PSRule.Rules.Azure

1.7.0

rules/Azure.Policy.Rule.ps1

                                # Copyright (c) Microsoft Corporation.

# Licensed under the MIT License.

#

# Validation rules for Azure Policy

#

# Synopsis: Policy and initiative definitions require a display name, description, and category.

Rule 'Azure.Policy.Descriptors' -Type 'Microsoft.Authorization/policyDefinitions', 'Microsoft.Authorization/policySetDefinitions' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {

    $Assert.HasFieldValue($TargetObject, 'properties.displayName');

    $Assert.HasFieldValue($TargetObject, 'properties.description');

    $Assert.HasFieldValue($TargetObject, 'properties.metadata.category');

}

# Synopsis: Policy assignments require a display name and description.

Rule 'Azure.Policy.AssignmentDescriptors' -Type 'Microsoft.Authorization/policyAssignments' -Tag @{ release = 'GA'; ruleSet = '2021_06'; } {

    $Assert.HasFieldValue($TargetObject, 'properties.displayName');

    $Assert.HasFieldValue($TargetObject, 'properties.description');

}

# Synopsis: Policy assignments require assignedBy metadata.

Rule 'Azure.Policy.AssignmentAssignedBy' -Type 'Microsoft.Authorization/policyAssignments' -Tag @{ release = 'GA'; ruleSet = '2021_06'; } {

    $Assert.HasFieldValue($TargetObject, 'properties.metadata.assignedBy');

}

# Synopsis: Policy exemptions require a display name, and description.

Rule 'Azure.Policy.ExemptionDescriptors' -Type 'Microsoft.Authorization/policyExemptions' -Tag @{ release = 'GA'; ruleSet = '2021_06'; } {

    $Assert.HasFieldValue($TargetObject, 'properties.displayName');

    $Assert.HasFieldValue($TargetObject, 'properties.description');

}

# Synopsis: Policy exceptions must be less then 2 years.

Rule 'Azure.Policy.WaiverExpiry' -Type 'Microsoft.Authorization/policyExemptions' -With 'Azure.PolicyExemptionWaiver' -Tag @{ release = 'GA'; ruleSet = '2021_06' } {

    $expiresOn = $Assert.HasFieldValue($TargetObject, 'properties.expiresOn');

    $expiresOn;

    if ($expiresOn.Result) {

        $days = [int]($TargetObject.Properties.expiresOn - [DateTime]::Now).TotalDays;

        $Assert.LessOrEqual($days, '.', $Configuration.AZURE_POLICY_WAIVER_MAX_EXPIRY);

    }

} -Configure @{ AZURE_POLICY_WAIVER_MAX_EXPIRY = 366 }