL/flexibleServers` | `AZURE_MYSQL_SERVER_NAME_FORMAT` `Azure.NSG.Naming` | `Microsoft.Network/networkSecurityGroups` | `AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT` +`Azure.PostgreSQL.Naming` | `Microsoft.DBforPostgreSQL/servers`, `Microsoft.DBforPostgreSQL/flexibleServers` | `AZURE_POSTGRESQL_SERVER_NAME_FORMAT` `Azure.PublicIP.Naming` | `Microsoft.Network/publicIPAddresses` | `AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT` +`Azure.Redis.Naming` | `Microsoft.Cache/Redis` | `AZURE_REDIS_CACHE_NAME_FORMAT` +`Azure.RedisEnterprise.Naming` | `Microsoft.Cache/RedisEnterprise` | `AZURE_REDIS_ENTERPRISE_NAME_FORMAT` `Azure.Group.Naming` | `Microsoft.Resources/resourceGroups` | `AZURE_RESOURCE_GROUP_NAME_FORMAT` `Azure.Group.RequiredTags` | `Microsoft.Resources/resourceGroups` | `AZURE_RESOURCE_GROUP_REQUIRED_TAGS` `Azure.Resource.RequiredTags` | Applies to all types that support tags except subscription and resource groups. 
| `AZURE_RESOURCE_REQUIRED_TAGS` `Azure.Route.Naming` | `Microsoft.Network/routeTables` | `AZURE_ROUTE_TABLE_NAME_FORMAT` +`Azure.ServiceFabric.Naming` | `Microsoft.ServiceFabric/clusters` | `AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT` +`Azure.ServiceFabric.ManagedNaming` | `Microsoft.ServiceFabric/managedClusters` | `AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT` +`Azure.SQL.ServerNaming` | `Microsoft.Sql/servers` | `AZURE_SQL_SERVER_NAME_FORMAT` +`Azure.SQL.DatabaseNaming` | `Microsoft.Sql/servers/databases` | `AZURE_SQL_DATABASE_NAME_FORMAT` +`Azure.SQL.JobAgentNaming` | `Microsoft.Sql/servers/jobAgents` | `AZURE_SQL_JOB_AGENT_NAME_FORMAT` +`Azure.SQL.ElasticPoolNaming` | `Microsoft.Sql/servers/elasticPools` | `AZURE_SQL_ELASTIC_POOL_NAME_FORMAT` +`Azure.SQL.StretchDBNaming` | `Microsoft.Sql/servers/databases` with Data Warehouse service objective | `AZURE_SQL_STRETCH_DB_NAME_FORMAT` +`Azure.SQLMI.Naming` | `Microsoft.Sql/managedInstances` | `AZURE_SQL_MI_NAME_FORMAT` `Azure.Storage.Naming` | `Microsoft.Storage/storageAccounts` | `AZURE_STORAGE_ACCOUNT_NAME_FORMAT` `Azure.Subscription.RequiredTags` | `Microsoft.Subscription/aliases` | `AZURE_SUBSCRIPTION_REQUIRED_TAGS` `Azure.VM.Naming` | `Microsoft.Compute/virtualMachines` | `AZURE_VIRTUAL_MACHINE_NAME_FORMAT` diff --git a/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml b/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml index d882dd7eb16..1ac16e03463 100644 --- a/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml 
@@ -108,3 +108,66 @@ spec: AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: 'vgw-' AZURE_VNET_NAME_FORMAT: '^vnet-' AZURE_VNET_SUBNET_NAME_FORMAT: '^snet-' + +--- +# Synopsis: Includes rules related to Azure CAF based on a December 2025 snapshot. +apiVersion: github.com/microsoft/PSRule/v1 +kind: Baseline +metadata: + name: Azure.CAF_2025_12 + annotations: + taxonomy: Azure.CAF + export: true + moduleVersion: v1.48.0 + experimental: true +spec: + rule: + tag: + release: GA + labels: + Azure.CAF: '*' + + configuration: + AZURE_AI_SEARCH_NAME_FORMAT: '^srch-' + AZURE_AI_SERVICES_NAME_FORMAT: '^aif-' + AZURE_AKS_CLUSTER_NAME_FORMAT: '^aks-' + AZURE_AKS_SYSTEM_POOL_NAME_FORMAT: '^npsystem' + AZURE_AKS_USER_POOL_NAME_FORMAT: '^np' + AZURE_CONTAINER_APP_NAME_FORMAT: '^ca-' + AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT: '^cae-' + AZURE_CONTAINER_APP_JOB_NAME_FORMAT: '^caj-' + AZURE_CONTAINER_REGISTRY_NAME_FORMAT: '^cr' + AZURE_CONTAINER_INSTANCE_NAME_FORMAT: '^ci-' + AZURE_COSMOS_CASSANDRA_NAME_FORMAT: '^coscas-' + AZURE_COSMOS_MONGO_NAME_FORMAT: '^cosmon-' + AZURE_COSMOS_NOSQL_NAME_FORMAT: '^cosno-' + AZURE_COSMOS_TABLE_NAME_FORMAT: '^costab-' + AZURE_COSMOS_GREMLIN_NAME_FORMAT: '^cosgrm-' + AZURE_COSMOS_POSTGRESQL_NAME_FORMAT: '^cospos-' + AZURE_COSMOS_DATABASE_NAME_FORMAT: '^cosmos-' + AZURE_EVENTGRID_DOMAIN_NAME_FORMAT: '^evgd-' + AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT: '^evgt-' + AZURE_EVENTGRID_SYSTEM_TOPIC_NAME_FORMAT: '^egst-' + AZURE_GATEWAY_CONNECTION_NAME_FORMAT: '^con-' + AZURE_LOAD_BALANCER_NAME_FORMAT: '^(lbi|lbe)-' + AZURE_MYSQL_SERVER_NAME_FORMAT: '^mysql-' + AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT: '^nsg-' + AZURE_POSTGRESQL_SERVER_NAME_FORMAT: '^psql-' + AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT: '^pip-' + AZURE_REDIS_CACHE_NAME_FORMAT: '^redis-' + AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '^amr-' + AZURE_RESOURCE_GROUP_NAME_FORMAT: '^rg-' + AZURE_ROUTE_TABLE_NAME_FORMAT: '^rt-' + AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT: '^sf-' + 
AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT: '^sfmc-' + AZURE_SQL_SERVER_NAME_FORMAT: '^sql-' + AZURE_SQL_DATABASE_NAME_FORMAT: '^sqldb-' + AZURE_SQL_JOB_AGENT_NAME_FORMAT: '^sqlja-' + AZURE_SQL_ELASTIC_POOL_NAME_FORMAT: '^sqlep-' + AZURE_SQL_STRETCH_DB_NAME_FORMAT: '^sqlstrdb-' + AZURE_SQL_MI_NAME_FORMAT: '^sqlmi-' + AZURE_STORAGE_ACCOUNT_NAME_FORMAT: '^(st|stvm)' + AZURE_VIRTUAL_MACHINE_NAME_FORMAT: '^vm' + AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: 'vgw-' + AZURE_VNET_NAME_FORMAT: '^vnet-' + AZURE_VNET_SUBNET_NAME_FORMAT: '^snet-' From 289756138a6df79e97a55a65bcccb8a90be4174c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Oct 2025 05:37:20 +0000 Subject: [PATCH 04/32] Add test cases for new naming format rules Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com> --- .../Azure.ACR.Tests.ps1 | 46 ++ .../Azure.AKS.Tests.ps1 | 112 +++++ .../Azure.ContainerApp.Tests.ps1 | 106 ++++ .../Azure.NamingRules.Tests.ps1 | 466 ++++++++++++++++++ 4 files changed, 730 insertions(+) create mode 100644 tests/PSRule.Rules.Azure.Tests/Azure.NamingRules.Tests.ps1 diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1 index f747fbd08a0..083c8c410fc 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1 
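Review bot: `AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: 'vgw-'` in the new `Azure.CAF_2025_12` baseline is the only format without a `^` anchor, so any name merely containing `vgw-` passes; it is copied from the previous baseline visible in the hunk context, but a new snapshot is the right place to correct it: `AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: '^vgw-'`. The annotation `moduleVersion: v1.48.0` also does not match the changelog updated in this same patch, whose latest entry is `v1.46.0-B0050`; confirm which release the baseline is meant to ship in.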
@@ -362,4 +362,50 @@ Describe 'Azure.ACR' -Tag 'ACR' { $ruleResult.Detail.Reason.Path | Should -BeIn 'name'; } } + + Context 'Resource naming format' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_CONTAINER_REGISTRY_NAME_FORMAT' = '^cr' + }; + + $names = @( + 'registry001' + 'cr001' + 'CR001' + ) + + $items = @($names | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerRegistry/registries' + } + }); + + $result = $items | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.ACR.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ACR.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'registry001', 'CR001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cr001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 index 9e507654a8e..74257c46aa9 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 
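Review bot: The new `Resource naming format` context only exercises the configured case; nothing asserts that `Azure.ACR.Naming` is skipped when `AZURE_CONTAINER_REGISTRY_NAME_FORMAT` is left at its default, which is the `-If` gate most users will hit and the one most likely to misbehave if the default is missing. Add a second `Invoke-PSRule` run without the `-Option` configuration and assert `$result | Where-Object { $_.RuleName -eq 'Azure.ACR.Naming' } | Should -BeNullOrEmpty`. The same gap applies to the AKS and Container Apps test additions in this patch.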
@@ -1451,4 +1451,116 @@ Describe 'Azure.AKS' -Tag AKS { $ruleResult.TargetName | Should -BeIn 'cluster-D', 'cluster-J'; } } + + Context 'Resource name' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_AKS_CLUSTER_NAME_FORMAT' = '^aks-' + 'AZURE_AKS_SYSTEM_POOL_NAME_FORMAT' = '^npsystem' + 'AZURE_AKS_USER_POOL_NAME_FORMAT' = '^np' + }; + + $clusterNames = @( + 'cluster-001' + 'aks-001' + 'AKS-001' + ) + + $systemPoolNames = @( + 'agentpool' + 'npsystem001' + 'npsystem' + ) + + $userPoolNames = @( + 'userpool' + 'np001' + 'NP001' + ) + + $clusterItems = @($clusterNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerService/managedClusters' + } + }); + + $systemPoolItems = @($systemPoolNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerService/managedClusters/agentPools' + Properties = @{ + mode = 'System' + } + } + }); + + $userPoolItems = @($userPoolNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerService/managedClusters/agentPools' + Properties = @{ + mode = 'User' + } + } + }); + + $result = @($clusterItems + $systemPoolItems + $userPoolItems) | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.AKS.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.AKS.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'cluster-001', 'AKS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'aks-001'; + } + + It 'Azure.AKS.SystemPoolNaming' { + $filteredResult 
= $result | Where-Object { $_.RuleName -eq 'Azure.AKS.SystemPoolNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'agentpool'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'npsystem001', 'npsystem'; + } + + It 'Azure.AKS.UserPoolNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.AKS.UserPoolNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'userpool', 'NP001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'np001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 index 02e7a0657d0..98d59679b10 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 
@@ -255,4 +255,110 @@ Describe 'Azure.ContainerApp' -Tag 'ContainerApp' { $ruleResult.Outcome | Should -Be 'Fail'; } } + + Context 'Resource naming format' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_CONTAINER_APP_NAME_FORMAT' = '^ca-' + 'AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT' = '^cae-' + 'AZURE_CONTAINER_APP_JOB_NAME_FORMAT' = '^caj-' + }; + + $appNames = @( + 'app-001' + 'ca-001' + 'CA-001' + ) + + $envNames = @( + 'env-001' + 'cae-001' + 'CAE-001' + ) + + $jobNames = @( + 'job-001' + 'caj-001' + 'CAJ-001' + ) + + $appItems = @($appNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.App/containerApps' + } + }); + + $envItems = @($envNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.App/managedEnvironments' + } + }); + + $jobItems = @($jobNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.App/jobs' + } + }); + + $result = @($appItems + $envItems + $jobItems) | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.ContainerApp.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ContainerApp.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'app-001', 'CA-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'ca-001'; + } + + It 'Azure.ContainerApp.EnvironmentNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ContainerApp.EnvironmentNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + 
$ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'env-001', 'CAE-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cae-001'; + } + + It 'Azure.ContainerApp.JobNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ContainerApp.JobNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'job-001', 'CAJ-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'caj-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.NamingRules.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.NamingRules.Tests.ps1 new file mode 100644 index 00000000000..fb8502cc380 --- /dev/null +++ b/tests/PSRule.Rules.Azure.Tests/Azure.NamingRules.Tests.ps1 
@@ -0,0 +1,466 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +# +# Unit tests for new naming rules +# + +[CmdletBinding()] +param () + +BeforeAll { + # Setup error handling + $ErrorActionPreference = 'Stop'; + Set-StrictMode -Version latest; + + if ($Env:SYSTEM_DEBUG -eq 'true') { + $VerbosePreference = 'Continue'; + } + + # Setup tests paths + $rootPath = $PWD; + Import-Module (Join-Path -Path $rootPath -ChildPath out/modules/PSRule.Rules.Azure) -Force; + $here = (Resolve-Path $PSScriptRoot).Path; +} + +Describe 'Azure.Naming' -Tag 'Naming' { + Context 'Container Instance naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_CONTAINER_INSTANCE_NAME_FORMAT' = '^ci-' + }; + + $names = @('instance-001', 'ci-001', 'CI-001') + $items = @($names | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ContainerInstance/containerGroups' + } + }); + + $result = $items | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.CI.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.CI.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'instance-001', 'CI-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'ci-001'; + } + } + + Context 'Service Fabric naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT' = '^sf-' + 
'AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT' = '^sfmc-' + }; + + $clusterNames = @('cluster-001', 'sf-001', 'SF-001') + $managedClusterNames = @('managed-001', 'sfmc-001', 'SFMC-001') + + $clusterItems = @($clusterNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ServiceFabric/clusters' + } + }); + + $managedClusterItems = @($managedClusterNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.ServiceFabric/managedClusters' + } + }); + + $result = @($clusterItems + $managedClusterItems) | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.ServiceFabric.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ServiceFabric.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'cluster-001', 'SF-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sf-001'; + } + + It 'Azure.ServiceFabric.ManagedNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ServiceFabric.ManagedNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'managed-001', 'SFMC-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sfmc-001'; + } + } + + Context 'Cosmos DB naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = 
New-PSRuleOption -Configuration @{ + 'AZURE_COSMOS_NOSQL_NAME_FORMAT' = '^cosno-' + 'AZURE_COSMOS_MONGO_NAME_FORMAT' = '^cosmon-' + 'AZURE_COSMOS_DATABASE_NAME_FORMAT' = '^cosmos-' + 'AZURE_COSMOS_POSTGRESQL_NAME_FORMAT' = '^cospos-' + }; + + $nosqlNames = @('account-001', 'cosno-001', 'COSNO-001') + $mongoNames = @('mongo-001', 'cosmon-001', 'COSMON-001') + $dbNames = @('db-001', 'cosmos-001', 'COSMOS-001') + $postgresNames = @('postgres-001', 'cospos-001', 'COSPOS-001') + + $nosqlItems = @($nosqlNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'GlobalDocumentDB' + Properties = @{ + capabilities = @() + } + } + }); + + $mongoItems = @($mongoNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'MongoDB' + Properties = @{ } + } + }); + + $dbItems = @($dbNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases' + } + }); + + $postgresItems = @($postgresNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DBforPostgreSQL/serverGroupsv2' + } + }); + + $result = @($nosqlItems + $mongoItems + $dbItems + $postgresItems) | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.Cosmos.NoSQLNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.NoSQLNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'account-001', 'COSNO-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosno-001'; + } + + It 'Azure.Cosmos.MongoNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 
'Azure.Cosmos.MongoNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'mongo-001', 'COSMON-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosmon-001'; + } + + It 'Azure.Cosmos.DatabaseNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.DatabaseNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'db-001', 'COSMOS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosmos-001'; + } + + It 'Azure.Cosmos.PostgreSQLNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.PostgreSQLNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'postgres-001', 'COSPOS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cospos-001'; + } + } + + Context 'Redis naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_REDIS_CACHE_NAME_FORMAT' = '^redis-' + 'AZURE_REDIS_ENTERPRISE_NAME_FORMAT' = 
'^amr-' + }; + + $cacheNames = @('cache-001', 'redis-001', 'REDIS-001') + $enterpriseNames = @('enterprise-001', 'amr-001', 'AMR-001') + + $cacheItems = @($cacheNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Cache/Redis' + } + }); + + $enterpriseItems = @($enterpriseNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Cache/RedisEnterprise' + } + }); + + $result = @($cacheItems + $enterpriseItems) | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.Redis.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Redis.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'cache-001', 'REDIS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'redis-001'; + } + + It 'Azure.RedisEnterprise.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.RedisEnterprise.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'enterprise-001', 'AMR-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'amr-001'; + } + } + + Context 'SQL naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_SQL_SERVER_NAME_FORMAT' = '^sql-' + 'AZURE_SQL_DATABASE_NAME_FORMAT' = '^sqldb-' + 
'AZURE_SQL_MI_NAME_FORMAT' = '^sqlmi-' + 'AZURE_MYSQL_SERVER_NAME_FORMAT' = '^mysql-' + 'AZURE_POSTGRESQL_SERVER_NAME_FORMAT'= '^psql-' + }; + + $serverNames = @('server-001', 'sql-001', 'SQL-001') + $dbNames = @('database-001', 'sqldb-001', 'SQLDB-001') + $miNames = @('mi-001', 'sqlmi-001', 'SQLMI-001') + $mysqlNames = @('myserver-001', 'mysql-001', 'MYSQL-001') + $postgresNames = @('pgserver-001', 'psql-001', 'PSQL-001') + + $serverItems = @($serverNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/servers' + } + }); + + $dbItems = @($dbNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/servers/databases' + } + }); + + $miItems = @($miNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/managedInstances' + } + }); + + $mysqlItems = @($mysqlNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DBforMySQL/servers' + } + }); + + $postgresItems = @($postgresNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DBforPostgreSQL/servers' + } + }); + + $result = @($serverItems + $dbItems + $miItems + $mysqlItems + $postgresItems) | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.SQL.ServerNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.ServerNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'server-001', 'SQL-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sql-001'; + } + + It 'Azure.SQL.DatabaseNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.DatabaseNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { 
$_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'database-001', 'SQLDB-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sqldb-001'; + } + + It 'Azure.SQLMI.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQLMI.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'mi-001', 'SQLMI-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sqlmi-001'; + } + + It 'Azure.MySQL.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.MySQL.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'myserver-001', 'MYSQL-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'mysql-001'; + } + + It 'Azure.PostgreSQL.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.PostgreSQL.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'pgserver-001', 'PSQL-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + 
$ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'psql-001'; + } + } +} From df5fbbd626154497d10d76007b0bdca9e70b61cd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 6 Oct 2025 05:39:02 +0000 Subject: [PATCH 05/32] Update Service Fabric rules with proper annotations Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com> --- .../rules/Azure.ServiceFabric.Rule.yaml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.yaml index 30cd9eed02d..1f66cb60f53 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.yaml @@ -59,12 +59,18 @@ spec: #region Naming rules --- -# Synopsis: Service Fabric clusters without a standard naming convention may be difficult to identify and manage. +# Synopsis: Service Fabric clusters should use standard naming format. apiVersion: github.com/microsoft/PSRule/v1 kind: Rule metadata: name: Azure.ServiceFabric.Naming ref: AZR-000506 + annotations: + severity: Awareness + pillar: Operational Excellence + category: OE:04 Tools and processes + resource: Service Fabric Cluster + online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceFabric.Naming/ tags: release: GA ruleSet: 2025_12 
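Review bot: In the SQL context, `'AZURE_POSTGRESQL_SERVER_NAME_FORMAT'= '^psql-'` is missing the space before `=` that every other configuration key in this file has; `'AZURE_POSTGRESQL_SERVER_NAME_FORMAT' = '^psql-'`. In the Cosmos DB context the account fixtures use the type string `Microsoft.DocumentDb/databaseAccounts` while the database fixtures use `Microsoft.DocumentDB/databaseAccounts/sqlDatabases`; type binding is presumably case-insensitive, but a single spelling removes the question, and the same fixtures are carried into Azure.Cosmos.Tests.ps1 later in this series. Both points also apply to the copies of these contexts that patch 06 distributes into the per-service test files.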
@@ -81,12 +87,18 @@ spec:
     match: true
 
 ---
-# Synopsis: Service Fabric managed clusters without a standard naming convention may be difficult to identify and manage.
+# Synopsis: Service Fabric managed clusters should use standard naming format.
 apiVersion: github.com/microsoft/PSRule/v1
 kind: Rule
 metadata:
   name: Azure.ServiceFabric.ManagedNaming
   ref: AZR-000507
+  annotations:
+    severity: Awareness
+    pillar: Operational Excellence
+    category: OE:04 Tools and processes
+    resource: Service Fabric Managed Cluster
+    online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceFabric.ManagedNaming/
   tags:
     release: GA
     ruleSet: 2025_12
From fd7291f57025a8d65cbcb6fe657bf4b7a2de9106 Mon Sep 17 00:00:00 2001
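Review bot: The synopsis is reworded to `Service Fabric managed clusters should use standard naming format.`, while the PowerShell naming rules introduced earlier in this series (Azure.ACR.Naming, Azure.AKS.SystemPoolNaming and the rest) keep the `without a standard naming convention may be difficult to identify and manage.` form, so the generated rule index will show two wordings for the same kind of rule. The first hunk of this file makes the same change for Azure.ServiceFabric.Naming. Either keep the original wording here or change all naming synopses together.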
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 10 Oct 2025 13:55:58 +0000 Subject: [PATCH 06/32] Refactor naming rules and tests based on review feedback - Update AKS node pool naming rules to use GetAgentPoolProfiles for both inline and nested pools - Move Redis Enterprise naming rule to separate Azure.RedisEnterprise.Rule.ps1 file - Convert Service Fabric naming rules from YAML to PowerShell - Distribute tests from Azure.NamingRules.Tests.ps1 to individual service test files - Delete consolidated Azure.NamingRules.Tests.ps1 file Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com> --- .../rules/Azure.AKS.Rule.ps1 | 20 +- .../rules/Azure.Redis.Rule.ps1 | 5 - .../rules/Azure.RedisEnterprise.Rule.ps1 | 15 + .../rules/Azure.ServiceFabric.Rule.ps1 | 20 + .../rules/Azure.ServiceFabric.Rule.yaml | 60 --- .../Azure.CI.Tests.ps1 | 67 +++ .../Azure.Cosmos.Tests.ps1 | 210 ++++++++ .../Azure.MySQL.Tests.ps1 | 41 ++ .../Azure.NamingRules.Tests.ps1 | 466 ------------------ .../Azure.PostgreSQL.Tests.ps1 | 41 ++ .../Azure.Redis.Tests.ps1 | 67 +++ .../Azure.SQL.Tests.ps1 | 117 +++++ .../Azure.SQLMI.Tests.ps1 | 41 ++ .../Azure.ServiceFabric.Tests.ps1 | 67 +++ 14 files changed, 702 insertions(+), 535 deletions(-) create mode 100644 src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 create mode 100644 src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1 create mode 100644 tests/PSRule.Rules.Azure.Tests/Azure.CI.Tests.ps1 delete mode 100644 tests/PSRule.Rules.Azure.Tests/Azure.NamingRules.Tests.ps1 diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 index fb8cee80b47..b00e372b6a8 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 
@@ -350,13 +350,25 @@ Rule 'Azure.AKS.Naming' -Ref 'AZR-000498' -Type 'Microsoft.ContainerService/mana
 }
 
 # Synopsis: AKS system node pools without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000499' -Type 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_SYSTEM_POOL_NAME_FORMAT'] -ne '' -and $TargetObject.properties.mode -eq 'System' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
-    $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_AKS_SYSTEM_POOL_NAME_FORMAT, $True);
+Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000499' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_SYSTEM_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+    $agentPools = @(GetAgentPoolProfiles | Where-Object { $_.mode -eq 'System' });
+    if ($agentPools.Length -eq 0) {
+        return $Assert.Pass();
+    }
+    foreach ($agentPool in $agentPools) {
+        $Assert.Match($agentPool, 'name', $Configuration.AZURE_AKS_SYSTEM_POOL_NAME_FORMAT, $True);
+    }
 }
 
 # Synopsis: AKS user node pools without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.AKS.UserPoolNaming' -Ref 'AZR-000500' -Type 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_USER_POOL_NAME_FORMAT'] -ne '' -and $TargetObject.properties.mode -eq 'User' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
-    $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_AKS_USER_POOL_NAME_FORMAT, $True);
+Rule 'Azure.AKS.UserPoolNaming' -Ref 'AZR-000500' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_USER_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+    $agentPools = @(GetAgentPoolProfiles | Where-Object { $_.mode -eq 'User' });
+    if ($agentPools.Length -eq 0) {
+        return $Assert.Pass();
+    }
+    foreach ($agentPool in $agentPools) {
+        $Assert.Match($agentPool, 'name', $Configuration.AZURE_AKS_USER_POOL_NAME_FORMAT, $True);
+    }
 }
 
 #region Helper functions
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1
index 6b586cd8599..e6038ef13e8 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1
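Review bot: The `return $Assert.Pass()` branch now produces a Pass result for every bound object that has no pool of the requested mode, and the removed `-If` clause that filtered on `$TargetObject.properties.mode` is gone, so a user-mode `agentPools` resource will pass Azure.AKS.SystemPoolNaming and vice versa, and managedClusters fixtures with no profiles will pass both rules; this patch's diffstat does not touch Azure.AKS.Tests.ps1, whose `$ruleResult.Length | Should -Be 2` / `Should -Be 1` pass-count assertions for these two rules will presumably no longer hold. Either update those counts or keep a mode check in `-If` for the `agentPools` type, e.g. `-If { $Configuration['AZURE_AKS_SYSTEM_POOL_NAME_FORMAT'] -ne '' -and ($PSRule.TargetType -ne 'Microsoft.ContainerService/managedClusters/agentPools' -or $TargetObject.properties.mode -eq 'System') }`. `GetAgentPoolProfiles` lives in the Helper functions region that begins after this hunk, so whether it exposes `name` and `mode` for a standalone `agentPools` resource cannot be confirmed from here. Both halves of the hunk share these points.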
@@ -195,9 +195,4 @@ Rule 'Azure.Redis.Naming' -Ref 'AZR-000515' -Type 'Microsoft.Cache/Redis' -If {
     $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_REDIS_CACHE_NAME_FORMAT, $True);
 }
 
-# Synopsis: Azure Managed Redis instances without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.RedisEnterprise.Naming' -Ref 'AZR-000516' -Type 'Microsoft.Cache/RedisEnterprise' -If { $Configuration['AZURE_REDIS_ENTERPRISE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
-    $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_REDIS_ENTERPRISE_NAME_FORMAT, $True);
-}
-
 #endregion Naming rules
diff --git a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1
new file mode 100644
index 00000000000..a1ce72be7b6
--- /dev/null
+++ b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1
@@ -0,0 +1,15 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+#
+# Validation rules for Azure Managed Redis (Redis Enterprise)
+#
+
+#region Naming rules
+
+# Synopsis: Azure Managed Redis instances without a standard naming convention may be difficult to identify and manage.
+Rule 'Azure.RedisEnterprise.Naming' -Ref 'AZR-000516' -Type 'Microsoft.Cache/RedisEnterprise' -If { $Configuration['AZURE_REDIS_ENTERPRISE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+    $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_REDIS_ENTERPRISE_NAME_FORMAT, $True);
+}
+
+#endregion Naming rules
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1
new file mode 100644
index 00000000000..6228bc6b358
--- /dev/null
+++ b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1
@@ -0,0 +1,20 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+#
+# Validation rules for Service Fabric
+#
+
+#region Naming rules
+
+# Synopsis: Service Fabric clusters without a standard naming convention may be difficult to identify and manage.
+Rule 'Azure.ServiceFabric.Naming' -Ref 'AZR-000506' -Type 'Microsoft.ServiceFabric/clusters' -If { $Configuration['AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+    $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT, $True);
+}
+
+# Synopsis: Service Fabric managed clusters without a standard naming convention may be difficult to identify and manage.
+Rule 'Azure.ServiceFabric.ManagedNaming' -Ref 'AZR-000507' -Type 'Microsoft.ServiceFabric/managedClusters' -If { $Configuration['AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+    $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT, $True);
+}
+
+#endregion Naming rules
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.yaml
index 1f66cb60f53..5512aabd3dc 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.yaml
@@ -55,63 +55,3 @@ spec:
       count: 1
 
 #endregion Rules
-
-#region Naming rules
-
----
-# Synopsis: Service Fabric clusters should use standard naming format.
-apiVersion: github.com/microsoft/PSRule/v1
-kind: Rule
-metadata:
-  name: Azure.ServiceFabric.Naming
-  ref: AZR-000506
-  annotations:
-    severity: Awareness
-    pillar: Operational Excellence
-    category: OE:04 Tools and processes
-    resource: Service Fabric Cluster
-    online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceFabric.Naming/
-  tags:
-    release: GA
-    ruleSet: 2025_12
-    Azure.WAF/pillar: Operational Excellence
-  labels:
-    Azure.CAF: naming
-spec:
-  type:
-    - Microsoft.ServiceFabric/clusters
-  with:
-    - AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT
-  condition:
-    name: '.'
-    match: true
-
----
-# Synopsis: Service Fabric managed clusters should use standard naming format.
-apiVersion: github.com/microsoft/PSRule/v1
-kind: Rule
-metadata:
-  name: Azure.ServiceFabric.ManagedNaming
-  ref: AZR-000507
-  annotations:
-    severity: Awareness
-    pillar: Operational Excellence
-    category: OE:04 Tools and processes
-    resource: Service Fabric Managed Cluster
-    online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceFabric.ManagedNaming/
-  tags:
-    release: GA
-    ruleSet: 2025_12
-    Azure.WAF/pillar: Operational Excellence
-  labels:
-    Azure.CAF: naming
-spec:
-  type:
-    - Microsoft.ServiceFabric/managedClusters
-  with:
-    - AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT
-  condition:
-    name: '.'
-    match: true
-
-#endregion Naming rules
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.CI.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.CI.Tests.ps1
new file mode 100644
index 00000000000..57bfbea01b4
--- /dev/null
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.CI.Tests.ps1
@@ -0,0 +1,67 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+#
+# Unit tests for Container Instances
+#
+
+[CmdletBinding()]
+param ()
+
+BeforeAll {
+ # Setup error handling
+ $ErrorActionPreference = 'Stop';
+ Set-StrictMode -Version latest;
+
+ if ($Env:SYSTEM_DEBUG -eq 'true') {
+ $VerbosePreference = 'Continue';
+ }
+
+ # Setup tests paths
+ $rootPath = $PWD;
+ Import-Module (Join-Path -Path $rootPath -ChildPath out/modules/PSRule.Rules.Azure) -Force;
+ $here = (Resolve-Path $PSScriptRoot).Path;
+}
+
+Describe 'Azure.CI' -Tag 'CI' {
+ Context 'Resource naming' {
+ BeforeAll {
+ $invokeParams = @{
+ Baseline = 'Azure.All'
+ Module = 'PSRule.Rules.Azure'
+ WarningAction = 'Ignore'
+ ErrorAction = 'Stop'
+ }
+
+ $option = New-PSRuleOption -Configuration @{
+ 'AZURE_CONTAINER_INSTANCE_NAME_FORMAT' = '^ci-'
+ };
+
+ $names = @('instance-001', 'ci-001', 'CI-001')
+ $items = @($names | ForEach-Object {
+ [PSCustomObject]@{
+ Name = $_
+ Type = 'Microsoft.ContainerInstance/containerGroups'
+ }
+ });
+
+ $result = $items | Invoke-PSRule @invokeParams -Option $option
+ }
+
+ It 'Azure.CI.Naming' {
+ $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.CI.Naming' };
+
+ # Fail
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 2;
+ $ruleResult.TargetName | Should -BeIn 'instance-001', 'CI-001';
+
+ # Pass
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 1;
+ $ruleResult.TargetName | Should -Be 'ci-001';
+ }
+ }
+}
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1
index 2fed0b27846..7539cbce84e 100644
--- a/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1
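Review bot: Nothing in this file exercises the unconfigured case: the only invocation passes `AZURE_CONTAINER_INSTANCE_NAME_FORMAT`, so the `-If` precondition that is supposed to skip `Azure.CI.Naming` when no format is set is untested, and a regression that lets the rule fire with an empty or null pattern would go unnoticed. A second `It` that runs `$noFormat = @($items | Invoke-PSRule @invokeParams | Where-Object { $_.RuleName -eq 'Azure.CI.Naming' -and $_.Outcome -in 'Pass', 'Fail' });` and asserts `$noFormat | Should -BeNullOrEmpty;` would cover it, assuming a skipped rule yields no Pass/Fail record. The same gap applies to the Cosmos, MySQL, PostgreSQL, Redis, SQL, SQLMI and Service Fabric naming contexts added in this commit. `$here` is assigned in `BeforeAll` but never used in this file.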
@@ -226,4 +226,214 @@ Describe 'Azure.Cosmos' -Tag 'Cosmos', 'CosmosDB' { $ruleResult.TargetName | Should -BeIn 'nosql-C'; } } + + Context 'Resource naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_COSMOS_NOSQL_NAME_FORMAT' = '^cosno-' + 'AZURE_COSMOS_MONGO_NAME_FORMAT' = '^cosmon-' + 'AZURE_COSMOS_CASSANDRA_NAME_FORMAT' = '^coscas-' + 'AZURE_COSMOS_TABLE_NAME_FORMAT' = '^costab-' + 'AZURE_COSMOS_GREMLIN_NAME_FORMAT' = '^cosgrm-' + 'AZURE_COSMOS_DATABASE_NAME_FORMAT' = '^cosmos-' + 'AZURE_COSMOS_POSTGRESQL_NAME_FORMAT' = '^cospos-' + }; + + $nosqlNames = @('account-001', 'cosno-001', 'COSNO-001') + $mongoNames = @('mongo-001', 'cosmon-001', 'COSMON-001') + $cassandraNames = @('cassandra-001', 'coscas-001', 'COSCAS-001') + $tableNames = @('table-001', 'costab-001', 'COSTAB-001') + $gremlinNames = @('gremlin-001', 'cosgrm-001', 'COSGRM-001') + $dbNames = @('db-001', 'cosmos-001', 'COSMOS-001') + $postgresNames = @('postgres-001', 'cospos-001', 'COSPOS-001') + + $nosqlItems = @($nosqlNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'GlobalDocumentDB' + Properties = @{ + capabilities = @() + } + } + }); + + $mongoItems = @($mongoNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'MongoDB' + Properties = @{ } + } + }); + + $cassandraItems = @($cassandraNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'GlobalDocumentDB' + Properties = @{ + capabilities = @(@{ name = 'EnableCassandra' }) + } + } + }); + + $tableItems = @($tableNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'GlobalDocumentDB' + Properties = @{ + capabilities = @(@{ name = 
'EnableTable' }) + } + } + }); + + $gremlinItems = @($gremlinNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDb/databaseAccounts' + Kind = 'GlobalDocumentDB' + Properties = @{ + capabilities = @(@{ name = 'EnableGremlin' }) + } + } + }); + + $dbItems = @($dbNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases' + } + }); + + $postgresItems = @($postgresNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.DBforPostgreSQL/serverGroupsv2' + } + }); + + $result = @($nosqlItems + $mongoItems + $cassandraItems + $tableItems + $gremlinItems + $dbItems + $postgresItems) | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.Cosmos.NoSQLNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.NoSQLNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'account-001', 'COSNO-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosno-001'; + } + + It 'Azure.Cosmos.MongoNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.MongoNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'mongo-001', 'COSMON-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosmon-001'; + } + + It 'Azure.Cosmos.CassandraNaming' { + $filteredResult = $result | 
Where-Object { $_.RuleName -eq 'Azure.Cosmos.CassandraNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'cassandra-001', 'COSCAS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'coscas-001'; + } + + It 'Azure.Cosmos.TableNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.TableNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'table-001', 'COSTAB-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'costab-001'; + } + + It 'Azure.Cosmos.GremlinNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.GremlinNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'gremlin-001', 'COSGRM-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosgrm-001'; + } + + It 'Azure.Cosmos.DatabaseNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.DatabaseNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | 
Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'db-001', 'COSMOS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cosmos-001'; + } + + It 'Azure.Cosmos.PostgreSQLNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.PostgreSQLNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'postgres-001', 'COSPOS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'cospos-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 index 9acede88c88..f8f14939da7 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 
@@ -309,4 +309,45 @@ Describe 'Azure.MySQL' -Tag 'MySql' {
 $ruleResult.Outcome | Should -Be 'Fail';
 }
 }
+
+ Context 'Resource naming format' {
+ BeforeAll {
+ $invokeParams = @{
+ Baseline = 'Azure.All'
+ Module = 'PSRule.Rules.Azure'
+ WarningAction = 'Ignore'
+ ErrorAction = 'Stop'
+ }
+
+ $option = New-PSRuleOption -Configuration @{
+ 'AZURE_MYSQL_SERVER_NAME_FORMAT' = '^mysql-'
+ };
+
+ $names = @('myserver-001', 'mysql-001', 'MYSQL-001')
+ $items = @($names | ForEach-Object {
+ [PSCustomObject]@{
+ Name = $_
+ Type = 'Microsoft.DBforMySQL/servers'
+ }
+ });
+
+ $result = $items | Invoke-PSRule @invokeParams -Option $option
+ }
+
+ It 'Azure.MySQL.Naming' {
+ $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.MySQL.Naming' };
+
+ # Fail
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 2;
+ $ruleResult.TargetName | Should -BeIn 'myserver-001', 'MYSQL-001';
+
+ # Pass
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 1;
+ $ruleResult.TargetName | Should -Be 'mysql-001';
+ }
+ }
 }
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.NamingRules.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.NamingRules.Tests.ps1
deleted file mode 100644
index fb8502cc380..00000000000
--- a/tests/PSRule.Rules.Azure.Tests/Azure.NamingRules.Tests.ps1
+++ /dev/null
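Review bot: The new context is named `'Resource naming format'`, while the CI, Cosmos, Redis, SQL and Service Fabric test files in this same commit name the equivalent context `'Resource naming'`; the PostgreSQL and SQLMI hunks use the `format` variant too. Settling on one name keeps filtered test runs and reports consistent across the suite. Only `Microsoft.DBforMySQL/servers` is exercised here; if the rule's `-Type` also covers the flexible-server resource type (the rule file is not in this chunk), a fixture for it would make the test cover both. The `Describe` block this hunk extends starts outside the hunk.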
@@ -1,466 +0,0 @@ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. - -# -# Unit tests for new naming rules -# - -[CmdletBinding()] -param () - -BeforeAll { - # Setup error handling - $ErrorActionPreference = 'Stop'; - Set-StrictMode -Version latest; - - if ($Env:SYSTEM_DEBUG -eq 'true') { - $VerbosePreference = 'Continue'; - } - - # Setup tests paths - $rootPath = $PWD; - Import-Module (Join-Path -Path $rootPath -ChildPath out/modules/PSRule.Rules.Azure) -Force; - $here = (Resolve-Path $PSScriptRoot).Path; -} - -Describe 'Azure.Naming' -Tag 'Naming' { - Context 'Container Instance naming' { - BeforeAll { - $invokeParams = @{ - Baseline = 'Azure.All' - Module = 'PSRule.Rules.Azure' - WarningAction = 'Ignore' - ErrorAction = 'Stop' - } - - $option = New-PSRuleOption -Configuration @{ - 'AZURE_CONTAINER_INSTANCE_NAME_FORMAT' = '^ci-' - }; - - $names = @('instance-001', 'ci-001', 'CI-001') - $items = @($names | ForEach-Object { - [PSCustomObject]@{ - Name = $_ - Type = 'Microsoft.ContainerInstance/containerGroups' - } - }); - - $result = $items | Invoke-PSRule @invokeParams -Option $option - } - - It 'Azure.CI.Naming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.CI.Naming' }; - - # Fail - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'instance-001', 'CI-001'; - - # Pass - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'ci-001'; - } - } - - Context 'Service Fabric naming' { - BeforeAll { - $invokeParams = @{ - Baseline = 'Azure.All' - Module = 'PSRule.Rules.Azure' - WarningAction = 'Ignore' - ErrorAction = 'Stop' - } - - $option = New-PSRuleOption -Configuration @{ - 'AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT' = '^sf-' - 
'AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT' = '^sfmc-' - }; - - $clusterNames = @('cluster-001', 'sf-001', 'SF-001') - $managedClusterNames = @('managed-001', 'sfmc-001', 'SFMC-001') - - $clusterItems = @($clusterNames | ForEach-Object { - [PSCustomObject]@{ - Name = $_ - Type = 'Microsoft.ServiceFabric/clusters' - } - }); - - $managedClusterItems = @($managedClusterNames | ForEach-Object { - [PSCustomObject]@{ - Name = $_ - Type = 'Microsoft.ServiceFabric/managedClusters' - } - }); - - $result = @($clusterItems + $managedClusterItems) | Invoke-PSRule @invokeParams -Option $option - } - - It 'Azure.ServiceFabric.Naming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ServiceFabric.Naming' }; - - # Fail - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'cluster-001', 'SF-001'; - - # Pass - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'sf-001'; - } - - It 'Azure.ServiceFabric.ManagedNaming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ServiceFabric.ManagedNaming' }; - - # Fail - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'managed-001', 'SFMC-001'; - - # Pass - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'sfmc-001'; - } - } - - Context 'Cosmos DB naming' { - BeforeAll { - $invokeParams = @{ - Baseline = 'Azure.All' - Module = 'PSRule.Rules.Azure' - WarningAction = 'Ignore' - ErrorAction = 'Stop' - } - - $option = 
New-PSRuleOption -Configuration @{ - 'AZURE_COSMOS_NOSQL_NAME_FORMAT' = '^cosno-' - 'AZURE_COSMOS_MONGO_NAME_FORMAT' = '^cosmon-' - 'AZURE_COSMOS_DATABASE_NAME_FORMAT' = '^cosmos-' - 'AZURE_COSMOS_POSTGRESQL_NAME_FORMAT' = '^cospos-' - }; - - $nosqlNames = @('account-001', 'cosno-001', 'COSNO-001') - $mongoNames = @('mongo-001', 'cosmon-001', 'COSMON-001') - $dbNames = @('db-001', 'cosmos-001', 'COSMOS-001') - $postgresNames = @('postgres-001', 'cospos-001', 'COSPOS-001') - - $nosqlItems = @($nosqlNames | ForEach-Object { - [PSCustomObject]@{ - Name = $_ - Type = 'Microsoft.DocumentDb/databaseAccounts' - Kind = 'GlobalDocumentDB' - Properties = @{ - capabilities = @() - } - } - }); - - $mongoItems = @($mongoNames | ForEach-Object { - [PSCustomObject]@{ - Name = $_ - Type = 'Microsoft.DocumentDb/databaseAccounts' - Kind = 'MongoDB' - Properties = @{ } - } - }); - - $dbItems = @($dbNames | ForEach-Object { - [PSCustomObject]@{ - Name = $_ - Type = 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases' - } - }); - - $postgresItems = @($postgresNames | ForEach-Object { - [PSCustomObject]@{ - Name = $_ - Type = 'Microsoft.DBforPostgreSQL/serverGroupsv2' - } - }); - - $result = @($nosqlItems + $mongoItems + $dbItems + $postgresItems) | Invoke-PSRule @invokeParams -Option $option - } - - It 'Azure.Cosmos.NoSQLNaming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.NoSQLNaming' }; - - # Fail - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'account-001', 'COSNO-001'; - - # Pass - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'cosno-001'; - } - - It 'Azure.Cosmos.MongoNaming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 
'Azure.Cosmos.MongoNaming' }; - - # Fail - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'mongo-001', 'COSMON-001'; - - # Pass - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'cosmon-001'; - } - - It 'Azure.Cosmos.DatabaseNaming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.DatabaseNaming' }; - - # Fail - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'db-001', 'COSMOS-001'; - - # Pass - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'cosmos-001'; - } - - It 'Azure.Cosmos.PostgreSQLNaming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.PostgreSQLNaming' }; - - # Fail - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'postgres-001', 'COSPOS-001'; - - # Pass - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'cospos-001'; - } - } - - Context 'Redis naming' { - BeforeAll { - $invokeParams = @{ - Baseline = 'Azure.All' - Module = 'PSRule.Rules.Azure' - WarningAction = 'Ignore' - ErrorAction = 'Stop' - } - - $option = New-PSRuleOption -Configuration @{ - 'AZURE_REDIS_CACHE_NAME_FORMAT' = '^redis-' - 'AZURE_REDIS_ENTERPRISE_NAME_FORMAT' = 
'^amr-' - }; - - $cacheNames = @('cache-001', 'redis-001', 'REDIS-001') - $enterpriseNames = @('enterprise-001', 'amr-001', 'AMR-001') - - $cacheItems = @($cacheNames | ForEach-Object { - [PSCustomObject]@{ - Name = $_ - Type = 'Microsoft.Cache/Redis' - } - }); - - $enterpriseItems = @($enterpriseNames | ForEach-Object { - [PSCustomObject]@{ - Name = $_ - Type = 'Microsoft.Cache/RedisEnterprise' - } - }); - - $result = @($cacheItems + $enterpriseItems) | Invoke-PSRule @invokeParams -Option $option - } - - It 'Azure.Redis.Naming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Redis.Naming' }; - - # Fail - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'cache-001', 'REDIS-001'; - - # Pass - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'redis-001'; - } - - It 'Azure.RedisEnterprise.Naming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.RedisEnterprise.Naming' }; - - # Fail - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'enterprise-001', 'AMR-001'; - - # Pass - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'amr-001'; - } - } - - Context 'SQL naming' { - BeforeAll { - $invokeParams = @{ - Baseline = 'Azure.All' - Module = 'PSRule.Rules.Azure' - WarningAction = 'Ignore' - ErrorAction = 'Stop' - } - - $option = New-PSRuleOption -Configuration @{ - 'AZURE_SQL_SERVER_NAME_FORMAT' = '^sql-' - 'AZURE_SQL_DATABASE_NAME_FORMAT' = '^sqldb-' - 
'AZURE_SQL_MI_NAME_FORMAT' = '^sqlmi-' - 'AZURE_MYSQL_SERVER_NAME_FORMAT' = '^mysql-' - 'AZURE_POSTGRESQL_SERVER_NAME_FORMAT'= '^psql-' - }; - - $serverNames = @('server-001', 'sql-001', 'SQL-001') - $dbNames = @('database-001', 'sqldb-001', 'SQLDB-001') - $miNames = @('mi-001', 'sqlmi-001', 'SQLMI-001') - $mysqlNames = @('myserver-001', 'mysql-001', 'MYSQL-001') - $postgresNames = @('pgserver-001', 'psql-001', 'PSQL-001') - - $serverItems = @($serverNames | ForEach-Object { - [PSCustomObject]@{ - Name = $_ - Type = 'Microsoft.Sql/servers' - } - }); - - $dbItems = @($dbNames | ForEach-Object { - [PSCustomObject]@{ - Name = $_ - Type = 'Microsoft.Sql/servers/databases' - } - }); - - $miItems = @($miNames | ForEach-Object { - [PSCustomObject]@{ - Name = $_ - Type = 'Microsoft.Sql/managedInstances' - } - }); - - $mysqlItems = @($mysqlNames | ForEach-Object { - [PSCustomObject]@{ - Name = $_ - Type = 'Microsoft.DBforMySQL/servers' - } - }); - - $postgresItems = @($postgresNames | ForEach-Object { - [PSCustomObject]@{ - Name = $_ - Type = 'Microsoft.DBforPostgreSQL/servers' - } - }); - - $result = @($serverItems + $dbItems + $miItems + $mysqlItems + $postgresItems) | Invoke-PSRule @invokeParams -Option $option - } - - It 'Azure.SQL.ServerNaming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.ServerNaming' }; - - # Fail - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'server-001', 'SQL-001'; - - # Pass - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'sql-001'; - } - - It 'Azure.SQL.DatabaseNaming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.DatabaseNaming' }; - - # Fail - $ruleResult = @($filteredResult | Where-Object { 
$_.Outcome -eq 'Fail' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'database-001', 'SQLDB-001'; - - # Pass - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'sqldb-001'; - } - - It 'Azure.SQLMI.Naming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQLMI.Naming' }; - - # Fail - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'mi-001', 'SQLMI-001'; - - # Pass - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'sqlmi-001'; - } - - It 'Azure.MySQL.Naming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.MySQL.Naming' }; - - # Fail - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'myserver-001', 'MYSQL-001'; - - # Pass - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'mysql-001'; - } - - It 'Azure.PostgreSQL.Naming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.PostgreSQL.Naming' }; - - # Fail - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); - $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'pgserver-001', 'PSQL-001'; - - # Pass - $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); - 
$ruleResult | Should -Not -BeNullOrEmpty;
- $ruleResult.Length | Should -Be 1;
- $ruleResult.TargetName | Should -Be 'psql-001';
- }
- }
-}
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1
index 3a3ef7ee7f6..5477531c8dc 100644
--- a/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1
@@ -285,4 +285,45 @@ Describe 'Azure.PostgreSQL' -Tag 'PostgreSQL' {
 $ruleResult.Outcome | Should -Be 'Fail';
 }
 }
+
+ Context 'Resource naming format' {
+ BeforeAll {
+ $invokeParams = @{
+ Baseline = 'Azure.All'
+ Module = 'PSRule.Rules.Azure'
+ WarningAction = 'Ignore'
+ ErrorAction = 'Stop'
+ }
+
+ $option = New-PSRuleOption -Configuration @{
+ 'AZURE_POSTGRESQL_SERVER_NAME_FORMAT' = '^psql-'
+ };
+
+ $names = @('pgserver-001', 'psql-001', 'PSQL-001')
+ $items = @($names | ForEach-Object {
+ [PSCustomObject]@{
+ Name = $_
+ Type = 'Microsoft.DBforPostgreSQL/servers'
+ }
+ });
+
+ $result = $items | Invoke-PSRule @invokeParams -Option $option
+ }
+
+ It 'Azure.PostgreSQL.Naming' {
+ $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.PostgreSQL.Naming' };
+
+ # Fail
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 2;
+ $ruleResult.TargetName | Should -BeIn 'pgserver-001', 'PSQL-001';
+
+ # Pass
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 1;
+ $ruleResult.TargetName | Should -Be 'psql-001';
+ }
+ }
 }
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1
index 44bbcbeaac3..8b28a9cc106 100644
--- a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1
@@ -522,4 +522,71 @@ Describe 'Azure.Redis' -Tag 'Redis' { $ruleResult.TargetName | Should -Be 'redis-A', 'redis-B', 'redis-C', 'redis-D', 'redis-E', 'redis-F', 'redis-G', 'redis-H', 'redis-I', 'redis-J', 'redis-Q', 'redis-R'; } } + + Context 'Resource naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_REDIS_CACHE_NAME_FORMAT' = '^redis-' + 'AZURE_REDIS_ENTERPRISE_NAME_FORMAT' = '^amr-' + }; + + $cacheNames = @('cache-001', 'redis-001', 'REDIS-001') + $enterpriseNames = @('enterprise-001', 'amr-001', 'AMR-001') + + $cacheItems = @($cacheNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Cache/Redis' + } + }); + + $enterpriseItems = @($enterpriseNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Cache/RedisEnterprise' + } + }); + + $result = @($cacheItems + $enterpriseItems) | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.Redis.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Redis.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'cache-001', 'REDIS-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'redis-001'; + } + + It 'Azure.RedisEnterprise.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.RedisEnterprise.Naming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'enterprise-001', 'AMR-001'; 
+ + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'amr-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 index bf0cbe3dcb5..fe2fdf4d9e9 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 
@@ -457,4 +457,121 @@ Describe 'Azure.SQL' -Tag 'SQL', 'SQLDB' { $ruleResult.TargetName | Should -BeIn 'sql-sql-01/sqldb-sql-01'; } } + + Context 'Resource naming' { + BeforeAll { + $invokeParams = @{ + Baseline = 'Azure.All' + Module = 'PSRule.Rules.Azure' + WarningAction = 'Ignore' + ErrorAction = 'Stop' + } + + $option = New-PSRuleOption -Configuration @{ + 'AZURE_SQL_SERVER_NAME_FORMAT' = '^sql-' + 'AZURE_SQL_DATABASE_NAME_FORMAT' = '^sqldb-' + 'AZURE_SQL_JOB_AGENT_NAME_FORMAT' = '^sqlja-' + 'AZURE_SQL_ELASTIC_POOL_NAME_FORMAT' = '^sqlep-' + }; + + $serverNames = @('server-001', 'sql-001', 'SQL-001') + $dbNames = @('database-001', 'sqldb-001', 'SQLDB-001') + $jobAgentNames = @('agent-001', 'sqlja-001', 'SQLJA-001') + $poolNames = @('pool-001', 'sqlep-001', 'SQLEP-001') + + $serverItems = @($serverNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/servers' + } + }); + + $dbItems = @($dbNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/servers/databases' + } + }); + + $jobAgentItems = @($jobAgentNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/servers/jobAgents' + } + }); + + $poolItems = @($poolNames | ForEach-Object { + [PSCustomObject]@{ + Name = $_ + Type = 'Microsoft.Sql/servers/elasticPools' + } + }); + + $result = @($serverItems + $dbItems + $jobAgentItems + $poolItems) | Invoke-PSRule @invokeParams -Option $option + } + + It 'Azure.SQL.ServerNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.ServerNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'server-001', 'SQL-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | 
Should -Be 'sql-001'; + } + + It 'Azure.SQL.DatabaseNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.DatabaseNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'database-001', 'SQLDB-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sqldb-001'; + } + + It 'Azure.SQL.JobAgentNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.JobAgentNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'agent-001', 'SQLJA-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sqlja-001'; + } + + It 'Azure.SQL.ElasticPoolNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.ElasticPoolNaming' }; + + # Fail + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 2; + $ruleResult.TargetName | Should -BeIn 'pool-001', 'SQLEP-001'; + + # Pass + $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); + $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.Length | Should -Be 1; + $ruleResult.TargetName | Should -Be 'sqlep-001'; + } + } } diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1 index 4fae748c716..c79ae9abbf5 100644 
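Review bot: The database, job agent and elastic pool fixtures use bare names (`'database-001'`, `'agent-001'`, `'pool-001'`), yet the context line kept at the top of this hunk asserts a database `TargetName` of `'sql-sql-01/sqldb-sql-01'`, i.e. child resources in the existing fixtures carry the `server/child` form. If the new rules match an anchored pattern such as `^sqldb-` against `TargetName` as-is, every real child resource would fail while these fixtures pass, so the tests would not catch it; one child fixture in the `'sql-001/sqldb-001'` form, with an explicit expected outcome, would pin which name the rule is meant to match. The same question applies to `Azure.Cosmos.DatabaseNaming` in the Cosmos hunk, whose `sqlDatabases` fixtures are also bare names. The `Describe` block this hunk extends starts outside the hunk.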
--- a/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1
@@ -156,4 +156,45 @@ Describe 'Azure.SQLMI' -Tag 'SQLMI' {
 $ruleResult.Outcome | Should -Be 'Fail';
 }
 }
+
+ Context 'Resource naming format' {
+ BeforeAll {
+ $invokeParams = @{
+ Baseline = 'Azure.All'
+ Module = 'PSRule.Rules.Azure'
+ WarningAction = 'Ignore'
+ ErrorAction = 'Stop'
+ }
+
+ $option = New-PSRuleOption -Configuration @{
+ 'AZURE_SQL_MI_NAME_FORMAT' = '^sqlmi-'
+ };
+
+ $names = @('mi-001', 'sqlmi-001', 'SQLMI-001')
+ $items = @($names | ForEach-Object {
+ [PSCustomObject]@{
+ Name = $_
+ Type = 'Microsoft.Sql/managedInstances'
+ }
+ });
+
+ $result = $items | Invoke-PSRule @invokeParams -Option $option
+ }
+
+ It 'Azure.SQLMI.Naming' {
+ $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQLMI.Naming' };
+
+ # Fail
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 2;
+ $ruleResult.TargetName | Should -BeIn 'mi-001', 'SQLMI-001';
+
+ # Pass
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 1;
+ $ruleResult.TargetName | Should -Be 'sqlmi-001';
+ }
+ }
 }
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1
index 07e7e066ea7..02989caf099 100644
--- a/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1
@@ -88,4 +88,71 @@ Describe 'Azure.ServiceFabric' -Tag 'ServiceFabric' {
 $ruleResult.TargetName | Should -BeIn 'cluster-001';
 }
 }
+
+ Context 'Resource naming' {
+ BeforeAll {
+ $invokeParams = @{
+ Baseline = 'Azure.All'
+ Module = 'PSRule.Rules.Azure'
+ WarningAction = 'Ignore'
+ ErrorAction = 'Stop'
+ }
+
+ $option = New-PSRuleOption -Configuration @{
+ 'AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT' = '^sf-'
+ 'AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT' = '^sfmc-'
+ };
+
+ $clusterNames = @('cluster-001', 'sf-001', 'SF-001')
+ $managedClusterNames = @('managed-001', 'sfmc-001', 'SFMC-001')
+
+ $clusterItems = @($clusterNames | ForEach-Object {
+ [PSCustomObject]@{
+ Name = $_
+ Type = 'Microsoft.ServiceFabric/clusters'
+ }
+ });
+
+ $managedClusterItems = @($managedClusterNames | ForEach-Object {
+ [PSCustomObject]@{
+ Name = $_
+ Type = 'Microsoft.ServiceFabric/managedClusters'
+ }
+ });
+
+ $result = @($clusterItems + $managedClusterItems) | Invoke-PSRule @invokeParams -Option $option
+ }
+
+ It 'Azure.ServiceFabric.Naming' {
+ $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ServiceFabric.Naming' };
+
+ # Fail
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 2;
+ $ruleResult.TargetName | Should -BeIn 'cluster-001', 'SF-001';
+
+ # Pass
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 1;
+ $ruleResult.TargetName | Should -Be 'sf-001';
+ }
+
+ It 'Azure.ServiceFabric.ManagedNaming' {
+ $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ServiceFabric.ManagedNaming' };
+
+ # Fail
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 2;
+ $ruleResult.TargetName | Should -BeIn 'managed-001', 'SFMC-001';
+
+ # Pass
+ $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+ $ruleResult | Should -Not -BeNullOrEmpty;
+ $ruleResult.Length | Should -Be 1;
+ $ruleResult.TargetName | Should -Be 'sfmc-001';
+ }
+ }
 }
From 8497b4220c4a7161d364985fe34e980b67ed477b Mon Sep 17 00:00:00 2001
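Review bot: The single `$result` built from `$clusterItems + $managedClusterItems` makes both `It` blocks depend on each rule's type filter excluding the other kind of object; the `Should -Be 2` / `Should -Be 1` counts would break if either rule ever matched both `Microsoft.ServiceFabric/clusters` and `Microsoft.ServiceFabric/managedClusters`, and nothing in the hunk says that this coupling is intended. A comment above the `$result` assignment such as `# Both types are evaluated in one run; the counts below also assert that each rule only targets its own resource type` would make that contract explicit. The mixed-case fixtures `'SF-001'` and `'SFMC-001'` are expected to fail, which encodes case-sensitive matching of the configured pattern; that deserves a comment on the `$clusterNames` line too, since a reader could otherwise assume the check is case-insensitive like most PowerShell comparisons.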
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 10 Oct 2025 14:01:34 +0000 Subject: [PATCH 07/32] Add rule documentation for all 27 new naming rules Created comprehensive markdown documentation for: - AKS cluster and node pools (3 rules) - Container resources: ACR, CI, Container Apps (5 rules) - Service Fabric clusters (2 rules) - Cosmos DB accounts and databases (7 rules) - Redis instances (2 rules) - SQL and database servers (8 rules) Each documentation file includes: - Synopsis and description - CAF naming recommendations - Configuration examples - Bicep/ARM template examples - Links to relevant Azure documentation Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com> --- docs/en/rules/Azure.ACR.Naming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.AKS.Naming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.AKS.SystemPoolNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.AKS.UserPoolNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.CI.Naming.md | 100 ++++++++++++++++++ .../Azure.ContainerApp.EnvironmentNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.ContainerApp.JobNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.ContainerApp.Naming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.Cosmos.CassandraNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.Cosmos.DatabaseNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.Cosmos.GremlinNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.Cosmos.MongoNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.Cosmos.NoSQLNaming.md | 100 ++++++++++++++++++ .../en/rules/Azure.Cosmos.PostgreSQLNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.Cosmos.TableNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.MySQL.Naming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.PostgreSQL.Naming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.Redis.Naming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.RedisEnterprise.Naming.md | 100 
++++++++++++++++++ docs/en/rules/Azure.SQL.DatabaseNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.SQL.ElasticPoolNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.SQL.JobAgentNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.SQL.ServerNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.SQL.StretchDBNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.SQLMI.Naming.md | 100 ++++++++++++++++++ .../Azure.ServiceFabric.ManagedNaming.md | 100 ++++++++++++++++++ docs/en/rules/Azure.ServiceFabric.Naming.md | 100 ++++++++++++++++++ 27 files changed, 2700 insertions(+) create mode 100644 docs/en/rules/Azure.ACR.Naming.md create mode 100644 docs/en/rules/Azure.AKS.Naming.md create mode 100644 docs/en/rules/Azure.AKS.SystemPoolNaming.md create mode 100644 docs/en/rules/Azure.AKS.UserPoolNaming.md create mode 100644 docs/en/rules/Azure.CI.Naming.md create mode 100644 docs/en/rules/Azure.ContainerApp.EnvironmentNaming.md create mode 100644 docs/en/rules/Azure.ContainerApp.JobNaming.md create mode 100644 docs/en/rules/Azure.ContainerApp.Naming.md create mode 100644 docs/en/rules/Azure.Cosmos.CassandraNaming.md create mode 100644 docs/en/rules/Azure.Cosmos.DatabaseNaming.md create mode 100644 docs/en/rules/Azure.Cosmos.GremlinNaming.md create mode 100644 docs/en/rules/Azure.Cosmos.MongoNaming.md create mode 100644 docs/en/rules/Azure.Cosmos.NoSQLNaming.md create mode 100644 docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md create mode 100644 docs/en/rules/Azure.Cosmos.TableNaming.md create mode 100644 docs/en/rules/Azure.MySQL.Naming.md create mode 100644 docs/en/rules/Azure.PostgreSQL.Naming.md create mode 100644 docs/en/rules/Azure.Redis.Naming.md create mode 100644 docs/en/rules/Azure.RedisEnterprise.Naming.md create mode 100644 docs/en/rules/Azure.SQL.DatabaseNaming.md create mode 100644 docs/en/rules/Azure.SQL.ElasticPoolNaming.md create mode 100644 docs/en/rules/Azure.SQL.JobAgentNaming.md create mode 100644 docs/en/rules/Azure.SQL.ServerNaming.md create 
mode 100644 docs/en/rules/Azure.SQL.StretchDBNaming.md create mode 100644 docs/en/rules/Azure.SQLMI.Naming.md create mode 100644 docs/en/rules/Azure.ServiceFabric.ManagedNaming.md create mode 100644 docs/en/rules/Azure.ServiceFabric.Naming.md diff --git a/docs/en/rules/Azure.ACR.Naming.md b/docs/en/rules/Azure.ACR.Naming.md new file mode 100644 index 00000000000..ae819a17ebf --- /dev/null +++ b/docs/en/rules/Azure.ACR.Naming.md 
@@ -0,0 +1,100 @@ +--- +reviewed: 2025-10-10 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Container Registry +resourceType: Microsoft.ContainerRegistry/registries +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ACR.Naming/ +--- + +# Container Registry resources must use standard naming + +## SYNOPSIS + +Container Registry resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Container Registry, the Cloud Adoption Framework (CAF) recommends using the `cr` prefix. + +Requirements for Container Registry resource names: + +- Between 5 and 50 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Container Registry resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(5) +@maxLength(50) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +// Example resource deployment +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +## NOTES + +This rule does not check if Container Registry resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_CONTAINER_REGISTRY_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_CONTAINER_REGISTRY_NAME_FORMAT: '^cr' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.AKS.Naming.md b/docs/en/rules/Azure.AKS.Naming.md new file mode 100644 index 00000000000..8c3ee02c227 --- /dev/null +++ b/docs/en/rules/Azure.AKS.Naming.md 
@@ -0,0 +1,100 @@ +--- +reviewed: 2025-10-10 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: AKS cluster +resourceType: Microsoft.ContainerService/managedClusters +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.Naming/ +--- + +# AKS cluster resources must use standard naming + +## SYNOPSIS + +AKS cluster resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For AKS cluster, the Cloud Adoption Framework (CAF) recommends using the `aks-` prefix. + +Requirements for AKS cluster resource names: + +- Between 1 and 63 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating AKS cluster resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +// Example resource deployment +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +## NOTES + +This rule does not check if AKS cluster resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_AKS_CLUSTER_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_AKS_CLUSTER_NAME_FORMAT: '^aks-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.AKS.SystemPoolNaming.md b/docs/en/rules/Azure.AKS.SystemPoolNaming.md new file mode 100644 index 00000000000..14661d33222 --- /dev/null +++ b/docs/en/rules/Azure.AKS.SystemPoolNaming.md 
@@ -0,0 +1,100 @@ +--- +reviewed: 2025-10-10 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: AKS system node pool +resourceType: Microsoft.ContainerService/managedClusters/agentPools +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.SystemPoolNaming/ +--- + +# AKS system node pool resources must use standard naming + +## SYNOPSIS + +AKS system node pool resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For AKS system node pool, the Cloud Adoption Framework (CAF) recommends using the `npsystem` prefix. + +Requirements for AKS system node pool resource names: + +- Between 1 and 12 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating AKS system node pool resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(12) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +// Example resource deployment +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +## NOTES + +This rule does not check if AKS system node pool resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_AKS_SYSTEM_POOL_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_AKS_SYSTEM_POOL_NAME_FORMAT: '^npsystem' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.AKS.UserPoolNaming.md b/docs/en/rules/Azure.AKS.UserPoolNaming.md new file mode 100644 index 00000000000..0a6a1d0cd31 --- /dev/null +++ b/docs/en/rules/Azure.AKS.UserPoolNaming.md 
@@ -0,0 +1,100 @@ +--- +reviewed: 2025-10-10 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: AKS user node pool +resourceType: Microsoft.ContainerService/managedClusters/agentPools +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.UserPoolNaming/ +--- + +# AKS user node pool resources must use standard naming + +## SYNOPSIS + +AKS user node pool resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For AKS user node pool, the Cloud Adoption Framework (CAF) recommends using the `np` prefix. + +Requirements for AKS user node pool resource names: + +- Between 1 and 12 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating AKS user node pool resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(12) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +// Example resource deployment +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +## NOTES + +This rule does not check if AKS user node pool resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_AKS_USER_POOL_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_AKS_USER_POOL_NAME_FORMAT: '^np' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.CI.Naming.md b/docs/en/rules/Azure.CI.Naming.md new file mode 100644 index 00000000000..5619d559525 --- /dev/null +++ b/docs/en/rules/Azure.CI.Naming.md 
@@ -0,0 +1,100 @@ +--- +reviewed: 2025-10-10 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Container Instance +resourceType: Microsoft.ContainerInstance/containerGroups +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.CI.Naming/ +--- + +# Container Instance resources must use standard naming + +## SYNOPSIS + +Container Instance resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Container Instance, the Cloud Adoption Framework (CAF) recommends using the `ci-` prefix. + +Requirements for Container Instance resource names: + +- Between 1 and 63 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Container Instance resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +// Example resource deployment +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +## NOTES + +This rule does not check if Container Instance resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_CONTAINER_INSTANCE_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_CONTAINER_INSTANCE_NAME_FORMAT: '^ci-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.ContainerApp.EnvironmentNaming.md b/docs/en/rules/Azure.ContainerApp.EnvironmentNaming.md new file mode 100644 index 00000000000..00360028013 --- /dev/null +++ b/docs/en/rules/Azure.ContainerApp.EnvironmentNaming.md 
@@ -0,0 +1,100 @@ +--- +reviewed: 2025-10-10 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Container App Environment +resourceType: Microsoft.App/managedEnvironments +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.EnvironmentNaming/ +--- + +# Container App Environment resources must use standard naming + +## SYNOPSIS + +Container App Environment resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Container App Environment, the Cloud Adoption Framework (CAF) recommends using the `cae-` prefix. + +Requirements for Container App Environment resource names: + +- Between 2 and 64 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Container App Environment resources with a standard name. 
+Additionally consider using Azure Policy to only permit creation using a standard naming convention. + +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(2) +@maxLength(64) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +// Example resource deployment +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +## NOTES + +This rule does not check if Container App Environment resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT: '^cae-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) 
diff --git a/docs/en/rules/Azure.ContainerApp.JobNaming.md b/docs/en/rules/Azure.ContainerApp.JobNaming.md
new file mode 100644
index 00000000000..2752def2121
--- /dev/null
+++ b/docs/en/rules/Azure.ContainerApp.JobNaming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Container App Job
+resourceType: Microsoft.App/jobs
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.JobNaming/
+---
+
+# Container App Job resources must use standard naming
+
+## SYNOPSIS
+
+Container App Job resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Container App Job, the Cloud Adoption Framework (CAF) recommends using the `caj-` prefix.
+
+Requirements for Container App Job resource names:
+
+- Between 2 and 32 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Container App Job resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(2)
+@maxLength(32)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Container App Job resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_CONTAINER_APP_JOB_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_CONTAINER_APP_JOB_NAME_FORMAT: '^caj-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.ContainerApp.Naming.md b/docs/en/rules/Azure.ContainerApp.Naming.md
new file mode 100644
index 00000000000..cc187f5bd96
--- /dev/null
+++ b/docs/en/rules/Azure.ContainerApp.Naming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Container App
+resourceType: Microsoft.App/containerApps
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.Naming/
+---
+
+# Container App resources must use standard naming
+
+## SYNOPSIS
+
+Container App resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Container App, the Cloud Adoption Framework (CAF) recommends using the `ca-` prefix.
+
+Requirements for Container App resource names:
+
+- Between 2 and 32 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Container App resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(2)
+@maxLength(32)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Container App resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_CONTAINER_APP_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_CONTAINER_APP_NAME_FORMAT: '^ca-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.CassandraNaming.md b/docs/en/rules/Azure.Cosmos.CassandraNaming.md
new file mode 100644
index 00000000000..6ee350654ed
--- /dev/null
+++ b/docs/en/rules/Azure.Cosmos.CassandraNaming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Cosmos DB for Apache Cassandra account
+resourceType: Microsoft.DocumentDb/databaseAccounts
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.CassandraNaming/
+---
+
+# Cosmos DB for Apache Cassandra account resources must use standard naming
+
+## SYNOPSIS
+
+Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Cosmos DB for Apache Cassandra account, the Cloud Adoption Framework (CAF) recommends using the `coscas-` prefix.
+
+Requirements for Cosmos DB for Apache Cassandra account resource names:
+
+- Between 3 and 44 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Cosmos DB for Apache Cassandra account resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(44)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Cosmos DB for Apache Cassandra account resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_COSMOS_CASSANDRA_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_COSMOS_CASSANDRA_NAME_FORMAT: '^coscas-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.DatabaseNaming.md b/docs/en/rules/Azure.Cosmos.DatabaseNaming.md
new file mode 100644
index 00000000000..53361452f16
--- /dev/null
+++ b/docs/en/rules/Azure.Cosmos.DatabaseNaming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Cosmos DB database
+resourceType: Microsoft.DocumentDB/databaseAccounts/sqlDatabases
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.DatabaseNaming/
+---
+
+# Cosmos DB database resources must use standard naming
+
+## SYNOPSIS
+
+Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Cosmos DB database, the Cloud Adoption Framework (CAF) recommends using the `cosmos-` prefix.
+
+Requirements for Cosmos DB database resource names:
+
+- Between 1 and 255 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Cosmos DB database resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(255)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Cosmos DB database resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_COSMOS_DATABASE_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_COSMOS_DATABASE_NAME_FORMAT: '^cosmos-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.GremlinNaming.md b/docs/en/rules/Azure.Cosmos.GremlinNaming.md
new file mode 100644
index 00000000000..064661eb33d
--- /dev/null
+++ b/docs/en/rules/Azure.Cosmos.GremlinNaming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Cosmos DB for Apache Gremlin account
+resourceType: Microsoft.DocumentDb/databaseAccounts
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.GremlinNaming/
+---
+
+# Cosmos DB for Apache Gremlin account resources must use standard naming
+
+## SYNOPSIS
+
+Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Cosmos DB for Apache Gremlin account, the Cloud Adoption Framework (CAF) recommends using the `cosgrm-` prefix.
+
+Requirements for Cosmos DB for Apache Gremlin account resource names:
+
+- Between 3 and 44 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Cosmos DB for Apache Gremlin account resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(44)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Cosmos DB for Apache Gremlin account resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_COSMOS_GREMLIN_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_COSMOS_GREMLIN_NAME_FORMAT: '^cosgrm-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.MongoNaming.md b/docs/en/rules/Azure.Cosmos.MongoNaming.md
new file mode 100644
index 00000000000..652776ebc1c
--- /dev/null
+++ b/docs/en/rules/Azure.Cosmos.MongoNaming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Cosmos DB for MongoDB account
+resourceType: Microsoft.DocumentDb/databaseAccounts
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.MongoNaming/
+---
+
+# Cosmos DB for MongoDB account resources must use standard naming
+
+## SYNOPSIS
+
+Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Cosmos DB for MongoDB account, the Cloud Adoption Framework (CAF) recommends using the `cosmon-` prefix.
+
+Requirements for Cosmos DB for MongoDB account resource names:
+
+- Between 3 and 44 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Cosmos DB for MongoDB account resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(44)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Cosmos DB for MongoDB account resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_COSMOS_MONGO_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_COSMOS_MONGO_NAME_FORMAT: '^cosmon-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.NoSQLNaming.md b/docs/en/rules/Azure.Cosmos.NoSQLNaming.md
new file mode 100644
index 00000000000..28cdef5e104
--- /dev/null
+++ b/docs/en/rules/Azure.Cosmos.NoSQLNaming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Cosmos DB for NoSQL account
+resourceType: Microsoft.DocumentDb/databaseAccounts
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.NoSQLNaming/
+---
+
+# Cosmos DB for NoSQL account resources must use standard naming
+
+## SYNOPSIS
+
+Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Cosmos DB for NoSQL account, the Cloud Adoption Framework (CAF) recommends using the `cosno-` prefix.
+
+Requirements for Cosmos DB for NoSQL account resource names:
+
+- Between 3 and 44 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Cosmos DB for NoSQL account resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(44)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Cosmos DB for NoSQL account resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_COSMOS_NOSQL_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_COSMOS_NOSQL_NAME_FORMAT: '^cosno-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md b/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md
new file mode 100644
index 00000000000..d442ff3d52f
--- /dev/null
+++ b/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Cosmos DB PostgreSQL cluster
+resourceType: Microsoft.DBforPostgreSQL/serverGroupsv2
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.PostgreSQLNaming/
+---
+
+# Cosmos DB PostgreSQL cluster resources must use standard naming
+
+## SYNOPSIS
+
+Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Cosmos DB PostgreSQL cluster, the Cloud Adoption Framework (CAF) recommends using the `cospos-` prefix.
+
+Requirements for Cosmos DB PostgreSQL cluster resource names:
+
+- Between 3 and 63 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Cosmos DB PostgreSQL cluster resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(63)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Cosmos DB PostgreSQL cluster resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_COSMOS_POSTGRESQL_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_COSMOS_POSTGRESQL_NAME_FORMAT: '^cospos-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.TableNaming.md b/docs/en/rules/Azure.Cosmos.TableNaming.md new file mode 100644 index 00000000000..dce28434bc8 --- /dev/null +++ b/docs/en/rules/Azure.Cosmos.TableNaming.md 
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Cosmos DB for Table account
+resourceType: Microsoft.DocumentDb/databaseAccounts
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.TableNaming/
+---
+
+# Cosmos DB for Table account resources must use standard naming
+
+## SYNOPSIS
+
+Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Cosmos DB for Table account, the Cloud Adoption Framework (CAF) recommends using the `costab-` prefix.
+
+Requirements for Cosmos DB for Table account resource names:
+
+- Between 3 and 44 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Cosmos DB for Table account resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(44)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Cosmos DB for Table account resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_COSMOS_TABLE_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_COSMOS_TABLE_NAME_FORMAT: '^costab-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.MySQL.Naming.md b/docs/en/rules/Azure.MySQL.Naming.md
new file mode 100644
index 00000000000..d649ea7ef9b
--- /dev/null
+++ b/docs/en/rules/Azure.MySQL.Naming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: MySQL database server
+resourceType: Microsoft.DBforMySQL/servers
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.MySQL.Naming/
+---
+
+# MySQL database server resources must use standard naming
+
+## SYNOPSIS
+
+MySQL database server resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For MySQL database server, the Cloud Adoption Framework (CAF) recommends using the `mysql-` prefix.
+
+Requirements for MySQL database server resource names:
+
+- Between 3 and 63 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating MySQL database server resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(63)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if MySQL database server resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_MYSQL_SERVER_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_MYSQL_SERVER_NAME_FORMAT: '^mysql-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.PostgreSQL.Naming.md b/docs/en/rules/Azure.PostgreSQL.Naming.md
new file mode 100644
index 00000000000..701d6ab2017
--- /dev/null
+++ b/docs/en/rules/Azure.PostgreSQL.Naming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: PostgreSQL database server
+resourceType: Microsoft.DBforPostgreSQL/servers
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.PostgreSQL.Naming/
+---
+
+# PostgreSQL database server resources must use standard naming
+
+## SYNOPSIS
+
+PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For PostgreSQL database server, the Cloud Adoption Framework (CAF) recommends using the `psql-` prefix.
+
+Requirements for PostgreSQL database server resource names:
+
+- Between 3 and 63 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating PostgreSQL database server resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(3)
+@maxLength(63)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if PostgreSQL database server resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_POSTGRESQL_SERVER_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_POSTGRESQL_SERVER_NAME_FORMAT: '^psql-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Redis.Naming.md b/docs/en/rules/Azure.Redis.Naming.md
new file mode 100644
index 00000000000..52c6c5985de
--- /dev/null
+++ b/docs/en/rules/Azure.Redis.Naming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure Cache for Redis
+resourceType: Microsoft.Cache/Redis
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Redis.Naming/
+---
+
+# Azure Cache for Redis resources must use standard naming
+
+## SYNOPSIS
+
+Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Azure Cache for Redis, the Cloud Adoption Framework (CAF) recommends using the `redis-` prefix.
+
+Requirements for Azure Cache for Redis resource names:
+
+- Between 1 and 63 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Azure Cache for Redis resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(63)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Azure Cache for Redis resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_REDIS_CACHE_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_REDIS_CACHE_NAME_FORMAT: '^redis-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.RedisEnterprise.Naming.md b/docs/en/rules/Azure.RedisEnterprise.Naming.md
new file mode 100644
index 00000000000..d3527501460
--- /dev/null
+++ b/docs/en/rules/Azure.RedisEnterprise.Naming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure Managed Redis
+resourceType: Microsoft.Cache/RedisEnterprise
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.RedisEnterprise.Naming/
+---
+
+# Azure Managed Redis resources must use standard naming
+
+## SYNOPSIS
+
+Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Azure Managed Redis, the Cloud Adoption Framework (CAF) recommends using the `amr-` prefix.
+
+Requirements for Azure Managed Redis resource names:
+
+- Between 1 and 80 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Azure Managed Redis resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(80)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Azure Managed Redis resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_REDIS_ENTERPRISE_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '^amr-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.DatabaseNaming.md b/docs/en/rules/Azure.SQL.DatabaseNaming.md
new file mode 100644
index 00000000000..cafb56b44ed
--- /dev/null
+++ b/docs/en/rules/Azure.SQL.DatabaseNaming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure SQL database
+resourceType: Microsoft.Sql/servers/databases
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.DatabaseNaming/
+---
+
+# Azure SQL database resources must use standard naming
+
+## SYNOPSIS
+
+Azure SQL database resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Azure SQL database, the Cloud Adoption Framework (CAF) recommends using the `sqldb-` prefix.
+
+Requirements for Azure SQL database resource names:
+
+- Between 1 and 128 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Azure SQL database resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(128)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Azure SQL database resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_SQL_DATABASE_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_SQL_DATABASE_NAME_FORMAT: '^sqldb-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.ElasticPoolNaming.md b/docs/en/rules/Azure.SQL.ElasticPoolNaming.md
new file mode 100644
index 00000000000..8e514007497
--- /dev/null
+++ b/docs/en/rules/Azure.SQL.ElasticPoolNaming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure SQL Elastic Pool
+resourceType: Microsoft.Sql/servers/elasticPools
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.ElasticPoolNaming/
+---
+
+# Azure SQL Elastic Pool resources must use standard naming
+
+## SYNOPSIS
+
+Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Azure SQL Elastic Pool, the Cloud Adoption Framework (CAF) recommends using the `sqlep-` prefix.
+
+Requirements for Azure SQL Elastic Pool resource names:
+
+- Between 1 and 128 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Azure SQL Elastic Pool resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(128)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Azure SQL Elastic Pool resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_SQL_ELASTIC_POOL_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_SQL_ELASTIC_POOL_NAME_FORMAT: '^sqlep-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.JobAgentNaming.md b/docs/en/rules/Azure.SQL.JobAgentNaming.md
new file mode 100644
index 00000000000..400cfa81b9d
--- /dev/null
+++ b/docs/en/rules/Azure.SQL.JobAgentNaming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure SQL Elastic Job agent
+resourceType: Microsoft.Sql/servers/jobAgents
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.JobAgentNaming/
+---
+
+# Azure SQL Elastic Job agent resources must use standard naming
+
+## SYNOPSIS
+
+Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Azure SQL Elastic Job agent, the Cloud Adoption Framework (CAF) recommends using the `sqlja-` prefix.
+
+Requirements for Azure SQL Elastic Job agent resource names:
+
+- Between 1 and 128 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Azure SQL Elastic Job agent resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(128)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Azure SQL Elastic Job agent resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_SQL_JOB_AGENT_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+ AZURE_SQL_JOB_AGENT_NAME_FORMAT: '^sqlja-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.ServerNaming.md b/docs/en/rules/Azure.SQL.ServerNaming.md
new file mode 100644
index 00000000000..673f4bbd4a4
--- /dev/null
+++ b/docs/en/rules/Azure.SQL.ServerNaming.md
@@ -0,0 +1,100 @@
+---
+reviewed: 2025-10-10
+severity: Awareness
+pillar: Operational Excellence
+category: OE:04 Tools and processes
+resource: Azure SQL Database server
+resourceType: Microsoft.Sql/servers
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.ServerNaming/
+---
+
+# Azure SQL Database server resources must use standard naming
+
+## SYNOPSIS
+
+Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.
+
+## DESCRIPTION
+
+An effective naming convention allows operators to quickly identify resources, related systems, and their purpose.
+Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents,
+and minimize the risk of human error.
+
+Some of the benefits of using standardized tagging and naming conventions are:
+
+- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs.
+- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes.
+- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery.
+
+For example, if you come upon a security incident, it's critical to quickly identify affected systems,
+the functions that those systems support, and the potential business impact.
+
+For Azure SQL Database server, the Cloud Adoption Framework (CAF) recommends using the `sql-` prefix.
+
+Requirements for Azure SQL Database server resource names:
+
+- Between 1 and 63 characters long.
+- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
+- Resource names must be unique within their scope.
+
+## RECOMMENDATION
+
+Consider creating Azure SQL Database server resources with a standard name.
+Additionally consider using Azure Policy to only permit creation using a standard naming convention.
+
+## EXAMPLES
+
+### Configure with Bicep
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+For example:
+
+```bicep
+@minLength(1)
+@maxLength(63)
+@description('The name of the resource.')
+param name string
+
+@description('The location resources will be deployed.')
+param location string = resourceGroup().location
+
+// Example resource deployment
+```
+
+### Configure with Azure template
+
+To deploy resources that pass this rule:
+
+- Set the `name` property to a string that matches the naming requirements.
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+
+## NOTES
+
+This rule does not check if Azure SQL Database server resource names are unique.
+
+
+
+### Rule configuration
+
+
+
+To configure this rule set the `AZURE_SQL_SERVER_NAME_FORMAT` configuration value to a regular expression
+that matches the required format.
+
+For example:
+
+```yaml
+configuration:
+  AZURE_SQL_SERVER_NAME_FORMAT: '^sql-'
+```
+
+## LINKS
+
+- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
+- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
+- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.StretchDBNaming.md b/docs/en/rules/Azure.SQL.StretchDBNaming.md
new file mode 100644
index 00000000000..1568dec17d7
--- /dev/null
+++ b/docs/en/rules/Azure.SQL.StretchDBNaming.md
@@ -0,0 +1,100 @@ +--- +reviewed: 2025-10-10 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: SQL Server Stretch Database +resourceType: Microsoft.Sql/servers/databases +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.StretchDBNaming/ +--- + +# SQL Server Stretch Database resources must use standard naming + +## SYNOPSIS + +SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For SQL Server Stretch Database, the Cloud Adoption Framework (CAF) recommends using the `sqlstrdb-` prefix. + +Requirements for SQL Server Stretch Database resource names: + +- Between 1 and 128 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating SQL Server Stretch Database resources with a standard name. 
+Additionally consider using Azure Policy to only permit creation using a standard naming convention. + +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(128) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +// Example resource deployment +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +## NOTES + +This rule does not check if SQL Server Stretch Database resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_SQL_STRETCH_DB_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_SQL_STRETCH_DB_NAME_FORMAT: '^sqlstrdb-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.SQLMI.Naming.md b/docs/en/rules/Azure.SQLMI.Naming.md new file mode 100644 index 00000000000..9b1a7d8cfbd 
--- /dev/null
+++ b/docs/en/rules/Azure.SQLMI.Naming.md
@@ -0,0 +1,100 @@ +--- +reviewed: 2025-10-10 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: SQL Managed Instance +resourceType: Microsoft.Sql/managedInstances +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQLMI.Naming/ +--- + +# SQL Managed Instance resources must use standard naming + +## SYNOPSIS + +SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For SQL Managed Instance, the Cloud Adoption Framework (CAF) recommends using the `sqlmi-` prefix. + +Requirements for SQL Managed Instance resource names: + +- Between 1 and 63 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating SQL Managed Instance resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +// Example resource deployment +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +## NOTES + +This rule does not check if SQL Managed Instance resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_SQL_MI_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_SQL_MI_NAME_FORMAT: '^sqlmi-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md b/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md new file mode 100644 index 00000000000..945a331a644 --- /dev/null +++ b/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md 
@@ -0,0 +1,100 @@ +--- +reviewed: 2025-10-10 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Service Fabric managed cluster +resourceType: Microsoft.ServiceFabric/managedClusters +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceFabric.ManagedNaming/ +--- + +# Service Fabric managed cluster resources must use standard naming + +## SYNOPSIS + +Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Service Fabric managed cluster, the Cloud Adoption Framework (CAF) recommends using the `sfmc-` prefix. + +Requirements for Service Fabric managed cluster resource names: + +- Between 4 and 23 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Service Fabric managed cluster resources with a standard name. 
+Additionally consider using Azure Policy to only permit creation using a standard naming convention. + +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(4) +@maxLength(23) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +// Example resource deployment +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +## NOTES + +This rule does not check if Service Fabric managed cluster resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT: '^sfmc-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) 
diff --git a/docs/en/rules/Azure.ServiceFabric.Naming.md b/docs/en/rules/Azure.ServiceFabric.Naming.md
new file mode 100644
index 00000000000..8fd19b68e98
--- /dev/null
+++ b/docs/en/rules/Azure.ServiceFabric.Naming.md
@@ -0,0 +1,100 @@ +--- +reviewed: 2025-10-10 +severity: Awareness +pillar: Operational Excellence +category: OE:04 Tools and processes +resource: Service Fabric cluster +resourceType: Microsoft.ServiceFabric/clusters +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceFabric.Naming/ +--- + +# Service Fabric cluster resources must use standard naming + +## SYNOPSIS + +Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. + +## DESCRIPTION + +An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. +Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, +and minimize the risk of human error. + +Some of the benefits of using standardized tagging and naming conventions are: + +- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. +- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. +- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. + +For example, if you come upon a security incident, it's critical to quickly identify affected systems, +the functions that those systems support, and the potential business impact. + +For Service Fabric cluster, the Cloud Adoption Framework (CAF) recommends using the `sf-` prefix. + +Requirements for Service Fabric cluster resource names: + +- Between 4 and 23 characters long. +- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). +- Resource names must be unique within their scope. + +## RECOMMENDATION + +Consider creating Service Fabric cluster resources with a standard name. +Additionally consider using Azure Policy to only permit creation using a standard naming convention. 
+ +## EXAMPLES + +### Configure with Bicep + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(4) +@maxLength(23) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +// Example resource deployment +``` + +### Configure with Azure template + +To deploy resources that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +## NOTES + +This rule does not check if Service Fabric cluster resource names are unique. + + + +### Rule configuration + + + +To configure this rule set the `AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT` configuration value to a regular expression +that matches the required format. + +For example: + +```yaml +configuration: + AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT: '^sf-' +``` + +## LINKS + +- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) From 92e95fe5fcbfe3ca62d2dc85adb34bf2759a76e0 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 11 Oct 2025 04:10:04 +0000 Subject: [PATCH 08/32] Add Azure.WAF/maturity label (L2) and maturity model link to all naming rules - Added Azure.WAF/maturity label set to L2 for all 27 naming rules across all rule files - Updated all 27 rule documentation files to include link to Operational Excellence maturity model - Changes apply to: AKS, Container Apps, Container Registry, Container Instances, Service Fabric, Cosmos DB, Redis, SQL, MySQL, PostgreSQL, and SQL MI naming rules Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com> --- docs/en/rules/Azure.ACR.Naming.md | 1 + docs/en/rules/Azure.AKS.Naming.md | 1 + docs/en/rules/Azure.AKS.SystemPoolNaming.md | 1 + docs/en/rules/Azure.AKS.UserPoolNaming.md | 1 + docs/en/rules/Azure.CI.Naming.md | 1 + .../rules/Azure.ContainerApp.EnvironmentNaming.md | 1 + docs/en/rules/Azure.ContainerApp.JobNaming.md | 1 + docs/en/rules/Azure.ContainerApp.Naming.md | 1 + docs/en/rules/Azure.Cosmos.CassandraNaming.md | 1 + docs/en/rules/Azure.Cosmos.DatabaseNaming.md | 1 + docs/en/rules/Azure.Cosmos.GremlinNaming.md | 1 + docs/en/rules/Azure.Cosmos.MongoNaming.md | 1 + docs/en/rules/Azure.Cosmos.NoSQLNaming.md | 1 + docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md | 1 + docs/en/rules/Azure.Cosmos.TableNaming.md | 1 + docs/en/rules/Azure.MySQL.Naming.md | 1 + docs/en/rules/Azure.PostgreSQL.Naming.md | 1 + docs/en/rules/Azure.Redis.Naming.md | 1 + docs/en/rules/Azure.RedisEnterprise.Naming.md | 1 + docs/en/rules/Azure.SQL.DatabaseNaming.md | 1 + docs/en/rules/Azure.SQL.ElasticPoolNaming.md | 1 + docs/en/rules/Azure.SQL.JobAgentNaming.md | 1 + docs/en/rules/Azure.SQL.ServerNaming.md | 1 + docs/en/rules/Azure.SQL.StretchDBNaming.md | 1 + docs/en/rules/Azure.SQLMI.Naming.md | 1 + docs/en/rules/Azure.ServiceFabric.ManagedNaming.md | 1 + docs/en/rules/Azure.ServiceFabric.Naming.md | 1 + src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 | 2 +- 
src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 | 6 +++---
src/PSRule.Rules.Azure/rules/Azure.CI.Rule.ps1 | 2 +-
.../rules/Azure.ContainerApp.Rule.ps1 | 6 +++---
src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 | 14 +++++++-------
src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 | 2 +-
.../rules/Azure.PostgreSQL.Rule.ps1 | 2 +-
src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 | 2 +-
.../rules/Azure.RedisEnterprise.Rule.ps1 | 2 +-
src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 | 10 +++++-----
src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 | 2 +-
.../rules/Azure.ServiceFabric.Rule.ps1 | 4 ++--
39 files changed, 54 insertions(+), 27 deletions(-)
diff --git a/docs/en/rules/Azure.ACR.Naming.md b/docs/en/rules/Azure.ACR.Naming.md
index ae819a17ebf..b13cbae5fa5 100644
--- a/docs/en/rules/Azure.ACR.Naming.md
+++ b/docs/en/rules/Azure.ACR.Naming.md
@@ -95,6 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.AKS.Naming.md b/docs/en/rules/Azure.AKS.Naming.md
index 8c3ee02c227..c86b4669f9c 100644
--- a/docs/en/rules/Azure.AKS.Naming.md
+++ b/docs/en/rules/Azure.AKS.Naming.md
@@ -95,6 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.AKS.SystemPoolNaming.md b/docs/en/rules/Azure.AKS.SystemPoolNaming.md
index 14661d33222..925151f6077 100644
--- a/docs/en/rules/Azure.AKS.SystemPoolNaming.md
+++ b/docs/en/rules/Azure.AKS.SystemPoolNaming.md
@@ -95,6 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.AKS.UserPoolNaming.md b/docs/en/rules/Azure.AKS.UserPoolNaming.md
index 0a6a1d0cd31..4caf40e51c9 100644
--- a/docs/en/rules/Azure.AKS.UserPoolNaming.md
+++ b/docs/en/rules/Azure.AKS.UserPoolNaming.md
@@ -95,6 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.CI.Naming.md b/docs/en/rules/Azure.CI.Naming.md
index 5619d559525..17a360a25bf 100644
--- a/docs/en/rules/Azure.CI.Naming.md
+++ b/docs/en/rules/Azure.CI.Naming.md
@@ -95,6 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.ContainerApp.EnvironmentNaming.md b/docs/en/rules/Azure.ContainerApp.EnvironmentNaming.md
index 00360028013..91aa4dbde42 100644
--- a/docs/en/rules/Azure.ContainerApp.EnvironmentNaming.md
+++ b/docs/en/rules/Azure.ContainerApp.EnvironmentNaming.md
@@ -95,6 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.ContainerApp.JobNaming.md b/docs/en/rules/Azure.ContainerApp.JobNaming.md
index 2752def2121..e3f043d5fc2 100644
--- a/docs/en/rules/Azure.ContainerApp.JobNaming.md
+++ b/docs/en/rules/Azure.ContainerApp.JobNaming.md
@@ -95,6 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.ContainerApp.Naming.md b/docs/en/rules/Azure.ContainerApp.Naming.md
index cc187f5bd96..5cf8dc09c0a 100644
--- a/docs/en/rules/Azure.ContainerApp.Naming.md
+++ b/docs/en/rules/Azure.ContainerApp.Naming.md
@@ -95,6 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.CassandraNaming.md b/docs/en/rules/Azure.Cosmos.CassandraNaming.md
index 6ee350654ed..ba31e25863e 100644
--- a/docs/en/rules/Azure.Cosmos.CassandraNaming.md
+++ b/docs/en/rules/Azure.Cosmos.CassandraNaming.md
@@ -95,6 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.DatabaseNaming.md b/docs/en/rules/Azure.Cosmos.DatabaseNaming.md
index 53361452f16..646f3e19a71 100644
--- a/docs/en/rules/Azure.Cosmos.DatabaseNaming.md
+++ b/docs/en/rules/Azure.Cosmos.DatabaseNaming.md
@@ -95,6 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.GremlinNaming.md b/docs/en/rules/Azure.Cosmos.GremlinNaming.md
index 064661eb33d..a41685f7a23 100644
--- a/docs/en/rules/Azure.Cosmos.GremlinNaming.md
+++ b/docs/en/rules/Azure.Cosmos.GremlinNaming.md
@@ -95,6 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.MongoNaming.md b/docs/en/rules/Azure.Cosmos.MongoNaming.md
index 652776ebc1c..8370100fd21 100644
--- a/docs/en/rules/Azure.Cosmos.MongoNaming.md
+++ b/docs/en/rules/Azure.Cosmos.MongoNaming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.NoSQLNaming.md b/docs/en/rules/Azure.Cosmos.NoSQLNaming.md
index 28cdef5e104..69486178309 100644
--- a/docs/en/rules/Azure.Cosmos.NoSQLNaming.md
+++ b/docs/en/rules/Azure.Cosmos.NoSQLNaming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md b/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md
index d442ff3d52f..4a2b1afe4f9 100644
--- a/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md
+++ b/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.TableNaming.md b/docs/en/rules/Azure.Cosmos.TableNaming.md
index dce28434bc8..e6a281e423b 100644
--- a/docs/en/rules/Azure.Cosmos.TableNaming.md
+++ b/docs/en/rules/Azure.Cosmos.TableNaming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.MySQL.Naming.md b/docs/en/rules/Azure.MySQL.Naming.md
index d649ea7ef9b..37be2efd2c5 100644
--- a/docs/en/rules/Azure.MySQL.Naming.md
+++ b/docs/en/rules/Azure.MySQL.Naming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.PostgreSQL.Naming.md b/docs/en/rules/Azure.PostgreSQL.Naming.md
index 701d6ab2017..e6eb4b89538 100644
--- a/docs/en/rules/Azure.PostgreSQL.Naming.md
+++ b/docs/en/rules/Azure.PostgreSQL.Naming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Redis.Naming.md b/docs/en/rules/Azure.Redis.Naming.md
index 52c6c5985de..5edbb7661a8 100644
--- a/docs/en/rules/Azure.Redis.Naming.md
+++ b/docs/en/rules/Azure.Redis.Naming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.RedisEnterprise.Naming.md b/docs/en/rules/Azure.RedisEnterprise.Naming.md
index d3527501460..7a62545e8b2 100644
--- a/docs/en/rules/Azure.RedisEnterprise.Naming.md
+++ b/docs/en/rules/Azure.RedisEnterprise.Naming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.DatabaseNaming.md b/docs/en/rules/Azure.SQL.DatabaseNaming.md
index cafb56b44ed..edd3ad2ea92 100644
--- a/docs/en/rules/Azure.SQL.DatabaseNaming.md
+++ b/docs/en/rules/Azure.SQL.DatabaseNaming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.ElasticPoolNaming.md b/docs/en/rules/Azure.SQL.ElasticPoolNaming.md
index 8e514007497..a185f9e8c95 100644
--- a/docs/en/rules/Azure.SQL.ElasticPoolNaming.md
+++ b/docs/en/rules/Azure.SQL.ElasticPoolNaming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.JobAgentNaming.md b/docs/en/rules/Azure.SQL.JobAgentNaming.md
index 400cfa81b9d..9cb6a3f51e0 100644
--- a/docs/en/rules/Azure.SQL.JobAgentNaming.md
+++ b/docs/en/rules/Azure.SQL.JobAgentNaming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.ServerNaming.md b/docs/en/rules/Azure.SQL.ServerNaming.md
index 673f4bbd4a4..c19d8d6c7c3 100644
--- a/docs/en/rules/Azure.SQL.ServerNaming.md
+++ b/docs/en/rules/Azure.SQL.ServerNaming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.StretchDBNaming.md b/docs/en/rules/Azure.SQL.StretchDBNaming.md
index 1568dec17d7..589b9e0d8a5 100644
--- a/docs/en/rules/Azure.SQL.StretchDBNaming.md
+++ b/docs/en/rules/Azure.SQL.StretchDBNaming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQLMI.Naming.md b/docs/en/rules/Azure.SQLMI.Naming.md
index 9b1a7d8cfbd..b17eaa47ac1 100644
--- a/docs/en/rules/Azure.SQLMI.Naming.md
+++ b/docs/en/rules/Azure.SQLMI.Naming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md b/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md
index 945a331a644..0189613d07f 100644
--- a/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md
+++ b/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.ServiceFabric.Naming.md b/docs/en/rules/Azure.ServiceFabric.Naming.md
index 8fd19b68e98..16241ca13c4 100644
--- a/docs/en/rules/Azure.ServiceFabric.Naming.md
+++ b/docs/en/rules/Azure.ServiceFabric.Naming.md
@@ -95,6 +95,7 @@ configuration:
## LINKS
- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
+- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1
index 4d2999d914b..dbbe9e86055 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1
@@ -76,7 +76,7 @@ Rule 'Azure.ACR.ReplicaLocation' -Ref 'AZR-000494' -Type 'Microsoft.ContainerReg
}
# Synopsis: Container registries without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.ACR.Naming' -Ref 'AZR-000504' -Type 'Microsoft.ContainerRegistry/registries' -If { $Configuration['AZURE_CONTAINER_REGISTRY_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.ACR.Naming' -Ref 'AZR-000504' -Type 'Microsoft.ContainerRegistry/registries' -If { $Configuration['AZURE_CONTAINER_REGISTRY_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_REGISTRY_NAME_FORMAT, $True);
}
diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1
index b00e372b6a8..105c4d4fb71 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1
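Review bot: The `-If` guard on the new `Azure.ACR.Naming` line tests `$Configuration['AZURE_CONTAINER_REGISTRY_NAME_FORMAT'] -ne ''`, and in PowerShell `$null -ne ''` evaluates to true, so if that key is absent from the effective configuration the precondition passes and `$Assert.Match` runs with a `$null` pattern instead of the rule being skipped. This is moot if the module's default configuration declares the key as `''` (the hunk does not show that file), but if it does not, a null-safe guard such as `-If { -not [string]::IsNullOrEmpty($Configuration['AZURE_CONTAINER_REGISTRY_NAME_FORMAT']) }` covers both cases. The same guard shape is repeated on every naming rule in this commit, so whichever answer applies here applies to all of them.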
@@ -345,12 +345,12 @@ Rule 'Azure.AKS.MaintenanceWindow' -Ref 'AZR-000446' -Type 'Microsoft.ContainerS
}
# Synopsis: AKS clusters without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.AKS.Naming' -Ref 'AZR-000498' -Type 'Microsoft.ContainerService/managedClusters' -If { $Configuration['AZURE_AKS_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.AKS.Naming' -Ref 'AZR-000498' -Type 'Microsoft.ContainerService/managedClusters' -If { $Configuration['AZURE_AKS_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_AKS_CLUSTER_NAME_FORMAT, $True);
}
# Synopsis: AKS system node pools without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000499' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_SYSTEM_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000499' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_SYSTEM_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$agentPools = @(GetAgentPoolProfiles | Where-Object { $_.mode -eq 'System' });
if ($agentPools.Length -eq 0) {
return $Assert.Pass();
@@ -361,7 +361,7 @@ Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000499' -Type 'Microsoft.ContainerSe
}
# Synopsis: AKS user node pools without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.AKS.UserPoolNaming' -Ref 'AZR-000500' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_USER_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.AKS.UserPoolNaming' -Ref 'AZR-000500' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_USER_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$agentPools = @(GetAgentPoolProfiles | Where-Object { $_.mode -eq 'User' });
if ($agentPools.Length -eq 0) {
return $Assert.Pass();
diff --git a/src/PSRule.Rules.Azure/rules/Azure.CI.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.CI.Rule.ps1
index 22bca3099b5..5b46a7e5d05 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.CI.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.CI.Rule.ps1
@@ -8,7 +8,7 @@
#region Rules
# Synopsis: Container instances without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.CI.Naming' -Ref 'AZR-000505' -Type 'Microsoft.ContainerInstance/containerGroups' -If { $Configuration['AZURE_CONTAINER_INSTANCE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.CI.Naming' -Ref 'AZR-000505' -Type 'Microsoft.ContainerInstance/containerGroups' -If { $Configuration['AZURE_CONTAINER_INSTANCE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_INSTANCE_NAME_FORMAT, $True);
}
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1
index 38f681f498b..255c0651e0e 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1
@@ -34,17 +34,17 @@ Rule 'Azure.ContainerApp.AvailabilityZone' -Ref 'AZR-000414' -Type 'Microsoft.Ap
}
# Synopsis: Container apps without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.ContainerApp.Naming' -Ref 'AZR-000501' -Type 'Microsoft.App/containerApps' -If { $Configuration['AZURE_CONTAINER_APP_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.ContainerApp.Naming' -Ref 'AZR-000501' -Type 'Microsoft.App/containerApps' -If { $Configuration['AZURE_CONTAINER_APP_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_NAME_FORMAT, $True);
}
# Synopsis: Container apps environments without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.ContainerApp.EnvironmentNaming' -Ref 'AZR-000502' -Type 'Microsoft.App/managedEnvironments' -If { $Configuration['AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.ContainerApp.EnvironmentNaming' -Ref 'AZR-000502' -Type 'Microsoft.App/managedEnvironments' -If { $Configuration['AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT, $True);
}
# Synopsis: Container apps jobs without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.ContainerApp.JobNaming' -Ref 'AZR-000503' -Type 'Microsoft.App/jobs' -If { $Configuration['AZURE_CONTAINER_APP_JOB_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.ContainerApp.JobNaming' -Ref 'AZR-000503' -Type 'Microsoft.App/jobs' -If { $Configuration['AZURE_CONTAINER_APP_JOB_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_JOB_NAME_FORMAT, $True);
}
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1
index 78ac71bf9ec..7251b248e00 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1
@@ -19,37 +19,37 @@ Rule 'Azure.Cosmos.DisableLocalAuth' -Ref 'AZR-000420' -Type 'Microsoft.Document
}
# Synopsis: Azure Cosmos DB for Apache Cassandra accounts without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.Cosmos.CassandraNaming' -Ref 'AZR-000508' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_CASSANDRA_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and $TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableCassandra' } } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.Cosmos.CassandraNaming' -Ref 'AZR-000508' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_CASSANDRA_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and $TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableCassandra' } } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_CASSANDRA_NAME_FORMAT, $True);
}
# Synopsis: Azure Cosmos DB for MongoDB accounts without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.Cosmos.MongoNaming' -Ref 'AZR-000509' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_MONGO_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'MongoDB' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.Cosmos.MongoNaming' -Ref 'AZR-000509' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_MONGO_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'MongoDB' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_MONGO_NAME_FORMAT, $True);
}
# Synopsis: Azure Cosmos DB for NoSQL accounts without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.Cosmos.NoSQLNaming' -Ref 'AZR-000510' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_NOSQL_NAME_FORMAT'] -ne '' -and Test-IsNoSQL } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.Cosmos.NoSQLNaming' -Ref 'AZR-000510' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_NOSQL_NAME_FORMAT'] -ne '' -and Test-IsNoSQL } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_NOSQL_NAME_FORMAT, $True);
}
# Synopsis: Azure Cosmos DB for Table accounts without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.Cosmos.TableNaming' -Ref 'AZR-000511' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_TABLE_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and $TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableTable' } } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.Cosmos.TableNaming' -Ref 'AZR-000511' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_TABLE_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and $TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableTable' } } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_TABLE_NAME_FORMAT, $True);
}
# Synopsis: Azure Cosmos DB for Apache Gremlin accounts without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.Cosmos.GremlinNaming' -Ref 'AZR-000512' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_GREMLIN_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and $TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableGremlin' } } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.Cosmos.GremlinNaming' -Ref 'AZR-000512' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_GREMLIN_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and $TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableGremlin' } } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_GREMLIN_NAME_FORMAT, $True);
}
# Synopsis: Azure Cosmos DB PostgreSQL clusters without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.Cosmos.PostgreSQLNaming' -Ref 'AZR-000513' -Type 'Microsoft.DBforPostgreSQL/serverGroupsv2' -If { $Configuration['AZURE_COSMOS_POSTGRESQL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.Cosmos.PostgreSQLNaming' -Ref 'AZR-000513' -Type 'Microsoft.DBforPostgreSQL/serverGroupsv2' -If { $Configuration['AZURE_COSMOS_POSTGRESQL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_POSTGRESQL_NAME_FORMAT, $True);
}
# Synopsis: Azure Cosmos DB databases without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.Cosmos.DatabaseNaming' -Ref 'AZR-000514' -Type 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases' -If { $Configuration['AZURE_COSMOS_DATABASE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.Cosmos.DatabaseNaming' -Ref 'AZR-000514' -Type 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases' -If { $Configuration['AZURE_COSMOS_DATABASE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_DATABASE_NAME_FORMAT, $True);
}
diff --git a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1
index b9f7096ed25..a6eb42eabbc 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1
@@ -207,7 +207,7 @@ function global:MySQLSingleServerAAD {
#region Naming rules
# Synopsis: MySQL databases without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.MySQL.Naming' -Ref 'AZR-000521' -Type 'Microsoft.DBforMySQL/servers', 'Microsoft.DBforMySQL/flexibleServers' -If { $Configuration['AZURE_MYSQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.MySQL.Naming' -Ref 'AZR-000521' -Type 'Microsoft.DBforMySQL/servers', 'Microsoft.DBforMySQL/flexibleServers' -If { $Configuration['AZURE_MYSQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_MYSQL_SERVER_NAME_FORMAT, $True);
}
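Review bot: The `-If` precondition on the new `Azure.Cosmos.CassandraNaming` line (and likewise `TableNaming` and `GremlinNaming`) almost certainly never evaluates to true, because in PowerShell the pipeline operator takes the whole expression to its left: `... -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and $TargetObject.properties.capabilities` is reduced to a single `[bool]` and that boolean is what gets piped into `Where-Object { $_.name -eq 'EnableCassandra' }`, whose `$_.name` is then `$null` and the filter emits nothing. Unless PSRule treats an empty `-If` result as satisfied (I would not expect it to), these three rules are silently skipped for every account, which a unit test with a Cassandra-capable fixture would expose. Parenthesising the pipeline and testing its count fixes it on one line: `-If { $Configuration['AZURE_COSMOS_CASSANDRA_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and @($TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableCassandra' }).Length -gt 0 }`, with `EnableTable` and `EnableGremlin` substituted for the other two. The `MongoNaming` and `NoSQLNaming` lines in the same hunk are unaffected since they do not pipe inside the guard.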
diff --git a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1
index 16974e44e3a..dd922740d2a 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1
@@ -170,7 +170,7 @@ function global:PostgreSQLSingleServerAAD {
#region Naming rules
# Synopsis: PostgreSQL databases without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.PostgreSQL.Naming' -Ref 'AZR-000522' -Type 'Microsoft.DBforPostgreSQL/servers', 'Microsoft.DBforPostgreSQL/flexibleServers' -If { $Configuration['AZURE_POSTGRESQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.PostgreSQL.Naming' -Ref 'AZR-000522' -Type 'Microsoft.DBforPostgreSQL/servers', 'Microsoft.DBforPostgreSQL/flexibleServers' -If { $Configuration['AZURE_POSTGRESQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
$Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_POSTGRESQL_SERVER_NAME_FORMAT, $True);
}
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1
index e6038ef13e8..b8d92ad6a94 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1
@@ -191,7 +191,7 @@ function global:HasPublicNetworkAccess {
 #region Naming rules
 # Synopsis: Azure Cache for Redis instances without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.Redis.Naming' -Ref 'AZR-000515' -Type 'Microsoft.Cache/Redis' -If { $Configuration['AZURE_REDIS_CACHE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.Redis.Naming' -Ref 'AZR-000515' -Type 'Microsoft.Cache/Redis' -If { $Configuration['AZURE_REDIS_CACHE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
     $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_REDIS_CACHE_NAME_FORMAT, $True);
 }
diff --git a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1
index a1ce72be7b6..2a884d72b74 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1
@@ -8,7 +8,7 @@
 #region Naming rules
 # Synopsis: Azure Managed Redis instances without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.RedisEnterprise.Naming' -Ref 'AZR-000516' -Type 'Microsoft.Cache/RedisEnterprise' -If { $Configuration['AZURE_REDIS_ENTERPRISE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.RedisEnterprise.Naming' -Ref 'AZR-000516' -Type 'Microsoft.Cache/RedisEnterprise' -If { $Configuration['AZURE_REDIS_ENTERPRISE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
     $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_REDIS_ENTERPRISE_NAME_FORMAT, $True);
 }
diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1
index a67c0b8bca6..fef3ad73691 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1
@@ -259,27 +259,27 @@ function global:IsMasterDatabase {
 #region Naming rules
 # Synopsis: Azure SQL Database servers without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.SQL.ServerNaming' -Ref 'AZR-000517' -Type 'Microsoft.Sql/servers' -If { $Configuration['AZURE_SQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.SQL.ServerNaming' -Ref 'AZR-000517' -Type 'Microsoft.Sql/servers' -If { $Configuration['AZURE_SQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
     $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_SERVER_NAME_FORMAT, $True);
 }
 # Synopsis: Azure SQL databases without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.SQL.DatabaseNaming' -Ref 'AZR-000518' -Type 'Microsoft.Sql/servers/databases' -If { $Configuration['AZURE_SQL_DATABASE_NAME_FORMAT'] -ne '' -and !(IsMasterDatabase) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.SQL.DatabaseNaming' -Ref 'AZR-000518' -Type 'Microsoft.Sql/servers/databases' -If { $Configuration['AZURE_SQL_DATABASE_NAME_FORMAT'] -ne '' -and !(IsMasterDatabase) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
     $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_DATABASE_NAME_FORMAT, $True);
 }
 # Synopsis: Azure SQL Elastic Job agents without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.SQL.JobAgentNaming' -Ref 'AZR-000519' -Type 'Microsoft.Sql/servers/jobAgents' -If { $Configuration['AZURE_SQL_JOB_AGENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.SQL.JobAgentNaming' -Ref 'AZR-000519' -Type 'Microsoft.Sql/servers/jobAgents' -If { $Configuration['AZURE_SQL_JOB_AGENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
     $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_JOB_AGENT_NAME_FORMAT, $True);
 }
 # Synopsis: Azure SQL Elastic Pools without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.SQL.ElasticPoolNaming' -Ref 'AZR-000520' -Type 'Microsoft.Sql/servers/elasticPools' -If { $Configuration['AZURE_SQL_ELASTIC_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.SQL.ElasticPoolNaming' -Ref 'AZR-000520' -Type 'Microsoft.Sql/servers/elasticPools' -If { $Configuration['AZURE_SQL_ELASTIC_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
     $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_ELASTIC_POOL_NAME_FORMAT, $True);
 }
 # Synopsis: SQL Server Stretch Databases without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.SQL.StretchDBNaming' -Ref 'AZR-000524' -Type 'Microsoft.Sql/servers/databases' -If { $Configuration['AZURE_SQL_STRETCH_DB_NAME_FORMAT'] -ne '' -and $TargetObject.properties.requestedServiceObjectiveName -eq 'DataWarehouse' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.SQL.StretchDBNaming' -Ref 'AZR-000524' -Type 'Microsoft.Sql/servers/databases' -If { $Configuration['AZURE_SQL_STRETCH_DB_NAME_FORMAT'] -ne '' -and $TargetObject.properties.requestedServiceObjectiveName -eq 'DataWarehouse' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
     $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_STRETCH_DB_NAME_FORMAT, $True);
 }
diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1
index 51ae1c6c6e8..f7bee064ba7 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1
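Review bot: `Azure.SQL.DatabaseNaming` and `Azure.SQL.StretchDBNaming` both target `Microsoft.Sql/servers/databases`, and the DatabaseNaming `-If` only excludes the master database, so a database whose `requestedServiceObjectiveName` is `DataWarehouse` is evaluated against both `AZURE_SQL_DATABASE_NAME_FORMAT` and `AZURE_SQL_STRETCH_DB_NAME_FORMAT` and will fail DatabaseNaming whenever its name follows the stretch format but not the general database format. Consider extending the DatabaseNaming guard with `-and $TargetObject.properties.requestedServiceObjectiveName -ne 'DataWarehouse'` so each database is matched by exactly one naming rule, mirroring how master is already carved out. Separately, the synopsis describes SQL Server Stretch Databases, but `DataWarehouse` appears to be the service objective of dedicated SQL pools (formerly SQL Data Warehouse) rather than the Stretch edition, so it is worth confirming the selector matches the intended resources and the documented configuration key.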
@@ -63,7 +63,7 @@ Rule 'Azure.SQLMI.MaintenanceWindow' -Ref 'AZR-000441' -Type 'Microsoft.Sql/mana
 }
 # Synopsis: SQL Managed Instances without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.SQLMI.Naming' -Ref 'AZR-000523' -Type 'Microsoft.Sql/managedInstances' -If { $Configuration['AZURE_SQL_MI_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.SQLMI.Naming' -Ref 'AZR-000523' -Type 'Microsoft.Sql/managedInstances' -If { $Configuration['AZURE_SQL_MI_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
     $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_MI_NAME_FORMAT, $True);
 }
diff --git a/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1
index 6228bc6b358..d385f06cb45 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1
@@ -8,12 +8,12 @@
 #region Naming rules
 # Synopsis: Service Fabric clusters without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.ServiceFabric.Naming' -Ref 'AZR-000506' -Type 'Microsoft.ServiceFabric/clusters' -If { $Configuration['AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.ServiceFabric.Naming' -Ref 'AZR-000506' -Type 'Microsoft.ServiceFabric/clusters' -If { $Configuration['AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
     $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT, $True);
 }
 # Synopsis: Service Fabric managed clusters without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.ServiceFabric.ManagedNaming' -Ref 'AZR-000507' -Type 'Microsoft.ServiceFabric/managedClusters' -If { $Configuration['AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming' } {
+Rule 'Azure.ServiceFabric.ManagedNaming' -Ref 'AZR-000507' -Type 'Microsoft.ServiceFabric/managedClusters' -If { $Configuration['AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
     $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT, $True);
 }
From f037ec2d60f1d8aadbc72f59023e4b69a69f2acb Mon Sep 17 00:00:00 2001
From: Bernie White
Date: Sat, 25 Oct 2025 12:45:11 +0000
Subject: [PATCH 09/32] Updates
---
 docs/en/rules/Azure.ACR.Name.md | 123 ++++++------
 docs/en/rules/Azure.ACR.Naming.md | 106 ++++++++++-
 docs/en/rules/Azure.AI.FoundryNaming.md | 5 +-
 docs/en/rules/Azure.AKS.Name.md | 176 +++++++++++++++++-
 docs/en/rules/Azure.AKS.Naming.md | 156 +++++++++++++++-
 docs/en/rules/Azure.ContainerApp.Name.md | 100 +++++-----
 docs/en/rules/Azure.ContainerApp.Naming.md | 139 +++++++++++++-
 docs/en/rules/Azure.LB.Name.md | 3 +-
 docs/en/rules/Azure.VM.Name.md | 3 +
 docs/en/rules/Azure.VM.Naming.md | 3 +
 docs/examples/resources/aks.bicep | 8 +-
 docs/examples/resources/aks.json | 14 +-
 docs/examples/resources/containerapp.bicep | 4 +-
 docs/examples/resources/containerapp.json | 8 +-
 .../rules/Azure.ACR.Rule.yaml | 1 +
 .../rules/Azure.AKS.Rule.yaml | 1 +
 .../rules/Azure.ContainerApp.Rule.yaml | 1 +
 src/PSRule.Rules.Azure/rules/Config.Rule.yaml | 3 +
 18 files changed, 716 insertions(+), 138 deletions(-)
diff --git a/docs/en/rules/Azure.ACR.Name.md b/docs/en/rules/Azure.ACR.Name.md
index 00c1db14d94..6925202193a 100644
--- a/docs/en/rules/Azure.ACR.Name.md
+++ b/docs/en/rules/Azure.ACR.Name.md
@@ -1,5 +1,5 @@
 ---
-reviewed: 2023-12-01
+reviewed: 2025-10-25
 severity: Awareness
 pillar: Operational Excellence
 category: OE:04 Continuous integration
@@ -30,12 +30,66 @@ Additionally consider naming resources with a standard naming convention. ## EXAMPLES +### Configure with Bicep + +To deploy registries that pass this rule, consider: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(5) +@maxLength(50) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource registry 'Microsoft.ContainerRegistry/registries@2025-05-01-preview' = { + name: name + location: location + sku: { + name: 'Premium' + } + identity: { + type: 'SystemAssigned' + } + properties: { + adminUserEnabled: false + anonymousPullEnabled: false + publicNetworkAccess: 'Disabled' + zoneRedundancy: 'Enabled' + policies: { + quarantinePolicy: { + status: 'enabled' + } + retentionPolicy: { + days: 30 + status: 'enabled' + } + softDeletePolicy: { + retentionDays: 90 + status: 'enabled' + } + exportPolicy: { + status: 'disabled' + } + } + } +} +``` + + + ### Configure with Azure template To deploy registries that pass this rule, consider: -- Configuring a `minLength` and `maxLength` constraint for the resource name parameter. -- Optionally, you could also use a `uniqueString()` function to generate a unique name. +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. For example: @@ -63,7 +117,7 @@ For example: "resources": [ { "type": "Microsoft.ContainerRegistry/registries", - "apiVersion": "2023-08-01-preview", + "apiVersion": "2025-05-01-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "sku": { 
@@ -74,14 +128,23 @@ For example: }, "properties": { "adminUserEnabled": false, + "anonymousPullEnabled": false, + "publicNetworkAccess": "Disabled", + "zoneRedundancy": "Enabled", "policies": { - "trustPolicy": { - "status": "enabled", - "type": "Notary" + "quarantinePolicy": { + "status": "enabled" }, "retentionPolicy": { "days": 30, "status": "enabled" + }, + "softDeletePolicy": { + "retentionDays": 90, + "status": "enabled" + }, + "exportPolicy": { + "status": "disabled" } } } @@ -90,51 +153,6 @@ For example: } ``` -### Configure with Bicep - -To deploy registries that pass this rule, consider: - -- Configuring a `minLength` and `maxLength` constraint for the resource name parameter. -- Optionally, you could also use a `uniqueString()` function to generate a unique name. - -For example: - -```bicep -@minLength(5) -@maxLength(50) -@sys.description('The name of the resource.') -param name string - -@sys.description('The location resources will be deployed.') -param location string = resourceGroup().location - -resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = { - name: name - location: location - sku: { - name: 'Premium' - } - identity: { - type: 'SystemAssigned' - } - properties: { - adminUserEnabled: false - policies: { - trustPolicy: { - status: 'enabled' - type: 'Notary' - } - retentionPolicy: { - days: 30 - status: 'enabled' - } - } - } -} -``` - - - ## NOTES This rule does not check if container registry names are unique. 
@@ -142,6 +160,7 @@ This rule does not check if container registry names are unique. ## LINKS - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) diff --git a/docs/en/rules/Azure.ACR.Naming.md b/docs/en/rules/Azure.ACR.Naming.md index b13cbae5fa5..e3763b1a3f3 100644 --- a/docs/en/rules/Azure.ACR.Naming.md +++ b/docs/en/rules/Azure.ACR.Naming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-10-25 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes @@ -34,8 +34,8 @@ For Container Registry, the Cloud Adoption Framework (CAF) recommends using the Requirements for Container Registry resource names: - Between 5 and 50 characters long. -- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). -- Resource names must be unique within their scope. +- Alphanumerics. +- Container registry names must be globally unique. ## RECOMMENDATION 
@@ -62,9 +62,42 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource registry 'Microsoft.ContainerRegistry/registries@2025-05-01-preview' = { + name: name + location: location + sku: { + name: 'Premium' + } + identity: { + type: 'SystemAssigned' + } + properties: { + adminUserEnabled: false + anonymousPullEnabled: false + publicNetworkAccess: 'Disabled' + zoneRedundancy: 'Enabled' + policies: { + quarantinePolicy: { + status: 'enabled' + } + retentionPolicy: { + days: 30 + status: 'enabled' + } + softDeletePolicy: { + retentionDays: 90 + status: 'enabled' + } + exportPolicy: { + status: 'disabled' + } + } + } +} ``` + + ### Configure with Azure template To deploy resources that pass this rule: 
@@ -72,6 +105,68 @@ To deploy resources that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 5, + "maxLength": 50, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2025-05-01-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Premium" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "adminUserEnabled": false, + "anonymousPullEnabled": false, + "publicNetworkAccess": "Disabled", + "zoneRedundancy": "Enabled", + "policies": { + "quarantinePolicy": { + "status": "enabled" + }, + "retentionPolicy": { + "days": 30, + "status": "enabled" + }, + "softDeletePolicy": { + "retentionDays": 90, + "status": "enabled" + }, + "exportPolicy": { + "status": "disabled" + } + } + } + } + ] +} +``` + ## NOTES This rule does not check if Container Registry resource names are unique. 
@@ -99,3 +194,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerregistry/registries) diff --git a/docs/en/rules/Azure.AI.FoundryNaming.md b/docs/en/rules/Azure.AI.FoundryNaming.md index 4cc3adc150e..55599b07235 100644 --- a/docs/en/rules/Azure.AI.FoundryNaming.md +++ b/docs/en/rules/Azure.AI.FoundryNaming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-007-10 +reviewed: 2025-10-25 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes 
@@ -166,7 +166,10 @@ configuration: ## LINKS - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cognitiveservices/accounts) diff --git a/docs/en/rules/Azure.AKS.Name.md b/docs/en/rules/Azure.AKS.Name.md index c2ab7a81f0b..794e16fca3a 100644 --- a/docs/en/rules/Azure.AKS.Name.md +++ b/docs/en/rules/Azure.AKS.Name.md @@ -1,5 +1,5 @@ --- -reviewed: 2023-12-01 +reviewed: 2025-10-25 severity: Awareness pillar: Operational Excellence category: OE:04 Continuous integration 
@@ -29,6 +29,179 @@ The requirements for AKS cluster names are: Consider using names that meet AKS cluster naming requirements. Additionally consider naming resources with a standard naming convention. +## EXAMPLES + +### Configure with Bicep + +To deploy clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource cluster 'Microsoft.ContainerService/managedClusters@2025-07-01' = { + location: location + name: name + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${identity.id}': {} + } + } + properties: { + kubernetesVersion: kubernetesVersion + disableLocalAccounts: true + enableRBAC: true + dnsPrefix: dnsPrefix + agentPoolProfiles: allPools + aadProfile: { + managed: true + enableAzureRBAC: true + adminGroupObjectIDs: clusterAdmins + tenantID: subscription().tenantId + } + networkProfile: { + networkPlugin: 'azure' + networkPolicy: 'azure' + loadBalancerSku: 'standard' + serviceCidr: serviceCidr + dnsServiceIP: dnsServiceIP + } + apiServerAccessProfile: { + authorizedIPRanges: [ + '0.0.0.0/32' + ] + } + autoUpgradeProfile: { + upgradeChannel: 'stable' + } + oidcIssuerProfile: { + enabled: true + } + addonProfiles: { + azurepolicy: { + enabled: true + } + omsagent: { + enabled: true + config: { + logAnalyticsWorkspaceResourceID: workspaceId + } + } + azureKeyvaultSecretsProvider: { + enabled: true + config: { + enableSecretRotation: 'true' + } + } + } + } +} +``` + + + +### Configure with Azure template + +To deploy clusters that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. 
+- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the AKS cluster." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. The Azure region to deploy to." + } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2025-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {} + } + }, + "properties": { + "kubernetesVersion": "[parameters('kubernetesVersion')]", + "disableLocalAccounts": true, + "enableRBAC": true, + "dnsPrefix": "[parameters('dnsPrefix')]", + "agentPoolProfiles": "[variables('allPools')]", + "aadProfile": { + "managed": true, + "enableAzureRBAC": true, + "adminGroupObjectIDs": "[parameters('clusterAdmins')]", + "tenantID": "[subscription().tenantId]" + }, + "networkProfile": { + "networkPlugin": "azure", + "networkPolicy": "azure", + "loadBalancerSku": "standard", + "serviceCidr": "[variables('serviceCidr')]", + "dnsServiceIP": "[variables('dnsServiceIP')]" + }, + "apiServerAccessProfile": { + "authorizedIPRanges": [ + "0.0.0.0/32" + ] + }, + "autoUpgradeProfile": { + "upgradeChannel": "stable" + }, + "oidcIssuerProfile": { + "enabled": true + }, + "addonProfiles": { + "azurepolicy": { + "enabled": true + }, + "omsagent": { + "enabled": true, + "config": { + "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]" + } + }, + "azureKeyvaultSecretsProvider": { + "enabled": true, + "config": { + "enableSecretRotation": "true" 
+ } + } + } + } + } + ] +} +``` + ## NOTES This rule does not check if cluster names are unique. @@ -43,6 +216,7 @@ The requirements for DNS prefixes are: ## LINKS - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) diff --git a/docs/en/rules/Azure.AKS.Naming.md b/docs/en/rules/Azure.AKS.Naming.md index c86b4669f9c..9a0cbb3c306 100644 --- a/docs/en/rules/Azure.AKS.Naming.md +++ b/docs/en/rules/Azure.AKS.Naming.md @@ -1,9 +1,9 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-10-25 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes -resource: AKS cluster +resource: Azure Kubernetes Service resourceType: Microsoft.ContainerService/managedClusters online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.Naming/ --- @@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy clusters that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -62,16 +62,159 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource cluster 'Microsoft.ContainerService/managedClusters@2025-07-01' = { + location: location + name: name + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${identity.id}': {} + } + } + properties: { + kubernetesVersion: kubernetesVersion + disableLocalAccounts: true + enableRBAC: true + dnsPrefix: dnsPrefix + agentPoolProfiles: allPools + aadProfile: { + managed: true + enableAzureRBAC: true + adminGroupObjectIDs: clusterAdmins + tenantID: subscription().tenantId + } + networkProfile: { + networkPlugin: 'azure' + networkPolicy: 'azure' + loadBalancerSku: 'standard' + serviceCidr: serviceCidr + dnsServiceIP: dnsServiceIP + } + apiServerAccessProfile: { + authorizedIPRanges: [ + '0.0.0.0/32' + ] + } + autoUpgradeProfile: { + upgradeChannel: 'stable' + } + oidcIssuerProfile: { + enabled: true + } + addonProfiles: { + azurepolicy: { + enabled: true + } + omsagent: { + enabled: true + config: { + logAnalyticsWorkspaceResourceID: workspaceId + } + } + azureKeyvaultSecretsProvider: { + enabled: true + config: { + enableSecretRotation: 'true' + } + } + } + } +} ``` + + ### Configure with Azure template -To deploy resources that pass this rule: +To deploy clusters that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the AKS cluster." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. The Azure region to deploy to." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2025-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {} + } + }, + "properties": { + "kubernetesVersion": "[parameters('kubernetesVersion')]", + "disableLocalAccounts": true, + "enableRBAC": true, + "dnsPrefix": "[parameters('dnsPrefix')]", + "agentPoolProfiles": "[variables('allPools')]", + "aadProfile": { + "managed": true, + "enableAzureRBAC": true, + "adminGroupObjectIDs": "[parameters('clusterAdmins')]", + "tenantID": "[subscription().tenantId]" + }, + "networkProfile": { + "networkPlugin": "azure", + "networkPolicy": "azure", + "loadBalancerSku": "standard", + "serviceCidr": "[variables('serviceCidr')]", + "dnsServiceIP": "[variables('dnsServiceIP')]" + }, + "apiServerAccessProfile": { + "authorizedIPRanges": [ + "0.0.0.0/32" + ] + }, + "autoUpgradeProfile": { + "upgradeChannel": "stable" + }, + "oidcIssuerProfile": { + "enabled": true + }, + "addonProfiles": { + "azurepolicy": { + "enabled": true + }, + "omsagent": { + "enabled": true, + "config": { + "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]" + } + }, + "azureKeyvaultSecretsProvider": { + "enabled": true, + "config": { + "enableSecretRotation": "true" + } + } + } + } + } + ] +} +``` + ## NOTES This rule does not check if AKS cluster resource names are unique. 
@@ -99,3 +242,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters) diff --git a/docs/en/rules/Azure.ContainerApp.Name.md b/docs/en/rules/Azure.ContainerApp.Name.md index 33f29f8dc6e..aa5c8de1677 100644 --- a/docs/en/rules/Azure.ContainerApp.Name.md +++ b/docs/en/rules/Azure.ContainerApp.Name.md @@ -1,4 +1,5 @@ --- +reviewed: 2025-10-25 severity: Awareness pillar: Operational Excellence category: OE:04 Continuous integration 
@@ -29,12 +30,57 @@ Additionally consider naming resources with a standard naming convention. ## EXAMPLES +### Configure with Bicep + +To deploy Container Apps that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(2) +@maxLength(32) +@description('The name of the container app.') +param appName string + +resource containerApp 'Microsoft.App/containerApps@2025-01-01' = { + name: appName + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + environmentId: containerEnv.id + template: { + revisionSuffix: revision + containers: containers + scale: { + minReplicas: 2 + } + } + configuration: { + ingress: { + allowInsecure: false + external: false + stickySessions: { + affinity: 'none' + } + } + } + } +} +``` + + + ### Configure with Azure template To deploy Container Apps that pass this rule: -- Configuring a `minLength` and `maxLength` constraint for the resource name parameter. -- Optionally, you could also use a `uniqueString()` function to generate a unique name. +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. For example: @@ -98,7 +144,7 @@ For example: "resources": [ { "type": "Microsoft.App/containerApps", - "apiVersion": "2023-05-01", + "apiVersion": "2025-01-01", "name": "[parameters('appName')]", "location": "[parameters('location')]", "identity": { @@ -116,6 +162,7 @@ For example: "configuration": { "ingress": { "allowInsecure": false, + "external": false, "stickySessions": { "affinity": "none" } 
@@ -127,50 +174,6 @@ For example: } ``` -### Configure with Bicep - -To deploy Container Apps that pass this rule: - -- Configuring a `minLength` and `maxLength` constraint for the resource name parameter. -- Optionally, you could also use a `uniqueString()` function to generate a unique name. - -For example: - -```bicep -@minLength(2) -@maxLength(32) -@description('The name of the container app.') -param appName string - -resource containerApp 'Microsoft.App/containerApps@2023-05-01' = { - name: appName - location: location - identity: { - type: 'SystemAssigned' - } - properties: { - environmentId: containerEnv.id - template: { - revisionSuffix: revision - containers: containers - scale: { - minReplicas: 2 - } - } - configuration: { - ingress: { - allowInsecure: false - stickySessions: { - affinity: 'none' - } - } - } - } -} -``` - - - ## NOTES This rule does not check if container app names are unique. @@ -178,5 +181,8 @@ This rule does not check if container app names are unique. ## LINKS - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Naming rules and restrictions for container app resource](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftapp) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps) diff --git a/docs/en/rules/Azure.ContainerApp.Naming.md b/docs/en/rules/Azure.ContainerApp.Naming.md index 5cf8dc09c0a..bfce2cd70af 100644 --- a/docs/en/rules/Azure.ContainerApp.Naming.md 
+++ b/docs/en/rules/Azure.ContainerApp.Naming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-10-25 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes @@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy Container Apps that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -56,22 +56,138 @@ For example: ```bicep @minLength(2) @maxLength(32) -@description('The name of the resource.') -param name string - -@description('The location resources will be deployed.') -param location string = resourceGroup().location - -// Example resource deployment +@description('The name of the container app.') +param appName string + +resource containerApp 'Microsoft.App/containerApps@2025-01-01' = { + name: appName + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + environmentId: containerEnv.id + template: { + revisionSuffix: revision + containers: containers + scale: { + minReplicas: 2 + } + } + configuration: { + ingress: { + allowInsecure: false + external: false + stickySessions: { + affinity: 'none' + } + } + } + } +} ``` + + ### Configure with Azure template -To deploy resources that pass this rule: +To deploy Container Apps that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "envName": { + "type": "string", + "metadata": { + "description": "The name of the app environment." + } + }, + "appName": { + "type": "string", + "minLength": 2, + "maxLength": 32, + "metadata": { + "description": "The name of the container app." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + }, + "workspaceId": { + "type": "string", + "metadata": { + "description": "The name of a Log Analytics workspace" + } + }, + "subnetId": { + "type": "string", + "metadata": { + "description": "The resource ID of a VNET subnet." 
+ } + }, + "revision": { + "type": "string", + "metadata": { + "description": "The revision of the container app." + } + } + }, + "variables": { + "containers": [ + { + "name": "simple-hello-world-container", + "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", + "resources": { + "cpu": "[json('0.25')]", + "memory": ".5Gi" + } + } + ] + }, + "resources": [ + { + "type": "Microsoft.App/containerApps", + "apiVersion": "2025-01-01", + "name": "[parameters('appName')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]", + "template": { + "revisionSuffix": "[parameters('revision')]", + "containers": "[variables('containers')]", + "scale": { + "minReplicas": 2 + } + }, + "configuration": { + "ingress": { + "allowInsecure": false, + "external": false, + "stickySessions": { + "affinity": "none" + } + } + } + } + } + ] +} +``` + ## NOTES This rule does not check if Container App resource names are unique. @@ -99,3 +215,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps) diff --git a/docs/en/rules/Azure.LB.Name.md b/docs/en/rules/Azure.LB.Name.md index e4b5cf5a8b5..8ce8ab868f4 100644 
--- a/docs/en/rules/Azure.LB.Name.md +++ b/docs/en/rules/Azure.LB.Name.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-04-11 +reviewed: 2025-10-25 severity: Awareness pillar: Operational Excellence category: OE:04 Continuous integration @@ -169,6 +169,7 @@ This rule does not check if Load Balancer names are unique. ## LINKS - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) diff --git a/docs/en/rules/Azure.VM.Name.md b/docs/en/rules/Azure.VM.Name.md index 543134193f7..3cbf32a941d 100644 --- a/docs/en/rules/Azure.VM.Name.md +++ b/docs/en/rules/Azure.VM.Name.md 
@@ -263,5 +263,8 @@ See `Azure.VM.ComputerName` for details. ## LINKS - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines) diff --git a/docs/en/rules/Azure.VM.Naming.md b/docs/en/rules/Azure.VM.Naming.md index 698295470b9..3b8d7bafb3e 100644 --- a/docs/en/rules/Azure.VM.Naming.md +++ b/docs/en/rules/Azure.VM.Naming.md 
@@ -292,7 +292,10 @@ configuration: ## LINKS - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) +- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines) diff --git a/docs/examples/resources/aks.bicep b/docs/examples/resources/aks.bicep index 68a479954dc..9e6a625aae5 100644 --- a/docs/examples/resources/aks.bicep +++ b/docs/examples/resources/aks.bicep @@ -126,13 +126,13 @@ var userPools = [ // Define resources // Cluster managed identity -resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { +resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30' = { name: identityName location: location } // An example AKS cluster -resource cluster 'Microsoft.ContainerService/managedClusters@2024-10-01' = { +resource cluster 'Microsoft.ContainerService/managedClusters@2025-07-01' = { location: location name: name identity: { 
@@ -219,7 +219,7 @@ resource auditLogs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = } // An example AKS cluster with pools defined. -resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2024-02-01' = { +resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2025-07-01' = { location: location name: name identity: { @@ -306,7 +306,7 @@ resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2024-02-01 } // An example private AKS cluster with pools defined. -resource privateCluster 'Microsoft.ContainerService/managedClusters@2024-02-01' = { +resource privateCluster 'Microsoft.ContainerService/managedClusters@2025-07-01' = { location: location name: name identity: { diff --git a/docs/examples/resources/aks.json b/docs/examples/resources/aks.json index c1438dd5507..73966aa87e9 100644 --- a/docs/examples/resources/aks.json +++ b/docs/examples/resources/aks.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.92.45157", - "templateHash": "6019742219031876579" + "version": "0.38.33.27573", + "templateHash": "16939269083538591353" } }, "parameters": { @@ -172,13 +172,13 @@ "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2023-01-31", + "apiVersion": "2024-11-30", "name": "[parameters('identityName')]", "location": "[parameters('location')]" }, { "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2024-02-01", + "apiVersion": "2025-07-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { @@ -272,7 +272,7 @@ }, { "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2024-02-01", + "apiVersion": "2025-07-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { 
@@ -362,7 +362,7 @@ }, { "type": "Microsoft.ContainerService/managedClusters", - "apiVersion": "2024-02-01", + "apiVersion": "2025-07-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { @@ -450,4 +450,4 @@ ] } ] -} +} \ No newline at end of file diff --git a/docs/examples/resources/containerapp.bicep b/docs/examples/resources/containerapp.bicep index 5ce3e29fdf3..7577b88f886 100644 --- a/docs/examples/resources/containerapp.bicep +++ b/docs/examples/resources/containerapp.bicep @@ -80,7 +80,7 @@ resource containerEnv 'Microsoft.App/managedEnvironments@2024-03-01' = { } // An example Container App using a minimum of 2 replicas. -resource containerApp 'Microsoft.App/containerApps@2024-03-01' = { +resource containerApp 'Microsoft.App/containerApps@2025-01-01' = { name: appName location: location identity: { @@ -109,7 +109,7 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = { } // An example Container App with IP security restrictions. -resource containerAppWithSecurity 'Microsoft.App/containerApps@2024-03-01' = { +resource containerAppWithSecurity 'Microsoft.App/containerApps@2025-01-01' = { name: appName location: location identity: { diff --git a/docs/examples/resources/containerapp.json b/docs/examples/resources/containerapp.json index d208cffef41..48b1cbbebdb 100644 --- a/docs/examples/resources/containerapp.json +++ b/docs/examples/resources/containerapp.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "7132667371133705541" + "version": "0.38.33.27573", + "templateHash": "14874746802953279604" } }, "parameters": { @@ -104,7 +104,7 @@ }, { "type": "Microsoft.App/containerApps", - "apiVersion": "2024-03-01", + "apiVersion": "2025-01-01", "name": "[parameters('appName')]", "location": "[parameters('location')]", "identity": { 
@@ -136,7 +136,7 @@ }, { "type": "Microsoft.App/containerApps", - "apiVersion": "2024-03-01", + "apiVersion": "2025-01-01", "name": "[parameters('appName')]", "location": "[parameters('location')]", "identity": { diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml index 78accb39d98..c39bd351c3e 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml @@ -62,6 +62,7 @@ metadata: Azure.WAF/pillar: Operational Excellence labels: Azure.CAF: naming + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerRegistry/registries diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml index edd49222c9d..abdd2c13780 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml @@ -317,6 +317,7 @@ metadata: Azure.WAF/pillar: Operational Excellence labels: Azure.CAF: naming + Azure.WAF/maturity: L2 spec: type: - Microsoft.ContainerService/managedClusters diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml index 7cd410809db..1e69c1306b3 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.yaml @@ -66,6 +66,7 @@ metadata: Azure.WAF/pillar: Operational Excellence labels: Azure.CAF: naming + Azure.WAF/maturity: L2 spec: type: - Microsoft.App/containerApps diff --git a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml index bce03e1709e..439ffd1bfca 100644 --- a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml 
@@ -91,7 +91,10 @@ spec: # Name format defaults. AZURE_AI_SEARCH_NAME_FORMAT: '' AZURE_AI_SERVICES_NAME_FORMAT: '' + AZURE_AKS_CLUSTER_NAME_FORMAT: '' AZURE_APP_INSIGHTS_NAME_FORMAT: '' + AZURE_CONTAINER_APP_NAME_FORMAT: '' + AZURE_CONTAINER_REGISTRY_NAME_FORMAT: '' AZURE_EVENTGRID_DOMAIN_NAME_FORMAT: '' AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT: '' AZURE_EVENTGRID_SYSTEM_TOPIC_NAME_FORMAT: '' From 020177db066dda61432ac3205379a44cf653ebe2 Mon Sep 17 00:00:00 2001 From: Bernie White Date: Sun, 26 Oct 2025 02:33:53 +0000 Subject: [PATCH 10/32] Updates --- ...ing.md => Azure.ContainerApp.EnvNaming.md} | 95 ++++++++++++++-- docs/en/rules/Azure.ContainerApp.JobNaming.md | 81 +++++++++++++- docs/en/rules/Azure.ContainerApp.Name.md | 3 +- docs/en/rules/Azure.ContainerApp.Naming.md | 7 +- docs/en/rules/Azure.Redis.Naming.md | 102 ++++++++++++++++-- docs/examples/resources/containerapp.bicep | 39 +++++-- docs/examples/resources/containerapp.json | 58 +++++++--- .../rules/Azure.ContainerApp.Rule.ps1 | 2 +- src/PSRule.Rules.Azure/rules/Config.Rule.yaml | 3 + .../Azure.ContainerApp.Tests.ps1 | 4 +- 10 files changed, 344 insertions(+), 50 deletions(-) rename docs/en/rules/{Azure.ContainerApp.EnvironmentNaming.md => Azure.ContainerApp.EnvNaming.md} (57%) diff --git a/docs/en/rules/Azure.ContainerApp.EnvironmentNaming.md b/docs/en/rules/Azure.ContainerApp.EnvNaming.md similarity index 57% rename from docs/en/rules/Azure.ContainerApp.EnvironmentNaming.md rename to docs/en/rules/Azure.ContainerApp.EnvNaming.md index 91aa4dbde42..50ba6fcbc3d 100644 --- a/docs/en/rules/Azure.ContainerApp.EnvironmentNaming.md +++ b/docs/en/rules/Azure.ContainerApp.EnvNaming.md 
@@ -1,11 +1,11 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes resource: Container App Environment resourceType: Microsoft.App/managedEnvironments -online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.EnvironmentNaming/ +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.EnvNaming/ --- # Container App Environment resources must use standard naming @@ -33,9 +33,8 @@ For Container App Environment, the Cloud Adoption Framework (CAF) recommends usi Requirements for Container App Environment resource names: -- Between 2 and 64 characters long. -- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). -- Resource names must be unique within their scope. +- Between 2 and 60 characters long. +- Lowercase letters, numbers, and hyphens. ## RECOMMENDATION @@ -55,16 +54,41 @@ For example: ```bicep @minLength(2) -@maxLength(64) +@maxLength(60) @description('The name of the resource.') param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource containerEnv 'Microsoft.App/managedEnvironments@2025-01-01' = { + name: name + location: location + properties: { + appLogsConfiguration: { + destination: 'log-analytics' + logAnalyticsConfiguration: { + customerId: workspace.properties.customerId + sharedKey: workspace.listKeys().primarySharedKey + } + } + zoneRedundant: true + workloadProfiles: [ + { + name: 'Consumption' + workloadProfileType: 'Consumption' + } + ] + vnetConfiguration: { + infrastructureSubnetId: subnetId + internal: true + } + } +} ``` + + ### Configure with Azure template To deploy resources that pass this rule: 
@@ -72,6 +96,60 @@ To deploy resources that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 2, + "maxLength": 60, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.App/managedEnvironments", + "apiVersion": "2025-01-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "appLogsConfiguration": { + "destination": "log-analytics", + "logAnalyticsConfiguration": { + "customerId": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', split(parameters('workspaceId'), '/')[8]), '2022-10-01').customerId]", + "sharedKey": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces', split(parameters('workspaceId'), '/')[8]), '2022-10-01').primarySharedKey]" + } + }, + "zoneRedundant": true, + "workloadProfiles": [ + { + "name": "Consumption", + "workloadProfileType": "Consumption" + } + ], + "vnetConfiguration": { + "infrastructureSubnetId": "[parameters('subnetId')]", + "internal": true + } + } + } + ] +} +``` + ## NOTES This rule does not check if Container App Environment resource names are unique. 
@@ -99,3 +177,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/managedenvironments) diff --git a/docs/en/rules/Azure.ContainerApp.JobNaming.md b/docs/en/rules/Azure.ContainerApp.JobNaming.md index e3f043d5fc2..ca384bbce97 100644 --- a/docs/en/rules/Azure.ContainerApp.JobNaming.md +++ b/docs/en/rules/Azure.ContainerApp.JobNaming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes @@ -34,8 +34,9 @@ For Container App Job, the Cloud Adoption Framework (CAF) recommends using the ` Requirements for Container App Job resource names: - Between 2 and 32 characters long. -- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). -- Resource names must be unique within their scope. +- Lowercase letters, numbers, and hyphens. +- Start with letter and end with alphanumeric. +- Can not contain consecutive hyphens. ## RECOMMENDATION 
@@ -62,9 +63,29 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource job 'Microsoft.App/jobs@2025-01-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + environmentId: containerEnv.id + template: { + containers: containers + } + workloadProfileName: workloadProfileName + configuration: { + replicaTimeout: 300 + triggerType: 'Manual' + manualTriggerConfig: {} + } + } +} ``` + + ### Configure with Azure template To deploy resources that pass this rule: @@ -72,6 +93,55 @@ To deploy resources that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 2, + "maxLength": 32, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.App/jobs", + "apiVersion": "2025-01-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]", + "template": { + "containers": "[variables('containers')]" + }, + "workloadProfileName": "[parameters('workloadProfileName')]", + "configuration": { + "replicaTimeout": 300, + "triggerType": "Manual", + "manualTriggerConfig": {} + } + } + } + ] +} +``` + ## NOTES This rule does not check if Container App Job resource names are unique. 
@@ -99,3 +169,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/jobs) diff --git a/docs/en/rules/Azure.ContainerApp.Name.md b/docs/en/rules/Azure.ContainerApp.Name.md index aa5c8de1677..72995ff8d2c 100644 --- a/docs/en/rules/Azure.ContainerApp.Name.md +++ b/docs/en/rules/Azure.ContainerApp.Name.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-10-25 +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence category: OE:04 Continuous integration @@ -22,6 +22,7 @@ The requirements for container app names are: - Between 2 and 32 characters long. - Lowercase letters, numbers, and hyphens. - Start with letter and end with alphanumeric. +- Can not contain consecutive hyphens. ## RECOMMENDATION diff --git a/docs/en/rules/Azure.ContainerApp.Naming.md b/docs/en/rules/Azure.ContainerApp.Naming.md index bfce2cd70af..facacc6fb04 100644 --- a/docs/en/rules/Azure.ContainerApp.Naming.md +++ b/docs/en/rules/Azure.ContainerApp.Naming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-10-25 +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes 
@@ -34,8 +34,9 @@ For Container App, the Cloud Adoption Framework (CAF) recommends using the `ca-` Requirements for Container App resource names: - Between 2 and 32 characters long. -- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). -- Resource names must be unique within their scope. +- Lowercase letters, numbers, and hyphens. +- Start with letter and end with alphanumeric. +- Can not contain consecutive hyphens. ## RECOMMENDATION diff --git a/docs/en/rules/Azure.Redis.Naming.md b/docs/en/rules/Azure.Redis.Naming.md index 5edbb7661a8..7cc99cc4bd6 100644 --- a/docs/en/rules/Azure.Redis.Naming.md +++ b/docs/en/rules/Azure.Redis.Naming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes @@ -34,8 +34,9 @@ For Azure Cache for Redis, the Cloud Adoption Framework (CAF) recommends using t Requirements for Azure Cache for Redis resource names: - Between 1 and 63 characters long. -- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). -- Resource names must be unique within their scope. +- Can include alphanumeric, and hyphen characters. +- Can only start and end with a letter or number. +- Cache names must be globally unique. ## RECOMMENDATION @@ -46,7 +47,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy caches that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -62,16 +63,102 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource cache 'Microsoft.Cache/redis@2024-11-01' = { + name: name + location: location + properties: { + redisVersion: '6' + sku: { + name: 'Premium' + family: 'P' + capacity: 1 + } + redisConfiguration: { + 'aad-enabled': 'True' + 'maxmemory-reserved': '615' + } + enableNonSslPort: false + publicNetworkAccess: 'Disabled' + disableAccessKeyAuthentication: true + } + zones: [ + '1' + '2' + '3' + ] +} ``` + + ### Configure with Azure template -To deploy resources that pass this rule: +To deploy caches that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.34.44.8038", + "templateHash": "1334073252436312734" + } + }, + "parameters": { + "name": { + "type": "string", + "minLength": 2, + "maxLength": 64, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Cache/redis", + "apiVersion": "2024-11-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "redisVersion": "6", + "sku": { + "name": "Premium", + "family": "P", + "capacity": 1 + }, + "redisConfiguration": { + "aad-enabled": "True", + "maxmemory-reserved": "615" + }, + "enableNonSslPort": false, + "publicNetworkAccess": "Disabled", + "disableAccessKeyAuthentication": true + }, + "zones": [ + "1", + "2", + "3" + ] + } + ] +} +``` + ## NOTES This rule does not check if Azure Cache for Redis resource names are unique. @@ -99,3 +186,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redis) diff --git a/docs/examples/resources/containerapp.bicep b/docs/examples/resources/containerapp.bicep index 7577b88f886..4446a9c8cf4 100644 --- a/docs/examples/resources/containerapp.bicep +++ b/docs/examples/resources/containerapp.bicep 
@@ -3,13 +3,10 @@ // Bicep documentation examples -@description('The name of the app environment.') -param envName string - @minLength(2) @maxLength(32) -@description('The name of the container app.') -param appName string +@description('The name of the resource.') +param name string @description('The location resources will be deployed.') param location string = resourceGroup().location @@ -23,6 +20,9 @@ param subnetId string @description('The revision of the container app.') param revision string +@description('The name of the workload profile to use for the job.') +param workloadProfileName string + resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = { name: split(workspaceId, '/')[8] } @@ -54,8 +54,8 @@ var ipSecurityRestrictions = [ ] // An example App Environment configured with a consumption workload profile. -resource containerEnv 'Microsoft.App/managedEnvironments@2024-03-01' = { - name: envName +resource containerEnv 'Microsoft.App/managedEnvironments@2025-01-01' = { + name: name location: location properties: { appLogsConfiguration: { @@ -81,7 +81,7 @@ resource containerEnv 'Microsoft.App/managedEnvironments@2024-03-01' = { // An example Container App using a minimum of 2 replicas. resource containerApp 'Microsoft.App/containerApps@2025-01-01' = { - name: appName + name: name location: location identity: { type: 'SystemAssigned' @@ -110,7 +110,7 @@ resource containerApp 'Microsoft.App/containerApps@2025-01-01' = { // An example Container App with IP security restrictions. resource containerAppWithSecurity 'Microsoft.App/containerApps@2025-01-01' = { - name: appName + name: name location: location identity: { type: 'SystemAssigned' 
@@ -148,3 +148,24 @@ resource containerAppWithSecurity 'Microsoft.App/containerApps@2025-01-01' = { } } } + +// An example Container App Job using a workload profile. +resource job 'Microsoft.App/jobs@2025-01-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + environmentId: containerEnv.id + template: { + containers: containers + } + workloadProfileName: workloadProfileName + configuration: { + replicaTimeout: 300 + triggerType: 'Manual' + manualTriggerConfig: {} + } + } +} diff --git a/docs/examples/resources/containerapp.json b/docs/examples/resources/containerapp.json index 48b1cbbebdb..8fbcb6bf95f 100644 --- a/docs/examples/resources/containerapp.json +++ b/docs/examples/resources/containerapp.json @@ -5,22 +5,16 @@ "_generator": { "name": "bicep", "version": "0.38.33.27573", - "templateHash": "14874746802953279604" + "templateHash": "2167050194923568795" } }, "parameters": { - "envName": { - "type": "string", - "metadata": { - "description": "The name of the app environment." - } - }, - "appName": { + "name": { "type": "string", "minLength": 2, "maxLength": 32, "metadata": { - "description": "The name of the container app." + "description": "The name of the resource." } }, "location": { @@ -47,6 +41,12 @@ "metadata": { "description": "The revision of the container app." } + }, + "workloadProfileName": { + "type": "string", + "metadata": { + "description": "The name of the workload profile to use for the job." + } } }, "variables": { @@ -78,8 +78,8 @@ "resources": [ { "type": "Microsoft.App/managedEnvironments", - "apiVersion": "2024-03-01", - "name": "[parameters('envName')]", + "apiVersion": "2025-01-01", + "name": "[parameters('name')]", "location": "[parameters('location')]", "properties": { "appLogsConfiguration": { 
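Review bot: The new `job` resource references `workloadProfileName`, a parameter the `@@ -23,6 +20,9` hunk adds with no default, and the value presumably has to match a profile declared under `containerEnv`'s `workloadProfiles`, which neither hunk shows; a reader copying this example gets a deployment error unless they already know the environment's profile names. Suggest making that coupling explicit in the header comment, e.g. `// An example Container App Job using a workload profile; workloadProfileName must match a profile defined on containerEnv.` The environment definition and the `containers` variable the job reuses are outside this hunk. The compiled `containerapp.json` in the next file section is generated output and would need regenerating after any change here.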
@@ -105,13 +105,13 @@ { "type": "Microsoft.App/containerApps", "apiVersion": "2025-01-01", - "name": "[parameters('appName')]", + "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { "type": "SystemAssigned" }, "properties": { - "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]", + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]", "template": { "revisionSuffix": "[parameters('revision')]", "containers": "[variables('containers')]", @@ -131,19 +131,19 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]" + "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]" ] }, { "type": "Microsoft.App/containerApps", "apiVersion": "2025-01-01", - "name": "[parameters('appName')]", + "name": "[parameters('name')]", "location": "[parameters('location')]", "identity": { "type": "SystemAssigned" }, "properties": { - "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]", + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]", "template": { "revisionSuffix": "[parameters('revision')]", "containers": "[variables('containers')]", 
@@ -175,7 +175,31 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.App/managedEnvironments', parameters('envName'))]" + "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]" + ] + }, + { + "type": "Microsoft.App/jobs", + "apiVersion": "2025-01-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "environmentId": "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]", + "template": { + "containers": "[variables('containers')]" + }, + "workloadProfileName": "[parameters('workloadProfileName')]", + "configuration": { + "replicaTimeout": 300, + "triggerType": "Manual", + "manualTriggerConfig": {} + } + }, + "dependsOn": [ + "[resourceId('Microsoft.App/managedEnvironments', parameters('name'))]" ] } ] diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 index 255c0651e0e..bb7a58ecc06 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 
@@ -39,7 +39,7 @@ Rule 'Azure.ContainerApp.Naming' -Ref 'AZR-000501' -Type 'Microsoft.App/containe } # Synopsis: Container apps environments without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.ContainerApp.EnvironmentNaming' -Ref 'AZR-000502' -Type 'Microsoft.App/managedEnvironments' -If { $Configuration['AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.ContainerApp.EnvNaming' -Ref 'AZR-000502' -Type 'Microsoft.App/managedEnvironments' -If { $Configuration['AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT, $True); } diff --git a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml index 439ffd1bfca..c042d493e38 100644 --- a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml @@ -94,6 +94,8 @@ spec: AZURE_AKS_CLUSTER_NAME_FORMAT: '' AZURE_APP_INSIGHTS_NAME_FORMAT: '' AZURE_CONTAINER_APP_NAME_FORMAT: '' + AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT: '' + AZURE_CONTAINER_APP_JOB_NAME_FORMAT: '' AZURE_CONTAINER_REGISTRY_NAME_FORMAT: '' AZURE_EVENTGRID_DOMAIN_NAME_FORMAT: '' AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT: '' @@ -103,6 +105,7 @@ spec: AZURE_LOG_WORKSPACE_NAME_FORMAT: '' AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT: '' AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT: '' + AZURE_REDIS_CACHE_NAME_FORMAT: '' AZURE_RESOURCE_GROUP_NAME_FORMAT: '' AZURE_ROUTE_TABLE_NAME_FORMAT: '' AZURE_STORAGE_ACCOUNT_NAME_FORMAT: '' 
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 index 98d59679b10..111b85531bf 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 @@ -329,8 +329,8 @@ Describe 'Azure.ContainerApp' -Tag 'ContainerApp' { $ruleResult.TargetName | Should -Be 'ca-001'; } - It 'Azure.ContainerApp.EnvironmentNaming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ContainerApp.EnvironmentNaming' }; + It 'Azure.ContainerApp.EnvNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ContainerApp.EnvNaming' }; # Fail $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); From 0763115229499b4f9b777faa24652c13fff20e63 Mon Sep 17 00:00:00 2001 From: Bernie White Date: Sun, 26 Oct 2025 03:10:53 +0000 Subject: [PATCH 11/32] Updates --- ...Azure.CI.Naming.md => Azure.ACI.Naming.md} | 91 ++++++++++++++++++- docs/examples/resources/aci.bicep | 62 +++++++++++++ docs/examples/resources/aci.json | 84 +++++++++++++++++ .../{Azure.CI.Rule.ps1 => Azure.ACI.Rule.ps1} | 2 +- .../rules/Azure.Cosmos.Rule.ps1 | 6 +- src/PSRule.Rules.Azure/rules/Config.Rule.yaml | 1 + ...Azure.CI.Tests.ps1 => Azure.ACI.Tests.ps1} | 6 +- 7 files changed, 240 insertions(+), 12 deletions(-) rename docs/en/rules/{Azure.CI.Naming.md => Azure.ACI.Naming.md} (62%) create mode 100644 docs/examples/resources/aci.bicep create mode 100644 docs/examples/resources/aci.json rename src/PSRule.Rules.Azure/rules/{Azure.CI.Rule.ps1 => Azure.ACI.Rule.ps1} (53%) rename tests/PSRule.Rules.Azure.Tests/{Azure.CI.Tests.ps1 => Azure.ACI.Tests.ps1} (95%) diff --git a/docs/en/rules/Azure.CI.Naming.md b/docs/en/rules/Azure.ACI.Naming.md similarity index 62% rename from docs/en/rules/Azure.CI.Naming.md rename to docs/en/rules/Azure.ACI.Naming.md index 17a360a25bf..2f7136e3fc3 100644 --- a/docs/en/rules/Azure.CI.Naming.md 
+++ b/docs/en/rules/Azure.ACI.Naming.md @@ -1,11 +1,11 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes resource: Container Instance resourceType: Microsoft.ContainerInstance/containerGroups -online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.CI.Naming/ +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ACI.Naming/ --- # Container Instance resources must use standard naming @@ -34,8 +34,9 @@ For Container Instance, the Cloud Adoption Framework (CAF) recommends using the Requirements for Container Instance resource names: - Between 1 and 63 characters long. -- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). -- Resource names must be unique within their scope. +- Lowercase letters, numbers, and hyphens. +- Start with letter and end with alphanumeric. +- Can not contain consecutive hyphens. ## RECOMMENDATION @@ -62,7 +63,30 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource containerGroup 'Microsoft.ContainerInstance/containerGroups@2025-09-01' = { + name: name + location: location + properties: { + containers: containers + osType: 'Linux' + sku: 'Standard' + restartPolicy: 'Always' + ipAddress: { + ports: [ + { + port: 80 + protocol: 'TCP' + } + ] + type: 'Private' + } + subnetIds: [ + { + id: subnetId + } + ] + } +} ``` ### Configure with Azure template 
@@ -72,6 +96,60 @@ To deploy resources that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + }, + }, + "resources": [ + { + "type": "Microsoft.ContainerInstance/containerGroups", + "apiVersion": "2025-09-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "containers": "[variables('containers')]", + "osType": "Linux", + "sku": "Standard", + "restartPolicy": "Always", + "ipAddress": { + "ports": [ + { + "port": 80, + "protocol": "TCP" + } + ], + "type": "Private" + }, + "subnetIds": [ + { + "id": "[parameters('subnetId')]" + } + ] + } + } + ] +} +``` + ## NOTES This rule does not check if Container Instance resource names are unique. 
@@ -99,3 +177,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerinstance/containergroups) diff --git a/docs/examples/resources/aci.bicep b/docs/examples/resources/aci.bicep new file mode 100644 index 00000000000..4b070ea4c95 --- /dev/null +++ b/docs/examples/resources/aci.bicep 
@@ -0,0 +1,62 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +// Bicep documentation examples + +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +@description('The resource subnet ID.') +param subnetId string + +var containers = [ + { + name: 'mycontainer' + properties: { + image: 'mcr.microsoft.com/azuredocs/aci-helloworld:latest' + ports: [ + { + port: 80 + protocol: 'TCP' + } + ] + resources: { + requests: { + cpu: 1 + memoryInGB: 2 + } + } + } + } +] + +// An example Azure Container Instance with a network profile. +resource containerGroup 'Microsoft.ContainerInstance/containerGroups@2025-09-01' = { + name: name + location: location + properties: { + containers: containers + osType: 'Linux' + sku: 'Standard' + restartPolicy: 'Always' + ipAddress: { + ports: [ + { + port: 80 + protocol: 'TCP' + } + ] + type: 'Private' + } + subnetIds: [ + { + id: subnetId + } + ] + } +} diff --git a/docs/examples/resources/aci.json b/docs/examples/resources/aci.json new file mode 100644 index 00000000000..321b91bd4c6 --- /dev/null +++ b/docs/examples/resources/aci.json 
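Review bot: The comment `// An example Azure Container Instance with a network profile.` is stale: the resource is attached to the network through `subnetIds`, and no network profile property appears anywhere in the file, so the comment describes a different mechanism than the code. Suggest `// An example Azure Container Instance deployed into a virtual network subnet with a private IP.` Separately, the container image is pinned to the mutable `:latest` tag; since readers copy these examples verbatim, a fixed version tag or digest keeps the example reproducible and avoids teaching an unpinned-image pattern. The generated `aci.json` in the following section would need regenerating to match.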
@@ -0,0 +1,84 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.38.33.27573", + "templateHash": "14594933783337124860" + } + }, + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + }, + "subnetId": { + "type": "string", + "metadata": { + "description": "The resource subnet ID." + } + } + }, + "variables": { + "containers": [ + { + "name": "mycontainer", + "properties": { + "image": "mcr.microsoft.com/azuredocs/aci-helloworld:latest", + "ports": [ + { + "port": 80, + "protocol": "TCP" + } + ], + "resources": { + "requests": { + "cpu": 1, + "memoryInGB": 2 + } + } + } + } + ] + }, + "resources": [ + { + "type": "Microsoft.ContainerInstance/containerGroups", + "apiVersion": "2025-09-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "containers": "[variables('containers')]", + "osType": "Linux", + "sku": "Standard", + "restartPolicy": "Always", + "ipAddress": { + "ports": [ + { + "port": 80, + "protocol": "TCP" + } + ], + "type": "Private" + }, + "subnetIds": [ + { + "id": "[parameters('subnetId')]" + } + ] + } + } + ] +} \ No newline at end of file diff --git a/src/PSRule.Rules.Azure/rules/Azure.CI.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ACI.Rule.ps1 similarity index 53% rename from src/PSRule.Rules.Azure/rules/Azure.CI.Rule.ps1 rename to src/PSRule.Rules.Azure/rules/Azure.ACI.Rule.ps1 index 5b46a7e5d05..dc51c488eea 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.CI.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.ACI.Rule.ps1 
@@ -8,7 +8,7 @@ #region Rules # Synopsis: Container instances without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.CI.Naming' -Ref 'AZR-000505' -Type 'Microsoft.ContainerInstance/containerGroups' -If { $Configuration['AZURE_CONTAINER_INSTANCE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.ACI.Naming' -Ref 'AZR-000505' -Type 'Microsoft.ContainerInstance/containerGroups' -If { $Configuration['AZURE_CONTAINER_INSTANCE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_INSTANCE_NAME_FORMAT, $True); } diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 index 7251b248e00..11bbb3aa028 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 
@@ -19,7 +19,7 @@ Rule 'Azure.Cosmos.DisableLocalAuth' -Ref 'AZR-000420' -Type 'Microsoft.Document } # Synopsis: Azure Cosmos DB for Apache Cassandra accounts without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.Cosmos.CassandraNaming' -Ref 'AZR-000508' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_CASSANDRA_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and $TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableCassandra' } } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Cosmos.CassandraNaming' -Ref 'AZR-000508' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_CASSANDRA_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and ($TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableCassandra' }) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_CASSANDRA_NAME_FORMAT, $True); } 
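Review bot: The corrected `-If` filter `($TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableCassandra' })` is now duplicated verbatim, apart from the capability name, in the Table and Gremlin rules in the next hunk, while the NoSQL rule in a later hunk already delegates its precondition to a `Test-IsNoSQL` helper. Extracting the capability lookup into a small helper in the same style (for example a constructed `Test-CosmosCapability -Name 'EnableCassandra'` in the file's helper-function region) would make the three `-If` blocks read `-and (Test-CosmosCapability -Name 'EnableCassandra')` and keep the precedence fix in one place. The helper region is outside these hunks.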
@@ -34,12 +34,12 @@ Rule 'Azure.Cosmos.NoSQLNaming' -Ref 'AZR-000510' -Type 'Microsoft.DocumentDb/da } # Synopsis: Azure Cosmos DB for Table accounts without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.Cosmos.TableNaming' -Ref 'AZR-000511' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_TABLE_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and $TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableTable' } } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Cosmos.TableNaming' -Ref 'AZR-000511' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_TABLE_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and ($TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableTable' }) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_TABLE_NAME_FORMAT, $True); } # Synopsis: Azure Cosmos DB for Apache Gremlin accounts without a standard naming convention may be difficult to identify and manage. 
-Rule 'Azure.Cosmos.GremlinNaming' -Ref 'AZR-000512' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_GREMLIN_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and $TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableGremlin' } } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Cosmos.GremlinNaming' -Ref 'AZR-000512' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_GREMLIN_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and ($TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableGremlin' }) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_GREMLIN_NAME_FORMAT, $True); } diff --git a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml index c042d493e38..dc0bd0347d3 100644 --- a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml @@ -96,6 +96,7 @@ spec: AZURE_CONTAINER_APP_NAME_FORMAT: '' AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT: '' AZURE_CONTAINER_APP_JOB_NAME_FORMAT: '' + AZURE_CONTAINER_INSTANCE_NAME_FORMAT: '' AZURE_CONTAINER_REGISTRY_NAME_FORMAT: '' AZURE_EVENTGRID_DOMAIN_NAME_FORMAT: '' AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT: '' diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.CI.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ACI.Tests.ps1 similarity index 95% rename from tests/PSRule.Rules.Azure.Tests/Azure.CI.Tests.ps1 rename to tests/PSRule.Rules.Azure.Tests/Azure.ACI.Tests.ps1 index 57bfbea01b4..c03749dcad3 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.CI.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.ACI.Tests.ps1 
@@ -23,7 +23,7 @@ BeforeAll { $here = (Resolve-Path $PSScriptRoot).Path; } -Describe 'Azure.CI' -Tag 'CI' { +Describe 'Azure.ACI' -Tag 'ACI' { Context 'Resource naming' { BeforeAll { $invokeParams = @{ @@ -48,8 +48,8 @@ Describe 'Azure.CI' -Tag 'CI' { $result = $items | Invoke-PSRule @invokeParams -Option $option } - It 'Azure.CI.Naming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.CI.Naming' }; + It 'Azure.ACI.Naming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.ACI.Naming' }; # Fail $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); From cc159f5f589c3f569ac30de76085daa8f3d08908 Mon Sep 17 00:00:00 2001 From: Bernie White Date: Sun, 26 Oct 2025 03:27:11 +0000 Subject: [PATCH 12/32] Update --- src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 index 11bbb3aa028..d4ddef28fb5 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 
@@ -29,7 +29,7 @@ Rule 'Azure.Cosmos.MongoNaming' -Ref 'AZR-000509' -Type 'Microsoft.DocumentDb/da } # Synopsis: Azure Cosmos DB for NoSQL accounts without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.Cosmos.NoSQLNaming' -Ref 'AZR-000510' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_NOSQL_NAME_FORMAT'] -ne '' -and Test-IsNoSQL } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Cosmos.NoSQLNaming' -Ref 'AZR-000510' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_NOSQL_NAME_FORMAT'] -ne '' -and (Test-IsNoSQL) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_NOSQL_NAME_FORMAT, $True); } From f61455138135bb549c4f0de199b1103ecd8395f7 Mon Sep 17 00:00:00 2001 
From: Bernie White Date: Sun, 26 Oct 2025 04:19:05 +0000 Subject: [PATCH 13/32] Updates --- docs/en/baselines/Azure.All.csv | 33 ++- docs/en/baselines/Azure.All.md | 29 ++- docs/en/baselines/Azure.CAF_2025_03.csv | 6 +- docs/en/baselines/Azure.CAF_2025_06.csv | 6 +- docs/en/baselines/Azure.CAF_Compatibility.csv | 6 +- docs/en/baselines/Azure.Default.csv | 33 ++- docs/en/baselines/Azure.Default.md | 29 ++- docs/en/baselines/Azure.GA_2020_06.csv | 4 +- docs/en/baselines/Azure.GA_2020_09.csv | 4 +- docs/en/baselines/Azure.GA_2020_12.csv | 4 +- docs/en/baselines/Azure.GA_2021_03.csv | 4 +- docs/en/baselines/Azure.GA_2021_06.csv | 4 +- docs/en/baselines/Azure.GA_2021_09.csv | 4 +- docs/en/baselines/Azure.GA_2021_12.csv | 4 +- docs/en/baselines/Azure.GA_2022_03.csv | 4 +- docs/en/baselines/Azure.GA_2022_06.csv | 4 +- docs/en/baselines/Azure.GA_2022_09.csv | 4 +- docs/en/baselines/Azure.GA_2022_12.csv | 4 +- docs/en/baselines/Azure.GA_2023_03.csv | 6 +- docs/en/baselines/Azure.GA_2023_06.csv | 6 +- docs/en/baselines/Azure.GA_2023_09.csv | 6 +- docs/en/baselines/Azure.GA_2023_12.csv | 6 +- docs/en/baselines/Azure.GA_2024_03.csv | 6 +- docs/en/baselines/Azure.GA_2024_06.csv | 6 +- docs/en/baselines/Azure.GA_2024_09.csv | 6 +- docs/en/baselines/Azure.GA_2024_12.csv | 6 +- docs/en/baselines/Azure.GA_2025_03.csv | 6 +- docs/en/baselines/Azure.GA_2025_06.csv | 6 +- docs/en/baselines/Azure.GA_2025_09.csv | 6 +- .../Azure.Pillar.OperationalExcellence.csv | 33 ++- .../Azure.Pillar.OperationalExcellence.md | 35 +++- docs/en/baselines/Azure.Preview.csv | 33 ++- docs/en/baselines/Azure.Preview.md | 29 ++- docs/en/rules/Azure.AKS.SystemPoolNaming.md | 77 ++++++- docs/en/rules/Azure.AKS.UserPoolNaming.md | 79 +++++++- docs/en/rules/index.md | 27 +++ docs/en/rules/module.md | 27 +++ docs/en/rules/resource.md | 127 ++++++++++++ docs/es/rules/index.md | 27 +++ docs/es/rules/module.md | 27 +++ docs/es/rules/resource.md | 127 ++++++++++++ docs/examples/resources/aks.bicep | 44 +++- 
docs/examples/resources/aks.json | 50 ++++- .../rules/Azure.AKS.Rule.ps1 | 4 +- src/PSRule.Rules.Azure/rules/CAF.Rule.yaml | 188 ++++++++++++------ src/PSRule.Rules.Azure/rules/Config.Rule.yaml | 2 + 46 files changed, 1024 insertions(+), 164 deletions(-) diff --git a/docs/en/baselines/Azure.All.csv b/docs/en/baselines/Azure.All.csv index 145ccdfc3af..9a20e13c719 100644 --- a/docs/en/baselines/Azure.All.csv +++ b/docs/en/baselines/Azure.All.csv @@ -1,4 +1,5 @@ "Name","Synopsis","Severity","Pillar","Maturity" +"Azure.ACI.Naming","Container Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1" "Azure.ACR.AnonymousAccess","Anonymous pull access allows unidentified downloading of images and metadata from a container registry.","Important","Security","-" "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-" 
@@ -8,7 +9,8 @@ "Azure.ACR.GeoReplica","Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start.","Important","Reliability","-" "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2" "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-" -"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.ACR.Naming","Container Registry resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.ACR.Quarantine","Enable container image quarantine, scan, and mark images as verified.","Important","Security","-" "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-" "Azure.ACR.Retention","Use a retention policy to cleanup untagged manifests.","Important","Cost Optimization","-" 
@@ -43,7 +45,8 @@ "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1" "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-" "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-" -"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.AKS.Naming","AKS cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-" "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-" "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-" 
@@ -53,8 +56,10 @@ "Azure.AKS.SecretStore","Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.","Important","Security","-" "Azure.AKS.SecretStoreRotation","Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.","Important","Security","-" "Azure.AKS.StandardLB","Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.","Important","Performance Efficiency","-" +"Azure.AKS.SystemPoolNaming","AKS system node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.AKS.UptimeSLA","AKS clusters should have Uptime SLA enabled for a financially backed SLA.","Important","Reliability","-" "Azure.AKS.UseRBAC","Deploy AKS cluster with role-based access control (RBAC) enabled.","Important","Security","-" +"Azure.AKS.UserPoolNaming","AKS user node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.AKS.Version","Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support.","Important","Reliability","-" "Azure.Alert.HighFrequencyQuery","High frequency scheduled queries are changed as a higher rate than low frequency queries.","Important","Cost Optimization","-" "Azure.Alert.MetricAutoMitigate","Alerts that require manual intervention for mitigation can lead to increased personnel time and effort.","Important","Cost Optimization","-" 
@@ -144,22 +149,32 @@
 "Azure.ContainerApp.APIVersion","Migrate from retired API version to a supported version.","Important","Operational Excellence","-"
 "Azure.ContainerApp.AvailabilityZone","Use Container Apps environments that are zone redundant to improve reliability.","Important","Reliability","-"
 "Azure.ContainerApp.DisableAffinity","Disable session affinity to prevent unbalanced distribution.","Awareness","Performance Efficiency","-"
+"Azure.ContainerApp.EnvNaming","Container App Environment resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
+"Azure.ContainerApp.JobNaming","Container App Job resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ContainerApp.Naming","Container App resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
 "Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
+"Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
+"Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-"
+"Azure.Cosmos.TableNaming","Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
 "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-"
 "Azure.Databricks.SKU","Ensure Databricks workspaces are non-trial SKUs for production workloads.","Critical","Performance Efficiency","-"
@@ -286,6 +301,7 @@
 "Azure.MySQL.GeoRedundantBackup","Azure Database for MySQL should store backups in a geo-redundant storage.","Important","Reliability","-"
 "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-"
 "Azure.MySQL.MinTLS","MySQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.MySQL.Naming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.MySQL.UseFlexible","Use Azure Database for MySQL Flexible Server deployment model.","Important","Reliability","-"
 "Azure.MySQL.UseSSL","Enforce encrypted MySQL connections.","Critical","Security","L1"
@@ -314,6 +330,7 @@
 "Azure.PostgreSQL.GeoRedundantBackup","Azure Database for PostgreSQL should store backups in a geo-redundant storage.","Important","Reliability","-"
 "Azure.PostgreSQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers.","Important","Reliability","-"
 "Azure.PostgreSQL.MinTLS","PostgreSQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.PostgreSQL.Naming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.PostgreSQL.UseSSL","Enforce encrypted PostgreSQL connections.","Critical","Security","L1"
 "Azure.PostgreSQL.ZoneRedundantHA","Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-"
@@ -339,10 +356,12 @@
 "Azure.Redis.MaxMemoryReserved","Configure maxmemory-reserved to reserve memory for non-cache operations.","Important","Performance Efficiency","-"
 "Azure.Redis.MinSKU","Use Azure Cache for Redis instances of at least Standard C1.","Important","Performance Efficiency","-"
 "Azure.Redis.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Redis.NonSslPort","Azure Cache for Redis should only accept secure connections.","Critical","Security","L1"
 "Azure.Redis.PublicNetworkAccess","Redis cache should disable public network access.","Critical","Security","-"
 "Azure.Redis.Version","Azure Cache for Redis should use the latest supported version of Redis.","Important","Reliability","-"
 "Azure.RedisEnterprise.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.RedisEnterprise.Naming","Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.RedisEnterprise.Zones","Enterprise Redis cache should be zone-redundant for high availability.","Important","Reliability","-"
 "Azure.Resource.AllowedRegions","The deployment location of a resource determines the country or region where metadata and data is stored and processed.","Important","Security","-"
 "Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -365,6 +384,8 @@
 "Azure.ServiceBus.MinTLS","Service Bus namespaces should reject TLS versions older than 1.2.","Important","Security","L1"
 "Azure.ServiceBus.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-"
 "Azure.ServiceFabric.AAD","Use Entra ID client authentication for Service Fabric clusters.","Critical","Security","L1"
+"Azure.ServiceFabric.ManagedNaming","Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.ServiceFabric.Naming","Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ServiceFabric.ProtectionLevel","Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks.","Important","Security","L1"
 "Azure.SignalR.ManagedIdentity","Configure SignalR Services to use managed identities to access Azure resources securely.","Important","Security","L1"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -373,14 +394,19 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
+"Azure.SQL.DatabaseNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
+"Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
+"Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.SQL.StretchDBNaming","SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
@@ -388,6 +414,7 @@
 "Azure.SQLMI.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL Managed Instances.","Important","Reliability","-"
 "Azure.SQLMI.ManagedIdentity","Ensure managed identity is used to allow support for Azure AD authentication.","Important","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQLMI.Naming","SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
 "Azure.Storage.BlobPublicAccess","Storage Accounts should only accept authorized requests.","Important","Security","-"
 "Azure.Storage.ContainerSoftDelete","Enable container soft delete on Storage Accounts.","Important","Reliability","-"
diff --git a/docs/en/baselines/Azure.All.md b/docs/en/baselines/Azure.All.md
index 0a243d0f513..8c29f0c32ab 100644
--- a/docs/en/baselines/Azure.All.md
+++ b/docs/en/baselines/Azure.All.md
@@ -10,10 +10,11 @@ Includes all Azure rules. The following rules are included within the `Azure.All` baseline. -This baseline includes a total of 496 rules. +This baseline includes a total of 523 rules. Name | Synopsis | Severity ---- | -------- | -------- +[Azure.ACI.Naming](../rules/Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ACR.AdminUser](../rules/Azure.ACR.AdminUser.md) | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical [Azure.ACR.AnonymousAccess](../rules/Azure.ACR.AnonymousAccess.md) | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Important [Azure.ACR.ContainerScan](../rules/Azure.ACR.ContainerScan.md) | Container images or their base images may have vulnerabilities discovered after they are built. | Critical 
@@ -24,6 +25,7 @@ Name | Synopsis | Severity
 [Azure.ACR.ImageHealth](../rules/Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical
 [Azure.ACR.MinSku](../rules/Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important
 [Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness
+[Azure.ACR.Naming](../rules/Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important
 [Azure.ACR.ReplicaLocation](../rules/Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important
 [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important
@@ -59,6 +61,7 @@ Name | Synopsis | Severity
 [Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
 [Azure.AKS.MinUserPoolNodes](../rules/Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important
 [Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
+[Azure.AKS.Naming](../rules/Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important
 [Azure.AKS.NodeAutoUpgrade](../rules/Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important
 [Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@@ -68,8 +71,10 @@ Name | Synopsis | Severity
 [Azure.AKS.SecretStore](../rules/Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important
 [Azure.AKS.SecretStoreRotation](../rules/Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important
 [Azure.AKS.StandardLB](../rules/Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important
+[Azure.AKS.SystemPoolNaming](../rules/Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.UptimeSLA](../rules/Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important
 [Azure.AKS.UseRBAC](../rules/Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important
+[Azure.AKS.UserPoolNaming](../rules/Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.Version](../rules/Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important
 [Azure.Alert.HighFrequencyQuery](../rules/Azure.Alert.HighFrequencyQuery.md) | High frequency scheduled queries are changed as a higher rate than low frequency queries. | Important
 [Azure.Alert.MetricAutoMitigate](../rules/Azure.Alert.MetricAutoMitigate.md) | Alerts that require manual intervention for mitigation can lead to increased personnel time and effort. | Important
@@ -159,22 +164,32 @@ Name | Synopsis | Severity
 [Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important
 [Azure.ContainerApp.AvailabilityZone](../rules/Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important
 [Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Awareness
+[Azure.ContainerApp.EnvNaming](../rules/Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important
 [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important
+[Azure.ContainerApp.JobNaming](../rules/Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important
 [Azure.ContainerApp.MinReplicas](../rules/Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important
 [Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness
+[Azure.ContainerApp.Naming](../rules/Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.PublicAccess](../rules/Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important
 [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important
 [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
+[Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
+[Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
 [Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
+[Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important
+[Azure.Cosmos.TableNaming](../rules/Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical
 [Azure.Databricks.SecureConnectivity](../rules/Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical
 [Azure.Databricks.SKU](../rules/Azure.Databricks.SKU.md) | Ensure Databricks workspaces are non-trial SKUs for production workloads. | Critical
@@ -301,6 +316,7 @@ Name | Synopsis | Severity
 [Azure.MySQL.GeoRedundantBackup](../rules/Azure.MySQL.GeoRedundantBackup.md) | Azure Database for MySQL should store backups in a geo-redundant storage. | Important
 [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important
 [Azure.MySQL.MinTLS](../rules/Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical
+[Azure.MySQL.Naming](../rules/Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness
 [Azure.MySQL.UseFlexible](../rules/Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important
 [Azure.MySQL.UseSSL](../rules/Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical
@@ -329,6 +345,7 @@ Name | Synopsis | Severity
 [Azure.PostgreSQL.GeoRedundantBackup](../rules/Azure.PostgreSQL.GeoRedundantBackup.md) | Azure Database for PostgreSQL should store backups in a geo-redundant storage. | Important
 [Azure.PostgreSQL.MaintenanceWindow](../rules/Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important
 [Azure.PostgreSQL.MinTLS](../rules/Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical
+[Azure.PostgreSQL.Naming](../rules/Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness
 [Azure.PostgreSQL.UseSSL](../rules/Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical
 [Azure.PostgreSQL.ZoneRedundantHA](../rules/Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
@@ -354,10 +371,12 @@ Name | Synopsis | Severity
 [Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
 [Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important
 [Azure.Redis.MinTLS](../rules/Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
+[Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Redis.NonSslPort](../rules/Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical
 [Azure.Redis.PublicNetworkAccess](../rules/Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical
 [Azure.Redis.Version](../rules/Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important
 [Azure.RedisEnterprise.MinTLS](../rules/Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
+[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.RedisEnterprise.Zones](../rules/Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important
 [Azure.Resource.AllowedRegions](../rules/Azure.Resource.AllowedRegions.md) | The deployment location of a resource determines the country or region where metadata and data is stored and processed. | Important
 [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness
@@ -380,6 +399,8 @@ Name | Synopsis | Severity
 [Azure.ServiceBus.MinTLS](../rules/Azure.ServiceBus.MinTLS.md) | Service Bus namespaces should reject TLS versions older than 1.2. | Important
 [Azure.ServiceBus.Usage](../rules/Azure.ServiceBus.Usage.md) | Regularly remove unused resources to reduce costs. | Important
 [Azure.ServiceFabric.AAD](../rules/Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical
+[Azure.ServiceFabric.ManagedNaming](../rules/Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.ServiceFabric.Naming](../rules/Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ServiceFabric.ProtectionLevel](../rules/Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important
 [Azure.SignalR.ManagedIdentity](../rules/Azure.SignalR.ManagedIdentity.md) | Configure SignalR Services to use managed identities to access Azure resources securely. | Important
 [Azure.SignalR.Name](../rules/Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness
@@ -388,14 +409,19 @@ Name | Synopsis | Severity
 [Azure.SQL.AADOnly](../rules/Azure.SQL.AADOnly.md) | Ensure Entra ID only authentication is enabled with Azure SQL Database. | Important
 [Azure.SQL.AllowAzureAccess](../rules/Azure.SQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important
 [Azure.SQL.Auditing](../rules/Azure.SQL.Auditing.md) | Enable auditing for Azure SQL logical server. | Important
+[Azure.SQL.DatabaseNaming](../rules/Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness
 [Azure.SQL.DefenderCloud](../rules/Azure.SQL.DefenderCloud.md) | Enable Microsoft Defender for Azure SQL logical server. | Important
+[Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness
 [Azure.SQL.FirewallIPRange](../rules/Azure.SQL.FirewallIPRange.md) | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important
 [Azure.SQL.FirewallRuleCount](../rules/Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness
+[Azure.SQL.JobAgentNaming](../rules/Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.MaintenanceWindow](../rules/Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important
 [Azure.SQL.MinTLS](../rules/Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical
 [Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness
+[Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.SQL.StretchDBNaming](../rules/Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.TDE](../rules/Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical
 [Azure.SQL.VAScan](../rules/Azure.SQL.VAScan.md) | SQL Databases may have configuration vulnerabilities discovered after they are deployed. | Important
 [Azure.SQLMI.AAD](../rules/Azure.SQLMI.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical
@@ -403,6 +429,7 @@ Name | Synopsis | Severity
 [Azure.SQLMI.MaintenanceWindow](../rules/Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important
 [Azure.SQLMI.ManagedIdentity](../rules/Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important
 [Azure.SQLMI.Name](../rules/Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness
+[Azure.SQLMI.Naming](../rules/Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Storage.BlobAccessType](../rules/Azure.Storage.BlobAccessType.md) | Use containers configured with a private access type that requires authorization. | Important
 [Azure.Storage.BlobPublicAccess](../rules/Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important
 [Azure.Storage.ContainerSoftDelete](../rules/Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important
diff --git a/docs/en/baselines/Azure.CAF_2025_03.csv b/docs/en/baselines/Azure.CAF_2025_03.csv
index 81e5e076da4..845a551c6d9 100644
--- a/docs/en/baselines/Azure.CAF_2025_03.csv
+++ b/docs/en/baselines/Azure.CAF_2025_03.csv
@@ -1,7 +1,7 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AI.FoundryNaming","Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.APIM.Name","API Management service names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AppConfig.Name","App Configuration store names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AppGw.Name","Application Gateways should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -10,7 +10,7 @@
 "Azure.ASG.Name","Application Security Group (ASG) names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.CAF_2025_06.csv b/docs/en/baselines/Azure.CAF_2025_06.csv
index 81e5e076da4..845a551c6d9 100644
--- a/docs/en/baselines/Azure.CAF_2025_06.csv
+++ b/docs/en/baselines/Azure.CAF_2025_06.csv
@@ -1,7 +1,7 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AI.FoundryNaming","Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.APIM.Name","API Management service names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AppConfig.Name","App Configuration store names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AppGw.Name","Application Gateways should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -10,7 +10,7 @@
 "Azure.ASG.Name","Application Security Group (ASG) names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.CAF_Compatibility.csv b/docs/en/baselines/Azure.CAF_Compatibility.csv
index 81e5e076da4..845a551c6d9 100644
--- a/docs/en/baselines/Azure.CAF_Compatibility.csv
+++ b/docs/en/baselines/Azure.CAF_Compatibility.csv
@@ -1,7 +1,7 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AI.FoundryNaming","Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.APIM.Name","API Management service names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AppConfig.Name","App Configuration store names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AppGw.Name","Application Gateways should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -10,7 +10,7 @@
 "Azure.ASG.Name","Application Security Group (ASG) names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.Default.csv b/docs/en/baselines/Azure.Default.csv
index e55d5dbcd5b..7278cbfd2c7 100644
--- a/docs/en/baselines/Azure.Default.csv
+++ b/docs/en/baselines/Azure.Default.csv
@@ -1,4 +1,5 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
+"Azure.ACI.Naming","Container Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1"
 "Azure.ACR.AnonymousAccess","Anonymous pull access allows unidentified downloading of images and metadata from a container registry.","Important","Security","-"
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
@@ -7,7 +8,8 @@
 "Azure.ACR.GeoReplica","Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start.","Important","Reliability","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ACR.Naming","Container Registry resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
@@ -39,7 +41,8 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.AKS.Naming","AKS cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -49,8 +52,10 @@
 "Azure.AKS.SecretStore","Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.","Important","Security","-"
 "Azure.AKS.SecretStoreRotation","Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.","Important","Security","-"
 "Azure.AKS.StandardLB","Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.","Important","Performance Efficiency","-"
+"Azure.AKS.SystemPoolNaming","AKS system node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.UptimeSLA","AKS clusters should have Uptime SLA enabled for a financially backed SLA.","Important","Reliability","-"
 "Azure.AKS.UseRBAC","Deploy AKS cluster with role-based access control (RBAC) enabled.","Important","Security","-"
+"Azure.AKS.UserPoolNaming","AKS user node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.Version","Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support.","Important","Reliability","-"
 "Azure.Alert.HighFrequencyQuery","High frequency scheduled queries are changed as a higher rate than low frequency queries.","Important","Cost Optimization","-"
 "Azure.Alert.MetricAutoMitigate","Alerts that require manual intervention for mitigation can lead to increased personnel time and effort.","Important","Cost Optimization","-"
@@ -137,22 +142,32 @@
 "Azure.ContainerApp.APIVersion","Migrate from retired API version to a supported version.","Important","Operational Excellence","-"
 "Azure.ContainerApp.AvailabilityZone","Use Container Apps environments that are zone redundant to improve reliability.","Important","Reliability","-"
 "Azure.ContainerApp.DisableAffinity","Disable session affinity to prevent unbalanced distribution.","Awareness","Performance Efficiency","-"
+"Azure.ContainerApp.EnvNaming","Container App Environment resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
+"Azure.ContainerApp.JobNaming","Container App Job resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ContainerApp.Naming","Container App resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
 "Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
+"Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
+"Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-"
+"Azure.Cosmos.TableNaming","Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
 "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-"
 "Azure.Databricks.SKU","Ensure Databricks workspaces are non-trial SKUs for production workloads.","Critical","Performance Efficiency","-"
@@ -278,6 +293,7 @@
 "Azure.MySQL.GeoRedundantBackup","Azure Database for MySQL should store backups in a geo-redundant storage.","Important","Reliability","-"
 "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-"
 "Azure.MySQL.MinTLS","MySQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.MySQL.Naming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.MySQL.UseFlexible","Use Azure Database for MySQL Flexible Server deployment model.","Important","Reliability","-"
 "Azure.MySQL.UseSSL","Enforce encrypted MySQL connections.","Critical","Security","L1"
@@ -306,6 +322,7 @@
 "Azure.PostgreSQL.GeoRedundantBackup","Azure Database for PostgreSQL should store backups in a geo-redundant storage.","Important","Reliability","-"
 "Azure.PostgreSQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers.","Important","Reliability","-"
 "Azure.PostgreSQL.MinTLS","PostgreSQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.PostgreSQL.Naming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.PostgreSQL.UseSSL","Enforce encrypted PostgreSQL connections.","Critical","Security","L1"
 "Azure.PostgreSQL.ZoneRedundantHA","Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-"
@@ -331,10 +348,12 @@
 "Azure.Redis.MaxMemoryReserved","Configure maxmemory-reserved to reserve memory for non-cache operations.","Important","Performance Efficiency","-"
 "Azure.Redis.MinSKU","Use Azure Cache for Redis instances of at least Standard C1.","Important","Performance Efficiency","-"
 "Azure.Redis.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Redis.NonSslPort","Azure Cache for Redis should only accept secure connections.","Critical","Security","L1"
 "Azure.Redis.PublicNetworkAccess","Redis cache should disable public network access.","Critical","Security","-"
 "Azure.Redis.Version","Azure Cache for Redis should use the latest supported version of Redis.","Important","Reliability","-"
 "Azure.RedisEnterprise.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.RedisEnterprise.Naming","Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.RedisEnterprise.Zones","Enterprise Redis cache should be zone-redundant for high availability.","Important","Reliability","-"
 "Azure.Resource.AllowedRegions","The deployment location of a resource determines the country or region where metadata and data is stored and processed.","Important","Security","-"
 "Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -356,6 +375,8 @@
 "Azure.ServiceBus.MinTLS","Service Bus namespaces should reject TLS versions older than 1.2.","Important","Security","L1"
 "Azure.ServiceBus.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-"
 "Azure.ServiceFabric.AAD","Use Entra ID client authentication for Service Fabric clusters.","Critical","Security","L1"
+"Azure.ServiceFabric.ManagedNaming","Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.ServiceFabric.Naming","Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ServiceFabric.ProtectionLevel","Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks.","Important","Security","L1"
 "Azure.SignalR.ManagedIdentity","Configure SignalR Services to use managed identities to access Azure resources securely.","Important","Security","L1"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -364,14 +385,19 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
+"Azure.SQL.DatabaseNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
+"Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
+"Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.SQL.StretchDBNaming","SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
@@ -379,6 +405,7 @@
 "Azure.SQLMI.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL Managed Instances.","Important","Reliability","-"
 "Azure.SQLMI.ManagedIdentity","Ensure managed identity is used to allow support for Azure AD authentication.","Important","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQLMI.Naming","SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
 "Azure.Storage.BlobPublicAccess","Storage Accounts should only accept authorized requests.","Important","Security","-"
 "Azure.Storage.ContainerSoftDelete","Enable container soft delete on Storage Accounts.","Important","Reliability","-"
diff --git a/docs/en/baselines/Azure.Default.md b/docs/en/baselines/Azure.Default.md
index 9c8463f3cdb..5d3e7e794fb 100644
--- a/docs/en/baselines/Azure.Default.md
+++ b/docs/en/baselines/Azure.Default.md
@@ -10,10 +10,11 @@ Default baseline for that includes the latest rules for Azure GA features that i
 The following rules are included within the `Azure.Default` baseline.
-This baseline includes a total of 482 rules.
+This baseline includes a total of 509 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
+[Azure.ACI.Naming](../rules/Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ACR.AdminUser](../rules/Azure.ACR.AdminUser.md) | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical
 [Azure.ACR.AnonymousAccess](../rules/Azure.ACR.AnonymousAccess.md) | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Important
 [Azure.ACR.ContainerScan](../rules/Azure.ACR.ContainerScan.md) | Container images or their base images may have vulnerabilities discovered after they are built. | Critical
@@ -23,6 +24,7 @@ Name | Synopsis | Severity
 [Azure.ACR.ImageHealth](../rules/Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical
 [Azure.ACR.MinSku](../rules/Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important
 [Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness
+[Azure.ACR.Naming](../rules/Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ACR.ReplicaLocation](../rules/Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important
 [Azure.ACR.Usage](../rules/Azure.ACR.Usage.md) | Regularly remove deprecated and unneeded images to reduce storage usage. | Important
 [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important
@@ -55,6 +57,7 @@ Name | Synopsis | Severity
 [Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
 [Azure.AKS.MinUserPoolNodes](../rules/Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important
 [Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
+[Azure.AKS.Naming](../rules/Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important
 [Azure.AKS.NodeAutoUpgrade](../rules/Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important
 [Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@@ -64,8 +67,10 @@ Name | Synopsis | Severity
 [Azure.AKS.SecretStore](../rules/Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important
 [Azure.AKS.SecretStoreRotation](../rules/Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important
 [Azure.AKS.StandardLB](../rules/Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important
+[Azure.AKS.SystemPoolNaming](../rules/Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.UptimeSLA](../rules/Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important
 [Azure.AKS.UseRBAC](../rules/Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important
+[Azure.AKS.UserPoolNaming](../rules/Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.Version](../rules/Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important
 [Azure.Alert.HighFrequencyQuery](../rules/Azure.Alert.HighFrequencyQuery.md) | High frequency scheduled queries are changed as a higher rate than low frequency queries. | Important
 [Azure.Alert.MetricAutoMitigate](../rules/Azure.Alert.MetricAutoMitigate.md) | Alerts that require manual intervention for mitigation can lead to increased personnel time and effort. | Important
@@ -152,22 +157,32 @@ Name | Synopsis | Severity
 [Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important
 [Azure.ContainerApp.AvailabilityZone](../rules/Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important
 [Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Awareness
+[Azure.ContainerApp.EnvNaming](../rules/Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important
 [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important
+[Azure.ContainerApp.JobNaming](../rules/Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important
 [Azure.ContainerApp.MinReplicas](../rules/Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important
 [Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness
+[Azure.ContainerApp.Naming](../rules/Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.PublicAccess](../rules/Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important
 [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important
 [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
+[Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
+[Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
 [Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
+[Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important
+[Azure.Cosmos.TableNaming](../rules/Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical
 [Azure.Databricks.SecureConnectivity](../rules/Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical
 [Azure.Databricks.SKU](../rules/Azure.Databricks.SKU.md) | Ensure Databricks workspaces are non-trial SKUs for production workloads. | Critical
@@ -293,6 +308,7 @@ Name | Synopsis | Severity
 [Azure.MySQL.GeoRedundantBackup](../rules/Azure.MySQL.GeoRedundantBackup.md) | Azure Database for MySQL should store backups in a geo-redundant storage. | Important
 [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important
 [Azure.MySQL.MinTLS](../rules/Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical
+[Azure.MySQL.Naming](../rules/Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness
 [Azure.MySQL.UseFlexible](../rules/Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important
 [Azure.MySQL.UseSSL](../rules/Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical
@@ -321,6 +337,7 @@ Name | Synopsis | Severity
 [Azure.PostgreSQL.GeoRedundantBackup](../rules/Azure.PostgreSQL.GeoRedundantBackup.md) | Azure Database for PostgreSQL should store backups in a geo-redundant storage. | Important
 [Azure.PostgreSQL.MaintenanceWindow](../rules/Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important
 [Azure.PostgreSQL.MinTLS](../rules/Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical
+[Azure.PostgreSQL.Naming](../rules/Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness
 [Azure.PostgreSQL.UseSSL](../rules/Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical
 [Azure.PostgreSQL.ZoneRedundantHA](../rules/Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
@@ -346,10 +363,12 @@ Name | Synopsis | Severity
 [Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
 [Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important
 [Azure.Redis.MinTLS](../rules/Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
+[Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Redis.NonSslPort](../rules/Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical
 [Azure.Redis.PublicNetworkAccess](../rules/Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical
 [Azure.Redis.Version](../rules/Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important
 [Azure.RedisEnterprise.MinTLS](../rules/Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
+[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.RedisEnterprise.Zones](../rules/Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important
 [Azure.Resource.AllowedRegions](../rules/Azure.Resource.AllowedRegions.md) | The deployment location of a resource determines the country or region where metadata and data is stored and processed. | Important
 [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness
@@ -371,6 +390,8 @@ Name | Synopsis | Severity
 [Azure.ServiceBus.MinTLS](../rules/Azure.ServiceBus.MinTLS.md) | Service Bus namespaces should reject TLS versions older than 1.2. | Important
 [Azure.ServiceBus.Usage](../rules/Azure.ServiceBus.Usage.md) | Regularly remove unused resources to reduce costs. | Important
 [Azure.ServiceFabric.AAD](../rules/Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical
+[Azure.ServiceFabric.ManagedNaming](../rules/Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.ServiceFabric.Naming](../rules/Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ServiceFabric.ProtectionLevel](../rules/Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important
 [Azure.SignalR.ManagedIdentity](../rules/Azure.SignalR.ManagedIdentity.md) | Configure SignalR Services to use managed identities to access Azure resources securely. | Important
 [Azure.SignalR.Name](../rules/Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness
@@ -379,14 +400,19 @@ Name | Synopsis | Severity
 [Azure.SQL.AADOnly](../rules/Azure.SQL.AADOnly.md) | Ensure Entra ID only authentication is enabled with Azure SQL Database. | Important
 [Azure.SQL.AllowAzureAccess](../rules/Azure.SQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important
 [Azure.SQL.Auditing](../rules/Azure.SQL.Auditing.md) | Enable auditing for Azure SQL logical server. | Important
+[Azure.SQL.DatabaseNaming](../rules/Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness
 [Azure.SQL.DefenderCloud](../rules/Azure.SQL.DefenderCloud.md) | Enable Microsoft Defender for Azure SQL logical server. | Important
+[Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness
 [Azure.SQL.FirewallIPRange](../rules/Azure.SQL.FirewallIPRange.md) | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important
 [Azure.SQL.FirewallRuleCount](../rules/Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness
+[Azure.SQL.JobAgentNaming](../rules/Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.MaintenanceWindow](../rules/Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important
 [Azure.SQL.MinTLS](../rules/Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical
 [Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness
+[Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.SQL.StretchDBNaming](../rules/Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.TDE](../rules/Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical
 [Azure.SQL.VAScan](../rules/Azure.SQL.VAScan.md) | SQL Databases may have configuration vulnerabilities discovered after they are deployed. | Important
 [Azure.SQLMI.AAD](../rules/Azure.SQLMI.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical
@@ -394,6 +420,7 @@ Name | Synopsis | Severity
 [Azure.SQLMI.MaintenanceWindow](../rules/Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important
 [Azure.SQLMI.ManagedIdentity](../rules/Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important
 [Azure.SQLMI.Name](../rules/Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness
+[Azure.SQLMI.Naming](../rules/Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Storage.BlobAccessType](../rules/Azure.Storage.BlobAccessType.md) | Use containers configured with a private access type that requires authorization. | Important
 [Azure.Storage.BlobPublicAccess](../rules/Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important
 [Azure.Storage.ContainerSoftDelete](../rules/Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important
diff --git a/docs/en/baselines/Azure.GA_2020_06.csv b/docs/en/baselines/Azure.GA_2020_06.csv
index 716d32d2848..f0394d1237d 100644
--- a/docs/en/baselines/Azure.GA_2020_06.csv
+++ b/docs/en/baselines/Azure.GA_2020_06.csv
@@ -1,11 +1,11 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
 "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PoolScaleSet","Deploy AKS clusters with nodes pools based on VM scale sets.","Important","Performance Efficiency","-"
diff --git a/docs/en/baselines/Azure.GA_2020_09.csv b/docs/en/baselines/Azure.GA_2020_09.csv
index 67b92c02310..c05c90dc458 100644
--- a/docs/en/baselines/Azure.GA_2020_09.csv
+++ b/docs/en/baselines/Azure.GA_2020_09.csv
@@ -1,11 +1,11 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
 "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PoolScaleSet","Deploy AKS clusters with nodes pools based on VM scale sets.","Important","Performance Efficiency","-"
diff --git a/docs/en/baselines/Azure.GA_2020_12.csv b/docs/en/baselines/Azure.GA_2020_12.csv
index af6e64485cd..95ba856cc3c 100644
--- a/docs/en/baselines/Azure.GA_2020_12.csv
+++ b/docs/en/baselines/Azure.GA_2020_12.csv
@@ -3,13 +3,13 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.AKS.AzurePolicyAddOn","Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.","Important","Security","-"
 "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PoolScaleSet","Deploy AKS clusters with nodes pools based on VM scale sets.","Important","Performance Efficiency","-"
diff --git a/docs/en/baselines/Azure.GA_2021_03.csv b/docs/en/baselines/Azure.GA_2021_03.csv
index 8df454ec716..12a93408fa0 100644
--- a/docs/en/baselines/Azure.GA_2021_03.csv
+++ b/docs/en/baselines/Azure.GA_2021_03.csv
@@ -3,13 +3,13 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.AKS.AzurePolicyAddOn","Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.","Important","Security","-"
 "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PoolScaleSet","Deploy AKS clusters with nodes pools based on VM scale sets.","Important","Performance Efficiency","-"
diff --git a/docs/en/baselines/Azure.GA_2021_06.csv b/docs/en/baselines/Azure.GA_2021_06.csv
index 76be59d2ef2..607d754c620 100644
--- a/docs/en/baselines/Azure.GA_2021_06.csv
+++ b/docs/en/baselines/Azure.GA_2021_06.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.AKS.AuthorizedIPs","Restrict access to API server endpoints to authorized IP addresses.","Important","Security","-"
 "Azure.AKS.AzurePolicyAddOn","Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.","Important","Security","-"
@@ -12,7 +12,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PoolScaleSet","Deploy AKS clusters with nodes pools based on VM scale sets.","Important","Performance Efficiency","-"
diff --git a/docs/en/baselines/Azure.GA_2021_09.csv b/docs/en/baselines/Azure.GA_2021_09.csv
index 1857e1a33f3..811d7809f67 100644
--- a/docs/en/baselines/Azure.GA_2021_09.csv
+++ b/docs/en/baselines/Azure.GA_2021_09.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.AKS.AuditLogs","AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.","Important","Security","L1"
 "Azure.AKS.AuthorizedIPs","Restrict access to API server endpoints to authorized IP addresses.","Important","Security","-"
@@ -17,7 +17,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.GA_2021_12.csv b/docs/en/baselines/Azure.GA_2021_12.csv
index 8c7f0c2f5f6..597a4f1c2c0 100644
--- a/docs/en/baselines/Azure.GA_2021_12.csv
+++ b/docs/en/baselines/Azure.GA_2021_12.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.AKS.AuditLogs","AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.","Important","Security","L1"
 "Azure.AKS.AuthorizedIPs","Restrict access to API server endpoints to authorized IP addresses.","Important","Security","-"
@@ -19,7 +19,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.GA_2022_03.csv b/docs/en/baselines/Azure.GA_2022_03.csv
index 7cb76cf059d..87505cbefe9 100644
--- a/docs/en/baselines/Azure.GA_2022_03.csv
+++ b/docs/en/baselines/Azure.GA_2022_03.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -23,7 +23,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.GA_2022_06.csv b/docs/en/baselines/Azure.GA_2022_06.csv
index fe1e6615695..e2d3ef65c06 100644
--- a/docs/en/baselines/Azure.GA_2022_06.csv
+++ b/docs/en/baselines/Azure.GA_2022_06.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -23,7 +23,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.GA_2022_09.csv b/docs/en/baselines/Azure.GA_2022_09.csv
index ad35c4b7ca3..bdd38ed2705 100644
--- a/docs/en/baselines/Azure.GA_2022_09.csv
+++ b/docs/en/baselines/Azure.GA_2022_09.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -28,7 +28,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.GA_2022_12.csv b/docs/en/baselines/Azure.GA_2022_12.csv
index 10a05f7cc7b..869c83576e1 100644
--- a/docs/en/baselines/Azure.GA_2022_12.csv
+++ b/docs/en/baselines/Azure.GA_2022_12.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -28,7 +28,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.GA_2023_03.csv b/docs/en/baselines/Azure.GA_2023_03.csv
index 50e6d053a04..dc7ab7f54b9 100644
--- a/docs/en/baselines/Azure.GA_2023_03.csv
+++ b/docs/en/baselines/Azure.GA_2023_03.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -29,7 +29,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -103,7 +103,7 @@
 "Azure.CDN.UseFrontDoor","Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.","Important","Performance Efficiency","-"
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
 "Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.GA_2023_06.csv b/docs/en/baselines/Azure.GA_2023_06.csv
index 585ba58664b..c56278ebd5f 100644
--- a/docs/en/baselines/Azure.GA_2023_06.csv
+++ b/docs/en/baselines/Azure.GA_2023_06.csv
@@ -3,7 +3,7 @@
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -29,7 +29,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -107,7 +107,7 @@
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
diff --git a/docs/en/baselines/Azure.GA_2023_09.csv b/docs/en/baselines/Azure.GA_2023_09.csv
index 703d2a4cc64..117210e5d6b 100644
--- a/docs/en/baselines/Azure.GA_2023_09.csv
+++ b/docs/en/baselines/Azure.GA_2023_09.csv
@@ -4,7 +4,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -31,7 +31,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -112,7 +112,7 @@
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
diff --git a/docs/en/baselines/Azure.GA_2023_12.csv b/docs/en/baselines/Azure.GA_2023_12.csv
index 653f23ca95f..0dc86d47a8a 100644
--- a/docs/en/baselines/Azure.GA_2023_12.csv
+++ b/docs/en/baselines/Azure.GA_2023_12.csv
@@ -4,7 +4,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -31,7 +31,7 @@
 "Azure.AKS.ManagedAAD","Use AKS-managed Azure AD to simplify authorization and improve security.","Important","Security","L1"
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -114,7 +114,7 @@
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
diff --git a/docs/en/baselines/Azure.GA_2024_03.csv b/docs/en/baselines/Azure.GA_2024_03.csv
index 7a2a6120895..da5f1d458d7 100644
--- a/docs/en/baselines/Azure.GA_2024_03.csv
+++ b/docs/en/baselines/Azure.GA_2024_03.csv
@@ -4,7 +4,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -32,7 +32,7 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
@@ -118,7 +118,7 @@
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
diff --git a/docs/en/baselines/Azure.GA_2024_06.csv b/docs/en/baselines/Azure.GA_2024_06.csv
index 33f14b72cb3..7248de54a6a 100644
--- a/docs/en/baselines/Azure.GA_2024_06.csv
+++ b/docs/en/baselines/Azure.GA_2024_06.csv
@@ -4,7 +4,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -32,7 +32,7 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -126,7 +126,7 @@
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
diff --git a/docs/en/baselines/Azure.GA_2024_09.csv b/docs/en/baselines/Azure.GA_2024_09.csv
index b75a54929a4..bf899e346fe 100644
--- a/docs/en/baselines/Azure.GA_2024_09.csv
+++ b/docs/en/baselines/Azure.GA_2024_09.csv
@@ -4,7 +4,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -34,7 +34,7 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -130,7 +130,7 @@
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
diff --git a/docs/en/baselines/Azure.GA_2024_12.csv b/docs/en/baselines/Azure.GA_2024_12.csv
index 1bdcae2854a..3de3c49e520 100644
--- a/docs/en/baselines/Azure.GA_2024_12.csv
+++ b/docs/en/baselines/Azure.GA_2024_12.csv
@@ -5,7 +5,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -35,7 +35,7 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -131,7 +131,7 @@
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
diff --git a/docs/en/baselines/Azure.GA_2025_03.csv b/docs/en/baselines/Azure.GA_2025_03.csv
index 55d7ae10a17..ca8c2dce8a0 100644
--- a/docs/en/baselines/Azure.GA_2025_03.csv
+++ b/docs/en/baselines/Azure.GA_2025_03.csv
@@ -5,7 +5,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -35,7 +35,7 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -131,7 +131,7 @@
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
diff --git a/docs/en/baselines/Azure.GA_2025_06.csv b/docs/en/baselines/Azure.GA_2025_06.csv
index c929eff5e87..82c1c521c8f 100644
--- a/docs/en/baselines/Azure.GA_2025_06.csv
+++ b/docs/en/baselines/Azure.GA_2025_06.csv
@@ -5,7 +5,7 @@
 "Azure.ACR.Firewall","Container Registry without restrictions can be accessed from any network location including the Internet.","Important","Security","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
@@ -36,7 +36,7 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -137,7 +137,7 @@
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
diff --git a/docs/en/baselines/Azure.GA_2025_09.csv b/docs/en/baselines/Azure.GA_2025_09.csv
index 3d9e8a22683..aca29228722 100644
--- a/docs/en/baselines/Azure.GA_2025_09.csv
+++ b/docs/en/baselines/Azure.GA_2025_09.csv
@@ -7,7 +7,7 @@
 "Azure.ACR.GeoReplica","Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start.","Important","Reliability","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-"
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
@@ -39,7 +39,7 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -140,7 +140,7 @@
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
diff --git a/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv b/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv
index 7c892adc7bf..a5d0bcfa7aa 100644
--- a/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv
+++ b/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv
@@ -1,10 +1,15 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACI.Naming","Container Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ACR.Naming","Container Registry resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AI.FoundryNaming","Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.AKS.ContainerInsights","Enable Container insights to monitor AKS cluster workloads.","Important","Operational Excellence","-"
 "Azure.AKS.DNSPrefix","Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.AKS.Naming","AKS cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.PlatformLogs","AKS clusters should collect platform diagnostic logs to monitor the state of workloads.","Important","Operational Excellence","-"
+"Azure.AKS.SystemPoolNaming","AKS system node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.AKS.UserPoolNaming","AKS user node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.APIM.APIDescriptors","APIs should have a display name and description.","Awareness","Operational Excellence","-"
 "Azure.APIM.MinAPIVersion","API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer.","Important","Operational Excellence","-"
 "Azure.APIM.Name","API Management service names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -22,8 +27,18 @@
 "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.ContainerApp.APIVersion","Migrate from retired API version to a supported version.","Important","Operational Excellence","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.EnvNaming","Container App Environment resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.ContainerApp.JobNaming","Container App Job resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ContainerApp.Naming","Container App resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.TableNaming","Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.SystemTopicNaming","Event Grid system topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -47,6 +62,7 @@
 "Azure.MariaDB.FirewallRuleName","Azure Database for MariaDB firewall rules should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.MariaDB.ServerName","Azure Database for MariaDB servers should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.MariaDB.VNETRuleName","Azure Database for MariaDB VNET rules should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.MySQL.Naming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.NIC.Name","Network Interface (NIC) names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.NSG.AKSRules","AKS Network Security Group (NSG) should not have custom rules.","Awareness","Operational Excellence","-"
@@ -56,23 +72,34 @@
 "Azure.Policy.AssignmentDescriptors","Policy assignments should use a display name and description.","Awareness","Operational Excellence","-"
 "Azure.Policy.Descriptors","Policy and initiative definitions should use a display name, description, and category.","Awareness","Operational Excellence","-"
 "Azure.Policy.ExemptionDescriptors","Policy exemptions should use a display name and description.","Awareness","Operational Excellence","-"
+"Azure.PostgreSQL.Naming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.PrivateEndpoint.Name","Private Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.PublicIP.DNSLabel","Public IP domain name labels should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.PublicIP.MigrateStandard","Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.","Important","Operational Excellence","-"
 "Azure.PublicIP.Name","Azure Resource Manager (ARM) has requirements for Public IP address names.","Awareness","Operational Excellence","-"
 "Azure.PublicIP.Naming","Public IP addresses without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
+"Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.RedisEnterprise.Naming","Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.Route.Name","Azure Resource Manager (ARM) has requirements for Route table names.","Awareness","Operational Excellence","-"
 "Azure.Route.Naming","Route tables without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.RSV.Name","Recovery Services vaults should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Search.Name","Azure Resource Manager (ARM) has requirements for AI Search service names.","Awareness","Operational Excellence","-"
 "Azure.Search.Naming","Azure AI Search services without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
+"Azure.ServiceFabric.ManagedNaming","Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.ServiceFabric.Naming","Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DatabaseNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.SQL.StretchDBNaming","SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQLMI.Naming","SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Storage.Name","Azure Resource Manager (ARM) has requirements for Storage Account names.","Awareness","Operational Excellence","-"
 "Azure.Storage.Naming","Storage Accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.Subscription.RequiredTags","Subscriptions without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.Pillar.OperationalExcellence.md b/docs/en/baselines/Azure.Pillar.OperationalExcellence.md
index 70c453ea4bc..2327fd42d97 100644
--- a/docs/en/baselines/Azure.Pillar.OperationalExcellence.md
+++ b/docs/en/baselines/Azure.Pillar.OperationalExcellence.md
@@ -14,16 +14,21 @@ Microsoft Azure Well-Architected Framework - Operational Excellence pillar speci
 The following rules are included within the `Azure.Pillar.OperationalExcellence` baseline.
-This baseline includes a total of 119 rules.
+This baseline includes a total of 146 rules.
 Name | Synopsis | Severity | Maturity
 ---- | -------- | -------- | --------
-[Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness | -
+[Azure.ACI.Naming](../rules/Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness | L2
+[Azure.ACR.Naming](../rules/Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.AI.FoundryNaming](../rules/Azure.AI.FoundryNaming.md) | Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage. | Awareness | -
 [Azure.AKS.ContainerInsights](../rules/Azure.AKS.ContainerInsights.md) | Enable Container insights to monitor AKS cluster workloads. | Important | -
 [Azure.AKS.DNSPrefix](../rules/Azure.AKS.DNSPrefix.md) | Azure Kubernetes Service (AKS) cluster DNS prefix should meet naming requirements. | Awareness | -
-[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | -
+[Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | L2
+[Azure.AKS.Naming](../rules/Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.AKS.PlatformLogs](../rules/Azure.AKS.PlatformLogs.md) | AKS clusters should collect platform diagnostic logs to monitor the state of workloads. | Important | -
+[Azure.AKS.SystemPoolNaming](../rules/Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.AKS.UserPoolNaming](../rules/Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.APIM.APIDescriptors](../rules/Azure.APIM.APIDescriptors.md) | APIs should have a display name and description. | Awareness | -
 [Azure.APIM.MinAPIVersion](../rules/Azure.APIM.MinAPIVersion.md) | API Management instances should limit control plane API calls to API Management with version '2021-08-01' or newer. | Important | -
 [Azure.APIM.Name](../rules/Azure.APIM.Name.md) | API Management service names should meet naming requirements. | Awareness | -
@@ -41,8 +46,18 @@ Name | Synopsis | Severity | Maturity
 [Azure.Bastion.Name](../rules/Azure.Bastion.Name.md) | Bastion hosts should meet naming requirements. | Awareness | -
 [Azure.CDN.EndpointName](../rules/Azure.CDN.EndpointName.md) | Azure CDN Endpoint names should meet naming requirements. | Awareness | -
 [Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important | -
-[Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | -
+[Azure.ContainerApp.EnvNaming](../rules/Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.ContainerApp.JobNaming](../rules/Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | L2
+[Azure.ContainerApp.Naming](../rules/Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | -
+[Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.
| Awareness | L2
+[Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.Cosmos.TableNaming](../rules/Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.Deployment.Name](../rules/Azure.Deployment.Name.md) | Nested deployments should meet naming requirements of deployments. | Awareness | -
 [Azure.EventGrid.DomainNaming](../rules/Azure.EventGrid.DomainNaming.md) | Event Grid domains without a standard naming convention may be difficult to identify and manage. | Awareness | -
 [Azure.EventGrid.SystemTopicNaming](../rules/Azure.EventGrid.SystemTopicNaming.md) | Event Grid system topics without a standard naming convention may be difficult to identify and manage. | Awareness | -
@@ -66,6 +81,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.MariaDB.FirewallRuleName](../rules/Azure.MariaDB.FirewallRuleName.md) | Azure Database for MariaDB firewall rules should meet naming requirements. | Awareness | -
 [Azure.MariaDB.ServerName](../rules/Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness | -
 [Azure.MariaDB.VNETRuleName](../rules/Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness | -
+[Azure.MySQL.Naming](../rules/Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | -
 [Azure.NIC.Name](../rules/Azure.NIC.Name.md) | Network Interface (NIC) names should meet naming requirements. | Awareness | -
 [Azure.NSG.AKSRules](../rules/Azure.NSG.AKSRules.md) | AKS Network Security Group (NSG) should not have custom rules. | Awareness | -
@@ -75,23 +91,34 @@ Name | Synopsis | Severity | Maturity
 [Azure.Policy.AssignmentDescriptors](../rules/Azure.Policy.AssignmentDescriptors.md) | Policy assignments should use a display name and description. | Awareness | -
 [Azure.Policy.Descriptors](../rules/Azure.Policy.Descriptors.md) | Policy and initiative definitions should use a display name, description, and category. | Awareness | -
 [Azure.Policy.ExemptionDescriptors](../rules/Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | -
+[Azure.PostgreSQL.Naming](../rules/Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | -
 [Azure.PrivateEndpoint.Name](../rules/Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness | -
 [Azure.PublicIP.DNSLabel](../rules/Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness | -
 [Azure.PublicIP.MigrateStandard](../rules/Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | Important | -
 [Azure.PublicIP.Name](../rules/Azure.PublicIP.Name.md) | Azure Resource Manager (ARM) has requirements for Public IP address names. | Awareness | -
 [Azure.PublicIP.Naming](../rules/Azure.PublicIP.Naming.md) | Public IP addresses without a standard naming convention may be difficult to identify and manage. | Awareness | -
+[Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.
| Awareness | L2
+[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | -
 [Azure.Route.Name](../rules/Azure.Route.Name.md) | Azure Resource Manager (ARM) has requirements for Route table names. | Awareness | -
 [Azure.Route.Naming](../rules/Azure.Route.Naming.md) | Route tables without a standard naming convention may be difficult to identify and manage. | Awareness | -
 [Azure.RSV.Name](../rules/Azure.RSV.Name.md) | Recovery Services vaults should meet naming requirements. | Awareness | -
 [Azure.Search.Name](../rules/Azure.Search.Name.md) | Azure Resource Manager (ARM) has requirements for AI Search service names. | Awareness | -
 [Azure.Search.Naming](../rules/Azure.Search.Naming.md) | Azure AI Search services without a standard naming convention may be difficult to identify and manage. | Awareness | -
+[Azure.ServiceFabric.ManagedNaming](../rules/Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.ServiceFabric.Naming](../rules/Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.SignalR.Name](../rules/Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness | -
+[Azure.SQL.DatabaseNaming](../rules/Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements.
| Awareness | -
+[Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness | -
+[Azure.SQL.JobAgentNaming](../rules/Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | -
+[Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.SQL.StretchDBNaming](../rules/Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.SQLMI.Name](../rules/Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | -
+[Azure.SQLMI.Naming](../rules/Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.Storage.Name](../rules/Azure.Storage.Name.md) | Azure Resource Manager (ARM) has requirements for Storage Account names. | Awareness | -
 [Azure.Storage.Naming](../rules/Azure.Storage.Naming.md) | Storage Accounts without a standard naming convention may be difficult to identify and manage. | Awareness | -
 [Azure.Subscription.RequiredTags](../rules/Azure.Subscription.RequiredTags.md) | Subscriptions without a standard tagging convention may be difficult to identify and manage. | Awareness | -
diff --git a/docs/en/baselines/Azure.Preview.csv b/docs/en/baselines/Azure.Preview.csv
index d8b6801ed85..e60b9b179c4 100644
--- a/docs/en/baselines/Azure.Preview.csv
+++ b/docs/en/baselines/Azure.Preview.csv
@@ -1,4 +1,5 @@
 "Name","Synopsis","Severity","Pillar","Maturity"
+"Azure.ACI.Naming","Container Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ACR.AdminUser","The local admin account allows depersonalized access to a container registry using a shared secret.","Critical","Security","L1"
 "Azure.ACR.AnonymousAccess","Anonymous pull access allows unidentified downloading of images and metadata from a container registry.","Important","Security","-"
 "Azure.ACR.ContainerScan","Container images or their base images may have vulnerabilities discovered after they are built.","Critical","Security","-"
@@ -7,7 +8,8 @@
 "Azure.ACR.GeoReplica","Applications or infrastructure relying on a container image may fail if the registry is not available at the time they start.","Important","Reliability","-"
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ACR.MinSku","The Basic SKU provides limited performance and features for production container registry workloads.","Important","Reliability","-"
-"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ACR.Name","Container registry names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ACR.Naming","Container Registry resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ACR.Quarantine","Enable container image quarantine, scan, and mark images as verified.","Important","Security","-"
 "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-"
 "Azure.ACR.Retention","Use a retention policy to cleanup untagged manifests.","Important","Cost Optimization","-"
@@ -42,7 +44,8 @@
 "Azure.AKS.ManagedIdentity","Configure AKS clusters to use managed identities for managing cluster infrastructure.","Important","Security","L1"
 "Azure.AKS.MinNodeCount","AKS clusters should have minimum number of system nodes for failover and updates.","Important","Reliability","-"
 "Azure.AKS.MinUserPoolNodes","User node pools in an AKS cluster should have a minimum number of nodes for failover and updates.","Important","Reliability","-"
-"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.AKS.Name","Azure Kubernetes Service (AKS) cluster names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.AKS.Naming","AKS cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.NetworkPolicy","AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement.","Important","Security","-"
 "Azure.AKS.NodeAutoUpgrade","Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities.","Important","Security","-"
 "Azure.AKS.NodeMinPods","Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods.","Important","Performance Efficiency","-"
@@ -52,8 +55,10 @@
 "Azure.AKS.SecretStore","Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault.","Important","Security","-"
 "Azure.AKS.SecretStoreRotation","Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters.","Important","Security","-"
 "Azure.AKS.StandardLB","Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU.","Important","Performance Efficiency","-"
+"Azure.AKS.SystemPoolNaming","AKS system node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.UptimeSLA","AKS clusters should have Uptime SLA enabled for a financially backed SLA.","Important","Reliability","-"
 "Azure.AKS.UseRBAC","Deploy AKS cluster with role-based access control (RBAC) enabled.","Important","Security","-"
+"Azure.AKS.UserPoolNaming","AKS user node pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.AKS.Version","Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support.","Important","Reliability","-"
 "Azure.Alert.HighFrequencyQuery","High frequency scheduled queries are changed as a higher rate than low frequency queries.","Important","Cost Optimization","-"
 "Azure.Alert.MetricAutoMitigate","Alerts that require manual intervention for mitigation can lead to increased personnel time and effort.","Important","Cost Optimization","-"
@@ -142,22 +147,32 @@
 "Azure.ContainerApp.APIVersion","Migrate from retired API version to a supported version.","Important","Operational Excellence","-"
 "Azure.ContainerApp.AvailabilityZone","Use Container Apps environments that are zone redundant to improve reliability.","Important","Reliability","-"
 "Azure.ContainerApp.DisableAffinity","Disable session affinity to prevent unbalanced distribution.","Awareness","Performance Efficiency","-"
+"Azure.ContainerApp.EnvNaming","Container App Environment resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.ExternalIngress","Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment.","Important","Security","-"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
+"Azure.ContainerApp.JobNaming","Container App Job resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
-"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.ContainerApp.Naming","Container App resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to
allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
 "Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
+"Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
+"Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming
convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-"
+"Azure.Cosmos.TableNaming","Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
 "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-"
 "Azure.Databricks.SKU","Ensure Databricks workspaces are non-trial SKUs for production workloads.","Critical","Performance Efficiency","-"
@@ -284,6 +299,7 @@
 "Azure.MySQL.GeoRedundantBackup","Azure Database for MySQL should store backups in a geo-redundant storage.","Important","Reliability","-"
 "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-"
 "Azure.MySQL.MinTLS","MySQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.MySQL.Naming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.MySQL.UseFlexible","Use Azure Database for MySQL Flexible Server deployment model.","Important","Reliability","-"
 "Azure.MySQL.UseSSL","Enforce encrypted MySQL connections.","Critical","Security","L1"
@@ -312,6 +328,7 @@
 "Azure.PostgreSQL.GeoRedundantBackup","Azure Database for PostgreSQL should store backups in a geo-redundant storage.","Important","Reliability","-"
 "Azure.PostgreSQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers.","Important","Reliability","-"
 "Azure.PostgreSQL.MinTLS","PostgreSQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.PostgreSQL.Naming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.PostgreSQL.UseSSL","Enforce encrypted PostgreSQL connections.","Critical","Security","L1"
 "Azure.PostgreSQL.ZoneRedundantHA","Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-"
@@ -337,10 +354,12 @@
 "Azure.Redis.MaxMemoryReserved","Configure maxmemory-reserved to reserve memory for non-cache operations.","Important","Performance Efficiency","-"
 "Azure.Redis.MinSKU","Use Azure Cache for Redis instances of at least Standard C1.","Important","Performance Efficiency","-"
 "Azure.Redis.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Redis.NonSslPort","Azure Cache for Redis should only accept secure connections.","Critical","Security","L1"
 "Azure.Redis.PublicNetworkAccess","Redis cache should disable public network access.","Critical","Security","-"
 "Azure.Redis.Version","Azure Cache for Redis should use the latest supported version of Redis.","Important","Reliability","-"
 "Azure.RedisEnterprise.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.RedisEnterprise.Naming","Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.RedisEnterprise.Zones","Enterprise Redis cache should be zone-redundant for high availability.","Important","Reliability","-"
 "Azure.Resource.AllowedRegions","The deployment location of a resource determines the country or region where metadata and data is stored and processed.","Important","Security","-"
 "Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -363,6 +382,8 @@
 "Azure.ServiceBus.MinTLS","Service Bus namespaces should reject TLS versions older than 1.2.","Important","Security","L1"
 "Azure.ServiceBus.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-"
 "Azure.ServiceFabric.AAD","Use Entra ID client authentication for Service Fabric clusters.","Critical","Security","L1"
+"Azure.ServiceFabric.ManagedNaming","Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.ServiceFabric.Naming","Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ServiceFabric.ProtectionLevel","Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks.","Important","Security","L1"
 "Azure.SignalR.ManagedIdentity","Configure SignalR Services to use managed identities to access Azure resources securely.","Important","Security","L1"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -371,14 +392,19 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
+"Azure.SQL.DatabaseNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
+"Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
+"Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerNaming","Azure SQL Database server
resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.SQL.StretchDBNaming","SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
@@ -386,6 +412,7 @@
 "Azure.SQLMI.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL Managed Instances.","Important","Reliability","-"
 "Azure.SQLMI.ManagedIdentity","Ensure managed identity is used to allow support for Azure AD authentication.","Important","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQLMI.Naming","SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
 "Azure.Storage.BlobPublicAccess","Storage Accounts should only accept authorized requests.","Important","Security","-"
 "Azure.Storage.ContainerSoftDelete","Enable container soft delete on Storage Accounts.","Important","Reliability","-"
diff --git a/docs/en/baselines/Azure.Preview.md b/docs/en/baselines/Azure.Preview.md
index dc284019354..7cb01f7ef36 100644
--- a/docs/en/baselines/Azure.Preview.md
+++ b/docs/en/baselines/Azure.Preview.md
@@ -10,10 +10,11 @@ Includes the latest rules for Azure GA and preview features that is updated each The following rules are included within the `Azure.Preview` baseline. -This baseline includes a total of 490 rules. +This baseline includes a total of 517 rules. Name | Synopsis | Severity ---- | -------- | -------- +[Azure.ACI.Naming](../rules/Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness [Azure.ACR.AdminUser](../rules/Azure.ACR.AdminUser.md) | The local admin account allows depersonalized access to a container registry using a shared secret. | Critical [Azure.ACR.AnonymousAccess](../rules/Azure.ACR.AnonymousAccess.md) | Anonymous pull access allows unidentified downloading of images and metadata from a container registry. | Important [Azure.ACR.ContainerScan](../rules/Azure.ACR.ContainerScan.md) | Container images or their base images may have vulnerabilities discovered after they are built. | Critical 
@@ -23,6 +24,7 @@ Name | Synopsis | Severity
 [Azure.ACR.ImageHealth](../rules/Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical
 [Azure.ACR.MinSku](../rules/Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important
 [Azure.ACR.Name](../rules/Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness
+[Azure.ACR.Naming](../rules/Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ACR.Quarantine](../rules/Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important
 [Azure.ACR.ReplicaLocation](../rules/Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important
 [Azure.ACR.Retention](../rules/Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important
@@ -58,6 +60,7 @@ Name | Synopsis | Severity
 [Azure.AKS.MinNodeCount](../rules/Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important
 [Azure.AKS.MinUserPoolNodes](../rules/Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important
 [Azure.AKS.Name](../rules/Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness
+[Azure.AKS.Naming](../rules/Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.NetworkPolicy](../rules/Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important
 [Azure.AKS.NodeAutoUpgrade](../rules/Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important
 [Azure.AKS.NodeMinPods](../rules/Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important
@@ -67,8 +70,10 @@ Name | Synopsis | Severity
 [Azure.AKS.SecretStore](../rules/Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important
 [Azure.AKS.SecretStoreRotation](../rules/Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important
 [Azure.AKS.StandardLB](../rules/Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important
+[Azure.AKS.SystemPoolNaming](../rules/Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.UptimeSLA](../rules/Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important
 [Azure.AKS.UseRBAC](../rules/Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important
+[Azure.AKS.UserPoolNaming](../rules/Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.AKS.Version](../rules/Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important
 [Azure.Alert.HighFrequencyQuery](../rules/Azure.Alert.HighFrequencyQuery.md) | High frequency scheduled queries are changed as a higher rate than low frequency queries. | Important
 [Azure.Alert.MetricAutoMitigate](../rules/Azure.Alert.MetricAutoMitigate.md) | Alerts that require manual intervention for mitigation can lead to increased personnel time and effort. | Important
@@ -157,22 +162,32 @@ Name | Synopsis | Severity
 [Azure.ContainerApp.APIVersion](../rules/Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important
 [Azure.ContainerApp.AvailabilityZone](../rules/Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important
 [Azure.ContainerApp.DisableAffinity](../rules/Azure.ContainerApp.DisableAffinity.md) | Disable session affinity to prevent unbalanced distribution. | Awareness
+[Azure.ContainerApp.EnvNaming](../rules/Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.ExternalIngress](../rules/Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important
 [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important
+[Azure.ContainerApp.JobNaming](../rules/Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important
 [Azure.ContainerApp.MinReplicas](../rules/Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important
 [Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness
+[Azure.ContainerApp.Naming](../rules/Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ContainerApp.PublicAccess](../rules/Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important
 [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important
 [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
+[Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
+[Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
 [Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
+[Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important
+[Azure.Cosmos.TableNaming](../rules/Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical
 [Azure.Databricks.SecureConnectivity](../rules/Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical
 [Azure.Databricks.SKU](../rules/Azure.Databricks.SKU.md) | Ensure Databricks workspaces are non-trial SKUs for production workloads. | Critical
@@ -299,6 +314,7 @@ Name | Synopsis | Severity
 [Azure.MySQL.GeoRedundantBackup](../rules/Azure.MySQL.GeoRedundantBackup.md) | Azure Database for MySQL should store backups in a geo-redundant storage. | Important
 [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important
 [Azure.MySQL.MinTLS](../rules/Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical
+[Azure.MySQL.Naming](../rules/Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness
 [Azure.MySQL.UseFlexible](../rules/Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important
 [Azure.MySQL.UseSSL](../rules/Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical
@@ -327,6 +343,7 @@ Name | Synopsis | Severity
 [Azure.PostgreSQL.GeoRedundantBackup](../rules/Azure.PostgreSQL.GeoRedundantBackup.md) | Azure Database for PostgreSQL should store backups in a geo-redundant storage. | Important
 [Azure.PostgreSQL.MaintenanceWindow](../rules/Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important
 [Azure.PostgreSQL.MinTLS](../rules/Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical
+[Azure.PostgreSQL.Naming](../rules/Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness
 [Azure.PostgreSQL.UseSSL](../rules/Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical
 [Azure.PostgreSQL.ZoneRedundantHA](../rules/Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
@@ -352,10 +369,12 @@ Name | Synopsis | Severity
 [Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
 [Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important
 [Azure.Redis.MinTLS](../rules/Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
+[Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Redis.NonSslPort](../rules/Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical
 [Azure.Redis.PublicNetworkAccess](../rules/Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical
 [Azure.Redis.Version](../rules/Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important
 [Azure.RedisEnterprise.MinTLS](../rules/Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
+[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.RedisEnterprise.Zones](../rules/Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important
 [Azure.Resource.AllowedRegions](../rules/Azure.Resource.AllowedRegions.md) | The deployment location of a resource determines the country or region where metadata and data is stored and processed. | Important
 [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness
@@ -378,6 +397,8 @@ Name | Synopsis | Severity
 [Azure.ServiceBus.MinTLS](../rules/Azure.ServiceBus.MinTLS.md) | Service Bus namespaces should reject TLS versions older than 1.2. | Important
 [Azure.ServiceBus.Usage](../rules/Azure.ServiceBus.Usage.md) | Regularly remove unused resources to reduce costs. | Important
 [Azure.ServiceFabric.AAD](../rules/Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical
+[Azure.ServiceFabric.ManagedNaming](../rules/Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.ServiceFabric.Naming](../rules/Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.ServiceFabric.ProtectionLevel](../rules/Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important
 [Azure.SignalR.ManagedIdentity](../rules/Azure.SignalR.ManagedIdentity.md) | Configure SignalR Services to use managed identities to access Azure resources securely. | Important
 [Azure.SignalR.Name](../rules/Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness
@@ -386,14 +407,19 @@ Name | Synopsis | Severity
 [Azure.SQL.AADOnly](../rules/Azure.SQL.AADOnly.md) | Ensure Entra ID only authentication is enabled with Azure SQL Database. | Important
 [Azure.SQL.AllowAzureAccess](../rules/Azure.SQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important
 [Azure.SQL.Auditing](../rules/Azure.SQL.Auditing.md) | Enable auditing for Azure SQL logical server. | Important
+[Azure.SQL.DatabaseNaming](../rules/Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness
 [Azure.SQL.DefenderCloud](../rules/Azure.SQL.DefenderCloud.md) | Enable Microsoft Defender for Azure SQL logical server. | Important
+[Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness
 [Azure.SQL.FirewallIPRange](../rules/Azure.SQL.FirewallIPRange.md) | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important
 [Azure.SQL.FirewallRuleCount](../rules/Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness
+[Azure.SQL.JobAgentNaming](../rules/Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.MaintenanceWindow](../rules/Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important
 [Azure.SQL.MinTLS](../rules/Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical
 [Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness
+[Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.SQL.StretchDBNaming](../rules/Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.TDE](../rules/Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical
 [Azure.SQL.VAScan](../rules/Azure.SQL.VAScan.md) | SQL Databases may have configuration vulnerabilities discovered after they are deployed. | Important
 [Azure.SQLMI.AAD](../rules/Azure.SQLMI.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical
@@ -401,6 +427,7 @@ Name | Synopsis | Severity
 [Azure.SQLMI.MaintenanceWindow](../rules/Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important
 [Azure.SQLMI.ManagedIdentity](../rules/Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important
 [Azure.SQLMI.Name](../rules/Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness
+[Azure.SQLMI.Naming](../rules/Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Storage.BlobAccessType](../rules/Azure.Storage.BlobAccessType.md) | Use containers configured with a private access type that requires authorization. | Important
 [Azure.Storage.BlobPublicAccess](../rules/Azure.Storage.BlobPublicAccess.md) | Storage Accounts should only accept authorized requests. | Important
 [Azure.Storage.ContainerSoftDelete](../rules/Azure.Storage.ContainerSoftDelete.md) | Enable container soft delete on Storage Accounts. | Important
diff --git a/docs/en/rules/Azure.AKS.SystemPoolNaming.md b/docs/en/rules/Azure.AKS.SystemPoolNaming.md
index 925151f6077..06f751c3c7d 100644
--- a/docs/en/rules/Azure.AKS.SystemPoolNaming.md
+++ b/docs/en/rules/Azure.AKS.SystemPoolNaming.md
@@ -1,10 +1,10 @@
 ---
-reviewed: 2025-10-10
+reviewed: 2025-10-26
 severity: Awareness
 pillar: Operational Excellence
 category: OE:04 Tools and processes
-resource: AKS system node pool
-resourceType: Microsoft.ContainerService/managedClusters/agentPools
+resource: Azure Kubernetes Service
+resourceType: Microsoft.ContainerService/managedClusters,Microsoft.ContainerService/managedClusters/agentPools
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.SystemPoolNaming/
 ---
@@ -34,8 +34,8 @@ For AKS system node pool, the Cloud Adoption Framework (CAF) recommends using th
 Requirements for AKS system node pool resource names:
 - Between 1 and 12 characters long.
-- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
-- Resource names must be unique within their scope.
+- Lowercase letters and numbers
+- Can't start with a number.
 ## RECOMMENDATION
@@ -62,7 +62,24 @@ param name string
 @description('The location resources will be deployed.')
 param location string = resourceGroup().location
-// Example resource deployment
+resource system 'Microsoft.ContainerService/managedClusters/agentPools@2025-07-01' = {
+ parent: cluster
+ name: name
+ properties: {
+ osDiskSizeGB: osDiskSizeGB
+ minCount: 3
+ maxCount: 7
+ enableAutoScaling: true
+ maxPods: systemPoolMaxPods
+ vmSize: 'Standard_D16ds_v6'
+ osType: 'Linux'
+ type: 'VirtualMachineScaleSets'
+ vnetSubnetID: clusterSubnetId
+ mode: 'System'
+ osDiskType: 'Ephemeral'
+ scaleSetPriority: 'Regular'
+ }
+}
 ```
 ### Configure with Azure template
@@ -72,6 +89,51 @@ To deploy resources that pass this rule:
 - Set the `name` property to a string that matches the naming requirements.
 - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+For example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the resource."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The location resources will be deployed."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters/agentPools",
+ "apiVersion": "2025-07-01",
+ "name": "[format('{0}/{1}', parameters('name'), 'system')]",
+ "properties": {
+ "osDiskSizeGB": "[parameters('osDiskSizeGB')]",
+ "minCount": 3,
+ "maxCount": 7,
+ "enableAutoScaling": true,
+ "maxPods": "[parameters('systemPoolMaxPods')]",
+ "vmSize": "Standard_D16ds_v6",
+ "osType": "Linux",
+ "type": "VirtualMachineScaleSets",
+ "vnetSubnetID": "[parameters('clusterSubnetId')]",
+ "mode": "System",
+ "osDiskType": "Ephemeral",
+ "scaleSetPriority": "Regular"
+ }
+ }
+ ]
+}
+```
+
 ## NOTES
 This rule does not check if AKS system node pool resource names are unique.
@@ -99,3 +161,6 @@ configuration:
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters/agentpools)
diff --git a/docs/en/rules/Azure.AKS.UserPoolNaming.md b/docs/en/rules/Azure.AKS.UserPoolNaming.md
index 4caf40e51c9..b27e1d8ec4d 100644
--- a/docs/en/rules/Azure.AKS.UserPoolNaming.md
+++ b/docs/en/rules/Azure.AKS.UserPoolNaming.md
@@ -1,10 +1,10 @@
 ---
-reviewed: 2025-10-10
+reviewed: 2025-10-26
 severity: Awareness
 pillar: Operational Excellence
 category: OE:04 Tools and processes
-resource: AKS user node pool
-resourceType: Microsoft.ContainerService/managedClusters/agentPools
+resource: Azure Kubernetes Service
+resourceType: Microsoft.ContainerService/managedClusters,Microsoft.ContainerService/managedClusters/agentPools
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.UserPoolNaming/
 ---
@@ -33,9 +33,9 @@ For AKS user node pool, the Cloud Adoption Framework (CAF) recommends using the
 Requirements for AKS user node pool resource names:
-- Between 1 and 12 characters long.
-- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type).
-- Resource names must be unique within their scope.
+- Between 1 and 12 characters long for Linux, and between 1 and 6 characters long for Windows.
+- Lowercase letters and numbers
+- Can't start with a number.
 ## RECOMMENDATION
@@ -62,7 +62,24 @@ param name string
 @description('The location resources will be deployed.')
 param location string = resourceGroup().location
-// Example resource deployment
+resource user 'Microsoft.ContainerService/managedClusters/agentPools@2025-07-01' = {
+ parent: cluster
+ name: name
+ properties: {
+ osDiskSizeGB: osDiskSizeGB
+ minCount: 3
+ maxCount: 20
+ enableAutoScaling: true
+ maxPods: 150
+ vmSize: 'Standard_D16ds_v6'
+ osType: 'Linux'
+ type: 'VirtualMachineScaleSets'
+ vnetSubnetID: clusterSubnetId
+ mode: 'User'
+ osDiskType: 'Ephemeral'
+ scaleSetPriority: 'Regular'
+ }
+}
 ```
 ### Configure with Azure template
@@ -72,6 +89,51 @@ To deploy resources that pass this rule:
 - Set the `name` property to a string that matches the naming requirements.
 - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes.
+For example:
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the resource."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The location resources will be deployed."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters/agentPools",
+ "apiVersion": "2025-07-01",
+ "name": "[format('{0}/{1}', parameters('name'), 'user')]",
+ "properties": {
+ "osDiskSizeGB": "[parameters('osDiskSizeGB')]",
+ "minCount": 3,
+ "maxCount": 20,
+ "enableAutoScaling": true,
+ "maxPods": 150,
+ "vmSize": "Standard_D16ds_v6",
+ "osType": "Linux",
+ "type": "VirtualMachineScaleSets",
+ "vnetSubnetID": "[parameters('clusterSubnetId')]",
+ "mode": "User",
+ "osDiskType": "Ephemeral",
+ "scaleSetPriority": "Regular"
+ }
+ }
+ ]
+}
+```
+
 ## NOTES
 This rule does not check if AKS user node pool resource names are unique.
@@ -99,3 +161,6 @@ configuration:
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters/agentpools)
diff --git a/docs/en/rules/index.md b/docs/en/rules/index.md
index 78137a7fdb2..16f3b57cd22 100644
--- a/docs/en/rules/index.md
+++ b/docs/en/rules/index.md
@@ -518,5 +518,32 @@ AZR-000495 | [Azure.ACR.ExportPolicy](Azure.ACR.ExportPolicy.md) | Export policy
 AZR-000496 | [Azure.Redis.LocalAuth](Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | GA
 AZR-000497 | [Azure.Storage.LocalAuth](Azure.Storage.LocalAuth.md) | Access keys allow depersonalized access to Storage Accounts using a shared secret. | GA
 AZR-000498 | [Azure.AppConfig.ReplicaLocation](Azure.AppConfig.ReplicaLocation.md) | The replication location determines the country or region where configuration data is stored and processed. | GA
+AZR-000499 | [Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000500 | [Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000501 | [Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000502 | [Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000503 | [Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000504 | [Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000505 | [Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000506 | [Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000507 | [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000508 | [Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000509 | [Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000510 | [Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000511 | [Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000512 | [Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000513 | [Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000514 | [Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000515 | [Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000516 | [Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000517 | [Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000518 | [Azure.SQL.DatabaseNaming](Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000519 | [Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000520 | [Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000521 | [Azure.MySQL.Naming](Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000522 | [Azure.PostgreSQL.Naming](Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000523 | [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000524 | [Azure.SQL.StretchDBNaming](Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000525 | [Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | GA
 *[GA]: Generally Available — Rules related to a generally available Azure features.
diff --git a/docs/en/rules/module.md b/docs/en/rules/module.md
index be476d19615..a80e6f300a6 100644
--- a/docs/en/rules/module.md
+++ b/docs/en/rules/module.md
@@ -137,11 +137,26 @@ Name | Synopsis | Severity | Level
 
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
+[Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.AI.FoundryNaming](Azure.AI.FoundryNaming.md) | Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.APIM.APIDescriptors](Azure.APIM.APIDescriptors.md) | APIs should have a display name and description. | Awareness | Warning
 [Azure.APIM.ProductDescriptors](Azure.APIM.ProductDescriptors.md) | API Management products should have a display name and description. | Awareness | Warning
 [Azure.AppInsights.Naming](Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.ContainerApp.APIVersion](Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important | Error
+[Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.EventGrid.DomainNaming](Azure.EventGrid.DomainNaming.md) | Event Grid domains without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.EventGrid.SystemTopicNaming](Azure.EventGrid.SystemTopicNaming.md) | Event Grid system topics without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.EventGrid.TopicNaming](Azure.EventGrid.TopicNaming.md) | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness | Error
@@ -149,14 +164,26 @@ Name | Synopsis | Severity | Level
 [Azure.Group.RequiredTags](Azure.Group.RequiredTags.md) | Resource groups without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
 [Azure.LB.Naming](Azure.LB.Naming.md) | Load balancer names should use a standard prefix. | Awareness | Error
 [Azure.Log.Naming](Azure.Log.Naming.md) | Azure Monitor Log workspaces without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.MySQL.Naming](Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.NSG.Naming](Azure.NSG.Naming.md) | Network security group (NSG) without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Policy.AssignmentDescriptors](Azure.Policy.AssignmentDescriptors.md) | Policy assignments should use a display name and description. | Awareness | Error
 [Azure.Policy.Descriptors](Azure.Policy.Descriptors.md) | Policy and initiative definitions should use a display name, description, and category. | Awareness | Error
 [Azure.Policy.ExemptionDescriptors](Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | Error
+[Azure.PostgreSQL.Naming](Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.PublicIP.Naming](Azure.PublicIP.Naming.md) | Public IP addresses without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Resource.RequiredTags](Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Route.Naming](Azure.Route.Naming.md) | Route tables without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Search.Naming](Azure.Search.Naming.md) | Azure AI Search services without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.DatabaseNaming](Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.StretchDBNaming](Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Storage.Naming](Azure.Storage.Naming.md) | Storage Accounts without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Subscription.RequiredTags](Azure.Subscription.RequiredTags.md) | Subscriptions without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
 [Azure.VM.Naming](Azure.VM.Naming.md) | Virtual machines without a standard naming convention may be difficult to identify and manage. | Awareness | Error
diff --git a/docs/en/rules/resource.md b/docs/en/rules/resource.md
index ec6dc6053b0..e378bf03acb 100644
--- a/docs/en/rules/resource.md
+++ b/docs/en/rules/resource.md
@@ -193,6 +193,7 @@ Name | Synopsis | Severity | Level
 [Azure.Redis.MaxMemoryReserved](Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error
 [Azure.Redis.MinSKU](Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error
 [Azure.Redis.MinTLS](Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
+[Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Redis.NonSslPort](Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical | Error
 [Azure.Redis.PublicNetworkAccess](Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical | Error
 [Azure.Redis.Version](Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important | Error
@@ -292,6 +293,7 @@ Name | Synopsis | Severity | Level
 [Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important | Error
 [Azure.AKS.MinUserPoolNodes](Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important | Error
 [Azure.AKS.Name](Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | Error
+[Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.AKS.NetworkPolicy](Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important | Error
 [Azure.AKS.NodeAutoUpgrade](Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important | Error
 [Azure.AKS.NodeMinPods](Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important | Error
@@ -301,8 +303,10 @@ Name | Synopsis | Severity | Level
 [Azure.AKS.SecretStore](Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important | Error
 [Azure.AKS.SecretStoreRotation](Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important | Error
 [Azure.AKS.StandardLB](Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important | Error
+[Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important | Error
 [Azure.AKS.UseRBAC](Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important | Error
+[Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.AKS.Version](Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important | Error
 
 ## Azure Managed Grafana
@@ -311,6 +315,12 @@ Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.Grafana.Version](Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important | Error
 
+## Azure Managed Redis
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Azure Monitor Alerts
 
 Name | Synopsis | Severity | Level
@@ -327,6 +337,30 @@ Name | Synopsis | Severity | Level
 [Azure.Log.ReplicaLocation](Azure.Log.ReplicaLocation.md) | The replication location determines the country or region where the data is stored and processed. | Important | Error
 [Azure.Log.Replication](Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | Error
 
+## Azure SQL database
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.SQL.DatabaseNaming](Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Azure SQL Database server
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Azure SQL Elastic Job agent
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Azure SQL Elastic Pool
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Azure Virtual Desktop
 
 Name | Synopsis | Severity | Level
@@ -357,10 +391,29 @@ Name | Synopsis | Severity | Level
 [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error
 [Azure.ContainerApp.MinReplicas](Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | Error
 [Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error
+[Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.ContainerApp.PublicAccess](Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important | Error
 [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error
 [Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error
 
+## Container App Environment
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Container App Job
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Container Instance
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Container Registry
 
 Name | Synopsis | Severity | Level
@@ -375,6 +428,7 @@ Name | Synopsis | Severity | Level
 [Azure.ACR.ImageHealth](Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical | Error
 [Azure.ACR.MinSku](Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important | Error
 [Azure.ACR.Name](Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness | Error
+[Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.ACR.Quarantine](Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important | Error
 [Azure.ACR.ReplicaLocation](Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important | Error
 [Azure.ACR.Retention](Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important | Error
@@ -402,6 +456,48 @@ Name | Synopsis | Severity | Level
 [Azure.Cosmos.PublicAccess](Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical | Error
 [Azure.Cosmos.SLA](Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important | Error
 
+## Cosmos DB database
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for Apache Cassandra account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for Apache Gremlin account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for MongoDB account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for NoSQL account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for Table account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB PostgreSQL cluster
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Data Explorer
 
 Name | Synopsis | Severity | Level
@@ -601,6 +697,12 @@ Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.Monitor.ServiceHealth](Azure.Monitor.ServiceHealth.md) | Configure Service Health alerts to notify administrators. | Important | Error
 
+## MySQL database server
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.MySQL.Naming](Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Network Interface
 
 Name | Synopsis | Severity | Level
@@ -631,6 +733,12 @@ Name | Synopsis | Severity | Level
 [Azure.Policy.ExemptionDescriptors](Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | Error
 [Azure.Policy.WaiverExpiry](Azure.Policy.WaiverExpiry.md) | Configure policy waiver exemptions to expire. | Awareness | Error
 
+## PostgreSQL database server
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.PostgreSQL.Naming](Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Private Endpoint
 
 Name | Synopsis | Severity | Level
@@ -690,6 +798,18 @@ Name | Synopsis | Severity | Level
 [Azure.ServiceFabric.AAD](Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical | Error
 [Azure.ServiceFabric.ProtectionLevel](Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important | Error
 
+## Service Fabric cluster
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Service Fabric managed cluster
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## SignalR Service
 
 Name | Synopsis | Severity | Level
@@ -725,6 +845,13 @@ Name | Synopsis | Severity | Level
 [Azure.SQLMI.MaintenanceWindow](Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important | Error
 [Azure.SQLMI.ManagedIdentity](Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important | Error
 [Azure.SQLMI.Name](Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | Error
+[Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## SQL Server Stretch Database
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.SQL.StretchDBNaming](Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 
 ## Storage Account
 
diff --git a/docs/es/rules/index.md b/docs/es/rules/index.md
index 78137a7fdb2..16f3b57cd22 100644
--- a/docs/es/rules/index.md
+++ b/docs/es/rules/index.md
@@ -518,5 +518,32 @@ AZR-000495 | [Azure.ACR.ExportPolicy](Azure.ACR.ExportPolicy.md) | Export policy
 AZR-000496 | [Azure.Redis.LocalAuth](Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | GA
 AZR-000497 | [Azure.Storage.LocalAuth](Azure.Storage.LocalAuth.md) | Access keys allow depersonalized access to Storage Accounts using a shared secret. | GA
 AZR-000498 | [Azure.AppConfig.ReplicaLocation](Azure.AppConfig.ReplicaLocation.md) | The replication location determines the country or region where configuration data is stored and processed. | GA
+AZR-000499 | [Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000500 | [Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000501 | [Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000502 | [Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000503 | [Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000504 | [Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000505 | [Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000506 | [Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000507 | [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000508 | [Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000509 | [Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000510 | [Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000511 | [Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000512 | [Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000513 | [Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000514 | [Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000515 | [Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000516 | [Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000517 | [Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000518 | [Azure.SQL.DatabaseNaming](Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000519 | [Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000520 | [Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000521 | [Azure.MySQL.Naming](Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000522 | [Azure.PostgreSQL.Naming](Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000523 | [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000524 | [Azure.SQL.StretchDBNaming](Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000525 | [Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | GA
 
 *[GA]: Generally Available — Rules related to a generally available Azure features.
diff --git a/docs/es/rules/module.md b/docs/es/rules/module.md
index be476d19615..a80e6f300a6 100644
--- a/docs/es/rules/module.md
+++ b/docs/es/rules/module.md
@@ -137,11 +137,26 @@ Name | Synopsis | Severity | Level
 
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
+[Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.AI.FoundryNaming](Azure.AI.FoundryNaming.md) | Azure AI Foundry accounts without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.APIM.APIDescriptors](Azure.APIM.APIDescriptors.md) | APIs should have a display name and description. | Awareness | Warning
 [Azure.APIM.ProductDescriptors](Azure.APIM.ProductDescriptors.md) | API Management products should have a display name and description. | Awareness | Warning
 [Azure.AppInsights.Naming](Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.ContainerApp.APIVersion](Azure.ContainerApp.APIVersion.md) | Migrate from retired API version to a supported version. | Important | Error
+[Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.EventGrid.DomainNaming](Azure.EventGrid.DomainNaming.md) | Event Grid domains without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.EventGrid.SystemTopicNaming](Azure.EventGrid.SystemTopicNaming.md) | Event Grid system topics without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.EventGrid.TopicNaming](Azure.EventGrid.TopicNaming.md) | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness | Error
@@ -149,14 +164,26 @@ Name | Synopsis | Severity | Level
 [Azure.Group.RequiredTags](Azure.Group.RequiredTags.md) | Resource groups without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
 [Azure.LB.Naming](Azure.LB.Naming.md) | Load balancer names should use a standard prefix. | Awareness | Error
 [Azure.Log.Naming](Azure.Log.Naming.md) | Azure Monitor Log workspaces without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.MySQL.Naming](Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.NSG.Naming](Azure.NSG.Naming.md) | Network security group (NSG) without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Policy.AssignmentDescriptors](Azure.Policy.AssignmentDescriptors.md) | Policy assignments should use a display name and description. | Awareness | Error
 [Azure.Policy.Descriptors](Azure.Policy.Descriptors.md) | Policy and initiative definitions should use a display name, description, and category. | Awareness | Error
 [Azure.Policy.ExemptionDescriptors](Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | Error
+[Azure.PostgreSQL.Naming](Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.PublicIP.Naming](Azure.PublicIP.Naming.md) | Public IP addresses without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Resource.RequiredTags](Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Route.Naming](Azure.Route.Naming.md) | Route tables without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Search.Naming](Azure.Search.Naming.md) | Azure AI Search services without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.DatabaseNaming](Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.StretchDBNaming](Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Storage.Naming](Azure.Storage.Naming.md) | Storage Accounts without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Subscription.RequiredTags](Azure.Subscription.RequiredTags.md) | Subscriptions without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
 [Azure.VM.Naming](Azure.VM.Naming.md) | Virtual machines without a standard naming convention may be difficult to identify and manage. | Awareness | Error
diff --git a/docs/es/rules/resource.md b/docs/es/rules/resource.md
index ec6dc6053b0..e378bf03acb 100644
--- a/docs/es/rules/resource.md
+++ b/docs/es/rules/resource.md
@@ -193,6 +193,7 @@ Name | Synopsis | Severity | Level
 [Azure.Redis.MaxMemoryReserved](Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error
 [Azure.Redis.MinSKU](Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error
 [Azure.Redis.MinTLS](Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
+[Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Redis.NonSslPort](Azure.Redis.NonSslPort.md) | Azure Cache for Redis should only accept secure connections. | Critical | Error
 [Azure.Redis.PublicNetworkAccess](Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical | Error
 [Azure.Redis.Version](Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important | Error
@@ -292,6 +293,7 @@ Name | Synopsis | Severity | Level
 [Azure.AKS.MinNodeCount](Azure.AKS.MinNodeCount.md) | AKS clusters should have minimum number of system nodes for failover and updates. | Important | Error
 [Azure.AKS.MinUserPoolNodes](Azure.AKS.MinUserPoolNodes.md) | User node pools in an AKS cluster should have a minimum number of nodes for failover and updates. | Important | Error
 [Azure.AKS.Name](Azure.AKS.Name.md) | Azure Kubernetes Service (AKS) cluster names should meet naming requirements. | Awareness | Error
+[Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.AKS.NetworkPolicy](Azure.AKS.NetworkPolicy.md) | AKS clusters without inter-pod network restrictions may be permit unauthorized lateral movement. | Important | Error
 [Azure.AKS.NodeAutoUpgrade](Azure.AKS.NodeAutoUpgrade.md) | Operating system (OS) security updates should be applied to AKS nodes and rebooted as required to address security vulnerabilities. | Important | Error
 [Azure.AKS.NodeMinPods](Azure.AKS.NodeMinPods.md) | Azure Kubernetes Cluster (AKS) nodes should use a minimum number of pods. | Important | Error
@@ -301,8 +303,10 @@ Name | Synopsis | Severity | Level
 [Azure.AKS.SecretStore](Azure.AKS.SecretStore.md) | Deploy AKS clusters with Secrets Store CSI Driver and store Secrets in Key Vault. | Important | Error
 [Azure.AKS.SecretStoreRotation](Azure.AKS.SecretStoreRotation.md) | Enable autorotation of Secrets Store CSI Driver secrets for AKS clusters. | Important | Error
 [Azure.AKS.StandardLB](Azure.AKS.StandardLB.md) | Azure Kubernetes Clusters (AKS) should use a Standard load balancer SKU. | Important | Error
+[Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.AKS.UptimeSLA](Azure.AKS.UptimeSLA.md) | AKS clusters should have Uptime SLA enabled for a financially backed SLA. | Important | Error
 [Azure.AKS.UseRBAC](Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important | Error
+[Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.AKS.Version](Azure.AKS.Version.md) | Older versions of Kubernetes may have known bugs or security vulnerabilities, and may have limited support. | Important | Error
 
 ## Azure Managed Grafana
@@ -311,6 +315,12 @@ Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.Grafana.Version](Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important | Error
 
+## Azure Managed Redis
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Azure Monitor Alerts
 
 Name | Synopsis | Severity | Level
@@ -327,6 +337,30 @@ Name | Synopsis | Severity | Level
 [Azure.Log.ReplicaLocation](Azure.Log.ReplicaLocation.md) | The replication location determines the country or region where the data is stored and processed. | Important | Error
 [Azure.Log.Replication](Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | Error
 
+## Azure SQL database
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.SQL.DatabaseNaming](Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Azure SQL Database server
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Azure SQL Elastic Job agent
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Azure SQL Elastic Pool
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Azure Virtual Desktop
 
 Name | Synopsis | Severity | Level
@@ -357,10 +391,29 @@ Name | Synopsis | Severity | Level
 [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error
 [Azure.ContainerApp.MinReplicas](Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | Error
 [Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error
+[Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.ContainerApp.PublicAccess](Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important | Error
 [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error
 [Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error
 
+## Container App Environment
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Container App Job
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Container Instance
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Container Registry
 
 Name | Synopsis | Severity | Level
@@ -375,6 +428,7 @@ Name | Synopsis | Severity | Level
 [Azure.ACR.ImageHealth](Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical | Error
 [Azure.ACR.MinSku](Azure.ACR.MinSku.md) | The Basic SKU provides limited performance and features for production container registry workloads. | Important | Error
 [Azure.ACR.Name](Azure.ACR.Name.md) | Container registry names should meet naming requirements. | Awareness | Error
+[Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.ACR.Quarantine](Azure.ACR.Quarantine.md) | Enable container image quarantine, scan, and mark images as verified. | Important | Error
 [Azure.ACR.ReplicaLocation](Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important | Error
 [Azure.ACR.Retention](Azure.ACR.Retention.md) | Use a retention policy to cleanup untagged manifests. | Important | Error
@@ -402,6 +456,48 @@ Name | Synopsis | Severity | Level
 [Azure.Cosmos.PublicAccess](Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical | Error
 [Azure.Cosmos.SLA](Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important | Error
 
+## Cosmos DB database
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for Apache Cassandra account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for Apache Gremlin account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for MongoDB account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for NoSQL account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB for Table account
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Cosmos DB PostgreSQL cluster
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Data Explorer
 
 Name | Synopsis | Severity | Level
@@ -601,6 +697,12 @@ Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.Monitor.ServiceHealth](Azure.Monitor.ServiceHealth.md) | Configure Service Health alerts to notify administrators. | Important | Error
 
+## MySQL database server
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.MySQL.Naming](Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Network Interface
 
 Name | Synopsis | Severity | Level
@@ -631,6 +733,12 @@ Name | Synopsis | Severity | Level
 [Azure.Policy.ExemptionDescriptors](Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | Error
 [Azure.Policy.WaiverExpiry](Azure.Policy.WaiverExpiry.md) | Configure policy waiver exemptions to expire. | Awareness | Error
 
+## PostgreSQL database server
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.PostgreSQL.Naming](Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## Private Endpoint
 
 Name | Synopsis | Severity | Level
@@ -690,6 +798,18 @@ Name | Synopsis | Severity | Level
 [Azure.ServiceFabric.AAD](Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical | Error
 [Azure.ServiceFabric.ProtectionLevel](Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important | Error
 
+## Service Fabric cluster
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## Service Fabric managed cluster
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
 ## SignalR Service
 
 Name | Synopsis | Severity | Level
@@ -725,6 +845,13 @@ Name | Synopsis | Severity | Level
 [Azure.SQLMI.MaintenanceWindow](Azure.SQLMI.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL Managed Instances. | Important | Error
 [Azure.SQLMI.ManagedIdentity](Azure.SQLMI.ManagedIdentity.md) | Ensure managed identity is used to allow support for Azure AD authentication. | Important | Error
 [Azure.SQLMI.Name](Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | Error
+[Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+
+## SQL Server Stretch Database
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.SQL.StretchDBNaming](Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 
 ## Storage Account
 
diff --git a/docs/examples/resources/aks.bicep b/docs/examples/resources/aks.bicep
index 9e6a625aae5..b9893700150 100644
--- a/docs/examples/resources/aks.bicep
+++ b/docs/examples/resources/aks.bicep
@@ -5,11 +5,11 @@
 
 // Define parameters
 
-@description('The name of the AKS cluster.')
+@description('The name of the resource.')
 param name string
 
 @metadata({
-  description: 'Optional. The Azure region to deploy to.'
+  description: 'The location resources will be deployed.'
   strongType: 'location'
   example: 'EastUS'
   ignore: true
@@ -390,3 +390,43 @@ resource privateCluster 'Microsoft.ContainerService/managedClusters@2025-07-01'
     }
   }
 }
+
+// An example system node pool.
+resource system 'Microsoft.ContainerService/managedClusters/agentPools@2025-07-01' = {
+  parent: cluster
+  name: 'system'
+  properties: {
+    osDiskSizeGB: osDiskSizeGB
+    minCount: 3
+    maxCount: 7
+    enableAutoScaling: true
+    maxPods: systemPoolMaxPods
+    vmSize: 'Standard_D16ds_v6'
+    osType: 'Linux'
+    type: 'VirtualMachineScaleSets'
+    vnetSubnetID: clusterSubnetId
+    mode: 'System'
+    osDiskType: 'Ephemeral'
+    scaleSetPriority: 'Regular'
+  }
+}
+
+// An example user node pool.
+resource user 'Microsoft.ContainerService/managedClusters/agentPools@2025-07-01' = {
+  parent: cluster
+  name: 'user'
+  properties: {
+    osDiskSizeGB: osDiskSizeGB
+    minCount: 3
+    maxCount: 20
+    enableAutoScaling: true
+    maxPods: 150
+    vmSize: 'Standard_D16ds_v6'
+    osType: 'Linux'
+    type: 'VirtualMachineScaleSets'
+    vnetSubnetID: clusterSubnetId
+    mode: 'User'
+    osDiskType: 'Ephemeral'
+    scaleSetPriority: 'Regular'
+  }
+}
diff --git a/docs/examples/resources/aks.json b/docs/examples/resources/aks.json
index 73966aa87e9..ff8e5ef2f41 100644
--- a/docs/examples/resources/aks.json
+++ b/docs/examples/resources/aks.json
@@ -5,21 +5,21 @@
     "_generator": {
       "name": "bicep",
       "version": "0.38.33.27573",
-      "templateHash": "16939269083538591353"
+      "templateHash": "6176874005941688917"
     }
   },
   "parameters": {
     "name": {
       "type": "string",
       "metadata": {
-        "description": "The name of the AKS cluster."
+        "description": "The name of the resource."
       }
     },
     "location": {
       "type": "string",
       "defaultValue": "[resourceGroup().location]",
       "metadata": {
-        "description": "Optional. The Azure region to deploy to.",
+        "description": "The location resources will be deployed.",
         "strongType": "location",
         "example": "EastUS",
         "ignore": true
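Review bot: The two example agent pools added at the end of aks.bicep are named `'system'` and `'user'`, which would not satisfy the CAF name formats this same change carries for Azure.AKS.SystemPoolNaming and Azure.AKS.UserPoolNaming (`AZURE_AKS_SYSTEM_POOL_NAME_FORMAT: '^npsystem'` and `AZURE_AKS_USER_POOL_NAME_FORMAT: '^np'` in CAF.Rule.yaml, currently in the commented-out 2025_12 baseline), so the documentation example would fail the rules it is meant to illustrate if that baseline is enabled. Names that start with those prefixes (constructed example: `name: 'npsystem01'` and `name: 'npuser01'`) would keep the sample aligned with the convention. As a point of style, the user pool hard-codes `maxPods: 150` while the system pool takes `systemPoolMaxPods` from a parameter; a matching `userPoolMaxPods` parameter would keep the two resources symmetric. The generated aks.json in the next section mirrors these values and should be rebuilt from the bicep rather than edited by hand.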
@@ -448,6 +448,50 @@
       "dependsOn": [
         "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
       ]
+    },
+    {
+      "type": "Microsoft.ContainerService/managedClusters/agentPools",
+      "apiVersion": "2025-07-01",
+      "name": "[format('{0}/{1}', parameters('name'), 'system')]",
+      "properties": {
+        "osDiskSizeGB": "[parameters('osDiskSizeGB')]",
+        "minCount": 3,
+        "maxCount": 7,
+        "enableAutoScaling": true,
+        "maxPods": "[parameters('systemPoolMaxPods')]",
+        "vmSize": "Standard_D16ds_v6",
+        "osType": "Linux",
+        "type": "VirtualMachineScaleSets",
+        "vnetSubnetID": "[parameters('clusterSubnetId')]",
+        "mode": "System",
+        "osDiskType": "Ephemeral",
+        "scaleSetPriority": "Regular"
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]"
+      ]
+    },
+    {
+      "type": "Microsoft.ContainerService/managedClusters/agentPools",
+      "apiVersion": "2025-07-01",
+      "name": "[format('{0}/{1}', parameters('name'), 'user')]",
+      "properties": {
+        "osDiskSizeGB": "[parameters('osDiskSizeGB')]",
+        "minCount": 3,
+        "maxCount": 20,
+        "enableAutoScaling": true,
+        "maxPods": 150,
+        "vmSize": "Standard_D16ds_v6",
+        "osType": "Linux",
+        "type": "VirtualMachineScaleSets",
+        "vnetSubnetID": "[parameters('clusterSubnetId')]",
+        "mode": "User",
+        "osDiskType": "Ephemeral",
+        "scaleSetPriority": "Regular"
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]"
+      ]
     }
   ]
 }
\ No newline at end of file
diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1
index 105c4d4fb71..6f494095f1c 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1
@@ -345,12 +345,12 @@ Rule 'Azure.AKS.MaintenanceWindow' -Ref 'AZR-000446' -Type 'Microsoft.ContainerS
 }
 
 # Synopsis: AKS clusters without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.AKS.Naming' -Ref 'AZR-000498' -Type 'Microsoft.ContainerService/managedClusters' -If { $Configuration['AZURE_AKS_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
+Rule 'Azure.AKS.Naming' -Ref 'AZR-000499' -Type 'Microsoft.ContainerService/managedClusters' -If { $Configuration['AZURE_AKS_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
     $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_AKS_CLUSTER_NAME_FORMAT, $True);
 }
 
 # Synopsis: AKS system node pools without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000499' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_SYSTEM_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
+Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000525' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_SYSTEM_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
     $agentPools = @(GetAgentPoolProfiles | Where-Object { $_.mode -eq 'System' });
     if ($agentPools.Length -eq 0) {
         return $Assert.Pass();
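Review bot: The `# Synopsis:` comments on the two rules whose `-Ref` values are renumbered here read "AKS clusters without ..." and "AKS system node pools without ...", while the generated docs tables in this same change (docs/es/rules/module.md and resource.md) list the synopses as "AKS cluster resources without a standard naming convention ..." and "AKS system node pool resources without ...". If the module convention is that the rule synopsis and the markdown synopsis match, one side needs updating while these lines are being touched, e.g. `# Synopsis: AKS cluster resources without a standard naming convention may be difficult to identify and manage.` and the corresponding "AKS system node pool resources" wording on the second rule. Since `-Ref` identifiers are the stable handle used in suppressions and docs, it is also worth confirming in the hunk that `AZR-000499` is not still referenced for Azure.AKS.SystemPoolNaming anywhere outside this file. The Azure.AKS.SystemPoolNaming rule body continues past the end of the hunk.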
diff --git a/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml b/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml
index 1ac16e03463..4311ae9d93b 100644
--- a/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml
@@ -16,6 +16,28 @@ spec:
   rule:
     tag:
       release: GA
+      ruleSet:
+        - '2020_06'
+        - '2020_09'
+        - '2020_12'
+        - '2021_03'
+        - '2021_06'
+        - '2021_09'
+        - '2021_12'
+        - '2022_03'
+        - '2022_06'
+        - '2022_09'
+        - '2022_12'
+        - '2023_03'
+        - '2023_06'
+        - '2023_09'
+        - '2023_12'
+        - '2024_03'
+        - '2024_06'
+        - '2024_09'
+        - '2024_12'
+        - '2025_03'
+        - '2025_06'
     labels:
       Azure.CAF: '*'
 
@@ -52,6 +74,28 @@ spec:
   rule:
     tag:
       release: GA
+      ruleSet:
+        - '2020_06'
+        - '2020_09'
+        - '2020_12'
+        - '2021_03'
+        - '2021_06'
+        - '2021_09'
+        - '2021_12'
+        - '2022_03'
+        - '2022_06'
+        - '2022_09'
+        - '2022_12'
+        - '2023_03'
+        - '2023_06'
+        - '2023_09'
+        - '2023_12'
+        - '2024_03'
+        - '2024_06'
+        - '2024_09'
+        - '2024_12'
+        - '2025_03'
+        - '2025_06'
     labels:
       Azure.CAF: '*'
 
@@ -88,6 +132,28 @@ spec:
   rule:
     tag:
      release: GA
+      ruleSet:
+        - '2020_06'
+        - '2020_09'
+        - '2020_12'
+        - '2021_03'
+        - '2021_06'
+        - '2021_09'
+        - '2021_12'
+        - '2022_03'
+        - '2022_06'
+        - '2022_09'
+        - '2022_12'
+        - '2023_03'
+        - '2023_06'
+        - '2023_09'
+        - '2023_12'
+        - '2024_03'
+        - '2024_06'
+        - '2024_09'
+        - '2024_12'
+        - '2025_03'
+        - '2025_06'
     labels:
       Azure.CAF: '*'
 
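Review bot: The 21-entry `ruleSet` list added under `spec.rule.tag` is repeated verbatim in all three hunks of CAF.Rule.yaml (`@@ -16`, `@@ -52` and `@@ -88`), and because each baseline is a separate YAML document a shared anchor cannot deduplicate it, so every future quarterly rule set has to be appended in three places. Nothing in the hunks records why the list is enumerated; presumably it pins these baselines so rules tagged with a newer `ruleSet` such as `2025_12` are not pulled in, and a one-line comment above each list would preserve that intent, e.g. `# Pin to rule sets released up to 2025_06 so newer rules are not added to this snapshot.`. The list stops at `'2025_06'` and omits `'2025_09'`; the baseline names are outside the hunks, so confirm that omission is intended for all three.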
@@ -109,65 +175,65 @@ spec: AZURE_VNET_NAME_FORMAT: '^vnet-' AZURE_VNET_SUBNET_NAME_FORMAT: '^snet-' ---- -# Synopsis: Includes rules related to Azure CAF based on a December 2025 snapshot. -apiVersion: github.com/microsoft/PSRule/v1 -kind: Baseline -metadata: - name: Azure.CAF_2025_12 - annotations: - taxonomy: Azure.CAF - export: true - moduleVersion: v1.48.0 - experimental: true -spec: - rule: - tag: - release: GA - labels: - Azure.CAF: '*' +# --- +# # Synopsis: Includes rules related to Azure CAF based on a December 2025 snapshot. +# apiVersion: github.com/microsoft/PSRule/v1 +# kind: Baseline +# metadata: +# name: Azure.CAF_2025_12 +# annotations: +# taxonomy: Azure.CAF +# export: true +# moduleVersion: v1.48.0 +# experimental: true +# spec: +# rule: +# tag: +# release: GA +# labels: +# Azure.CAF: '*' - configuration: - AZURE_AI_SEARCH_NAME_FORMAT: '^srch-' - AZURE_AI_SERVICES_NAME_FORMAT: '^aif-' - AZURE_AKS_CLUSTER_NAME_FORMAT: '^aks-' - AZURE_AKS_SYSTEM_POOL_NAME_FORMAT: '^npsystem' - AZURE_AKS_USER_POOL_NAME_FORMAT: '^np' - AZURE_CONTAINER_APP_NAME_FORMAT: '^ca-' - AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT: '^cae-' - AZURE_CONTAINER_APP_JOB_NAME_FORMAT: '^caj-' - AZURE_CONTAINER_REGISTRY_NAME_FORMAT: '^cr' - AZURE_CONTAINER_INSTANCE_NAME_FORMAT: '^ci-' - AZURE_COSMOS_CASSANDRA_NAME_FORMAT: '^coscas-' - AZURE_COSMOS_MONGO_NAME_FORMAT: '^cosmon-' - AZURE_COSMOS_NOSQL_NAME_FORMAT: '^cosno-' - AZURE_COSMOS_TABLE_NAME_FORMAT: '^costab-' - AZURE_COSMOS_GREMLIN_NAME_FORMAT: '^cosgrm-' - AZURE_COSMOS_POSTGRESQL_NAME_FORMAT: '^cospos-' - AZURE_COSMOS_DATABASE_NAME_FORMAT: '^cosmos-' - AZURE_EVENTGRID_DOMAIN_NAME_FORMAT: '^evgd-' - AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT: '^evgt-' - AZURE_EVENTGRID_SYSTEM_TOPIC_NAME_FORMAT: '^egst-' - AZURE_GATEWAY_CONNECTION_NAME_FORMAT: '^con-' - AZURE_LOAD_BALANCER_NAME_FORMAT: '^(lbi|lbe)-' - AZURE_MYSQL_SERVER_NAME_FORMAT: '^mysql-' - AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT: '^nsg-' - AZURE_POSTGRESQL_SERVER_NAME_FORMAT: 
'^psql-' - AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT: '^pip-' - AZURE_REDIS_CACHE_NAME_FORMAT: '^redis-' - AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '^amr-' - AZURE_RESOURCE_GROUP_NAME_FORMAT: '^rg-' - AZURE_ROUTE_TABLE_NAME_FORMAT: '^rt-' - AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT: '^sf-' - AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT: '^sfmc-' - AZURE_SQL_SERVER_NAME_FORMAT: '^sql-' - AZURE_SQL_DATABASE_NAME_FORMAT: '^sqldb-' - AZURE_SQL_JOB_AGENT_NAME_FORMAT: '^sqlja-' - AZURE_SQL_ELASTIC_POOL_NAME_FORMAT: '^sqlep-' - AZURE_SQL_STRETCH_DB_NAME_FORMAT: '^sqlstrdb-' - AZURE_SQL_MI_NAME_FORMAT: '^sqlmi-' - AZURE_STORAGE_ACCOUNT_NAME_FORMAT: '^(st|stvm)' - AZURE_VIRTUAL_MACHINE_NAME_FORMAT: '^vm' - AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: 'vgw-' - AZURE_VNET_NAME_FORMAT: '^vnet-' - AZURE_VNET_SUBNET_NAME_FORMAT: '^snet-' +# configuration: +# AZURE_AI_SEARCH_NAME_FORMAT: '^srch-' +# AZURE_AI_SERVICES_NAME_FORMAT: '^aif-' +# AZURE_AKS_CLUSTER_NAME_FORMAT: '^aks-' +# AZURE_AKS_SYSTEM_POOL_NAME_FORMAT: '^npsystem' +# AZURE_AKS_USER_POOL_NAME_FORMAT: '^np' +# AZURE_CONTAINER_APP_NAME_FORMAT: '^ca-' +# AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT: '^cae-' +# AZURE_CONTAINER_APP_JOB_NAME_FORMAT: '^caj-' +# AZURE_CONTAINER_REGISTRY_NAME_FORMAT: '^cr' +# AZURE_CONTAINER_INSTANCE_NAME_FORMAT: '^ci-' +# AZURE_COSMOS_CASSANDRA_NAME_FORMAT: '^coscas-' +# AZURE_COSMOS_MONGO_NAME_FORMAT: '^cosmon-' +# AZURE_COSMOS_NOSQL_NAME_FORMAT: '^cosno-' +# AZURE_COSMOS_TABLE_NAME_FORMAT: '^costab-' +# AZURE_COSMOS_GREMLIN_NAME_FORMAT: '^cosgrm-' +# AZURE_COSMOS_POSTGRESQL_NAME_FORMAT: '^cospos-' +# AZURE_COSMOS_DATABASE_NAME_FORMAT: '^cosmos-' +# AZURE_EVENTGRID_DOMAIN_NAME_FORMAT: '^evgd-' +# AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT: '^evgt-' +# AZURE_EVENTGRID_SYSTEM_TOPIC_NAME_FORMAT: '^egst-' +# AZURE_GATEWAY_CONNECTION_NAME_FORMAT: '^con-' +# AZURE_LOAD_BALANCER_NAME_FORMAT: '^(lbi|lbe)-' +# AZURE_MYSQL_SERVER_NAME_FORMAT: '^mysql-' +# AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT: '^nsg-' +# 
AZURE_POSTGRESQL_SERVER_NAME_FORMAT: '^psql-' +# AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT: '^pip-' +# AZURE_REDIS_CACHE_NAME_FORMAT: '^redis-' +# AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '^amr-' +# AZURE_RESOURCE_GROUP_NAME_FORMAT: '^rg-' +# AZURE_ROUTE_TABLE_NAME_FORMAT: '^rt-' +# AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT: '^sf-' +# AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT: '^sfmc-' +# AZURE_SQL_SERVER_NAME_FORMAT: '^sql-' +# AZURE_SQL_DATABASE_NAME_FORMAT: '^sqldb-' +# AZURE_SQL_JOB_AGENT_NAME_FORMAT: '^sqlja-' +# AZURE_SQL_ELASTIC_POOL_NAME_FORMAT: '^sqlep-' +# AZURE_SQL_STRETCH_DB_NAME_FORMAT: '^sqlstrdb-' +# AZURE_SQL_MI_NAME_FORMAT: '^sqlmi-' +# AZURE_STORAGE_ACCOUNT_NAME_FORMAT: '^(st|stvm)' +# AZURE_VIRTUAL_MACHINE_NAME_FORMAT: '^vm' +# AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: 'vgw-' +# AZURE_VNET_NAME_FORMAT: '^vnet-' +# AZURE_VNET_SUBNET_NAME_FORMAT: '^snet-' diff --git a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml index dc0bd0347d3..ec285fbf888 100644 --- a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml @@ -92,6 +92,8 @@ spec: AZURE_AI_SEARCH_NAME_FORMAT: '' AZURE_AI_SERVICES_NAME_FORMAT: '' AZURE_AKS_CLUSTER_NAME_FORMAT: '' + AZURE_AKS_SYSTEM_POOL_NAME_FORMAT: '' + AZURE_AKS_USER_POOL_NAME_FORMAT: '' AZURE_APP_INSIGHTS_NAME_FORMAT: '' AZURE_CONTAINER_APP_NAME_FORMAT: '' AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT: '' From 174cbe6ae615dfe63f2d798aac7435e6cd7be641 Mon Sep 17 00:00:00 2001 
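Review bot: `AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: 'vgw-'` is the only pattern in the commented-out `Azure.CAF_2025_12` configuration without a leading `^`; the naming rules pass these values to `$Assert.Match` as regular expressions, so once this block is restored any gateway name that merely contains `vgw-` anywhere will pass while every other resource type is held to a prefix. Fix it now so the defect is not carried forward: `AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: '^vgw-'`. Commenting out the whole 65-line baseline rather than deleting it also leaves YAML that is neither linted nor exercised by tests; git history preserves the content, so a deletion plus a one-line comment stating why the December 2025 baseline is not shipped yet would be cleaner than a commented-out block.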
From: Bernie White Date: Sun, 26 Oct 2025 04:30:08 +0000 Subject: [PATCH 14/32] Updates --- docs/en/rules/Azure.SQL.DBName.md | 93 ++++++++++++++- ...atabaseNaming.md => Azure.SQL.DBNaming.md} | 63 +++++++++- docs/en/rules/Azure.SQL.ServerName.md | 108 +++++++++++++++++- docs/en/rules/Azure.SQL.ServerNaming.md | 76 +++++++++++- docs/examples/resources/sql.bicep | 4 +- docs/examples/resources/sql.json | 8 +- docs/setup/setup-naming-and-tagging.md | 6 +- .../rules/Azure.Cosmos.Rule.ps1 | 6 +- .../rules/Azure.SQL.Rule.ps1 | 6 +- src/PSRule.Rules.Azure/rules/Config.Rule.yaml | 2 + 10 files changed, 344 insertions(+), 28 deletions(-) rename docs/en/rules/{Azure.SQL.DatabaseNaming.md => Azure.SQL.DBNaming.md} (67%) diff --git a/docs/en/rules/Azure.SQL.DBName.md b/docs/en/rules/Azure.SQL.DBName.md index c73e1a93ba2..12e9e79ea1d 100644 --- a/docs/en/rules/Azure.SQL.DBName.md +++ b/docs/en/rules/Azure.SQL.DBName.md @@ -1,7 +1,8 @@ --- +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence -category: Repeatable infrastructure +category: OE:04 Continuous integration resource: SQL Database resourceType: Microsoft.Sql/servers/databases online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.DBName/ 
@@ -34,11 +35,97 @@ The following reserved database names can not be used: Consider using names that meet Azure SQL Database naming requirements. Additionally consider naming resources with a standard naming convention. +## EXAMPLES + +### Configure with Bicep + +To deploy databases that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(128) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource database 'Microsoft.Sql/servers/databases@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + collation: 'SQL_Latin1_General_CP1_CI_AS' + maxSizeBytes: maxSize + catalogCollation: 'SQL_Latin1_General_CP1_CI_AS' + readScale: 'Disabled' + zoneRedundant: true + } +} +``` + +### Configure with Azure template + +To deploy databases that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 128, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "maxSizeBytes": "[variables('maxSize')]", + "catalogCollation": "SQL_Latin1_General_CP1_CI_AS", + "readScale": "Disabled", + "zoneRedundant": true + } + } + ] +} +``` + ## NOTES This rule does not check if Azure SQL Database names are unique. ## LINKS -- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) -- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftsql) +- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/databases) 
diff --git a/docs/en/rules/Azure.SQL.DatabaseNaming.md b/docs/en/rules/Azure.SQL.DBNaming.md similarity index 67% rename from docs/en/rules/Azure.SQL.DatabaseNaming.md rename to docs/en/rules/Azure.SQL.DBNaming.md index edd3ad2ea92..5b713146e73 100644 --- a/docs/en/rules/Azure.SQL.DatabaseNaming.md +++ b/docs/en/rules/Azure.SQL.DBNaming.md @@ -1,11 +1,11 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes resource: Azure SQL database resourceType: Microsoft.Sql/servers/databases -online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.DatabaseNaming/ +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.DBNaming/ --- # Azure SQL database resources must use standard naming @@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy databases that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -62,16 +62,66 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource database 'Microsoft.Sql/servers/databases@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + collation: 'SQL_Latin1_General_CP1_CI_AS' + maxSizeBytes: maxSize + catalogCollation: 'SQL_Latin1_General_CP1_CI_AS' + readScale: 'Disabled' + zoneRedundant: true + } +} ``` ### Configure with Azure template -To deploy resources that pass this rule: +To deploy databases that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 128, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "maxSizeBytes": "[variables('maxSize')]", + "catalogCollation": "SQL_Latin1_General_CP1_CI_AS", + "readScale": "Disabled", + "zoneRedundant": true + } + } + ] +} +``` + ## NOTES This rule does not check if Azure SQL database resource names are unique. 
@@ -99,3 +149,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/databases) diff --git a/docs/en/rules/Azure.SQL.ServerName.md b/docs/en/rules/Azure.SQL.ServerName.md index 76fb09da852..fe1a9713beb 100644 --- a/docs/en/rules/Azure.SQL.ServerName.md +++ b/docs/en/rules/Azure.SQL.ServerName.md @@ -1,7 +1,8 @@ --- +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence -category: Repeatable infrastructure +category: OE:04 Continuous integration resource: SQL Database resourceType: Microsoft.Sql/servers online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.ServerName/ 
@@ -28,11 +29,112 @@ The requirements for SQL logical server names are: Consider using names that meet Azure SQL logical server naming requirements. Additionally consider naming resources with a standard naming convention. +## EXAMPLES + +### Configure with Bicep + +To deploy servers that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource server 'Microsoft.Sql/servers@2024-05-01-preview' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + publicNetworkAccess: 'Disabled' + minimalTlsVersion: '1.3' + administrators: { + azureADOnlyAuthentication: true + administratorType: 'ActiveDirectory' + login: adminLogin + principalType: 'Group' + sid: adminPrincipalId + tenantId: tenant().tenantId + } + } +} +``` + +### Configure with Azure template + +To deploy servers that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2024-05-01-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "publicNetworkAccess": "Disabled", + "minimalTlsVersion": "1.3", + "administrators": { + "azureADOnlyAuthentication": true, + "administratorType": "ActiveDirectory", + "login": "[parameters('adminLogin')]", + "principalType": "Group", + "sid": "[parameters('adminPrincipalId')]", + "tenantId": "[tenant().tenantId]" + } + } + } + ] +} +``` + ## NOTES This rule does not check if Azure SQL logical server names are unique. ## LINKS -- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) -- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftsql) +- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment 
reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers) diff --git a/docs/en/rules/Azure.SQL.ServerNaming.md b/docs/en/rules/Azure.SQL.ServerNaming.md index c19d8d6c7c3..164459a73d5 100644 --- a/docs/en/rules/Azure.SQL.ServerNaming.md +++ b/docs/en/rules/Azure.SQL.ServerNaming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes @@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy servers that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -62,16 +62,81 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource server 'Microsoft.Sql/servers@2024-05-01-preview' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + publicNetworkAccess: 'Disabled' + minimalTlsVersion: '1.3' + administrators: { + azureADOnlyAuthentication: true + administratorType: 'ActiveDirectory' + login: adminLogin + principalType: 'Group' + sid: adminPrincipalId + tenantId: tenant().tenantId + } + } +} ``` ### Configure with Azure template -To deploy resources that pass this rule: +To deploy servers that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 128, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2024-05-01-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "publicNetworkAccess": "Disabled", + "minimalTlsVersion": "1.3", + "administrators": { + "azureADOnlyAuthentication": true, + "administratorType": "ActiveDirectory", + "login": "[parameters('adminLogin')]", + "principalType": "Group", + "sid": "[parameters('adminPrincipalId')]", + "tenantId": "[tenant().tenantId]" + } + } + } + ] +} +``` + ## NOTES This rule does not check if Azure SQL Database server resource names are unique. @@ -99,3 +164,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers) diff --git a/docs/examples/resources/sql.bicep b/docs/examples/resources/sql.bicep index 5b28caec6c9..b79428a9069 100644 --- a/docs/examples/resources/sql.bicep +++ b/docs/examples/resources/sql.bicep @@ -3,6 +3,8 @@ // Bicep documentation examples +@minLength(1) +@maxLength(128) @description('The name of the resource.') param name string 
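Review bot: `@maxLength(128)` on `name` is the Azure SQL database limit, but this parameter appears to be the one the `server` resource in the same file uses as its name (the rendered snippet in Azure.SQL.ServerNaming.md shows `name: name` on `Microsoft.Sql/servers` with `"maxLength": 128` in its ARM form), whereas the `Azure.SQL.ServerName` rule in this series checks `Between 1 and 63 characters long` and Azure.SQL.ServerName.md itself uses `@maxLength(63)`. A 64–128 character value passes Bicep validation here and then fails at deployment or under `Azure.SQL.ServerName`, which is the opposite of what a documented example should do. Either tighten it to `@maxLength(63)` or give the database its own parameter constrained to 128. Only the parameter declaration is in this hunk; the resources that consume it are outside it, so please confirm which resource `name` feeds.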
@@ -23,7 +25,7 @@ resource server 'Microsoft.Sql/servers@2024-05-01-preview' = { } properties: { publicNetworkAccess: 'Disabled' - minimalTlsVersion: '1.2' + minimalTlsVersion: '1.3' administrators: { azureADOnlyAuthentication: true administratorType: 'ActiveDirectory' diff --git a/docs/examples/resources/sql.json b/docs/examples/resources/sql.json index c77850d40af..98d3a1883ff 100644 --- a/docs/examples/resources/sql.json +++ b/docs/examples/resources/sql.json @@ -4,13 +4,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.34.1.11899", - "templateHash": "13668357951305686306" + "version": "0.38.33.27573", + "templateHash": "7050584599187305805" } }, "parameters": { "name": { "type": "string", + "minLength": 1, + "maxLength": 128, "metadata": { "description": "The name of the resource." } @@ -43,7 +45,7 @@ }, "properties": { "publicNetworkAccess": "Disabled", - "minimalTlsVersion": "1.2", + "minimalTlsVersion": "1.3", "administrators": { "azureADOnlyAuthentication": true, "administratorType": "ActiveDirectory", diff --git a/docs/setup/setup-naming-and-tagging.md b/docs/setup/setup-naming-and-tagging.md index 65934143f66..901a3d4a8a0 100644 --- a/docs/setup/setup-naming-and-tagging.md +++ b/docs/setup/setup-naming-and-tagging.md @@ -225,6 +225,7 @@ To configure the rule for a resource type, set the corresponding configuration v Rule | Resource type | Configuration value ---- | ------------- | ------------------- +`Azure.ACI.Naming` | `Microsoft.ContainerInstance/containerGroups` | `AZURE_CONTAINER_INSTANCE_NAME_FORMAT` `Azure.ACR.Naming` | `Microsoft.ContainerRegistry/registries` | `AZURE_CONTAINER_REGISTRY_NAME_FORMAT` `Azure.Search.Naming` | `Microsoft.Search/searchServices` | `AZURE_AI_SEARCH_NAME_FORMAT` `Azure.AI.FoundryNaming` | `Microsoft.CognitiveServices/accounts` with `kind` = `AIServices` | `AZURE_AI_SERVICES_NAME_FORMAT` 
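Review bot: Raising `minimalTlsVersion` to `'1.3'` in the documentation example will cause every client that cannot negotiate TLS 1.3 — older SQL drivers and ODBC/JDBC stacks — to be refused, and the rendered docs present this block as the pattern to copy, so the caveat belongs next to the line: `minimalTlsVersion: '1.3' // Requires TLS 1.3-capable clients; use '1.2' where drivers cannot be upgraded`. Nothing visible here shows a rule in this module now demanding 1.3, so if the bump is only cosmetic, `'1.2'` remains the floor most consumers can meet without a driver upgrade. The `server` resource this property belongs to starts above the hunk, and the generated sql.json mirror carries the same change.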
@@ -232,9 +233,8 @@ Rule | Resource type `Azure.AKS.SystemPoolNaming` | `Microsoft.ContainerService/managedClusters/agentPools` with `mode` = `System` | `AZURE_AKS_SYSTEM_POOL_NAME_FORMAT` `Azure.AKS.UserPoolNaming` | `Microsoft.ContainerService/managedClusters/agentPools` with `mode` = `User` | `AZURE_AKS_USER_POOL_NAME_FORMAT` `Azure.AppInsights.Naming` | `Microsoft.Insights/components` | `AZURE_APP_INSIGHTS_NAME_FORMAT` -`Azure.CI.Naming` | `Microsoft.ContainerInstance/containerGroups` | `AZURE_CONTAINER_INSTANCE_NAME_FORMAT` `Azure.ContainerApp.Naming` | `Microsoft.App/containerApps` | `AZURE_CONTAINER_APP_NAME_FORMAT` -`Azure.ContainerApp.EnvironmentNaming` | `Microsoft.App/managedEnvironments` | `AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT` +`Azure.ContainerApp.EnvNaming` | `Microsoft.App/managedEnvironments` | `AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT` `Azure.ContainerApp.JobNaming` | `Microsoft.App/jobs` | `AZURE_CONTAINER_APP_JOB_NAME_FORMAT` `Azure.Cosmos.CassandraNaming` | `Microsoft.DocumentDb/databaseAccounts` with Cassandra API | `AZURE_COSMOS_CASSANDRA_NAME_FORMAT` `Azure.Cosmos.DatabaseNaming` | `Microsoft.DocumentDB/databaseAccounts/sqlDatabases` | `AZURE_COSMOS_DATABASE_NAME_FORMAT` 
@@ -262,7 +262,7 @@ Rule | Resource type `Azure.ServiceFabric.Naming` | `Microsoft.ServiceFabric/clusters` | `AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT` `Azure.ServiceFabric.ManagedNaming` | `Microsoft.ServiceFabric/managedClusters` | `AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT` `Azure.SQL.ServerNaming` | `Microsoft.Sql/servers` | `AZURE_SQL_SERVER_NAME_FORMAT` -`Azure.SQL.DatabaseNaming` | `Microsoft.Sql/servers/databases` | `AZURE_SQL_DATABASE_NAME_FORMAT` +`Azure.SQL.DBNaming` | `Microsoft.Sql/servers/databases` | `AZURE_SQL_DATABASE_NAME_FORMAT` `Azure.SQL.JobAgentNaming` | `Microsoft.Sql/servers/jobAgents` | `AZURE_SQL_JOB_AGENT_NAME_FORMAT` `Azure.SQL.ElasticPoolNaming` | `Microsoft.Sql/servers/elasticPools` | `AZURE_SQL_ELASTIC_POOL_NAME_FORMAT` `Azure.SQL.StretchDBNaming` | `Microsoft.Sql/servers/databases` with Data Warehouse service objective | `AZURE_SQL_STRETCH_DB_NAME_FORMAT` diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 index d4ddef28fb5..70b6afbc734 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 
@@ -19,7 +19,7 @@ Rule 'Azure.Cosmos.DisableLocalAuth' -Ref 'AZR-000420' -Type 'Microsoft.Document } # Synopsis: Azure Cosmos DB for Apache Cassandra accounts without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.Cosmos.CassandraNaming' -Ref 'AZR-000508' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_CASSANDRA_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and ($TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableCassandra' }) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Cosmos.CassandraNaming' -Ref 'AZR-000508' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsCassandra' -If { $Configuration['AZURE_COSMOS_CASSANDRA_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_CASSANDRA_NAME_FORMAT, $True); } 
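Review bot: The inline `-If` this hunk removes required both `kind -eq 'GlobalDocumentDB'` and an `EnableCassandra` entry in `properties.capabilities`, but the replacement `-With 'Azure.Cosmos.IsCassandra'` selector (and `Azure.Cosmos.IsTable` / `Azure.Cosmos.IsGremlin` in the following hunk) is defined outside this patch, so I cannot confirm it encodes the same two conditions or matches the same accounts. If the selector only tests the capability, or tests `kind` with a different comparison, the set of accounts these naming rules evaluate silently changes. Please point to the selector definition in the PR description, or add a case to Azure.Cosmos.Tests.ps1 asserting that a `GlobalDocumentDB` account with `EnableCassandra` is evaluated and one without it is skipped. The remaining `-If { $Configuration['AZURE_COSMOS_CASSANDRA_NAME_FORMAT'] -ne '' }` is unchanged in meaning.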
@@ -34,12 +34,12 @@ Rule 'Azure.Cosmos.NoSQLNaming' -Ref 'AZR-000510' -Type 'Microsoft.DocumentDb/da } # Synopsis: Azure Cosmos DB for Table accounts without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.Cosmos.TableNaming' -Ref 'AZR-000511' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_TABLE_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and ($TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableTable' }) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Cosmos.TableNaming' -Ref 'AZR-000511' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsTable' -If { $Configuration['AZURE_COSMOS_TABLE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_TABLE_NAME_FORMAT, $True); } # Synopsis: Azure Cosmos DB for Apache Gremlin accounts without a standard naming convention may be difficult to identify and manage. 
-Rule 'Azure.Cosmos.GremlinNaming' -Ref 'AZR-000512' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_GREMLIN_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'GlobalDocumentDB' -and ($TargetObject.properties.capabilities | Where-Object { $_.name -eq 'EnableGremlin' }) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Cosmos.GremlinNaming' -Ref 'AZR-000512' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsGremlin' -If { $Configuration['AZURE_COSMOS_GREMLIN_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_GREMLIN_NAME_FORMAT, $True); } diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 index fef3ad73691..b8724869341 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 @@ -79,7 +79,7 @@ Rule 'Azure.SQL.AAD' -Ref 'AZR-000188' -Type 'Microsoft.Sql/servers', 'Microsoft } # Synopsis: Azure SQL logical server names should meet naming requirements. -Rule 'Azure.SQL.ServerName' -Ref 'AZR-000190' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } -Labels @{ 'Azure.CAF' = 'naming' } { +Rule 'Azure.SQL.ServerName' -Ref 'AZR-000190' -Type 'Microsoft.Sql/servers' -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2'; } { # https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftsql # Between 1 and 63 characters long 
@@ -151,7 +151,7 @@ Rule 'Azure.SQL.TDE' -Ref 'AZR-000191' -Type 'Microsoft.Sql/servers/databases', } # Synopsis: Azure SQL Database names should meet naming requirements. -Rule 'Azure.SQL.DBName' -Ref 'AZR-000192' -Type 'Microsoft.Sql/servers/databases' -If { !(IsExport) } -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } -Labels @{ 'Azure.CAF' = 'naming' } { +Rule 'Azure.SQL.DBName' -Ref 'AZR-000192' -Type 'Microsoft.Sql/servers/databases' -If { !(IsExport) } -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Operational Excellence'; } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2'; } { # https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftsql $name = $PSRule.TargetName.Split('/', 2, [System.StringSplitOptions]::RemoveEmptyEntries)[-1]; @@ -264,7 +264,7 @@ Rule 'Azure.SQL.ServerNaming' -Ref 'AZR-000517' -Type 'Microsoft.Sql/servers' -I } # Synopsis: Azure SQL databases without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.SQL.DatabaseNaming' -Ref 'AZR-000518' -Type 'Microsoft.Sql/servers/databases' -If { $Configuration['AZURE_SQL_DATABASE_NAME_FORMAT'] -ne '' -and !(IsMasterDatabase) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.SQL.DBNaming' -Ref 'AZR-000518' -Type 'Microsoft.Sql/servers/databases' -If { $Configuration['AZURE_SQL_DATABASE_NAME_FORMAT'] -ne '' -and !(IsMasterDatabase) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_DATABASE_NAME_FORMAT, $True); } diff --git a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml index ec285fbf888..4b96e29b9e3 100644 
--- a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml @@ -111,6 +111,8 @@ spec: AZURE_REDIS_CACHE_NAME_FORMAT: '' AZURE_RESOURCE_GROUP_NAME_FORMAT: '' AZURE_ROUTE_TABLE_NAME_FORMAT: '' + AZURE_SQL_DATABASE_NAME_FORMAT: '' + AZURE_SQL_SERVER_NAME_FORMAT: '' AZURE_STORAGE_ACCOUNT_NAME_FORMAT: '' AZURE_VIRTUAL_MACHINE_NAME_FORMAT: '' AZURE_VIRTUAL_NETWORK_GATEWAY_NAME_FORMAT: '' From 4029043db1bb9bce01a281391627b808b9f0f2f4 Mon Sep 17 00:00:00 2001 From: Bernie White Date: Sun, 26 Oct 2025 11:24:16 +0000 Subject: [PATCH 15/32] Updates --- docs/en/rules/Azure.SQL.DBName.md | 2 +- docs/en/rules/Azure.SQL.DBNaming.md | 5 +- docs/en/rules/Azure.SQL.ElasticPoolNaming.md | 70 +++++++++++- docs/en/rules/Azure.SQL.JobAgentNaming.md | 56 +++++++++- docs/en/rules/Azure.SQL.ServerName.md | 2 + docs/en/rules/Azure.SQL.ServerNaming.md | 2 + docs/en/rules/Azure.SQL.StretchDBNaming.md | 101 ------------------ docs/en/rules/Azure.SQLMI.Naming.md | 2 + docs/examples/resources/sql.bicep | 28 +++++ docs/examples/resources/sql.json | 37 ++++++- .../rules/Azure.AKS.Rule.ps1 | 2 +- .../rules/Azure.SQL.Rule.ps1 | 5 - src/PSRule.Rules.Azure/rules/CAF.Rule.yaml | 1 - src/PSRule.Rules.Azure/rules/Config.Rule.yaml | 2 + .../Azure.SQL.Tests.ps1 | 6 +- 15 files changed, 198 insertions(+), 123 deletions(-) delete mode 100644 docs/en/rules/Azure.SQL.StretchDBNaming.md diff --git a/docs/en/rules/Azure.SQL.DBName.md b/docs/en/rules/Azure.SQL.DBName.md index 12e9e79ea1d..44df8e4507c 100644 --- a/docs/en/rules/Azure.SQL.DBName.md +++ b/docs/en/rules/Azure.SQL.DBName.md @@ -22,7 +22,7 @@ The requirements for SQL Database names are: - Between 1 and 128 characters long. - Letters, numbers, and special characters except: `<>*%&:\/?` - Can't end with period or a space. -- Azure SQL Database names must be unique for each logical server. +- Must be unique for each logical server. The following reserved database names can not be used: 
diff --git a/docs/en/rules/Azure.SQL.DBNaming.md b/docs/en/rules/Azure.SQL.DBNaming.md index 5b713146e73..d0c4cddb255 100644 --- a/docs/en/rules/Azure.SQL.DBNaming.md +++ b/docs/en/rules/Azure.SQL.DBNaming.md @@ -34,8 +34,9 @@ For Azure SQL database, the Cloud Adoption Framework (CAF) recommends using the Requirements for Azure SQL database resource names: - Between 1 and 128 characters long. -- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). -- Resource names must be unique within their scope. +- Letters, numbers, and special characters except: `<>*%&:\/?` +- Can't end with period or a space. +- Must be unique for each logical server. ## RECOMMENDATION diff --git a/docs/en/rules/Azure.SQL.ElasticPoolNaming.md b/docs/en/rules/Azure.SQL.ElasticPoolNaming.md index a185f9e8c95..dfc43c4e25d 100644 --- a/docs/en/rules/Azure.SQL.ElasticPoolNaming.md +++ b/docs/en/rules/Azure.SQL.ElasticPoolNaming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes @@ -34,8 +34,9 @@ For Azure SQL Elastic Pool, the Cloud Adoption Framework (CAF) recommends using Requirements for Azure SQL Elastic Pool resource names: - Between 1 and 128 characters long. -- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). -- Resource names must be unique within their scope. +- Letters, numbers, and special characters except: `<>*%&:\/?` +- Can't end with period or a space. +- Must be unique for each logical server. ## RECOMMENDATION 
@@ -62,7 +63,21 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource pool 'Microsoft.Sql/servers/elasticPools@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + perDatabaseSettings: { + minCapacity: 0 + maxCapacity: 2 + } + maxSizeBytes: 34359738368 + zoneRedundant: true + licenseType: 'BasePrice' + maintenanceConfigurationId: maintenanceConfigurationId + } +} ``` ### Configure with Azure template @@ -72,6 +87,50 @@ To deploy resources that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 128, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/elasticPools", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "perDatabaseSettings": { + "minCapacity": 0, + "maxCapacity": 2 + }, + "maxSizeBytes": 34359738368, + "zoneRedundant": true, + "licenseType": "BasePrice", + "maintenanceConfigurationId": "[parameters('maintenanceConfigurationId')]" + } + } + ] +} +``` + ## NOTES This rule does not check if Azure SQL Elastic Pool resource names are unique. 
@@ -99,3 +158,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/elasticpools) diff --git a/docs/en/rules/Azure.SQL.JobAgentNaming.md b/docs/en/rules/Azure.SQL.JobAgentNaming.md index 9cb6a3f51e0..7b11db1850b 100644 --- a/docs/en/rules/Azure.SQL.JobAgentNaming.md +++ b/docs/en/rules/Azure.SQL.JobAgentNaming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-10-26 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes @@ -34,8 +34,9 @@ For Azure SQL Elastic Job agent, the Cloud Adoption Framework (CAF) recommends u Requirements for Azure SQL Elastic Job agent resource names: - Between 1 and 128 characters long. -- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). -- Resource names must be unique within their scope. +- Letters, numbers, and special characters except: `<>*%&:\/?` +- Can't end with period or a space. +- Must be unique for each logical server. ## RECOMMENDATION 
@@ -62,7 +63,14 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource agent 'Microsoft.Sql/servers/jobAgents@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + databaseId: database.id + } +} ``` ### Configure with Azure template @@ -72,6 +80,43 @@ To deploy resources that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 128, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/jobAgents", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "databaseId": "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]" + } + } + ] +} +``` + ## NOTES This rule does not check if Azure SQL Elastic Job agent resource names are unique. 
@@ -99,3 +144,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/servers/jobagents) diff --git a/docs/en/rules/Azure.SQL.ServerName.md b/docs/en/rules/Azure.SQL.ServerName.md index fe1a9713beb..d263b7adce8 100644 --- a/docs/en/rules/Azure.SQL.ServerName.md +++ b/docs/en/rules/Azure.SQL.ServerName.md @@ -70,6 +70,8 @@ resource server 'Microsoft.Sql/servers@2024-05-01-preview' = { } ``` + + ### Configure with Azure template To deploy servers that pass this rule: diff --git a/docs/en/rules/Azure.SQL.ServerNaming.md b/docs/en/rules/Azure.SQL.ServerNaming.md index 164459a73d5..adff4e8920c 100644 --- a/docs/en/rules/Azure.SQL.ServerNaming.md +++ b/docs/en/rules/Azure.SQL.ServerNaming.md @@ -83,6 +83,8 @@ resource server 'Microsoft.Sql/servers@2024-05-01-preview' = { } ``` + + ### Configure with Azure template To deploy servers that pass this rule: diff --git a/docs/en/rules/Azure.SQL.StretchDBNaming.md b/docs/en/rules/Azure.SQL.StretchDBNaming.md deleted file mode 100644 index 589b9e0d8a5..00000000000 --- a/docs/en/rules/Azure.SQL.StretchDBNaming.md +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -reviewed: 2025-10-10 -severity: Awareness -pillar: Operational Excellence -category: OE:04 Tools and processes -resource: SQL Server Stretch Database -resourceType: Microsoft.Sql/servers/databases -online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.StretchDBNaming/ ---- - -# SQL Server Stretch Database resources must use standard naming - -## SYNOPSIS - -SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. - -## DESCRIPTION - -An effective naming convention allows operators to quickly identify resources, related systems, and their purpose. -Identifying resources easily is important to improve operational efficiency, reduce the time to respond to incidents, -and minimize the risk of human error. - -Some of the benefits of using standardized tagging and naming conventions are: - -- They provide consistency and clarity for resource identification and discovery across the Azure Portal, CLIs, and APIs. -- They enable filtering and grouping of resources for billing, monitoring, security, and compliance purposes. -- They support resource lifecycle management, such as provisioning, decommissioning, backup, and recovery. - -For example, if you come upon a security incident, it's critical to quickly identify affected systems, -the functions that those systems support, and the potential business impact. - -For SQL Server Stretch Database, the Cloud Adoption Framework (CAF) recommends using the `sqlstrdb-` prefix. - -Requirements for SQL Server Stretch Database resource names: - -- Between 1 and 128 characters long. -- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). -- Resource names must be unique within their scope. - -## RECOMMENDATION - -Consider creating SQL Server Stretch Database resources with a standard name. 
-Additionally consider using Azure Policy to only permit creation using a standard naming convention. - -## EXAMPLES - -### Configure with Bicep - -To deploy resources that pass this rule: - -- Set the `name` property to a string that matches the naming requirements. -- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. - -For example: - -```bicep -@minLength(1) -@maxLength(128) -@description('The name of the resource.') -param name string - -@description('The location resources will be deployed.') -param location string = resourceGroup().location - -// Example resource deployment -``` - -### Configure with Azure template - -To deploy resources that pass this rule: - -- Set the `name` property to a string that matches the naming requirements. -- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. - -## NOTES - -This rule does not check if SQL Server Stretch Database resource names are unique. - - - -### Rule configuration - - - -To configure this rule set the `AZURE_SQL_STRETCH_DB_NAME_FORMAT` configuration value to a regular expression -that matches the required format. 
- -For example: - -```yaml -configuration: - AZURE_SQL_STRETCH_DB_NAME_FORMAT: '^sqlstrdb-' -``` - -## LINKS - -- [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) -- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) -- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) -- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) -- [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.SQLMI.Naming.md b/docs/en/rules/Azure.SQLMI.Naming.md index b17eaa47ac1..81a92643ff8 100644 --- a/docs/en/rules/Azure.SQLMI.Naming.md +++ b/docs/en/rules/Azure.SQLMI.Naming.md @@ -65,6 +65,8 @@ param location string = resourceGroup().location // Example resource deployment ``` + + ### Configure with Azure template To deploy resources that pass this rule: diff --git a/docs/examples/resources/sql.bicep b/docs/examples/resources/sql.bicep index b79428a9069..c935fffe479 100644 --- a/docs/examples/resources/sql.bicep +++ b/docs/examples/resources/sql.bicep @@ -13,6 +13,7 @@ param location string = resourceGroup().location param adminLogin string param adminPrincipalId string +param maintenanceConfigurationId string var maxSize = 32 * 1048576 
@@ -104,3 +105,30 @@ resource tde 'Microsoft.Sql/servers/databases/transparentDataEncryption@2024-05- state: 'Enabled' } } + +// An example Azure SQL Job Agent. +resource agent 'Microsoft.Sql/servers/jobAgents@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + databaseId: database.id + } +} + +// An example Azure SQL Elastic Pool. +resource pool 'Microsoft.Sql/servers/elasticPools@2024-05-01-preview' = { + parent: server + name: name + location: location + properties: { + perDatabaseSettings: { + minCapacity: 0 + maxCapacity: 2 + } + maxSizeBytes: 34359738368 + zoneRedundant: true + licenseType: 'BasePrice' + maintenanceConfigurationId: maintenanceConfigurationId + } +} diff --git a/docs/examples/resources/sql.json b/docs/examples/resources/sql.json index 98d3a1883ff..af2a1a301fe 100644 --- a/docs/examples/resources/sql.json +++ b/docs/examples/resources/sql.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.38.33.27573", - "templateHash": "7050584599187305805" + "templateHash": "5973132553936234562" } }, "parameters": { @@ -29,6 +29,9 @@ }, "adminPrincipalId": { "type": "string" + }, + "maintenanceConfigurationId": { + "type": "string" } }, "variables": { 
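Review bot: `maxSizeBytes: 34359738368` on the new elastic pool is a bare magic number, while the same file already expresses the database size as `var maxSize = 32 * 1048576` in the earlier hunk; the pool size would read more clearly in the same style, e.g. `var poolMaxSize = 32 * 1073741824` declared alongside `maxSize` and `maxSizeBytes: poolMaxSize` in the resource. The same literal is repeated in the generated sql.json and in the two rule docs, so regenerating after the change keeps them aligned. A one-line comment such as `// 32 GiB` would suffice if the literal is kept.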
@@ -135,6 +138,38 @@ "dependsOn": [ "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]" ] + }, + { + "type": "Microsoft.Sql/servers/jobAgents", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "databaseId": "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', parameters('name'), parameters('name'))]", + "[resourceId('Microsoft.Sql/servers', parameters('name'))]" + ] + }, + { + "type": "Microsoft.Sql/servers/elasticPools", + "apiVersion": "2024-05-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]", + "location": "[parameters('location')]", + "properties": { + "perDatabaseSettings": { + "minCapacity": 0, + "maxCapacity": 2 + }, + "maxSizeBytes": 34359738368, + "zoneRedundant": true, + "licenseType": "BasePrice", + "maintenanceConfigurationId": "[parameters('maintenanceConfigurationId')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', parameters('name'))]" + ] } ] } \ No newline at end of file diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 index 6f494095f1c..aae4d21251e 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 
@@ -350,7 +350,7 @@ Rule 'Azure.AKS.Naming' -Ref 'AZR-000499' -Type 'Microsoft.ContainerService/mana } # Synopsis: AKS system node pools without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000525' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_SYSTEM_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000524' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_SYSTEM_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $agentPools = @(GetAgentPoolProfiles | Where-Object { $_.mode -eq 'System' }); if ($agentPools.Length -eq 0) { return $Assert.Pass(); diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 index b8724869341..495e705ad28 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 
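Review bot: The Ref of `Azure.AKS.SystemPoolNaming` moves from `AZR-000525` to `AZR-000524`, which is the identifier of the `Azure.SQL.StretchDBNaming` rule deleted later in the same commit; refs are the stable handle used for suppression and baselines, so reusing one is only safe if `AZR-000524` was never shipped under the old rule. The docs page for this rule and any sibling rule allocated the following number (the user pool naming rule may be one) are not in this hunk and should be checked for the same renumbering. The rule body continues past the end of the hunk.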
@@ -278,9 +278,4 @@ Rule 'Azure.SQL.ElasticPoolNaming' -Ref 'AZR-000520' -Type 'Microsoft.Sql/server $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_ELASTIC_POOL_NAME_FORMAT, $True); } -# Synopsis: SQL Server Stretch Databases without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.SQL.StretchDBNaming' -Ref 'AZR-000524' -Type 'Microsoft.Sql/servers/databases' -If { $Configuration['AZURE_SQL_STRETCH_DB_NAME_FORMAT'] -ne '' -and $TargetObject.properties.requestedServiceObjectiveName -eq 'DataWarehouse' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { - $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_STRETCH_DB_NAME_FORMAT, $True); -} - #endregion Naming rules diff --git a/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml b/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml index 4311ae9d93b..ceb12803c52 100644 --- a/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml @@ -230,7 +230,6 @@ spec: # AZURE_SQL_DATABASE_NAME_FORMAT: '^sqldb-' # AZURE_SQL_JOB_AGENT_NAME_FORMAT: '^sqlja-' # AZURE_SQL_ELASTIC_POOL_NAME_FORMAT: '^sqlep-' -# AZURE_SQL_STRETCH_DB_NAME_FORMAT: '^sqlstrdb-' # AZURE_SQL_MI_NAME_FORMAT: '^sqlmi-' # AZURE_STORAGE_ACCOUNT_NAME_FORMAT: '^(st|stvm)' # AZURE_VIRTUAL_MACHINE_NAME_FORMAT: '^vm' diff --git a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml index 4b96e29b9e3..4eff525254b 100644 --- a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml @@ -112,6 +112,8 @@ spec: AZURE_RESOURCE_GROUP_NAME_FORMAT: '' AZURE_ROUTE_TABLE_NAME_FORMAT: '' AZURE_SQL_DATABASE_NAME_FORMAT: '' + AZURE_SQL_ELASTIC_POOL_NAME_FORMAT: '' + AZURE_SQL_JOB_AGENT_NAME_FORMAT: '' AZURE_SQL_SERVER_NAME_FORMAT: '' AZURE_STORAGE_ACCOUNT_NAME_FORMAT: '' AZURE_VIRTUAL_MACHINE_NAME_FORMAT: '' 
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 index fe2fdf4d9e9..132c53d7654 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 @@ -526,9 +526,9 @@ Describe 'Azure.SQL' -Tag 'SQL', 'SQLDB' { $ruleResult.TargetName | Should -Be 'sql-001'; } - It 'Azure.SQL.DatabaseNaming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.DatabaseNaming' }; - + It 'Azure.SQL.DBNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.SQL.DBNaming' }; + # Fail $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); $ruleResult | Should -Not -BeNullOrEmpty; From 4aa521f3c2533bfd1aca6b1b770e3ec879642991 Mon Sep 17 00:00:00 2001 
From: Bernie White Date: Sat, 1 Nov 2025 04:46:36 +0000 Subject: [PATCH 16/32] Updates --- docs/en/rules/Azure.ACI.Naming.md | 2 +- docs/en/rules/Azure.ACR.Name.md | 2 +- docs/en/rules/Azure.ACR.Naming.md | 2 +- docs/en/rules/Azure.AI.FoundryNaming.md | 2 +- docs/en/rules/Azure.AKS.Name.md | 2 +- docs/en/rules/Azure.AKS.Naming.md | 2 +- docs/en/rules/Azure.AKS.SystemPoolNaming.md | 2 +- docs/en/rules/Azure.AKS.UserPoolNaming.md | 2 +- docs/en/rules/Azure.ContainerApp.EnvNaming.md | 2 +- docs/en/rules/Azure.ContainerApp.JobNaming.md | 2 +- docs/en/rules/Azure.ContainerApp.Name.md | 2 +- docs/en/rules/Azure.ContainerApp.Naming.md | 2 +- docs/en/rules/Azure.Cosmos.AccountName.md | 106 +++++++++++++++++- docs/en/rules/Azure.Cosmos.CassandraNaming.md | 2 +- docs/en/rules/Azure.Cosmos.DatabaseNaming.md | 2 +- docs/en/rules/Azure.Cosmos.GremlinNaming.md | 2 +- docs/en/rules/Azure.Cosmos.MongoNaming.md | 2 +- docs/en/rules/Azure.Cosmos.NoSQLNaming.md | 2 +- .../en/rules/Azure.Cosmos.PostgreSQLNaming.md | 2 +- docs/en/rules/Azure.Cosmos.TableNaming.md | 2 +- docs/en/rules/Azure.LB.Name.md | 21 +--- docs/en/rules/Azure.MySQL.Naming.md | 2 +- docs/en/rules/Azure.PostgreSQL.Naming.md | 2 +- docs/en/rules/Azure.Redis.Naming.md | 2 +- docs/en/rules/Azure.RedisEnterprise.Naming.md | 2 +- docs/en/rules/Azure.SQL.DBName.md | 2 +- docs/en/rules/Azure.SQL.DBNaming.md | 2 +- docs/en/rules/Azure.SQL.ElasticPoolNaming.md | 2 +- docs/en/rules/Azure.SQL.JobAgentNaming.md | 2 +- docs/en/rules/Azure.SQL.ServerName.md | 2 +- docs/en/rules/Azure.SQL.ServerNaming.md | 2 +- docs/en/rules/Azure.SQLMI.Naming.md | 2 +- .../Azure.ServiceFabric.ManagedNaming.md | 2 +- docs/en/rules/Azure.ServiceFabric.Naming.md | 2 +- docs/en/rules/Azure.VM.Name.md | 2 +- docs/en/rules/Azure.VM.Naming.md | 2 +- docs/examples/resources/cosmos.bicep | 12 +- docs/examples/resources/cosmos.json | 20 ++-- .../rules/Azure.Cosmos.Rule.yaml | 1 + .../Azure.ACI.Tests.ps1 | 2 +- .../Azure.SQL.Tests.ps1 | 49 ++++---- 41 files 
changed, 181 insertions(+), 98 deletions(-) diff --git a/docs/en/rules/Azure.ACI.Naming.md b/docs/en/rules/Azure.ACI.Naming.md index 2f7136e3fc3..0abdb69ea5b 100644 --- a/docs/en/rules/Azure.ACI.Naming.md +++ b/docs/en/rules/Azure.ACI.Naming.md @@ -173,7 +173,7 @@ configuration: ## LINKS - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) -- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.ACR.Name.md b/docs/en/rules/Azure.ACR.Name.md index 6925202193a..f566a4df778 100644 --- a/docs/en/rules/Azure.ACR.Name.md +++ b/docs/en/rules/Azure.ACR.Name.md 
@@ -160,7 +160,7 @@ This rule does not check if container registry names are unique. ## LINKS - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) -- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) diff --git a/docs/en/rules/Azure.ACR.Naming.md b/docs/en/rules/Azure.ACR.Naming.md index e3763b1a3f3..b9d9345f1b1 100644 --- a/docs/en/rules/Azure.ACR.Naming.md +++ b/docs/en/rules/Azure.ACR.Naming.md 
@@ -190,7 +190,7 @@ configuration: ## LINKS - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) -- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.AI.FoundryNaming.md b/docs/en/rules/Azure.AI.FoundryNaming.md index 55599b07235..0b2392fab53 100644 --- a/docs/en/rules/Azure.AI.FoundryNaming.md +++ b/docs/en/rules/Azure.AI.FoundryNaming.md 
@@ -166,7 +166,7 @@ configuration: ## LINKS - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) -- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.AKS.Name.md b/docs/en/rules/Azure.AKS.Name.md index 794e16fca3a..18388c50f9a 100644 --- a/docs/en/rules/Azure.AKS.Name.md +++ b/docs/en/rules/Azure.AKS.Name.md @@ -216,7 +216,7 @@ The requirements for DNS prefixes are: ## LINKS - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) -- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) 
diff --git a/docs/en/rules/Azure.AKS.Naming.md b/docs/en/rules/Azure.AKS.Naming.md index 9a0cbb3c306..87412f777f6 100644 --- a/docs/en/rules/Azure.AKS.Naming.md +++ b/docs/en/rules/Azure.AKS.Naming.md @@ -238,7 +238,7 @@ configuration: ## LINKS - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) -- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.AKS.SystemPoolNaming.md b/docs/en/rules/Azure.AKS.SystemPoolNaming.md index 06f751c3c7d..973c8ccfc2d 100644 --- a/docs/en/rules/Azure.AKS.SystemPoolNaming.md +++ b/docs/en/rules/Azure.AKS.SystemPoolNaming.md 
@@ -157,7 +157,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.AKS.UserPoolNaming.md b/docs/en/rules/Azure.AKS.UserPoolNaming.md
index b27e1d8ec4d..443de104b67 100644
--- a/docs/en/rules/Azure.AKS.UserPoolNaming.md
+++ b/docs/en/rules/Azure.AKS.UserPoolNaming.md
@@ -157,7 +157,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.ContainerApp.EnvNaming.md b/docs/en/rules/Azure.ContainerApp.EnvNaming.md
index 50ba6fcbc3d..83bd5c60186 100644
--- a/docs/en/rules/Azure.ContainerApp.EnvNaming.md
+++ b/docs/en/rules/Azure.ContainerApp.EnvNaming.md
@@ -173,7 +173,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.ContainerApp.JobNaming.md b/docs/en/rules/Azure.ContainerApp.JobNaming.md
index ca384bbce97..7d95cf2d8d5 100644
--- a/docs/en/rules/Azure.ContainerApp.JobNaming.md
+++ b/docs/en/rules/Azure.ContainerApp.JobNaming.md
@@ -165,7 +165,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.ContainerApp.Name.md b/docs/en/rules/Azure.ContainerApp.Name.md
index 72995ff8d2c..cc4bc501175 100644
--- a/docs/en/rules/Azure.ContainerApp.Name.md
+++ b/docs/en/rules/Azure.ContainerApp.Name.md
@@ -182,7 +182,7 @@ This rule does not check if container app names are unique.
 ## LINKS
 
 - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Naming rules and restrictions for container app resource](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftapp)
 - [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
 - [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
diff --git a/docs/en/rules/Azure.ContainerApp.Naming.md b/docs/en/rules/Azure.ContainerApp.Naming.md
index facacc6fb04..a5e21871e00 100644
--- a/docs/en/rules/Azure.ContainerApp.Naming.md
+++ b/docs/en/rules/Azure.ContainerApp.Naming.md
@@ -212,7 +212,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.AccountName.md b/docs/en/rules/Azure.Cosmos.AccountName.md
index be45d54d511..fc58e35c62d 100644
--- a/docs/en/rules/Azure.Cosmos.AccountName.md
+++ b/docs/en/rules/Azure.Cosmos.AccountName.md
@@ -1,7 +1,8 @@
 ---
+reviewed: 2025-11-01
 severity: Awareness
 pillar: Operational Excellence
-category: Repeatable infrastructure
+category: OE:04 Continuous integration
 resource: Cosmos DB
 resourceType: Microsoft.DocumentDB/databaseAccounts
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.AccountName/
@@ -28,13 +29,110 @@ The requirements for Cosmos DB account names are: Consider using names that meet Cosmos DB account naming requirements. Additionally consider naming resources with a standard naming convention. +## EXAMPLES + +### Configure with Bicep + +To deploy accounts that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```bicep +@minLength(3) +@maxLength(44) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +resource account 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + properties: { + enableFreeTier: false + consistencyPolicy: { + defaultConsistencyLevel: 'Session' + } + databaseAccountOfferType: 'Standard' + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + disableKeyBasedMetadataWriteAccess: true + minimalTlsVersion: 'Tls12' + } +} +``` + + + +### Configure with Azure template + +To deploy accounts that pass this rule: + +- Set the `name` property to a string that matches the naming requirements. +- Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. + +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 44, + "metadata": { + "description": "The name of the resource." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "enableFreeTier": false, + "consistencyPolicy": { + "defaultConsistencyLevel": "Session" + }, + "databaseAccountOfferType": "Standard", + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "disableKeyBasedMetadataWriteAccess": true, + "minimalTlsVersion": "Tls12" + } + } + ] +} +``` + ## NOTES This rule does not check if Cosmos DB account names are unique. ## LINKS -- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) -- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftdocumentdb) -- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts) +- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts) 
diff --git a/docs/en/rules/Azure.Cosmos.CassandraNaming.md b/docs/en/rules/Azure.Cosmos.CassandraNaming.md
index ba31e25863e..6632cc919b9 100644
--- a/docs/en/rules/Azure.Cosmos.CassandraNaming.md
+++ b/docs/en/rules/Azure.Cosmos.CassandraNaming.md
@@ -95,7 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.DatabaseNaming.md b/docs/en/rules/Azure.Cosmos.DatabaseNaming.md
index 646f3e19a71..bddaf116cec 100644
--- a/docs/en/rules/Azure.Cosmos.DatabaseNaming.md
+++ b/docs/en/rules/Azure.Cosmos.DatabaseNaming.md
@@ -95,7 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.GremlinNaming.md b/docs/en/rules/Azure.Cosmos.GremlinNaming.md
index a41685f7a23..326c07aef4c 100644
--- a/docs/en/rules/Azure.Cosmos.GremlinNaming.md
+++ b/docs/en/rules/Azure.Cosmos.GremlinNaming.md
@@ -95,7 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.MongoNaming.md b/docs/en/rules/Azure.Cosmos.MongoNaming.md
index 8370100fd21..94730f97bbc 100644
--- a/docs/en/rules/Azure.Cosmos.MongoNaming.md
+++ b/docs/en/rules/Azure.Cosmos.MongoNaming.md
@@ -95,7 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.NoSQLNaming.md b/docs/en/rules/Azure.Cosmos.NoSQLNaming.md
index 69486178309..4df6ea941a0 100644
--- a/docs/en/rules/Azure.Cosmos.NoSQLNaming.md
+++ b/docs/en/rules/Azure.Cosmos.NoSQLNaming.md
@@ -95,7 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md b/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md
index 4a2b1afe4f9..c36a92abbdf 100644
--- a/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md
+++ b/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md
@@ -95,7 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Cosmos.TableNaming.md b/docs/en/rules/Azure.Cosmos.TableNaming.md
index e6a281e423b..b2901d3b647 100644
--- a/docs/en/rules/Azure.Cosmos.TableNaming.md
+++ b/docs/en/rules/Azure.Cosmos.TableNaming.md
@@ -95,7 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.LB.Name.md b/docs/en/rules/Azure.LB.Name.md
index 8ce8ab868f4..3cc183ce830 100644
--- a/docs/en/rules/Azure.LB.Name.md
+++ b/docs/en/rules/Azure.LB.Name.md
@@ -93,13 +93,6 @@ For example:
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
- "metadata": {
- "_generator": {
- "name": "bicep",
- "version": "0.34.44.8038",
- "templateHash": "15799925094518670850"
- }
- },
 "parameters": {
 "name": {
 "type": "string",
@@ -115,18 +108,6 @@ For example:
 "metadata": {
 "description": "The location resources will be deployed."
 }
- },
- "subnetId": {
- "type": "string",
- "metadata": {
- "description": "The resource ID of the virtual network subnet."
- }
- },
- "pipId": {
- "type": "string",
- "metadata": {
- "description": "The resource ID of the public IP address."
- }
 }
 },
 "resources": [
@@ -169,7 +150,7 @@ This rule does not check if Load Balancer names are unique.
 ## LINKS
 
 - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
diff --git a/docs/en/rules/Azure.MySQL.Naming.md b/docs/en/rules/Azure.MySQL.Naming.md
index 37be2efd2c5..5ea4379aeab 100644
--- a/docs/en/rules/Azure.MySQL.Naming.md
+++ b/docs/en/rules/Azure.MySQL.Naming.md
@@ -95,7 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.PostgreSQL.Naming.md b/docs/en/rules/Azure.PostgreSQL.Naming.md
index e6eb4b89538..7f14b1e07ef 100644
--- a/docs/en/rules/Azure.PostgreSQL.Naming.md
+++ b/docs/en/rules/Azure.PostgreSQL.Naming.md
@@ -95,7 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.Redis.Naming.md b/docs/en/rules/Azure.Redis.Naming.md
index 7cc99cc4bd6..2baec42449c 100644
--- a/docs/en/rules/Azure.Redis.Naming.md
+++ b/docs/en/rules/Azure.Redis.Naming.md
@@ -182,7 +182,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.RedisEnterprise.Naming.md b/docs/en/rules/Azure.RedisEnterprise.Naming.md
index 7a62545e8b2..a46ef405d2b 100644
--- a/docs/en/rules/Azure.RedisEnterprise.Naming.md
+++ b/docs/en/rules/Azure.RedisEnterprise.Naming.md
@@ -95,7 +95,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.DBName.md b/docs/en/rules/Azure.SQL.DBName.md
index 44df8e4507c..a6dc0dbb248 100644
--- a/docs/en/rules/Azure.SQL.DBName.md
+++ b/docs/en/rules/Azure.SQL.DBName.md
@@ -122,7 +122,7 @@ This rule does not check if Azure SQL Database names are unique.
 ## LINKS
 
 - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.DBNaming.md b/docs/en/rules/Azure.SQL.DBNaming.md
index d0c4cddb255..4295d51cec4 100644
--- a/docs/en/rules/Azure.SQL.DBNaming.md
+++ b/docs/en/rules/Azure.SQL.DBNaming.md
@@ -146,7 +146,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.ElasticPoolNaming.md b/docs/en/rules/Azure.SQL.ElasticPoolNaming.md
index dfc43c4e25d..0b5977d997f 100644
--- a/docs/en/rules/Azure.SQL.ElasticPoolNaming.md
+++ b/docs/en/rules/Azure.SQL.ElasticPoolNaming.md
@@ -154,7 +154,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.JobAgentNaming.md b/docs/en/rules/Azure.SQL.JobAgentNaming.md
index 7b11db1850b..6126c1278c2 100644
--- a/docs/en/rules/Azure.SQL.JobAgentNaming.md
+++ b/docs/en/rules/Azure.SQL.JobAgentNaming.md
@@ -140,7 +140,7 @@ configuration:
 ## LINKS
 
 - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.ServerName.md b/docs/en/rules/Azure.SQL.ServerName.md
index d263b7adce8..4a6b48c127a 100644
--- a/docs/en/rules/Azure.SQL.ServerName.md
+++ b/docs/en/rules/Azure.SQL.ServerName.md
@@ -133,7 +133,7 @@ This rule does not check if Azure SQL logical server names are unique.
 ## LINKS
 
 - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration)
-- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
+- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2)
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
diff --git a/docs/en/rules/Azure.SQL.ServerNaming.md b/docs/en/rules/Azure.SQL.ServerNaming.md
index adff4e8920c..71980651b38 100644
--- a/docs/en/rules/Azure.SQL.ServerNaming.md
+++ b/docs/en/rules/Azure.SQL.ServerNaming.md
@@ -162,7 +162,7 @@ configuration: ## LINKS - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) -- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.SQLMI.Naming.md b/docs/en/rules/Azure.SQLMI.Naming.md index 81a92643ff8..c2c86f4ea62 100644 --- a/docs/en/rules/Azure.SQLMI.Naming.md +++ b/docs/en/rules/Azure.SQLMI.Naming.md @@ -97,7 +97,7 @@ configuration: ## LINKS - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) -- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) 
diff --git a/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md b/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md index 0189613d07f..5479ac41fef 100644 --- a/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md +++ b/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md @@ -95,7 +95,7 @@ configuration: ## LINKS - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) -- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.ServiceFabric.Naming.md b/docs/en/rules/Azure.ServiceFabric.Naming.md index 16241ca13c4..c98e926859d 100644 --- a/docs/en/rules/Azure.ServiceFabric.Naming.md +++ b/docs/en/rules/Azure.ServiceFabric.Naming.md 
@@ -95,7 +95,7 @@ configuration: ## LINKS - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) -- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/en/rules/Azure.VM.Name.md b/docs/en/rules/Azure.VM.Name.md index 3cbf32a941d..84655ae86f8 100644 --- a/docs/en/rules/Azure.VM.Name.md +++ b/docs/en/rules/Azure.VM.Name.md @@ -263,7 +263,7 @@ See `Azure.VM.ComputerName` for details. ## LINKS - [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) -- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) - [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) 
diff --git a/docs/en/rules/Azure.VM.Naming.md b/docs/en/rules/Azure.VM.Naming.md index 3b8d7bafb3e..e36536bbd3c 100644 --- a/docs/en/rules/Azure.VM.Naming.md +++ b/docs/en/rules/Azure.VM.Naming.md @@ -292,7 +292,7 @@ configuration: ## LINKS - [OE:04 Tools and processes](https://learn.microsoft.com/azure/well-architected/operational-excellence/tools-processes) -- [Operational Excellence maturity model](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) diff --git a/docs/examples/resources/cosmos.bicep b/docs/examples/resources/cosmos.bicep index 96c52a36b37..db6fe798afa 100644 --- a/docs/examples/resources/cosmos.bicep +++ b/docs/examples/resources/cosmos.bicep @@ -3,14 +3,16 @@ // Bicep documentation examples -@description('The name of the Cosmos database account.') +@minLength(3) +@maxLength(44) +@description('The name of the resource.') param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -@description('A Cosmos DB account using the NoSQL API.') -resource account 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = { +// An example Cosmos DB account using the NoSQL API. +resource account 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { name: name location: location properties: { 
@@ -31,8 +33,8 @@ resource account 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = { } } -@description('A No SQL API database in a Cosmos DB account.') -resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2023-11-15' = { +// An example No SQL API database in a Cosmos DB account. +resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2025-04-15' = { name: 'sql-001' parent: account properties: { diff --git a/docs/examples/resources/cosmos.json b/docs/examples/resources/cosmos.json index 3361cd1346b..bff2b3c58e2 100644 --- a/docs/examples/resources/cosmos.json +++ b/docs/examples/resources/cosmos.json @@ -4,15 +4,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.170.59819", - "templateHash": "14244543187074389953" + "version": "0.38.33.27573", + "templateHash": "2704156339140852790" } }, "parameters": { "name": { "type": "string", + "minLength": 3, + "maxLength": 44, "metadata": { - "description": "The name of the Cosmos database account." + "description": "The name of the resource." } }, "location": { @@ -26,7 +28,7 @@ "resources": [ { "type": "Microsoft.DocumentDB/databaseAccounts", - "apiVersion": "2023-11-15", + "apiVersion": "2025-04-15", "name": "[parameters('name')]", "location": "[parameters('location')]", "properties": { @@ -44,14 +46,11 @@ ], "disableKeyBasedMetadataWriteAccess": true, "minimalTlsVersion": "Tls12" - }, - "metadata": { - "description": "A Cosmos DB account using the NoSQL API." } }, { "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", - "apiVersion": "2023-11-15", + "apiVersion": "2025-04-15", "name": "[format('{0}/{1}', parameters('name'), 'sql-001')]", "properties": { "resource": { @@ -60,10 +59,7 @@ }, "dependsOn": [ "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" - ], - "metadata": { - "description": "A No SQL API database in a Cosmos DB account." - } + ] } ] } \ No newline at end of file 
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml
index 5aa221b49d7..af19bc96b27 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml
@@ -40,6 +40,7 @@ metadata:
 Azure.WAF/pillar: Operational Excellence
 labels:
 Azure.CAF: naming
+ Azure.WAF/maturity: L2
 spec:
 type:
 - Microsoft.DocumentDb/databaseAccounts
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ACI.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ACI.Tests.ps1
index c03749dcad3..0cf2a91de96 100644
--- a/tests/PSRule.Rules.Azure.Tests/Azure.ACI.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.ACI.Tests.ps1
@@ -45,7 +45,7 @@ Describe 'Azure.ACI' -Tag 'ACI' {
 }
 });
 
- $result = $items | Invoke-PSRule @invokeParams -Option $option
+ $result = $items | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.ACI.Naming'
 }
 
 It 'Azure.ACI.Naming' {
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1
index 132c53d7654..f50bda0b146 100644
--- a/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.SQL.Tests.ps1
@@ -480,34 +480,39 @@ Describe 'Azure.SQL' -Tag 'SQL', 'SQLDB' {
 $poolNames = @('pool-001', 'sqlep-001', 'SQLEP-001')
 
 $serverItems = @($serverNames | ForEach-Object {
- [PSCustomObject]@{
- Name = $_
- Type = 'Microsoft.Sql/servers'
- }
- });
+ [PSCustomObject]@{
+ Name = $_
+ Type = 'Microsoft.Sql/servers'
+ }
+ });
 
 $dbItems = @($dbNames | ForEach-Object {
- [PSCustomObject]@{
- Name = $_
- Type = 'Microsoft.Sql/servers/databases'
- }
- });
+ [PSCustomObject]@{
+ Name = $_
+ Type = 'Microsoft.Sql/servers/databases'
+ }
+ });
 
 $jobAgentItems = @($jobAgentNames | ForEach-Object {
- [PSCustomObject]@{
- Name = $_
- Type = 'Microsoft.Sql/servers/jobAgents'
- }
- });
+ [PSCustomObject]@{
+ Name = $_
+ Type = 'Microsoft.Sql/servers/jobAgents'
+ }
+ });
 
 $poolItems = @($poolNames | ForEach-Object {
- [PSCustomObject]@{
- Name = $_
- Type = 'Microsoft.Sql/servers/elasticPools'
- }
- });
-
- $result = @($serverItems + $dbItems + $jobAgentItems + $poolItems) | Invoke-PSRule @invokeParams -Option $option
+ [PSCustomObject]@{
+ Name = $_
+ Type = 'Microsoft.Sql/servers/elasticPools'
+ }
+ });
+
+ $result = @($serverItems + $dbItems + $jobAgentItems + $poolItems) | Invoke-PSRule @invokeParams -Option $option -Name @(
+ 'Azure.SQL.ServerNaming'
+ 'Azure.SQL.DBNaming'
+ 'Azure.SQL.JobAgentNaming'
+ 'Azure.SQL.ElasticPoolNaming'
+ )
 }
 
 It 'Azure.SQL.ServerNaming' {
From dbcd0ab195a668b32030e5139649c934db993168 Mon Sep 17 00:00:00 2001
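Review bot: The one functional change in this hunk — restricting the `Invoke-PSRule` call to the four naming rules with `-Name @(...)` — is buried under roughly forty lines that only re-indent the `[PSCustomObject]` blocks, so the scoping change is hard to audit on its own; keeping the re-indent out of this commit, or landing it as a separate whitespace-only change, would fix that. Once the filter is in place this setup block no longer evaluates any other rule against the server, database, job-agent and pool objects, so any `It` block in this `Describe` that relied on those results would need its own setup; the rest of the `Describe` is outside the hunk. The same `-Name` scoping is applied to the Azure.ACI test in the hunk above.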
From: Bernie White Date: Sat, 1 Nov 2025 05:42:29 +0000 Subject: [PATCH 17/32] Updates --- docs/en/rules/Azure.MySQL.ServerName.md | 11 ++- ....Naming.md => Azure.MySQL.ServerNaming.md} | 88 +++++++++++++++-- docs/en/rules/Azure.PostgreSQL.ServerName.md | 11 ++- ...ng.md => Azure.PostgreSQL.ServerNaming.md} | 96 +++++++++++++++++-- docs/en/rules/Azure.VM.Naming.md | 2 +- docs/examples/resources/mysql.bicep | 12 ++- docs/examples/resources/mysql.json | 8 +- docs/examples/resources/postgresql.bicep | 14 +-- docs/examples/resources/postgresql.json | 10 +- pipeline.build.ps1 | 2 + .../rules/Azure.MySQL.Rule.ps1 | 2 +- .../rules/Azure.PostgreSQL.Rule.ps1 | 2 +- src/PSRule.Rules.Azure/rules/Config.Rule.yaml | 2 + .../Azure.MySQL.Tests.ps1 | 8 +- .../Azure.PostgreSQL.Tests.ps1 | 8 +- 15 files changed, 229 insertions(+), 47 deletions(-) rename docs/en/rules/{Azure.MySQL.Naming.md => Azure.MySQL.ServerNaming.md} (62%) rename docs/en/rules/{Azure.PostgreSQL.Naming.md => Azure.PostgreSQL.ServerNaming.md} (61%) diff --git a/docs/en/rules/Azure.MySQL.ServerName.md b/docs/en/rules/Azure.MySQL.ServerName.md index 56ff0eca7b8..b47a267344b 100644 --- a/docs/en/rules/Azure.MySQL.ServerName.md +++ b/docs/en/rules/Azure.MySQL.ServerName.md @@ -1,7 +1,7 @@ --- severity: Awareness pillar: Operational Excellence -category: Repeatable infrastructure +category: OE:04 Continuous integration resource: Azure Database for MySQL resourceType: Microsoft.DBforMySQL/servers online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.MySQL.ServerName/ 
@@ -34,5 +34,10 @@ This rule does not check if Azure MySQL DB server names are unique. ## LINKS -- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) -- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftdbformysql) +- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/servers) diff --git a/docs/en/rules/Azure.MySQL.Naming.md b/docs/en/rules/Azure.MySQL.ServerNaming.md similarity index 62% rename from docs/en/rules/Azure.MySQL.Naming.md rename to docs/en/rules/Azure.MySQL.ServerNaming.md index 5ea4379aeab..1ea71d20f57 100644 --- a/docs/en/rules/Azure.MySQL.Naming.md +++ b/docs/en/rules/Azure.MySQL.ServerNaming.md 
@@ -1,10 +1,10 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-11-01 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes -resource: MySQL database server -resourceType: Microsoft.DBforMySQL/servers +resource: Azure Database for MySQL +resourceType: Microsoft.DBforMySQL/flexibleServers,Microsoft.DBforMySQL/servers online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.MySQL.Naming/ --- @@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy servers that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -62,16 +62,91 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource flexible 'Microsoft.DBforMySQL/flexibleServers@2024-12-30' = { + name: name + location: location + sku: { + name: 'Standard_D16as' + tier: 'GeneralPurpose' + } + properties: { + createMode: 'Default' + version: '8.0.21' + administratorLogin: administratorLogin + administratorLoginPassword: administratorLoginPassword + highAvailability: { + mode: 'ZoneRedundant' + } + maintenanceWindow: { + customWindow: 'Enabled' + dayOfWeek: 0 + startHour: 1 + startMinute: 0 + } + } +} ``` ### Configure with Azure template -To deploy resources that pass this rule: +To deploy servers that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers", + "apiVersion": "2024-12-30", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_D16as", + "tier": "GeneralPurpose" + }, + "properties": { + "createMode": "Default", + "version": "8.0.21", + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", + "highAvailability": { + "mode": "ZoneRedundant" + }, + "maintenanceWindow": { + "customWindow": "Enabled", + "dayOfWeek": 0, + "startHour": 1, + "startMinute": 0 + } + } + } + ] +} +``` + ## NOTES This rule does not check if MySQL database server resource names are unique. @@ -99,3 +174,4 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbformysql/flexibleservers) diff --git a/docs/en/rules/Azure.PostgreSQL.ServerName.md b/docs/en/rules/Azure.PostgreSQL.ServerName.md index fc85a23fc3a..ba7bf20a9e2 100644 --- a/docs/en/rules/Azure.PostgreSQL.ServerName.md +++ b/docs/en/rules/Azure.PostgreSQL.ServerName.md @@ -1,7 +1,7 @@ --- severity: Awareness pillar: Operational Excellence -category: Repeatable infrastructure +category: OE:04 Continuous integration resource: Azure Database for PostgreSQL resourceType: Microsoft.DBforPostgreSQL/servers online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.PostgreSQL.ServerName/ 
@@ -34,5 +34,10 @@ This rule does not check if Azure PostgreSQL DB server names are unique. ## LINKS -- [Repeatable infrastructure](https://learn.microsoft.com/azure/architecture/framework/devops/automation-infrastructure) -- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules#microsoftdbforpostgresql) +- [OE:04 Continuous integration](https://learn.microsoft.com/azure/well-architected/operational-excellence/release-engineering-continuous-integration) +- [Operational Excellence: Level 2](https://learn.microsoft.com/azure/well-architected/operational-excellence/maturity-model?tabs=level2) +- [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) +- [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/servers) diff --git a/docs/en/rules/Azure.PostgreSQL.Naming.md b/docs/en/rules/Azure.PostgreSQL.ServerNaming.md similarity index 61% rename from docs/en/rules/Azure.PostgreSQL.Naming.md rename to docs/en/rules/Azure.PostgreSQL.ServerNaming.md index 7f14b1e07ef..2bbef5ae469 100644 --- a/docs/en/rules/Azure.PostgreSQL.Naming.md +++ b/docs/en/rules/Azure.PostgreSQL.ServerNaming.md 
@@ -1,10 +1,10 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-11-01 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes -resource: PostgreSQL database server -resourceType: Microsoft.DBforPostgreSQL/servers +resource: Azure Database for PostgreSQL +resourceType: Microsoft.DBforPostgreSQL/flexibleServers,Microsoft.DBforPostgreSQL/servers online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.PostgreSQL.Naming/ --- @@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy servers that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -62,16 +62,99 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2024-08-01' = { + name: name + location: location + sku: { + name: 'Standard_D2ds_v4' + tier: 'GeneralPurpose' + } + properties: { + createMode: 'Default' + authConfig: { + activeDirectoryAuth: 'Enabled' + passwordAuth: 'Disabled' + tenantId: tenant().tenantId + } + version: '14' + storage: { + storageSizeGB: 32 + } + backup: { + backupRetentionDays: 7 + geoRedundantBackup: 'Enabled' + } + highAvailability: { + mode: 'ZoneRedundant' + } + } +} ``` ### Configure with Azure template -To deploy resources that pass this rule: +To deploy servers that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/flexibleServers", + "apiVersion": "2024-08-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_D2ds_v4", + "tier": "GeneralPurpose" + }, + "properties": { + "createMode": "Default", + "authConfig": { + "activeDirectoryAuth": "Enabled", + "passwordAuth": "Disabled", + "tenantId": "[tenant().tenantId]" + }, + "version": "14", + "storage": { + "storageSizeGB": 32 + }, + "backup": { + "backupRetentionDays": 7, + "geoRedundantBackup": "Enabled" + }, + "highAvailability": { + "mode": "ZoneRedundant" + } + } + } + ] +} +``` + ## NOTES This rule does not check if PostgreSQL database server resource names are unique. @@ -99,3 +182,4 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/flexibleservers) diff --git a/docs/en/rules/Azure.VM.Naming.md b/docs/en/rules/Azure.VM.Naming.md index e36536bbd3c..3400ac661cf 100644 --- a/docs/en/rules/Azure.VM.Naming.md +++ b/docs/en/rules/Azure.VM.Naming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-04-25 +reviewed: 2025-11-01 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes diff --git a/docs/examples/resources/mysql.bicep b/docs/examples/resources/mysql.bicep index 67ca9d29770..4b79cd9e86d 100644 --- a/docs/examples/resources/mysql.bicep +++ b/docs/examples/resources/mysql.bicep 
@@ -3,20 +3,22 @@ // Bicep documentation examples -@sys.description('The name of the resource.') +@minLength(3) +@maxLength(63) +@description('The name of the resource.') param name string -@sys.description('The location resources will be deployed.') +@description('The location resources will be deployed.') param location string = resourceGroup().location -@sys.description('The login for an administrator.') +@description('The login for an administrator.') param administratorLogin string @secure() @description('A default administrator password.') param administratorLoginPassword string -@sys.description('The object GUID for an administrator account.') +@description('The object GUID for an administrator account.') param loginObjectId string // An example Azure Database for MySQL using the single server deployment model. @@ -57,7 +59,7 @@ resource entraForSingleServer 'Microsoft.DBforMySQL/servers/administrators@2017- } } -resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2023-12-30' = { +resource flexible 'Microsoft.DBforMySQL/flexibleServers@2024-12-30' = { name: name location: location sku: { diff --git a/docs/examples/resources/mysql.json b/docs/examples/resources/mysql.json index ee0ff17a861..9b0751df0dc 100644 --- a/docs/examples/resources/mysql.json +++ b/docs/examples/resources/mysql.json @@ -4,13 +4,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "14190762334901930442" + "version": "0.38.33.27573", + "templateHash": "6762710448519896098" } }, "parameters": { "name": { "type": "string", + "minLength": 3, + "maxLength": 63, "metadata": { "description": "The name of the resource." } @@ -85,7 +87,7 @@ }, { "type": "Microsoft.DBforMySQL/flexibleServers", - "apiVersion": "2023-12-30", + "apiVersion": "2024-12-30", "name": "[parameters('name')]", "location": "[parameters('location')]", "sku": { 
diff --git a/docs/examples/resources/postgresql.bicep b/docs/examples/resources/postgresql.bicep index e40de0c226a..f3bbbf40b7a 100644 --- a/docs/examples/resources/postgresql.bicep +++ b/docs/examples/resources/postgresql.bicep @@ -3,20 +3,22 @@ // Bicep documentation examples -@sys.description('The name of the resource.') +@minLength(3) +@maxLength(63) +@description('The name of the resource.') param name string -@sys.description('The location resources will be deployed.') +@description('The location resources will be deployed.') param location string = resourceGroup().location -@sys.description('The login for an administrator.') +@description('The login for an administrator.') param localAdministrator string @secure() @description('A default administrator password.') param localAdministratorPassword string -@sys.description('The object GUID for an administrator account.') +@description('The object GUID for an administrator account.') param loginObjectId string // An example PostgreSQL server. @@ -47,7 +49,7 @@ resource single_admin 'Microsoft.DBforPostgreSQL/servers/administrators@2017-12- } // An example PostgreSQL using the flexible server model. -resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = { +resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2024-08-01' = { name: name location: location sku: { @@ -76,7 +78,7 @@ resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = { } // Configure administrators for a flexible server. -resource flexible_admin 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2022-12-01' = { +resource flexible_admin 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2024-08-01' = { parent: flexible name: loginObjectId properties: { diff --git a/docs/examples/resources/postgresql.json b/docs/examples/resources/postgresql.json index 0c295b4c2bf..acfa973d40d 100644 --- a/docs/examples/resources/postgresql.json +++ b/docs/examples/resources/postgresql.json 
@@ -4,13 +4,15 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.25.53.49325",
- "templateHash": "1186622257126358354"
+ "version": "0.38.33.27573",
+ "templateHash": "7375294002453194062"
 }
 },
 "parameters": {
 "name": {
 "type": "string",
+ "minLength": 3,
+ "maxLength": 63,
 "metadata": {
 "description": "The name of the resource."
 }
@@ -73,7 +75,7 @@
 },
 {
 "type": "Microsoft.DBforPostgreSQL/flexibleServers",
- "apiVersion": "2022-12-01",
+ "apiVersion": "2024-08-01",
 "name": "[parameters('name')]",
 "location": "[parameters('location')]",
 "sku": {
@@ -102,7 +104,7 @@
 },
 {
 "type": "Microsoft.DBforPostgreSQL/flexibleServers/administrators",
- "apiVersion": "2022-12-01",
+ "apiVersion": "2024-08-01",
 "name": "[format('{0}/{1}', parameters('name'), parameters('loginObjectId'))]",
 "properties": {
 "principalType": "ServicePrincipal",
diff --git a/pipeline.build.ps1 b/pipeline.build.ps1
index 665b5f5943f..d0515f48bf5 100644
--- a/pipeline.build.ps1
+++ b/pipeline.build.ps1
@@ -402,6 +402,7 @@ task BuildRuleMetadataCache {
 Recommendation = $_.Info.Recommendation
 Pillar = $_.Tag.'Azure.WAF/pillar'
 Control = $_.Labels.'Azure.MCSB.v1/control'
+ Maturity = $_.Labels.'Azure.WAF/maturity'
 Source = "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/$(($_.Source.Path -split '[/\\]')[-1])"
 }
 }
@@ -430,6 +431,7 @@ task BuildRuleMetadataCache {
 Recommendation = $_.Info.Recommendation
 Pillar = $_.Tag.'Azure.WAF/pillar'
 Control = $_.Labels.'Azure.MCSB.v1/control'
+ Maturity = $_.Labels.'Azure.WAF/maturity'
 Source = "https://github.com/Azure/PSRule.Rules.Azure/blob/main/src/PSRule.Rules.Azure/rules/$(($_.Source.Path -split '[/\\]')[-1])"
 }
 }
diff --git a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1
index a6eb42eabbc..146096c63bf 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.MySQL.Rule.ps1
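Review bot: The new `Maturity = $_.Labels.'Azure.WAF/maturity'` line is pasted identically into both hashtables of `BuildRuleMetadataCache`, so the two record shapes now have to be kept in sync by hand alongside the already-duplicated `Pillar`, `Control` and `Source` fields; building the record in one helper called from both places would remove that drift risk. Rules that do not carry the `Azure.WAF/maturity` label will yield `$null` for this field, which is fine as long as consumers of the cache treat it as optional — a comment such as `# Maturity is unset for rules without an Azure.WAF/maturity label` on the new line would make that contract explicit. The task body continues outside both hunks.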
@@ -207,7 +207,7 @@ function global:MySQLSingleServerAAD {
 #region Naming rules
 
 # Synopsis: MySQL databases without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.MySQL.Naming' -Ref 'AZR-000521' -Type 'Microsoft.DBforMySQL/servers', 'Microsoft.DBforMySQL/flexibleServers' -If { $Configuration['AZURE_MYSQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
+Rule 'Azure.MySQL.ServerNaming' -Ref 'AZR-000521' -Type 'Microsoft.DBforMySQL/servers', 'Microsoft.DBforMySQL/flexibleServers' -If { $Configuration['AZURE_MYSQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
 $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_MYSQL_SERVER_NAME_FORMAT, $True);
 }
 
diff --git a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1
index dd922740d2a..7f27d774adf 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.PostgreSQL.Rule.ps1
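Review bot: The synopsis kept on the context line above the renamed rule still reads `MySQL databases without a standard naming convention…`, while the rule targets `Microsoft.DBforMySQL/servers` and `flexibleServers`; suggest `# Synopsis: MySQL servers without a standard naming convention may be difficult to identify and manage.` so the generated help matches the new `Azure.MySQL.ServerNaming` name. The same wording mismatch exists in the PostgreSQL rule rename in the next hunk. The renamed documentation pages for both rules (`Azure.MySQL.ServerNaming.md` and `Azure.PostgreSQL.ServerNaming.md`, earlier in this patch) still carry the old `online version` slugs `/rules/Azure.MySQL.Naming/` and `/rules/Azure.PostgreSQL.Naming/` in their unchanged front matter, so the published link will not match the new page names unless those are updated or a redirect is kept.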
@@ -170,7 +170,7 @@ function global:PostgreSQLSingleServerAAD { #region Naming rules # Synopsis: PostgreSQL databases without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.PostgreSQL.Naming' -Ref 'AZR-000522' -Type 'Microsoft.DBforPostgreSQL/servers', 'Microsoft.DBforPostgreSQL/flexibleServers' -If { $Configuration['AZURE_POSTGRESQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.PostgreSQL.ServerNaming' -Ref 'AZR-000522' -Type 'Microsoft.DBforPostgreSQL/servers', 'Microsoft.DBforPostgreSQL/flexibleServers' -If { $Configuration['AZURE_POSTGRESQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_POSTGRESQL_SERVER_NAME_FORMAT, $True); } diff --git a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml index 4eff525254b..f4b77f2e604 100644 --- a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml @@ -106,7 +106,9 @@ spec: AZURE_GATEWAY_CONNECTION_NAME_FORMAT: '' AZURE_LOAD_BALANCER_NAME_FORMAT: '' AZURE_LOG_WORKSPACE_NAME_FORMAT: '' + AZURE_MYSQL_SERVER_NAME_FORMAT: '' AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT: '' + AZURE_POSTGRESQL_SERVER_NAME_FORMAT: '' AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT: '' AZURE_REDIS_CACHE_NAME_FORMAT: '' AZURE_RESOURCE_GROUP_NAME_FORMAT: '' diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 index f8f14939da7..eb0e5f43777 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.MySQL.Tests.ps1 
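Review bot: As with the MySQL rule, the Synopsis above `Azure.PostgreSQL.ServerNaming` still says `# Synopsis: PostgreSQL databases without a standard naming convention may be difficult to identify and manage.` although the rule is scoped to `Microsoft.DBforPostgreSQL/servers` and `flexibleServers`, and the documentation page is titled "PostgreSQL database server resources must use standard naming". I'd update it to `# Synopsis: PostgreSQL database servers without a standard naming convention may be difficult to identify and manage.` so the description shown in PSRule output matches what the rule actually evaluates.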
@@ -331,12 +331,12 @@ Describe 'Azure.MySQL' -Tag 'MySql' { } }); - $result = $items | Invoke-PSRule @invokeParams -Option $option + $result = $items | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.MySQL.ServerNaming' } - It 'Azure.MySQL.Naming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.MySQL.Naming' }; - + It 'Azure.MySQL.ServerNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.MySQL.ServerNaming' }; + # Fail $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); $ruleResult | Should -Not -BeNullOrEmpty; diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1 index 5477531c8dc..8d9f7f3f73f 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.PostgreSQL.Tests.ps1 @@ -307,12 +307,12 @@ Describe 'Azure.PostgreSQL' -Tag 'PostgreSQL' { } }); - $result = $items | Invoke-PSRule @invokeParams -Option $option + $result = $items | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.PostgreSQL.ServerNaming' } - It 'Azure.PostgreSQL.Naming' { - $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.PostgreSQL.Naming' }; - + It 'Azure.PostgreSQL.ServerNaming' { + $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.PostgreSQL.ServerNaming' }; + # Fail $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); $ruleResult | Should -Not -BeNullOrEmpty; From b8b7ffa869fdd4537c7dd1faa8c1b0efaee0ef59 Mon Sep 17 00:00:00 2001 From: Bernie White Date: Sat, 1 Nov 2025 05:46:31 +0000 Subject: [PATCH 18/32] Updates --- docs/en/rules/Azure.MySQL.ServerNaming.md | 2 +- docs/en/rules/Azure.PostgreSQL.ServerNaming.md | 2 +- docs/en/rules/Azure.RedisEnterprise.Naming.md | 3 ++- docs/en/rules/Azure.RedisEnterprise.Zones.md | 2 +- docs/examples/resources/redisenterprise.bicep | 2 +- 5 files changed, 6 insertions(+), 5 deletions(-) 
diff --git a/docs/en/rules/Azure.MySQL.ServerNaming.md b/docs/en/rules/Azure.MySQL.ServerNaming.md index 1ea71d20f57..9e4fff43a56 100644 --- a/docs/en/rules/Azure.MySQL.ServerNaming.md +++ b/docs/en/rules/Azure.MySQL.ServerNaming.md @@ -5,7 +5,7 @@ pillar: Operational Excellence category: OE:04 Tools and processes resource: Azure Database for MySQL resourceType: Microsoft.DBforMySQL/flexibleServers,Microsoft.DBforMySQL/servers -online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.MySQL.Naming/ +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.MySQL.ServerNaming/ --- # MySQL database server resources must use standard naming diff --git a/docs/en/rules/Azure.PostgreSQL.ServerNaming.md b/docs/en/rules/Azure.PostgreSQL.ServerNaming.md index 2bbef5ae469..534882d9393 100644 --- a/docs/en/rules/Azure.PostgreSQL.ServerNaming.md +++ b/docs/en/rules/Azure.PostgreSQL.ServerNaming.md @@ -5,7 +5,7 @@ pillar: Operational Excellence category: OE:04 Tools and processes resource: Azure Database for PostgreSQL resourceType: Microsoft.DBforPostgreSQL/flexibleServers,Microsoft.DBforPostgreSQL/servers -online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.PostgreSQL.Naming/ +online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.PostgreSQL.ServerNaming/ --- # PostgreSQL database server resources must use standard naming diff --git a/docs/en/rules/Azure.RedisEnterprise.Naming.md b/docs/en/rules/Azure.RedisEnterprise.Naming.md index a46ef405d2b..8407425f469 100644 --- a/docs/en/rules/Azure.RedisEnterprise.Naming.md +++ b/docs/en/rules/Azure.RedisEnterprise.Naming.md @@ -4,7 +4,7 @@ severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes resource: Azure Managed Redis -resourceType: Microsoft.Cache/RedisEnterprise +resourceType: Microsoft.Cache/redisEnterprise online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.RedisEnterprise.Naming/ --- 
@@ -99,3 +99,4 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise) diff --git a/docs/en/rules/Azure.RedisEnterprise.Zones.md b/docs/en/rules/Azure.RedisEnterprise.Zones.md index c6100f576c1..027e837b49f 100644 --- a/docs/en/rules/Azure.RedisEnterprise.Zones.md +++ b/docs/en/rules/Azure.RedisEnterprise.Zones.md @@ -155,4 +155,4 @@ configuration: - [RE:05 Regions and availability zones](https://learn.microsoft.com/azure/well-architected/reliability/regions-availability-zones) - [Enable zone redundancy for Azure Cache for Redis](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-how-to-zone-redundancy) - [High availability for Azure Cache for Redis](https://learn.microsoft.com/azure/azure-cache-for-redis/cache-high-availability) -- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise?tabs=json) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise) diff --git a/docs/examples/resources/redisenterprise.bicep b/docs/examples/resources/redisenterprise.bicep index 08f0d7b4f4b..7421182fd75 100644 --- a/docs/examples/resources/redisenterprise.bicep +++ b/docs/examples/resources/redisenterprise.bicep 
@@ -10,7 +10,7 @@ param name string param location string = resourceGroup().location // An example Redis Enterprise cache. -resource cache 'Microsoft.Cache/redisEnterprise@2024-02-01' = { +resource cache 'Microsoft.Cache/redisEnterprise@2025-04-01' = { name: name location: location sku: { From f57cde4741298de7bd69cd3dd7caa49f727eb565 Mon Sep 17 00:00:00 2001 From: Bernie White Date: Sat, 15 Nov 2025 14:47:05 +0000 Subject: [PATCH 19/32] Updates --- src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 | 2 +- src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 | 6 +++--- .../rules/Azure.ContainerApp.Rule.ps1 | 6 +++--- src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 | 14 +++++++------- src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 | 2 +- .../rules/Azure.RedisEnterprise.Rule.ps1 | 2 +- src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 | 8 ++++---- src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 | 2 +- .../rules/Azure.ServiceFabric.Rule.ps1 | 4 ++-- 9 files changed, 23 insertions(+), 23 deletions(-) diff --git a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 index dbbe9e86055..494401883dc 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.ps1 
@@ -76,7 +76,7 @@ Rule 'Azure.ACR.ReplicaLocation' -Ref 'AZR-000494' -Type 'Microsoft.ContainerReg } # Synopsis: Container registries without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.ACR.Naming' -Ref 'AZR-000504' -Type 'Microsoft.ContainerRegistry/registries' -If { $Configuration['AZURE_CONTAINER_REGISTRY_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.ACR.Naming' -Ref 'AZR-000506' -Type 'Microsoft.ContainerRegistry/registries' -If { $Configuration['AZURE_CONTAINER_REGISTRY_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_REGISTRY_NAME_FORMAT, $True); } diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 index aae4d21251e..a6d9b73129e 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.ps1 
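Review bot: Changing `-Ref 'AZR-000504'` to `-Ref 'AZR-000506'` rewrites the stable identifier that baselines, suppression entries and the rule's documentation page key on, yet the diffstat for this commit lists only the nine rule scripts. If the corresponding `docs/en/rules/*.md` pages carry the reference in their front matter (I cannot see a `ref:` field in the excerpts visible here, so please confirm), they need the same renumbering in this commit or the docs will name identifiers that no longer exist. Note also that `AZR-000506` was, before this commit, the reference of `Azure.ServiceFabric.Naming`, which is moved to `AZR-000530` in the same change; the renumbering is collision-free only if all nine files land together, so this should not be split across merges.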
@@ -345,12 +345,12 @@ Rule 'Azure.AKS.MaintenanceWindow' -Ref 'AZR-000446' -Type 'Microsoft.ContainerS } # Synopsis: AKS clusters without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.AKS.Naming' -Ref 'AZR-000499' -Type 'Microsoft.ContainerService/managedClusters' -If { $Configuration['AZURE_AKS_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.AKS.Naming' -Ref 'AZR-000507' -Type 'Microsoft.ContainerService/managedClusters' -If { $Configuration['AZURE_AKS_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_AKS_CLUSTER_NAME_FORMAT, $True); } # Synopsis: AKS system node pools without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000524' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_SYSTEM_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000508' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_SYSTEM_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $agentPools = @(GetAgentPoolProfiles | Where-Object { $_.mode -eq 'System' }); if ($agentPools.Length -eq 0) { return $Assert.Pass(); 
@@ -361,7 +361,7 @@ Rule 'Azure.AKS.SystemPoolNaming' -Ref 'AZR-000524' -Type 'Microsoft.ContainerSe } # Synopsis: AKS user node pools without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.AKS.UserPoolNaming' -Ref 'AZR-000500' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_USER_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.AKS.UserPoolNaming' -Ref 'AZR-000509' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -If { $Configuration['AZURE_AKS_USER_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $agentPools = @(GetAgentPoolProfiles | Where-Object { $_.mode -eq 'User' }); if ($agentPools.Length -eq 0) { return $Assert.Pass(); diff --git a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 index bb7a58ecc06..799a8c8f9ab 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.ContainerApp.Rule.ps1 
@@ -34,17 +34,17 @@ Rule 'Azure.ContainerApp.AvailabilityZone' -Ref 'AZR-000414' -Type 'Microsoft.Ap } # Synopsis: Container apps without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.ContainerApp.Naming' -Ref 'AZR-000501' -Type 'Microsoft.App/containerApps' -If { $Configuration['AZURE_CONTAINER_APP_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.ContainerApp.Naming' -Ref 'AZR-000510' -Type 'Microsoft.App/containerApps' -If { $Configuration['AZURE_CONTAINER_APP_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_NAME_FORMAT, $True); } # Synopsis: Container apps environments without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.ContainerApp.EnvNaming' -Ref 'AZR-000502' -Type 'Microsoft.App/managedEnvironments' -If { $Configuration['AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.ContainerApp.EnvNaming' -Ref 'AZR-000511' -Type 'Microsoft.App/managedEnvironments' -If { $Configuration['AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT, $True); } # Synopsis: Container apps jobs without a standard naming convention may be difficult to identify and manage. 
-Rule 'Azure.ContainerApp.JobNaming' -Ref 'AZR-000503' -Type 'Microsoft.App/jobs' -If { $Configuration['AZURE_CONTAINER_APP_JOB_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.ContainerApp.JobNaming' -Ref 'AZR-000512' -Type 'Microsoft.App/jobs' -If { $Configuration['AZURE_CONTAINER_APP_JOB_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_CONTAINER_APP_JOB_NAME_FORMAT, $True); } diff --git a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 index 70b6afbc734..5a25b0120e2 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.ps1 
@@ -19,37 +19,37 @@ Rule 'Azure.Cosmos.DisableLocalAuth' -Ref 'AZR-000420' -Type 'Microsoft.Document } # Synopsis: Azure Cosmos DB for Apache Cassandra accounts without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.Cosmos.CassandraNaming' -Ref 'AZR-000508' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsCassandra' -If { $Configuration['AZURE_COSMOS_CASSANDRA_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Cosmos.CassandraNaming' -Ref 'AZR-000513' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsCassandra' -If { $Configuration['AZURE_COSMOS_CASSANDRA_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_CASSANDRA_NAME_FORMAT, $True); } # Synopsis: Azure Cosmos DB for MongoDB accounts without a standard naming convention may be difficult to identify and manage. 
-Rule 'Azure.Cosmos.MongoNaming' -Ref 'AZR-000509' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_MONGO_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'MongoDB' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Cosmos.MongoNaming' -Ref 'AZR-000514' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_MONGO_NAME_FORMAT'] -ne '' -and $TargetObject.kind -eq 'MongoDB' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_MONGO_NAME_FORMAT, $True); } # Synopsis: Azure Cosmos DB for NoSQL accounts without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.Cosmos.NoSQLNaming' -Ref 'AZR-000510' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_NOSQL_NAME_FORMAT'] -ne '' -and (Test-IsNoSQL) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Cosmos.NoSQLNaming' -Ref 'AZR-000515' -Type 'Microsoft.DocumentDb/databaseAccounts' -If { $Configuration['AZURE_COSMOS_NOSQL_NAME_FORMAT'] -ne '' -and (Test-IsNoSQL) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_NOSQL_NAME_FORMAT, $True); } # Synopsis: Azure Cosmos DB for Table accounts without a standard naming convention may be difficult to identify and manage. 
-Rule 'Azure.Cosmos.TableNaming' -Ref 'AZR-000511' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsTable' -If { $Configuration['AZURE_COSMOS_TABLE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Cosmos.TableNaming' -Ref 'AZR-000516' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsTable' -If { $Configuration['AZURE_COSMOS_TABLE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_TABLE_NAME_FORMAT, $True); } # Synopsis: Azure Cosmos DB for Apache Gremlin accounts without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.Cosmos.GremlinNaming' -Ref 'AZR-000512' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsGremlin' -If { $Configuration['AZURE_COSMOS_GREMLIN_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Cosmos.GremlinNaming' -Ref 'AZR-000517' -Type 'Microsoft.DocumentDb/databaseAccounts' -With 'Azure.Cosmos.IsGremlin' -If { $Configuration['AZURE_COSMOS_GREMLIN_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_GREMLIN_NAME_FORMAT, $True); } # Synopsis: Azure Cosmos DB PostgreSQL clusters without a standard naming convention may be difficult to identify and manage. 
-Rule 'Azure.Cosmos.PostgreSQLNaming' -Ref 'AZR-000513' -Type 'Microsoft.DBforPostgreSQL/serverGroupsv2' -If { $Configuration['AZURE_COSMOS_POSTGRESQL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Cosmos.PostgreSQLNaming' -Ref 'AZR-000518' -Type 'Microsoft.DBforPostgreSQL/serverGroupsv2' -If { $Configuration['AZURE_COSMOS_POSTGRESQL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_POSTGRESQL_NAME_FORMAT, $True); } # Synopsis: Azure Cosmos DB databases without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.Cosmos.DatabaseNaming' -Ref 'AZR-000514' -Type 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases' -If { $Configuration['AZURE_COSMOS_DATABASE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Cosmos.DatabaseNaming' -Ref 'AZR-000519' -Type 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases' -If { $Configuration['AZURE_COSMOS_DATABASE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_COSMOS_DATABASE_NAME_FORMAT, $True); } diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 index b8d92ad6a94..8c5ce1619b4 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.ps1 
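Review bot: Within this one hunk the Cosmos API kind is detected three different ways: `Azure.Cosmos.MongoNaming` tests `$TargetObject.kind -eq 'MongoDB'` inline in its `-If` block, `Azure.Cosmos.NoSQLNaming` calls a `Test-IsNoSQL` helper, and the Cassandra, Table and Gremlin rules use `-With 'Azure.Cosmos.IsCassandra'`-style selectors. Since these rules are otherwise identical, I'd make the Mongo rule use a selector too, `-With 'Azure.Cosmos.IsMongo' -If { $Configuration['AZURE_COSMOS_MONGO_NAME_FORMAT'] -ne '' }`, so the kind test lives in one place and the case-insensitive `-eq` versus selector semantics cannot diverge; I'm assuming such a selector exists or can be added next to the others, which is not visible from this hunk. The `Test-IsNoSQL` helper and the selector definitions are outside the hunk.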
@@ -191,7 +191,7 @@ function global:HasPublicNetworkAccess { #region Naming rules # Synopsis: Azure Cache for Redis instances without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.Redis.Naming' -Ref 'AZR-000515' -Type 'Microsoft.Cache/Redis' -If { $Configuration['AZURE_REDIS_CACHE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.Redis.Naming' -Ref 'AZR-000523' -Type 'Microsoft.Cache/Redis' -If { $Configuration['AZURE_REDIS_CACHE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_REDIS_CACHE_NAME_FORMAT, $True); } diff --git a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 index 2a884d72b74..1bdb435ca85 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 
@@ -8,7 +8,7 @@ #region Naming rules # Synopsis: Azure Managed Redis instances without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.RedisEnterprise.Naming' -Ref 'AZR-000516' -Type 'Microsoft.Cache/RedisEnterprise' -If { $Configuration['AZURE_REDIS_ENTERPRISE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.RedisEnterprise.Naming' -Ref 'AZR-000524' -Type 'Microsoft.Cache/RedisEnterprise' -If { $Configuration['AZURE_REDIS_ENTERPRISE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_REDIS_ENTERPRISE_NAME_FORMAT, $True); } diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 index 495e705ad28..fad5a70dbbf 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.SQL.Rule.ps1 
@@ -259,22 +259,22 @@ function global:IsMasterDatabase { #region Naming rules # Synopsis: Azure SQL Database servers without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.SQL.ServerNaming' -Ref 'AZR-000517' -Type 'Microsoft.Sql/servers' -If { $Configuration['AZURE_SQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.SQL.ServerNaming' -Ref 'AZR-000525' -Type 'Microsoft.Sql/servers' -If { $Configuration['AZURE_SQL_SERVER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_SERVER_NAME_FORMAT, $True); } # Synopsis: Azure SQL databases without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.SQL.DBNaming' -Ref 'AZR-000518' -Type 'Microsoft.Sql/servers/databases' -If { $Configuration['AZURE_SQL_DATABASE_NAME_FORMAT'] -ne '' -and !(IsMasterDatabase) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.SQL.DBNaming' -Ref 'AZR-000526' -Type 'Microsoft.Sql/servers/databases' -If { $Configuration['AZURE_SQL_DATABASE_NAME_FORMAT'] -ne '' -and !(IsMasterDatabase) } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_DATABASE_NAME_FORMAT, $True); } # Synopsis: Azure SQL Elastic Job agents without a standard naming convention may be difficult to identify and manage. 
-Rule 'Azure.SQL.JobAgentNaming' -Ref 'AZR-000519' -Type 'Microsoft.Sql/servers/jobAgents' -If { $Configuration['AZURE_SQL_JOB_AGENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.SQL.JobAgentNaming' -Ref 'AZR-000527' -Type 'Microsoft.Sql/servers/jobAgents' -If { $Configuration['AZURE_SQL_JOB_AGENT_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_JOB_AGENT_NAME_FORMAT, $True); } # Synopsis: Azure SQL Elastic Pools without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.SQL.ElasticPoolNaming' -Ref 'AZR-000520' -Type 'Microsoft.Sql/servers/elasticPools' -If { $Configuration['AZURE_SQL_ELASTIC_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.SQL.ElasticPoolNaming' -Ref 'AZR-000528' -Type 'Microsoft.Sql/servers/elasticPools' -If { $Configuration['AZURE_SQL_ELASTIC_POOL_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_ELASTIC_POOL_NAME_FORMAT, $True); } diff --git a/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 index f7bee064ba7..72e6b3fb016 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.SQLMI.Rule.ps1 
@@ -63,7 +63,7 @@ Rule 'Azure.SQLMI.MaintenanceWindow' -Ref 'AZR-000441' -Type 'Microsoft.Sql/mana } # Synopsis: SQL Managed Instances without a standard naming convention may be difficult to identify and manage. -Rule 'Azure.SQLMI.Naming' -Ref 'AZR-000523' -Type 'Microsoft.Sql/managedInstances' -If { $Configuration['AZURE_SQL_MI_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { +Rule 'Azure.SQLMI.Naming' -Ref 'AZR-000529' -Type 'Microsoft.Sql/managedInstances' -If { $Configuration['AZURE_SQL_MI_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } { $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SQL_MI_NAME_FORMAT, $True); } diff --git a/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1 index d385f06cb45..8d1bb086cb7 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1 +++ b/src/PSRule.Rules.Azure/rules/Azure.ServiceFabric.Rule.ps1 
@@ -8,12 +8,12 @@
 #region Naming rules
 # Synopsis: Service Fabric clusters without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.ServiceFabric.Naming' -Ref 'AZR-000506' -Type 'Microsoft.ServiceFabric/clusters' -If { $Configuration['AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
+Rule 'Azure.ServiceFabric.Naming' -Ref 'AZR-000530' -Type 'Microsoft.ServiceFabric/clusters' -If { $Configuration['AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
 $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT, $True);
 }
 # Synopsis: Service Fabric managed clusters without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.ServiceFabric.ManagedNaming' -Ref 'AZR-000507' -Type 'Microsoft.ServiceFabric/managedClusters' -If { $Configuration['AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
+Rule 'Azure.ServiceFabric.ManagedNaming' -Ref 'AZR-000531' -Type 'Microsoft.ServiceFabric/managedClusters' -If { $Configuration['AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
 $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT, $True);
 }
From fedfad46a5dd6a7ce8bf8ba6e34fa925931d3907 Mon Sep 17 00:00:00 2001
From: Bernie White Date: Sat, 15 Nov 2025 15:33:38 +0000 Subject: [PATCH 20/32] Updates --- docs/en/rules/Azure.Redis.Naming.md | 11 +-- docs/en/rules/Azure.RedisEnterprise.Naming.md | 96 +++++++++++++++---- docs/en/rules/Azure.RedisEnterprise.Zones.md | 2 + docs/examples/resources/redisenterprise.bicep | 2 + docs/examples/resources/redisenterprise.json | 8 +- docs/setup/setup-naming-and-tagging.md | 2 +- .../rules/Azure.Redis.Rule.yaml | 32 +++++++ .../rules/Azure.RedisEnterprise.Rule.ps1 | 2 +- .../rules/Azure.RedisEnterprise.Rule.yaml | 4 +- src/PSRule.Rules.Azure/rules/CAF.Rule.yaml | 2 +- src/PSRule.Rules.Azure/rules/Config.Rule.yaml | 1 + 11 files changed, 130 insertions(+), 32 deletions(-) diff --git a/docs/en/rules/Azure.Redis.Naming.md b/docs/en/rules/Azure.Redis.Naming.md index 2baec42449c..e277643fcc7 100644 --- a/docs/en/rules/Azure.Redis.Naming.md +++ b/docs/en/rules/Azure.Redis.Naming.md @@ -104,18 +104,11 @@ For example: { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.34.44.8038", - "templateHash": "1334073252436312734" - } - }, "parameters": { "name": { "type": "string", - "minLength": 2, - "maxLength": 64, + "minLength": 1, + "maxLength": 63, "metadata": { "description": "The name of the resource." } diff --git a/docs/en/rules/Azure.RedisEnterprise.Naming.md b/docs/en/rules/Azure.RedisEnterprise.Naming.md index 8407425f469..927aec1f06a 100644 --- a/docs/en/rules/Azure.RedisEnterprise.Naming.md +++ b/docs/en/rules/Azure.RedisEnterprise.Naming.md 
@@ -1,18 +1,18 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-11-16 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes -resource: Azure Managed Redis +resource: Azure Cache for Redis Enterprise resourceType: Microsoft.Cache/redisEnterprise online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.RedisEnterprise.Naming/ --- -# Azure Managed Redis resources must use standard naming +# Azure Cache for Redis Enterprise resources must use standard naming ## SYNOPSIS -Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. +Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. ## DESCRIPTION 
@@ -29,24 +29,25 @@ Some of the benefits of using standardized tagging and naming conventions are: For example, if you come upon a security incident, it's critical to quickly identify affected systems, the functions that those systems support, and the potential business impact. -For Azure Managed Redis, the Cloud Adoption Framework (CAF) recommends using the `amr-` prefix. +For Azure Cache for Redis Enterprise, the Cloud Adoption Framework (CAF) recommends using the `amr-` prefix. -Requirements for Azure Managed Redis resource names: +Requirements for Azure Cache for Redis Enterprise resource names: -- Between 1 and 80 characters long. -- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). -- Resource names must be unique within their scope. +- Between 1 and 63 characters long. +- Can include alphanumeric, and hyphen characters. +- Can only start and end with a letter or number. +- Cache names must be globally unique. ## RECOMMENDATION -Consider creating Azure Managed Redis resources with a standard name. +Consider creating Azure Cache for Redis Enterprise resources with a standard name. Additionally consider using Azure Policy to only permit creation using a standard naming convention. ## EXAMPLES ### Configure with Bicep -To deploy resources that pass this rule: +To deploy enterprise caches that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -55,26 +56,89 @@ For example: ```bicep @minLength(1) -@maxLength(80) +@maxLength(63) @description('The name of the resource.') param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource cache 'Microsoft.Cache/redisEnterprise@2025-04-01' = { + name: name + location: location + sku: { + name: 'Enterprise_E10' + } + properties: { + minimumTlsVersion: '1.2' + } +} ``` + + ### Configure with Azure template -To deploy resources that pass this rule: +To deploy enterprise caches that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 2, + "maxLength": 64, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.Cache/redis", + "apiVersion": "2024-11-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "redisVersion": "6", + "sku": { + "name": "Premium", + "family": "P", + "capacity": 1 + }, + "redisConfiguration": { + "aad-enabled": "True", + "maxmemory-reserved": "615" + }, + "enableNonSslPort": false, + "publicNetworkAccess": "Disabled", + "disableAccessKeyAuthentication": true + }, + "zones": [ + "1", + "2", + "3" + ] + } + ] +} +``` + ## NOTES -This rule does not check if Azure Managed Redis resource names are unique. +This rule does not check if Azure Cache for Redis resource names are unique. 
@@ -89,7 +153,7 @@ For example: ```yaml configuration: - AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '^amr-' + AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '^redis-' ``` ## LINKS diff --git a/docs/en/rules/Azure.RedisEnterprise.Zones.md b/docs/en/rules/Azure.RedisEnterprise.Zones.md index 027e837b49f..ccc09c465eb 100644 --- a/docs/en/rules/Azure.RedisEnterprise.Zones.md +++ b/docs/en/rules/Azure.RedisEnterprise.Zones.md @@ -138,6 +138,8 @@ resource testrediscache_default 'Microsoft.Cache/redisEnterprise/databases@2021- } ``` + + ## NOTES This rule fails when cache is not zone redundant(1, 2 and 3) when there are availability zones for the given region. diff --git a/docs/examples/resources/redisenterprise.bicep b/docs/examples/resources/redisenterprise.bicep index 7421182fd75..b1ff87388c9 100644 --- a/docs/examples/resources/redisenterprise.bicep +++ b/docs/examples/resources/redisenterprise.bicep @@ -3,6 +3,8 @@ // Bicep documentation examples +@minLength(1) +@maxLength(63) @description('The name of the resource.') param name string diff --git a/docs/examples/resources/redisenterprise.json b/docs/examples/resources/redisenterprise.json index 82ebee64902..7bd4c66520d 100644 --- a/docs/examples/resources/redisenterprise.json +++ b/docs/examples/resources/redisenterprise.json @@ -4,13 +4,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "18144616178175150817" + "version": "0.38.33.27573", + "templateHash": "17489438504009269923" } }, "parameters": { "name": { "type": "string", + "minLength": 1, + "maxLength": 63, "metadata": { "description": "The name of the resource." } @@ -26,7 +28,7 @@ "resources": [ { "type": "Microsoft.Cache/redisEnterprise", - "apiVersion": "2024-02-01", + "apiVersion": "2025-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "sku": { diff --git a/docs/setup/setup-naming-and-tagging.md b/docs/setup/setup-naming-and-tagging.md index 901a3d4a8a0..55b613c344c 100644 
--- a/docs/setup/setup-naming-and-tagging.md +++ b/docs/setup/setup-naming-and-tagging.md @@ -254,7 +254,7 @@ Rule | Resource type `Azure.PostgreSQL.Naming` | `Microsoft.DBforPostgreSQL/servers`, `Microsoft.DBforPostgreSQL/flexibleServers` | `AZURE_POSTGRESQL_SERVER_NAME_FORMAT` `Azure.PublicIP.Naming` | `Microsoft.Network/publicIPAddresses` | `AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT` `Azure.Redis.Naming` | `Microsoft.Cache/Redis` | `AZURE_REDIS_CACHE_NAME_FORMAT` -`Azure.RedisEnterprise.Naming` | `Microsoft.Cache/RedisEnterprise` | `AZURE_REDIS_ENTERPRISE_NAME_FORMAT` +`Azure.RedisEnterprise.Naming` | `Microsoft.Cache/RedisEnterprise` with Enterprise or Enterprise Flash | `AZURE_REDIS_ENTERPRISE_NAME_FORMAT` `Azure.Group.Naming` | `Microsoft.Resources/resourceGroups` | `AZURE_RESOURCE_GROUP_NAME_FORMAT` `Azure.Group.RequiredTags` | `Microsoft.Resources/resourceGroups` | `AZURE_RESOURCE_GROUP_REQUIRED_TAGS` `Azure.Resource.RequiredTags` | Applies to all types that support tags except subscription and resource groups. | `AZURE_RESOURCE_REQUIRED_TAGS` diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml index 8361a540355..2698db7b1c8 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml 
@@ -161,4 +161,36 @@ spec:
 - field: properties.sku.name
 exists: true
+---
+# Synopsis: Azure Cache for Redis with Enterprise SKU.
+apiVersion: github.com/microsoft/PSRule/2025-01-01
+kind: Selector
+metadata:
+ name: Azure.Redis.IsEnterprise
+spec:
+ if:
+ allOf:
+ - type: .
+ equals: Microsoft.Cache/redisEnterprise
+ - field: sku.name
+ startsWith:
+ - 'Enterprise_'
+ - 'EnterpriseFlash_'
+
+---
+# Synopsis: Azure Managed Redis.
+apiVersion: github.com/microsoft/PSRule/2025-01-01
+kind: Selector
+metadata:
+ name: Azure.Redis.IsManaged
+spec:
+ if:
+ allOf:
+ - type: .
+ equals: Microsoft.Cache/redisEnterprise
+ - field: sku.name
+ notStartsWith:
+ - 'Enterprise_'
+ - 'EnterpriseFlash_'
+
 #endregion Selectors
diff --git a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1 b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1
index 1bdb435ca85..cf7d1a1fc84 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1
+++ b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.ps1
@@ -8,7 +8,7 @@
 #region Naming rules
 # Synopsis: Azure Managed Redis instances without a standard naming convention may be difficult to identify and manage.
-Rule 'Azure.RedisEnterprise.Naming' -Ref 'AZR-000524' -Type 'Microsoft.Cache/RedisEnterprise' -If { $Configuration['AZURE_REDIS_ENTERPRISE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
+Rule 'Azure.RedisEnterprise.Naming' -Ref 'AZR-000524' -Type 'Microsoft.Cache/RedisEnterprise' -With 'Azure.Redis.IsEnterprise' -If { $Configuration['AZURE_REDIS_ENTERPRISE_NAME_FORMAT'] -ne '' } -Tag @{ release = 'GA'; ruleSet = '2025_12'; 'Azure.WAF/pillar' = 'Operational Excellence' } -Labels @{ 'Azure.CAF' = 'naming'; 'Azure.WAF/maturity' = 'L2' } {
 $Assert.Match($PSRule, 'TargetName', $Configuration.AZURE_REDIS_ENTERPRISE_NAME_FORMAT, $True);
 }
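Review bot: `Azure.Redis.IsManaged` is defined purely by negation (`notStartsWith` on `sku.name`), so a `Microsoft.Cache/redisEnterprise` resource that omits `sku.name` altogether would presumably be classified as Managed rather than excluded; it is worth confirming how PSRule evaluates `notStartsWith` against a missing field and, if the intent is to classify only resources that declare a SKU, adding `- field: sku.name` / `exists: true` to the `allOf`. The two selectors also duplicate the `Enterprise_`/`EnterpriseFlash_` prefix list with no cross-reference, so a future tier will need to be added in both places; a comment such as `# NOTE: keep this prefix list in sync with Azure.Redis.IsManaged` (and the mirror on the other selector) would make that explicit. The selector synopses could also state the split they implement, e.g. `# Synopsis: Azure Cache for Redis Enterprise - redisEnterprise resources with an Enterprise or Enterprise Flash SKU.` and `# Synopsis: Azure Managed Redis - redisEnterprise resources with any other SKU.` Nothing in this diff consumes `Azure.Redis.IsManaged`, so if no rule is scoped to it yet a short note on the selector saying it is reserved for that purpose would help readers.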
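Review bot: The `# Synopsis:` comment above `Azure.RedisEnterprise.Naming` still reads "Azure Managed Redis instances ...", but the rule is now scoped with `-With 'Azure.Redis.IsEnterprise'` to Enterprise and Enterprise Flash SKUs, and the documentation in this same series renames the rule's SYNOPSIS to "Azure Cache for Redis Enterprise resources ...". PSRule surfaces this comment as the rule's synopsis, so the rule output and the docs will disagree about what the rule covers. Suggest `# Synopsis: Azure Cache for Redis Enterprise instances without a standard naming convention may be difficult to identify and manage.` to match the scope the selector now enforces.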
diff --git a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml index ca06cf46381..dc32adcbee9 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.RedisEnterprise.Rule.yaml @@ -23,7 +23,9 @@ metadata: Azure.WAF/maturity: L1 spec: type: - - Microsoft.Cache/redisEnterprise + - Microsoft.Cache/redisEnterprise + with: + - Azure.Redis.IsEnterprise condition: field: properties.minimumTlsVersion hasDefault: '1.2' diff --git a/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml b/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml index ceb12803c52..222db8103a5 100644 --- a/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/CAF.Rule.yaml @@ -221,7 +221,7 @@ spec: # AZURE_POSTGRESQL_SERVER_NAME_FORMAT: '^psql-' # AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT: '^pip-' # AZURE_REDIS_CACHE_NAME_FORMAT: '^redis-' -# AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '^amr-' +# AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '^redis-' # AZURE_RESOURCE_GROUP_NAME_FORMAT: '^rg-' # AZURE_ROUTE_TABLE_NAME_FORMAT: '^rt-' # AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT: '^sf-' diff --git a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml index f4b77f2e604..8290626aca3 100644 --- a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml @@ -111,6 +111,7 @@ spec: AZURE_POSTGRESQL_SERVER_NAME_FORMAT: '' AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT: '' AZURE_REDIS_CACHE_NAME_FORMAT: '' + AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '' AZURE_RESOURCE_GROUP_NAME_FORMAT: '' AZURE_ROUTE_TABLE_NAME_FORMAT: '' AZURE_SQL_DATABASE_NAME_FORMAT: '' From 62d510be1273c955f5973f6061aa49874c042eca Mon Sep 17 00:00:00 2001 
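Review bot: Adding `with: - Azure.Redis.IsEnterprise` to the rule in the `Azure.RedisEnterprise.Rule.yaml` hunk (the one asserting `properties.minimumTlsVersion` has default `'1.2'`) narrows that minimum-TLS check to Enterprise and Enterprise Flash SKUs, so `Microsoft.Cache/redisEnterprise` resources with any other SKU no longer receive it unless a companion rule scoped to `Azure.Redis.IsManaged` exists, and this diff shows none. If the narrowing is deliberate because the Managed offering does not expose or need this setting, a one-line comment on the rule stating that (e.g. `# Scoped to Enterprise SKUs only; see Azure.Redis.IsManaged for the Managed offering.`) would record the decision and stop a later reader from reading it as lost coverage. Otherwise, keep the rule type-wide or add the companion rule. The rule's `metadata` header starts outside the hunk, so its name and synopsis are not visible here.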
From: Bernie White Date: Sat, 15 Nov 2025 16:02:26 +0000 Subject: [PATCH 21/32] Fixes --- .../Azure.Redis.Tests.ps1 | 11 +-- .../Resources.Redis.json | 70 ++++++++----------- 2 files changed, 38 insertions(+), 43 deletions(-) diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 index 8b28a9cc106..7989070b216 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 @@ -534,11 +534,11 @@ Describe 'Azure.Redis' -Tag 'Redis' { $option = New-PSRuleOption -Configuration @{ 'AZURE_REDIS_CACHE_NAME_FORMAT' = '^redis-' - 'AZURE_REDIS_ENTERPRISE_NAME_FORMAT' = '^amr-' + 'AZURE_REDIS_ENTERPRISE_NAME_FORMAT' = '^redis-' }; $cacheNames = @('cache-001', 'redis-001', 'REDIS-001') - $enterpriseNames = @('enterprise-001', 'amr-001', 'AMR-001') + $enterpriseNames = @('enterprise-001', 'redis-001', 'REDIS-001') $cacheItems = @($cacheNames | ForEach-Object { [PSCustomObject]@{ @@ -551,6 +551,9 @@ Describe 'Azure.Redis' -Tag 'Redis' { [PSCustomObject]@{ Name = $_ Type = 'Microsoft.Cache/RedisEnterprise' + SKU = [PSCustomObject]@{ + Name = "Enterprise_E10" + } } }); @@ -580,13 +583,13 @@ Describe 'Azure.Redis' -Tag 'Redis' { $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); $ruleResult | Should -Not -BeNullOrEmpty; $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'enterprise-001', 'AMR-001'; + $ruleResult.TargetName | Should -BeIn 'enterprise-001', 'REDIS-001'; # Pass $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); $ruleResult | Should -Not -BeNullOrEmpty; $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'amr-001'; + $ruleResult.TargetName | Should -Be 'redis-001'; } } } diff --git a/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json b/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json index 3b44284613a..fddb402eb55 100644 
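Review bot: In the `@@ -551,6 +551,9 @@` hunk every enterprise test object is given `SKU.Name = "Enterprise_E10"`, so all three names exercise the `Azure.Redis.IsEnterprise` selector's positive branch, but nothing covers the branch the selector was introduced for: a `Microsoft.Cache/RedisEnterprise` item whose SKU does not start with `Enterprise_`/`EnterpriseFlash_` should now be excluded from `Azure.RedisEnterprise.Naming` regardless of its name. Without that case a regression that drops `-With` from the rule would not be caught. The item below can be appended to the input set and asserted absent from the `Azure.RedisEnterprise.Naming` results; the code that feeds items into `Invoke-PSRule` and the `Should -Be 2`/`Should -Be 1` counts are outside this hunk and may need adjusting accordingly.
```powershell
# … unchanged: $cacheItems / $enterpriseItems construction …
$managedItems = @([PSCustomObject]@{
    Name = 'enterprise-002'
    Type = 'Microsoft.Cache/RedisEnterprise'
    SKU  = [PSCustomObject]@{ Name = 'Balanced_B5' }   # Managed Redis tier: must not be selected
});
# … unchanged: invoke rules, then assert 'enterprise-002' is not in the Azure.RedisEnterprise.Naming results …
```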
--- a/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json +++ b/tests/PSRule.Rules.Azure.Tests/Resources.Redis.json @@ -1,9 +1,8 @@ [ { "Name": "redis-A", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-A", - "ResourceName": "redis-A", - "ResourceType": "Microsoft.Cache/Redis", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-A", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -45,9 +44,8 @@ }, { "Name": "redis-B", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-B", - "ResourceName": "redis-B", - "ResourceType": "Microsoft.Cache/Redis", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-B", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -375,7 +373,7 @@ ], "ResourceGroupName": "test-rg", "Type": "Microsoft.Cache/Redis", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ExtensionResourceType": null, "Sku": null, "Tags": null, @@ -554,7 +552,7 @@ ], "ResourceGroupName": "test-rg", "Type": "Microsoft.Cache/Redis", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ExtensionResourceType": null, "Sku": null, "Tags": null, 
@@ -567,7 +565,7 @@ "Name": "redis-E", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-E", "ResourceName": "redis-E", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -737,7 +735,7 @@ "Name": "redis-F", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-F", "ResourceName": "redis-F", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -772,7 +770,7 @@ "Name": "redis-G", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-G", "ResourceName": "redis-G", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -808,7 +806,7 @@ "Name": "redis-H", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-H", "ResourceName": "redis-H", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "Antarctica North", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -840,7 +838,7 @@ "Name": "redis-I", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-I", "ResourceName": "redis-I", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "antarcticasouth", "SubscriptionId": "00000000-0000-0000-0000-000000000000", 
@@ -872,7 +870,7 @@ "Name": "redis-J", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Redis/redis-G", "ResourceName": "redis-J", - "ResourceType": "Microsoft.Cache/Redis", + "type": "Microsoft.Cache/Redis", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -905,10 +903,9 @@ ] }, { - "Name": "redis-K", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Microsoft.Cache/redisEnterprise/redis-K", - "ResourceName": "redis-K", - "ResourceType": "Microsoft.Cache/redisEnterprise", + "name": "redis-K", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/Microsoft.Cache/redisEnterprise/redis-K", + "type": "Microsoft.Cache/redisEnterprise", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -928,10 +925,9 @@ ] }, { - "Name": "redis-L", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-L", - "ResourceName": "redis-L", - "ResourceType": "Microsoft.Cache/redisEnterprise", + "name": "redis-L", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-L", + "type": "Microsoft.Cache/redisEnterprise", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", 
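Review bot: The rewritten `id` for `redis-K` in the `@@ -905,10 +903,9 @@` hunk keeps the doubled provider segment `.../providers/Microsoft.Cache/Microsoft.Cache/redisEnterprise/redis-K` carried over from the old `ResourceId`; since the line is being replaced anyway this is the moment to correct it to `"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-K",`. Any rule or binding that derives resource group, provider or type from the `id` path would presumably see a malformed value for this fixture, so a test passing on it may be passing for the wrong reason. The neighbouring `redis-J` entry (context in `@@ -872,7 +870,7 @@`) has a `ResourceId` ending in `redis-G`, which looks like the same copy-paste lineage and is worth fixing in the same pass.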
@@ -947,10 +943,9 @@ "zones": [] }, { - "Name": "redis-M", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-M", - "ResourceName": "redis-M", - "ResourceType": "Microsoft.Cache/redisEnterprise", + "name": "redis-M", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-M", + "type": "Microsoft.Cache/redisEnterprise", "ResourceGroupName": "test-rg", "Location": "Antarctica North", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -966,10 +961,9 @@ "zones": [] }, { - "Name": "redis-N", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-N", - "ResourceName": "redis-N", - "ResourceType": "Microsoft.Cache/redisEnterprise", + "name": "redis-N", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-N", + "type": "Microsoft.Cache/redisEnterprise", "ResourceGroupName": "test-rg", "Location": "antarcticasouth", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -985,10 +979,9 @@ "zones": [] }, { - "Name": "redis-O", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-O", - "ResourceName": "redis-O", - "ResourceType": "Microsoft.Cache/redisEnterprise", + "name": "redis-O", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-O", + "type": "Microsoft.Cache/redisEnterprise", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", 
@@ -1008,10 +1001,9 @@ ] }, { - "Name": "redis-P", - "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-P", - "ResourceName": "redis-P", - "ResourceType": "Microsoft.Cache/redisEnterprise", + "name": "redis-P", + "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-P", + "type": "Microsoft.Cache/redisEnterprise", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", @@ -1116,7 +1108,7 @@ "Name": "redis-S", "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Cache/redisEnterprise/redis-S", "ResourceName": "redis-S", - "ResourceType": "Microsoft.Cache/redisEnterprise", + "type": "Microsoft.Cache/redisEnterprise", "ResourceGroupName": "test-rg", "Location": "australiaeast", "SubscriptionId": "00000000-0000-0000-0000-000000000000", From 7ec873f82f7f1ae6e97ce7c4e9b7b7f7b62cb2bd Mon Sep 17 00:00:00 2001 From: Bernie White Date: Sat, 15 Nov 2025 16:25:42 +0000 Subject: [PATCH 22/32] Updates --- docs/en/rules/Azure.RedisEnterprise.Naming.md | 2 +- docs/en/rules/Azure.SQLMI.ManagedIdentity.md | 70 +++++++++++------ docs/en/rules/Azure.SQLMI.Naming.md | 78 ++++++++++++++++++- docs/examples/resources/sqlmi.bicep | 43 ++++++++++ docs/examples/resources/sqlmi.json | 59 ++++++++++++++ .../rules/Azure.Redis.Rule.yaml | 12 ++- src/PSRule.Rules.Azure/rules/Config.Rule.yaml | 1 + .../Azure.Redis.Tests.ps1 | 5 +- 8 files changed, 233 insertions(+), 37 deletions(-) create mode 100644 docs/examples/resources/sqlmi.bicep create mode 100644 docs/examples/resources/sqlmi.json diff --git a/docs/en/rules/Azure.RedisEnterprise.Naming.md b/docs/en/rules/Azure.RedisEnterprise.Naming.md index 927aec1f06a..841e441424c 100644 --- a/docs/en/rules/Azure.RedisEnterprise.Naming.md 
+++ b/docs/en/rules/Azure.RedisEnterprise.Naming.md @@ -29,7 +29,7 @@ Some of the benefits of using standardized tagging and naming conventions are: For example, if you come upon a security incident, it's critical to quickly identify affected systems, the functions that those systems support, and the potential business impact. -For Azure Cache for Redis Enterprise, the Cloud Adoption Framework (CAF) recommends using the `amr-` prefix. +For Azure Cache for Redis Enterprise, the Cloud Adoption Framework (CAF) recommends using the `redis-` prefix. Requirements for Azure Cache for Redis Enterprise resource names: diff --git a/docs/en/rules/Azure.SQLMI.ManagedIdentity.md b/docs/en/rules/Azure.SQLMI.ManagedIdentity.md index 0dc49ddd0e4..8ba99bbc703 100644 --- a/docs/en/rules/Azure.SQLMI.ManagedIdentity.md +++ b/docs/en/rules/Azure.SQLMI.ManagedIdentity.md @@ -27,7 +27,7 @@ Consider configure a managed identity to allow support for Azure AD authenticati ## EXAMPLES -### Configure with Azure template +### Configure with Bicep To deploy SQL Managed Instances that pass this rule: 
@@ -36,21 +36,31 @@ To deploy SQL Managed Instances that pass this rule: For example: -```json -{ - "type": "Microsoft.Sql/managedInstances", - "apiVersion": "2022-05-01-preview", - "name": "[parameters('managedInstanceName')]", - "location": "[parameters('location')]", - "identity": { - "type": "SystemAssigned", - "userAssignedIdentities": {} - }, - "properties": {} +```bicep +resource managedInstance 'Microsoft.Sql/managedInstances@2023-08-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + sku: { + name: 'GP_Gen5' + } + properties: { + administrators: { + administratorType: 'ActiveDirectory' + azureADOnlyAuthentication: true + login: login + sid: sid + principalType: 'Group' + tenantId: tenant().tenantId + } + maintenanceConfigurationId: maintenanceWindow.id + } } ``` - -### Configure with Bicep + +### Configure with Azure template To deploy SQL Managed Instances that pass this rule: @@ -59,17 +69,29 @@ To deploy SQL Managed Instances that pass this rule: For example: -```bicep -resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = { - name: appName - location: location - name: managedInstanceName - location: location - identity: { - type: 'SystemAssigned' - userAssignedIdentities: {} +```json +{ + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2023-08-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "GP_Gen5" + }, + "properties": { + "administrators": { + "administratorType": "ActiveDirectory", + "azureADOnlyAuthentication": true, + "login": "[parameters('login')]", + "sid": "[parameters('sid')]", + "principalType": "Group", + "tenantId": "[tenant().tenantId]" + }, + "maintenanceConfigurationId": "[subscriptionResourceId('Microsoft.Maintenance/publicMaintenanceConfigurations', 'SQL_WestEurope_MI_1')]" } - properties: {} } ``` 
diff --git a/docs/en/rules/Azure.SQLMI.Naming.md b/docs/en/rules/Azure.SQLMI.Naming.md index c2c86f4ea62..89f95091509 100644 --- a/docs/en/rules/Azure.SQLMI.Naming.md +++ b/docs/en/rules/Azure.SQLMI.Naming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-11-16 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes @@ -34,8 +34,9 @@ For SQL Managed Instance, the Cloud Adoption Framework (CAF) recommends using th Requirements for SQL Managed Instance resource names: - Between 1 and 63 characters long. -- Can include alphanumeric characters, hyphens, underscores, and periods (restrictions vary by resource type). -- Resource names must be unique within their scope. +- Lowercase letters, numbers, and hyphens. +- Can't start or end with a hyphen. +- SQL Managed Instance names must be globally unique. ## RECOMMENDATION @@ -62,7 +63,27 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource managedInstance 'Microsoft.Sql/managedInstances@2023-08-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + sku: { + name: 'GP_Gen5' + } + properties: { + administrators: { + administratorType: 'ActiveDirectory' + azureADOnlyAuthentication: true + login: login + sid: sid + principalType: 'Group' + tenantId: tenant().tenantId + } + maintenanceConfigurationId: maintenanceWindow.id + } +} ``` 
@@ -74,6 +95,55 @@ To deploy resources that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2023-08-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "GP_Gen5" + }, + "properties": { + "administrators": { + "administratorType": "ActiveDirectory", + "azureADOnlyAuthentication": true, + "login": "[parameters('login')]", + "sid": "[parameters('sid')]", + "principalType": "Group", + "tenantId": "[tenant().tenantId]" + }, + "maintenanceConfigurationId": "[subscriptionResourceId('Microsoft.Maintenance/publicMaintenanceConfigurations', 'SQL_WestEurope_MI_1')]" + } + } + ] +} +``` + ## NOTES This rule does not check if SQL Managed Instance resource names are unique. diff --git a/docs/examples/resources/sqlmi.bicep b/docs/examples/resources/sqlmi.bicep new file mode 100644 index 00000000000..c8e35e4e268 --- /dev/null +++ b/docs/examples/resources/sqlmi.bicep 
@@ -0,0 +1,43 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +// Bicep documentation examples + +@minLength(1) +@maxLength(63) +@description('The name of the resource.') +param name string + +@description('The location resources will be deployed.') +param location string = resourceGroup().location + +param login string +param sid string + +// An example SQL managed instance. +resource managedInstance 'Microsoft.Sql/managedInstances@2023-08-01' = { + name: name + location: location + identity: { + type: 'SystemAssigned' + } + sku: { + name: 'GP_Gen5' + } + properties: { + administrators: { + administratorType: 'ActiveDirectory' + azureADOnlyAuthentication: true + login: login + sid: sid + principalType: 'Group' + tenantId: tenant().tenantId + } + maintenanceConfigurationId: maintenanceWindow.id + } +} + +resource maintenanceWindow 'Microsoft.Maintenance/publicMaintenanceConfigurations@2023-04-01' existing = { + scope: subscription() + name: 'SQL_WestEurope_MI_1' +} diff --git a/docs/examples/resources/sqlmi.json b/docs/examples/resources/sqlmi.json new file mode 100644 index 00000000000..ddda1711db9 --- /dev/null +++ b/docs/examples/resources/sqlmi.json 
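Review bot: The `maintenanceWindow` reference is pinned to the public maintenance configuration `SQL_WestEurope_MI_1` while `location` defaults to `resourceGroup().location`, so the example presumably only deploys cleanly when the resource group is in West Europe, since public maintenance configurations are region-specific; either document that dependency next to the `existing` resource, e.g. `// Public maintenance configurations are region-specific; this one only applies to instances in West Europe.`, or make the configuration name follow `location`. `login` and `sid` also lack the `@description` decorator that `name` and `location` carry; given `principalType: 'Group'`, something like `@description('The Entra ID login name of the administrator group.')` and `@description('The object ID of the administrator group.')` would do. Using `azureADOnlyAuthentication: true` with a group principal is a good choice for an example because it removes the need for a SQL password parameter.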
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.38.33.27573", + "templateHash": "16665234278863375091" + } + }, + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + }, + "login": { + "type": "string" + }, + "sid": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Sql/managedInstances", + "apiVersion": "2023-08-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "GP_Gen5" + }, + "properties": { + "administrators": { + "administratorType": "ActiveDirectory", + "azureADOnlyAuthentication": true, + "login": "[parameters('login')]", + "sid": "[parameters('sid')]", + "principalType": "Group", + "tenantId": "[tenant().tenantId]" + }, + "maintenanceConfigurationId": "[subscriptionResourceId('Microsoft.Maintenance/publicMaintenanceConfigurations', 'SQL_WestEurope_MI_1')]" + } + } + ] +} \ No newline at end of file diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml index 2698db7b1c8..0118769afea 100644 --- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml 
@@ -163,14 +163,16 @@ spec: --- # Synopsis: Azure Cache for Redis with Enterprise SKU. -apiVersion: github.com/microsoft/PSRule/2025-01-01 +apiVersion: github.com/microsoft/PSRule/v1 kind: Selector metadata: name: Azure.Redis.IsEnterprise + annotations: + export: false spec: if: allOf: - - type: . + - type: '.' equals: Microsoft.Cache/redisEnterprise - field: sku.name startsWith: @@ -179,14 +181,16 @@ spec: --- # Synopsis: Azure Managed Redis. -apiVersion: github.com/microsoft/PSRule/2025-01-01 +apiVersion: github.com/microsoft/PSRule/v1 kind: Selector metadata: name: Azure.Redis.IsManaged + annotations: + export: false spec: if: allOf: - - type: . + - type: '.' equals: Microsoft.Cache/redisEnterprise - field: sku.name notStartsWith: diff --git a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml index 8290626aca3..8d658700c77 100644 --- a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml @@ -117,6 +117,7 @@ spec: AZURE_SQL_DATABASE_NAME_FORMAT: '' AZURE_SQL_ELASTIC_POOL_NAME_FORMAT: '' AZURE_SQL_JOB_AGENT_NAME_FORMAT: '' + AZURE_SQL_MI_NAME_FORMAT: '' AZURE_SQL_SERVER_NAME_FORMAT: '' AZURE_STORAGE_ACCOUNT_NAME_FORMAT: '' AZURE_VIRTUAL_MACHINE_NAME_FORMAT: '' diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 index 7989070b216..56cba6e2d63 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 @@ -538,16 +538,13 @@ Describe 'Azure.Redis' -Tag 'Redis' { }; $cacheNames = @('cache-001', 'redis-001', 'REDIS-001') - $enterpriseNames = @('enterprise-001', 'redis-001', 'REDIS-001') $cacheItems = @($cacheNames | ForEach-Object { [PSCustomObject]@{ Name = $_ Type = 'Microsoft.Cache/Redis' } - }); - $enterpriseItems = @($enterpriseNames | ForEach-Object { [PSCustomObject]@{ Name = $_ Type = 'Microsoft.Cache/RedisEnterprise' 
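Review bot: The `Azure.Redis.IsEnterprise` selector matches on `equals: Microsoft.Cache/redisEnterprise`, while the test objects built in the `Azure.Redis.Tests.ps1` hunk on this same line use `Type = 'Microsoft.Cache/RedisEnterprise'`; this only holds if PSRule's string `equals` is case-insensitive, which I believe is the default but is worth confirming because the selector decides which resources the naming rules are evaluated against. The same applies to the `Azure.Redis.IsManaged` selector in the second hunk. Quoting `type: '.'` and adding `export: false` look right; the `apiVersion` move from `2025-01-01` back to `v1` presumably aligns with the module's other selectors, but it should be deliberate rather than a regression if the newer schema was introduced for a reason. Both selector bodies continue past the hunk (`startsWith:`/`notStartsWith:` lists), so the SKU-prefix logic is not visible here.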
@@ -557,7 +554,7 @@ Describe 'Azure.Redis' -Tag 'Redis' { } }); - $result = @($cacheItems + $enterpriseItems) | Invoke-PSRule @invokeParams -Option $option + $result = $cacheItems | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.Redis.Naming', 'Azure.RedisEnterprise.Naming' } It 'Azure.Redis.Naming' { From 28b77b75493f4fff7d2af2955e14c3eb814c209d Mon Sep 17 00:00:00 2001 From: Bernie White Date: Sat, 15 Nov 2025 16:59:55 +0000 Subject: [PATCH 23/32] Updates --- docs/en/rules/Azure.RedisEnterprise.Naming.md | 2 + docs/en/rules/Azure.SQLMI.Naming.md | 3 + .../Azure.ServiceFabric.ManagedNaming.md | 105 +++++++++++++++- docs/en/rules/Azure.ServiceFabric.Naming.md | 118 +++++++++++++++++- docs/examples/resources/service-fabric.bicep | 39 +++++- docs/examples/resources/service-fabric.json | 43 ++++++- src/PSRule.Rules.Azure/rules/Config.Rule.yaml | 2 + 7 files changed, 299 insertions(+), 13 deletions(-) diff --git a/docs/en/rules/Azure.RedisEnterprise.Naming.md b/docs/en/rules/Azure.RedisEnterprise.Naming.md index 841e441424c..bee08c9ce18 100644 --- a/docs/en/rules/Azure.RedisEnterprise.Naming.md +++ b/docs/en/rules/Azure.RedisEnterprise.Naming.md @@ -163,4 +163,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.cache/redisenterprise) 
diff --git a/docs/en/rules/Azure.SQLMI.Naming.md b/docs/en/rules/Azure.SQLMI.Naming.md index 89f95091509..ec6273d1885 100644 --- a/docs/en/rules/Azure.SQLMI.Naming.md +++ b/docs/en/rules/Azure.SQLMI.Naming.md @@ -171,3 +171,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.sql/managedinstances) diff --git a/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md b/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md index 5479ac41fef..783371bd9bf 100644 --- a/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md +++ b/docs/en/rules/Azure.ServiceFabric.ManagedNaming.md @@ -1,9 +1,9 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-11-16 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes -resource: Service Fabric managed cluster +resource: Service Fabric resourceType: Microsoft.ServiceFabric/managedClusters online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceFabric.ManagedNaming/ --- 
@@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy managed clusters that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -62,16 +62,108 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource managed 'Microsoft.ServiceFabric/managedClusters@2024-04-01' = { + name: name + location: location + sku: { + name: 'Standard' + } + properties: { + azureActiveDirectory: { + clientApplication: clientApplication + clusterApplication: clusterApplication + tenantId: tenantId + } + dnsName: toLower(name) + adminUserName: adminUsername + clientConnectionPort: 19000 + httpGatewayConnectionPort: 19080 + clients: [ + { + isAdmin: true + thumbprint: certificateThumbprint + } + ] + loadBalancingRules: [ + { + frontendPort: 8080 + backendPort: 8080 + protocol: 'tcp' + probeProtocol: 'https' + } + ] + } +} + ``` ### Configure with Azure template -To deploy resources that pass this rule: +To deploy managed clusters that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 4, + "maxLength": 23, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ServiceFabric/managedClusters", + "apiVersion": "2024-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "azureActiveDirectory": { + "clientApplication": "[parameters('clientApplication')]", + "clusterApplication": "[parameters('clusterApplication')]", + "tenantId": "[parameters('tenantId')]" + }, + "dnsName": "[toLower(parameters('name'))]", + "adminUserName": "[parameters('adminUsername')]", + "clientConnectionPort": 19000, + "httpGatewayConnectionPort": 19080, + "clients": [ + { + "isAdmin": true, + "thumbprint": "[parameters('certificateThumbprint')]" + } + ], + "loadBalancingRules": [ + { + "frontendPort": 8080, + "backendPort": 8080, + "protocol": "tcp", + "probeProtocol": "https" + } + ] + } + } + ] +} +``` + ## NOTES This rule does not check if Service Fabric managed cluster resource names are unique. @@ -99,3 +191,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.servicefabric/managedclusters) diff --git a/docs/en/rules/Azure.ServiceFabric.Naming.md b/docs/en/rules/Azure.ServiceFabric.Naming.md index c98e926859d..9796688b9e7 100644 --- a/docs/en/rules/Azure.ServiceFabric.Naming.md 
+++ b/docs/en/rules/Azure.ServiceFabric.Naming.md @@ -1,9 +1,9 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-11-16 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes -resource: Service Fabric cluster +resource: Service Fabric resourceType: Microsoft.ServiceFabric/clusters online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ServiceFabric.Naming/ --- @@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy clusters that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -62,16 +62,121 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource cluster 'Microsoft.ServiceFabric/clusters@2023-11-01-preview' = { + name: name + location: location + properties: { + azureActiveDirectory: { + clientApplication: clientApplication + clusterApplication: clusterApplication + tenantId: tenantId + } + certificate: { + thumbprint: certificateThumbprint + x509StoreName: 'My' + } + diagnosticsStorageAccountConfig: { + blobEndpoint: storageAccount.properties.primaryEndpoints.blob + protectedAccountKeyName: 'StorageAccountKey1' + queueEndpoint: storageAccount.properties.primaryEndpoints.queue + storageAccountName: storageAccount.name + tableEndpoint: storageAccount.properties.primaryEndpoints.table + } + fabricSettings: [ + { + parameters: [ + { + name: 'ClusterProtectionLevel' + value: 'EncryptAndSign' + } + ] + name: 'Security' + } + ] + managementEndpoint: endpointUri + nodeTypes: [] + reliabilityLevel: 'Silver' + upgradeMode: 'Automatic' + vmImage: 'Windows' + } +} ``` + + ### Configure with Azure template -To deploy resources that pass this rule: +To deploy clusters that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 4, + "maxLength": 23, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ServiceFabric/clusters", + "apiVersion": "2023-11-01-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "azureActiveDirectory": { + "clientApplication": "[parameters('clientApplication')]", + "clusterApplication": "[parameters('clusterApplication')]", + "tenantId": "[parameters('tenantId')]" + }, + "certificate": { + "thumbprint": "[parameters('certificateThumbprint')]", + "x509StoreName": "My" + }, + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.blob]", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.queue]", + "storageAccountName": "storage1", + "tableEndpoint": "[reference(resourceId('Microsoft.Storage/storageAccounts', 'storage1'), '2021-01-01').primaryEndpoints.table]" + }, + "fabricSettings": [ + { + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "EncryptAndSign" + } + ], + "name": "Security" + } + ], + "managementEndpoint": "[parameters('endpointUri')]", + "nodeTypes": [], + "reliabilityLevel": "Silver", + "upgradeMode": "Automatic", + "vmImage": "Windows" + } + } + ] +} +``` + ## NOTES This rule does not check if Service Fabric cluster resource names are unique. 
@@ -99,3 +204,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.servicefabric/clusters) diff --git a/docs/examples/resources/service-fabric.bicep b/docs/examples/resources/service-fabric.bicep index 6db7e4724e9..77b342bdf70 100644 --- a/docs/examples/resources/service-fabric.bicep +++ b/docs/examples/resources/service-fabric.bicep @@ -3,6 +3,8 @@ // Bicep documentation examples +@minLength(4) +@maxLength(23) @description('The name of the resource.') param name string @@ -13,6 +15,7 @@ param endpointUri string param tenantId string param clusterApplication string param clientApplication string +param adminUsername string @description('Certificate thumbprint.') param certificateThumbprint string @@ -21,7 +24,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-01-01' existing name: 'storage1' } -// An example of a Service Fabric cluster resource. +// An example Service Fabric cluster. resource cluster 'Microsoft.ServiceFabric/clusters@2023-11-01-preview' = { name: name location: location 
@@ -60,3 +63,37 @@ resource cluster 'Microsoft.ServiceFabric/clusters@2023-11-01-preview' = { vmImage: 'Windows' } } + +// An example Service Fabric managed cluster. +resource managed 'Microsoft.ServiceFabric/managedClusters@2024-04-01' = { + name: name + location: location + sku: { + name: 'Standard' + } + properties: { + azureActiveDirectory: { + clientApplication: clientApplication + clusterApplication: clusterApplication + tenantId: tenantId + } + dnsName: toLower(name) + adminUserName: adminUsername + clientConnectionPort: 19000 + httpGatewayConnectionPort: 19080 + clients: [ + { + isAdmin: true + thumbprint: certificateThumbprint + } + ] + loadBalancingRules: [ + { + frontendPort: 8080 + backendPort: 8080 + protocol: 'tcp' + probeProtocol: 'https' + } + ] + } +} diff --git a/docs/examples/resources/service-fabric.json b/docs/examples/resources/service-fabric.json index c747e91da28..2374763dfce 100644 --- a/docs/examples/resources/service-fabric.json +++ b/docs/examples/resources/service-fabric.json @@ -4,13 +4,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.35.1.17967", - "templateHash": "16820822623191152552" + "version": "0.38.33.27573", + "templateHash": "6378535014997672625" } }, "parameters": { "name": { "type": "string", + "minLength": 4, + "maxLength": 23, "metadata": { "description": "The name of the resource." } @@ -34,6 +36,9 @@ "clientApplication": { "type": "string" }, + "adminUsername": { + "type": "string" + }, "certificateThumbprint": { "type": "string", "metadata": { 
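Review bot: `adminUserName: adminUsername` consumes the `param adminUsername string` added in the `@@ -13,6 +15,7 @@` hunk of this file, which unlike `name`, `location` and `certificateThumbprint` has no `@description` decorator; since `service-fabric.json` is generated from this file, the gap propagates to the published template, so add `@description('The administrator username for the managed cluster.')` above that parameter. The managed cluster also reuses the same `name` parameter as the `cluster` resource defined above this hunk and derives `dnsName: toLower(name)` from it, which is presumably fine for a documentation example but ties both resources to the 4–23 character limits added in the `@@ -3,6 +3,8 @@` hunk. The `clients` entry grants `isAdmin: true` to `certificateThumbprint`, consistent with the existing cluster example's certificate handling.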
@@ -81,6 +86,40 @@ "upgradeMode": "Automatic", "vmImage": "Windows" } + }, + { + "type": "Microsoft.ServiceFabric/managedClusters", + "apiVersion": "2024-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard" + }, + "properties": { + "azureActiveDirectory": { + "clientApplication": "[parameters('clientApplication')]", + "clusterApplication": "[parameters('clusterApplication')]", + "tenantId": "[parameters('tenantId')]" + }, + "dnsName": "[toLower(parameters('name'))]", + "adminUserName": "[parameters('adminUsername')]", + "clientConnectionPort": 19000, + "httpGatewayConnectionPort": 19080, + "clients": [ + { + "isAdmin": true, + "thumbprint": "[parameters('certificateThumbprint')]" + } + ], + "loadBalancingRules": [ + { + "frontendPort": 8080, + "backendPort": 8080, + "protocol": "tcp", + "probeProtocol": "https" + } + ] + } } ] } \ No newline at end of file diff --git a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml index 8d658700c77..90123536ca9 100644 --- a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml @@ -114,6 +114,8 @@ spec: AZURE_REDIS_ENTERPRISE_NAME_FORMAT: '' AZURE_RESOURCE_GROUP_NAME_FORMAT: '' AZURE_ROUTE_TABLE_NAME_FORMAT: '' + AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT: '' + AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT: '' AZURE_SQL_DATABASE_NAME_FORMAT: '' AZURE_SQL_ELASTIC_POOL_NAME_FORMAT: '' AZURE_SQL_JOB_AGENT_NAME_FORMAT: '' From 98ec54587941890a1077bab0f869468359161841 Mon Sep 17 00:00:00 2001 
From: Bernie White Date: Sat, 15 Nov 2025 17:05:42 +0000 Subject: [PATCH 24/32] Updates --- docs/en/baselines/Azure.All.csv | 23 ++++--- docs/en/baselines/Azure.All.md | 19 +++--- docs/en/baselines/Azure.CAF_2025_03.csv | 6 +- docs/en/baselines/Azure.CAF_2025_06.csv | 6 +- docs/en/baselines/Azure.CAF_Compatibility.csv | 6 +- docs/en/baselines/Azure.Default.csv | 23 ++++--- docs/en/baselines/Azure.Default.md | 19 +++--- docs/en/baselines/Azure.GA_2020_12.csv | 4 +- docs/en/baselines/Azure.GA_2021_03.csv | 4 +- docs/en/baselines/Azure.GA_2021_06.csv | 4 +- docs/en/baselines/Azure.GA_2021_09.csv | 6 +- docs/en/baselines/Azure.GA_2021_12.csv | 6 +- docs/en/baselines/Azure.GA_2022_03.csv | 6 +- docs/en/baselines/Azure.GA_2022_06.csv | 6 +- docs/en/baselines/Azure.GA_2022_09.csv | 6 +- docs/en/baselines/Azure.GA_2022_12.csv | 6 +- docs/en/baselines/Azure.GA_2023_03.csv | 6 +- docs/en/baselines/Azure.GA_2023_06.csv | 6 +- docs/en/baselines/Azure.GA_2023_09.csv | 6 +- docs/en/baselines/Azure.GA_2023_12.csv | 6 +- docs/en/baselines/Azure.GA_2024_03.csv | 7 +-- docs/en/baselines/Azure.GA_2024_03.md | 3 +- docs/en/baselines/Azure.GA_2024_06.csv | 7 +-- docs/en/baselines/Azure.GA_2024_06.md | 3 +- docs/en/baselines/Azure.GA_2024_09.csv | 7 +-- docs/en/baselines/Azure.GA_2024_09.md | 3 +- docs/en/baselines/Azure.GA_2024_12.csv | 7 +-- docs/en/baselines/Azure.GA_2024_12.md | 3 +- docs/en/baselines/Azure.GA_2025_03.csv | 7 +-- docs/en/baselines/Azure.GA_2025_03.md | 3 +- docs/en/baselines/Azure.GA_2025_06.csv | 7 +-- docs/en/baselines/Azure.GA_2025_06.md | 3 +- docs/en/baselines/Azure.GA_2025_09.csv | 7 +-- docs/en/baselines/Azure.GA_2025_09.md | 3 +- docs/en/baselines/Azure.MCSB.v1.csv | 2 + docs/en/baselines/Azure.MCSB.v1.md | 4 +- .../Azure.Pillar.OperationalExcellence.csv | 15 +++-- .../Azure.Pillar.OperationalExcellence.md | 17 +++--- .../en/baselines/Azure.Pillar.Reliability.csv | 4 ++ docs/en/baselines/Azure.Pillar.Reliability.md | 6 +- 
.../en/baselines/Azure.Pillar.Security.L1.csv | 1 + docs/en/baselines/Azure.Pillar.Security.L1.md | 3 +- docs/en/baselines/Azure.Pillar.Security.csv | 4 +- docs/en/baselines/Azure.Pillar.Security.md | 6 +- docs/en/baselines/Azure.Preview.csv | 23 ++++--- docs/en/baselines/Azure.Preview.md | 19 +++--- docs/en/rules/index.md | 59 ++++++++++-------- docs/en/rules/module.md | 27 ++++---- docs/en/rules/resource.md | 61 +++++++------------ docs/es/rules/index.md | 59 ++++++++++-------- docs/es/rules/module.md | 27 ++++---- docs/es/rules/resource.md | 61 +++++++------------ 52 files changed, 332 insertions(+), 310 deletions(-) diff --git a/docs/en/baselines/Azure.All.csv b/docs/en/baselines/Azure.All.csv index 9a20e13c719..cd0752eb302 100644 --- a/docs/en/baselines/Azure.All.csv +++ b/docs/en/baselines/Azure.All.csv @@ -18,6 +18,7 @@ "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-" "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1" "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1" +"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4" "Azure.ADX.SLA","Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.","Important","Reliability","-" "Azure.ADX.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-" "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1" 
@@ -108,7 +109,7 @@ "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-" "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-" "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" -"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" +"Azure.AppGwWAF.RuleGroups","Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic.","Critical","Security","L2" "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1" "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-" "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
@@ -160,7 +161,8 @@ "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-" "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-" "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-" -"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2" +"Azure.Cosmos.AvailabilityZone","Use zone redundant Cosmos DB accounts in supported regions to improve reliability.","Important","Reliability","L1" "Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-" "Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" 
@@ -169,6 +171,8 @@ "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-" "Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1" +"Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1" +"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1" "Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" 
@@ -247,6 +251,7 @@ "Azure.FrontDoorWAF.Exclusions","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.","Critical","Security","-" "Azure.FrontDoorWAF.PreventionMode","Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" "Azure.FrontDoorWAF.RuleGroups","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-" +"Azure.Grafana.AvailabilityZone","Use zone redundant Grafana workspaces in supported regions to improve reliability.","Important","Reliability","L1" "Azure.Grafana.Version","Grafana workspaces should be on Grafana version 10.","Important","Reliability","-" "Azure.Group.Name","Azure Resource Manager (ARM) has requirements for Resource Groups names.","Awareness","Operational Excellence","-" "Azure.Group.Naming","Resource Groups without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-" 
@@ -286,6 +291,7 @@ "Azure.MariaDB.ServerName","Azure Database for MariaDB servers should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.MariaDB.UseSSL","Azure Database for MariaDB servers should only accept encrypted connections.","Critical","Security","L1" "Azure.MariaDB.VNETRuleName","Azure Database for MariaDB VNET rules should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.MICassandra.AvailabilityZone","Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability.","Important","Reliability","L1" "Azure.ML.ComputeIdleShutdown","Configure an idle shutdown timeout for Machine Learning compute instances.","Critical","Cost Optimization","-" "Azure.ML.ComputeVnet","Azure Machine Learning Computes should be hosted in a virtual network (VNet).","Critical","Security","-" "Azure.ML.DisableLocalAuth","Azure Machine Learning compute resources should have local authentication methods disabled.","Critical","Security","L1" 
@@ -301,8 +307,8 @@ "Azure.MySQL.GeoRedundantBackup","Azure Database for MySQL should store backups in a geo-redundant storage.","Important","Reliability","-" "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-" "Azure.MySQL.MinTLS","MySQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.MySQL.Naming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.MySQL.ServerNaming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.MySQL.UseFlexible","Use Azure Database for MySQL Flexible Server deployment model.","Important","Reliability","-" "Azure.MySQL.UseSSL","Enforce encrypted MySQL connections.","Critical","Security","L1" "Azure.MySQL.ZoneRedundantHA","Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-" 
@@ -330,8 +336,8 @@
 "Azure.PostgreSQL.GeoRedundantBackup","Azure Database for PostgreSQL should store backups in a geo-redundant storage.","Important","Reliability","-"
 "Azure.PostgreSQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers.","Important","Reliability","-"
 "Azure.PostgreSQL.MinTLS","PostgreSQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.PostgreSQL.Naming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.PostgreSQL.ServerNaming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PostgreSQL.UseSSL","Enforce encrypted PostgreSQL connections.","Critical","Security","L1"
 "Azure.PostgreSQL.ZoneRedundantHA","Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-"
 "Azure.PrivateEndpoint.Name","Private Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -361,7 +367,7 @@
 "Azure.Redis.PublicNetworkAccess","Redis cache should disable public network access.","Critical","Security","-"
 "Azure.Redis.Version","Azure Cache for Redis should use the latest supported version of Redis.","Important","Reliability","-"
 "Azure.RedisEnterprise.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.RedisEnterprise.Naming","Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.RedisEnterprise.Naming","Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.RedisEnterprise.Zones","Enterprise Redis cache should be zone-redundant for high availability.","Important","Reliability","-"
 "Azure.Resource.AllowedRegions","The deployment location of a resource determines the country or region where metadata and data is stored and processed.","Important","Security","-"
 "Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -394,8 +400,8 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DatabaseNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.SQL.DBNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -404,9 +410,8 @@ "Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-" "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1" -"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-" +"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2" "Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" -"Azure.SQL.StretchDBNaming","SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1" "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-" "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1" diff --git a/docs/en/baselines/Azure.All.md b/docs/en/baselines/Azure.All.md index 8c29f0c32ab..1e63e6ce96b 100644 --- a/docs/en/baselines/Azure.All.md +++ b/docs/en/baselines/Azure.All.md @@ -10,7 +10,7 @@ Includes all Azure rules. The following rules are included within the `Azure.All` baseline. -This baseline includes a total of 523 rules. +This baseline includes a total of 528 rules. Name | Synopsis | Severity ---- | -------- | -------- 
@@ -33,6 +33,7 @@ Name | Synopsis | Severity
 [Azure.ACR.Usage](../rules/Azure.ACR.Usage.md) | Regularly remove deprecated and unneeded images to reduce storage usage. | Important
 [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important
 [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important
+[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical
 [Azure.ADX.SLA](../rules/Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important
 [Azure.ADX.Usage](../rules/Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important
 [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important
@@ -123,7 +124,7 @@ Name | Synopsis | Severity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
+[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical
 [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical
 [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness
 [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -176,6 +177,7 @@ Name | Synopsis | Severity
 [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important
 [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
+[Azure.Cosmos.AvailabilityZone](../rules/Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important
 [Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
 [Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -184,6 +186,8 @@ Name | Synopsis | Severity
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
 [Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important
+[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical
 [Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -262,6 +266,7 @@ Name | Synopsis | Severity
 [Azure.FrontDoorWAF.Exclusions](../rules/Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical
 [Azure.FrontDoorWAF.PreventionMode](../rules/Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
 [Azure.FrontDoorWAF.RuleGroups](../rules/Azure.FrontDoorWAF.RuleGroups.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
+[Azure.Grafana.AvailabilityZone](../rules/Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important
 [Azure.Grafana.Version](../rules/Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important
 [Azure.Group.Name](../rules/Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness
 [Azure.Group.Naming](../rules/Azure.Group.Naming.md) | Resource Groups without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -301,6 +306,7 @@ Name | Synopsis | Severity
 [Azure.MariaDB.ServerName](../rules/Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness
 [Azure.MariaDB.UseSSL](../rules/Azure.MariaDB.UseSSL.md) | Azure Database for MariaDB servers should only accept encrypted connections. | Critical
 [Azure.MariaDB.VNETRuleName](../rules/Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness
+[Azure.MICassandra.AvailabilityZone](../rules/Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important
 [Azure.ML.ComputeIdleShutdown](../rules/Azure.ML.ComputeIdleShutdown.md) | Configure an idle shutdown timeout for Machine Learning compute instances. | Critical
 [Azure.ML.ComputeVnet](../rules/Azure.ML.ComputeVnet.md) | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical
 [Azure.ML.DisableLocalAuth](../rules/Azure.ML.DisableLocalAuth.md) | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical
@@ -316,8 +322,8 @@ Name | Synopsis | Severity
 [Azure.MySQL.GeoRedundantBackup](../rules/Azure.MySQL.GeoRedundantBackup.md) | Azure Database for MySQL should store backups in a geo-redundant storage. | Important
 [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important
 [Azure.MySQL.MinTLS](../rules/Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical
-[Azure.MySQL.Naming](../rules/Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness
+[Azure.MySQL.ServerNaming](../rules/Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.MySQL.UseFlexible](../rules/Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important
 [Azure.MySQL.UseSSL](../rules/Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical
 [Azure.MySQL.ZoneRedundantHA](../rules/Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
@@ -345,8 +351,8 @@ Name | Synopsis | Severity
 [Azure.PostgreSQL.GeoRedundantBackup](../rules/Azure.PostgreSQL.GeoRedundantBackup.md) | Azure Database for PostgreSQL should store backups in a geo-redundant storage. | Important
 [Azure.PostgreSQL.MaintenanceWindow](../rules/Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important
 [Azure.PostgreSQL.MinTLS](../rules/Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical
-[Azure.PostgreSQL.Naming](../rules/Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness
+[Azure.PostgreSQL.ServerNaming](../rules/Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.PostgreSQL.UseSSL](../rules/Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical
 [Azure.PostgreSQL.ZoneRedundantHA](../rules/Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
 [Azure.PrivateEndpoint.Name](../rules/Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness
@@ -376,7 +382,7 @@ Name | Synopsis | Severity
 [Azure.Redis.PublicNetworkAccess](../rules/Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical
 [Azure.Redis.Version](../rules/Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important
 [Azure.RedisEnterprise.MinTLS](../rules/Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
-[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.RedisEnterprise.Zones](../rules/Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important
 [Azure.Resource.AllowedRegions](../rules/Azure.Resource.AllowedRegions.md) | The deployment location of a resource determines the country or region where metadata and data is stored and processed. | Important
 [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness
@@ -409,8 +415,8 @@ Name | Synopsis | Severity
 [Azure.SQL.AADOnly](../rules/Azure.SQL.AADOnly.md) | Ensure Entra ID only authentication is enabled with Azure SQL Database. | Important
 [Azure.SQL.AllowAzureAccess](../rules/Azure.SQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important
 [Azure.SQL.Auditing](../rules/Azure.SQL.Auditing.md) | Enable auditing for Azure SQL logical server. | Important
-[Azure.SQL.DatabaseNaming](../rules/Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness
+[Azure.SQL.DBNaming](../rules/Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.DefenderCloud](../rules/Azure.SQL.DefenderCloud.md) | Enable Microsoft Defender for Azure SQL logical server. | Important
 [Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness
@@ -421,7 +427,6 @@ Name | Synopsis | Severity
 [Azure.SQL.MinTLS](../rules/Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical
 [Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness
 [Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
-[Azure.SQL.StretchDBNaming](../rules/Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.TDE](../rules/Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical
 [Azure.SQL.VAScan](../rules/Azure.SQL.VAScan.md) | SQL Databases may have configuration vulnerabilities discovered after they are deployed. | Important
 [Azure.SQLMI.AAD](../rules/Azure.SQLMI.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical
diff --git a/docs/en/baselines/Azure.CAF_2025_03.csv b/docs/en/baselines/Azure.CAF_2025_03.csv
index 845a551c6d9..0172a53a7bf 100644
--- a/docs/en/baselines/Azure.CAF_2025_03.csv
+++ b/docs/en/baselines/Azure.CAF_2025_03.csv
@@ -11,7 +11,7 @@
 "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.SystemTopicNaming","Event Grid system topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -49,9 +49,9 @@
 "Azure.Search.Name","Azure Resource Manager (ARM) has requirements for AI Search service names.","Awareness","Operational Excellence","-"
 "Azure.Search.Naming","Azure AI Search services without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.Name","Azure Resource Manager (ARM) has requirements for Storage Account names.","Awareness","Operational Excellence","-"
 "Azure.Storage.Naming","Storage Accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.CAF_2025_06.csv b/docs/en/baselines/Azure.CAF_2025_06.csv
index 845a551c6d9..0172a53a7bf 100644
--- a/docs/en/baselines/Azure.CAF_2025_06.csv
+++ b/docs/en/baselines/Azure.CAF_2025_06.csv
@@ -11,7 +11,7 @@
 "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.SystemTopicNaming","Event Grid system topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -49,9 +49,9 @@
 "Azure.Search.Name","Azure Resource Manager (ARM) has requirements for AI Search service names.","Awareness","Operational Excellence","-"
 "Azure.Search.Naming","Azure AI Search services without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.Name","Azure Resource Manager (ARM) has requirements for Storage Account names.","Awareness","Operational Excellence","-"
 "Azure.Storage.Naming","Storage Accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.CAF_Compatibility.csv b/docs/en/baselines/Azure.CAF_Compatibility.csv
index 845a551c6d9..0172a53a7bf 100644
--- a/docs/en/baselines/Azure.CAF_Compatibility.csv
+++ b/docs/en/baselines/Azure.CAF_Compatibility.csv
@@ -11,7 +11,7 @@
 "Azure.Bastion.Name","Bastion hosts should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Deployment.Name","Nested deployments should meet naming requirements of deployments.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.DomainNaming","Event Grid domains without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.SystemTopicNaming","Event Grid system topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -49,9 +49,9 @@
 "Azure.Search.Name","Azure Resource Manager (ARM) has requirements for AI Search service names.","Awareness","Operational Excellence","-"
 "Azure.Search.Naming","Azure AI Search services without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.Name","Azure Resource Manager (ARM) has requirements for Storage Account names.","Awareness","Operational Excellence","-"
 "Azure.Storage.Naming","Storage Accounts without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.Default.csv b/docs/en/baselines/Azure.Default.csv
index 7278cbfd2c7..f2cb8586242 100644
--- a/docs/en/baselines/Azure.Default.csv
+++ b/docs/en/baselines/Azure.Default.csv
@@ -14,6 +14,7 @@
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
+"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4"
 "Azure.ADX.SLA","Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.","Important","Reliability","-"
 "Azure.ADX.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-"
 "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1"
@@ -103,7 +104,7 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
+"Azure.AppGwWAF.RuleGroups","Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic.","Critical","Security","L2"
 "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -153,7 +154,8 @@
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.AvailabilityZone","Use zone redundant Cosmos DB accounts in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
@@ -162,6 +164,8 @@
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1"
+"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
 "Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
@@ -239,6 +243,7 @@
 "Azure.FrontDoorWAF.Exclusions","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.","Critical","Security","-"
 "Azure.FrontDoorWAF.PreventionMode","Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.FrontDoorWAF.RuleGroups","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
+"Azure.Grafana.AvailabilityZone","Use zone redundant Grafana workspaces in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Grafana.Version","Grafana workspaces should be on Grafana version 10.","Important","Reliability","-"
 "Azure.Group.Name","Azure Resource Manager (ARM) has requirements for Resource Groups names.","Awareness","Operational Excellence","-"
 "Azure.Group.Naming","Resource Groups without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -278,6 +283,7 @@
 "Azure.MariaDB.ServerName","Azure Database for MariaDB servers should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.MariaDB.UseSSL","Azure Database for MariaDB servers should only accept encrypted connections.","Critical","Security","L1"
 "Azure.MariaDB.VNETRuleName","Azure Database for MariaDB VNET rules should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.MICassandra.AvailabilityZone","Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.ML.ComputeIdleShutdown","Configure an idle shutdown timeout for Machine Learning compute instances.","Critical","Cost Optimization","-"
 "Azure.ML.ComputeVnet","Azure Machine Learning Computes should be hosted in a virtual network (VNet).","Critical","Security","-"
 "Azure.ML.DisableLocalAuth","Azure Machine Learning compute resources should have local authentication methods disabled.","Critical","Security","L1"
@@ -293,8 +299,8 @@
 "Azure.MySQL.GeoRedundantBackup","Azure Database for MySQL should store backups in a geo-redundant storage.","Important","Reliability","-"
 "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-"
 "Azure.MySQL.MinTLS","MySQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.MySQL.Naming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.MySQL.ServerNaming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.MySQL.UseFlexible","Use Azure Database for MySQL Flexible Server deployment model.","Important","Reliability","-"
 "Azure.MySQL.UseSSL","Enforce encrypted MySQL connections.","Critical","Security","L1"
 "Azure.MySQL.ZoneRedundantHA","Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-"
@@ -322,8 +328,8 @@
 "Azure.PostgreSQL.GeoRedundantBackup","Azure Database for PostgreSQL should store backups in a geo-redundant storage.","Important","Reliability","-"
 "Azure.PostgreSQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers.","Important","Reliability","-"
 "Azure.PostgreSQL.MinTLS","PostgreSQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.PostgreSQL.Naming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.PostgreSQL.ServerNaming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PostgreSQL.UseSSL","Enforce encrypted PostgreSQL connections.","Critical","Security","L1"
 "Azure.PostgreSQL.ZoneRedundantHA","Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-"
 "Azure.PrivateEndpoint.Name","Private Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -353,7 +359,7 @@
 "Azure.Redis.PublicNetworkAccess","Redis cache should disable public network access.","Critical","Security","-"
 "Azure.Redis.Version","Azure Cache for Redis should use the latest supported version of Redis.","Important","Reliability","-"
 "Azure.RedisEnterprise.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.RedisEnterprise.Naming","Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.RedisEnterprise.Naming","Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.RedisEnterprise.Zones","Enterprise Redis cache should be zone-redundant for high availability.","Important","Reliability","-"
 "Azure.Resource.AllowedRegions","The deployment location of a resource determines the country or region where metadata and data is stored and processed.","Important","Security","-"
 "Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -385,8 +391,8 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DatabaseNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.SQL.DBNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -395,9 +401,8 @@
 "Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
-"Azure.SQL.StretchDBNaming","SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
diff --git a/docs/en/baselines/Azure.Default.md b/docs/en/baselines/Azure.Default.md
index 5d3e7e794fb..800b8c2508d 100644
--- a/docs/en/baselines/Azure.Default.md
+++ b/docs/en/baselines/Azure.Default.md
@@ -10,7 +10,7 @@ Default baseline for that includes the latest rules for Azure GA features that i
 The following rules are included within the `Azure.Default` baseline.
-This baseline includes a total of 509 rules.
+This baseline includes a total of 514 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
@@ -29,6 +29,7 @@ Name | Synopsis | Severity
 [Azure.ACR.Usage](../rules/Azure.ACR.Usage.md) | Regularly remove deprecated and unneeded images to reduce storage usage. | Important
 [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important
 [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important
+[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical
 [Azure.ADX.SLA](../rules/Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important
 [Azure.ADX.Usage](../rules/Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important
 [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important
@@ -118,7 +119,7 @@ Name | Synopsis | Severity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
+[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical
 [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical
 [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness
 [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -169,6 +170,7 @@ Name | Synopsis | Severity
 [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important
 [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
+[Azure.Cosmos.AvailabilityZone](../rules/Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important
 [Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
 [Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -177,6 +179,8 @@ Name | Synopsis | Severity
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
 [Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important
+[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical
 [Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -254,6 +258,7 @@ Name | Synopsis | Severity
 [Azure.FrontDoorWAF.Exclusions](../rules/Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical
 [Azure.FrontDoorWAF.PreventionMode](../rules/Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
 [Azure.FrontDoorWAF.RuleGroups](../rules/Azure.FrontDoorWAF.RuleGroups.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
+[Azure.Grafana.AvailabilityZone](../rules/Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important
 [Azure.Grafana.Version](../rules/Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important
 [Azure.Group.Name](../rules/Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness
 [Azure.Group.Naming](../rules/Azure.Group.Naming.md) | Resource Groups without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -293,6 +298,7 @@ Name | Synopsis | Severity
 [Azure.MariaDB.ServerName](../rules/Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness
 [Azure.MariaDB.UseSSL](../rules/Azure.MariaDB.UseSSL.md) | Azure Database for MariaDB servers should only accept encrypted connections. | Critical
 [Azure.MariaDB.VNETRuleName](../rules/Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness
+[Azure.MICassandra.AvailabilityZone](../rules/Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important
 [Azure.ML.ComputeIdleShutdown](../rules/Azure.ML.ComputeIdleShutdown.md) | Configure an idle shutdown timeout for Machine Learning compute instances. | Critical
 [Azure.ML.ComputeVnet](../rules/Azure.ML.ComputeVnet.md) | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical
 [Azure.ML.DisableLocalAuth](../rules/Azure.ML.DisableLocalAuth.md) | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical
@@ -308,8 +314,8 @@ Name | Synopsis | Severity
 [Azure.MySQL.GeoRedundantBackup](../rules/Azure.MySQL.GeoRedundantBackup.md) | Azure Database for MySQL should store backups in a geo-redundant storage. | Important
 [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important
 [Azure.MySQL.MinTLS](../rules/Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical
-[Azure.MySQL.Naming](../rules/Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness
+[Azure.MySQL.ServerNaming](../rules/Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.MySQL.UseFlexible](../rules/Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important
 [Azure.MySQL.UseSSL](../rules/Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical
 [Azure.MySQL.ZoneRedundantHA](../rules/Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
@@ -337,8 +343,8 @@ Name | Synopsis | Severity
 [Azure.PostgreSQL.GeoRedundantBackup](../rules/Azure.PostgreSQL.GeoRedundantBackup.md) | Azure Database for PostgreSQL should store backups in a geo-redundant storage. | Important
 [Azure.PostgreSQL.MaintenanceWindow](../rules/Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important
 [Azure.PostgreSQL.MinTLS](../rules/Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical
-[Azure.PostgreSQL.Naming](../rules/Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness
+[Azure.PostgreSQL.ServerNaming](../rules/Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.PostgreSQL.UseSSL](../rules/Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical
 [Azure.PostgreSQL.ZoneRedundantHA](../rules/Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
 [Azure.PrivateEndpoint.Name](../rules/Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness
@@ -368,7 +374,7 @@ Name | Synopsis | Severity
 [Azure.Redis.PublicNetworkAccess](../rules/Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical
 [Azure.Redis.Version](../rules/Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important
 [Azure.RedisEnterprise.MinTLS](../rules/Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
-[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.RedisEnterprise.Zones](../rules/Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important
 [Azure.Resource.AllowedRegions](../rules/Azure.Resource.AllowedRegions.md) | The deployment location of a resource determines the country or region where metadata and data is stored and processed. | Important
 [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness
@@ -400,8 +406,8 @@ Name | Synopsis | Severity
 [Azure.SQL.AADOnly](../rules/Azure.SQL.AADOnly.md) | Ensure Entra ID only authentication is enabled with Azure SQL Database. | Important
 [Azure.SQL.AllowAzureAccess](../rules/Azure.SQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important
 [Azure.SQL.Auditing](../rules/Azure.SQL.Auditing.md) | Enable auditing for Azure SQL logical server. | Important
-[Azure.SQL.DatabaseNaming](../rules/Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness
+[Azure.SQL.DBNaming](../rules/Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.DefenderCloud](../rules/Azure.SQL.DefenderCloud.md) | Enable Microsoft Defender for Azure SQL logical server. | Important
 [Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness
@@ -412,7 +418,6 @@ Name | Synopsis | Severity
 [Azure.SQL.MinTLS](../rules/Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical
 [Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness
 [Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
-[Azure.SQL.StretchDBNaming](../rules/Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.TDE](../rules/Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical
 [Azure.SQL.VAScan](../rules/Azure.SQL.VAScan.md) | SQL Databases may have configuration vulnerabilities discovered after they are deployed. | Important
 [Azure.SQLMI.AAD](../rules/Azure.SQLMI.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical
diff --git a/docs/en/baselines/Azure.GA_2020_12.csv b/docs/en/baselines/Azure.GA_2020_12.csv
index 95ba856cc3c..823f7f46bfd 100644
--- a/docs/en/baselines/Azure.GA_2020_12.csv
+++ b/docs/en/baselines/Azure.GA_2020_12.csv
@@ -112,13 +112,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2021_03.csv b/docs/en/baselines/Azure.GA_2021_03.csv
index 12a93408fa0..c4a8413c773 100644
--- a/docs/en/baselines/Azure.GA_2021_03.csv
+++ b/docs/en/baselines/Azure.GA_2021_03.csv
@@ -119,13 +119,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2021_06.csv b/docs/en/baselines/Azure.GA_2021_06.csv
index 607d754c620..0dcccdf6c4e 100644
--- a/docs/en/baselines/Azure.GA_2021_06.csv
+++ b/docs/en/baselines/Azure.GA_2021_06.csv
@@ -133,13 +133,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2021_09.csv b/docs/en/baselines/Azure.GA_2021_09.csv
index 811d7809f67..38fc5daa6d5 100644
--- a/docs/en/baselines/Azure.GA_2021_09.csv
+++ b/docs/en/baselines/Azure.GA_2021_09.csv
@@ -65,7 +65,7 @@
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-"
 "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.DefenderCloud.Provisioning","Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.","Important","Security","-"
@@ -145,13 +145,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2021_12.csv b/docs/en/baselines/Azure.GA_2021_12.csv
index 597a4f1c2c0..118ad1ca0dd 100644
--- a/docs/en/baselines/Azure.GA_2021_12.csv
+++ b/docs/en/baselines/Azure.GA_2021_12.csv
@@ -73,7 +73,7 @@
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-"
 "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.DefenderCloud.Provisioning","Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.","Important","Security","-"
@@ -163,13 +163,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2022_03.csv b/docs/en/baselines/Azure.GA_2022_03.csv
index 87505cbefe9..7d2de8d42fe 100644
--- a/docs/en/baselines/Azure.GA_2022_03.csv
+++ b/docs/en/baselines/Azure.GA_2022_03.csv
@@ -78,7 +78,7 @@
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-"
 "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.DefenderCloud.Provisioning","Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.","Important","Security","-"
@@ -177,13 +177,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2022_06.csv b/docs/en/baselines/Azure.GA_2022_06.csv
index e2d3ef65c06..ec28b90a884 100644
--- a/docs/en/baselines/Azure.GA_2022_06.csv
+++ b/docs/en/baselines/Azure.GA_2022_06.csv
@@ -81,7 +81,7 @@
 "Azure.CDN.EndpointName","Azure CDN Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-"
 "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.DefenderCloud.Provisioning","Enable auto-provisioning on to improve Microsoft Defender for Cloud insights.","Important","Security","-"
@@ -181,13 +181,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2022_09.csv b/docs/en/baselines/Azure.GA_2022_09.csv
index bdd38ed2705..1cf370fc25c 100644
--- a/docs/en/baselines/Azure.GA_2022_09.csv
+++ b/docs/en/baselines/Azure.GA_2022_09.csv
@@ -93,7 +93,7 @@
 "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-"
 "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1"
 "Azure.CDN.UseFrontDoor","Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.","Important","Performance Efficiency","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.Defender.AppServices","Enable Microsoft Defender for App Service.","Critical","Security","-"
@@ -209,13 +209,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2022_12.csv b/docs/en/baselines/Azure.GA_2022_12.csv
index 869c83576e1..91b145b1d64 100644
--- a/docs/en/baselines/Azure.GA_2022_12.csv
+++ b/docs/en/baselines/Azure.GA_2022_12.csv
@@ -99,7 +99,7 @@
 "Azure.CDN.HTTP","Unencrypted communication could allow disclosure of information to an untrusted party.","Important","Security","-"
 "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1"
 "Azure.CDN.UseFrontDoor","Use Azure Front Door Standard or Premium SKU to improve the performance of web pages with dynamic content and overall capabilities.","Important","Performance Efficiency","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.Defender.AppServices","Enable Microsoft Defender for App Service.","Critical","Security","-"
@@ -236,13 +236,13 @@
 "Azure.SQL.AAD","Use Entra ID authentication with Azure SQL databases.","Critical","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.Storage.BlobAccessType","Use containers configured with a private access type that requires authorization.","Important","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2023_03.csv b/docs/en/baselines/Azure.GA_2023_03.csv
index dc7ab7f54b9..ae02e25a615 100644
--- a/docs/en/baselines/Azure.GA_2023_03.csv
+++ b/docs/en/baselines/Azure.GA_2023_03.csv
@@ -106,7 +106,7 @@
 "Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.Defender.AppServices","Enable Microsoft Defender for App Service.","Critical","Security","-"
@@ -252,13 +252,13 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2023_06.csv b/docs/en/baselines/Azure.GA_2023_06.csv
index c56278ebd5f..b85c09df9e9 100644
--- a/docs/en/baselines/Azure.GA_2023_06.csv
+++ b/docs/en/baselines/Azure.GA_2023_06.csv
@@ -111,7 +111,7 @@
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
@@ -266,13 +266,13 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2023_09.csv b/docs/en/baselines/Azure.GA_2023_09.csv
index 117210e5d6b..da3391e9885 100644
--- a/docs/en/baselines/Azure.GA_2023_09.csv
+++ b/docs/en/baselines/Azure.GA_2023_09.csv
@@ -116,7 +116,7 @@
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-"
@@ -277,13 +277,13 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2023_12.csv b/docs/en/baselines/Azure.GA_2023_12.csv
index 0dc86d47a8a..c5422f29d14 100644
--- a/docs/en/baselines/Azure.GA_2023_12.csv
+++ b/docs/en/baselines/Azure.GA_2023_12.csv
@@ -118,7 +118,7 @@
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-"
@@ -286,13 +286,13 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2024_03.csv b/docs/en/baselines/Azure.GA_2024_03.csv
index da5f1d458d7..ecb0fd2c9b8 100644
--- a/docs/en/baselines/Azure.GA_2024_03.csv
+++ b/docs/en/baselines/Azure.GA_2024_03.csv
@@ -83,7 +83,6 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-"
 "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-"
@@ -122,7 +121,7 @@
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
@@ -295,13 +294,13 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2024_03.md b/docs/en/baselines/Azure.GA_2024_03.md index 7ec555d74b6..8ea340d81db 100644 --- a/docs/en/baselines/Azure.GA_2024_03.md +++ b/docs/en/baselines/Azure.GA_2024_03.md @@ -15,7 +15,7 @@ Include rules released March 2024 or prior for Azure GA features. The following rules are included within the `Azure.GA_2024_03` baseline. -This baseline includes a total of 391 rules. +This baseline includes a total of 390 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -103,7 +103,6 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important diff --git a/docs/en/baselines/Azure.GA_2024_06.csv b/docs/en/baselines/Azure.GA_2024_06.csv index 7248de54a6a..bd3587b7a6a 100644 --- a/docs/en/baselines/Azure.GA_2024_06.csv +++ b/docs/en/baselines/Azure.GA_2024_06.csv 
@@ -87,7 +87,6 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-"
 "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-"
@@ -130,7 +129,7 @@
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
@@ -314,13 +313,13 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed Instance.","Important","Security","L1"
diff --git a/docs/en/baselines/Azure.GA_2024_06.md b/docs/en/baselines/Azure.GA_2024_06.md index f8bca1a7db7..8bb0fb182d2 100644 --- a/docs/en/baselines/Azure.GA_2024_06.md +++ b/docs/en/baselines/Azure.GA_2024_06.md @@ -15,7 +15,7 @@ Include rules released June 2024 or prior for Azure GA features. The following rules are included within the `Azure.GA_2024_06` baseline. -This baseline includes a total of 411 rules. +This baseline includes a total of 410 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -107,7 +107,6 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important diff --git a/docs/en/baselines/Azure.GA_2024_09.csv b/docs/en/baselines/Azure.GA_2024_09.csv index bf899e346fe..d9a62491a3e 100644 --- a/docs/en/baselines/Azure.GA_2024_09.csv +++ b/docs/en/baselines/Azure.GA_2024_09.csv 
@@ -89,7 +89,6 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-"
 "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-"
@@ -134,7 +133,7 @@
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
@@ -322,14 +321,14 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed 
Instance.","Important","Security","L1" diff --git a/docs/en/baselines/Azure.GA_2024_09.md b/docs/en/baselines/Azure.GA_2024_09.md index b3110e9207a..93550525260 100644 --- a/docs/en/baselines/Azure.GA_2024_09.md +++ b/docs/en/baselines/Azure.GA_2024_09.md @@ -15,7 +15,7 @@ Include rules released September 2024 or prior for Azure GA features. The following rules are included within the `Azure.GA_2024_09` baseline. -This baseline includes a total of 428 rules. +This baseline includes a total of 427 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -109,7 +109,6 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important diff --git a/docs/en/baselines/Azure.GA_2024_12.csv b/docs/en/baselines/Azure.GA_2024_12.csv index 3de3c49e520..304364e84d4 100644 --- a/docs/en/baselines/Azure.GA_2024_12.csv 
+++ b/docs/en/baselines/Azure.GA_2024_12.csv
@@ -90,7 +90,6 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-"
 "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-"
@@ -135,7 +134,7 @@
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
@@ -325,14 +324,14 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
 "Azure.SQLMI.AADOnly","Ensure Azure AD-only authentication is enabled with Azure SQL Managed 
Instance.","Important","Security","L1" diff --git a/docs/en/baselines/Azure.GA_2024_12.md b/docs/en/baselines/Azure.GA_2024_12.md index 658d33ebc5f..24e0babcce8 100644 --- a/docs/en/baselines/Azure.GA_2024_12.md +++ b/docs/en/baselines/Azure.GA_2024_12.md @@ -15,7 +15,7 @@ Include rules released December 2024 or prior for Azure GA features. The following rules are included within the `Azure.GA_2024_12` baseline. -This baseline includes a total of 431 rules. +This baseline includes a total of 430 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -110,7 +110,6 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important diff --git a/docs/en/baselines/Azure.GA_2025_03.csv b/docs/en/baselines/Azure.GA_2025_03.csv index ca8c2dce8a0..b83a5cb4538 100644 --- a/docs/en/baselines/Azure.GA_2025_03.csv 
+++ b/docs/en/baselines/Azure.GA_2025_03.csv
@@ -90,7 +90,6 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Workspace","Configure Application Insights resources to store data in a workspace.","Important","Operational Excellence","-"
 "Azure.AppService.AlwaysOn","Configure Always On for App Service apps.","Important","Reliability","-"
@@ -135,7 +134,7 @@
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
@@ -331,14 +330,14 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed 
Instance.","Critical","Security","L1" diff --git a/docs/en/baselines/Azure.GA_2025_03.md b/docs/en/baselines/Azure.GA_2025_03.md index 86a4d602c6b..7a086bd5415 100644 --- a/docs/en/baselines/Azure.GA_2025_03.md +++ b/docs/en/baselines/Azure.GA_2025_03.md @@ -15,7 +15,7 @@ Include rules released March 2025 or prior for Azure GA features. The following rules are included within the `Azure.GA_2025_03` baseline. -This baseline includes a total of 438 rules. +This baseline includes a total of 437 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -110,7 +110,6 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Workspace](../rules/Azure.AppInsights.Workspace.md) | Configure Application Insights resources to store data in a workspace. | Important [Azure.AppService.AlwaysOn](../rules/Azure.AppService.AlwaysOn.md) | Configure Always On for App Service apps. | Important diff --git a/docs/en/baselines/Azure.GA_2025_06.csv b/docs/en/baselines/Azure.GA_2025_06.csv index 82c1c521c8f..979b29c85dc 100644 --- a/docs/en/baselines/Azure.GA_2025_06.csv 
+++ b/docs/en/baselines/Azure.GA_2025_06.csv
@@ -94,7 +94,6 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -141,7 +140,7 @@
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
@@ -359,14 +358,14 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed
Instance.","Critical","Security","L1" diff --git a/docs/en/baselines/Azure.GA_2025_06.md b/docs/en/baselines/Azure.GA_2025_06.md index b8111e7911c..81f5778edd5 100644 --- a/docs/en/baselines/Azure.GA_2025_06.md +++ b/docs/en/baselines/Azure.GA_2025_06.md @@ -15,7 +15,7 @@ Include rules released June 2025 or prior for Azure GA features. The following rules are included within the `Azure.GA_2025_06` baseline. -This baseline includes a total of 476 rules. +This baseline includes a total of 475 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -114,7 +114,6 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness 
diff --git a/docs/en/baselines/Azure.GA_2025_09.csv b/docs/en/baselines/Azure.GA_2025_09.csv
index aca29228722..320b72308a8 100644
--- a/docs/en/baselines/Azure.GA_2025_09.csv
+++ b/docs/en/baselines/Azure.GA_2025_09.csv
@@ -97,7 +97,6 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -144,7 +143,7 @@
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
@@ -363,14 +362,14 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.FirewallIPRange","Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.","Important","Security","-"
 "Azure.SQL.FirewallRuleCount","Determine if there is an excessive number of firewall rules.","Awareness","Security","-"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed
Instance.","Critical","Security","L1" diff --git a/docs/en/baselines/Azure.GA_2025_09.md b/docs/en/baselines/Azure.GA_2025_09.md index 5f3afb555f4..dffcb68cc41 100644 --- a/docs/en/baselines/Azure.GA_2025_09.md +++ b/docs/en/baselines/Azure.GA_2025_09.md @@ -12,7 +12,7 @@ Include rules released September 2025 or prior for Azure GA features. The following rules are included within the `Azure.GA_2025_09` baseline. -This baseline includes a total of 481 rules. +This baseline includes a total of 480 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -114,7 +114,6 @@ Name | Synopsis | Severity [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical -[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness 
diff --git a/docs/en/baselines/Azure.MCSB.v1.csv b/docs/en/baselines/Azure.MCSB.v1.csv
index 65ede0dc856..767ed7d2161 100644
--- a/docs/en/baselines/Azure.MCSB.v1.csv
+++ b/docs/en/baselines/Azure.MCSB.v1.csv
@@ -7,6 +7,7 @@
 "Azure.ACR.ImageHealth","Remove container images with known vulnerabilities.","Critical","Security","L2"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
+"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4"
 "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1"
 "Azure.AI.ManagedIdentity","Configure managed identities to access Azure resources.","Important","Security","L1"
 "Azure.AI.PrivateEndpoints","Use Private Endpoints to access Azure AI services accounts.","Important","Security","-"
@@ -59,6 +60,7 @@
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
+"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Defender.Api","Enable Microsoft Defender for APIs.","Critical","Security","-"
 "Azure.Defender.AppServices","Enable Microsoft Defender for App Service.","Critical","Security","-"
diff --git a/docs/en/baselines/Azure.MCSB.v1.md b/docs/en/baselines/Azure.MCSB.v1.md index 83b87ba2f3c..b47a0d5948a 100644 --- a/docs/en/baselines/Azure.MCSB.v1.md +++ b/docs/en/baselines/Azure.MCSB.v1.md @@ -16,7 +16,7 @@ Rules for GA Azure features that align to the Microsoft Cloud Security Benchmark The following rules are included within the `Azure.MCSB.v1` baseline. -This baseline includes a total of 143 rules. +This baseline includes a total of 145 rules. Name | Synopsis | Severity ---- | -------- | -------- @@ -28,6 +28,7 @@ Name | Synopsis | Severity [Azure.ACR.ImageHealth](../rules/Azure.ACR.ImageHealth.md) | Remove container images with known vulnerabilities. | Critical [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important +[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important [Azure.AI.ManagedIdentity](../rules/Azure.AI.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important [Azure.AI.PrivateEndpoints](../rules/Azure.AI.PrivateEndpoints.md) | Use Private Endpoints to access Azure AI services accounts. | Important 
@@ -80,6 +81,7 @@ Name | Synopsis | Severity
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
 [Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
+[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Defender.Api](../rules/Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Critical
 [Azure.Defender.AppServices](../rules/Azure.Defender.AppServices.md) | Enable Microsoft Defender for App Service. | Critical
diff --git a/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv b/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv
index a5d0bcfa7aa..2c86cda38ca 100644
--- a/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv
+++ b/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv
@@ -31,7 +31,7 @@
 "Azure.ContainerApp.JobNaming","Container App Job resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.Name","Container Apps should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.ContainerApp.Naming","Container App resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
@@ -62,8 +62,8 @@
 "Azure.MariaDB.FirewallRuleName","Azure Database for MariaDB firewall rules should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.MariaDB.ServerName","Azure Database for MariaDB servers should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.MariaDB.VNETRuleName","Azure Database for MariaDB VNET rules should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.MySQL.Naming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.MySQL.ServerNaming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.NIC.Name","Network Interface (NIC) names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.NSG.AKSRules","AKS Network Security Group (NSG) should not have custom rules.","Awareness","Operational Excellence","-"
 "Azure.NSG.Name","Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names.","Awareness","Operational Excellence","-"
@@ -72,15 +72,15 @@
 "Azure.Policy.AssignmentDescriptors","Policy assignments should use a display name and description.","Awareness","Operational Excellence","-"
 "Azure.Policy.Descriptors","Policy and initiative definitions should use a display name, description, and category.","Awareness","Operational Excellence","-"
 "Azure.Policy.ExemptionDescriptors","Policy exemptions should use a display name and description.","Awareness","Operational Excellence","-"
-"Azure.PostgreSQL.Naming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.PostgreSQL.ServerNaming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PrivateEndpoint.Name","Private Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.PublicIP.DNSLabel","Public IP domain name labels should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.PublicIP.MigrateStandard","Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.","Important","Operational Excellence","-"
 "Azure.PublicIP.Name","Azure Resource Manager (ARM) has requirements for Public IP address names.","Awareness","Operational Excellence","-"
 "Azure.PublicIP.Naming","Public IP addresses without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
-"Azure.RedisEnterprise.Naming","Azure Managed Redis resources without a standard naming convention may be difficult to identify
and manage.","Awareness","Operational Excellence","L2"
+"Azure.RedisEnterprise.Naming","Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.Route.Name","Azure Resource Manager (ARM) has requirements for Route table names.","Awareness","Operational Excellence","-"
 "Azure.Route.Naming","Route tables without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -90,14 +90,13 @@
 "Azure.ServiceFabric.ManagedNaming","Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.ServiceFabric.Naming","Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SignalR.Name","SignalR service instance names should meet naming requirements.","Awareness","Operational Excellence","-"
-"Azure.SQL.DatabaseNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.SQL.DBNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be
difficult to identify and manage.","Awareness","Operational Excellence","L2" -"Azure.SQL.StretchDBNaming","SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.SQLMI.Name","SQL Managed Instance names should meet naming requirements.","Awareness","Operational Excellence","-" "Azure.SQLMI.Naming","SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2" "Azure.Storage.Name","Azure Resource Manager (ARM) has requirements for Storage Account names.","Awareness","Operational Excellence","-" diff --git a/docs/en/baselines/Azure.Pillar.OperationalExcellence.md b/docs/en/baselines/Azure.Pillar.OperationalExcellence.md index 2327fd42d97..921b508bf82 100644 --- a/docs/en/baselines/Azure.Pillar.OperationalExcellence.md +++ b/docs/en/baselines/Azure.Pillar.OperationalExcellence.md @@ -14,7 +14,7 @@ Microsoft Azure Well-Architected Framework - Operational Excellence pillar speci The following rules are included within the `Azure.Pillar.OperationalExcellence` baseline. -This baseline includes a total of 146 rules. +This baseline includes a total of 145 rules. Name | Synopsis | Severity | Maturity ---- | -------- | -------- | -------- 
@@ -50,7 +50,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.ContainerApp.JobNaming](../rules/Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.ContainerApp.Name](../rules/Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | L2
 [Azure.ContainerApp.Naming](../rules/Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
-[Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | -
+[Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | L2
 [Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
@@ -81,8 +81,8 @@ Name | Synopsis | Severity | Maturity
 [Azure.MariaDB.FirewallRuleName](../rules/Azure.MariaDB.FirewallRuleName.md) | Azure Database for MariaDB firewall rules should meet naming requirements. | Awareness | -
 [Azure.MariaDB.ServerName](../rules/Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness | -
 [Azure.MariaDB.VNETRuleName](../rules/Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness | -
-[Azure.MySQL.Naming](../rules/Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | -
+[Azure.MySQL.ServerNaming](../rules/Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.NIC.Name](../rules/Azure.NIC.Name.md) | Network Interface (NIC) names should meet naming requirements. | Awareness | -
 [Azure.NSG.AKSRules](../rules/Azure.NSG.AKSRules.md) | AKS Network Security Group (NSG) should not have custom rules. | Awareness | -
 [Azure.NSG.Name](../rules/Azure.NSG.Name.md) | Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names. | Awareness | -
@@ -91,15 +91,15 @@ Name | Synopsis | Severity | Maturity
 [Azure.Policy.AssignmentDescriptors](../rules/Azure.Policy.AssignmentDescriptors.md) | Policy assignments should use a display name and description. | Awareness | -
 [Azure.Policy.Descriptors](../rules/Azure.Policy.Descriptors.md) | Policy and initiative definitions should use a display name, description, and category. | Awareness | -
 [Azure.Policy.ExemptionDescriptors](../rules/Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | -
-[Azure.PostgreSQL.Naming](../rules/Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | -
+[Azure.PostgreSQL.ServerNaming](../rules/Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.PrivateEndpoint.Name](../rules/Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness | -
 [Azure.PublicIP.DNSLabel](../rules/Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness | -
 [Azure.PublicIP.MigrateStandard](../rules/Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | Important | -
 [Azure.PublicIP.Name](../rules/Azure.PublicIP.Name.md) | Azure Resource Manager (ARM) has requirements for Public IP address names. | Awareness | -
 [Azure.PublicIP.Naming](../rules/Azure.PublicIP.Naming.md) | Public IP addresses without a standard naming convention may be difficult to identify and manage.
| Awareness | -
 [Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
-[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
+[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | -
 [Azure.Route.Name](../rules/Azure.Route.Name.md) | Azure Resource Manager (ARM) has requirements for Route table names. | Awareness | -
 [Azure.Route.Naming](../rules/Azure.Route.Naming.md) | Route tables without a standard naming convention may be difficult to identify and manage. | Awareness | -
@@ -109,14 +109,13 @@ Name | Synopsis | Severity | Maturity
 [Azure.ServiceFabric.ManagedNaming](../rules/Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.ServiceFabric.Naming](../rules/Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.SignalR.Name](../rules/Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness | -
-[Azure.SQL.DatabaseNaming](../rules/Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
-[Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness | -
+[Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness | L2
+[Azure.SQL.DBNaming](../rules/Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness | -
 [Azure.SQL.JobAgentNaming](../rules/Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
-[Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | -
+[Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | L2
 [Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
-[Azure.SQL.StretchDBNaming](../rules/Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.SQLMI.Name](../rules/Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | -
 [Azure.SQLMI.Naming](../rules/Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.Storage.Name](../rules/Azure.Storage.Name.md) | Azure Resource Manager (ARM) has requirements for Storage Account names. | Awareness | -
diff --git a/docs/en/baselines/Azure.Pillar.Reliability.csv b/docs/en/baselines/Azure.Pillar.Reliability.csv
index 7c2172b95d1..b903718b3c0 100644
--- a/docs/en/baselines/Azure.Pillar.Reliability.csv
+++ b/docs/en/baselines/Azure.Pillar.Reliability.csv
@@ -30,7 +30,9 @@
 "Azure.ContainerApp.AvailabilityZone","Use Container Apps environments that are zone redundant to improve reliability.","Important","Reliability","-"
 "Azure.ContainerApp.MinReplicas","Use multiple replicas to remove a single point of failure.","Important","Reliability","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
+"Azure.Cosmos.AvailabilityZone","Use zone redundant Cosmos DB accounts in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
+"Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-"
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.EntraDS.MinReplicas","Applications or infrastructure relying on a managed domain may fail if the domain is not available.","Important","Reliability","-"
@@ -39,6 +41,7 @@
 "Azure.FrontDoor.Probe","Use health probes to check the health of each backend.","Important","Reliability","-"
 "Azure.FrontDoor.ProbeMethod","Configure health probes to use HEAD requests to reduce performance overhead.","Important","Reliability","-"
 "Azure.FrontDoor.ProbePath","Configure a dedicated path for health probe requests.","Important","Reliability","-"
+"Azure.Grafana.AvailabilityZone","Use zone redundant Grafana workspaces in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Grafana.Version","Grafana workspaces should be on Grafana version 10.","Important","Reliability","-"
 "Azure.KeyVault.PurgeProtect","Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.","Important","Reliability","-"
 "Azure.KeyVault.SoftDelete","Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.","Important","Reliability","-"
@@ -47,6 +50,7 @@
 "Azure.LB.StandardSKU","Load balancers should be deployed with Standard SKU for production workloads.","Important","Reliability","-"
 "Azure.Log.Replication","Log Analytics workspaces should have workspace replication enabled to improve service availability.","Important","Reliability","-"
 "Azure.MariaDB.GeoRedundantBackup","Azure Database for MariaDB should store backups in a geo-redundant storage.","Important","Reliability","-"
+"Azure.MICassandra.AvailabilityZone","Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Monitor.ServiceHealth","Configure Service Health alerts to notify administrators.","Important","Reliability","-"
 "Azure.MySQL.GeoRedundantBackup","Azure Database for MySQL should store backups in a geo-redundant storage.","Important","Reliability","-"
 "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-"
diff --git a/docs/en/baselines/Azure.Pillar.Reliability.md b/docs/en/baselines/Azure.Pillar.Reliability.md
index 0c2e09c0562..b80fd2cbf29 100644
--- a/docs/en/baselines/Azure.Pillar.Reliability.md
+++ b/docs/en/baselines/Azure.Pillar.Reliability.md
@@ -14,7 +14,7 @@ Microsoft Azure Well-Architected Framework - Reliability pillar specific baselin
 
 The following rules are included within the `Azure.Pillar.Reliability` baseline.
 
-This baseline includes a total of 96 rules.
+This baseline includes a total of 100 rules.
 
 Name | Synopsis | Severity | Maturity
 ---- | -------- | -------- | --------
@@ -49,7 +49,9 @@ Name | Synopsis | Severity | Maturity
 [Azure.ContainerApp.AvailabilityZone](../rules/Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important | -
 [Azure.ContainerApp.MinReplicas](../rules/Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | -
 [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | -
+[Azure.Cosmos.AvailabilityZone](../rules/Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | L1
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important | -
+[Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | L1
 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important | -
 [Azure.DataFactory.Version](../rules/Azure.DataFactory.Version.md) | Consider migrating to DataFactory v2. | Awareness | -
 [Azure.EntraDS.MinReplicas](../rules/Azure.EntraDS.MinReplicas.md) | Applications or infrastructure relying on a managed domain may fail if the domain is not available. | Important | -
@@ -58,6 +60,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important | -
 [Azure.FrontDoor.ProbeMethod](../rules/Azure.FrontDoor.ProbeMethod.md) | Configure health probes to use HEAD requests to reduce performance overhead. | Important | -
 [Azure.FrontDoor.ProbePath](../rules/Azure.FrontDoor.ProbePath.md) | Configure a dedicated path for health probe requests. | Important | -
+[Azure.Grafana.AvailabilityZone](../rules/Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | L1
 [Azure.Grafana.Version](../rules/Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important | -
 [Azure.KeyVault.PurgeProtect](../rules/Azure.KeyVault.PurgeProtect.md) | Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items. | Important | -
 [Azure.KeyVault.SoftDelete](../rules/Azure.KeyVault.SoftDelete.md) | Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion. | Important | -
@@ -66,6 +69,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.LB.StandardSKU](../rules/Azure.LB.StandardSKU.md) | Load balancers should be deployed with Standard SKU for production workloads. | Important | -
 [Azure.Log.Replication](../rules/Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | -
 [Azure.MariaDB.GeoRedundantBackup](../rules/Azure.MariaDB.GeoRedundantBackup.md) | Azure Database for MariaDB should store backups in a geo-redundant storage. | Important | -
+[Azure.MICassandra.AvailabilityZone](../rules/Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | L1
 [Azure.Monitor.ServiceHealth](../rules/Azure.Monitor.ServiceHealth.md) | Configure Service Health alerts to notify administrators. | Important | -
 [Azure.MySQL.GeoRedundantBackup](../rules/Azure.MySQL.GeoRedundantBackup.md) | Azure Database for MySQL should store backups in a geo-redundant storage. | Important | -
 [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important | -
diff --git a/docs/en/baselines/Azure.Pillar.Security.L1.csv b/docs/en/baselines/Azure.Pillar.Security.L1.csv
index 6a7ea459dd0..8ee86156a22 100644
--- a/docs/en/baselines/Azure.Pillar.Security.L1.csv
+++ b/docs/en/baselines/Azure.Pillar.Security.L1.csv
@@ -30,6 +30,7 @@
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
 "Azure.EntraDS.NTLM","Disable NTLM v1 for Microsoft Entra Domain Services.","Critical","Security","L1"
 "Azure.EntraDS.RC4","Disable RC4 encryption for Microsoft Entra Domain Services.","Critical","Security","L1"
 "Azure.EntraDS.TLS","Disable TLS v1 for Microsoft Entra Domain Services.","Critical","Security","L1"
diff --git a/docs/en/baselines/Azure.Pillar.Security.L1.md b/docs/en/baselines/Azure.Pillar.Security.L1.md
index 02a3a765ad2..cc3eaae11b1 100644
--- a/docs/en/baselines/Azure.Pillar.Security.L1.md
+++ b/docs/en/baselines/Azure.Pillar.Security.L1.md
@@ -16,7 +16,7 @@ Microsoft Azure Well-Architected Framework - Security pillar Level 1 maturity ba
 
 The following rules are included within the `Azure.Pillar.Security.L1` baseline.
 
-This baseline includes a total of 84 rules.
+This baseline includes a total of 85 rules.
 
 Name | Synopsis | Severity | Maturity
 ---- | -------- | -------- | --------
@@ -51,6 +51,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | L1
 [Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | L1
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | L1
+[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | L1
 [Azure.EntraDS.NTLM](../rules/Azure.EntraDS.NTLM.md) | Disable NTLM v1 for Microsoft Entra Domain Services. | Critical | L1
 [Azure.EntraDS.RC4](../rules/Azure.EntraDS.RC4.md) | Disable RC4 encryption for Microsoft Entra Domain Services. | Critical | L1
 [Azure.EntraDS.TLS](../rules/Azure.EntraDS.TLS.md) | Disable TLS v1 for Microsoft Entra Domain Services. | Critical | L1
diff --git a/docs/en/baselines/Azure.Pillar.Security.csv b/docs/en/baselines/Azure.Pillar.Security.csv
index 7eb3b5e7154..065c01cfc68 100644
--- a/docs/en/baselines/Azure.Pillar.Security.csv
+++ b/docs/en/baselines/Azure.Pillar.Security.csv
@@ -8,6 +8,7 @@
 "Azure.ACR.ReplicaLocation","The replication location determines the country or region where container images and metadata are stored and processed.","Important","Security","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
+"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4"
 "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1"
 "Azure.AI.ManagedIdentity","Configure managed identities to access Azure resources.","Important","Security","L1"
 "Azure.AI.PrivateEndpoints","Use Private Endpoints to access Azure AI services accounts.","Important","Security","-"
@@ -53,7 +54,7 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
+"Azure.AppGwWAF.RuleGroups","Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic.","Critical","Security","L2"
 "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1"
 "Azure.AppService.ManagedIdentity","Configure managed identities to access Azure resources.","Important","Security","L1"
 "Azure.AppService.MinTLS","App Service should not accept weak or deprecated transport protocols for client-server communication.","Critical","Security","L1"
@@ -79,6 +80,7 @@
 "Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
 "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-"
diff --git a/docs/en/baselines/Azure.Pillar.Security.md b/docs/en/baselines/Azure.Pillar.Security.md
index 530260453f5..88467e78261 100644
--- a/docs/en/baselines/Azure.Pillar.Security.md
+++ b/docs/en/baselines/Azure.Pillar.Security.md
@@ -14,7 +14,7 @@ Microsoft Azure Well-Architected Framework - Security pillar specific baseline.
 
 The following rules are included within the `Azure.Pillar.Security` baseline.
 
-This baseline includes a total of 230 rules.
+This baseline includes a total of 232 rules.
 
 Name | Synopsis | Severity | Maturity
 ---- | -------- | -------- | --------
@@ -27,6 +27,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.ACR.ReplicaLocation](../rules/Azure.ACR.ReplicaLocation.md) | The replication location determines the country or region where container images and metadata are stored and processed. | Important | -
 [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important | L1
 [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important | L1
+[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | L4
 [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important | L1
 [Azure.AI.ManagedIdentity](../rules/Azure.AI.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important | L1
 [Azure.AI.PrivateEndpoints](../rules/Azure.AI.PrivateEndpoints.md) | Use Private Endpoints to access Azure AI services accounts. | Important | -
@@ -72,7 +73,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | -
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | -
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | -
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | -
+[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | L2
 [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical | L1
 [Azure.AppService.ManagedIdentity](../rules/Azure.AppService.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important | L1
 [Azure.AppService.MinTLS](../rules/Azure.AppService.MinTLS.md) | App Service should not accept weak or deprecated transport protocols for client-server communication. | Critical | L1
@@ -98,6 +99,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | L1
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | -
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | L1
+[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | L1
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical | -
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical | -
 [Azure.Databricks.SecureConnectivity](../rules/Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical | -
diff --git a/docs/en/baselines/Azure.Preview.csv b/docs/en/baselines/Azure.Preview.csv
index e60b9b179c4..ed67f0675fc 100644
--- a/docs/en/baselines/Azure.Preview.csv
+++ b/docs/en/baselines/Azure.Preview.csv
@@ -17,6 +17,7 @@
 "Azure.ACR.Usage","Regularly remove deprecated and unneeded images to reduce storage usage.","Important","Cost Optimization","-"
 "Azure.ADX.DiskEncryption","Use disk encryption for Azure Data Explorer (ADX) clusters.","Important","Security","L1"
 "Azure.ADX.ManagedIdentity","Configure Data Explorer clusters to use managed identities to access Azure resources securely.","Important","Security","L1"
+"Azure.ADX.PublicAccess","Azure Data Explorer (ADX) clusters should have public network access disabled.","Critical","Security","L4"
 "Azure.ADX.SLA","Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters.","Important","Reliability","-"
 "Azure.ADX.Usage","Regularly remove unused resources to reduce costs.","Important","Cost Optimization","-"
 "Azure.AI.DisableLocalAuth","Access keys allow depersonalized access to Azure AI using a shared secret.","Important","Security","L1"
@@ -106,7 +107,7 @@
 "Azure.AppGwWAF.Enabled","Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources.","Critical","Security","-"
 "Azure.AppGwWAF.Exclusions","Application Gateway Web Application Firewall (WAF) should have all rules enabled.","Critical","Security","-"
 "Azure.AppGwWAF.PreventionMode","Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
-"Azure.AppGwWAF.RuleGroups","Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
+"Azure.AppGwWAF.RuleGroups","Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic.","Critical","Security","L2"
 "Azure.AppInsights.LocalAuth","Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier.","Critical","Security","L1"
 "Azure.AppInsights.Name","Azure Resource Manager (ARM) has requirements for Application Insights resource names.","Awareness","Operational Excellence","-"
 "Azure.AppInsights.Naming","Application Insights resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -158,7 +159,8 @@
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
-"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.AvailabilityZone","Use zone redundant Cosmos DB accounts in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Cosmos.CassandraNaming","Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
@@ -167,6 +169,8 @@
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1"
+"Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
 "Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
@@ -245,6 +249,7 @@
 "Azure.FrontDoorWAF.Exclusions","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions.","Critical","Security","-"
 "Azure.FrontDoorWAF.PreventionMode","Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
 "Azure.FrontDoorWAF.RuleGroups","Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources.","Critical","Security","-"
+"Azure.Grafana.AvailabilityZone","Use zone redundant Grafana workspaces in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Grafana.Version","Grafana workspaces should be on Grafana version 10.","Important","Reliability","-"
 "Azure.Group.Name","Azure Resource Manager (ARM) has requirements for Resource Groups names.","Awareness","Operational Excellence","-"
 "Azure.Group.Naming","Resource Groups without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -284,6 +289,7 @@
 "Azure.MariaDB.ServerName","Azure Database for MariaDB servers should meet naming requirements.","Awareness","Operational Excellence","-"
 "Azure.MariaDB.UseSSL","Azure Database for MariaDB servers should only accept encrypted connections.","Critical","Security","L1"
 "Azure.MariaDB.VNETRuleName","Azure Database for MariaDB VNET rules should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.MICassandra.AvailabilityZone","Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.ML.ComputeIdleShutdown","Configure an idle shutdown timeout for Machine Learning compute instances.","Critical","Cost Optimization","-"
 "Azure.ML.ComputeVnet","Azure Machine Learning Computes should be hosted in a virtual network (VNet).","Critical","Security","-"
 "Azure.ML.DisableLocalAuth","Azure Machine Learning compute resources should have local authentication methods disabled.","Critical","Security","L1"
@@ -299,8 +305,8 @@
 "Azure.MySQL.GeoRedundantBackup","Azure Database for MySQL should store backups in a geo-redundant storage.","Important","Reliability","-"
 "Azure.MySQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for MySQL servers.","Important","Reliability","-"
 "Azure.MySQL.MinTLS","MySQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.MySQL.Naming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.MySQL.ServerName","Azure MySQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.MySQL.ServerNaming","MySQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.MySQL.UseFlexible","Use Azure Database for MySQL Flexible Server deployment model.","Important","Reliability","-"
 "Azure.MySQL.UseSSL","Enforce encrypted MySQL connections.","Critical","Security","L1"
 "Azure.MySQL.ZoneRedundantHA","Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-"
@@ -328,8 +334,8 @@
 "Azure.PostgreSQL.GeoRedundantBackup","Azure Database for PostgreSQL should store backups in a geo-redundant storage.","Important","Reliability","-"
 "Azure.PostgreSQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers.","Important","Reliability","-"
 "Azure.PostgreSQL.MinTLS","PostgreSQL DB servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.PostgreSQL.Naming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PostgreSQL.ServerName","Azure PostgreSQL DB server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.PostgreSQL.ServerNaming","PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.PostgreSQL.UseSSL","Enforce encrypted PostgreSQL connections.","Critical","Security","L1"
 "Azure.PostgreSQL.ZoneRedundantHA","Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience.","Important","Reliability","-"
 "Azure.PrivateEndpoint.Name","Private Endpoint names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -359,7 +365,7 @@
 "Azure.Redis.PublicNetworkAccess","Redis cache should disable public network access.","Critical","Security","-"
 "Azure.Redis.Version","Azure Cache for Redis should use the latest supported version of Redis.","Important","Reliability","-"
 "Azure.RedisEnterprise.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.RedisEnterprise.Naming","Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.RedisEnterprise.Naming","Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.RedisEnterprise.Zones","Enterprise Redis cache should be zone-redundant for high availability.","Important","Reliability","-"
 "Azure.Resource.AllowedRegions","The deployment location of a resource determines the country or region where metadata and data is stored and processed.","Important","Security","-"
 "Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
@@ -392,8 +398,8 @@
 "Azure.SQL.AADOnly","Ensure Entra ID only authentication is enabled with Azure SQL Database.","Important","Security","L1"
 "Azure.SQL.AllowAzureAccess","Determine if access from Azure services is required.","Important","Security","-"
 "Azure.SQL.Auditing","Enable auditing for Azure SQL logical server.","Important","Security","-"
-"Azure.SQL.DatabaseNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
-"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.DBName","Azure SQL Database names should meet naming requirements.","Awareness","Operational Excellence","L2"
+"Azure.SQL.DBNaming","Azure SQL database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.DefenderCloud","Enable Microsoft Defender for Azure SQL logical server.","Important","Security","-"
 "Azure.SQL.ElasticPoolNaming","Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.FGName","Azure SQL failover group names should meet naming requirements.","Awareness","Operational Excellence","-"
@@ -402,9 +408,8 @@
 "Azure.SQL.JobAgentNaming","Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.MaintenanceWindow","Configure a customer-controlled maintenance window for Azure SQL databases.","Important","Reliability","-"
 "Azure.SQL.MinTLS","Azure SQL Database servers should reject TLS versions older than 1.2.","Critical","Security","L1"
-"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","-"
+"Azure.SQL.ServerName","Azure SQL logical server names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.SQL.ServerNaming","Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
-"Azure.SQL.StretchDBNaming","SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.SQL.TDE","Use Transparent Data Encryption (TDE) with Azure SQL Database.","Critical","Security","L1"
 "Azure.SQL.VAScan","SQL Databases may have configuration vulnerabilities discovered after they are deployed.","Important","Security","-"
 "Azure.SQLMI.AAD","Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance.","Critical","Security","L1"
diff --git a/docs/en/baselines/Azure.Preview.md b/docs/en/baselines/Azure.Preview.md
index 7cb01f7ef36..c57df8a3d35 100644
--- a/docs/en/baselines/Azure.Preview.md
+++ b/docs/en/baselines/Azure.Preview.md
@@ -10,7 +10,7 @@ Includes the latest rules for Azure GA and preview features that is updated each
 
 The following rules are included within the `Azure.Preview` baseline.
 
-This baseline includes a total of 517 rules.
+This baseline includes a total of 522 rules.
 
 Name | Synopsis | Severity
 ---- | -------- | --------
@@ -32,6 +32,7 @@ Name | Synopsis | Severity
 [Azure.ACR.Usage](../rules/Azure.ACR.Usage.md) | Regularly remove deprecated and unneeded images to reduce storage usage. | Important
 [Azure.ADX.DiskEncryption](../rules/Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important
 [Azure.ADX.ManagedIdentity](../rules/Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important
+[Azure.ADX.PublicAccess](../rules/Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical
 [Azure.ADX.SLA](../rules/Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important
 [Azure.ADX.Usage](../rules/Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important
 [Azure.AI.DisableLocalAuth](../rules/Azure.AI.DisableLocalAuth.md) | Access keys allow depersonalized access to Azure AI using a shared secret. | Important
@@ -121,7 +122,7 @@ Name | Synopsis | Severity
 [Azure.AppGwWAF.Enabled](../rules/Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical
 [Azure.AppGwWAF.Exclusions](../rules/Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical
 [Azure.AppGwWAF.PreventionMode](../rules/Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
-[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical
+[Azure.AppGwWAF.RuleGroups](../rules/Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical
 [Azure.AppInsights.LocalAuth](../rules/Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical
 [Azure.AppInsights.Name](../rules/Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness
 [Azure.AppInsights.Naming](../rules/Azure.AppInsights.Naming.md) | Application Insights resources without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -174,6 +175,7 @@ Name | Synopsis | Severity
 [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important
 [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
+[Azure.Cosmos.AvailabilityZone](../rules/Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important
 [Azure.Cosmos.CassandraNaming](../rules/Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
 [Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -182,6 +184,8 @@ Name | Synopsis | Severity
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
 [Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important
+[Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical
 [Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -260,6 +264,7 @@ Name | Synopsis | Severity
 [Azure.FrontDoorWAF.Exclusions](../rules/Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | Critical
 [Azure.FrontDoorWAF.PreventionMode](../rules/Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
 [Azure.FrontDoorWAF.RuleGroups](../rules/Azure.FrontDoorWAF.RuleGroups.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. | Critical
+[Azure.Grafana.AvailabilityZone](../rules/Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important
 [Azure.Grafana.Version](../rules/Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important
 [Azure.Group.Name](../rules/Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness
 [Azure.Group.Naming](../rules/Azure.Group.Naming.md) | Resource Groups without a standard naming convention may be difficult to identify and manage. | Awareness
@@ -299,6 +304,7 @@ Name | Synopsis | Severity
 [Azure.MariaDB.ServerName](../rules/Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness
 [Azure.MariaDB.UseSSL](../rules/Azure.MariaDB.UseSSL.md) | Azure Database for MariaDB servers should only accept encrypted connections. | Critical
 [Azure.MariaDB.VNETRuleName](../rules/Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness
+[Azure.MICassandra.AvailabilityZone](../rules/Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important
 [Azure.ML.ComputeIdleShutdown](../rules/Azure.ML.ComputeIdleShutdown.md) | Configure an idle shutdown timeout for Machine Learning compute instances. | Critical
 [Azure.ML.ComputeVnet](../rules/Azure.ML.ComputeVnet.md) | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical
 [Azure.ML.DisableLocalAuth](../rules/Azure.ML.DisableLocalAuth.md) | Azure Machine Learning compute resources should have local authentication methods disabled. | Critical
@@ -314,8 +320,8 @@ Name | Synopsis | Severity
 [Azure.MySQL.GeoRedundantBackup](../rules/Azure.MySQL.GeoRedundantBackup.md) | Azure Database for MySQL should store backups in a geo-redundant storage. | Important
 [Azure.MySQL.MaintenanceWindow](../rules/Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important
 [Azure.MySQL.MinTLS](../rules/Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical
-[Azure.MySQL.Naming](../rules/Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.MySQL.ServerName](../rules/Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness
+[Azure.MySQL.ServerNaming](../rules/Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.MySQL.UseFlexible](../rules/Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important
 [Azure.MySQL.UseSSL](../rules/Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical
 [Azure.MySQL.ZoneRedundantHA](../rules/Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
@@ -343,8 +349,8 @@ Name | Synopsis | Severity
 [Azure.PostgreSQL.GeoRedundantBackup](../rules/Azure.PostgreSQL.GeoRedundantBackup.md) | Azure Database for PostgreSQL should store backups in a geo-redundant storage. | Important
 [Azure.PostgreSQL.MaintenanceWindow](../rules/Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important
 [Azure.PostgreSQL.MinTLS](../rules/Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical
-[Azure.PostgreSQL.Naming](../rules/Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.PostgreSQL.ServerName](../rules/Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness
+[Azure.PostgreSQL.ServerNaming](../rules/Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.PostgreSQL.UseSSL](../rules/Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical
 [Azure.PostgreSQL.ZoneRedundantHA](../rules/Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important
 [Azure.PrivateEndpoint.Name](../rules/Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness
@@ -374,7 +380,7 @@ Name | Synopsis | Severity
 [Azure.Redis.PublicNetworkAccess](../rules/Azure.Redis.PublicNetworkAccess.md) | Redis cache should disable public network access. | Critical
 [Azure.Redis.Version](../rules/Azure.Redis.Version.md) | Azure Cache for Redis should use the latest supported version of Redis. | Important
 [Azure.RedisEnterprise.MinTLS](../rules/Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
-[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.RedisEnterprise.Zones](../rules/Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important
 [Azure.Resource.AllowedRegions](../rules/Azure.Resource.AllowedRegions.md) | The deployment location of a resource determines the country or region where metadata and data is stored and processed. | Important
 [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness
@@ -407,8 +413,8 @@ Name | Synopsis | Severity
 [Azure.SQL.AADOnly](../rules/Azure.SQL.AADOnly.md) | Ensure Entra ID only authentication is enabled with Azure SQL Database. | Important
 [Azure.SQL.AllowAzureAccess](../rules/Azure.SQL.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important
 [Azure.SQL.Auditing](../rules/Azure.SQL.Auditing.md) | Enable auditing for Azure SQL logical server. | Important
-[Azure.SQL.DatabaseNaming](../rules/Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.DBName](../rules/Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness
+[Azure.SQL.DBNaming](../rules/Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.DefenderCloud](../rules/Azure.SQL.DefenderCloud.md) | Enable Microsoft Defender for Azure SQL logical server. | Important
 [Azure.SQL.ElasticPoolNaming](../rules/Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.FGName](../rules/Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness
@@ -419,7 +425,6 @@ Name | Synopsis | Severity
 [Azure.SQL.MinTLS](../rules/Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical
 [Azure.SQL.ServerName](../rules/Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness
 [Azure.SQL.ServerNaming](../rules/Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness
-[Azure.SQL.StretchDBNaming](../rules/Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.SQL.TDE](../rules/Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical
 [Azure.SQL.VAScan](../rules/Azure.SQL.VAScan.md) | SQL Databases may have configuration vulnerabilities discovered after they are deployed. | Important
 [Azure.SQLMI.AAD](../rules/Azure.SQLMI.AAD.md) | Use Azure Active Directory (AAD) authentication with Azure SQL Managed Instance. | Critical
diff --git a/docs/en/rules/index.md b/docs/en/rules/index.md
index 16f3b57cd22..fd1d8f09359 100644
--- a/docs/en/rules/index.md
+++ b/docs/en/rules/index.md
@@ -324,7 +324,7 @@ AZR-000300 | [Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Det
 AZR-000301 | [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | GA
 AZR-000302 | [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA
 AZR-000303 | [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | GA
-AZR-000304 | [Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA
+AZR-000304 | [Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | GA
 AZR-000305 | [Azure.FrontDoorWAF.Enabled](Azure.FrontDoorWAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | GA
 AZR-000306 | [Azure.FrontDoorWAF.PreventionMode](Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | GA
 AZR-000307 | [Azure.FrontDoorWAF.Exclusions](Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | GA
@@ -518,32 +518,37 @@ AZR-000495 | [Azure.ACR.ExportPolicy](Azure.ACR.ExportPolicy.md) | Export policy
 AZR-000496 | [Azure.Redis.LocalAuth](Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | GA
 AZR-000497 | [Azure.Storage.LocalAuth](Azure.Storage.LocalAuth.md) | Access keys allow depersonalized access to Storage Accounts using a shared secret. | GA
 AZR-000498 | [Azure.AppConfig.ReplicaLocation](Azure.AppConfig.ReplicaLocation.md) | The replication location determines the country or region where configuration data is stored and processed. | GA
-AZR-000499 | [Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000500 | [Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000501 | [Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000502 | [Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000503 | [Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000504 | [Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000499 | [Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | GA
+AZR-000500 | [Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | GA
+AZR-000501 | [Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | GA
+AZR-000502 | [Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | GA
+AZR-000503 | [Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | GA
+AZR-000504 | [Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | GA
 AZR-000505 | [Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000506 | [Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000507 | [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000508 | [Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000509 | [Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000510 | [Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000511 | [Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000512 | [Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000513 | [Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000514 | [Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000515 | [Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000516 | [Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000517 | [Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000518 | [Azure.SQL.DatabaseNaming](Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000519 | [Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000520 | [Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000521 | [Azure.MySQL.Naming](Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000522 | [Azure.PostgreSQL.Naming](Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000523 | [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000524 | [Azure.SQL.StretchDBNaming](Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000525 | [Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000506 | [Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000507 | [Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000508 | [Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000509 | [Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000510 | [Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000511 | [Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000512 | [Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000513 | [Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000514 | [Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000515 | [Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000516 | [Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000517 | [Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000518 | [Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000519 | [Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000521 | [Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000522 | [Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000523 | [Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000524 | [Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000525 | [Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000526 | [Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000527 | [Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000528 | [Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000529 | [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000530 | [Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000531 | [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | GA
 
 *[GA]: Generally Available — Rules related to a generally available Azure features.
diff --git a/docs/en/rules/module.md b/docs/en/rules/module.md
index a80e6f300a6..a87daa0a714 100644
--- a/docs/en/rules/module.md
+++ b/docs/en/rules/module.md
@@ -113,17 +113,22 @@ Name | Synopsis | Severity | Level [Azure.AppGw.Name](Azure.AppGw.Name.md) | Application Gateways should meet naming requirements. | Awareness | Error [Azure.AppInsights.Name](Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness | Error [Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error +[Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error [Azure.Group.Name](Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness | Error [Azure.KeyVault.KeyName](Azure.KeyVault.KeyName.md) | Key Vault Key names should meet naming requirements. | Awareness | Error [Azure.KeyVault.SecretName](Azure.KeyVault.SecretName.md) | Key Vault Secret names should meet naming requirements. | Awareness | Error [Azure.LB.Name](Azure.LB.Name.md) | Load Balancer names should meet naming requirements. | Awareness | Error [Azure.Log.Name](Azure.Log.Name.md) | Azure Resource Manager (ARM) has requirements for Azure Monitor Log workspace names. | Awareness | Error [Azure.MariaDB.DatabaseName](Azure.MariaDB.DatabaseName.md) | Azure Database for MariaDB databases should meet naming requirements. | Awareness | Error +[Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error [Azure.NIC.Name](Azure.NIC.Name.md) | Network Interface (NIC) names should meet naming requirements. | Awareness | Error [Azure.NSG.Name](Azure.NSG.Name.md) | Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names. | Awareness | Error +[Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. 
| Awareness | Error [Azure.PublicIP.Name](Azure.PublicIP.Name.md) | Azure Resource Manager (ARM) has requirements for Public IP address names. | Awareness | Error [Azure.Route.Name](Azure.Route.Name.md) | Azure Resource Manager (ARM) has requirements for Route table names. | Awareness | Error [Azure.Search.Name](Azure.Search.Name.md) | Azure Resource Manager (ARM) has requirements for AI Search service names. | Awareness | Error +[Azure.SQL.DBName](Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness | Error +[Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error [Azure.Storage.Name](Azure.Storage.Name.md) | Azure Resource Manager (ARM) has requirements for Storage Account names. | Awareness | Error [Azure.VM.ComputerName](Azure.VM.ComputerName.md) | Virtual Machine (VM) computer name should meet naming requirements. | Awareness | Error [Azure.VM.Name](Azure.VM.Name.md) | Virtual Machine (VM) names should meet naming requirements. | Awareness | Error 
@@ -164,25 +169,24 @@ Name | Synopsis | Severity | Level [Azure.Group.RequiredTags](Azure.Group.RequiredTags.md) | Resource groups without a standard tagging convention may be difficult to identify and manage. | Awareness | Error [Azure.LB.Naming](Azure.LB.Naming.md) | Load balancer names should use a standard prefix. | Awareness | Error [Azure.Log.Naming](Azure.Log.Naming.md) | Azure Monitor Log workspaces without a standard naming convention may be difficult to identify and manage. | Awareness | Error -[Azure.MySQL.Naming](Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.NSG.Naming](Azure.NSG.Naming.md) | Network security group (NSG) without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Policy.AssignmentDescriptors](Azure.Policy.AssignmentDescriptors.md) | Policy assignments should use a display name and description. | Awareness | Error [Azure.Policy.Descriptors](Azure.Policy.Descriptors.md) | Policy and initiative definitions should use a display name, description, and category. | Awareness | Error [Azure.Policy.ExemptionDescriptors](Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | Error -[Azure.PostgreSQL.Naming](Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error [Azure.PublicIP.Naming](Azure.PublicIP.Naming.md) | Public IP addresses without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error -[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Resource.RequiredTags](Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | Error [Azure.Route.Naming](Azure.Route.Naming.md) | Route tables without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Search.Naming](Azure.Search.Naming.md) | Azure AI Search services without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error -[Azure.SQL.DatabaseNaming](Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. 
| Awareness | Error +[Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error -[Azure.SQL.StretchDBNaming](Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Storage.Naming](Azure.Storage.Naming.md) | Storage Accounts without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.Subscription.RequiredTags](Azure.Subscription.RequiredTags.md) | Subscriptions without a standard tagging convention may be difficult to identify and manage. | Awareness | Error 
@@ -246,7 +250,6 @@ Name | Synopsis | Severity | Level
 [Azure.ASG.Name](Azure.ASG.Name.md) | Application Security Group (ASG) names should meet naming requirements. | Awareness | Error
 [Azure.Bastion.Name](Azure.Bastion.Name.md) | Bastion hosts should meet naming requirements. | Awareness | Error
 [Azure.CDN.EndpointName](Azure.CDN.EndpointName.md) | Azure CDN Endpoint names should meet naming requirements. | Awareness | Error
-[Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error
 [Azure.Deployment.Name](Azure.Deployment.Name.md) | Nested deployments should meet naming requirements of deployments. | Awareness | Error
 [Azure.Firewall.Name](Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness | Error
 [Azure.Firewall.PolicyName](Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness | Error
@@ -257,18 +260,14 @@ Name | Synopsis | Severity | Level [Azure.MariaDB.FirewallRuleName](Azure.MariaDB.FirewallRuleName.md) | Azure Database for MariaDB firewall rules should meet naming requirements. | Awareness | Error [Azure.MariaDB.ServerName](Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness | Error [Azure.MariaDB.VNETRuleName](Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness | Error -[Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error [Azure.NSG.AKSRules](Azure.NSG.AKSRules.md) | AKS Network Security Group (NSG) should not have custom rules. | Awareness | Error [Azure.Policy.AssignmentAssignedBy](Azure.Policy.AssignmentAssignedBy.md) | Policy assignments should use assignedBy metadata. | Awareness | Error -[Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error [Azure.PrivateEndpoint.Name](Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness | Error [Azure.PublicIP.DNSLabel](Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness | Error [Azure.PublicIP.MigrateStandard](Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | Important | Error [Azure.RSV.Name](Azure.RSV.Name.md) | Recovery Services vaults should meet naming requirements. | Awareness | Error [Azure.SignalR.Name](Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness | Error -[Azure.SQL.DBName](Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. 
| Awareness | Error [Azure.SQL.FGName](Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness | Error -[Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error [Azure.SQLMI.Name](Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | Error [Azure.Template.ExpressionLength](Azure.Template.ExpressionLength.md) | Template expressions should not exceed the maximum length. | Awareness | Error [Azure.Template.ParameterFile](Azure.Template.ParameterFile.md) | Use ARM template parameter files that are valid. | Important | Error 
@@ -458,7 +457,10 @@ Name | Synopsis | Severity | Level
 [Azure.AppConfig.GeoReplica](Azure.AppConfig.GeoReplica.md) | Replicate app configuration store across all points of presence for an application. | Important | Error
 [Azure.ContainerApp.MinReplicas](Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | Error
 [Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error
+[Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error
+[Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error
 [Azure.LB.Probe](Azure.LB.Probe.md) | Use a specific probe for web protocols. | Important | Error
+[Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | Error
 [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning
 [Azure.ServiceBus.GeoReplica](Azure.ServiceBus.GeoReplica.md) | Enhance resilience to regional outages by replicating namespaces. | Important | Error
 [Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Important | Error
@@ -480,6 +482,7 @@ Name | Synopsis | Severity | Level
 [Azure.ASE.AvailabilityZone](Azure.ASE.AvailabilityZone.md) | Deploy app service environments using availability zones in supported regions to ensure high availability and resilience. | Important | Error
 [Azure.ContainerApp.AvailabilityZone](Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important | Error
 [Azure.Firewall.AvailabilityZone](Azure.Firewall.AvailabilityZone.md) | Deploy firewall instances using availability zones in supported regions to ensure high availability and resilience. | Important | Error
+[Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | Error
 [Azure.LB.AvailabilityZone](Azure.LB.AvailabilityZone.md) | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important | Error
 [Azure.Log.Replication](Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | Error
 [Azure.MySQL.ZoneRedundantHA](Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error
@@ -627,7 +630,6 @@ Name | Synopsis | Severity | Level
 [Azure.AppGwWAF.Enabled](Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error
 [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | Error
 [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
-[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
 [Azure.MariaDB.AllowAzureAccess](Azure.MariaDB.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important | Error
 
 ### Network segmentation
@@ -697,6 +699,7 @@ Name | Synopsis | Severity | Level
 [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error
 [Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error
 [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error
+[Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error
 [Azure.EventGrid.DisableLocalAuth](Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important | Error
 [Azure.EventGrid.ManagedIdentity](Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important | Error
 [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error
@@ -722,12 +725,14 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ACR.Firewall](Azure.ACR.Firewall.md) | Container Registry without restrictions can be accessed from any network location including the Internet. | Important | Error +[Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | Error [Azure.AI.PrivateEndpoints](Azure.AI.PrivateEndpoints.md) | Use Private Endpoints to access Azure AI services accounts. | Important | Error [Azure.AI.PublicAccess](Azure.AI.PublicAccess.md) | Restrict access of Azure AI services to authorized virtual networks. | Important | Error [Azure.AKS.AuthorizedIPs](Azure.AKS.AuthorizedIPs.md) | Restrict access to API server endpoints to authorized IP addresses. | Important | Error [Azure.AKS.HttpAppRouting](Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important | Error [Azure.AppGw.UseWAF](Azure.AppGw.UseWAF.md) | Internet accessible Application Gateways should use protect endpoints with WAF. | Critical | Error [Azure.AppGw.WAFEnabled](Azure.AppGw.WAFEnabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error +[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | Error [Azure.ContainerApp.ExternalIngress](Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important | Error [Azure.ContainerApp.PublicAccess](Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. 
| Important | Error [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error diff --git a/docs/en/rules/resource.md b/docs/en/rules/resource.md index e378bf03acb..82eadab68b4 100644 --- a/docs/en/rules/resource.md +++ b/docs/en/rules/resource.md @@ -147,7 +147,7 @@ Name | Synopsis | Severity | Level [Azure.AppGwWAF.Enabled](Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | Error [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error -[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error +[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | Error ## Application Insights 
@@ -203,6 +203,7 @@ Name | Synopsis | Severity | Level
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
+[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.RedisEnterprise.Zones](Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important | Error
 
 ## Azure Database
@@ -241,6 +242,7 @@ Name | Synopsis | Severity | Level
 [Azure.MySQL.MaintenanceWindow](Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important | Error
 [Azure.MySQL.MinTLS](Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical | Error
 [Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error
+[Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning
 [Azure.MySQL.UseSSL](Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical | Error
 [Azure.MySQL.ZoneRedundantHA](Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error
@@ -259,6 +261,7 @@ Name | Synopsis | Severity | Level
 [Azure.PostgreSQL.MaintenanceWindow](Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important | Error
 [Azure.PostgreSQL.MinTLS](Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical | Error
 [Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error
+[Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.PostgreSQL.UseSSL](Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical | Error
 [Azure.PostgreSQL.ZoneRedundantHA](Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error
@@ -315,12 +318,6 @@ Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.Grafana.Version](Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important | Error
 
-## Azure Managed Redis
-
-Name | Synopsis | Severity | Level
----- | -------- | -------- | -----
-[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
-
 ## Azure Monitor Alerts
 
 Name | Synopsis | Severity | Level
@@ -341,7 +338,7 @@ Name | Synopsis | Severity | Level
 
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
-[Azure.SQL.DatabaseNaming](Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 
 ## Azure SQL Database server
 
@@ -448,11 +445,14 @@ Name | Synopsis | Severity | Level
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error
+[Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error
 [Azure.Cosmos.ContinuousBackup](Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important | Error
 [Azure.Cosmos.DefenderCloud](Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error
 [Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error
 [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error
 [Azure.Cosmos.MinTLS](Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | Error
+[Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error
+[Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error
 [Azure.Cosmos.PublicAccess](Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical | Error
 [Azure.Cosmos.SLA](Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important | Error
 
@@ -504,6 +504,7 @@ Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.ADX.DiskEncryption](Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important | Error
 [Azure.ADX.ManagedIdentity](Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important | Error
+[Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | Error
 [Azure.ADX.SLA](Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important | Error
 [Azure.ADX.Usage](Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error
 
@@ -668,6 +669,18 @@ Name | Synopsis | Severity | Level
 [Azure.ML.PublicAccess](Azure.ML.PublicAccess.md) | Disable public network access from a Azure Machine Learning workspace. | Critical | Error
 [Azure.ML.UserManagedIdentity](Azure.ML.UserManagedIdentity.md) | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important | Error
 
+## Managed Grafana
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | Error
+
+## Managed Instance for Apache Cassandra
+
+Name | Synopsis | Severity | Level
+---- | -------- | -------- | -----
+[Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | Error
+
 ## Microsoft Defender for Cloud
 
 Name | Synopsis | Severity | Level
@@ -697,12 +710,6 @@ Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.Monitor.ServiceHealth](Azure.Monitor.ServiceHealth.md) | Configure Service Health alerts to notify administrators. | Important | Error
 
-## MySQL database server
-
-Name | Synopsis | Severity | Level
----- | -------- | -------- | -----
-[Azure.MySQL.Naming](Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
-
 ## Network Interface
 
 Name | Synopsis | Severity | Level
@@ -733,12 +740,6 @@ Name | Synopsis | Severity | Level
 [Azure.Policy.ExemptionDescriptors](Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | Error
 [Azure.Policy.WaiverExpiry](Azure.Policy.WaiverExpiry.md) | Configure policy waiver exemptions to expire. | Awareness | Error
 
-## PostgreSQL database server
-
-Name | Synopsis | Severity | Level
----- | -------- | -------- | -----
-[Azure.PostgreSQL.Naming](Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
-
 ## Private Endpoint
 
 Name | Synopsis | Severity | Level
@@ -796,19 +797,9 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ServiceFabric.AAD](Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical | Error -[Azure.ServiceFabric.ProtectionLevel](Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important | Error - -## Service Fabric cluster - -Name | Synopsis | Severity | Level ----- | -------- | -------- | ----- -[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error - -## Service Fabric managed cluster - -Name | Synopsis | Severity | Level ----- | -------- | -------- | ----- [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ServiceFabric.ProtectionLevel](Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important | Error ## SignalR Service 
@@ -847,12 +838,6 @@ Name | Synopsis | Severity | Level
 [Azure.SQLMI.Name](Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | Error
 [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 
-## SQL Server Stretch Database
-
-Name | Synopsis | Severity | Level
----- | -------- | -------- | -----
-[Azure.SQL.StretchDBNaming](Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
-
 ## Storage Account
 
 Name | Synopsis | Severity | Level
diff --git a/docs/es/rules/index.md b/docs/es/rules/index.md
index 16f3b57cd22..fd1d8f09359 100644
--- a/docs/es/rules/index.md
+++ b/docs/es/rules/index.md
@@ -324,7 +324,7 @@ AZR-000300 | [Azure.Redis.FirewallIPRange](Azure.Redis.FirewallIPRange.md) | Det
 AZR-000301 | [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | GA
 AZR-000302 | [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA
 AZR-000303 | [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | GA
-AZR-000304 | [Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | GA
+AZR-000304 | [Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | GA
 AZR-000305 | [Azure.FrontDoorWAF.Enabled](Azure.FrontDoorWAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | GA
 AZR-000306 | [Azure.FrontDoorWAF.PreventionMode](Azure.FrontDoorWAF.PreventionMode.md) | Use protection mode in Front Door Web Application Firewall (WAF) policies to protect back end resources. | GA
 AZR-000307 | [Azure.FrontDoorWAF.Exclusions](Azure.FrontDoorWAF.Exclusions.md) | Use recommended rule groups in Front Door Web Application Firewall (WAF) policies to protect back end resources. Avoid configuring rule exclusions. | GA
@@ -518,32 +518,37 @@ AZR-000495 | [Azure.ACR.ExportPolicy](Azure.ACR.ExportPolicy.md) | Export policy
 AZR-000496 | [Azure.Redis.LocalAuth](Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | GA
 AZR-000497 | [Azure.Storage.LocalAuth](Azure.Storage.LocalAuth.md) | Access keys allow depersonalized access to Storage Accounts using a shared secret. | GA
 AZR-000498 | [Azure.AppConfig.ReplicaLocation](Azure.AppConfig.ReplicaLocation.md) | The replication location determines the country or region where configuration data is stored and processed. | GA
-AZR-000499 | [Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000500 | [Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000501 | [Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000502 | [Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000503 | [Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000504 | [Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000499 | [Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | GA
+AZR-000500 | [Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | GA
+AZR-000501 | [Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | GA
+AZR-000502 | [Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | GA
+AZR-000503 | [Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | GA
+AZR-000504 | [Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | GA
 AZR-000505 | [Azure.ACI.Naming](Azure.ACI.Naming.md) | Container Instance resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000506 | [Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000507 | [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000508 | [Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000509 | [Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000510 | [Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000511 | [Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000512 | [Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000513 | [Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000514 | [Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000515 | [Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000516 | [Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000517 | [Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000518 | [Azure.SQL.DatabaseNaming](Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000519 | [Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000520 | [Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000521 | [Azure.MySQL.Naming](Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000522 | [Azure.PostgreSQL.Naming](Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000523 | [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000524 | [Azure.SQL.StretchDBNaming](Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | GA
-AZR-000525 | [Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000506 | [Azure.ACR.Naming](Azure.ACR.Naming.md) | Container Registry resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000507 | [Azure.AKS.Naming](Azure.AKS.Naming.md) | AKS cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000508 | [Azure.AKS.SystemPoolNaming](Azure.AKS.SystemPoolNaming.md) | AKS system node pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000509 | [Azure.AKS.UserPoolNaming](Azure.AKS.UserPoolNaming.md) | AKS user node pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000510 | [Azure.ContainerApp.Naming](Azure.ContainerApp.Naming.md) | Container App resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000511 | [Azure.ContainerApp.EnvNaming](Azure.ContainerApp.EnvNaming.md) | Container App Environment resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000512 | [Azure.ContainerApp.JobNaming](Azure.ContainerApp.JobNaming.md) | Container App Job resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000513 | [Azure.Cosmos.CassandraNaming](Azure.Cosmos.CassandraNaming.md) | Cosmos DB for Apache Cassandra account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000514 | [Azure.Cosmos.MongoNaming](Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000515 | [Azure.Cosmos.NoSQLNaming](Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000516 | [Azure.Cosmos.TableNaming](Azure.Cosmos.TableNaming.md) | Cosmos DB for Table account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000517 | [Azure.Cosmos.GremlinNaming](Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000518 | [Azure.Cosmos.PostgreSQLNaming](Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000519 | [Azure.Cosmos.DatabaseNaming](Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000521 | [Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000522 | [Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000523 | [Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000524 | [Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000525 | [Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000526 | [Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000527 | [Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000528 | [Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000529 | [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000530 | [Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000531 | [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | GA
 
 *[GA]: Generally Available — Rules related to a generally available Azure features.
diff --git a/docs/es/rules/module.md b/docs/es/rules/module.md
index a80e6f300a6..a87daa0a714 100644
--- a/docs/es/rules/module.md
+++ b/docs/es/rules/module.md
@@ -113,17 +113,22 @@ Name | Synopsis | Severity | Level
 [Azure.AppGw.Name](Azure.AppGw.Name.md) | Application Gateways should meet naming requirements. | Awareness | Error
 [Azure.AppInsights.Name](Azure.AppInsights.Name.md) | Azure Resource Manager (ARM) has requirements for Application Insights resource names. | Awareness | Error
 [Azure.ContainerApp.Name](Azure.ContainerApp.Name.md) | Container Apps should meet naming requirements. | Awareness | Error
+[Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error
 [Azure.Group.Name](Azure.Group.Name.md) | Azure Resource Manager (ARM) has requirements for Resource Groups names. | Awareness | Error
 [Azure.KeyVault.KeyName](Azure.KeyVault.KeyName.md) | Key Vault Key names should meet naming requirements. | Awareness | Error
 [Azure.KeyVault.SecretName](Azure.KeyVault.SecretName.md) | Key Vault Secret names should meet naming requirements. | Awareness | Error
 [Azure.LB.Name](Azure.LB.Name.md) | Load Balancer names should meet naming requirements. | Awareness | Error
 [Azure.Log.Name](Azure.Log.Name.md) | Azure Resource Manager (ARM) has requirements for Azure Monitor Log workspace names. | Awareness | Error
 [Azure.MariaDB.DatabaseName](Azure.MariaDB.DatabaseName.md) | Azure Database for MariaDB databases should meet naming requirements. | Awareness | Error
+[Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error
 [Azure.NIC.Name](Azure.NIC.Name.md) | Network Interface (NIC) names should meet naming requirements. | Awareness | Error
 [Azure.NSG.Name](Azure.NSG.Name.md) | Azure Resource Manager (ARM) has requirements for Network Security Group (NSG) names. | Awareness | Error
+[Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error
 [Azure.PublicIP.Name](Azure.PublicIP.Name.md) | Azure Resource Manager (ARM) has requirements for Public IP address names. | Awareness | Error
 [Azure.Route.Name](Azure.Route.Name.md) | Azure Resource Manager (ARM) has requirements for Route table names. | Awareness | Error
 [Azure.Search.Name](Azure.Search.Name.md) | Azure Resource Manager (ARM) has requirements for AI Search service names. | Awareness | Error
+[Azure.SQL.DBName](Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness | Error
+[Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error
 [Azure.Storage.Name](Azure.Storage.Name.md) | Azure Resource Manager (ARM) has requirements for Storage Account names. | Awareness | Error
 [Azure.VM.ComputerName](Azure.VM.ComputerName.md) | Virtual Machine (VM) computer name should meet naming requirements. | Awareness | Error
 [Azure.VM.Name](Azure.VM.Name.md) | Virtual Machine (VM) names should meet naming requirements. | Awareness | Error
@@ -164,25 +169,24 @@ Name | Synopsis | Severity | Level
 [Azure.Group.RequiredTags](Azure.Group.RequiredTags.md) | Resource groups without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
 [Azure.LB.Naming](Azure.LB.Naming.md) | Load balancer names should use a standard prefix. | Awareness | Error
 [Azure.Log.Naming](Azure.Log.Naming.md) | Azure Monitor Log workspaces without a standard naming convention may be difficult to identify and manage. | Awareness | Error
-[Azure.MySQL.Naming](Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.NSG.Naming](Azure.NSG.Naming.md) | Network security group (NSG) without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Policy.AssignmentDescriptors](Azure.Policy.AssignmentDescriptors.md) | Policy assignments should use a display name and description. | Awareness | Error
 [Azure.Policy.Descriptors](Azure.Policy.Descriptors.md) | Policy and initiative definitions should use a display name, description, and category. | Awareness | Error
 [Azure.Policy.ExemptionDescriptors](Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | Error
-[Azure.PostgreSQL.Naming](Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.PublicIP.Naming](Azure.PublicIP.Naming.md) | Public IP addresses without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
-[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Resource.RequiredTags](Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Route.Naming](Azure.Route.Naming.md) | Route tables without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Search.Naming](Azure.Search.Naming.md) | Azure AI Search services without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
-[Azure.SQL.DatabaseNaming](Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
+[Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azure SQL Elastic Pool resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.SQL.JobAgentNaming](Azure.SQL.JobAgentNaming.md) | Azure SQL Elastic Job agent resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.SQL.ServerNaming](Azure.SQL.ServerNaming.md) | Azure SQL Database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
-[Azure.SQL.StretchDBNaming](Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Storage.Naming](Azure.Storage.Naming.md) | Storage Accounts without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.Subscription.RequiredTags](Azure.Subscription.RequiredTags.md) | Subscriptions without a standard tagging convention may be difficult to identify and manage. | Awareness | Error
@@ -246,7 +250,6 @@ Name | Synopsis | Severity | Level
 [Azure.ASG.Name](Azure.ASG.Name.md) | Application Security Group (ASG) names should meet naming requirements. | Awareness | Error
 [Azure.Bastion.Name](Azure.Bastion.Name.md) | Bastion hosts should meet naming requirements. | Awareness | Error
 [Azure.CDN.EndpointName](Azure.CDN.EndpointName.md) | Azure CDN Endpoint names should meet naming requirements. | Awareness | Error
-[Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error
 [Azure.Deployment.Name](Azure.Deployment.Name.md) | Nested deployments should meet naming requirements of deployments. | Awareness | Error
 [Azure.Firewall.Name](Azure.Firewall.Name.md) | Firewall names should meet naming requirements. | Awareness | Error
 [Azure.Firewall.PolicyName](Azure.Firewall.PolicyName.md) | Firewall policy names should meet naming requirements. | Awareness | Error
@@ -257,18 +260,14 @@ Name | Synopsis | Severity | Level
 [Azure.MariaDB.FirewallRuleName](Azure.MariaDB.FirewallRuleName.md) | Azure Database for MariaDB firewall rules should meet naming requirements. | Awareness | Error
 [Azure.MariaDB.ServerName](Azure.MariaDB.ServerName.md) | Azure Database for MariaDB servers should meet naming requirements. | Awareness | Error
 [Azure.MariaDB.VNETRuleName](Azure.MariaDB.VNETRuleName.md) | Azure Database for MariaDB VNET rules should meet naming requirements. | Awareness | Error
-[Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error
 [Azure.NSG.AKSRules](Azure.NSG.AKSRules.md) | AKS Network Security Group (NSG) should not have custom rules. | Awareness | Error
 [Azure.Policy.AssignmentAssignedBy](Azure.Policy.AssignmentAssignedBy.md) | Policy assignments should use assignedBy metadata. | Awareness | Error
-[Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error
 [Azure.PrivateEndpoint.Name](Azure.PrivateEndpoint.Name.md) | Private Endpoint names should meet naming requirements. | Awareness | Error
 [Azure.PublicIP.DNSLabel](Azure.PublicIP.DNSLabel.md) | Public IP domain name labels should meet naming requirements. | Awareness | Error
 [Azure.PublicIP.MigrateStandard](Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | Important | Error
 [Azure.RSV.Name](Azure.RSV.Name.md) | Recovery Services vaults should meet naming requirements. | Awareness | Error
 [Azure.SignalR.Name](Azure.SignalR.Name.md) | SignalR service instance names should meet naming requirements. | Awareness | Error
-[Azure.SQL.DBName](Azure.SQL.DBName.md) | Azure SQL Database names should meet naming requirements. | Awareness | Error
 [Azure.SQL.FGName](Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness | Error
-[Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error
 [Azure.SQLMI.Name](Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | Error
 [Azure.Template.ExpressionLength](Azure.Template.ExpressionLength.md) | Template expressions should not exceed the maximum length. | Awareness | Error
 [Azure.Template.ParameterFile](Azure.Template.ParameterFile.md) | Use ARM template parameter files that are valid. | Important | Error
@@ -458,7 +457,10 @@ Name | Synopsis | Severity | Level
 [Azure.AppConfig.GeoReplica](Azure.AppConfig.GeoReplica.md) | Replicate app configuration store across all points of presence for an application. | Important | Error
 [Azure.ContainerApp.MinReplicas](Azure.ContainerApp.MinReplicas.md) | Use multiple replicas to remove a single point of failure. | Important | Error
 [Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error
+[Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error
+[Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error
 [Azure.LB.Probe](Azure.LB.Probe.md) | Use a specific probe for web protocols. | Important | Error
+[Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | Error
 [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning
 [Azure.ServiceBus.GeoReplica](Azure.ServiceBus.GeoReplica.md) | Enhance resilience to regional outages by replicating namespaces. | Important | Error
 [Azure.TrafficManager.Endpoints](Azure.TrafficManager.Endpoints.md) | Traffic Manager should use at lest two enabled endpoints. | Important | Error
@@ -480,6 +482,7 @@ Name | Synopsis | Severity | Level
 [Azure.ASE.AvailabilityZone](Azure.ASE.AvailabilityZone.md) | Deploy app service environments using availability zones in supported regions to ensure high availability and resilience. | Important | Error
 [Azure.ContainerApp.AvailabilityZone](Azure.ContainerApp.AvailabilityZone.md) | Use Container Apps environments that are zone redundant to improve reliability. | Important | Error
 [Azure.Firewall.AvailabilityZone](Azure.Firewall.AvailabilityZone.md) | Deploy firewall instances using availability zones in supported regions to ensure high availability and resilience. | Important | Error
+[Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | Error
 [Azure.LB.AvailabilityZone](Azure.LB.AvailabilityZone.md) | Load balancers deployed with Standard SKU should be zone-redundant for high availability. | Important | Error
 [Azure.Log.Replication](Azure.Log.Replication.md) | Log Analytics workspaces should have workspace replication enabled to improve service availability. | Important | Error
 [Azure.MySQL.ZoneRedundantHA](Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error
@@ -627,7 +630,6 @@ Name | Synopsis | Severity | Level
 [Azure.AppGwWAF.Enabled](Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error
 [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | Error
 [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
-[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
 [Azure.MariaDB.AllowAzureAccess](Azure.MariaDB.AllowAzureAccess.md) | Determine if access from Azure services is required. | Important | Error
 
 ### Network segmentation
@@ -697,6 +699,7 @@ Name | Synopsis | Severity | Level
 [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error
 [Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error
 [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error
+[Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error
 [Azure.EventGrid.DisableLocalAuth](Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important | Error
 [Azure.EventGrid.ManagedIdentity](Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important | Error
 [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error
@@ -722,12 +725,14 @@ Name | Synopsis | Severity | Level
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
 [Azure.ACR.Firewall](Azure.ACR.Firewall.md) | Container Registry without restrictions can be accessed from any network location including the Internet. | Important | Error
+[Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | Error
 [Azure.AI.PrivateEndpoints](Azure.AI.PrivateEndpoints.md) | Use Private Endpoints to access Azure AI services accounts. | Important | Error
 [Azure.AI.PublicAccess](Azure.AI.PublicAccess.md) | Restrict access of Azure AI services to authorized virtual networks. | Important | Error
 [Azure.AKS.AuthorizedIPs](Azure.AKS.AuthorizedIPs.md) | Restrict access to API server endpoints to authorized IP addresses. | Important | Error
 [Azure.AKS.HttpAppRouting](Azure.AKS.HttpAppRouting.md) | Disable HTTP application routing add-on in AKS clusters. | Important | Error
 [Azure.AppGw.UseWAF](Azure.AppGw.UseWAF.md) | Internet accessible Application Gateways should use protect endpoints with WAF. | Critical | Error
 [Azure.AppGw.WAFEnabled](Azure.AppGw.WAFEnabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error
+[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | Error
 [Azure.ContainerApp.ExternalIngress](Azure.ContainerApp.ExternalIngress.md) | Limit inbound communication for Container Apps is limited to callers within the Container Apps Environment. | Important | Error
 [Azure.ContainerApp.PublicAccess](Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important | Error
 [Azure.ContainerApp.RestrictIngress](Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | Error
diff --git a/docs/es/rules/resource.md b/docs/es/rules/resource.md
index e378bf03acb..82eadab68b4 100644
--- a/docs/es/rules/resource.md
+++ b/docs/es/rules/resource.md
@@ -147,7 +147,7 @@ Name | Synopsis | Severity | Level
 [Azure.AppGwWAF.Enabled](Azure.AppGwWAF.Enabled.md) | Application Gateway Web Application Firewall (WAF) must be enabled to protect backend resources. | Critical | Error
 [Azure.AppGwWAF.Exclusions](Azure.AppGwWAF.Exclusions.md) | Application Gateway Web Application Firewall (WAF) should have all rules enabled. | Critical | Error
 [Azure.AppGwWAF.PreventionMode](Azure.AppGwWAF.PreventionMode.md) | Use protection mode in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
-[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Use recommended rule groups in Application Gateway Web Application Firewall (WAF) policies to protect back end resources. | Critical | Error
+[Azure.AppGwWAF.RuleGroups](Azure.AppGwWAF.RuleGroups.md) | Application Gateway WAF policies should include both Microsoft Default Rule Set and Bot Manager Rule Set to provide comprehensive protection against web application threats and malicious bot traffic. | Critical | Error
 
 ## Application Insights
 
@@ -203,6 +203,7 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.RedisEnterprise.MinTLS](Azure.RedisEnterprise.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error +[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.RedisEnterprise.Zones](Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important | Error ## Azure Database @@ -241,6 +242,7 @@ Name | Synopsis | Severity | Level [Azure.MySQL.MaintenanceWindow](Azure.MySQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for MySQL servers. | Important | Error [Azure.MySQL.MinTLS](Azure.MySQL.MinTLS.md) | MySQL DB servers should reject TLS versions older than 1.2. | Critical | Error [Azure.MySQL.ServerName](Azure.MySQL.ServerName.md) | Azure MySQL DB server names should meet naming requirements. | Awareness | Error +[Azure.MySQL.ServerNaming](Azure.MySQL.ServerNaming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning [Azure.MySQL.UseSSL](Azure.MySQL.UseSSL.md) | Enforce encrypted MySQL connections. | Critical | Error [Azure.MySQL.ZoneRedundantHA](Azure.MySQL.ZoneRedundantHA.md) | Deploy Azure Database for MySQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error 
@@ -259,6 +261,7 @@ Name | Synopsis | Severity | Level [Azure.PostgreSQL.MaintenanceWindow](Azure.PostgreSQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure Database for PostgreSQL servers. | Important | Error [Azure.PostgreSQL.MinTLS](Azure.PostgreSQL.MinTLS.md) | PostgreSQL DB servers should reject TLS versions older than 1.2. | Critical | Error [Azure.PostgreSQL.ServerName](Azure.PostgreSQL.ServerName.md) | Azure PostgreSQL DB server names should meet naming requirements. | Awareness | Error +[Azure.PostgreSQL.ServerNaming](Azure.PostgreSQL.ServerNaming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error [Azure.PostgreSQL.UseSSL](Azure.PostgreSQL.UseSSL.md) | Enforce encrypted PostgreSQL connections. | Critical | Error [Azure.PostgreSQL.ZoneRedundantHA](Azure.PostgreSQL.ZoneRedundantHA.md) | Deploy Azure Database for PostgreSQL servers using zone-redundant high availability (HA) in supported regions to ensure high availability and resilience. | Important | Error @@ -315,12 +318,6 @@ Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.Grafana.Version](Azure.Grafana.Version.md) | Grafana workspaces should be on Grafana version 10. | Important | Error -## Azure Managed Redis - -Name | Synopsis | Severity | Level ----- | -------- | -------- | ----- -[Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Managed Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error - ## Azure Monitor Alerts Name | Synopsis | Severity | Level 
@@ -341,7 +338,7 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- -[Azure.SQL.DatabaseNaming](Azure.SQL.DatabaseNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.SQL.DBNaming](Azure.SQL.DBNaming.md) | Azure SQL database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error ## Azure SQL Database server 
@@ -448,11 +445,14 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.Cosmos.AccountName](Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness | Error +[Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error [Azure.Cosmos.ContinuousBackup](Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important | Error [Azure.Cosmos.DefenderCloud](Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error [Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error [Azure.Cosmos.MinTLS](Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | Error +[Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error +[Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error [Azure.Cosmos.PublicAccess](Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical | Error [Azure.Cosmos.SLA](Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important | Error 
@@ -504,6 +504,7 @@ Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ADX.DiskEncryption](Azure.ADX.DiskEncryption.md) | Use disk encryption for Azure Data Explorer (ADX) clusters. | Important | Error [Azure.ADX.ManagedIdentity](Azure.ADX.ManagedIdentity.md) | Configure Data Explorer clusters to use managed identities to access Azure resources securely. | Important | Error +[Azure.ADX.PublicAccess](Azure.ADX.PublicAccess.md) | Azure Data Explorer (ADX) clusters should have public network access disabled. | Critical | Error [Azure.ADX.SLA](Azure.ADX.SLA.md) | Use SKUs that include an SLA when configuring Azure Data Explorer (ADX) clusters. | Important | Error [Azure.ADX.Usage](Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error @@ -668,6 +669,18 @@ Name | Synopsis | Severity | Level [Azure.ML.PublicAccess](Azure.ML.PublicAccess.md) | Disable public network access from a Azure Machine Learning workspace. | Critical | Error [Azure.ML.UserManagedIdentity](Azure.ML.UserManagedIdentity.md) | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important | Error +## Managed Grafana + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.Grafana.AvailabilityZone](Azure.Grafana.AvailabilityZone.md) | Use zone redundant Grafana workspaces in supported regions to improve reliability. | Important | Error + +## Managed Instance for Apache Cassandra + +Name | Synopsis | Severity | Level +---- | -------- | -------- | ----- +[Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | Error + ## Microsoft Defender for Cloud Name | Synopsis | Severity | Level 
@@ -697,12 +710,6 @@ Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.Monitor.ServiceHealth](Azure.Monitor.ServiceHealth.md) | Configure Service Health alerts to notify administrators. | Important | Error -## MySQL database server - -Name | Synopsis | Severity | Level ----- | -------- | -------- | ----- -[Azure.MySQL.Naming](Azure.MySQL.Naming.md) | MySQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error - ## Network Interface Name | Synopsis | Severity | Level @@ -733,12 +740,6 @@ Name | Synopsis | Severity | Level [Azure.Policy.ExemptionDescriptors](Azure.Policy.ExemptionDescriptors.md) | Policy exemptions should use a display name and description. | Awareness | Error [Azure.Policy.WaiverExpiry](Azure.Policy.WaiverExpiry.md) | Configure policy waiver exemptions to expire. | Awareness | Error -## PostgreSQL database server - -Name | Synopsis | Severity | Level ----- | -------- | -------- | ----- -[Azure.PostgreSQL.Naming](Azure.PostgreSQL.Naming.md) | PostgreSQL database server resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error - ## Private Endpoint Name | Synopsis | Severity | Level 
@@ -796,19 +797,9 @@ Name | Synopsis | Severity | Level Name | Synopsis | Severity | Level ---- | -------- | -------- | ----- [Azure.ServiceFabric.AAD](Azure.ServiceFabric.AAD.md) | Use Entra ID client authentication for Service Fabric clusters. | Critical | Error -[Azure.ServiceFabric.ProtectionLevel](Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important | Error - -## Service Fabric cluster - -Name | Synopsis | Severity | Level ----- | -------- | -------- | ----- -[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error - -## Service Fabric managed cluster - -Name | Synopsis | Severity | Level ----- | -------- | -------- | ----- [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error +[Azure.ServiceFabric.ProtectionLevel](Azure.ServiceFabric.ProtectionLevel.md) | Node to node communication that is not signed and encrypted may be susceptible to man-in-the-middle attacks. | Important | Error ## SignalR Service 
@@ -847,12 +838,6 @@ Name | Synopsis | Severity | Level [Azure.SQLMI.Name](Azure.SQLMI.Name.md) | SQL Managed Instance names should meet naming requirements. | Awareness | Error [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error -## SQL Server Stretch Database - -Name | Synopsis | Severity | Level ----- | -------- | -------- | ----- -[Azure.SQL.StretchDBNaming](Azure.SQL.StretchDBNaming.md) | SQL Server Stretch Database resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error - ## Storage Account Name | Synopsis | Severity | Level From 350a5b14aa7280f507b7d7dd6e447e2681d71f9e Mon Sep 17 00:00:00 2001 From: Bernie White Date: Sun, 23 Nov 2025 04:19:51 +0000 Subject: [PATCH 25/32] Fix --- tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 index 74257c46aa9..61de0b551ea 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 @@ -1476,7 +1476,7 @@ Describe 'Azure.AKS' -Tag AKS { $systemPoolNames = @( 'agentpool' 'npsystem001' - 'npsystem' + 'NPSYSTEM001' ) $userPoolNames = @( 
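Review bot: The `'NPSYSTEM001'` entry added to `$systemPoolNames` is the only fixture name that differs from a sibling by case alone, and nothing in the hunk says it is the deliberate negative case; a one-line comment on it would spare the next reader a trip to the rule, e.g. `'NPSYSTEM001' # upper-case variant, expected to fail the case-sensitive format match`. That the format match is case-sensitive is inferred from the later assertions in this series (`'NPSYSTEM001'` in the Fail set, `'npsystem001'` in the Pass set), so confirm against the rule before wording the comment that way. The `$userPoolNames` array and the enclosing `Describe` block continue beyond the hunk.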
@@ -1538,13 +1538,13 @@ Describe 'Azure.AKS' -Tag AKS { $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); $ruleResult | Should -Not -BeNullOrEmpty; $ruleResult.Length | Should -Be 1; - $ruleResult.TargetName | Should -Be 'agentpool'; + $ruleResult.TargetName | Should -Be 'agentpool', 'NPSYSTEM001'; # Pass $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'npsystem001', 'npsystem'; + $ruleResult.Length | Should -Be 7; + $ruleResult.TargetName | Should -BeIn 'npsystem001'; } It 'Azure.AKS.UserPoolNaming' { @@ -1559,7 +1559,7 @@ Describe 'Azure.AKS' -Tag AKS { # Pass $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; + $ruleResult.Length | Should -Be 7; $ruleResult.TargetName | Should -Be 'np001'; } } From 29d3605d040191572d29b8fa7b29e921cde800e8 Mon Sep 17 00:00:00 2001 From: Bernie White Date: Sun, 23 Nov 2025 06:58:58 +0000 Subject: [PATCH 26/32] Fix --- tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 index 61de0b551ea..8402e473cbd 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.AKS.Tests.ps1 
@@ -1537,14 +1537,14 @@ Describe 'Azure.AKS' -Tag AKS { # Fail $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; $ruleResult.TargetName | Should -Be 'agentpool', 'NPSYSTEM001'; + $ruleResult.Length | Should -Be 2; # Pass $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.TargetName | Should -BeIn @('cluster-001', 'aks-001', 'AKS-001', 'npsystem001', 'userpool', 'NP001', 'np001'); $ruleResult.Length | Should -Be 7; - $ruleResult.TargetName | Should -BeIn 'npsystem001'; } It 'Azure.AKS.UserPoolNaming' { @@ -1559,8 +1559,8 @@ Describe 'Azure.AKS' -Tag AKS { # Pass $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.TargetName | Should -BeIn @('cluster-001', 'aks-001', 'AKS-001', 'agentpool', 'npsystem001', 'NPSYSTEM001', 'np001'); $ruleResult.Length | Should -Be 7; - $ruleResult.TargetName | Should -Be 'np001'; } } } From 4e9e9daf884966da58abbbe993d19102744216fa Mon Sep 17 00:00:00 2001 From: Bernie White Date: Sun, 23 Nov 2025 07:00:35 +0000 Subject: [PATCH 27/32] Fix --- tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 index 56cba6e2d63..44096cd5a56 100644 --- a/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 +++ b/tests/PSRule.Rules.Azure.Tests/Azure.Redis.Tests.ps1 
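Review bot: The Pass set asserted for the system-pool test, `Should -BeIn @('cluster-001', 'aks-001', 'AKS-001', 'npsystem001', 'userpool', 'NP001', 'np001')`, now contains three cluster-level objects and three user pools for a rule the fixture splits into system and user pool names, and nothing in the test says whether those objects pass on their merits or only because the rule's precondition does not exclude them; the mirror list in the `Azure.AKS.UserPoolNaming` test of the second hunk raises the same question. A sentence above each list, along the lines of `# Clusters and user pools are in scope of the rule and pass because only system pools are checked against the format` (adjusted to the actual rule behaviour), would make the expected count of 7 explainable rather than incidental. Note also that `-BeIn` plus a `Length` check accepts duplicates, so if exact membership is intended, comparing a sorted `TargetName` array with `Should -Be` is stricter. The `It` block of the first test starts above the hunk.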
@@ -579,14 +579,14 @@ Describe 'Azure.Redis' -Tag 'Redis' { # Fail $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' }); $ruleResult | Should -Not -BeNullOrEmpty; + $ruleResult.TargetName | Should -BeIn 'cache-001', 'REDIS-001'; $ruleResult.Length | Should -Be 2; - $ruleResult.TargetName | Should -BeIn 'enterprise-001', 'REDIS-001'; # Pass $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' }); $ruleResult | Should -Not -BeNullOrEmpty; - $ruleResult.Length | Should -Be 1; $ruleResult.TargetName | Should -Be 'redis-001'; + $ruleResult.Length | Should -Be 1; } } } From 7f52778a044cb17c4746f88fe668ef9decea93e9 Mon Sep 17 00:00:00 2001 From: Bernie White Date: Mon, 24 Nov 2025 01:09:52 +0000 Subject: [PATCH 28/32] Updates --- docs/en/rules/Azure.Cosmos.GremlinNaming.md | 104 +++++++++++++++++- docs/en/rules/Azure.Cosmos.NoSQLNaming.md | 100 ++++++++++++++++- docs/examples/resources/cosmos.bicep | 46 +++++++- docs/examples/resources/cosmos.json | 52 ++++++++- src/PSRule.Rules.Azure/rules/Config.Rule.yaml | 2 + 5 files changed, 291 insertions(+), 13 deletions(-) diff --git a/docs/en/rules/Azure.Cosmos.GremlinNaming.md b/docs/en/rules/Azure.Cosmos.GremlinNaming.md index 326c07aef4c..f5bff91d694 100644 --- a/docs/en/rules/Azure.Cosmos.GremlinNaming.md +++ b/docs/en/rules/Azure.Cosmos.GremlinNaming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-11-24 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes @@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy accounts that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -62,16 +62,109 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource gremlin 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + kind: 'GlobalDocumentDB' + properties: { + capabilities: [ + { + name: 'EnableGremlin' + } + ] + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + databaseAccountOfferType: 'Standard' + minimalTlsVersion: 'Tls12' + backupPolicy: { + type: 'Periodic' + periodicModeProperties: { + backupIntervalInMinutes: 240 + backupRetentionIntervalInHours: 8 + backupStorageRedundancy: 'Geo' + } + } + } + tags: { + defaultExperience: 'Gremlin (graph)' + } +} ``` + + ### Configure with Azure template -To deploy resources that pass this rule: +To deploy accounts that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 44, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "GlobalDocumentDB", + "properties": { + "capabilities": [ + { + "name": "EnableGremlin" + } + ], + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + }, + "tags": { + "defaultExperience": "Gremlin (graph)" + } + } + ] +} +``` + ## NOTES This rule does not check if Cosmos DB for Apache Gremlin account resource names are unique. @@ -99,3 +192,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts) diff --git a/docs/en/rules/Azure.Cosmos.NoSQLNaming.md b/docs/en/rules/Azure.Cosmos.NoSQLNaming.md index 4df6ea941a0..6cf126bb999 100644 --- a/docs/en/rules/Azure.Cosmos.NoSQLNaming.md +++ b/docs/en/rules/Azure.Cosmos.NoSQLNaming.md 
@@ -1,5 +1,5 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-11-24 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes @@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy accounts that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -62,16 +62,105 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +@description('The location of a secondary replica.') +param secondaryLocation string = location + +resource nosql 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + properties: { + enableFreeTier: false + consistencyPolicy: { + defaultConsistencyLevel: 'Session' + } + databaseAccountOfferType: 'Standard' + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + { + locationName: secondaryLocation + failoverPriority: 1 + isZoneRedundant: false + } + ] + disableKeyBasedMetadataWriteAccess: true + minimalTlsVersion: 'Tls12' + } +} ``` + + ### Configure with Azure template -To deploy resources that pass this rule: +To deploy accounts that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 44, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + }, + "secondaryLocation": { + "type": "string", + "defaultValue": "[parameters('location')]", + "metadata": { + "description": "The location of a secondary replica." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "enableFreeTier": false, + "consistencyPolicy": { + "defaultConsistencyLevel": "Session" + }, + "databaseAccountOfferType": "Standard", + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + }, + { + "locationName": "[parameters('secondaryLocation')]", + "failoverPriority": 1, + "isZoneRedundant": false + } + ], + "disableKeyBasedMetadataWriteAccess": true, + "minimalTlsVersion": "Tls12" + } + } + ] +} +``` + ## NOTES This rule does not check if Cosmos DB for NoSQL account resource names are unique. @@ -99,3 +188,6 @@ configuration: - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations) - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules) - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) +- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters) +- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions) +- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts) diff --git a/docs/examples/resources/cosmos.bicep b/docs/examples/resources/cosmos.bicep index db6fe798afa..43044ab8b45 100644 --- a/docs/examples/resources/cosmos.bicep +++ b/docs/examples/resources/cosmos.bicep 
@@ -11,8 +11,11 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location +@description('The location of a secondary replica.') +param secondaryLocation string = location + // An example Cosmos DB account using the NoSQL API. -resource account 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { +resource nosql 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { name: name location: location properties: { @@ -27,6 +30,11 @@ resource account 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { failoverPriority: 0 isZoneRedundant: true } + { + locationName: secondaryLocation + failoverPriority: 1 + isZoneRedundant: false + } ] disableKeyBasedMetadataWriteAccess: true minimalTlsVersion: 'Tls12' @@ -36,10 +44,44 @@ resource account 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { // An example No SQL API database in a Cosmos DB account. resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2025-04-15' = { name: 'sql-001' - parent: account + parent: nosql properties: { resource: { id: 'sql-001' } } } + +// An example Cosmos DB account using the Gremlin API. +resource gremlin 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + kind: 'GlobalDocumentDB' + properties: { + capabilities: [ + { + name: 'EnableGremlin' + } + ] + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + databaseAccountOfferType: 'Standard' + minimalTlsVersion: 'Tls12' + backupPolicy: { + type: 'Periodic' + periodicModeProperties: { + backupIntervalInMinutes: 240 + backupRetentionIntervalInHours: 8 + backupStorageRedundancy: 'Geo' + } + } + } + tags: { + defaultExperience: 'Gremlin (graph)' + } +} diff --git a/docs/examples/resources/cosmos.json b/docs/examples/resources/cosmos.json index 37075a6500a..6d7509bf25d 100644 --- a/docs/examples/resources/cosmos.json +++ b/docs/examples/resources/cosmos.json 
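Review bot: The new `gremlin` account in the third hunk is declared with `name: name`, the same parameter the `nosql` account of the same resource type already uses, so the compiled template in the following file carries two `Microsoft.DocumentDB/databaseAccounts` resources with identical names and the deployment would presumably be rejected as a duplicate resource; give the Gremlin account its own name parameter. The Gremlin account also omits `disableKeyBasedMetadataWriteAccess: true`, which the `nosql` account sets and which the `Azure.Cosmos.DisableMetadataWrite` rule listed earlier in this series checks, so as a file under docs/examples it would likely fail the repository's own rule; the Gremlin page example in this series has the same omission. Regenerating cosmos.json from the corrected Bicep would carry both fixes into the generated template.
```bicep
@description('The name of the Gremlin account.')
param gremlinName string

// … unchanged: nosql account and sql-001 database …

resource gremlin 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = {
  name: gremlinName
  location: location
  kind: 'GlobalDocumentDB'
  properties: {
    // … unchanged: capabilities, locations, databaseAccountOfferType …
    disableKeyBasedMetadataWriteAccess: true
    minimalTlsVersion: 'Tls12'
    // … unchanged: backupPolicy …
  }
  // … unchanged: tags …
}
```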
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.38.33.27573", - "templateHash": "2704156339140852790" + "version": "0.39.26.7824", + "templateHash": "6873378420832907775" } }, "parameters": { @@ -23,6 +23,13 @@ "metadata": { "description": "The location resources will be deployed." } + }, + "secondaryLocation": { + "type": "string", + "defaultValue": "[parameters('location')]", + "metadata": { + "description": "The location of a secondary replica." + } } }, "resources": [ @@ -42,6 +49,11 @@ "locationName": "[parameters('location')]", "failoverPriority": 0, "isZoneRedundant": true + }, + { + "locationName": "[parameters('secondaryLocation')]", + "failoverPriority": 1, + "isZoneRedundant": false } ], "disableKeyBasedMetadataWriteAccess": true, @@ -60,6 +72,40 @@ "dependsOn": [ "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]" ] + }, + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "GlobalDocumentDB", + "properties": { + "capabilities": [ + { + "name": "EnableGremlin" + } + ], + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + }, + "tags": { + "defaultExperience": "Gremlin (graph)" + } } ] -} +} \ No newline at end of file diff --git a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml index 90123536ca9..afec8e392bf 100644 --- a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml +++ b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml 
@@ -100,6 +100,8 @@ spec: AZURE_CONTAINER_APP_JOB_NAME_FORMAT: '' AZURE_CONTAINER_INSTANCE_NAME_FORMAT: '' AZURE_CONTAINER_REGISTRY_NAME_FORMAT: '' + AZURE_COSMOS_GREMLIN_NAME_FORMAT: '' + AZURE_COSMOS_NOSQL_NAME_FORMAT: '' AZURE_EVENTGRID_DOMAIN_NAME_FORMAT: '' AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT: '' AZURE_EVENTGRID_SYSTEM_TOPIC_NAME_FORMAT: '' From 06b83002ed93eb70053e4faeb1265e4f9044d7dc Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 24 Nov 2025 05:03:34 +0000 Subject: [PATCH 29/32] Add Bicep and ARM template examples to Cosmos DB naming rules - Added complete Bicep and ARM template examples to Azure.Cosmos.CassandraNaming.md - Added complete Bicep and ARM template examples to Azure.Cosmos.MongoNaming.md - Added complete Bicep and ARM template examples to Azure.Cosmos.TableNaming.md - Added complete Bicep and ARM template examples to Azure.Cosmos.DatabaseNaming.md - Added complete Bicep and ARM template examples to Azure.Cosmos.PostgreSQLNaming.md - Examples include proper resource configuration, capabilities, backup policies, and zone redundancy settings Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com> --- docs/en/rules/Azure.Cosmos.CassandraNaming.md | 95 ++++++++++++++++++- docs/en/rules/Azure.Cosmos.DatabaseNaming.md | 68 ++++++++++++- docs/en/rules/Azure.Cosmos.MongoNaming.md | 85 ++++++++++++++++- .../en/rules/Azure.Cosmos.PostgreSQLNaming.md | 78 ++++++++++++++- docs/en/rules/Azure.Cosmos.TableNaming.md | 95 ++++++++++++++++++- 5 files changed, 404 insertions(+), 17 deletions(-) diff --git a/docs/en/rules/Azure.Cosmos.CassandraNaming.md b/docs/en/rules/Azure.Cosmos.CassandraNaming.md index 6632cc919b9..22d210fd2a9 100644 --- a/docs/en/rules/Azure.Cosmos.CassandraNaming.md +++ b/docs/en/rules/Azure.Cosmos.CassandraNaming.md 
@@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy accounts that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -62,16 +62,105 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource cassandra 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + kind: 'GlobalDocumentDB' + properties: { + capabilities: [ + { + name: 'EnableCassandra' + } + ] + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + databaseAccountOfferType: 'Standard' + minimalTlsVersion: 'Tls12' + backupPolicy: { + type: 'Periodic' + periodicModeProperties: { + backupIntervalInMinutes: 240 + backupRetentionIntervalInHours: 8 + backupStorageRedundancy: 'Geo' + } + } + } +} ``` + + ### Configure with Azure template -To deploy resources that pass this rule: +To deploy accounts that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 44, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "GlobalDocumentDB", + "properties": { + "capabilities": [ + { + "name": "EnableCassandra" + } + ], + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + } + } + ] +} +``` + ## NOTES This rule does not check if Cosmos DB for Apache Cassandra account resource names are unique. diff --git a/docs/en/rules/Azure.Cosmos.DatabaseNaming.md b/docs/en/rules/Azure.Cosmos.DatabaseNaming.md index bddaf116cec..f4287bb7b25 100644 --- a/docs/en/rules/Azure.Cosmos.DatabaseNaming.md +++ b/docs/en/rules/Azure.Cosmos.DatabaseNaming.md @@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy databases that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -56,22 +56,80 @@ For example: ```bicep @minLength(1) @maxLength(255) -@description('The name of the resource.') -param name string +@description('The name of the Cosmos DB account.') +param accountName string + +@minLength(1) +@maxLength(255) +@description('The name of the database.') +param databaseName string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource account 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' existing = { + name: accountName +} + +resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2025-04-15' = { + parent: account + name: databaseName + properties: { + resource: { + id: databaseName + } + } +} ``` + + ### Configure with Azure template -To deploy resources that pass this rule: +To deploy databases that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "accountName": { + "type": "string", + "minLength": 1, + "maxLength": 255, + "metadata": { + "description": "The name of the Cosmos DB account." + } + }, + "databaseName": { + "type": "string", + "minLength": 1, + "maxLength": 255, + "metadata": { + "description": "The name of the database." + } + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases", + "apiVersion": "2025-04-15", + "name": "[format('{0}/{1}', parameters('accountName'), parameters('databaseName'))]", + "properties": { + "resource": { + "id": "[parameters('databaseName')]" + } + } + } + ] +} +``` + ## NOTES This rule does not check if Cosmos DB database resource names are unique. 
diff --git a/docs/en/rules/Azure.Cosmos.MongoNaming.md b/docs/en/rules/Azure.Cosmos.MongoNaming.md index 94730f97bbc..eb8bd2bbd94 100644 --- a/docs/en/rules/Azure.Cosmos.MongoNaming.md +++ b/docs/en/rules/Azure.Cosmos.MongoNaming.md @@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy accounts that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -62,16 +62,95 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource mongo 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + kind: 'MongoDB' + properties: { + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + databaseAccountOfferType: 'Standard' + minimalTlsVersion: 'Tls12' + backupPolicy: { + type: 'Periodic' + periodicModeProperties: { + backupIntervalInMinutes: 240 + backupRetentionIntervalInHours: 8 + backupStorageRedundancy: 'Geo' + } + } + } +} ``` + + ### Configure with Azure template -To deploy resources that pass this rule: +To deploy accounts that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 44, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "MongoDB", + "properties": { + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + } + } + ] +} +``` + ## NOTES This rule does not check if Cosmos DB for MongoDB account resource names are unique. diff --git a/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md b/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md index c36a92abbdf..5266992a2fe 100644 --- a/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md +++ b/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md @@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy clusters that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -62,16 +62,88 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +@description('The administrator login name.') +param administratorLogin string + +@secure() +@description('The administrator login password.') +param administratorLoginPassword string + +resource postgresCluster 'Microsoft.DBforPostgreSQL/serverGroupsv2@2022-11-08' = { + name: name + location: location + properties: { + administratorLogin: administratorLogin + administratorLoginPassword: administratorLoginPassword + serverCount: 1 + coordinatorVCores: 4 + coordinatorStorageQuotaInMb: 524288 + } +} ``` + + ### Configure with Azure template -To deploy resources that pass this rule: +To deploy clusters that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 63, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." + } + }, + "administratorLogin": { + "type": "string", + "metadata": { + "description": "The administrator login name." + } + }, + "administratorLoginPassword": { + "type": "securestring", + "metadata": { + "description": "The administrator login password." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/serverGroupsv2", + "apiVersion": "2022-11-08", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "properties": { + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", + "serverCount": 1, + "coordinatorVCores": 4, + "coordinatorStorageQuotaInMb": 524288 + } + } + ] +} +``` + ## NOTES This rule does not check if Cosmos DB PostgreSQL cluster resource names are unique. diff --git a/docs/en/rules/Azure.Cosmos.TableNaming.md b/docs/en/rules/Azure.Cosmos.TableNaming.md index b2901d3b647..ce72ab90ad0 100644 --- a/docs/en/rules/Azure.Cosmos.TableNaming.md +++ b/docs/en/rules/Azure.Cosmos.TableNaming.md @@ -46,7 +46,7 @@ Additionally consider using Azure Policy to only permit creation using a standar ### Configure with Bicep -To deploy resources that pass this rule: +To deploy accounts that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. 
@@ -62,16 +62,105 @@ param name string @description('The location resources will be deployed.') param location string = resourceGroup().location -// Example resource deployment +resource table 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = { + name: name + location: location + kind: 'GlobalDocumentDB' + properties: { + capabilities: [ + { + name: 'EnableTable' + } + ] + locations: [ + { + locationName: location + failoverPriority: 0 + isZoneRedundant: true + } + ] + databaseAccountOfferType: 'Standard' + minimalTlsVersion: 'Tls12' + backupPolicy: { + type: 'Periodic' + periodicModeProperties: { + backupIntervalInMinutes: 240 + backupRetentionIntervalInHours: 8 + backupStorageRedundancy: 'Geo' + } + } + } +} ``` + + ### Configure with Azure template -To deploy resources that pass this rule: +To deploy accounts that pass this rule: - Set the `name` property to a string that matches the naming requirements. - Optionally, consider constraining name parameters with `minLength` and `maxLength` attributes. +For example: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "type": "string", + "minLength": 3, + "maxLength": 44, + "metadata": { + "description": "The name of the resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location resources will be deployed." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "GlobalDocumentDB", + "properties": { + "capabilities": [ + { + "name": "EnableTable" + } + ], + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + } + } + ] +} +``` + ## NOTES This rule does not check if Cosmos DB for Table account resource names are unique. From 3dd30bf76fb2dab07f9485a3eb481193452a4a16 Mon Sep 17 00:00:00 2001 From: Bernie White Date: Thu, 27 Nov 2025 14:13:26 +0000 Subject: [PATCH 30/32] Updates --- docs/en/rules/Azure.Cosmos.CassandraNaming.md | 5 +- docs/en/rules/Azure.Cosmos.DatabaseNaming.md | 15 ++-- docs/en/rules/Azure.Cosmos.MongoNaming.md | 5 +- .../en/rules/Azure.Cosmos.PostgreSQLNaming.md | 7 +- docs/en/rules/Azure.Cosmos.TableNaming.md | 5 +- docs/examples/resources/cosmos.bicep | 88 ++++++++++++++++++ docs/examples/resources/cosmos.json | 90 ++++++++++++++++++- src/PSRule.Rules.Azure/rules/Config.Rule.yaml | 5 ++ 8 files changed, 207 insertions(+), 13 deletions(-) diff --git a/docs/en/rules/Azure.Cosmos.CassandraNaming.md b/docs/en/rules/Azure.Cosmos.CassandraNaming.md index 22d210fd2a9..6aa7af5645c 100644 --- a/docs/en/rules/Azure.Cosmos.CassandraNaming.md +++ b/docs/en/rules/Azure.Cosmos.CassandraNaming.md @@ -1,5 +1,5 @@ --- -reviewed: 2025-10-10 +reviewed: 2025-11-27 severity: Awareness pillar: Operational Excellence category: OE:04 Tools and processes 
@@ -188,3 +188,6 @@ configuration:
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts)
diff --git a/docs/en/rules/Azure.Cosmos.DatabaseNaming.md b/docs/en/rules/Azure.Cosmos.DatabaseNaming.md
index f4287bb7b25..4311738f02b 100644
--- a/docs/en/rules/Azure.Cosmos.DatabaseNaming.md
+++ b/docs/en/rules/Azure.Cosmos.DatabaseNaming.md
@@ -1,5 +1,5 @@
 ---
-reviewed: 2025-10-10
+reviewed: 2025-11-27
 severity: Awareness
 pillar: Operational Excellence
 category: OE:04 Tools and processes
@@ -54,8 +54,8 @@ To deploy databases that pass this rule:
 For example:
 ```bicep
-@minLength(1)
-@maxLength(255)
+@minLength(3)
+@maxLength(44)
 @description('The name of the Cosmos DB account.')
 param accountName string
@@ -82,7 +82,7 @@ resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2025-04-15
 }
 ```
-
+
 ### Configure with Azure template
@@ -100,8 +100,8 @@ For example:
 "parameters": {
 "accountName": {
 "type": "string",
- "minLength": 1,
- "maxLength": 255,
+ "minLength": 3,
+ "maxLength": 44,
 "metadata": {
 "description": "The name of the Cosmos DB account."
 }
@@ -157,3 +157,6 @@ configuration:
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts)
diff --git a/docs/en/rules/Azure.Cosmos.MongoNaming.md b/docs/en/rules/Azure.Cosmos.MongoNaming.md
index eb8bd2bbd94..7fb8b23559d 100644
--- a/docs/en/rules/Azure.Cosmos.MongoNaming.md
+++ b/docs/en/rules/Azure.Cosmos.MongoNaming.md
@@ -1,5 +1,5 @@
 ---
-reviewed: 2025-10-10
+reviewed: 2025-11-27
 severity: Awareness
 pillar: Operational Excellence
 category: OE:04 Tools and processes
@@ -178,3 +178,6 @@ configuration:
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts)
diff --git a/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md b/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md
index 5266992a2fe..93d5b8e8652 100644
--- a/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md
+++ b/docs/en/rules/Azure.Cosmos.PostgreSQLNaming.md
@@ -1,5 +1,5 @@
 ---
-reviewed: 2025-10-10
+reviewed: 2025-11-28
 severity: Awareness
 pillar: Operational Excellence
 category: OE:04 Tools and processes
@@ -82,8 +82,6 @@ resource postgresCluster 'Microsoft.DBforPostgreSQL/serverGroupsv2@2022-11-08' =
 }
 ```
-
-
 ### Configure with Azure template
 To deploy clusters that pass this rule:
@@ -171,3 +169,6 @@ configuration:
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.dbforpostgresql/servergroupsv2)
diff --git a/docs/en/rules/Azure.Cosmos.TableNaming.md b/docs/en/rules/Azure.Cosmos.TableNaming.md
index ce72ab90ad0..897f17bbb64 100644
--- a/docs/en/rules/Azure.Cosmos.TableNaming.md
+++ b/docs/en/rules/Azure.Cosmos.TableNaming.md
@@ -1,5 +1,5 @@
 ---
-reviewed: 2025-10-10
+reviewed: 2025-11-27
 severity: Awareness
 pillar: Operational Excellence
 category: OE:04 Tools and processes
@@ -188,3 +188,6 @@ configuration:
 - [Recommended abbreviations for Azure resource types](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-abbreviations)
 - [Naming rules and restrictions for Azure resources](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)
 - [Define your naming convention](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming)
+- [Parameters in Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/parameters)
+- [Bicep functions](https://learn.microsoft.com/azure/azure-resource-manager/bicep/bicep-functions)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts)
diff --git a/docs/examples/resources/cosmos.bicep b/docs/examples/resources/cosmos.bicep
index 43044ab8b45..83b3326b89b 100644
--- a/docs/examples/resources/cosmos.bicep
+++ b/docs/examples/resources/cosmos.bicep
@@ -85,3 +85,91 @@ resource gremlin 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = {
 defaultExperience: 'Gremlin (graph)'
 }
 }
+
+// An example Cosmos DB account using the Cassandra API.
+resource cassandra 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = {
+ name: name
+ location: location
+ kind: 'GlobalDocumentDB'
+ properties: {
+ capabilities: [
+ {
+ name: 'EnableCassandra'
+ }
+ ]
+ locations: [
+ {
+ locationName: location
+ failoverPriority: 0
+ isZoneRedundant: true
+ }
+ ]
+ databaseAccountOfferType: 'Standard'
+ minimalTlsVersion: 'Tls12'
+ backupPolicy: {
+ type: 'Periodic'
+ periodicModeProperties: {
+ backupIntervalInMinutes: 240
+ backupRetentionIntervalInHours: 8
+ backupStorageRedundancy: 'Geo'
+ }
+ }
+ }
+}
+
+// An example Cosmos DB account using the MongoDB API.
+resource mongo 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = {
+ name: name
+ location: location
+ kind: 'MongoDB'
+ properties: {
+ locations: [
+ {
+ locationName: location
+ failoverPriority: 0
+ isZoneRedundant: true
+ }
+ ]
+ databaseAccountOfferType: 'Standard'
+ minimalTlsVersion: 'Tls12'
+ backupPolicy: {
+ type: 'Periodic'
+ periodicModeProperties: {
+ backupIntervalInMinutes: 240
+ backupRetentionIntervalInHours: 8
+ backupStorageRedundancy: 'Geo'
+ }
+ }
+ }
+}
+
+// An example Cosmos DB account using the Table API.
+resource table 'Microsoft.DocumentDB/databaseAccounts@2025-04-15' = {
+ name: name
+ location: location
+ kind: 'GlobalDocumentDB'
+ properties: {
+ capabilities: [
+ {
+ name: 'EnableTable'
+ }
+ ]
+ locations: [
+ {
+ locationName: location
+ failoverPriority: 0
+ isZoneRedundant: true
+ }
+ ]
+ databaseAccountOfferType: 'Standard'
+ minimalTlsVersion: 'Tls12'
+ backupPolicy: {
+ type: 'Periodic'
+ periodicModeProperties: {
+ backupIntervalInMinutes: 240
+ backupRetentionIntervalInHours: 8
+ backupStorageRedundancy: 'Geo'
+ }
+ }
+ }
+}
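Review bot: All three added accounts (`cassandra`, `mongo`, `table`) declare `name: name`, so the file now carries several `Microsoft.DocumentDB/databaseAccounts` resources with an identical name; Bicep compiles this, but a real deployment would very likely be rejected for duplicate resources, so if this example is ever meant to deploy, distinct names such as `name: '${name}-cassandra'` are needed (the earlier accounts in this file are outside the hunk, so I cannot tell whether they already share the name). Separately, none of the new accounts set `publicNetworkAccess`, which leaves the platform default (enabled, as far as I know) in place; since these snippets are copied into the rule docs as reference configurations, adding `publicNetworkAccess: 'Disabled'` next to `minimalTlsVersion: 'Tls12'` would keep the examples from teaching an open-by-default account.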
diff --git a/docs/examples/resources/cosmos.json b/docs/examples/resources/cosmos.json index 6d7509bf25d..70fc4e8a157 100644 --- a/docs/examples/resources/cosmos.json +++ b/docs/examples/resources/cosmos.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.39.26.7824", - "templateHash": "6873378420832907775" + "templateHash": "13054416509978409621" } }, "parameters": { 
@@ -106,6 +106,94 @@ "tags": { "defaultExperience": "Gremlin (graph)" } + }, + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "GlobalDocumentDB", + "properties": { + "capabilities": [ + { + "name": "EnableCassandra" + } + ], + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + } + }, + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "MongoDB", + "properties": { + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + } + }, + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2025-04-15", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "kind": "GlobalDocumentDB", + "properties": { + "capabilities": [ + { + "name": "EnableTable" + } + ], + "locations": [ + { + "locationName": "[parameters('location')]", + "failoverPriority": 0, + "isZoneRedundant": true + } + ], + "databaseAccountOfferType": "Standard", + "minimalTlsVersion": "Tls12", + "backupPolicy": { + "type": "Periodic", + "periodicModeProperties": { + "backupIntervalInMinutes": 240, + "backupRetentionIntervalInHours": 8, + "backupStorageRedundancy": "Geo" + } + } + 
} } ] }
\ No newline at end of file
diff --git a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml
index afec8e392bf..0ba9df86ee3 100644
--- a/src/PSRule.Rules.Azure/rules/Config.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Config.Rule.yaml
@@ -100,8 +100,13 @@ spec:
 AZURE_CONTAINER_APP_JOB_NAME_FORMAT: ''
 AZURE_CONTAINER_INSTANCE_NAME_FORMAT: ''
 AZURE_CONTAINER_REGISTRY_NAME_FORMAT: ''
+ AZURE_COSMOS_CASSANDRA_NAME_FORMAT: ''
+ AZURE_COSMOS_DATABASE_NAME_FORMAT: ''
 AZURE_COSMOS_GREMLIN_NAME_FORMAT: ''
+ AZURE_COSMOS_MONGO_NAME_FORMAT: ''
 AZURE_COSMOS_NOSQL_NAME_FORMAT: ''
+ AZURE_COSMOS_POSTGRESQL_NAME_FORMAT: ''
+ AZURE_COSMOS_TABLE_NAME_FORMAT: ''
 AZURE_EVENTGRID_DOMAIN_NAME_FORMAT: ''
 AZURE_EVENTGRID_CUSTOM_TOPIC_NAME_FORMAT: ''
 AZURE_EVENTGRID_SYSTEM_TOPIC_NAME_FORMAT: ''
From 022e871bba3fecc8ddfcb8ca625b21c0282afb29 Mon Sep 17 00:00:00 2001
From: Bernie White
Date: Thu, 27 Nov 2025 14:20:14 +0000
Subject: [PATCH 31/32] Updates
---
 tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1 | 2 +-
 .../Azure.ContainerApp.Tests.ps1 | 6 +++++-
 tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1 | 10 +++++++++-
 tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1 | 2 +-
 .../Azure.ServiceFabric.Tests.ps1 | 5 ++++-
 5 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1
index 083c8c410fc..2357cdcdbc9 100644
--- a/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1
@@ -389,7 +389,7 @@ Describe 'Azure.ACR' -Tag 'ACR' {
 }
 });
- $result = $items | Invoke-PSRule @invokeParams -Option $option
+ $result = $items | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.ACR.Naming'
 }
 It 'Azure.ACR.Naming' {
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1
index 111b85531bf..9724e104590 100644
--- a/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.ContainerApp.Tests.ps1
@@ -310,7 +310,11 @@ Describe 'Azure.ContainerApp' -Tag 'ContainerApp' {
 }
 });
- $result = @($appItems + $envItems + $jobItems) | Invoke-PSRule @invokeParams -Option $option
+ $result = @($appItems + $envItems + $jobItems) | Invoke-PSRule @invokeParams -Option $option -Name @(
+ 'Azure.ContainerApp.Naming'
+ 'Azure.ContainerApp.EnvNaming'
+ 'Azure.ContainerApp.JobNaming'
+ )
 }
 It 'Azure.ContainerApp.Naming' {
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1
index 8abb18c0a2d..9f498bff586 100644
--- a/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1
@@ -372,7 +372,15 @@ Describe 'Azure.Cosmos' -Tag 'Cosmos', 'CosmosDB' {
 }
 });
- $result = @($nosqlItems + $mongoItems + $cassandraItems + $tableItems + $gremlinItems + $dbItems + $postgresItems) | Invoke-PSRule @invokeParams -Option $option
+ $result = @($nosqlItems + $mongoItems + $cassandraItems + $tableItems + $gremlinItems + $dbItems + $postgresItems) | Invoke-PSRule @invokeParams -Option $option -Name @(
+ 'Azure.Cosmos.NoSQLNaming'
+ 'Azure.Cosmos.MongoNaming'
+ 'Azure.Cosmos.CassandraNaming'
+ 'Azure.Cosmos.TableNaming'
+ 'Azure.Cosmos.GremlinNaming'
+ 'Azure.Cosmos.DatabaseNaming'
+ 'Azure.Cosmos.PostgreSQLNaming'
+ )
 }
 It 'Azure.Cosmos.NoSQLNaming' {
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1
index c79ae9abbf5..2fa644bb3f4 100644
--- a/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.SQLMI.Tests.ps1
@@ -178,7 +178,7 @@ Describe 'Azure.SQLMI' -Tag 'SQLMI' {
 }
 });
- $result = $items | Invoke-PSRule @invokeParams -Option $option
+ $result = $items | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.SQLMI.Naming';
 }
 It 'Azure.SQLMI.Naming' {
diff --git a/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1 b/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1
index 02989caf099..29ec9fe17ed 100644
--- a/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1
+++ b/tests/PSRule.Rules.Azure.Tests/Azure.ServiceFabric.Tests.ps1
@@ -120,7 +120,10 @@ Describe 'Azure.ServiceFabric' -Tag 'ServiceFabric' {
 }
 });
- $result = @($clusterItems + $managedClusterItems) | Invoke-PSRule @invokeParams -Option $option
+ $result = @($clusterItems + $managedClusterItems) | Invoke-PSRule @invokeParams -Option $option -Name @(
+ 'Azure.ServiceFabric.Naming'
+ 'Azure.ServiceFabric.ManagedNaming'
+ )
 }
 It 'Azure.ServiceFabric.Naming' {
From 166de046c6211b1e8b0b18ad84905dbbf024c5ef Mon Sep 17 00:00:00 2001
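Review bot: The rewritten `$result` line in the SQLMI test ends with a trailing semicolon (`-Name 'Azure.SQLMI.Naming';`), while the equivalent lines this patch adds to the ACR, ContainerApp, Cosmos and ServiceFabric tests have none; dropping it keeps the five setup blocks consistent: `$result = $items | Invoke-PSRule @invokeParams -Option $option -Name 'Azure.SQLMI.Naming'`. The enclosing Describe block starts and ends outside the hunk, so I cannot see whether the surrounding statements in this file use semicolons.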
From: Bernie White Date: Thu, 27 Nov 2025 14:49:24 +0000 Subject: [PATCH 32/32] Updates --- docs/changelog.md | 75 ++++++++++++++++++- docs/en/baselines/Azure.All.csv | 4 +- docs/en/baselines/Azure.All.md | 6 +- docs/en/baselines/Azure.Default.csv | 4 +- docs/en/baselines/Azure.Default.md | 6 +- docs/en/baselines/Azure.GA_2024_06.csv | 2 +- docs/en/baselines/Azure.GA_2024_06.md | 2 +- docs/en/baselines/Azure.GA_2024_09.csv | 2 +- docs/en/baselines/Azure.GA_2024_09.md | 2 +- docs/en/baselines/Azure.GA_2024_12.csv | 2 +- docs/en/baselines/Azure.GA_2024_12.md | 2 +- docs/en/baselines/Azure.GA_2025_03.csv | 2 +- docs/en/baselines/Azure.GA_2025_03.md | 2 +- docs/en/baselines/Azure.GA_2025_06.csv | 2 +- docs/en/baselines/Azure.GA_2025_06.md | 2 +- docs/en/baselines/Azure.GA_2025_09.csv | 2 +- docs/en/baselines/Azure.GA_2025_09.md | 2 +- docs/en/baselines/Azure.MCSB.v1.csv | 2 +- docs/en/baselines/Azure.MCSB.v1.md | 2 +- .../Azure.Pillar.OperationalExcellence.csv | 1 + .../Azure.Pillar.OperationalExcellence.md | 3 +- .../en/baselines/Azure.Pillar.Reliability.csv | 1 + docs/en/baselines/Azure.Pillar.Reliability.md | 3 +- .../en/baselines/Azure.Pillar.Security.L1.csv | 2 +- docs/en/baselines/Azure.Pillar.Security.L1.md | 2 +- docs/en/baselines/Azure.Pillar.Security.csv | 2 +- docs/en/baselines/Azure.Pillar.Security.md | 2 +- docs/en/baselines/Azure.Preview.csv | 4 +- docs/en/baselines/Azure.Preview.md | 6 +- docs/en/rules/Azure.SQL.MaintenanceWindow.md | 4 +- docs/en/rules/index.md | 2 + docs/en/rules/module.md | 4 +- docs/en/rules/resource.md | 11 +-- docs/es/rules/index.md | 4 +- docs/es/rules/module.md | 4 +- docs/es/rules/resource.md | 11 +-- docs/setup/setup-naming-and-tagging.md | 5 +- docs/updates/v1.47.md | 68 +++++++++++++++++ 38 files changed, 208 insertions(+), 54 deletions(-) create mode 100644 docs/updates/v1.47.md diff --git a/docs/changelog.md b/docs/changelog.md index 68d9565d19d..103cab874b9 100644 --- a/docs/changelog.md +++ b/docs/changelog.md 
@@ -39,9 +39,46 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers - Azure Cache for Redis: - Check for legacy Azure Cache for Redis instances by @BenjaminEngeset. [#3605](https://github.com/Azure/PSRule.Rules.Azure/issues/3605) - - Managed Instance for Apache Cassandra: - - Check that Managed Instance for Apache Cassandra clusters have availability zones enabled by @BenjaminEngeset. - [#3592](https://github.com/Azure/PSRule.Rules.Azure/issues/3592) + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_REDIS_CACHE_NAME_FORMAT` + - `AZURE_REDIS_ENTERPRISE_NAME_FORMAT` + - Added configured name format by @BernieWhite. + - Azure Database for MySQL: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_MYSQL_SERVER_NAME_FORMAT` + - Azure Database for PostgreSQL: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_POSTGRESQL_SERVER_NAME_FORMAT` + - Azure Kubernetes Service: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_AKS_CLUSTER_NAME_FORMAT` + - `AZURE_AKS_SYSTEM_POOL_NAME_FORMAT` + - `AZURE_AKS_USER_POOL_NAME_FORMAT` + - Container Apps: + - Check resources naming matches configured name format by @BernieWhite. 
+ [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration options: + - `AZURE_CONTAINER_APP_NAME_FORMAT` + - `AZURE_CONTAINER_APP_ENVIRONMENT_NAME_FORMAT` + - `AZURE_CONTAINER_APP_JOB_NAME_FORMAT` + - Container Instance: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration option: + - `AZURE_CONTAINER_INSTANCE_NAME_FORMAT` + - Container Registry: + - Check resources naming matches configured name format by @BernieWhite. + [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548) + - The name format can be configured by the following configuration option: + - `AZURE_CONTAINER_REGISTRY_NAME_FORMAT` - Cosmos DB: - Check that Cosmos DB accounts have availability zones enabled by @BenjaminEngeset. [#3055](https://github.com/Azure/PSRule.Rules.Azure/issues/3055) 
@@ -49,15 +86,47 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 [#3369](https://github.com/Azure/PSRule.Rules.Azure/issues/3369)
 - Check that MongoDB vCore clusters have availability zones enabled by @BenjaminEngeset.
 [#3586](https://github.com/Azure/PSRule.Rules.Azure/issues/3586)
+ - Check resources naming matches configured name format by @BernieWhite.
+ [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548)
+ - The name format can be configured by the following configuration options:
+ - `AZURE_COSMOS_CASSANDRA_NAME_FORMAT`
+ - `AZURE_COSMOS_DATABASE_NAME_FORMAT`
+ - `AZURE_COSMOS_GREMLIN_NAME_FORMAT`
+ - `AZURE_COSMOS_MONGO_NAME_FORMAT`
+ - `AZURE_COSMOS_NOSQL_NAME_FORMAT`
+ - `AZURE_COSMOS_POSTGRESQL_NAME_FORMAT`
+ - `AZURE_COSMOS_TABLE_NAME_FORMAT`
 - Data Explorer:
 - Check that public network access is disabled by @BenjaminEngeset.
 [#3114](https://github.com/Azure/PSRule.Rules.Azure/issues/3114)
 - Event Hub:
 - Check that zone redundancy is enabled for Event Hub namespaces in supported regions by @BenjaminEngeset.
 [#3029](https://github.com/Azure/PSRule.Rules.Azure/issues/3029)
+ - Managed Instance for Apache Cassandra:
+ - Check that Managed Instance for Apache Cassandra clusters have availability zones enabled by @BenjaminEngeset.
+ [#3592](https://github.com/Azure/PSRule.Rules.Azure/issues/3592)
 - Managed Grafana:
 - Check that zone redundancy is enabled for Grafana workspaces in supported regions by @BenjaminEngeset.
 [#3294](https://github.com/Azure/PSRule.Rules.Azure/issues/3294)
+ - Service Fabric:
+ - Check resources naming matches configured name format by @BernieWhite.
+ [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548)
+ - The name format can be configured by the following configuration option:
+ - `AZURE_SERVICE_FABRIC_CLUSTER_NAME_FORMAT`
+ - `AZURE_SERVICE_FABRIC_MANAGED_CLUSTER_NAME_FORMAT`
+ - SQL Database:
+ - Check resources naming matches configured name format by @BernieWhite.
+ [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548)
+ - The name format can be configured by the following configuration option:
+ - `AZURE_SQL_DATABASE_NAME_FORMAT`
+ - `AZURE_SQL_SERVER_NAME_FORMAT`
+ - `AZURE_SQL_ELASTIC_POOL_NAME_FORMAT`
+ - `AZURE_SQL_JOB_AGENT_NAME_FORMAT`
+ - SQL Managed Instance:
+ - Check resources naming matches configured name format by @BernieWhite.
+ [#3548](https://github.com/Azure/PSRule.Rules.Azure/issues/3548)
+ - The name format can be configured by the following configuration option:
+ - `AZURE_SQL_MI_NAME_FORMAT`
 - Updated rules:
 - Application Gateway Policy:
 - Updated `Azure.AppGwWAF.RuleGroups` to use Microsoft Default Rule Set instead of legacy OWASP rule set by @BenjaminEngeset.
diff --git a/docs/en/baselines/Azure.All.csv b/docs/en/baselines/Azure.All.csv
index cd0752eb302..5519e8b4379 100644
--- a/docs/en/baselines/Azure.All.csv
+++ b/docs/en/baselines/Azure.All.csv
@@ -167,13 +167,13 @@
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
-"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
 "Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
@@ -225,6 +225,7 @@
 "Azure.EventGrid.TopicNaming","Event Grid topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.TopicPublicAccess","Use Private Endpoints to access Event Grid topics and domains.","Important","Security","-"
 "Azure.EventGrid.TopicTLS","Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.","Critical","Security","L1"
+"Azure.EventHub.AvailabilityZone","Use zone redundant Event Hub namespaces in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.EventHub.DisableLocalAuth","Authenticate Event Hub publishers and consumers with Entra ID identities.","Important","Security","L1"
 "Azure.EventHub.Firewall","Access to the namespace endpoints should be restricted to only allowed sources.","Critical","Security","-"
 "Azure.EventHub.MinTLS","Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.","Critical","Security","L1"
@@ -360,6 +361,7 @@
 "Azure.Redis.FirewallRuleCount","Determine if there is an excessive number of firewall rules for the Redis cache.","Awareness","Security","-"
 "Azure.Redis.LocalAuth","Access keys allow depersonalized access to Azure Cache for Redis using a shared secret.","Important","Security","L1"
 "Azure.Redis.MaxMemoryReserved","Configure maxmemory-reserved to reserve memory for non-cache operations.","Important","Performance Efficiency","-"
+"Azure.Redis.MigrateAMR","Azure Cache for Redis is being retired. Migrate to Azure Managed Redis.","Important","Operational Excellence","-"
 "Azure.Redis.MinSKU","Use Azure Cache for Redis instances of at least Standard C1.","Important","Performance Efficiency","-"
 "Azure.Redis.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
diff --git a/docs/en/baselines/Azure.All.md b/docs/en/baselines/Azure.All.md
index 1e63e6ce96b..36b54a97bcf 100644
--- a/docs/en/baselines/Azure.All.md
+++ b/docs/en/baselines/Azure.All.md
@@ -10,7 +10,7 @@ Includes all Azure rules.
 
 The following rules are included within the `Azure.All` baseline.
 
-This baseline includes a total of 528 rules.
+This baseline includes a total of 530 rules.
 
 Name | Synopsis | Severity
 ---- | -------- | --------
@@ -182,13 +182,13 @@ Name | Synopsis | Severity
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
 [Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
-[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
 [Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
 [Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important
 [Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical
 [Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical
 [Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
@@ -240,6 +240,7 @@ Name | Synopsis | Severity
 [Azure.EventGrid.TopicNaming](../rules/Azure.EventGrid.TopicNaming.md) | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
 [Azure.EventGrid.TopicTLS](../rules/Azure.EventGrid.TopicTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical
+[Azure.EventHub.AvailabilityZone](../rules/Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important
 [Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
 [Azure.EventHub.Firewall](../rules/Azure.EventHub.Firewall.md) | Access to the namespace endpoints should be restricted to only allowed sources. | Critical
 [Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical
@@ -375,6 +376,7 @@ Name | Synopsis | Severity
 [Azure.Redis.FirewallRuleCount](../rules/Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness
 [Azure.Redis.LocalAuth](../rules/Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | Important
 [Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
+[Azure.Redis.MigrateAMR](../rules/Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important
 [Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important
 [Azure.Redis.MinTLS](../rules/Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
 [Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
diff --git a/docs/en/baselines/Azure.Default.csv b/docs/en/baselines/Azure.Default.csv
index f2cb8586242..0d0d5dccd01 100644
--- a/docs/en/baselines/Azure.Default.csv
+++ b/docs/en/baselines/Azure.Default.csv
@@ -160,13 +160,13 @@
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
-"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
 "Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
@@ -217,6 +217,7 @@
 "Azure.EventGrid.TopicNaming","Event Grid topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.TopicPublicAccess","Use Private Endpoints to access Event Grid topics and domains.","Important","Security","-"
 "Azure.EventGrid.TopicTLS","Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.","Critical","Security","L1"
+"Azure.EventHub.AvailabilityZone","Use zone redundant Event Hub namespaces in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.EventHub.DisableLocalAuth","Authenticate Event Hub publishers and consumers with Entra ID identities.","Important","Security","L1"
 "Azure.EventHub.Firewall","Access to the namespace endpoints should be restricted to only allowed sources.","Critical","Security","-"
 "Azure.EventHub.MinTLS","Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.","Critical","Security","L1"
@@ -352,6 +353,7 @@
 "Azure.Redis.FirewallRuleCount","Determine if there is an excessive number of firewall rules for the Redis cache.","Awareness","Security","-"
 "Azure.Redis.LocalAuth","Access keys allow depersonalized access to Azure Cache for Redis using a shared secret.","Important","Security","L1"
 "Azure.Redis.MaxMemoryReserved","Configure maxmemory-reserved to reserve memory for non-cache operations.","Important","Performance Efficiency","-"
+"Azure.Redis.MigrateAMR","Azure Cache for Redis is being retired. Migrate to Azure Managed Redis.","Important","Operational Excellence","-"
 "Azure.Redis.MinSKU","Use Azure Cache for Redis instances of at least Standard C1.","Important","Performance Efficiency","-"
 "Azure.Redis.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
diff --git a/docs/en/baselines/Azure.Default.md b/docs/en/baselines/Azure.Default.md
index 800b8c2508d..1d81ecc3b75 100644
--- a/docs/en/baselines/Azure.Default.md
+++ b/docs/en/baselines/Azure.Default.md
@@ -10,7 +10,7 @@ Default baseline for that includes the latest rules for Azure GA features that i
 
 The following rules are included within the `Azure.Default` baseline.
 
-This baseline includes a total of 514 rules.
+This baseline includes a total of 516 rules.
 
 Name | Synopsis | Severity
 ---- | -------- | --------
@@ -175,13 +175,13 @@ Name | Synopsis | Severity
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
 [Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
-[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
 [Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
 [Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important
 [Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical
 [Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical
 [Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
@@ -232,6 +232,7 @@ Name | Synopsis | Severity
 [Azure.EventGrid.TopicNaming](../rules/Azure.EventGrid.TopicNaming.md) | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
 [Azure.EventGrid.TopicTLS](../rules/Azure.EventGrid.TopicTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical
+[Azure.EventHub.AvailabilityZone](../rules/Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important
 [Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
 [Azure.EventHub.Firewall](../rules/Azure.EventHub.Firewall.md) | Access to the namespace endpoints should be restricted to only allowed sources. | Critical
 [Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical
@@ -367,6 +368,7 @@ Name | Synopsis | Severity
 [Azure.Redis.FirewallRuleCount](../rules/Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness
 [Azure.Redis.LocalAuth](../rules/Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | Important
 [Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
+[Azure.Redis.MigrateAMR](../rules/Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important
 [Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important
 [Azure.Redis.MinTLS](../rules/Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
 [Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
diff --git a/docs/en/baselines/Azure.GA_2024_06.csv b/docs/en/baselines/Azure.GA_2024_06.csv
index bd3587b7a6a..857636e9bb9 100644
--- a/docs/en/baselines/Azure.GA_2024_06.csv
+++ b/docs/en/baselines/Azure.GA_2024_06.csv
@@ -131,9 +131,9 @@
 "Azure.ContainerApp.Storage","Use of Azure Files volume mounts to persistent storage container data.","Awareness","Reliability","-"
 "Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
-"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2024_06.md b/docs/en/baselines/Azure.GA_2024_06.md
index 8bb0fb182d2..5a30cdf71ae 100644
--- a/docs/en/baselines/Azure.GA_2024_06.md
+++ b/docs/en/baselines/Azure.GA_2024_06.md
@@ -151,9 +151,9 @@ Name | Synopsis | Severity
 [Azure.ContainerApp.Storage](../rules/Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
-[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical
diff --git a/docs/en/baselines/Azure.GA_2024_09.csv b/docs/en/baselines/Azure.GA_2024_09.csv
index d9a62491a3e..797a3918215 100644
--- a/docs/en/baselines/Azure.GA_2024_09.csv
+++ b/docs/en/baselines/Azure.GA_2024_09.csv
@@ -136,9 +136,9 @@
 "Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
-"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2024_09.md b/docs/en/baselines/Azure.GA_2024_09.md
index 93550525260..1c8f1964e80 100644
--- a/docs/en/baselines/Azure.GA_2024_09.md
+++ b/docs/en/baselines/Azure.GA_2024_09.md
@@ -156,9 +156,9 @@ Name | Synopsis | Severity
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
-[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical
diff --git a/docs/en/baselines/Azure.GA_2024_12.csv b/docs/en/baselines/Azure.GA_2024_12.csv
index 304364e84d4..1310c681f3b 100644
--- a/docs/en/baselines/Azure.GA_2024_12.csv
+++ b/docs/en/baselines/Azure.GA_2024_12.csv
@@ -137,9 +137,9 @@
 "Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
-"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2024_12.md b/docs/en/baselines/Azure.GA_2024_12.md
index 24e0babcce8..85212dfaaa5 100644
--- a/docs/en/baselines/Azure.GA_2024_12.md
+++ b/docs/en/baselines/Azure.GA_2024_12.md
@@ -157,9 +157,9 @@ Name | Synopsis | Severity
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
-[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical
diff --git a/docs/en/baselines/Azure.GA_2025_03.csv b/docs/en/baselines/Azure.GA_2025_03.csv
index b83a5cb4538..6df77276688 100644
--- a/docs/en/baselines/Azure.GA_2025_03.csv
+++ b/docs/en/baselines/Azure.GA_2025_03.csv
@@ -137,9 +137,9 @@
 "Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
-"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2025_03.md b/docs/en/baselines/Azure.GA_2025_03.md
index 7a086bd5415..1dbf52c55c2 100644
--- a/docs/en/baselines/Azure.GA_2025_03.md
+++ b/docs/en/baselines/Azure.GA_2025_03.md
@@ -157,9 +157,9 @@ Name | Synopsis | Severity
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
-[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical
diff --git a/docs/en/baselines/Azure.GA_2025_06.csv b/docs/en/baselines/Azure.GA_2025_06.csv
index 979b29c85dc..ddaade2146d 100644
--- a/docs/en/baselines/Azure.GA_2025_06.csv
+++ b/docs/en/baselines/Azure.GA_2025_06.csv
@@ -143,9 +143,9 @@
 "Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
-"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2025_06.md b/docs/en/baselines/Azure.GA_2025_06.md
index 81f5778edd5..ee4ed9377df 100644
--- a/docs/en/baselines/Azure.GA_2025_06.md
+++ b/docs/en/baselines/Azure.GA_2025_06.md
@@ -163,9 +163,9 @@ Name | Synopsis | Severity
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
-[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical
diff --git a/docs/en/baselines/Azure.GA_2025_09.csv b/docs/en/baselines/Azure.GA_2025_09.csv
index 320b72308a8..744bb3cf653 100644
--- a/docs/en/baselines/Azure.GA_2025_09.csv
+++ b/docs/en/baselines/Azure.GA_2025_09.csv
@@ -146,9 +146,9 @@
 "Azure.Cosmos.AccountName","Cosmos DB account names should meet naming requirements.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
-"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
+"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Cosmos.SLA","Use a paid tier to qualify for a Service Level Agreement (SLA).","Important","Reliability","-"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
diff --git a/docs/en/baselines/Azure.GA_2025_09.md b/docs/en/baselines/Azure.GA_2025_09.md
index dffcb68cc41..9e5ac1544f3 100644
--- a/docs/en/baselines/Azure.GA_2025_09.md
+++ b/docs/en/baselines/Azure.GA_2025_09.md
@@ -163,9 +163,9 @@ Name | Synopsis | Severity
 [Azure.Cosmos.AccountName](../rules/Azure.Cosmos.AccountName.md) | Cosmos DB account names should meet naming requirements. | Awareness
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
-[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
+[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Cosmos.SLA](../rules/Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical
diff --git a/docs/en/baselines/Azure.MCSB.v1.csv b/docs/en/baselines/Azure.MCSB.v1.csv
index 767ed7d2161..887441ef3ee 100644
--- a/docs/en/baselines/Azure.MCSB.v1.csv
+++ b/docs/en/baselines/Azure.MCSB.v1.csv
@@ -58,9 +58,9 @@
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
-"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
+"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Defender.Api","Enable Microsoft Defender for APIs.","Critical","Security","-"
 "Azure.Defender.AppServices","Enable Microsoft Defender for App Service.","Critical","Security","-"
diff --git a/docs/en/baselines/Azure.MCSB.v1.md b/docs/en/baselines/Azure.MCSB.v1.md
index b47a0d5948a..3cb90a77d18 100644
--- a/docs/en/baselines/Azure.MCSB.v1.md
+++ b/docs/en/baselines/Azure.MCSB.v1.md
@@ -79,9 +79,9 @@ Name | Synopsis | Severity
 [Azure.ContainerApp.PublicAccess](../rules/Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important
 [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
-[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
 [Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical
+[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
 [Azure.Defender.Api](../rules/Azure.Defender.Api.md) | Enable Microsoft Defender for APIs. | Critical
 [Azure.Defender.AppServices](../rules/Azure.Defender.AppServices.md) | Enable Microsoft Defender for App Service. | Critical
diff --git a/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv b/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv
index 2c86cda38ca..412e2a8e2e5 100644
--- a/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv
+++ b/docs/en/baselines/Azure.Pillar.OperationalExcellence.csv
@@ -79,6 +79,7 @@
 "Azure.PublicIP.MigrateStandard","Use the Standard SKU for Public IP addresses as the Basic SKU will be retired.","Important","Operational Excellence","-"
 "Azure.PublicIP.Name","Azure Resource Manager (ARM) has requirements for Public IP address names.","Awareness","Operational Excellence","-"
 "Azure.PublicIP.Naming","Public IP addresses without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
+"Azure.Redis.MigrateAMR","Azure Cache for Redis is being retired. Migrate to Azure Managed Redis.","Important","Operational Excellence","-"
 "Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.RedisEnterprise.Naming","Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Resource.RequiredTags","Resources without a standard tagging convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
diff --git a/docs/en/baselines/Azure.Pillar.OperationalExcellence.md b/docs/en/baselines/Azure.Pillar.OperationalExcellence.md
index 921b508bf82..3fea57ffc39 100644
--- a/docs/en/baselines/Azure.Pillar.OperationalExcellence.md
+++ b/docs/en/baselines/Azure.Pillar.OperationalExcellence.md
@@ -14,7 +14,7 @@ Microsoft Azure Well-Architected Framework - Operational Excellence pillar speci
 The following rules are included within the `Azure.Pillar.OperationalExcellence` baseline.
-This baseline includes a total of 145 rules.
+This baseline includes a total of 146 rules.
 Name | Synopsis | Severity | Maturity
 ---- | -------- | -------- | --------
@@ -98,6 +98,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.PublicIP.MigrateStandard](../rules/Azure.PublicIP.MigrateStandard.md) | Use the Standard SKU for Public IP addresses as the Basic SKU will be retired. | Important | -
 [Azure.PublicIP.Name](../rules/Azure.PublicIP.Name.md) | Azure Resource Manager (ARM) has requirements for Public IP address names. | Awareness | -
 [Azure.PublicIP.Naming](../rules/Azure.PublicIP.Naming.md) | Public IP addresses without a standard naming convention may be difficult to identify and manage. | Awareness | -
+[Azure.Redis.MigrateAMR](../rules/Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important | -
 [Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.RedisEnterprise.Naming](../rules/Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | L2
 [Azure.Resource.RequiredTags](../rules/Azure.Resource.RequiredTags.md) | Resources without a standard tagging convention may be difficult to identify and manage. | Awareness | -
diff --git a/docs/en/baselines/Azure.Pillar.Reliability.csv b/docs/en/baselines/Azure.Pillar.Reliability.csv
index b903718b3c0..ecae6941a36 100644
--- a/docs/en/baselines/Azure.Pillar.Reliability.csv
+++ b/docs/en/baselines/Azure.Pillar.Reliability.csv
@@ -37,6 +37,7 @@
 "Azure.DataFactory.Version","Consider migrating to DataFactory v2.","Awareness","Reliability","-"
 "Azure.EntraDS.MinReplicas","Applications or infrastructure relying on a managed domain may fail if the domain is not available.","Important","Reliability","-"
 "Azure.EntraDS.SKU","The default SKU for Microsoft Entra Domain Services supports resiliency in a single region.","Important","Reliability","-"
+"Azure.EventHub.AvailabilityZone","Use zone redundant Event Hub namespaces in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Firewall.AvailabilityZone","Deploy firewall instances using availability zones in supported regions to ensure high availability and resilience.","Important","Reliability","-"
 "Azure.FrontDoor.Probe","Use health probes to check the health of each backend.","Important","Reliability","-"
 "Azure.FrontDoor.ProbeMethod","Configure health probes to use HEAD requests to reduce performance overhead.","Important","Reliability","-"
diff --git a/docs/en/baselines/Azure.Pillar.Reliability.md b/docs/en/baselines/Azure.Pillar.Reliability.md
index b80fd2cbf29..a4d926f1b4a 100644
--- a/docs/en/baselines/Azure.Pillar.Reliability.md
+++ b/docs/en/baselines/Azure.Pillar.Reliability.md
@@ -14,7 +14,7 @@ Microsoft Azure Well-Architected Framework - Reliability pillar specific baselin
 The following rules are included within the `Azure.Pillar.Reliability` baseline.
-This baseline includes a total of 100 rules.
+This baseline includes a total of 101 rules.
 Name | Synopsis | Severity | Maturity
 ---- | -------- | -------- | --------
@@ -56,6 +56,7 @@ Name | Synopsis | Severity | Maturity
 [Azure.DataFactory.Version](../rules/Azure.DataFactory.Version.md) | Consider migrating to DataFactory v2. | Awareness | -
 [Azure.EntraDS.MinReplicas](../rules/Azure.EntraDS.MinReplicas.md) | Applications or infrastructure relying on a managed domain may fail if the domain is not available. | Important | -
 [Azure.EntraDS.SKU](../rules/Azure.EntraDS.SKU.md) | The default SKU for Microsoft Entra Domain Services supports resiliency in a single region. | Important | -
+[Azure.EventHub.AvailabilityZone](../rules/Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important | L1
 [Azure.Firewall.AvailabilityZone](../rules/Azure.Firewall.AvailabilityZone.md) | Deploy firewall instances using availability zones in supported regions to ensure high availability and resilience. | Important | -
 [Azure.FrontDoor.Probe](../rules/Azure.FrontDoor.Probe.md) | Use health probes to check the health of each backend. | Important | -
 [Azure.FrontDoor.ProbeMethod](../rules/Azure.FrontDoor.ProbeMethod.md) | Configure health probes to use HEAD requests to reduce performance overhead. | Important | -
diff --git a/docs/en/baselines/Azure.Pillar.Security.L1.csv b/docs/en/baselines/Azure.Pillar.Security.L1.csv
index 8ee86156a22..ab2c9b65e64 100644
--- a/docs/en/baselines/Azure.Pillar.Security.L1.csv
+++ b/docs/en/baselines/Azure.Pillar.Security.L1.csv
@@ -28,9 +28,9 @@
 "Azure.CDN.MinTLS","Azure CDN endpoints should reject TLS versions older than 1.2.","Important","Security","L1"
 "Azure.ContainerApp.Insecure","Ensure insecure inbound traffic is not permitted to the container app.","Important","Security","L1"
 "Azure.ContainerApp.ManagedIdentity","Ensure managed identity is used for authentication.","Important","Security","L1"
-"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
+"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1"
 "Azure.EntraDS.NTLM","Disable NTLM v1 for Microsoft Entra Domain Services.","Critical","Security","L1"
 "Azure.EntraDS.RC4","Disable RC4 encryption for Microsoft Entra Domain Services.","Critical","Security","L1"
 "Azure.EntraDS.TLS","Disable TLS v1 for Microsoft Entra Domain Services.","Critical","Security","L1"
diff --git a/docs/en/baselines/Azure.Pillar.Security.L1.md b/docs/en/baselines/Azure.Pillar.Security.L1.md
index cc3eaae11b1..5e807a3a4fe 100644
--- a/docs/en/baselines/Azure.Pillar.Security.L1.md
+++ b/docs/en/baselines/Azure.Pillar.Security.L1.md
@@ -49,9 +49,9 @@ Name | Synopsis | Severity | Maturity
 [Azure.CDN.MinTLS](../rules/Azure.CDN.MinTLS.md) | Azure CDN endpoints should reject TLS versions older than 1.2. | Important | L1
 [Azure.ContainerApp.Insecure](../rules/Azure.ContainerApp.Insecure.md) | Ensure insecure inbound traffic is not permitted to the container app. | Important | L1
 [Azure.ContainerApp.ManagedIdentity](../rules/Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | L1
-[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | L1
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | L1
 [Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | L1
+[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical | L1
 [Azure.EntraDS.NTLM](../rules/Azure.EntraDS.NTLM.md) | Disable NTLM v1 for Microsoft Entra Domain Services. | Critical | L1
 [Azure.EntraDS.RC4](../rules/Azure.EntraDS.RC4.md) | Disable RC4 encryption for Microsoft Entra Domain Services. | Critical | L1
 [Azure.EntraDS.TLS](../rules/Azure.EntraDS.TLS.md) | Disable TLS v1 for Microsoft Entra Domain Services. | Critical | L1
diff --git a/docs/en/baselines/Azure.Pillar.Security.csv b/docs/en/baselines/Azure.Pillar.Security.csv
index 065c01cfc68..32d9a331ed5 100644
--- a/docs/en/baselines/Azure.Pillar.Security.csv
+++ b/docs/en/baselines/Azure.Pillar.Security.csv
@@ -77,10 +77,10 @@
 "Azure.ContainerApp.PublicAccess","Ensure public network access for Container Apps environment is disabled.","Important","Security","-"
 "Azure.ContainerApp.RestrictIngress","IP ingress restrictions mode should be set to allow action for all rules defined.","Important","Security","-"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
-"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
+"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
 "Azure.Databricks.PublicAccess","Azure Databricks workspaces should disable public network access.","Critical","Security","-"
 "Azure.Databricks.SecureConnectivity","Use Databricks workspaces configured for secure cluster connectivity.","Critical","Security","-"
diff --git a/docs/en/baselines/Azure.Pillar.Security.md b/docs/en/baselines/Azure.Pillar.Security.md
index 88467e78261..1cee0f9c422 100644
--- a/docs/en/baselines/Azure.Pillar.Security.md
+++ b/docs/en/baselines/Azure.Pillar.Security.md
@@ -96,10 +96,10 @@ Name | Synopsis | Severity | Maturity
 [Azure.ContainerApp.PublicAccess](../rules/Azure.ContainerApp.PublicAccess.md) | Ensure public network access for Container Apps environment is disabled. | Important | -
 [Azure.ContainerApp.RestrictIngress](../rules/Azure.ContainerApp.RestrictIngress.md) | IP ingress restrictions mode should be set to allow action for all rules defined. | Important | -
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | -
-[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | L1
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | -
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | L1
 [Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | L1
+[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical | L1
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical | -
 [Azure.Databricks.PublicAccess](../rules/Azure.Databricks.PublicAccess.md) | Azure Databricks workspaces should disable public network access. | Critical | -
 [Azure.Databricks.SecureConnectivity](../rules/Azure.Databricks.SecureConnectivity.md) | Use Databricks workspaces configured for secure cluster connectivity. | Critical | -
diff --git a/docs/en/baselines/Azure.Preview.csv b/docs/en/baselines/Azure.Preview.csv
index ed67f0675fc..bc5584be635 100644
--- a/docs/en/baselines/Azure.Preview.csv
+++ b/docs/en/baselines/Azure.Preview.csv
@@ -165,13 +165,13 @@
 "Azure.Cosmos.ContinuousBackup","Enable continuous backup on Cosmos DB accounts.","Important","Reliability","-"
 "Azure.Cosmos.DatabaseNaming","Cosmos DB database resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.DefenderCloud","Enable Microsoft Defender for Azure Cosmos DB.","Critical","Security","-"
-"Azure.Cosmos.DisableLocalAuth","Access keys allow depersonalized access to Cosmos DB accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.DisableMetadataWrite","Use Entra ID identities for management place operations in Azure Cosmos DB.","Important","Security","-"
 "Azure.Cosmos.GremlinNaming","Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.MinTLS","Cosmos DB accounts should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.Cosmos.MongoAvailabilityZone","Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.Cosmos.MongoEntraID","MongoDB vCore clusters should have Microsoft Entra ID authentication enabled.","Critical","Security","L1"
 "Azure.Cosmos.MongoNaming","Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
+"Azure.Cosmos.NoSQLLocalAuth","Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret.","Critical","Security","L1"
 "Azure.Cosmos.NoSQLNaming","Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.PostgreSQLNaming","Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
 "Azure.Cosmos.PublicAccess","Azure Cosmos DB should have public network access disabled.","Critical","Security","-"
@@ -223,6 +223,7 @@
 "Azure.EventGrid.TopicNaming","Event Grid topics without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","-"
 "Azure.EventGrid.TopicPublicAccess","Use Private Endpoints to access Event Grid topics and domains.","Important","Security","-"
 "Azure.EventGrid.TopicTLS","Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.","Critical","Security","L1"
+"Azure.EventHub.AvailabilityZone","Use zone redundant Event Hub namespaces in supported regions to improve reliability.","Important","Reliability","L1"
 "Azure.EventHub.DisableLocalAuth","Authenticate Event Hub publishers and consumers with Entra ID identities.","Important","Security","L1"
 "Azure.EventHub.Firewall","Access to the namespace endpoints should be restricted to only allowed sources.","Critical","Security","-"
 "Azure.EventHub.MinTLS","Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities.","Critical","Security","L1"
@@ -358,6 +359,7 @@
 "Azure.Redis.FirewallRuleCount","Determine if there is an excessive number of firewall rules for the Redis cache.","Awareness","Security","-"
 "Azure.Redis.LocalAuth","Access keys allow depersonalized access to Azure Cache for Redis using a shared secret.","Important","Security","L1"
 "Azure.Redis.MaxMemoryReserved","Configure maxmemory-reserved to reserve memory for non-cache operations.","Important","Performance Efficiency","-"
+"Azure.Redis.MigrateAMR","Azure Cache for Redis is being retired. Migrate to Azure Managed Redis.","Important","Operational Excellence","-"
 "Azure.Redis.MinSKU","Use Azure Cache for Redis instances of at least Standard C1.","Important","Performance Efficiency","-"
 "Azure.Redis.MinTLS","Redis Cache should reject TLS versions older than 1.2.","Critical","Security","L1"
 "Azure.Redis.Naming","Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage.","Awareness","Operational Excellence","L2"
diff --git a/docs/en/baselines/Azure.Preview.md b/docs/en/baselines/Azure.Preview.md
index c57df8a3d35..3de89c19d42 100644
--- a/docs/en/baselines/Azure.Preview.md
+++ b/docs/en/baselines/Azure.Preview.md
@@ -10,7 +10,7 @@ Includes the latest rules for Azure GA and preview features that is updated each
 The following rules are included within the `Azure.Preview` baseline.
-This baseline includes a total of 522 rules.
+This baseline includes a total of 524 rules.
 Name | Synopsis | Severity
 ---- | -------- | --------
@@ -180,13 +180,13 @@ Name | Synopsis | Severity
 [Azure.Cosmos.ContinuousBackup](../rules/Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important
 [Azure.Cosmos.DatabaseNaming](../rules/Azure.Cosmos.DatabaseNaming.md) | Cosmos DB database resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.DefenderCloud](../rules/Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical
-[Azure.Cosmos.DisableLocalAuth](../rules/Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical
 [Azure.Cosmos.DisableMetadataWrite](../rules/Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important
 [Azure.Cosmos.GremlinNaming](../rules/Azure.Cosmos.GremlinNaming.md) | Cosmos DB for Apache Gremlin account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.MinTLS](../rules/Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical
 [Azure.Cosmos.MongoAvailabilityZone](../rules/Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important
 [Azure.Cosmos.MongoEntraID](../rules/Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical
 [Azure.Cosmos.MongoNaming](../rules/Azure.Cosmos.MongoNaming.md) | Cosmos DB for MongoDB account resources without a standard naming convention may be difficult to identify and manage. | Awareness
+[Azure.Cosmos.NoSQLLocalAuth](../rules/Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical
 [Azure.Cosmos.NoSQLNaming](../rules/Azure.Cosmos.NoSQLNaming.md) | Cosmos DB for NoSQL account resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PostgreSQLNaming](../rules/Azure.Cosmos.PostgreSQLNaming.md) | Cosmos DB PostgreSQL cluster resources without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.Cosmos.PublicAccess](../rules/Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical
@@ -238,6 +238,7 @@ Name | Synopsis | Severity
 [Azure.EventGrid.TopicNaming](../rules/Azure.EventGrid.TopicNaming.md) | Event Grid topics without a standard naming convention may be difficult to identify and manage. | Awareness
 [Azure.EventGrid.TopicPublicAccess](../rules/Azure.EventGrid.TopicPublicAccess.md) | Use Private Endpoints to access Event Grid topics and domains. | Important
 [Azure.EventGrid.TopicTLS](../rules/Azure.EventGrid.TopicTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical
+[Azure.EventHub.AvailabilityZone](../rules/Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important
 [Azure.EventHub.DisableLocalAuth](../rules/Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important
 [Azure.EventHub.Firewall](../rules/Azure.EventHub.Firewall.md) | Access to the namespace endpoints should be restricted to only allowed sources. | Critical
 [Azure.EventHub.MinTLS](../rules/Azure.EventHub.MinTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical
@@ -373,6 +374,7 @@ Name | Synopsis | Severity
 [Azure.Redis.FirewallRuleCount](../rules/Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness
 [Azure.Redis.LocalAuth](../rules/Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | Important
 [Azure.Redis.MaxMemoryReserved](../rules/Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important
+[Azure.Redis.MigrateAMR](../rules/Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important
 [Azure.Redis.MinSKU](../rules/Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important
 [Azure.Redis.MinTLS](../rules/Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical
 [Azure.Redis.Naming](../rules/Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness
diff --git a/docs/en/rules/Azure.SQL.MaintenanceWindow.md b/docs/en/rules/Azure.SQL.MaintenanceWindow.md
index 70f314a1c56..8bc6b3e702c 100644
--- a/docs/en/rules/Azure.SQL.MaintenanceWindow.md
+++ b/docs/en/rules/Azure.SQL.MaintenanceWindow.md
@@ -2,8 +2,8 @@
 severity: Important
 pillar: Reliability
 category: RE:04 Target metrics
-resource: Azure Database
-resourceType: Microsoft.Sql/servers',Microsoft.Sql/servers/databases,Microsoft.Sql/servers/elasticPools
+resource: SQL Database
+resourceType: Microsoft.Sql/servers,Microsoft.Sql/servers/databases,Microsoft.Sql/servers/elasticPools
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.SQL.MaintenanceWindow/
 ---
diff --git a/docs/en/rules/index.md b/docs/en/rules/index.md
index 3edf92b5092..cd90d2aa2ff 100644
--- a/docs/en/rules/index.md
+++ b/docs/en/rules/index.md
@@ -550,5 +550,7 @@ AZR-000528 | [Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azu
 AZR-000529 | [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | GA
 AZR-000530 | [Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | GA
 AZR-000531 | [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000532 | [Azure.EventHub.AvailabilityZone](Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | GA
+AZR-000533 | [Azure.Redis.MigrateAMR](Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | GA
 *[GA]: Generally Available — Rules related to a generally available Azure features.
diff --git a/docs/en/rules/module.md b/docs/en/rules/module.md
index a87daa0a714..45ade7b8fa1 100644
--- a/docs/en/rules/module.md
+++ b/docs/en/rules/module.md
@@ -201,6 +201,7 @@ Name | Synopsis | Severity | Level
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
+[Azure.Redis.MigrateAMR](Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important | Error
 [Azure.Template.ResourceLocation](Azure.Template.ResourceLocation.md) | Resource locations should be an expression or global. | Awareness | Error
 [Azure.Template.TemplateFile](Azure.Template.TemplateFile.md) | Use ARM template files that are valid. | Important | Error
 [Azure.Template.ValidSecretRef](Azure.Template.ValidSecretRef.md) | Use a valid secret reference within parameter files. | Awareness | Error
@@ -459,6 +460,7 @@ Name | Synopsis | Severity | Level
 [Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error
 [Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error
 [Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error
+[Azure.EventHub.AvailabilityZone](Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important | Error
 [Azure.LB.Probe](Azure.LB.Probe.md) | Use a specific probe for web protocols. | Important | Error
 [Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | Error
 [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning
@@ -697,9 +699,9 @@ Name | Synopsis | Severity | Level
 [Azure.AppInsights.LocalAuth](Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical | Error
 [Azure.AppService.ManagedIdentity](Azure.AppService.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important | Error
 [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error
-[Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error
 [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error
 [Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error
+[Azure.Cosmos.NoSQLLocalAuth](Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical | Error
 [Azure.EventGrid.DisableLocalAuth](Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important | Error
 [Azure.EventGrid.ManagedIdentity](Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important | Error
 [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error
diff --git a/docs/en/rules/resource.md b/docs/en/rules/resource.md
index 82eadab68b4..f96db08ebce 100644
--- a/docs/en/rules/resource.md
+++ b/docs/en/rules/resource.md
@@ -191,6 +191,7 @@ Name | Synopsis | Severity | Level
 [Azure.Redis.FirewallRuleCount](Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness | Error
 [Azure.Redis.LocalAuth](Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | Important | Error
 [Azure.Redis.MaxMemoryReserved](Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error
+[Azure.Redis.MigrateAMR](Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important | Error
 [Azure.Redis.MinSKU](Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error
 [Azure.Redis.MinTLS](Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
 [Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
@@ -206,12 +207,6 @@ Name | Synopsis | Severity | Level
 [Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.RedisEnterprise.Zones](Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important | Error
-## Azure Database
-
-Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
-[Azure.SQL.MaintenanceWindow](Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important | Error
-
 ## Azure Database for MariaDB
 Name | Synopsis | Severity | Level
@@ -448,11 +443,11 @@ Name | Synopsis | Severity | Level
 [Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error
 [Azure.Cosmos.ContinuousBackup](Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important | Error
 [Azure.Cosmos.DefenderCloud](Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error
-[Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error
 [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error
 [Azure.Cosmos.MinTLS](Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | Error
 [Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error
 [Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error
+[Azure.Cosmos.NoSQLLocalAuth](Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical | Error
 [Azure.Cosmos.PublicAccess](Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical | Error
 [Azure.Cosmos.SLA](Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important | Error
@@ -584,6 +579,7 @@ Name | Synopsis | Severity | Level
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
+[Azure.EventHub.AvailabilityZone](Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important | Error
 [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error
 [Azure.EventHub.Firewall](Azure.EventHub.Firewall.md) | Access to the namespace endpoints should be restricted to only allowed sources. | Critical | Error
 [Azure.EventHub.MinTLS](Azure.EventHub.MinTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical | Error
@@ -822,6 +818,7 @@ Name | Synopsis | Severity | Level
 [Azure.SQL.FGName](Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness | Error
 [Azure.SQL.FirewallIPRange](Azure.SQL.FirewallIPRange.md) | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important | Error
 [Azure.SQL.FirewallRuleCount](Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness | Error
+[Azure.SQL.MaintenanceWindow](Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important | Error
 [Azure.SQL.MinTLS](Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical | Error
 [Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error
 [Azure.SQL.TDE](Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical | Error
diff --git a/docs/es/rules/index.md b/docs/es/rules/index.md
index fd1d8f09359..cd90d2aa2ff 100644
--- a/docs/es/rules/index.md
+++ b/docs/es/rules/index.md
@@ -440,7 +440,7 @@ AZR-000416 | [Azure.EntraDS.NTLM](Azure.EntraDS.NTLM.md) | Disable NTLM v1 for M
 AZR-000417 | [Azure.EntraDS.TLS](Azure.EntraDS.TLS.md) | Disable TLS v1 for Microsoft Entra Domain Services. | GA
 AZR-000418 | [Azure.EntraDS.RC4](Azure.EntraDS.RC4.md) | Disable RC4 encryption for Microsoft Entra Domain Services. | GA
 AZR-000419 | [Azure.Cosmos.SLA](Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | GA
-AZR-000420 | [Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | GA
+AZR-000420 | [Azure.Cosmos.NoSQLLocalAuth](Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | GA
 AZR-000421 | [Azure.Cosmos.PublicAccess](Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | GA
 AZR-000422 | [Azure.EventHub.Firewall](Azure.EventHub.Firewall.md) | Access to the namespace endpoints should be restricted to only allowed sources. | GA
 AZR-000423 | [Azure.AppGw.MigrateWAFPolicy](Azure.AppGw.MigrateWAFPolicy.md) | Migrate to Application Gateway WAF policy. | GA
@@ -550,5 +550,7 @@ AZR-000528 | [Azure.SQL.ElasticPoolNaming](Azure.SQL.ElasticPoolNaming.md) | Azu
 AZR-000529 | [Azure.SQLMI.Naming](Azure.SQLMI.Naming.md) | SQL Managed Instance resources without a standard naming convention may be difficult to identify and manage. | GA
 AZR-000530 | [Azure.ServiceFabric.Naming](Azure.ServiceFabric.Naming.md) | Service Fabric cluster resources without a standard naming convention may be difficult to identify and manage. | GA
 AZR-000531 | [Azure.ServiceFabric.ManagedNaming](Azure.ServiceFabric.ManagedNaming.md) | Service Fabric managed cluster resources without a standard naming convention may be difficult to identify and manage. | GA
+AZR-000532 | [Azure.EventHub.AvailabilityZone](Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | GA
+AZR-000533 | [Azure.Redis.MigrateAMR](Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | GA
 *[GA]: Generally Available — Rules related to a generally available Azure features.
diff --git a/docs/es/rules/module.md b/docs/es/rules/module.md
index a87daa0a714..45ade7b8fa1 100644
--- a/docs/es/rules/module.md
+++ b/docs/es/rules/module.md
@@ -201,6 +201,7 @@ Name | Synopsis | Severity | Level
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
+[Azure.Redis.MigrateAMR](Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important | Error
 [Azure.Template.ResourceLocation](Azure.Template.ResourceLocation.md) | Resource locations should be an expression or global. | Awareness | Error
 [Azure.Template.TemplateFile](Azure.Template.TemplateFile.md) | Use ARM template files that are valid. | Important | Error
 [Azure.Template.ValidSecretRef](Azure.Template.ValidSecretRef.md) | Use a valid secret reference within parameter files. | Awareness | Error
@@ -459,6 +460,7 @@ Name | Synopsis | Severity | Level
 [Azure.ContainerApp.Storage](Azure.ContainerApp.Storage.md) | Use of Azure Files volume mounts to persistent storage container data. | Awareness | Error
 [Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error
 [Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error
+[Azure.EventHub.AvailabilityZone](Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important | Error
 [Azure.LB.Probe](Azure.LB.Probe.md) | Use a specific probe for web protocols. | Important | Error
 [Azure.MICassandra.AvailabilityZone](Azure.MICassandra.AvailabilityZone.md) | Use zone redundant Managed Instance for Apache Cassandra clusters in supported regions to improve reliability. | Important | Error
 [Azure.MySQL.UseFlexible](Azure.MySQL.UseFlexible.md) | Use Azure Database for MySQL Flexible Server deployment model. | Important | Warning
@@ -697,9 +699,9 @@ Name | Synopsis | Severity | Level
 [Azure.AppInsights.LocalAuth](Azure.AppInsights.LocalAuth.md) | Local authentication allows depersonalized access to store telemetry in Application Insights using a shared identifier. | Critical | Error
 [Azure.AppService.ManagedIdentity](Azure.AppService.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important | Error
 [Azure.ContainerApp.ManagedIdentity](Azure.ContainerApp.ManagedIdentity.md) | Ensure managed identity is used for authentication. | Important | Error
-[Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error
 [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error
 [Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error
+[Azure.Cosmos.NoSQLLocalAuth](Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical | Error
 [Azure.EventGrid.DisableLocalAuth](Azure.EventGrid.DisableLocalAuth.md) | Authenticate publishing clients with Azure AD identities. | Important | Error
 [Azure.EventGrid.ManagedIdentity](Azure.EventGrid.ManagedIdentity.md) | Use managed identities to deliver Event Grid Topic events. | Important | Error
 [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error
diff --git a/docs/es/rules/resource.md b/docs/es/rules/resource.md
index 82eadab68b4..f96db08ebce 100644
--- a/docs/es/rules/resource.md
+++ b/docs/es/rules/resource.md
@@ -191,6 +191,7 @@ Name | Synopsis | Severity | Level
 [Azure.Redis.FirewallRuleCount](Azure.Redis.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules for the Redis cache. | Awareness | Error
 [Azure.Redis.LocalAuth](Azure.Redis.LocalAuth.md) | Access keys allow depersonalized access to Azure Cache for Redis using a shared secret. | Important | Error
 [Azure.Redis.MaxMemoryReserved](Azure.Redis.MaxMemoryReserved.md) | Configure maxmemory-reserved to reserve memory for non-cache operations. | Important | Error
+[Azure.Redis.MigrateAMR](Azure.Redis.MigrateAMR.md) | Azure Cache for Redis is being retired. Migrate to Azure Managed Redis. | Important | Error
 [Azure.Redis.MinSKU](Azure.Redis.MinSKU.md) | Use Azure Cache for Redis instances of at least Standard C1. | Important | Error
 [Azure.Redis.MinTLS](Azure.Redis.MinTLS.md) | Redis Cache should reject TLS versions older than 1.2. | Critical | Error
 [Azure.Redis.Naming](Azure.Redis.Naming.md) | Azure Cache for Redis resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
@@ -206,12 +207,6 @@ Name | Synopsis | Severity | Level
 [Azure.RedisEnterprise.Naming](Azure.RedisEnterprise.Naming.md) | Azure Cache for Redis Enterprise resources without a standard naming convention may be difficult to identify and manage. | Awareness | Error
 [Azure.RedisEnterprise.Zones](Azure.RedisEnterprise.Zones.md) | Enterprise Redis cache should be zone-redundant for high availability. | Important | Error
-## Azure Database
-
-Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
-[Azure.SQL.MaintenanceWindow](Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important | Error
-
 ## Azure Database for MariaDB
 Name | Synopsis | Severity | Level
@@ -448,11 +443,11 @@ Name | Synopsis | Severity | Level
 [Azure.Cosmos.AvailabilityZone](Azure.Cosmos.AvailabilityZone.md) | Use zone redundant Cosmos DB accounts in supported regions to improve reliability. | Important | Error
 [Azure.Cosmos.ContinuousBackup](Azure.Cosmos.ContinuousBackup.md) | Enable continuous backup on Cosmos DB accounts. | Important | Error
 [Azure.Cosmos.DefenderCloud](Azure.Cosmos.DefenderCloud.md) | Enable Microsoft Defender for Azure Cosmos DB. | Critical | Error
-[Azure.Cosmos.DisableLocalAuth](Azure.Cosmos.DisableLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB accounts using a shared secret. | Critical | Error
 [Azure.Cosmos.DisableMetadataWrite](Azure.Cosmos.DisableMetadataWrite.md) | Use Entra ID identities for management place operations in Azure Cosmos DB. | Important | Error
 [Azure.Cosmos.MinTLS](Azure.Cosmos.MinTLS.md) | Cosmos DB accounts should reject TLS versions older than 1.2. | Critical | Error
 [Azure.Cosmos.MongoAvailabilityZone](Azure.Cosmos.MongoAvailabilityZone.md) | Use zone redundant Cosmos DB vCore clusters in supported regions to improve reliability. | Important | Error
 [Azure.Cosmos.MongoEntraID](Azure.Cosmos.MongoEntraID.md) | MongoDB vCore clusters should have Microsoft Entra ID authentication enabled. | Critical | Error
+[Azure.Cosmos.NoSQLLocalAuth](Azure.Cosmos.NoSQLLocalAuth.md) | Access keys allow depersonalized access to Cosmos DB NoSQL API accounts using a shared secret. | Critical | Error
 [Azure.Cosmos.PublicAccess](Azure.Cosmos.PublicAccess.md) | Azure Cosmos DB should have public network access disabled. | Critical | Error
 [Azure.Cosmos.SLA](Azure.Cosmos.SLA.md) | Use a paid tier to qualify for a Service Level Agreement (SLA). | Important | Error
@@ -584,6 +579,7 @@ Name | Synopsis | Severity | Level
 Name | Synopsis | Severity | Level
 ---- | -------- | -------- | -----
+[Azure.EventHub.AvailabilityZone](Azure.EventHub.AvailabilityZone.md) | Use zone redundant Event Hub namespaces in supported regions to improve reliability. | Important | Error
 [Azure.EventHub.DisableLocalAuth](Azure.EventHub.DisableLocalAuth.md) | Authenticate Event Hub publishers and consumers with Entra ID identities. | Important | Error
 [Azure.EventHub.Firewall](Azure.EventHub.Firewall.md) | Access to the namespace endpoints should be restricted to only allowed sources. | Critical | Error
 [Azure.EventHub.MinTLS](Azure.EventHub.MinTLS.md) | Weak or deprecated transport protocols for client-server communication introduce security vulnerabilities. | Critical | Error
@@ -822,6 +818,7 @@ Name | Synopsis | Severity | Level
 [Azure.SQL.FGName](Azure.SQL.FGName.md) | Azure SQL failover group names should meet naming requirements. | Awareness | Error
 [Azure.SQL.FirewallIPRange](Azure.SQL.FirewallIPRange.md) | Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server. | Important | Error
 [Azure.SQL.FirewallRuleCount](Azure.SQL.FirewallRuleCount.md) | Determine if there is an excessive number of firewall rules. | Awareness | Error
+[Azure.SQL.MaintenanceWindow](Azure.SQL.MaintenanceWindow.md) | Configure a customer-controlled maintenance window for Azure SQL databases. | Important | Error
 [Azure.SQL.MinTLS](Azure.SQL.MinTLS.md) | Azure SQL Database servers should reject TLS versions older than 1.2. | Critical | Error
 [Azure.SQL.ServerName](Azure.SQL.ServerName.md) | Azure SQL logical server names should meet naming requirements. | Awareness | Error
 [Azure.SQL.TDE](Azure.SQL.TDE.md) | Use Transparent Data Encryption (TDE) with Azure SQL Database. | Critical | Error
diff --git a/docs/setup/setup-naming-and-tagging.md b/docs/setup/setup-naming-and-tagging.md
index 55b613c344c..17586c053e9 100644
--- a/docs/setup/setup-naming-and-tagging.md
+++ b/docs/setup/setup-naming-and-tagging.md
@@ -253,8 +253,8 @@ Rule | Resource type
 `Azure.NSG.Naming` | `Microsoft.Network/networkSecurityGroups` | `AZURE_NETWORK_SECURITY_GROUP_NAME_FORMAT`
 `Azure.PostgreSQL.Naming` | `Microsoft.DBforPostgreSQL/servers`, `Microsoft.DBforPostgreSQL/flexibleServers` | `AZURE_POSTGRESQL_SERVER_NAME_FORMAT`
 `Azure.PublicIP.Naming` | `Microsoft.Network/publicIPAddresses` | `AZURE_PUBLIC_IP_ADDRESS_NAME_FORMAT`
-`Azure.Redis.Naming` | `Microsoft.Cache/Redis` | `AZURE_REDIS_CACHE_NAME_FORMAT`
-`Azure.RedisEnterprise.Naming` | `Microsoft.Cache/RedisEnterprise` with Enterprise or Enterprise Flash | `AZURE_REDIS_ENTERPRISE_NAME_FORMAT`
+`Azure.Redis.Naming` | `Microsoft.Cache/redis` | `AZURE_REDIS_CACHE_NAME_FORMAT`
+`Azure.RedisEnterprise.Naming` | `Microsoft.Cache/redisEnterprise` with Enterprise or Enterprise Flash | `AZURE_REDIS_ENTERPRISE_NAME_FORMAT`
 `Azure.Group.Naming` | `Microsoft.Resources/resourceGroups` | `AZURE_RESOURCE_GROUP_NAME_FORMAT`
 `Azure.Group.RequiredTags` | `Microsoft.Resources/resourceGroups` | `AZURE_RESOURCE_GROUP_REQUIRED_TAGS`
 `Azure.Resource.RequiredTags` | Applies to all types that support tags except subscription and resource groups. | `AZURE_RESOURCE_REQUIRED_TAGS`
@@ -265,7 +265,6 @@ Rule | Resource type
 `Azure.SQL.DBNaming` | `Microsoft.Sql/servers/databases` | `AZURE_SQL_DATABASE_NAME_FORMAT`
 `Azure.SQL.JobAgentNaming` | `Microsoft.Sql/servers/jobAgents` | `AZURE_SQL_JOB_AGENT_NAME_FORMAT`
 `Azure.SQL.ElasticPoolNaming` | `Microsoft.Sql/servers/elasticPools` | `AZURE_SQL_ELASTIC_POOL_NAME_FORMAT`
-`Azure.SQL.StretchDBNaming` | `Microsoft.Sql/servers/databases` with Data Warehouse service objective | `AZURE_SQL_STRETCH_DB_NAME_FORMAT`
 `Azure.SQLMI.Naming` | `Microsoft.Sql/managedInstances` | `AZURE_SQL_MI_NAME_FORMAT`
 `Azure.Storage.Naming` | `Microsoft.Storage/storageAccounts` | `AZURE_STORAGE_ACCOUNT_NAME_FORMAT`
 `Azure.Subscription.RequiredTags` | `Microsoft.Subscription/aliases` | `AZURE_SUBSCRIPTION_REQUIRED_TAGS`
diff --git a/docs/updates/v1.47.md b/docs/updates/v1.47.md
new file mode 100644
index 00000000000..4ad60c800c3
--- /dev/null
+++ b/docs/updates/v1.47.md
@@ -0,0 +1,68 @@
+---
+date: 2025-11-30
+version: 1.47
+discussion: false
+draft: true
+---
+
+# November 2025
+
+Install with: [GitHub Actions](../install.md#with-github-actions) | [Azure Pipelines](../install.md#with-azure-pipelines) | [PowerShell](../install.md#with-powershell)
+
+---
+
+Welcome to the November 2025 release of PSRule for Azure.
+This release includes new features, new rules and improvements to existing rules.
+
+See the [change log][1] or [GitHub history][2] for a complete list of changes.
+
+## Expanded support for CAF naming
+
+Support for CAF naming conventions has been expanded with new rules to cover additional resource types.
+New resource types supported for enforcing naming conventions include:
+
+- `Microsoft.ContainerInstance/containerGroups`
+- `Microsoft.ContainerRegistry/registries`
+- `Microsoft.ContainerService/managedClusters`
+- `Microsoft.ContainerService/managedClusters/agentPools`
+- `Microsoft.App/containerApps`
+- `Microsoft.App/managedEnvironments`
+- `Microsoft.App/jobs`
+- `Microsoft.DocumentDb/databaseAccounts`
+- `Microsoft.DocumentDB/databaseAccounts/sqlDatabases`
+- `Microsoft.DBforPostgreSQL/serverGroupsv2`
+- `Microsoft.DBforMySQL/servers`
+- `Microsoft.DBforMySQL/flexibleServers`
+- `Microsoft.DBforPostgreSQL/servers`
+- `Microsoft.DBforPostgreSQL/flexibleServers`
+- `Microsoft.Cache/redis`
+- `Microsoft.Cache/redisEnterprise`
+- `Microsoft.ServiceFabric/clusters`
+- `Microsoft.ServiceFabric/managedClusters`
+- `Microsoft.Sql/servers`
+- `Microsoft.Sql/servers/databases`
+- `Microsoft.Sql/servers/elasticPools`
+- `Microsoft.Sql/servers/jobAgents`
+- `Microsoft.Sql/managedInstances`
+
+## Contributions
+
+We would like to thank the following contributors for their contributions to this release:
+
+- @BenjaminEngeset
+
+## Thank you
+
+Thanks for your continued support and feedback.
+We are always looking for ways to improve the experience of using PSRule for Azure.
+
+If you have any feedback or suggestions, please reach out to us on [GitHub Discussions][6] or [GitHub Issues][7].
+
+If you'd like to contribute to the project, please check out our [contributing guide][8].
+We welcome contributions of all kinds, from rules, code, documentation, and samples.
+
+ [1]: ../changelog.md#v1460
+ [2]: https://github.com/Azure/PSRule.Rules.Azure/compare/v1.46.0...v1.47.0
+ [6]: https://github.com/Azure/PSRule.Rules.Azure/discussions
+ [7]: https://github.com/Azure/PSRule.Rules.Azure/issues
+ [8]: ../license-contributing/get-started-contributing.md
