Update code ownership sample (#2573)
BernieWhite authored Dec 6, 2023
1 parent ba6931f commit 2d60b41
Showing 7 changed files with 78 additions and 45 deletions.
4 changes: 3 additions & 1 deletion .devcontainer/Dockerfile
Expand Up @@ -4,7 +4,9 @@
# Visual Studio Code image with .NET

# NOTE:
# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/main/containers/dotnet
# See here for image contents: https://github.com/devcontainers/images/tree/main/src/dotnet

ARG VARIANT="7.0-bullseye-slim"
FROM mcr.microsoft.com/vscode/devcontainers/dotnet:${VARIANT}

RUN sudo apt update -y && sudo apt install python3-pip python3-wheel -y
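Review bot: the updated comment points at https://github.com/devcontainers/images/tree/main/src/dotnet, but the unchanged `FROM mcr.microsoft.com/vscode/devcontainers/dotnet:${VARIANT}` two lines below still pulls the older `vscode/devcontainers` image path; images built from the devcontainers/images repository are published under `mcr.microsoft.com/devcontainers/`, so either move the FROM to `mcr.microsoft.com/devcontainers/dotnet` or keep the comment pointing at the image actually in use. On the added `RUN sudo apt update -y && sudo apt install python3-pip python3-wheel -y`: use `apt-get` rather than `apt` in a non-interactive build, add `--no-install-recommends`, and end the same layer with `rm -rf /var/lib/apt/lists/*` so the package indexes are not baked into the image; `sudo` inside a RUN step only works because the base image ships a non-root user with passwordless sudo, so an explicit `USER` switch would make the privilege change visible to anyone reading the Dockerfile.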
39 changes: 24 additions & 15 deletions docs/customization/enforce-codeowners.md
Expand Up @@ -5,29 +5,37 @@ author: BernieWhite

# Enforcing code ownership

With PSRule, you can layer on custom rules with to implement organization specific requirements.
These custom rules work side-by-side with PSRule for Azure.
!!! Abstract
The following scenario _extends_ on existing code ownership features available in your tool of choice.
This topic covers static analysis testing for the content (specific Azure resource) within file paths.
This allows you to:

- Identify if specific Azure resource types are added to file paths they shouldn't be.

Pull requests (PRs) are a key concept within common Git workflows and DevOps culture to enforce peer review.
Code ownership provides a mechanism to require one or more specific people review changes prior to merging a PR.

For Git repositories in GitHub and Azure Repos, code ownership is controlled based on file path.
If a person or team owns a file or file path they are required to review the changes proposed in the PR.
The specifics of how many approvals and if approval is optional vs required is controlled by branch protection/ policies.

Pull requests are a key concept within common Git workflows used with DevOps to enforce peer review.
To support peer review across a team tools such as GitHub and Azure DevOps provide code ownership.
Code ownership, allows mix discipline teams to direct peer reviews based the path of a changed file.
In the context of Azure Infrastructure as Code (IaC) - Azure Bicep/ ARM templates, these changes may:

For sensitive changes such as firewall or policy exemptions, peer reviews may form a security control.
In these cases, it may be important that specific paths are used for Infrastructure as Code artifacts.
- Add, change, or remove infrastructure components.
- Include sensitive changes such as updates to firewall rules or policy exemptions.
- Introduce concerns that sentitive changes could be moved to a different file path to bypass review by a specific team.

PSRule allows teams to layer on additional rules to ensure Azure resources fall within the paths expected by code ownership.

!!! Info
Code ownership is implemented through [CODEOWNERS][1] in GitHub and [required reviewers][2] in Azure Repos.

!!! Abstract
The following scenario shows how to create a custom rule to validate the file path of code artifacts.
The scenario walks you through the process so that you can apply the same concepts for similar requirements.

[1]: https://docs.github.com/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
[2]: https://learn.microsoft.com/azure/devops/repos/git/branch-policies#automatically-include-code-reviewers

## Creating a new rule

Within the `.ps-rule` sub-directory create a new file called `Org.Azure.Rule.ps1`.
Within the `.ps-rule/` sub-directory create a new file called `Org.Azure.Rule.ps1`.
Use the following snippet to populate the rule file:

```powershell
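Review bot: the third added bullet has a typo, `sentitive` should be `sensitive`, and it reads better as a statement of the risk rather than of a "concern", for example "Allow a sensitive change to be moved to a different file path to bypass review by the team that owns the original path." The same bypass applies to the control this page introduces: the custom rule only closes the gap if `.ps-rule/Org.Azure.Rule.ps1` and `ps-rule.yaml` are themselves covered by CODEOWNERS (or the Azure Repos required-reviewer policy) and the PSRule run is a required check on the PR, otherwise the PR that moves the resource can relax or delete the rule in the same change; one sentence to that effect after "PSRule allows teams to layer on additional rules to ensure Azure resources fall within the paths expected by code ownership." would close the loop. Minor: in the new Abstract, "This allows you to:" introduces a list with a single item, so it can be folded into the preceding sentence.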
Expand Down Expand Up @@ -66,7 +74,7 @@ To configure type binding:
- Create/ update the `ps-rule.yaml` file within the root of the repository.
- Add the following configuration snippet.

```yaml
```yaml title="ps-rule.yaml"
# Configure binding options
binding:
targetType:
Expand All @@ -87,8 +95,9 @@ If neither property exists, PSRule will use the object type.
To test the custom rule within Visual Studio Code, see [How to install PSRule for Azure][4].
Alternatively you can test the rule manually by running the following from a PowerShell terminal.

```powershell
Assert-PSRule -Path '.ps-rule/' -Module 'PSRule.Rules.Azure' -InputPath . -Format File
```powershell title="PowerShell"
Assert-PSRule -Path '.ps-rule/' -Module 'PSRule.Rules.Azure' `
-InputPath . -Format File
```

[4]: ../install.md#with-visual-studio-code
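Review bot: the backtick line continuation added to the `Assert-PSRule` snippet breaks silently if any whitespace follows the backtick, which is easy to pick up when the command is copied from a rendered page; the two lines are short enough to keep on one line, or show the parameters via splatting if wrapping is needed. It is also worth stating on this page that `Assert-PSRule` raises an error when any rule fails, since that is what makes the run usable as a required PR check for the code-ownership scenario the page describes.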
4 changes: 3 additions & 1 deletion docs/en/baselines/Azure.MCSB.v1.md
Expand Up @@ -6,7 +6,7 @@ Microsoft Cloud Security Benchmark v1.

## Controls

The following rules are included within `Azure.MCSB.v1`. This baseline includes a total of 122 rules.
The following rules are included within `Azure.MCSB.v1`. This baseline includes a total of 124 rules.

Name | Synopsis | Severity
---- | -------- | --------
Expand Down Expand Up @@ -39,6 +39,7 @@ Name | Synopsis | Severity
[Azure.APIM.HTTPEndpoint](../rules/Azure.APIM.HTTPEndpoint.md) | Enforce HTTPS for communication to API clients. | Important
[Azure.APIM.ManagedIdentity](../rules/Azure.APIM.ManagedIdentity.md) | Configure managed identities to access Azure resources. | Important
[Azure.APIM.Protocols](../rules/Azure.APIM.Protocols.md) | API Management should only accept a minimum of TLS 1.2 for client and backend communication. | Critical
[Azure.AppConfig.AuditLogs](../rules/Azure.AppConfig.AuditLogs.md) | Ensure app configuration store audit diagnostic logs are enabled. | Important
[Azure.AppConfig.DisableLocalAuth](../rules/Azure.AppConfig.DisableLocalAuth.md) | Authenticate App Configuration clients with Azure AD identities. | Important
[Azure.AppGw.SSLPolicy](../rules/Azure.AppGw.SSLPolicy.md) | Application Gateway should only accept a minimum of TLS 1.2. | Critical
[Azure.AppGw.UseHTTPS](../rules/Azure.AppGw.UseHTTPS.md) | Application Gateways should only expose frontend HTTP endpoints over HTTPS. | Critical
Expand Down Expand Up @@ -86,6 +87,7 @@ Name | Synopsis | Severity
[Azure.FrontDoor.ManagedIdentity](../rules/Azure.FrontDoor.ManagedIdentity.md) | Ensure Front Door uses a managed identity to authorize access to Azure resources. | Important
[Azure.FrontDoor.WAF.Enabled](../rules/Azure.FrontDoor.WAF.Enabled.md) | Front Door Web Application Firewall (WAF) policy must be enabled to protect back end resources. | Critical
[Azure.IoTHub.MinTLS](../rules/Azure.IoTHub.MinTLS.md) | IoT Hubs should reject TLS versions older than 1.2. | Critical
[Azure.KeyVault.Logs](../rules/Azure.KeyVault.Logs.md) | Ensure audit diagnostics logs are enabled to audit Key Vault access. | Important
[Azure.KeyVault.RBAC](../rules/Azure.KeyVault.RBAC.md) | Key Vaults should use Azure RBAC as the authorization system for the data plane. | Awareness
[Azure.ML.ComputeVnet](../rules/Azure.ML.ComputeVnet.md) | Azure Machine Learning Computes should be hosted in a virtual network (VNet). | Critical
[Azure.ML.PublicAccess](../rules/Azure.ML.PublicAccess.md) | Disable public network access from a Azure Machine Learning workspace. | Critical
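Review bot: the two rows added to this file, `Azure.AppConfig.AuditLogs` and `Azure.KeyVault.Logs`, account for the 122 to 124 count change in the first hunk, so the numbers line up; but adding rules to `Azure.MCSB.v1` changes results for anyone pinned to that baseline, and none of the 7 changed files in this commit is a changelog or release note, so please record the baseline change where users will see it before upgrading.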
2 changes: 1 addition & 1 deletion docs/en/rules/index.md
@@ -1,6 +1,6 @@
---
title: Reference
generated: True
title: Reference
---

# Reference
36 changes: 23 additions & 13 deletions docs/en/rules/module.md
Expand Up @@ -14,6 +14,15 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Resource.UseTags](Azure.Resource.UseTags.md) | Azure resources should be tagged using a standard convention. | Awareness | Error

### CO:14 Consolidation

Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ADX.Usage](Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error
[Azure.EventHub.Usage](Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error
[Azure.PublicIP.IsAttached](Azure.PublicIP.IsAttached.md) | Public IP addresses should be attached or cleaned up if not in use. | Important | Error
[Azure.ServiceBus.Usage](Azure.ServiceBus.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error

### Optimize

Name | Synopsis | Severity | Level
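Review bot: the new `### CO:14 Consolidation` heading carries a Well-Architected checklist ID while the neighbouring headings in the same group (`### Optimize`, `### Provision`, the `### Principles` heading removed below) do not, so the file now mixes two naming schemes for the same level of grouping; if the plan is to move every pillar grouping to checklist IDs, say so in the commit message or do it in one pass. Since `docs/en/rules/index.md` in this same commit is marked `generated: True`, please also confirm this table was regenerated from the rule metadata rather than hand-edited, otherwise the next generation run will undo it.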
Expand All @@ -27,12 +36,6 @@ Name | Synopsis | Severity | Level
[Azure.VM.PromoSku](Azure.VM.PromoSku.md) | Virtual machines (VMs) should not use expired promotional SKU. | Awareness | Error
[Azure.VM.UseHybridUseBenefit](Azure.VM.UseHybridUseBenefit.md) | Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. | Awareness | Error

### Principles

Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.PublicIP.IsAttached](Azure.PublicIP.IsAttached.md) | Public IP addresses should be attached or cleaned up if not in use. | Important | Error

### Provision

Name | Synopsis | Severity | Level
Expand All @@ -44,9 +47,6 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ACR.Usage](Azure.ACR.Usage.md) | Regularly remove deprecated and unneeded images to reduce storage usage. | Important | Error
[Azure.ADX.Usage](Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error
[Azure.EventHub.Usage](Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error
[Azure.ServiceBus.Usage](Azure.ServiceBus.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error

### Resource usage

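Review bot: `Azure.ADX.Usage`, `Azure.EventHub.Usage` and `Azure.ServiceBus.Usage` leave this table for `CO:14 Consolidation`, but `Azure.ACR.Usage` ("Regularly remove deprecated and unneeded images to reduce storage usage") stays behind in the same table; it is the same kind of unused-resource clean-up, so either move it with the other three or note why it maps to a different checklist item.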
Expand Down Expand Up @@ -101,7 +101,6 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.APIM.APIDescriptors](Azure.APIM.APIDescriptors.md) | API Management APIs should have a display name and description. | Awareness | Warning
[Azure.APIM.ProductDescriptors](Azure.APIM.ProductDescriptors.md) | API Management products should have a display name and description. | Awareness | Warning

### Monitor

Expand Down Expand Up @@ -136,6 +135,12 @@ Name | Synopsis | Severity | Level
[Azure.VNG.ConnectionName](Azure.VNG.ConnectionName.md) | Virtual Network Gateway (VNG) connection names should meet naming requirements. | Awareness | Error
[Azure.VNG.Name](Azure.VNG.Name.md) | Virtual Network Gateway (VNG) names should meet naming requirements. | Awareness | Error

### OE:04 Tools and processes

Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.APIM.ProductDescriptors](Azure.APIM.ProductDescriptors.md) | API Management products should have a display name and description. | Awareness | Warning

### Principles

Name | Synopsis | Severity | Level
Expand Down Expand Up @@ -584,8 +589,6 @@ Name | Synopsis | Severity | Level
[Azure.AKS.AzureRBAC](Azure.AKS.AzureRBAC.md) | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | Important | Error
[Azure.AKS.ManagedAAD](Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important | Error
[Azure.AKS.UseRBAC](Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important | Error
[Azure.APIM.ProductApproval](Azure.APIM.ProductApproval.md) | Configure products to require approval. | Important | Error
[Azure.APIM.ProductSubscription](Azure.APIM.ProductSubscription.md) | Configure products to require a subscription. | Important | Error
[Azure.Automation.WebHookExpiry](Azure.Automation.WebHookExpiry.md) | Do not create webhooks with an expiry time greater than 1 year (default). | Awareness | Error
[Azure.KeyVault.AccessPolicy](Azure.KeyVault.AccessPolicy.md) | Use the principal of least privilege when assigning access to Key Vault. | Important | Error
[Azure.ML.UserManagedIdentity](Azure.ML.UserManagedIdentity.md) | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important | Error
Expand Down Expand Up @@ -638,7 +641,6 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.AuditLogs](Azure.AKS.AuditLogs.md) | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | Important | Error
[Azure.AppConfig.AuditLogs](Azure.AppConfig.AuditLogs.md) | Ensure app configuration store audit diagnostic logs are enabled. | Important | Error
[Azure.Automation.AuditLogs](Azure.Automation.AuditLogs.md) | Ensure automation account audit diagnostic logs are enabled. | Important | Error
[Azure.ServiceBus.AuditLogs](Azure.ServiceBus.AuditLogs.md) | Ensure namespaces audit diagnostic logs are enabled. | Important | Error

Expand Down Expand Up @@ -703,6 +705,14 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ACR.AdminUser](Azure.ACR.AdminUser.md) | Use Entra ID identities instead of using the registry admin user. | Critical | Error
[Azure.APIM.ProductApproval](Azure.APIM.ProductApproval.md) | Configure products to require approval. | Important | Error
[Azure.APIM.ProductSubscription](Azure.APIM.ProductSubscription.md) | Configure products to require a subscription. | Important | Error

### SE:10 Monitoring and threat detection

Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AppConfig.AuditLogs](Azure.AppConfig.AuditLogs.md) | Ensure app configuration store audit diagnostic logs are enabled. | Important | Error

### Secrets

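Review bot: `Azure.AppConfig.AuditLogs` is the only rule under the new `### SE:10 Monitoring and threat detection`, while `Azure.AKS.AuditLogs`, `Azure.Automation.AuditLogs` and `Azure.ServiceBus.AuditLogs` remain in the table it was removed from earlier in this file; all four enable audit diagnostic logs, so leaving three behind reads as a partial migration rather than a deliberate classification. Same question for `Azure.APIM.ProductApproval` and `Azure.APIM.ProductSubscription`, which move into the table headed by `Azure.ACR.AdminUser`: that table's heading is outside the hunk, so naming the target checklist item in the commit message would let reviewers verify the placement without opening the full file.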
2 changes: 1 addition & 1 deletion docs/es/rules/index.md
@@ -1,6 +1,6 @@
---
title: Reference
generated: True
title: Reference
---

# Reference
36 changes: 23 additions & 13 deletions docs/es/rules/module.md
Expand Up @@ -14,6 +14,15 @@ Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.Resource.UseTags](Azure.Resource.UseTags.md) | Azure resources should be tagged using a standard convention. | Awareness | Error

### CO:14 Consolidation

Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ADX.Usage](Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error
[Azure.EventHub.Usage](Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error
[Azure.PublicIP.IsAttached](Azure.PublicIP.IsAttached.md) | Public IP addresses should be attached or cleaned up if not in use. | Important | Error
[Azure.ServiceBus.Usage](Azure.ServiceBus.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error

### Optimize

Name | Synopsis | Severity | Level
Expand All @@ -27,12 +36,6 @@ Name | Synopsis | Severity | Level
[Azure.VM.PromoSku](Azure.VM.PromoSku.md) | Virtual machines (VMs) should not use expired promotional SKU. | Awareness | Error
[Azure.VM.UseHybridUseBenefit](Azure.VM.UseHybridUseBenefit.md) | Use Azure Hybrid Benefit for applicable virtual machine (VM) workloads. | Awareness | Error

### Principles

Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.PublicIP.IsAttached](Azure.PublicIP.IsAttached.md) | Public IP addresses should be attached or cleaned up if not in use. | Important | Error

### Provision

Name | Synopsis | Severity | Level
Expand All @@ -44,9 +47,6 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ACR.Usage](Azure.ACR.Usage.md) | Regularly remove deprecated and unneeded images to reduce storage usage. | Important | Error
[Azure.ADX.Usage](Azure.ADX.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error
[Azure.EventHub.Usage](Azure.EventHub.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error
[Azure.ServiceBus.Usage](Azure.ServiceBus.Usage.md) | Regularly remove unused resources to reduce costs. | Important | Error

### Resource usage

Expand Down Expand Up @@ -101,7 +101,6 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.APIM.APIDescriptors](Azure.APIM.APIDescriptors.md) | API Management APIs should have a display name and description. | Awareness | Warning
[Azure.APIM.ProductDescriptors](Azure.APIM.ProductDescriptors.md) | API Management products should have a display name and description. | Awareness | Warning

### Monitor

Expand Down Expand Up @@ -136,6 +135,12 @@ Name | Synopsis | Severity | Level
[Azure.VNG.ConnectionName](Azure.VNG.ConnectionName.md) | Virtual Network Gateway (VNG) connection names should meet naming requirements. | Awareness | Error
[Azure.VNG.Name](Azure.VNG.Name.md) | Virtual Network Gateway (VNG) names should meet naming requirements. | Awareness | Error

### OE:04 Tools and processes

Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.APIM.ProductDescriptors](Azure.APIM.ProductDescriptors.md) | API Management products should have a display name and description. | Awareness | Warning

### Principles

Name | Synopsis | Severity | Level
Expand Down Expand Up @@ -584,8 +589,6 @@ Name | Synopsis | Severity | Level
[Azure.AKS.AzureRBAC](Azure.AKS.AzureRBAC.md) | Use Azure RBAC for Kubernetes Authorization with AKS clusters. | Important | Error
[Azure.AKS.ManagedAAD](Azure.AKS.ManagedAAD.md) | Use AKS-managed Azure AD to simplify authorization and improve security. | Important | Error
[Azure.AKS.UseRBAC](Azure.AKS.UseRBAC.md) | Deploy AKS cluster with role-based access control (RBAC) enabled. | Important | Error
[Azure.APIM.ProductApproval](Azure.APIM.ProductApproval.md) | Configure products to require approval. | Important | Error
[Azure.APIM.ProductSubscription](Azure.APIM.ProductSubscription.md) | Configure products to require a subscription. | Important | Error
[Azure.Automation.WebHookExpiry](Azure.Automation.WebHookExpiry.md) | Do not create webhooks with an expiry time greater than 1 year (default). | Awareness | Error
[Azure.KeyVault.AccessPolicy](Azure.KeyVault.AccessPolicy.md) | Use the principal of least privilege when assigning access to Key Vault. | Important | Error
[Azure.ML.UserManagedIdentity](Azure.ML.UserManagedIdentity.md) | ML workspaces should use user-assigned managed identity, rather than the default system-assigned managed identity. | Important | Error
Expand Down Expand Up @@ -638,7 +641,6 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AKS.AuditLogs](Azure.AKS.AuditLogs.md) | AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads. | Important | Error
[Azure.AppConfig.AuditLogs](Azure.AppConfig.AuditLogs.md) | Ensure app configuration store audit diagnostic logs are enabled. | Important | Error
[Azure.Automation.AuditLogs](Azure.Automation.AuditLogs.md) | Ensure automation account audit diagnostic logs are enabled. | Important | Error
[Azure.ServiceBus.AuditLogs](Azure.ServiceBus.AuditLogs.md) | Ensure namespaces audit diagnostic logs are enabled. | Important | Error

Expand Down Expand Up @@ -703,6 +705,14 @@ Name | Synopsis | Severity | Level
Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.ACR.AdminUser](Azure.ACR.AdminUser.md) | Use Entra ID identities instead of using the registry admin user. | Critical | Error
[Azure.APIM.ProductApproval](Azure.APIM.ProductApproval.md) | Configure products to require approval. | Important | Error
[Azure.APIM.ProductSubscription](Azure.APIM.ProductSubscription.md) | Configure products to require a subscription. | Important | Error

### SE:10 Monitoring and threat detection

Name | Synopsis | Severity | Level
---- | -------- | -------- | -----
[Azure.AppConfig.AuditLogs](Azure.AppConfig.AuditLogs.md) | Ensure app configuration store audit diagnostic logs are enabled. | Important | Error

### Secrets

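Review bot: every hunk in `docs/es/rules/module.md` is identical to the corresponding hunk in `docs/en/rules/module.md`, headings and synopses included, and `docs/es/rules/index.md` in this commit likewise carries the English `title: Reference` and `# Reference`; if the `es` tree is produced from the same generated source, the untranslated text is a generator issue to fix once rather than per locale copy, and keeping two byte-identical tables in step by hand will drift the first time only one of them is edited.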