v1.40.0-B0147

What's changed since pre-release v1.40.0-B0103:

• Bug fixes:
  • Fixed object to hashtable conversion for default parameter values by @BernieWhite.
    #3033
  • Fixed deployments with more than one module at tenant scope by @BernieWhite.
    #3167

See change log.

v1.40.0-B0103

What's changed since pre-release v1.40.0-B0063:

• New features:
  • Added support for expanding from .jsonc parameter files by @BernieWhite.
    #2053
    • Previously only parameter files with the .json extension where automatically expanded.
    • This feature adds support so that JSON parameter files with the .jsonc extension are also discovered and expanded.
    • No additional configuration is required if expansion of JSON parameter files is enabled.
    • To enable parameter file expansion set the AZURE_PARAMETER_FILE_EXPANSION configuration option to true.
• General improvements:
  • Additional quality updates to documentation by @BernieWhite.
    #3102
• Bug fixes:
  • Fixed projection of default role authorization property principalType by @BernieWhite.
    #3163
  • Fixed user defined function not found when used as parameter default by @BernieWhite.
    #3169

See change log.

v1.40.0-B0063

What's changed since pre-release v1.40.0-B0029:

• Updated rules:
  • Microsoft Defender for Cloud:
    • Updated Azure.DefenderCloud.Contact to use emails property and removed phone by @BernieWhite.
      #3117
      • Renamed rule to Azure.Defender.SecurityContact to better align with naming for defender rules.
      • Bumped rule set to 2024_12.
• Bug fixes:
  • Fixed evaluation of Azure.NSG.LateralTraversal with empty string properties by @BernieWhite.
    #3130
  • Fixed evaluation of Azure.Deployment.AdminUsername with symbolic references by @BernieWhite.
    #3146

See change log.

v1.40.0-B0029

What's changed since v1.39.3:

• Updated rules:
  • Deployment:
    • Updated Azure.Deployment.SecureValue to check additional resource types by @BernieWhite.
      #2650
      #2651
      • Added support for container apps secret properties.
      • Added support for deployment script secret properties.
      • Bumped rule set to 2024_12.
    • Updated Azure.Deployment.SecureParameter to reduce false positives by @BernieWhite.
      #3149
      • Parameters named ending with name, uri, url, path, type, id, or options are ignored.
      • The customerManagedKey parameter is ignored.
• Engineering:
  • Migrated Azure samples into PSRule for Azure by @BernieWhite.
    #3085
  • Quality updates to rule documentation by @BernieWhite.
    #3102
• Bug fixes:
  • Fixed output map expansion with resource IDs by @BernieWhite.
    #3153

See change log.

v1.39.3

What's changed since v1.39.2:

• Bug fixes:
  • Fixed index out of bounds for existing symbolic name reference by @BernieWhite.
    #3129

See change log.

v1.39.2

What's changed since v1.39.1:

• Bug fixes:
  • Fixed user-defined function reference to exported variable by @BernieWhite.
    #3120
  • Fixed name expand of existing resource references by @BernieWhite.
    #3123

See change log.

v1.39.1

What's changed since v1.39.0:

• Bug fixes:
  • Fixed GetBicepParamResources exception when expanding Microsoft.Graph/groups resource by @BernieWhite.
    #3062
  • Fixed Azure.AppGw.AvailabilityZone passes when a zonal configuration is used by @BernieWhite.
    #3061
  • Fixed conditional secret as parameter or placeholder by @BernieWhite.
    #2054

See change log.

v1.39.0

What's changed since v1.38.0:

• New features:
  • Added September 2024 baselines Azure.GA_2024_09 and Azure.Preview_2024_09 by @BernieWhite.
    #3048
    • Includes rules released before or during September 2024.
    • Marked Azure.GA_2024_06 and Azure.Preview_2024_06 baselines as obsolete.
• New rules:
  • Azure Kubernetes Service:
    • Verify that clusters have kube-audit logging disabled when not required by @BenjaminEngeset.
      #2450
    • Verify that clusters have the customer-controlled maintenance windows aksManagedAutoUpgradeSchedule and aksManagedNodeOSUpgradeSchedule configured by @BenjaminEngeset.
      #2444
  • App Service:
    • Verify that app service plans have availability zones configured by @BenjaminEngeset.
      #2964
  • App Service Environment:
    • Verify that app service environments have availability zones configured by @BenjaminEngeset.
      #2964
  • Azure SQL Database:
    • Verify that Azure SQL databases have a customer-controlled maintenance window configured by @BenjaminEngeset.
      #2956
  • Azure SQL Managed Instance:
    • Verify that Azure SQL Managed Instances have a customer-controlled maintenance window configured by @BenjaminEngeset.
      #2979
  • Service Bus:
    • Verify that service bus namespaces have geo-replication configured by @BenjaminEngeset.
      #2988
  • Virtual Machine:
    • Verify that virtual machines does not have public IPs attached by @BenjaminEngeset.
      #11
    • Verify that multi-tenant Hosting Rights are used for Windows client VMs by @BenjaminEngeset.
      #432
    • Verify that availability set members are in a backend pool by @BenjaminEngeset.
      #67
  • Virtual Machine Scale Sets:
    • Verify that virtual machine scale set instances does not have public IPs attached by @BenjaminEngeset.
      #3014
  • Virtual Network:
    • Verify that zonal-deployed Azure firewalls uses Azure NAT Gateway for outbound access by @BenjaminEngeset.
      ##3005
    • Verify that subnets have disabled default outbound access for virtual machines by @BenjaminEngeset.
      #3001
• Updated rules:
  • Azure Kubernetes Service:
    • Updated Azure.AKS.AuditLogs documentation to call out important specific of the kube-audit log by @BernieWhite.
      #2449
    • Updated Azure.AKS.Version to use 1.29.7 as the minimum version by @BernieWhite.
      #3042
  • Container Apps:
    • Updated Azure.ContainerApp.AvailabilityZone to check for infrastructure subnet by @BernieWhite.
      #3068
      • Configuring an infrastructure subnet is a requirement for enabling zone redundancy.
        Both rule and documentation have been updated to clearly call this out.
  • Virtual Network:
    • Updated Azure.VNET.UseNSGs to correctly handle cases for special purpose and customer-excluded subnets by @BenjaminEngeset.
      #3007
• General improvements:
  • Important change: Replaced the Azure_AKSNodeMinimumMaxPods option with AZURE_AKS_POOL_MINIMUM_MAXPODS by @BernieWhite.
    #941
    • For compatibility, if Azure_AKSNodeMinimumMaxPods is set it will be used instead of AZURE_AKS_POOL_MINIMUM_MAXPODS.
    • If only AZURE_AKS_POOL_MINIMUM_MAXPODS is set, this value will be used.
    • The default will be used neither options are configured.
    • If Azure_AKSNodeMinimumMaxPods is set a warning will be generated until the configuration is removed.
    • Support for Azure_AKSNodeMinimumMaxPods is deprecated and will be removed in v2.
  • Important change: Replaced the Azure_MinimumCertificateLifetime option with AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME by @BernieWhite.
    #941
    • For compatibility, if Azure_MinimumCertificateLifetime is set it will be used instead of AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME.
    • If only AZURE_APIM_MINIMUM_CERTIFICATE_LIFETIME is set, this value will be used.
    • The default will be used neither options are configured.
    • If Azure_MinimumCertificateLifetime is set a warning will be generated until the configuration is removed.
    • Support for Azure_MinimumCertificateLifetime is deprecated and will be removed in v2.
  • Add binding configuration to policy as rules docs by @BernieWhite.
    #2995
  • Updated resource providers and policy aliases.
    #3074
• Engineering:
  • Bump development tools to .NET 8.0 SDK by @BernieWhite.
    #3017
  • Quality updates to rule documentation by @BernieWhite.
    #2570
  • Bump xunit to v2.9.0.
    #2982
  • Bump xunit.runner.visualstudio to v2.8.2.
    #2982
• Bug fixed:
  • Fixed expansion with deployments by resource ID at management group by @BernieWhite
    #3013
  • Fixed subscription aliases don't support tags by @BernieWhite.
    #3021
  • Fixed Azure.AppService.AvailabilityZone only detects premium by tier property @BenjaminEngeset.
    #3034
  • Fixed loading of expansion options from non-default options file @BernieWhite.
    #3033
  • Fixed TLS defaults for Azure.Redis.MinTLS and Azure.RedisEnterprise.MinTLS by @BernieWhite.
    #3066
  • Fixed symbolic expand for existing with conditional cases by @BernieWhite.
    #2917

What's changed since pre-release v1.39.0-B0249:

• No additional changes.

See change log.

v1.39.0-B0249

What's changed since pre-release v1.39.0-B0182:

• Bug fixes:
  • Fixed symbolic expand for existing with conditional cases by @BernieWhite.
    #2917

See change log.

v1.39.0-B0182

What's changed since pre-release v1.39.0-B0118:

• Updated rules:
  • Container Apps:
    • Updated Azure.ContainerApp.AvailabilityZone to check for infrastructure subnet by @BernieWhite.
      #3068
      • Configuring an infrastructure subnet is a requirement for enabling zone redundancy.
        Both rule and documentation have been updated to clearly call this out.
• General improvements:
  • Updated resource providers and policy aliases.
    #3074
• Engineering:
  • Quality updates to rule documentation by @BernieWhite.
    #2570
• Bug fixes:
  • Fixed TLS defaults for Azure.Redis.MinTLS and Azure.RedisEnterprise.MinTLS by @BernieWhite.
    #3066

See change log.