en-US/about_PSRule_Azure_Configuration.help.txt

TOPIC
    about_psrule_azure_configuration
 
SHORT DESCRIPTION
    Describes PSRule configuration options specific to PSRule for Azure.
 
LONG DESCRIPTION
    PSRule exposes configuration options that can be used to customize execution
    of `PSRule.Rules.Azure`. This topic describes what configuration options are available.
    PSRule configuration options can be specified by setting the configuration
    option in `ps-rule.yaml`. Additionally, configuration options can be
    configured in a baseline or set at runtime. For details of setting
    configuration options see [PSRule options][1].
    The following configurations options are available for use:
    -
    AZURE_AKS_CLUSTER_MINIMUM_VERSION
    -
    AZURE_AKS_POOL_MINIMUM_MAXPODS
    -
    AZURE_RESOURCE_ALLOWED_LOCATIONS
    -
    AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME
    -
    AZURE_PARAMETER_FILE_EXPANSION
    -
    AZURE_POLICY_WAIVER_MAX_EXPIRY
    -
    AZURE_RESOURCE_GROUP
    -
    AZURE_SUBSCRIPTION
    -
    AZURE_POLICY_IGNORE_LIST
    -
    AZURE_POLICY_RULE_PREFIX
    -
    AZURE_APIM_MIN_API_VERSION
    -
    AZURE_COSMOS_DEFENDER_PER_ACCOUNT
    -
    AZURE_STORAGE_DEFENDER_PER_ACCOUNT
    [1]: https://aka.ms/ps-rule/options
 
    AZURE_AKS_CLUSTER_MINIMUM_VERSION
    This configuration option determines the minimum version of Kubernetes for
    AKS clusters and node pools. Rules that check the Kubernetes version fail
    when the version is older than the version specified.
    Syntax:
 
    configuration:
      AZURE_AKS_CLUSTER_MINIMUM_VERSION: string # A version string
 
    Default:
 
    # YAML: The default AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option
    configuration:
      AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.29.7
 
    Example:
 
    # YAML: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.19.7
    configuration:
      AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.19.7
 
    AZURE_AKS_POOL_MINIMUM_MAXPODS
    This configuration option determines the minimum allowed max pods setting
    per node pool. When an AKS cluster node pool is created, a `maxPods` option
    is used to determine the maximum number of pods for each node in the node pool.
    Syntax:
 
    configuration:
      AZURE_AKS_POOL_MINIMUM_MAXPODS: integer
 
    Default:
 
    # YAML: The default AZURE_AKS_POOL_MINIMUM_MAXPODS configuration option
    configuration:
      AZURE_AKS_POOL_MINIMUM_MAXPODS: 50
 
    Example:
 
    # YAML: Set the AZURE_AKS_POOL_MINIMUM_MAXPODS configuration option to 30
    configuration:
      AZURE_AKS_POOL_MINIMUM_MAXPODS: 30
 
    AZURE_RESOURCE_ALLOWED_LOCATIONS
    This configuration option specifies a list of allowed locations that
    resources can be deployed to. Rules that check the location of Azure
    resources fail when a resource or resource group is created in a different region.
    By default, `AZURE_RESOURCE_ALLOWED_LOCATIONS` is not configured. The rule
    `Azure.Resource.AllowedRegions` is skipped when no allowed locations are configured.
    Syntax:
 
    configuration:
      AZURE_RESOURCE_ALLOWED_LOCATIONS: array # An array of regions
 
    Default:
 
    # YAML: The default AZURE_RESOURCE_ALLOWED_LOCATIONS configuration option
    configuration:
      AZURE_RESOURCE_ALLOWED_LOCATIONS: []
 
    Example:
 
    # YAML: Set the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration option to Australia East, Australia South East
    configuration:
      AZURE_RESOURCE_ALLOWED_LOCATIONS:
      - 'australiaeast'
      - 'australiasoutheast'
 
    AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME
    This configuration option determines the minimum number of days allowed
    before certificate expiry. Rules that check certificate lifetime fail when
    the days remaining before expiry drop below this number.
    Syntax:
 
    configuration:
      AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME: integer
 
    Default:
 
    # YAML: The default AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME configuration option
    configuration:
      AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME: 30
 
    Example:
 
    # YAML: Set the AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME configuration option to 90
    configuration:
      AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME: 90
 
    AZURE_PARAMETER_FILE_EXPANSION
    This configuration option determines if Azure template parameter files will
    automatically be expanded. By default, parameter files will not be
    automatically expanded.
    Parameter files are expanded when PSRule cmdlets with the `-Format File`
    parameter are used.
    Syntax:
 
    configuration:
      AZURE_PARAMETER_FILE_EXPANSION: bool
 
    Default:
 
    # YAML: The default AZURE_PARAMETER_FILE_EXPANSION configuration option
    configuration:
      AZURE_PARAMETER_FILE_EXPANSION: false
 
    Example:
 
    # YAML: Set the AZURE_PARAMETER_FILE_EXPANSION configuration option to enable expansion
    configuration:
      AZURE_PARAMETER_FILE_EXPANSION: true
 
    AZURE_POLICY_WAIVER_MAX_EXPIRY
    This configuration option determines the maximum number of days in the
    future for a waiver policy exemption.
    Syntax:
 
    configuration:
      AZURE_POLICY_WAIVER_MAX_EXPIRY: integer
 
    Default:
 
    # YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option
    configuration:
      AZURE_POLICY_WAIVER_MAX_EXPIRY: 366
 
    Example:
 
    # YAML: Set the AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option to 90
    configuration:
      AZURE_POLICY_WAIVER_MAX_EXPIRY: 90
 
    AZURE_RESOURCE_GROUP
    This configuration option sets the resource group object used by the
    `resourceGroup()` function. Configure this option to change the resource
    group object when using exporting templates for analysis. Provided
    properties will override the default. Any properties that are not provided
    with use the defaults as specified below.
    This configuration option will be ignored when `-ResourceGroup` is used with `Export-AzRuleTemplateData`.
    Syntax:
 
    configuration:
      AZURE_RESOURCE_GROUP:
        name: string
        location: string
        tags: object
        properties:
          provisioningState: string
 
    Default:
 
    # YAML: The default AZURE_RESOURCE_GROUP configuration option
    configuration:
      AZURE_RESOURCE_GROUP:
        name: 'ps-rule-test-rg'
        location: 'eastus'
        tags: { }
        properties:
          provisioningState: 'Succeeded'
 
    Example:
 
    # YAML: Override the location of the resource group object.
    configuration:
      AZURE_RESOURCE_GROUP:
        location: 'australiasoutheast'
 
    AZURE_SUBSCRIPTION
    This configuration option sets the subscription object used by the
    `subscription()` function. Configure this option to change the subscription
    object when using exporting templates for analysis. Provided properties will
    override the default. Any properties that are not provided with use the
    defaults as specified below.
    This configuration option will be ignored when `-Subscription` is used with `Export-AzRuleTemplateData`.
    Syntax:
 
    configuration:
      AZURE_SUBSCRIPTION:
        subscriptionId: string
        tenantId: string
        displayName: string
        state: string
 
    Default:
 
    # YAML: The default AZURE_SUBSCRIPTION configuration option
    configuration:
      AZURE_SUBSCRIPTION:
        subscriptionId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'
        tenantId: 'ffffffff-ffff-ffff-ffff-ffffffffffff'
        displayName: 'PSRule Test Subscription'
        state: 'NotDefined'
 
    Example:
 
    # YAML: Override the display name of the subscription object
      AZURE_SUBSCRIPTION:
        displayName: 'My test subscription'
 
    AZURE_POLICY_IGNORE_LIST
    This configuration option configures a custom list policy definitions to
    ignore when exporting policy to rules. In addition to the custom list, a
    built-in list of policies are ignored. The built-in list can be found
    here
    .
    Configure this option to ignore policy definitions that:
    - Already have a rule defined.
    - Are not relevant to testing Infrastructure as Code.
    Syntax:
 
    configuration:
      AZURE_POLICY_IGNORE_LIST: array
 
    Default:
 
    # YAML: The default AZURE_POLICY_IGNORE_LIST configuration option
    configuration:
      AZURE_POLICY_IGNORE_LIST: []
 
    Example:
 
    # YAML: Add a custom policy definition to ignore
    configuration:
      AZURE_POLICY_IGNORE_LIST:
      - '/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9'
      - '/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0'
 
    AZURE_POLICY_RULE_PREFIX
    This configuration option sets the prefix for names of exported rules.
    Configure this option to change the prefix, which defaults to `Azure`.
    This configuration option will be ignored when `-Prefix` is used with `Export-AzPolicyAssignmentRuleData`.
    Syntax:
 
    configuration:
      AZURE_POLICY_RULE_PREFIX: string
 
    Default:
 
    # YAML: The default AZURE_POLICY_RULE_PREFIX configuration option
    configuration:
      AZURE_POLICY_RULE_PREFIX: 'Azure'
 
    Example:
 
    # YAML: Override the prefix of exported policy rules
      AZURE_POLICY_RULE_PREFIX: 'AzureCustomPrefix'
 
    AZURE_APIM_MIN_API_VERSION
    This configuration option sets the minimum API version used for control
    plane API calls to API Management instances. Configure this option to change
    the minimum API version, which defaults to `'2021-08-01'`.
    Syntax:
 
    configuration:
      AZURE_APIM_MIN_API_VERSION: string
 
    Default:
 
    # YAML: The default AZURE_APIM_MIN_API_VERSION configuration option
    configuration:
      AZURE_APIM_MIN_API_VERSION: '2021-08-01'
 
    Example:
 
    # YAML: Set the AZURE_APIM_MIN_API_VERSION configuration option to '2021-12-01-preview'
    configuration:
      AZURE_APIM_MIN_API_VERSION: '2021-12-01-preview'
 
    AZURE_COSMOS_DEFENDER_PER_ACCOUNT
    This configuration option enables validation for that each Cosmos DB account
    is associated with a Microsoft Defender for Cosmos DB resource level plan.
    Configure this option to enable the per account validation, which defaults
    to `false`.
    Syntax:
 
    configuration:
      AZURE_COSMOS_DEFENDER_PER_ACCOUNT: boolean
 
    Default:
 
    # YAML: The default AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option
    configuration:
      AZURE_COSMOS_DEFENDER_PER_ACCOUNT: false
 
    Example:
 
    # YAML: Set the AZURE_COSMOS_DEFENDER_PER_ACCOUNT configuration option to true
    configuration:
      AZURE_COSMOS_DEFENDER_PER_ACCOUNT: true
 
    AZURE_STORAGE_DEFENDER_PER_ACCOUNT
    This configuration option enables validation for that each storage account
    is associated with a Microsoft Defender for Storage resource level plan.
    Configure this option to enable the per account validation, which defaults
    to `false`.
    Syntax:
 
    configuration:
      AZURE_STORAGE_DEFENDER_PER_ACCOUNT: boolean
 
    Default:
 
    # YAML: The default AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option
    configuration:
      AZURE_STORAGE_DEFENDER_PER_ACCOUNT: false
 
    Example:
 
    # YAML: Set the AZURE_STORAGE_DEFENDER_PER_ACCOUNT configuration option to true
    configuration:
      AZURE_STORAGE_DEFENDER_PER_ACCOUNT: true
 
NOTE
    An online version of this document is available at
    <https://github.com/Azure/PSRule.Rules.Azure/blob/main/docs/concepts/about_PSRule_Azure_Configuration.md>.
 
KEYWORDS
    - Configuration
- Rule