Add PSRule To ALZ Bicep Testing (#313)

* Initial PSRule without parameter files #206 (#207)

* Initial PSRule without parameter files #206

* Update triggers and reference extension

* Separate job to ignore build bicep code

* Update PSRule options to include Bicep samples

* PSRule baseline and minium samples (#236)

* Update exclusions and complete AZ params for PIPs (#242)

* Update exclusions and complete AZ params for PIPs

* Add additional comments

* Final updates for merge (#252)

* psrule sample fixes

* fix github linter for PSRule MD

* typo fix

* update rules

Co-authored-by: Bernie White <bewhite@microsoft.com>

.github/workflows/bicep-build-to-validate.yml

@@ -6,6 +6,8 @@ on:
       - main
     paths:
       - "**.bicep"
+      - "ps-rule.yaml"
+      - ".ps-rule/*"
   workflow_dispatch: {}
 
 jobs:
@@ -15,7 +17,7 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
@@ -59,3 +61,23 @@ jobs:
 
           Write-Information "***** List of resource types in ALZ-Bicep modules *****" -InformationAction Continue
           $resourceTypesFullList.Keys | Sort-Object
+
+  azure_waf:
+    name: Test Azure Well-Architected Framework
+    runs-on: ubuntu-latest
+
+    steps:
+
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      # Add pipeline tests for Azure Well-Architected Framework.
+      # See https://aka.ms/ps-rule-action for configuration options.
+      - name: Run PSRule analysis
+        uses: Microsoft/ps-rule@v2.3.2
+        with:
+          modules: PSRule.Rules.Azure
+          baseline: Azure.GA_2022_06
+        continue-on-error: true

.ps-rule/FalsePositiveNsgBastion.Rule.yaml

@@ -0,0 +1,25 @@
+#
+# Suppression and rules for unsupported scenarios.
+#
+
+# NOTE:
+# For details on authoring suppression groups see:
+# https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_SuppressionGroups/
+# https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Expressions/
+
+---
+# Synopsis: Ignore NSG lateral movement rule for Azure Bastion as this is needed for Bastion to work.
+apiVersion: github.com/microsoft/PSRule/v1
+kind: SuppressionGroup
+metadata:
+  name: ALZ.NSGForBastion
+spec:
+  rule:
+  - Azure.NSG.LateralTraversal
+  if:
+    allOf:
+    - name: '.'
+      contains: bastion
+    - type: '.'
+      in:
+      - Microsoft.Network/networkSecurityGroups

.ps-rule/Minimum.Rule.yaml

@@ -0,0 +1,34 @@
+#
+# Suppression and rules for the minimum sample configuration.
+#
+
+# NOTE:
+# For details on authoring suppression groups see:
+# https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_SuppressionGroups/
+# https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Expressions/
+
+---
+# Synopsis: Ignore the minimum sample configuration.
+apiVersion: github.com/microsoft/PSRule/v1
+kind: SuppressionGroup
+metadata:
+  name: ALZ.MinimumSample
+spec:
+  rule:
+  - Azure.Firewall.Mode
+  - Azure.VNG.VPNAvailabilityZoneSKU
+  - Azure.PublicIP.AvailabilityZone
+  - Azure.VNG.VPNActiveActive
+  - Azure.PublicIP.StandardSKU
+  - Azure.VNET.UseNSGs
+  if:
+    allOf:
+    - type: '.'
+      in:
+      - Microsoft.Network/azureFirewalls
+      - Microsoft.Network/publicIPAddresses
+      - Microsoft.Network/virtualNetworks
+      - Microsoft.Network/virtualNetworkGateways
+    - source: 'Template'
+      endsWith:
+      - 'minimum.sample.bicep'

.ps-rule/UnsupportedPipBastion.Rule.yaml

@@ -0,0 +1,25 @@
+#
+# Suppression and rules for unsupported scenarios.
+#
+
+# NOTE:
+# For details on authoring suppression groups see:
+# https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_SuppressionGroups/
+# https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Expressions/
+
+---
+# Synopsis: Ignore availability zones for Azure Bastion public IP which is not supported. https://github.com/Azure/PSRule.Rules.Azure/issues/1442
+apiVersion: github.com/microsoft/PSRule/v1
+kind: SuppressionGroup
+metadata:
+  name: ALZ.PublicIPForBastion
+spec:
+  rule:
+  - Azure.PublicIP.AvailabilityZone
+  if:
+    allOf:
+    - name: '.'
+      contains: bastion
+    - type: '.'
+      in:
+      - Microsoft.Network/publicIPAddresses

.ps-rule/en/ALZ.MinimumSample.md

@@ -0,0 +1,15 @@
+# Ignore minimum sample
+
+## SYNOPSIS
+
+Ignore the minimum sample configuration that may not be WAF compliant.
+See [https://github.com/Azure/ALZ-Bicep/blob/main/.ps-rule/en/ALZ.MinimumSample.md](https://github.com/Azure/ALZ-Bicep/blob/main/.ps-rule/en/ALZ.MinimumSample.md).
+
+## DESCRIPTION
+
+The _minimum_ sample provides a basic configuration.
+It is typically less complex, and has requires fewer requirements.
+This make is most suitable for early development and testing.
+
+The basic configuration may not have all the features required for alignment to the Well-Architected Framework.
+Consider using the _baseline_ sample for enterprise environments.

.vscode/bicep.code-snippets

@@ -0,0 +1,70 @@
+{
+    "Bicep minimum sample": {
+        "scope": "bicep",
+        "prefix": "bicep-minimum-sample",
+        "description": "A minmum sample for testing and examples.",
+        "body": [
+            "//",
+            "// Minimum deployment sample",
+            "//",
+            "",
+            "// Use this sample to deploy the minimum resource configuration.",
+            "",
+            "targetScope = 'resourceGroup'",
+            "",
+            "// ----------",
+            "// PARAMETERS",
+            "// ----------",
+            "",
+            "@description('The Azure location to deploy to.')",
+            "param location string = resourceGroup().location",
+            "",
+            "// ---------",
+            "// RESOURCES",
+            "// ---------",
+            "",
+            "@description('Minimum resource configuration')",
+            "module ${1} '../${2}}.bicep' = {",
+            "    name: '${1}'",
+            "    params: {",
+            "        parLocation: location",
+            "        parTags: {}",
+            "    }",
+            "}"
+        ]
+    },
+    "Bicep baseline sample": {
+        "scope": "bicep",
+        "prefix": "bicep-baseline-sample",
+        "description": "A sample that aligned to WAF recommendations.",
+        "body": [
+            "//",
+            "// Baseline deployment sample",
+            "//",
+            "",
+            "// Use this sample to deploy a Well-Architected aligned resource configuration.",
+            "",
+            "targetScope = 'resourceGroup'",
+            "",
+            "// ----------",
+            "// PARAMETERS",
+            "// ----------",
+            "",
+            "@description('The Azure location to deploy to.')",
+            "param location string = resourceGroup().location",
+            "",
+            "// ---------",
+            "// RESOURCES",
+            "// ---------",
+            "",
+            "@description('Baseline resource configuration')",
+            "module ${1} '../${2}}.bicep' = {",
+            "    name: '${1}'",
+            "    params: {",
+            "        parLocation: location",
+            "        parTags: {}",
+            "    }",
+            "}"
+        ]
+    }
+}

.vscode/extensions.json

@@ -4,6 +4,7 @@
         "ms-azuretools.vscode-bicep",
         "vsls-contrib.codetour",
         "msazurermtools.azurerm-vscode-tools",
-        "bencoleman.armview"
+        "bencoleman.armview",
+        "bewhite.psrule-vscode"
     ]
-}
+}

.vscode/tasks.json

@@ -0,0 +1,16 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "type": "PSRule",
+            "problemMatcher": [
+                "$PSRule"
+            ],
+            "label": "PSRule: Run analysis",
+            "presentation": {
+                "panel": "dedicated",
+                "clear": true
+            }
+        }
+    ]
+}

docs/wiki/Contributing.md

@@ -56,6 +56,7 @@ The following tooling/extensions are recommended to assist you developing for th
 - [CodeTour extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsls-contrib.codetour)
 - [ARM Tools extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools)
 - [ARM Template Viewer extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=bencoleman.armview)
+- [PSRule extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=bewhite.psrule-vscode)
 - For visibility of Bracket Pairs:
   - Inside Visual Studio Code, add "editor.bracketPairColorization.enabled": true to your settings.json, to enable bracket pair colorization.
 

infra-as-code/bicep/modules/hubNetworking/samples/baseline.sample.bicep

@@ -0,0 +1,107 @@
+//
+// Baseline deployment sample
+//
+
+// Use this sample to deploy a Well-Architected aligned resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+@description('The Azure location to deploy to.')
+param location string = resourceGroup().location
+
+// ---------
+// VARIABLES
+// ---------
+
+// Company prefix for unit testing
+var parCompanyPrefix = 'test'
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Baseline resource configuration')
+module baseline_hub_network '../hubNetworking.bicep' = {
+  name: 'baseline_hub_network'
+  params: {
+    parLocation: location
+    parPublicIpSku: 'Standard'
+    parAzFirewallAvailabilityZones: [
+      '1'
+      '2'
+      '3'
+    ]
+    parVpnGatewayConfig: {}
+    parExpressRouteGatewayConfig: {}
+  }
+}
+
+@description('Baseline resource configuration using ExpressRoute')
+module baseline_hub_network_with_ER '../hubNetworking.bicep' = {
+  name: 'baseline_hub_network_with_ER'
+  params: {
+    parLocation: location
+    parPublicIpSku: 'Standard'
+    parAzFirewallAvailabilityZones: [
+      '1'
+      '2'
+      '3'
+    ]
+    parVpnGatewayConfig: {}
+    parExpressRouteGatewayConfig: {
+      name: '${parCompanyPrefix}-ExpressRoute-Gateway'
+      gatewaytype: 'ExpressRoute'
+      sku: 'ErGw1AZ'
+      vpntype: 'RouteBased'
+      vpnGatewayGeneration: 'None'
+      enableBgp: false
+      activeActive: false
+      enableBgpRouteTranslationForNat: false
+      enableDnsForwarding: false
+      asn: '65515'
+      bgpPeeringAddress: ''
+      bgpsettings: {
+        asn: '65515'
+        bgpPeeringAddress: ''
+        peerWeight: '5'
+      }
+    }
+  }
+}
+
+@description('Baseline resource configuration using a VPN Gateway')
+module baseline_hub_network_with_VPN '../hubNetworking.bicep' = {
+  name: 'baseline_hub_network_with_VPN'
+  params: {
+    parLocation: location
+    parPublicIpSku: 'Standard'
+    parAzFirewallAvailabilityZones: [
+      '1'
+      '2'
+      '3'
+    ]
+    parVpnGatewayConfig: {
+      name: '${parCompanyPrefix}-Vpn-Gateway'
+      gatewaytype: 'Vpn'
+      sku: 'VpnGw1AZ'
+      vpntype: 'RouteBased'
+      generation: 'Generation1'
+      enableBgp: false
+      activeActive: false
+      enableBgpRouteTranslationForNat: false
+      enableDnsForwarding: false
+      asn: 65515
+      bgpPeeringAddress: ''
+      bgpsettings: {
+        asn: 65515
+        bgpPeeringAddress: ''
+        peerWeight: 5
+      }
+    }
+    parExpressRouteGatewayConfig: {}
+  }
+}

infra-as-code/bicep/modules/hubNetworking/samples/minimum.sample.bicep

@@ -0,0 +1,26 @@
+//
+// Minimum deployment sample
+//
+
+// Use this sample to deploy the minimum resource configuration.
+
+targetScope = 'resourceGroup'
+
+// ----------
+// PARAMETERS
+// ----------
+
+@description('The Azure location to deploy to.')
+param location string = resourceGroup().location
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Minimum resource configuration')
+module minimum_hub_network '../hubNetworking.bicep' = {
+  name: 'minimum_hub_network'
+  params: {
+    parLocation: location
+  }
+}