diff --git a/.github/actions/templates/avm-validateModulePSRule/action.yml b/.github/actions/templates/avm-validateModulePSRule/action.yml index 88c123fca6..ab29a6d245 100644 --- a/.github/actions/templates/avm-validateModulePSRule/action.yml +++ b/.github/actions/templates/avm-validateModulePSRule/action.yml @@ -131,6 +131,35 @@ runs: source: "${{ inputs.psrulePath}}/.ps-rule/" # Path to folder containing suppression rules to use for analysis. summary: false # Disabling as taken care in customized task + - name: Run PSRule analysis - Security Pillar Only (Custom Security Pillar) + uses: microsoft/ps-rule@v2.9.0 + if: ${{ inputs.psruleBaseline == 'CB.AVM.WAF.Security' }} + with: + modules: "PSRule.Rules.Azure" + prerelease: true + baseline: "${{ inputs.psruleBaseline }}" + inputPath: "${{ inputs.templateFilePath}}" + outputFormat: Csv + outputPath: "${{ inputs.templateFilePath}}-PSRule-output.csv" + option: "${{ github.workspace }}/${{ inputs.psrulePath}}/ps-rule.yaml" # Path to PSRule configuration options file + source: "${{ inputs.psrulePath}}/.ps-rule/" # Path to folder containing suppression rules to use for analysis. + summary: false # Disabling as taken care in customized task + + - name: Run PSRule analysis - Security Pillar Only (Azure.Pillar.Security) + uses: microsoft/ps-rule@v2.9.0 + if: ${{ inputs.psruleBaseline == 'Azure.Pillar.Security' }} + continue-on-error: true + with: + modules: "PSRule.Rules.Azure" + prerelease: true + baseline: "${{ inputs.psruleBaseline }}" + inputPath: "${{ inputs.templateFilePath}}" + outputFormat: Csv + outputPath: "${{ inputs.templateFilePath}}-PSRule-output.csv" + option: "${{ github.workspace }}/${{ inputs.psrulePath}}/ps-rule.yaml" # Path to PSRule configuration options file + source: "${{ inputs.psrulePath}}/.ps-rule/" # Path to folder containing suppression rules to use for analysis. + summary: false # Disabling as taken care in customized task + - name: "Parse CSV content" if: always() uses: azure/powershell@v2 diff --git a/.github/workflows/avm.template.module.yml b/.github/workflows/avm.template.module.yml index 4df961c68e..f7b409ce9a 100644 --- a/.github/workflows/avm.template.module.yml +++ b/.github/workflows/avm.template.module.yml @@ -94,6 +94,50 @@ jobs: psrulePath: "avm/utilities/pipelines/staticValidation/psrule" #'${{ github.workspace }}/avm' psruleBaseline: "Azure.Pillar.Reliability" + job_psrule_test_waf_security_cb: # Note: Please don't change this job name. It is used by the setEnvironment action to define which PS modules to install on runners. + name: "PSRule - WAF Security - AVM Custom Baseline [${{ matrix.testCases.name }}]" + runs-on: ubuntu-latest + if: ${{ inputs.psRuleModuleTestFilePaths != '' && (fromJson(inputs.workflowInput)).staticValidation == 'true' }} + strategy: + fail-fast: false + matrix: + testCases: ${{ fromJson(inputs.psRuleModuleTestFilePaths) }} + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Set environment + uses: ./.github/actions/templates/avm-setEnvironment + - name: "Run PSRule validation with [${{ matrix.testCases.path }}]" + uses: ./.github/actions/templates/avm-validateModulePSRule + with: + templateFilePath: "${{ inputs.modulePath }}/${{ matrix.testCases.path }}" + subscriptionId: "${{ secrets.ARM_SUBSCRIPTION_ID }}" + managementGroupId: "${{ secrets.ARM_MGMTGROUP_ID }}" + psrulePath: "avm/utilities/pipelines/staticValidation/psrule" #'${{ github.workspace }}/avm' + psruleBaseline: "CB.AVM.WAF.Security" + + job_psrule_test_waf_security: # Note: Please don't change this job name. It is used by the setEnvironment action to define which PS modules to install on runners. + name: "PSRule - WAF Security [${{ matrix.testCases.name }}]" + runs-on: ubuntu-latest + if: ${{ inputs.psRuleModuleTestFilePaths != '' && (fromJson(inputs.workflowInput)).staticValidation == 'true' }} + strategy: + fail-fast: false + matrix: + testCases: ${{ fromJson(inputs.psRuleModuleTestFilePaths) }} + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Set environment + uses: ./.github/actions/templates/avm-setEnvironment + - name: "Run PSRule validation with [${{ matrix.testCases.path }}]" + uses: ./.github/actions/templates/avm-validateModulePSRule + with: + templateFilePath: "${{ inputs.modulePath }}/${{ matrix.testCases.path }}" + subscriptionId: "${{ secrets.ARM_SUBSCRIPTION_ID }}" + managementGroupId: "${{ secrets.ARM_MGMTGROUP_ID }}" + psrulePath: "avm/utilities/pipelines/staticValidation/psrule" #'${{ github.workspace }}/avm' + psruleBaseline: "Azure.Pillar.Security" + ############################# # Deployment validation # ############################# @@ -104,10 +148,12 @@ jobs: !cancelled() && (fromJson(inputs.workflowInput)).deploymentValidation == 'true' && needs.job_module_static_validation.result != 'failure' && - needs.job_psrule_test_waf_reliability.result != 'failure' + needs.job_psrule_test_waf_reliability.result != 'failure' && + needs.job_psrule_test_waf_security_cb.result != 'failure' needs: - job_module_static_validation - job_psrule_test_waf_reliability + - job_psrule_test_waf_security_cb strategy: fail-fast: false matrix: diff --git a/avm/utilities/pipelines/staticValidation/psrule/.ps-rule/cb-waf-security.Rule.yaml b/avm/utilities/pipelines/staticValidation/psrule/.ps-rule/cb-waf-security.Rule.yaml new file mode 100644 index 0000000000..3620b3c9bd --- /dev/null +++ b/avm/utilities/pipelines/staticValidation/psrule/.ps-rule/cb-waf-security.Rule.yaml @@ -0,0 +1,46 @@ +--- +# Synopsis: Custom baseline for AVM WAF security pillar recommendations that are enforced in CI. +apiVersion: github.com/microsoft/PSRule/v1 +kind: Baseline +metadata: + name: CB.AVM.WAF.Security +spec: + rule: + include: + - Azure.ACR.AdminUser + - Azure.ACR.ContainerScan + - Azure.ACR.ContentTrust + - Azure.ACR.Firewall + - Azure.AKS.AzureRBAC + - Azure.AppGw.UseHTTPS + - Azure.AppGw.SSLPolicy + - Azure.AppGw.WAFEnabled + - Azure.AppGw.UseWAF + - Azure.AppService.WebSecureFtp + - Azure.AppService.MinTLS + - Azure.Cosmos.MinTLS + - Azure.Defender.Api + - Azure.Defender.AppServices + - Azure.Defender.Arm + - Azure.Defender.Containers + - Azure.Defender.CosmosDb + - Azure.Defender.Cspm + - Azure.Defender.Dns + - Azure.Defender.KeyVault + - Azure.Defender.OssRdb + - Azure.Defender.SQL + - Azure.Defender.SQLOnVM + - Azure.Defender.SecurityContact + - Azure.Defender.Servers + - Azure.Defender.Storage.DataScan + - Azure.Defender.Storage.MalwareScan + - Azure.Defender.Storage + - Azure.Firewall.Mode + - Azure.Firewall.PolicyMode + - Azure.Storage.DefenderCloud + - Azure.Storage.Defender.MalwareScan + - Azure.Storage.SecureTransfer + - Azure.Storage.BlobPublicAccess + - Azure.Storage.BlobAccessType + - Azure.Storage.Firewall + - Azure.Storage.MinTLS