feat: Add WAF Security PS Rule Config (#3745)
## Description

Add WAF Security PS Rule Config as agreed, defined below:

1. New PSRule custom baseline with explicit rules added based on WAF
security work, prioritizing top 20 resources
2. Run of PSRule with `Azure.Pillar.Security` in "audit only" mode
(`continue_on_error = true`)

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
| [![avm.res.container-registry.registry](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.container-registry.registry.yml/badge.svg?branch=feat%2Fadd-waf-security)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.container-registry.registry.yml) - Note failure is not due to changes and is in different job |
| [![avm.res.network.firewall-policy](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.firewall-policy.yml/badge.svg)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.firewall-policy.yml) - failing as rule is not passing as expected |
| [![avm.res.network.azure-firewall](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.azure-firewall.yml/badge.svg?branch=feat%2Fadd-waf-security)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.azure-firewall.yml) |
| [![avm.res.network.application-gateway-web-application-firewall-policy](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.application-gateway-web-application-firewall-policy.yml/badge.svg?branch=feat%2Fadd-waf-security)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.application-gateway-web-application-firewall-policy.yml) |
| [![avm.res.network.application-gateway](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.application-gateway.yml/badge.svg)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.application-gateway.yml) - failing as expected |
| [![avm.res.storage.storage-account](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.storage.storage-account.yml/badge.svg)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.storage.storage-account.yml) - Note failure is not due to changes and is in different job |

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [x] Update to CI Environment or utilities (Non-module affecting changes)
- [ ] Azure Verified Module updates:
  - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`:
    - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
    - [ ] The bug was found by the module author, and no one has opened an issue to report it yet.
  - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`.
  - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`.
  - [ ] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting module files.
- [x] My corresponding pipelines / checks run clean and green without any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->
jtracey93 authored Nov 15, 2024
1 parent 72199cd commit f84c0ad
Showing 3 changed files with 122 additions and 1 deletion.
29 changes: 29 additions & 0 deletions .github/actions/templates/avm-validateModulePSRule/action.yml
@@ -131,6 +131,35 @@ runs:
source: "${{ inputs.psrulePath}}/.ps-rule/" # Path to folder containing suppression rules to use for analysis.
summary: false # Disabling as taken care in customized task

- name: Run PSRule analysis - Security Pillar Only (Custom Security Pillar)
uses: microsoft/[email protected]
if: ${{ inputs.psruleBaseline == 'CB.AVM.WAF.Security' }}
with:
modules: "PSRule.Rules.Azure"
prerelease: true
baseline: "${{ inputs.psruleBaseline }}"
inputPath: "${{ inputs.templateFilePath}}"
outputFormat: Csv
outputPath: "${{ inputs.templateFilePath}}-PSRule-output.csv"
option: "${{ github.workspace }}/${{ inputs.psrulePath}}/ps-rule.yaml" # Path to PSRule configuration options file
source: "${{ inputs.psrulePath}}/.ps-rule/" # Path to folder containing suppression rules to use for analysis.
summary: false # Disabling as taken care in customized task

- name: Run PSRule analysis - Security Pillar Only (Azure.Pillar.Security)
uses: microsoft/[email protected]
if: ${{ inputs.psruleBaseline == 'Azure.Pillar.Security' }}
continue-on-error: true
with:
modules: "PSRule.Rules.Azure"
prerelease: true
baseline: "${{ inputs.psruleBaseline }}"
inputPath: "${{ inputs.templateFilePath}}"
outputFormat: Csv
outputPath: "${{ inputs.templateFilePath}}-PSRule-output.csv"
option: "${{ github.workspace }}/${{ inputs.psrulePath}}/ps-rule.yaml" # Path to PSRule configuration options file
source: "${{ inputs.psrulePath}}/.ps-rule/" # Path to folder containing suppression rules to use for analysis.
summary: false # Disabling as taken care in customized task

- name: "Parse CSV content"
if: always()
uses: azure/powershell@v2
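Review bot: `continue-on-error: true` on the `Azure.Pillar.Security` step (the second new step) masks more than failing rules: a module install or option-file problem in that step also leaves the job green, so the "audit only" run can silently stop producing results. Consider having the `Parse CSV content` step that follows (`if: always()`) treat a missing or empty `${{ inputs.templateFilePath}}-PSRule-output.csv` as a warning so tooling breakage stays visible. Separately, the two new steps are copies of the reliability step above differing only in `if:` and `continue-on-error:`; a single step with `continue-on-error: ${{ inputs.psruleBaseline == 'Azure.Pillar.Security' }}` would avoid maintaining three identical `with:` blocks, and `prerelease: true` in all of them means the rule set evaluated in CI can change between runs without a commit, so pinning `PSRule.Rules.Azure` to a version is worth considering.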
48 changes: 47 additions & 1 deletion .github/workflows/avm.template.module.yml
@@ -94,6 +94,50 @@ jobs:
psrulePath: "avm/utilities/pipelines/staticValidation/psrule" #'${{ github.workspace }}/avm'
psruleBaseline: "Azure.Pillar.Reliability"

job_psrule_test_waf_security_cb: # Note: Please don't change this job name. It is used by the setEnvironment action to define which PS modules to install on runners.
name: "PSRule - WAF Security - AVM Custom Baseline [${{ matrix.testCases.name }}]"
runs-on: ubuntu-latest
if: ${{ inputs.psRuleModuleTestFilePaths != '' && (fromJson(inputs.workflowInput)).staticValidation == 'true' }}
strategy:
fail-fast: false
matrix:
testCases: ${{ fromJson(inputs.psRuleModuleTestFilePaths) }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set environment
uses: ./.github/actions/templates/avm-setEnvironment
- name: "Run PSRule validation with [${{ matrix.testCases.path }}]"
uses: ./.github/actions/templates/avm-validateModulePSRule
with:
templateFilePath: "${{ inputs.modulePath }}/${{ matrix.testCases.path }}"
subscriptionId: "${{ secrets.ARM_SUBSCRIPTION_ID }}"
managementGroupId: "${{ secrets.ARM_MGMTGROUP_ID }}"
psrulePath: "avm/utilities/pipelines/staticValidation/psrule" #'${{ github.workspace }}/avm'
psruleBaseline: "CB.AVM.WAF.Security"

job_psrule_test_waf_security: # Note: Please don't change this job name. It is used by the setEnvironment action to define which PS modules to install on runners.
name: "PSRule - WAF Security [${{ matrix.testCases.name }}]"
runs-on: ubuntu-latest
if: ${{ inputs.psRuleModuleTestFilePaths != '' && (fromJson(inputs.workflowInput)).staticValidation == 'true' }}
strategy:
fail-fast: false
matrix:
testCases: ${{ fromJson(inputs.psRuleModuleTestFilePaths) }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set environment
uses: ./.github/actions/templates/avm-setEnvironment
- name: "Run PSRule validation with [${{ matrix.testCases.path }}]"
uses: ./.github/actions/templates/avm-validateModulePSRule
with:
templateFilePath: "${{ inputs.modulePath }}/${{ matrix.testCases.path }}"
subscriptionId: "${{ secrets.ARM_SUBSCRIPTION_ID }}"
managementGroupId: "${{ secrets.ARM_MGMTGROUP_ID }}"
psrulePath: "avm/utilities/pipelines/staticValidation/psrule" #'${{ github.workspace }}/avm'
psruleBaseline: "Azure.Pillar.Security"

#############################
# Deployment validation #
#############################
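Review bot: both new jobs carry the comment that the job name is consumed by the setEnvironment action to decide which PS modules to install, yet none of the three changed files touches `avm-setEnvironment`; please confirm that action already matches `job_psrule_test_waf_security_cb` and `job_psrule_test_waf_security` (for example by prefix), or add the mapping in this change, since otherwise the new jobs would run without the required PSRule modules. The two jobs are otherwise identical apart from `name:` and `psruleBaseline:`; a matrix dimension over the baseline would keep them in one job, though separate jobs do make the gating versus audit-only split visible in the checks list and keep their statuses independent.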
@@ -104,10 +148,12 @@ jobs:
!cancelled() &&
(fromJson(inputs.workflowInput)).deploymentValidation == 'true' &&
needs.job_module_static_validation.result != 'failure' &&
needs.job_psrule_test_waf_reliability.result != 'failure'
needs.job_psrule_test_waf_reliability.result != 'failure' &&
needs.job_psrule_test_waf_security_cb.result != 'failure'
needs:
- job_module_static_validation
- job_psrule_test_waf_reliability
- job_psrule_test_waf_security_cb
strategy:
fail-fast: false
matrix:
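Review bot: the deployment-validation gate now waits on `job_psrule_test_waf_security_cb` but not on `job_psrule_test_waf_security`, which matches the stated intent (custom baseline enforced, `Azure.Pillar.Security` audit only) but is recorded nowhere in the file; a one-line comment next to the new `needs:` entry saying the full security pillar is deliberately excluded from gating would stop a later contributor from "fixing" it. Note also that the condition checks only `!= 'failure'`, so a `skipped` or `cancelled` result for the new job lets deployment proceed, the same as the existing reliability entry.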
@@ -0,0 +1,46 @@
---
# Synopsis: Custom baseline for AVM WAF security pillar recommendations that are enforced in CI.
apiVersion: github.com/microsoft/PSRule/v1
kind: Baseline
metadata:
name: CB.AVM.WAF.Security
spec:
rule:
include:
- Azure.ACR.AdminUser
- Azure.ACR.ContainerScan
- Azure.ACR.ContentTrust
- Azure.ACR.Firewall
- Azure.AKS.AzureRBAC
- Azure.AppGw.UseHTTPS
- Azure.AppGw.SSLPolicy
- Azure.AppGw.WAFEnabled
- Azure.AppGw.UseWAF
- Azure.AppService.WebSecureFtp
- Azure.AppService.MinTLS
- Azure.Cosmos.MinTLS
- Azure.Defender.Api
- Azure.Defender.AppServices
- Azure.Defender.Arm
- Azure.Defender.Containers
- Azure.Defender.CosmosDb
- Azure.Defender.Cspm
- Azure.Defender.Dns
- Azure.Defender.KeyVault
- Azure.Defender.OssRdb
- Azure.Defender.SQL
- Azure.Defender.SQLOnVM
- Azure.Defender.SecurityContact
- Azure.Defender.Servers
- Azure.Defender.Storage.DataScan
- Azure.Defender.Storage.MalwareScan
- Azure.Defender.Storage
- Azure.Firewall.Mode
- Azure.Firewall.PolicyMode
- Azure.Storage.DefenderCloud
- Azure.Storage.Defender.MalwareScan
- Azure.Storage.SecureTransfer
- Azure.Storage.BlobPublicAccess
- Azure.Storage.BlobAccessType
- Azure.Storage.Firewall
- Azure.Storage.MinTLS
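Review bot: the baseline mixes resource-level rules with rules that target Defender for Cloud plan settings (`Azure.Defender.*`), and the description speaks of prioritising the top 20 resources; without grouping comments a maintainer cannot tell which WAF item each entry covers or why the list stops where it does. Suggest grouping the `include:` list by resource type with a comment per group, and adding a note that `metadata.name: CB.AVM.WAF.Security` must stay in sync with the `psruleBaseline:` value in `avm.template.module.yml`. Pairs such as `Azure.Defender.Storage.MalwareScan` / `Azure.Storage.Defender.MalwareScan` and `Azure.AppGw.WAFEnabled` / `Azure.AppGw.UseWAF` read as overlapping coverage; a comment stating that they are distinct rules would save the next reader a lookup.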

0 comments on commit f84c0ad