Skip to content

Change log#

See upgrade notes for helpful information when upgrading from previous versions.

Important notes:

  • Issue #741: Could not load file or assembly YamlDotNet. See troubleshooting guide for a workaround to this issue.
  • The configuration option Azure_AKSMinimumVersion is replaced with AZURE_AKS_CLUSTER_MINIMUM_VERSION. If you have this option configured, please update it to AZURE_AKS_CLUSTER_MINIMUM_VERSION. Support for Azure_AKSMinimumVersion will be removed in v2. See upgrade notes for more information.
  • The SupportsTag PowerShell function has been replaced with the Azure.Resource.SupportsTags selector. Update PowerShell rules to use the Azure.Resource.SupportsTags selector instead. Support for the SupportsTag function will be removed in v2. See upgrade notes for more information.

Unreleased#

What's changed since pre-release v1.17.0-B0014:

  • Engineering:
    • Bump Newtonsoft.Json to v13.0.1. #1494

v1.17.0-B0014 (pre-release)#

What's changed since v1.16.1:

  • New rules:
    • Deployment:
      • Check for secure values in outputs by @BernieWhite. #297
  • New features:
    • Added more field count expression support for Azure Policy JSON rules by @ArmaanMcleod. #181
  • Engineering:
    • Updated NuGet packaging metadata by @BernieWhite. #1428
  • Bug fixes:
    • Fixed the language expression value fails in outputs by @BernieWhite. #1485

v1.16.1#

What's changed since v1.16.0:

  • Bug fixes:
    • Fixed TLS 1.3 support in Azure.AppGw.SSLPolicy by @BernieWhite. #1469
    • Fixed Application Gateway referencing a WAF policy by @BernieWhite. #1466

v1.16.0#

What's changed since v1.15.2:

  • New rules:
    • App Service:
      • Check web apps have insecure FTP disabled by @BernieWhite. #1436
      • Check web apps use a dedicated health probe by @BernieWhite. #1437
  • Updated rules:
    • Public IP:
      • Updated Azure.PublicIP.AvailabilityZone to exclude IP addresses for Azure Bastion by @BernieWhite. #1442
        • Public IP addresses with the resource-usage tag set to azure-bastion are excluded.
  • General improvements:
    • Added support for dateTimeFromEpoch and dateTimeToEpoch ARM functions by @BernieWhite. #1451
  • Engineering:
    • Updated built documentation to include rule ref and metadata by @BernieWhite. #1432
    • Added ref properties for several rules by @BernieWhite. #1430
    • Updated provider data for analysis. #1453
    • Bump Microsoft.NET.Test.Sdk to v17.2.0. #1410
    • Update CI checks to include required ref property by @BernieWhite. #1431
    • Added ref properties for rules by @BernieWhite. #1430
  • Bug fixes:
    • Fixed Azure.Template.UseVariables does not accept function variables names by @BernieWhite. #1427
    • Fixed dependency issue within Azure Pipelines AzurePowerShell task by @BernieWhite. #1447
      • Removed dependency on Az.Accounts and Az.Resources from manifest. Pre-install these modules to use export cmdlets.

What's changed since pre-release v1.16.0-B0072:

  • No additional changes.

v1.16.0-B0072 (pre-release)#

What's changed since pre-release v1.16.0-B0041:

  • Engineering:
    • Update CI checks to include required ref property by @BernieWhite. #1431
    • Added ref properties for rules by @BernieWhite. #1430
  • Bug fixes:
    • Fixed dependency issue within Azure Pipelines AzurePowerShell task by @BernieWhite. #1447
      • Removed dependency on Az.Accounts and Az.Resources from manifest. Pre-install these modules to use export cmdlets.

v1.16.0-B0041 (pre-release)#

What's changed since pre-release v1.16.0-B0017:

  • Updated rules:
    • Public IP:
      • Updated Azure.PublicIP.AvailabilityZone to exclude IP addresses for Azure Bastion by @BernieWhite. #1442
        • Public IP addresses with the resource-usage tag set to azure-bastion are excluded.
  • General improvements:
    • Added support for dateTimeFromEpoch and dateTimeToEpoch ARM functions by @BernieWhite. #1451
  • Engineering:
    • Updated built documentation to include rule ref and metadata by @BernieWhite. #1432
    • Added ref properties for several rules by @BernieWhite. #1430
    • Updated provider data for analysis. #1453

v1.16.0-B0017 (pre-release)#

What's changed since v1.15.2:

  • New rules:
    • App Service:
      • Check web apps have insecure FTP disabled by @BernieWhite. #1436
      • Check web apps use a dedicated health probe by @BernieWhite. #1437
  • Engineering:
    • Bump Microsoft.NET.Test.Sdk to v17.2.0. #1410
  • Bug fixes:
    • Fixed Azure.Template.UseVariables does not accept function variables names by @BernieWhite. #1427

v1.15.2#

What's changed since v1.15.1:

  • Bug fixes:
    • Fixed Azure.AppService.ManagedIdentity does not accept both system and user assigned by @BernieWhite. #1415
      • This also applies to:
        • Azure.ADX.ManagedIdentity
        • Azure.APIM.ManagedIdentity
        • Azure.EventGrid.ManagedIdentity
        • Azure.Automation.ManagedIdentity
    • Fixed Web apps with .NET 6 do not meet version constraint of Azure.AppService.NETVersion by @BernieWhite. #1414
      • This also applies to Azure.AppService.PHPVersion.

v1.15.1#

What's changed since v1.15.0:

  • Bug fixes:
    • Fixed exclusion of dataCollectionRuleAssociations from Azure.Resource.UseTags by @BernieWhite. #1400
    • Fixed could not determine JSON object type for MockObject using CreateObject by @BernieWhite. #1411
    • Fixed cannot bind argument to parameter 'Sku' because it is an empty string by @BernieWhite. #1407

v1.15.0#

What's changed since v1.14.3:

  • New features:
    • Important change: Added Azure.Resource.SupportsTags selector by @BernieWhite. #1339
      • Use this selector in custom rules to filter rules to only run against resources that support tags.
      • This selector replaces the SupportsTags PowerShell function.
      • Using the SupportsTag function will now result in a warning.
      • The SupportsTags function will be removed in v2.
      • See upgrade notes for more information.
  • Updated rules:
    • Azure Kubernetes Service:
      • Updated Azure.AKS.Version to use latest stable version 1.22.6 by @BernieWhite. #1386
        • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
  • Engineering:
    • Added code signing of module by @BernieWhite. #1379
    • Added SBOM manifests to module by @BernieWhite. #1380
    • Embedded provider and alias information as manifest resources by @BernieWhite. #1383
      • Resources are minified and compressed to improve size and speed.
    • Added additional nodeps manifest that does not include dependencies for Az modules by @BernieWhite. #1392
    • Bump Az.Accounts to 2.7.6. #1338
    • Bump Az.Resources to 5.6.0. #1338
    • Bump PSRule to 2.1.0. #1338
    • Bump Pester to 5.3.3. #1338
  • Bug fixes:
    • Fixed dependency chain order when dependsOn copy by @BernieWhite. #1381
    • Fixed error calling SupportsTags function by @BernieWhite. #1401

What's changed since pre-release v1.15.0-B0053:

  • Bug fixes:
    • Fixed error calling SupportsTags function by @BernieWhite. #1401

v1.15.0-B0053 (pre-release)#

What's changed since pre-release v1.15.0-B0022:

  • New features:
    • Important change: Added Azure.Resource.SupportsTags selector. #1339
      • Use this selector in custom rules to filter rules to only run against resources that support tags.
      • This selector replaces the SupportsTags PowerShell function.
      • Using the SupportsTag function will now result in a warning.
      • The SupportsTags function will be removed in v2.
      • See upgrade notes for more information.
  • Engineering:
    • Embedded provider and alias information as manifest resources. #1383
      • Resources are minified and compressed to improve size and speed.
    • Added additional nodeps manifest that does not include dependencies for Az modules. #1392
    • Bump Az.Accounts to 2.7.6. #1338
    • Bump Az.Resources to 5.6.0. #1338
    • Bump PSRule to 2.1.0. #1338
    • Bump Pester to 5.3.3. #1338

v1.15.0-B0022 (pre-release)#

What's changed since v1.14.3:

  • Updated rules:
    • Azure Kubernetes Service:
      • Updated Azure.AKS.Version to use latest stable version 1.22.6. #1386
        • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
  • Engineering:
    • Added code signing of module. #1379
    • Added SBOM manifests to module. #1380
  • Bug fixes:
    • Fixed dependency chain order when dependsOn copy. #1381

v1.14.3#

What's changed since v1.14.2:

  • Bug fixes:
    • Fixed Azure Firewall threat intel mode reported for Secure VNET hubs. #1365
    • Fixed array function handling with mock objects. #1367

v1.14.2#

What's changed since v1.14.1:

  • Bug fixes:
    • Fixed handling of parent resources when sub resource is in a separate deployment. #1360

v1.14.1#

What's changed since v1.14.0:

  • Bug fixes:
    • Fixed unable to set parameter defaults option with type object. #1355

v1.14.0#

What's changed since v1.13.4:

  • New features:
    • Added support for referencing resources in template. #1315
      • The reference() function can be used to reference resources in template.
      • A placeholder value is still used for resources outside of the template.
    • Added March 2022 baselines Azure.GA_2022_03 and Azure.Preview_2022_03. #1334
      • Includes rules released before or during March 2022.
      • Marked Azure.GA_2021_12 and Azure.Preview_2021_12 baselines as obsolete.
    • Experimental: Cmdlets to validate objects with Azure policy conditions:
      • Export-AzPolicyAssignmentData - Exports policy assignment data. #1266
      • Export-AzPolicyAssignmentRuleData - Exports JSON rules from policy assignment data. #1278
      • Get-AzPolicyAssignmentDataSource - Discovers policy assignment data. #1340
      • See cmdlet help for limitations and usage.
      • Additional information will be posted as this feature evolves here.
  • New rules:
    • SignalR Service:
      • Check services use Managed Identities. #1306
      • Check services use a SKU with an SLA. #1307
    • Web PubSub Service:
      • Check services use Managed Identities. #1308
      • Check services use a SKU with an SLA. #1309
  • Updated rules:
    • Azure Kubernetes Service:
      • Updated Azure.AKS.Version to use latest stable version 1.21.9. #1318
        • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
  • Engineering:
    • Cache Azure Policy Aliases. #1277
    • Cleanup of additional alias metadata. #1351
  • Bug fixes:
    • Fixed index was out of range with split on mock properties. #1327
    • Fixed mock objects with no properties. #1347
    • Fixed sub-resources nesting by scope regression. #1348
    • Fixed expand of runtime properties on reference objects. #1324
    • Fixed processing of deployment outputs. #1316

What's changed since pre-release v1.14.0-B2204013:

  • No additional changes.

v1.14.0-B2204013 (pre-release)#

What's changed since pre-release v1.14.0-B2204007:

  • Engineering:
    • Cleanup of additional alias metadata. #1351

v1.14.0-B2204007 (pre-release)#

What's changed since pre-release v1.14.0-B2203117:

  • Bug fixes:
    • Fixed mock objects with no properties. #1347
    • Fixed sub-resources nesting by scope regression. #1348

v1.14.0-B2203117 (pre-release)#

What's changed since pre-release v1.14.0-B2203088:

  • New features:
    • Experimental: Cmdlets to validate objects with Azure policy conditions:
      • Export-AzPolicyAssignmentData - Exports policy assignment data. #1266
      • Export-AzPolicyAssignmentRuleData - Exports JSON rules from policy assignment data. #1278
      • Get-AzPolicyAssignmentDataSource - Discovers policy assignment data. #1340
      • See cmdlet help for limitations and usage.
      • Additional information will be posted as this feature evolves here.
  • Engineering:
    • Cache Azure Policy Aliases. #1277
  • Bug fixes:
    • Fixed index was out of range with split on mock properties. #1327

v1.14.0-B2203088 (pre-release)#

What's changed since pre-release v1.14.0-B2203066:

  • New features:
    • Added March 2022 baselines Azure.GA_2022_03 and Azure.Preview_2022_03. #1334
      • Includes rules released before or during March 2022.
      • Marked Azure.GA_2021_12 and Azure.Preview_2021_12 baselines as obsolete.
  • Bug fixes:
    • Fixed expand of runtime properties on reference objects. #1324

v1.14.0-B2203066 (pre-release)#

What's changed since v1.13.4:

  • New features:
    • Added support for referencing resources in template. #1315
      • The reference() function can be used to reference resources in template.
      • A placeholder value is still used for resources outside of the template.
  • New rules:
    • SignalR Service:
      • Check services use Managed Identities. #1306
      • Check services use a SKU with an SLA. #1307
    • Web PubSub Service:
      • Check services use Managed Identities. #1308
      • Check services use a SKU with an SLA. #1309
  • Updated rules:
    • Azure Kubernetes Service:
      • Updated Azure.AKS.Version to use latest stable version 1.21.9. #1318
        • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
  • Bug fixes:
    • Fixed processing of deployment outputs. #1316

v1.13.4#

What's changed since v1.13.3:

  • Bug fixes:
    • Fixed virtual network without any subnets is invalid. #1303
    • Fixed container registry rules that require a premium tier. #1304
      • Rules Azure.ACR.Retention and Azure.ACR.ContentTrust are now only run against premium instances.

v1.13.3#

What's changed since v1.13.2:

  • Bug fixes:
    • Fixed bicep build timeout for complex deployments. #1299

v1.13.2#

What's changed since v1.13.1:

  • Engineering:
    • Bump PowerShellStandard.Library to 5.1.1. #1295
  • Bug fixes:
    • Fixed nested resource loops. #1293

v1.13.1#

What's changed since v1.13.0:

  • Bug fixes:
    • Fixed parsing of nested quote pairs within JSON function. #1288

v1.13.0#

What's changed since v1.12.2:

  • New features:
    • Added support for setting defaults for required parameters. #1065
      • When specified, the value will be used when a parameter value is not provided.
    • Added support expanding Bicep from parameter files. #1160
  • New rules:
    • Azure Cache for Redis:
      • Limit public access for Azure Cache for Redis instances. #935
    • Container App:
      • Check insecure ingress is not enabled (preview). #1252
    • Key Vault:
      • Check key auto-rotation is enabled (preview). #1159
    • Recovery Services Vault:
      • Check vaults have replication alerts configured. #7
  • Engineering:
    • Automatically build baseline docs. #1242
    • Bump PSRule dependency to v1.11.1. #1269
  • Bug fixes:
    • Fixed empty value with strong type. #1258
    • Fixed error with empty logic app trigger. #1249
    • Fixed out of order parameters. #1257
    • Fixed mapping default configuration causes cast exception. #1274
    • Fixed resource id is incorrectly built for sub resource types. #1279

What's changed since pre-release v1.13.0-B2202113:

  • No additional changes.

v1.13.0-B2202113 (pre-release)#

What's changed since pre-release v1.13.0-B2202108:

  • Bug fixes:
    • Fixed resource id is incorrectly built for sub resource types. #1279

v1.13.0-B2202108 (pre-release)#

What's changed since pre-release v1.13.0-B2202103:

  • Bug fixes:
    • Fixed mapping default configuration causes cast exception. #1274

v1.13.0-B2202103 (pre-release)#

What's changed since pre-release v1.13.0-B2202090:

  • Engineering:
    • Bump PSRule dependency to v1.11.1. #1269
  • Bug fixes:
    • Fixed out of order parameters. #1257

v1.13.0-B2202090 (pre-release)#

What's changed since pre-release v1.13.0-B2202063:

  • New rules:
    • Azure Cache for Redis:
      • Limit public access for Azure Cache for Redis instances. #935
  • Engineering:
    • Automatically build baseline docs. #1242
  • Bug fixes:
    • Fixed empty value with strong type. #1258

v1.13.0-B2202063 (pre-release)#

What's changed since v1.12.2:

  • New features:
    • Added support for setting defaults for required parameters. #1065
      • When specified, the value will be used when a parameter value is not provided.
    • Added support expanding Bicep from parameter files. #1160
  • New rules:
    • Container App:
      • Check insecure ingress is not enabled (preview). #1252
    • Key Vault:
      • Check key auto-rotation is enabled (preview). #1159
    • Recovery Services Vault:
      • Check vaults have replication alerts configured. #7
  • Bug fixes:
    • Fixed error with empty logic app trigger. #1249

v1.12.2#

What's changed since v1.12.1:

  • Bug fixes:
    • Fixed detect strong type requirements for nested deployments. #1235

v1.12.1#

What's changed since v1.12.0:

  • Bug fixes:
    • Fixed Bicep already exists with PSRule v2. #1232

v1.12.0#

What's changed since v1.11.1:

  • New rules:
    • Data Explorer:
      • Check clusters use Managed Identities. #1207
      • Check clusters use a SKU with a SLA. #1208
      • Check clusters use disk encryption. #1209
      • Check clusters are in use with databases. #1215
    • Event Hub:
      • Check namespaces are in use with event hubs. #1216
      • Check namespaces only accept identity-based authentication. #1217
    • Azure Recovery Services Vault:
      • Check vaults use geo-redundant storage. #5
    • Service Bus:
      • Check namespaces are in use with queues and topics. #1218
      • Check namespaces only accept identity-based authentication. #1219
  • Updated rules:
    • Azure Kubernetes Service:
      • Updated Azure.AKS.Version to use latest stable version 1.21.7. #1188
        • Pinned latest GA baseline Azure.GA_2021_12 to previous version 1.20.5.
        • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • Azure API Management:
      • Check service disabled insecure ciphers. #1128
      • Refactored the cipher and protocol rule into individual rules.
        • Azure.APIM.Protocols
        • Azure.APIM.Ciphers
  • General improvements:
    • Important change: Replaced Azure_AKSMinimumVersion option with AZURE_AKS_CLUSTER_MINIMUM_VERSION. #941
      • For compatibility, if Azure_AKSMinimumVersion is set it will be used instead of AZURE_AKS_CLUSTER_MINIMUM_VERSION.
      • If only AZURE_AKS_CLUSTER_MINIMUM_VERSION is set, this value will be used.
      • The default will be used neither options are configured.
      • If Azure_AKSMinimumVersion is set a warning will be generated until the configuration is removed.
      • Support for Azure_AKSMinimumVersion is deprecated and will be removed in v2.
      • See upgrade notes for details.
  • Bug fixes:
    • Fixed false positive of blob container with access unspecified. #1212

What's changed since pre-release v1.12.0-B2201086:

  • No additional changes.

v1.12.0-B2201086 (pre-release)#

What's changed since pre-release v1.12.0-B2201067:

  • New rules:
    • Data Explorer:
      • Check clusters are in use with databases. #1215
    • Event Hub:
      • Check namespaces are in use with event hubs. #1216
      • Check namespaces only accept identity-based authentication. #1217
    • Azure Recovery Services Vault:
      • Check vaults use geo-redundant storage. #5
    • Service Bus:
      • Check namespaces are in use with queues and topics. #1218
      • Check namespaces only accept identity-based authentication. #1219

v1.12.0-B2201067 (pre-release)#

What's changed since pre-release v1.12.0-B2201054:

  • New rules:
    • Data Explorer:
      • Check clusters use Managed Identities. #1207
      • Check clusters use a SKU with a SLA. #1208
      • Check clusters use disk encryption. #1209
  • Bug fixes:
    • Fixed false positive of blob container with access unspecified. #1212

v1.12.0-B2201054 (pre-release)#

What's changed since v1.11.1:

  • Updated rules:
    • Azure Kubernetes Service:
      • Updated Azure.AKS.Version to use latest stable version 1.21.7. #1188
        • Pinned latest GA baseline Azure.GA_2021_12 to previous version 1.20.5.
        • Use AZURE_AKS_CLUSTER_MINIMUM_VERSION to configure the minimum version of the cluster.
    • Azure API Management:
      • Check service disabled insecure ciphers. #1128
      • Refactored the cipher and protocol rule into individual rules.
        • Azure.APIM.Protocols
        • Azure.APIM.Ciphers
  • General improvements:
    • Important change: Replaced Azure_AKSMinimumVersion option with AZURE_AKS_CLUSTER_MINIMUM_VERSION. #941
      • For compatibility, if Azure_AKSMinimumVersion is set it will be used instead of AZURE_AKS_CLUSTER_MINIMUM_VERSION.
      • If only AZURE_AKS_CLUSTER_MINIMUM_VERSION is set, this value will be used.
      • The default will be used neither options are configured.
      • If Azure_AKSMinimumVersion is set a warning will be generated until the configuration is removed.
      • Support for Azure_AKSMinimumVersion is deprecated and will be removed in v2.
      • See upgrade notes for details.

v1.11.1#

What's changed since v1.11.0:

  • Bug fixes:
    • Fixed Azure.AKS.CNISubnetSize rule to use CNI selector. #1178

v1.11.0#

What's changed since v1.10.4:

  • New features:
    • Added baselines containing only Azure preview features. #1129
      • Added baseline Azure.Preview_2021_09.
      • Added baseline Azure.Preview_2021_12.
    • Added Azure.GA_2021_12 baseline. #1146
      • Includes rules released before or during December 2021 for Azure GA features.
      • Marked baseline Azure.GA_2021_09 as obsolete.
    • Bicep support promoted from experimental to generally available (GA). #1176
  • New rules:
    • All resources:
      • Check comments for each template resource. #969
    • Automation Account:
      • Automation accounts should enable diagnostic logs. #1075
    • Azure Kubernetes Service:
      • Check clusters have the HTTP application routing add-on disabled. #1131
      • Check clusters use the Secrets Store CSI Driver add-on. #992
      • Check clusters autorotation with the Secrets Store CSI Driver add-on. #993
      • Check clusters use Azure AD Pod Managed Identities (preview). #991
    • Azure Redis Cache:
      • Use availability zones for Azure Cache for Redis for regions that support it. #1078
        • Azure.Redis.AvailabilityZone
        • Azure.RedisEnterprise.Zones
    • Application Security Group:
      • Check Application Security Groups meet naming requirements. #1110
    • Firewall:
      • Check Firewalls meet naming requirements. #1110
      • Check Firewall policies meet naming requirements. #1110
    • Private Endpoint:
      • Check Private Endpoints meet naming requirements. #1110
    • Virtual WAN:
      • Check Virtual WANs meet naming requirements. #1110
  • Updated rules:
    • Azure Kubernetes Service:
      • Promoted Azure.AKS.AutoUpgrade to GA rule set. #1130
  • General improvements:
    • Added support for template function tenant(). #1124
    • Added support for template function managementGroup(). #1125
    • Added support for template function pickZones(). #518
  • Engineering:
    • Rule refactoring of rules from PowerShell to YAML. #1109
      • The following rules were refactored:
        • Azure.LB.Name
        • Azure.NSG.Name
        • Azure.Firewall.Mode
        • Azure.Route.Name
        • Azure.VNET.Name
        • Azure.VNG.Name
        • Azure.VNG.ConnectionName
        • Azure.AppConfig.SKU
        • Azure.AppConfig.Name
        • Azure.AppInsights.Workspace
        • Azure.AppInsights.Name
        • Azure.Cosmos.AccountName
        • Azure.FrontDoor.State
        • Azure.FrontDoor.Name
        • Azure.FrontDoor.WAF.Mode
        • Azure.FrontDoor.WAF.Enabled
        • Azure.FrontDoor.WAF.Name
        • Azure.AKS.MinNodeCount
        • Azure.AKS.ManagedIdentity
        • Azure.AKS.StandardLB
        • Azure.AKS.AzurePolicyAddOn
        • Azure.AKS.ManagedAAD
        • Azure.AKS.AuthorizedIPs
        • Azure.AKS.LocalAccounts
        • Azure.AKS.AzureRBAC
  • Bug fixes:
    • Fixed output of Bicep informational and warning messages in error stream. #1157

What's changed since pre-release v1.11.0-B2112112:

  • New features:
    • Bicep support promoted from experimental to generally available (GA). #1176

v1.11.0-B2112112 (pre-release)#

What's changed since pre-release v1.11.0-B2112104:

  • New rules:
    • Azure Redis Cache:
      • Use availability zones for Azure Cache for Redis for regions that support it. #1078
        • Azure.Redis.AvailabilityZone
        • Azure.RedisEnterprise.Zones

v1.11.0-B2112104 (pre-release)#

What's changed since pre-release v1.11.0-B2112073:

  • New rules:
    • Azure Kubernetes Service:
      • Check clusters use Azure AD Pod Managed Identities (preview). #991
  • Engineering:
    • Rule refactoring of rules from PowerShell to YAML. #1109
      • The following rules were refactored:
        • Azure.AppConfig.SKU
        • Azure.AppConfig.Name
        • Azure.AppInsights.Workspace
        • Azure.AppInsights.Name
        • Azure.Cosmos.AccountName
        • Azure.FrontDoor.State
        • Azure.FrontDoor.Name
        • Azure.FrontDoor.WAF.Mode
        • Azure.FrontDoor.WAF.Enabled
        • Azure.FrontDoor.WAF.Name
        • Azure.AKS.MinNodeCount
        • Azure.AKS.ManagedIdentity
        • Azure.AKS.StandardLB
        • Azure.AKS.AzurePolicyAddOn
        • Azure.AKS.ManagedAAD
        • Azure.AKS.AuthorizedIPs
        • Azure.AKS.LocalAccounts
        • Azure.AKS.AzureRBAC
  • Bug fixes:
    • Fixed output of Bicep informational and warning messages in error stream. #1157
    • Fixed obsolete flag for baseline Azure.Preview_2021_12. #1166

v1.11.0-B2112073 (pre-release)#

What's changed since pre-release v1.11.0-B2112024:

  • New features:
    • Added baselines containing only Azure preview features. #1129
      • Added baseline Azure.Preview_2021_09.
      • Added baseline Azure.Preview_2021_12.
    • Added Azure.GA_2021_12 baseline. #1146
      • Includes rules released before or during December 2021 for Azure GA features.
      • Marked baseline Azure.GA_2021_09 as obsolete.
  • New rules:
    • All resources:
      • Check comments for each template resource. #969
  • Bug fixes:
    • Fixed template function equals parameter count mismatch. #1137
    • Fixed copy loop on nested deployment parameters is not handled. #1144
    • Fixed outer copy loop of nested deployment. #1154

v1.11.0-B2112024 (pre-release)#

What's changed since pre-release v1.11.0-B2111014:

  • New rules:
    • Azure Kubernetes Service:
      • Check clusters have the HTTP application routing add-on disabled. #1131
      • Check clusters use the Secrets Store CSI Driver add-on. #992
      • Check clusters autorotation with the Secrets Store CSI Driver add-on. #993
    • Automation Account:
      • Automation accounts should enable diagnostic logs. #1075
  • Updated rules:
    • Azure Kubernetes Service:
      • Promoted Azure.AKS.AutoUpgrade to GA rule set. #1130
  • General improvements:
    • Added support for template function tenant(). #1124
    • Added support for template function managementGroup(). #1125
    • Added support for template function pickZones(). #518
  • Bug fixes:
    • Fixed Azure.Policy.WaiverExpiry date conversion. #1118

v1.11.0-B2111014 (pre-release)#

What's changed since v1.10.0:

  • New rules:
    • Application Security Group:
      • Check Application Security Groups meet naming requirements. #1110
    • Firewall:
      • Check Firewalls meet naming requirements. #1110
      • Check Firewall policies meet naming requirements. #1110
    • Private Endpoint:
      • Check Private Endpoints meet naming requirements. #1110
    • Virtual WAN:
      • Check Virtual WANs meet naming requirements. #1110
  • Engineering:
    • Rule refactoring of rules from PowerShell to YAML. #1109
      • The following rules were refactored:
        • Azure.LB.Name
        • Azure.NSG.Name
        • Azure.Firewall.Mode
        • Azure.Route.Name
        • Azure.VNET.Name
        • Azure.VNG.Name
        • Azure.VNG.ConnectionName

v1.10.4#

What's changed since v1.10.3:

  • Bug fixes:
    • Fixed outer copy loop of nested deployment. #1154

v1.10.3#

What's changed since v1.10.2:

  • Bug fixes:
    • Fixed copy loop on nested deployment parameters is not handled. #1144

v1.10.2#

What's changed since v1.10.1:

  • Bug fixes:
    • Fixed template function equals parameter count mismatch. #1137

v1.10.1#

What's changed since v1.10.0:

  • Bug fixes:
    • Fixed Azure.Policy.WaiverExpiry date conversion. #1118

v1.10.0#

What's changed since v1.9.1:

  • New features:
    • Added support for parameter strong types. #1083
      • The value of string parameters can be tested against the expected type.
      • When configuring a location strong type, the parameter value must be a valid Azure location.
      • When configuring a resource type strong type, the parameter value must be a matching resource Id.
  • New rules:
    • All resources:
      • Check template expressions do not exceed a maximum length. #1006
    • Automation Service:
      • Check automation accounts should use managed identities for authentication. #1074
    • Event Grid:
      • Check topics and domains use managed identities. #1091
      • Check topics and domains use private endpoints. #1092
      • Check topics and domains use identity-based authentication. #1093
  • General improvements:
    • Updated default baseline to use module configuration. #1089
  • Engineering:
    • Bump PSRule dependency to v1.9.0. #1081
    • Bump Microsoft.CodeAnalysis.NetAnalyzers to v6.0.0. #1080
    • Bump Microsoft.SourceLink.GitHub to 1.1.1. #1085
  • Bug fixes:
    • Fixed expansion of secret references. #1098
    • Fixed handling of tagging for deployments. #1099
    • Fixed strong type issue flagged with empty defaultValue string. #1100

What's changed since pre-release v1.10.0-B2111081:

  • No additional changes.

v1.10.0-B2111081 (pre-release)#

What's changed since pre-release v1.10.0-B2111072:

  • New rules:
    • Automation Service:
      • Automation accounts should use managed identities for authentication. #1074

v1.10.0-B2111072 (pre-release)#

What's changed since pre-release v1.10.0-B2111058:

  • New rules:
    • All resources:
      • Check template expressions do not exceed a maximum length. #1006
  • Bug fixes:
    • Fixed expansion of secret references. #1098
    • Fixed handling of tagging for deployments. #1099
    • Fixed strong type issue flagged with empty defaultValue string. #1100

v1.10.0-B2111058 (pre-release)#

What's changed since pre-release v1.10.0-B2111040:

  • New rules:
    • Event Grid:
      • Check topics and domains use managed identities. #1091
      • Check topics and domains use private endpoints. #1092
      • Check topics and domains use identity-based authentication. #1093
  • General improvements:
    • Updated default baseline to use module configuration. #1089

v1.10.0-B2111040 (pre-release)#

What's changed since v1.9.1:

  • New features:
    • Added support for parameter strong types. #1083
      • The value of string parameters can be tested against the expected type.
      • When configuring a location strong type, the parameter value must be a valid Azure location.
      • When configuring a resource type strong type, the parameter value must be a matching resource Id.
  • Engineering:
    • Bump PSRule dependency to v1.9.0. #1081
    • Bump Microsoft.CodeAnalysis.NetAnalyzers to v6.0.0. #1080
    • Bump Microsoft.SourceLink.GitHub to 1.1.1. #1085

v1.9.1#

What's changed since v1.9.0:

  • Bug fixes:
    • Fixed can not index into resource group tags. #1066
    • Fixed Azure.VM.ASMinMembers for template deployments. #1064
    • Fixed zones property not found on public IP resource. #1070

v1.9.0#

What's changed since v1.8.1:

  • New rules:
    • API Management Service:
      • Check API management services are using availability zones when available. #1017
    • Public IP Address:
      • Check Public IP addresses are configured with zone-redundancy. #958
      • Check Public IP addresses are using Standard SKU. #979
    • User Assigned Managed Identity:
      • Check identities meet naming requirements. #1021
    • Virtual Network Gateway:
      • Check VPN/ExpressRoute gateways are configured with availability zone SKU. #926
  • General improvements:
    • Improved processing of AzOps generated templates. #799
      • Azure.Template.DefineParameters is ignored for AzOps generated templates.
      • Azure.Template.UseLocationParameter is ignored for AzOps generated templates.
    • Bicep is now installed when using PSRule GitHub Action. #1050
  • Engineering:
    • Bump PSRule dependency to v1.8.0. #1018
    • Added automated PR workflow to bump providers.json monthly. #1041
  • Bug fixes:
    • Fixed AKS Network Policy should accept calico. #1046
    • Fixed Azure.ACR.AdminUser fails when adminUserEnabled not set. #1014
    • Fixed Azure.KeyVault.Logs reports cannot index into a null array. #1024
    • Fixed template function empty returns object reference not set exception. #1025
    • Fixed delayed binding of and template function. #1026
    • Fixed template function array nests array with array parameters. #1027
    • Fixed property used by Azure.ACR.MinSKU to work more reliably with templates. #1034
    • Fixed could not determine JSON object type for MockMember using CreateObject. #1035
    • Fixed Bicep convention ordering. #1053

What's changed since pre-release v1.9.0-B2110087:

  • No additional changes.

v1.9.0-B2110087 (pre-release)#

What's changed since pre-release v1.9.0-B2110082:

  • Bug fixes:
    • Fixed Bicep convention ordering. #1053

v1.9.0-B2110082 (pre-release)#

What's changed since pre-release v1.9.0-B2110059:

  • General improvements:
    • Bicep is now installed when using PSRule GitHub Action. #1050
  • Engineering:
    • Added automated PR workflow to bump providers.json monthly. #1041
  • Bug fixes:
    • Fixed AKS Network Policy should accept calico. #1046

v1.9.0-B2110059 (pre-release)#

What's changed since pre-release v1.9.0-B2110040:

  • New rules:
    • API Management Service:
      • Check API management services are using availability zones when available. #1017
  • Bug fixes:
    • Fixed property used by Azure.ACR.MinSKU to work more reliably with templates. #1034
    • Fixed could not determine JSON object type for MockMember using CreateObject. #1035

v1.9.0-B2110040 (pre-release)#

What's changed since pre-release v1.9.0-B2110025:

  • New rules:
    • User Assigned Managed Identity:
      • Check identities meet naming requirements. #1021
  • Bug fixes:
    • Fixed Azure.KeyVault.Logs reports cannot index into a null array. #1024
    • Fixed template function empty returns object reference not set exception. #1025
    • Fixed delayed binding of and template function. #1026
    • Fixed template function array nests array with array parameters. #1027

v1.9.0-B2110025 (pre-release)#

What's changed since pre-release v1.9.0-B2110014:

  • Engineering:
    • Bump PSRule dependency to v1.8.0. #1018
  • Bug fixes:
    • Fixed Azure.ACR.AdminUser fails when adminUserEnabled not set. #1014

v1.9.0-B2110014 (pre-release)#

What's changed since pre-release v1.9.0-B2110009:

  • Bug fixes:
    • Fixed expression out of range of valid values. #1005
    • Fixed template expand fails in nested reference expansion. #1007

v1.9.0-B2110009 (pre-release)#

What's changed since pre-release v1.9.0-B2109027:

  • Bug fixes:
    • Fixed handling of comments with template and parameter file rules. #996
    • Fixed Azure.Template.UseLocationParameter to only apply to templates deployed as RG scope #995
    • Fixed expand template fails with createObject when no parameters are specified. #1000

v1.9.0-B2109027 (pre-release)#

What's changed since v1.8.0:

  • New rules:
    • Public IP Address:
      • Check Public IP addresses are configured with zone-redundancy. #958
      • Check Public IP addresses are using Standard SKU. #979
    • Virtual Network Gateway:
      • Check VPN/ExpressRoute gateways are configured with availability zone SKU. #926
  • General improvements:
    • Improved processing of AzOps generated templates. #799
      • Azure.Template.DefineParameters is ignored for AzOps generated templates.
      • Azure.Template.UseLocationParameter is ignored for AzOps generated templates.
  • Bug fixes:
    • Fixed ToUpper fails to convert character. #986

v1.8.1#

What's changed since v1.8.0:

  • Bug fixes:
    • Fixed handling of comments with template and parameter file rules. #996
    • Fixed Azure.Template.UseLocationParameter to only apply to templates deployed as RG scope #995
    • Fixed expand template fails with createObject when no parameters are specified. #1000
    • Fixed ToUpper fails to convert character. #986
    • Fixed expression out of range of valid values. #1005
    • Fixed template expand fails in nested reference expansion. #1007

v1.8.0#

What's changed since v1.7.0:

  • New features:
    • Added Azure.GA_2021_09 baseline. #961
      • Includes rules released before or during September 2021 for Azure GA features.
      • Marked baseline Azure.GA_2021_06 as obsolete.
  • New rules:
    • Application Gateway:
      • Check App Gateways should use availability zones when available. Thanks @ArmaanMcleod. #928
    • Azure Kubernetes Service:
    • Cosmos DB:
      • Check DB account names meet naming requirements. #954
      • Check DB accounts use Azure AD identities for resource management operations. #953
    • Load Balancer:
  • Engineering:
    • Bump PSRule dependency to v1.7.2. #951
    • Automated update of availability zone information in providers.json. #907
    • Increased test coverage of rule reasons. Thanks @ArmaanMcleod. #960
  • Bug fixes:
    • Fixed export of in-flight AKS related subnets for kubenet clusters. Thanks @ArmaanMcleod. #920
    • Fixed plan instance count is not applicable to Elastic Premium plans. #946
    • Fixed minimum App Service Plan fails Elastic Premium plans. #945
    • Fixed App Service Plan should include PremiumV3 plan. #944
    • Fixed Azure.VM.NICAttached with private endpoints. #932
    • Fixed Bicep CLI fails with unexpected end of content. #889
    • Fixed incomplete reason message for Azure.Storage.MinTLS. #971
    • Fixed false positive of Azure.Storage.UseReplication with large file storage. #965

What's changed since pre-release v1.8.0-B2109060:

  • No additional changes.

v1.8.0-B2109086 (pre-release)#

What's changed since pre-release v1.8.0-B2109060:

  • New rules:
    • Load Balancer:
  • Engineering:
  • Bug fixes:
    • Fixed Bicep CLI fails with unexpected end of content. #889
    • Fixed incomplete reason message for Azure.Storage.MinTLS. #971
    • Fixed false positive of Azure.Storage.UseReplication with large file storage. #965

v1.8.0-B2109060 (pre-release)#

What's changed since pre-release v1.8.0-B2109046:

  • New features:
    • Added Azure.GA_2021_09 baseline. #961
      • Includes rules released before or during September 2021 for Azure GA features.
      • Marked baseline Azure.GA_2021_06 as obsolete.
  • New rules:
    • Load Balancer:
      • Check Load Balancers are configured with zone-redundancy. Thanks @ArmaanMcleod. #927

v1.8.0-B2109046 (pre-release)#

What's changed since pre-release v1.8.0-B2109020:

  • New rules:
    • Application Gateway:
      • Check App Gateways should use availability zones when available. Thanks @ArmaanMcleod. #928
    • Cosmos DB:
      • Check DB account names meet naming requirements. #954
      • Check DB accounts use Azure AD identities for resource management operations. #953
  • Bug fixes:
    • Fixed plan instance count is not applicable to Elastic Premium plans. #946
    • Fixed minimum App Service Plan fails Elastic Premium plans. #945
    • Fixed App Service Plan should include PremiumV3 plan. #944
    • Fixed Azure.VM.NICAttached with private endpoints. #932
  • Engineering:
    • Bump PSRule dependency to v1.7.2. #951

v1.8.0-B2109020 (pre-release)#

What's changed since pre-release v1.8.0-B2108026:

  • New rules:
    • Azure Kubernetes Service:
  • Engineering:
    • Bump PSRule dependency to v1.7.0. #938

v1.8.0-B2108026 (pre-release)#

What's changed since pre-release v1.8.0-B2108013:

  • New rules:
    • Azure Kubernetes Service:
      • Check clusters use Container Insights for monitoring workloads. Thanks @ArmaanMcleod. #881
  • Bug fixes:
    • Fixed export of in-flight AKS related subnets for kubenet clusters. Thanks @ArmaanMcleod. #920

v1.8.0-B2108013 (pre-release)#

What's changed since v1.7.0:

  • New rules:
    • Azure Kubernetes Service:
  • Engineering:
    • Bump PSRule dependency to v1.6.1. #913
    • Automated update of availability zone information in providers.json. #907

v1.7.0#

What's changed since v1.6.0:

  • New rules:
    • All resources:
      • Check template parameter files use metadata links. #846
        • Configure the AZURE_PARAMETER_FILE_METADATA_LINK option to enable this rule.
      • Check template files use a recent schema. #845
      • Check template files use a https schema scheme. #894
      • Check template parameter files use a https schema scheme. #894
      • Check template parameters set a value. #896
      • Check template parameters use a valid secret reference. #897
    • Azure Kubernetes Service:
      • Check clusters using Azure CNI should use large subnets. Thanks @ArmaanMcleod. #273
      • Check clusters use auto-scale node pools. Thanks @ArmaanMcleod. #218
        • By default, a minimum of a /23 subnet is required.
        • Configure AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE to change the default minimum subnet size.
    • Storage Account:
      • Check Storage Accounts only accept explicitly allowed network traffic. #884
  • Updated rules:
    • Virtual Network:
      • Excluded AzureFirewallManagementSubnet from Azure.VNET.UseNSGs. #869
  • General improvements:
    • Added version information to bicep compilation exceptions. #903
  • Engineering:
    • Bump PSRule dependency to v1.6.0. #871
  • Bug fixes:
    • Fixed DateTimeAdd function and tests within timezones with DST. #891
    • Fixed Azure.Template.ParameterValue failing on empty value. #901

What's changed since pre-release v1.7.0-B2108059:

  • No additional changes.

v1.7.0-B2108059 (pre-release)#

What's changed since pre-release v1.7.0-B2108049:

  • General improvements:
    • Added version information to bicep compilation exceptions. #903
  • Bug fixes:
    • Fixed Azure.Template.ParameterValue failing on empty value. #901

v1.7.0-B2108049 (pre-release)#

What's changed since pre-release v1.7.0-B2108040:

  • New rules:
    • All resources:
      • Check template files use a recent schema. #845
      • Check template files use a https schema scheme. #894
      • Check template parameter files use a https schema scheme. #894
      • Check template parameters set a value. #896
      • Check template parameters use a valid secret reference. #897
  • Bug fixes:
    • Fixed DateTimeAdd function and tests within timezones with DST. #891

v1.7.0-B2108040 (pre-release)#

What's changed since pre-release v1.7.0-B2108020:

  • New rules:
    • All resources:
      • Check template parameter files use metadata links. #846
        • Configure the AZURE_PARAMETER_FILE_METADATA_LINK option to enable this rule.
    • Azure Kubernetes Service:
      • Check clusters using Azure CNI should use large subnets. Thanks @ArmaanMcleod. #273
        • By default, a minimum of a /23 subnet is required.
        • Configure AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE to change the default minimum subnet size.
    • Storage Account:
      • Check Storage Accounts only accept explicitly allowed network traffic. #884

v1.7.0-B2108020 (pre-release)#

What's changed since v1.6.0:

  • New rules:
    • Azure Kubernetes Service:
  • Updated rules:
    • Virtual Network:
      • Excluded AzureFirewallManagementSubnet from Azure.VNET.UseNSGs. #869
  • Engineering:
    • Bump PSRule dependency to v1.6.0. #871

v1.6.0#

What's changed since v1.5.1:

  • New features:
    • Experimental: Added support for expansion from Bicep source files. #848 #670 #858
      • Bicep support is currently experimental.
      • To opt-in set the AZURE_BICEP_FILE_EXPANSION configuration to true.
      • For more information see Using Bicep.
  • New rules:
    • Application Gateways:
      • Check Application Gateways publish endpoints by HTTPS. #841
  • Engineering:
    • Bump PSRule dependency to v1.5.0. #832
    • Migration of Pester v4 tests to Pester v5. Thanks @ArmaanMcleod. #395

What's changed since pre-release v1.6.0-B2108038:

  • Bug fixes:
    • Fixed Bicep expand creates deadlock and times out. #863

v1.6.0-B2108038 (pre-release)#

What's changed since pre-release v1.6.0-B2108023:

  • Bug fixes:
    • Fixed Bicep expand hangs analysis. #858

v1.6.0-B2108023 (pre-release)#

What's changed since pre-release v1.6.0-B2107028:

  • New features:
    • Experimental: Added support for expansion from Bicep source files. #848 #670
      • Bicep support is currently experimental.
      • To opt-in set the AZURE_BICEP_FILE_EXPANSION configuration to true.
      • For more information see Using Bicep.

v1.6.0-B2107028 (pre-release)#

What's changed since v1.5.1:

  • New rules:
    • Application Gateways:
      • Check Application Gateways publish endpoints by HTTPS. #841
  • Engineering:
    • Bump PSRule dependency to v1.5.0. #832

v1.5.1#

What's changed since v1.5.0:

  • Bug fixes:
    • Fixed rule does not detect more restrictive NSG rules. #831

v1.5.0#

What's changed since v1.4.1:

  • New features:
    • Added Azure.GA_2021_06 baseline. #822
      • Includes rules released before or during June 2021 for Azure GA features.
      • Marked baseline Azure.GA_2021_03 as obsolete.
  • New rules:
    • Application Insights:
      • Check App Insights resources use workspace-based configuration. #813
      • Check App Insights resources meet naming requirements. #814
  • General improvements:
    • Exclude not applicable rules for templates generated with Bicep and PSArm. #815
    • Updated rule help to use docs pages for online version. #824
  • Engineering:
    • Bump PSRule dependency to v1.4.0. #823
    • Bump YamlDotNet dependency to v11.2.1. #821
    • Migrate project to Azure GitHub organization and updated links. #800
  • Bug fixes:
    • Fixed detection of parameters and variables with line breaks. #811

What's changed since pre-release v1.5.0-B2107002:

  • No additional changes.

v1.5.0-B2107002 (pre-release)#

What's changed since pre-release v1.5.0-B2106018:

  • New features:
    • Added Azure.GA_2021_06 baseline. #822
      • Includes rules released before or during June 2021 for Azure GA features.
      • Marked baseline Azure.GA_2021_03 as obsolete.
  • General improvements:
    • Updated rule help to use docs pages for online version. #824
  • Engineering:
    • Bump PSRule dependency to v1.4.0. #823
    • Bump YamlDotNet dependency to v11.2.1. #821

v1.5.0-B2106018 (pre-release)#

What's changed since v1.4.1:

  • New rules:
    • Application Insights:
      • Check App Insights resources use workspace-based configuration. #813
      • Check App Insights resources meet naming requirements. #814
  • General improvements:
    • Exclude not applicable rules for templates generated with Bicep and PSArm. #815
  • Engineering:
    • Bump YamlDotNet dependency to v11.2.0. #801
    • Migrate project to Azure GitHub organization and updated links. #800
  • Bug fixes:
    • Fixed detection of parameters and variables with line breaks. #811

v1.4.1#

What's changed since v1.4.0:

  • Bug fixes:
    • Fixed boolean string conversion case. #793
    • Fixed case sensitive property matching. #794
    • Fixed automatic expansion of template parameter files. #796
      • Template parameter files are not automatically expanded by default.
      • To enable this, set the AZURE_PARAMETER_FILE_EXPANSION configuration option.

v1.4.0#

What's changed since v1.3.2:

  • New features:
    • Automatically expand template from parameter files for analysis. #772
      • Previously templates needed to be exported with Export-AzRuleTemplateData.
      • To export template data automatically use PSRule cmdlets with -Format File.
  • New rules:
    • Cognitive Search:
      • Check search services meet index SLA replica requirement. #761
      • Check search services meet query SLA replica requirement. #762
      • Check search services meet naming requirements. #763
      • Check search services use a minimum SKU. #764
      • Check search services use managed identities. #765
    • Azure Kubernetes Service:
      • Check clusters use AKS-managed Azure AD integration. #436
      • Check clusters have local account disabled (preview). #786
      • Check clusters have an auto-upgrade channel set (preview). #787
      • Check clusters limit access network access to the API server. #788
      • Check clusters used Azure RBAC for Kubernetes authorization. #789
  • Updated rules:
    • Azure Kubernetes Service:
      • Updated Azure.AKS.Version to 1.20.5. #767
  • General improvements:
    • Automatically nest template sub-resources for analysis. #746
      • Sub-resources such as diagnostic logs or configurations are automatically nested.
      • Automatic nesting a resource requires:
        • The parent resource is defined in the same template.
        • The sub-resource depends on the parent resource.
    • Added support for source location references to template files. #781
      • Output includes source location to resources exported from a templates.
  • Bug fixes:
    • Fixed string index parsing in expressions with whitespace. #775
    • Fixed base for DateTimeAdd is not a valid string. #777
  • Engineering:
    • Added source link to project. #783

What's changed since pre-release v1.4.0-B2105057:

  • No additional changes.

v1.4.0-B2105057 (pre-release)#

What's changed since pre-release v1.4.0-B2105050:

  • New rules:
    • Azure Kubernetes Service:
      • Check clusters use AKS-managed Azure AD integration. #436
      • Check clusters have local account disabled (preview). #786
      • Check clusters have an auto-upgrade channel set (preview). #787
      • Check clusters limit access network access to the API server. #788
      • Check clusters used Azure RBAC for Kubernetes authorization. #789
  • Updated rules:
    • Azure Kubernetes Service:
      • Updated Azure.AKS.Version to 1.20.5. #767
  • Engineering:
    • Added source link to project. #783

v1.4.0-B2105050 (pre-release)#

What's changed since pre-release v1.4.0-B2105044:

  • General improvements:
    • Added support for source location references to template files. #781
      • Output includes source location to resources exported from a templates.

v1.4.0-B2105044 (pre-release)#

What's changed since pre-release v1.4.0-B2105027:

  • New features:
    • Automatically expand template from parameter files for analysis. #772
      • Previously templates needed to be exported with Export-AzRuleTemplateData.
      • To export template data automatically use PSRule cmdlets with -Format File.
  • Bug fixes:
    • Fixed string index parsing in expressions with whitespace. #775
    • Fixed base for DateTimeAdd is not a valid string. #777

v1.4.0-B2105027 (pre-release)#

What's changed since pre-release v1.4.0-B2105020:

  • New rules:
    • Cognitive Search:
      • Check search services meet index SLA replica requirement. #761
      • Check search services meet query SLA replica requirement. #762
      • Check search services meet naming requirements. #763
      • Check search services use a minimum SKU. #764
      • Check search services use managed identities. #765

v1.4.0-B2105020 (pre-release)#

What's changed since v1.3.2:

  • General improvements:
    • Automatically nest template sub-resources for analysis. #746
      • Sub-resources such as diagnostic logs or configurations are automatically nested.
      • Automatic nesting a resource requires:
        • The parent resource is defined in the same template.
        • The sub-resource depends on the parent resource.

v1.3.2#

What's changed since v1.3.1:

  • Bug fixes:
    • Fixed rule reason reported the parameter inputObject is null. #753

v1.3.1#

What's changed since v1.3.0:

  • Engineering:
    • Bump PSRule dependency to v1.3.0. #749
    • Bump YamlDotNet dependency to v11.1.1. #742

v1.3.0#

What's changed since v1.2.1:

  • New rules:
    • Policy:
      • Check policy assignment display name and description are set. #725
      • Check policy assignment assigned by metadata is set. #726
      • Check policy exemption display name and description are set. #723
      • Check policy waiver exemptions have an expiry date set. #724
  • Removed rules:
    • Storage:
      • Remove Azure.Storage.UseEncryption as Storage Service Encryption (SSE) is always on. #630
        • SSE is on by default and can not be disabled.
  • General improvements:
    • Additional metadata added in parameter files is passed through with Get-AzRuleTemplateLink. #706
    • Improved binding support for File inputs. #480
      • Template and parameter file names now return a relative path instead of full path.
    • Added API version for each module resource. #729
  • Engineering:
    • Clean up depreciated warning message for configuration option azureAllowedRegions. #737
    • Clean up depreciated warning message for configuration option minAKSVersion. #738
    • Bump PSRule dependency to v1.2.0. #713
  • Bug fixes:
    • Fixed could not load file or assembly YamlDotNet. #741
      • This fix pins the PSRule version to v1.2.0 until the next stable release of PSRule for Azure.

What's changed since pre-release v1.3.0-B2104040:

  • No additional changes.

v1.3.0-B2104040 (pre-release)#

What's changed since pre-release v1.3.0-B2104034:

  • Bug fixes:
    • Fixed could not load file or assembly YamlDotNet. #741
      • This fix pins the PSRule version to v1.2.0 until the next stable release of PSRule for Azure.

v1.3.0-B2104034 (pre-release)#

What's changed since pre-release v1.3.0-B2104023:

  • New rules:
    • Policy:
      • Check policy assignment display name and description are set. #725
      • Check policy assignment assigned by metadata is set. #726
      • Check policy exemption display name and description are set. #723
      • Check policy waiver exemptions have an expiry date set. #724
  • Engineering:
    • Clean up depreciated warning message for configuration option azureAllowedRegions. #737
    • Clean up depreciated warning message for configuration option minAKSVersion. #738

v1.3.0-B2104023 (pre-release)#

What's changed since pre-release v1.3.0-B2104013:

  • General improvements:
    • Improved binding support for File inputs. #480
      • Template and parameter file names now return a relative path instead of full path.
    • Added API version for each module resource. #729

v1.3.0-B2104013 (pre-release)#

What's changed since pre-release v1.3.0-B2103007:

  • Engineering:
    • Bump PSRule dependency to v1.2.0. #713
  • Bug fixes:
    • Fixed export not expanding nested deployments. #715

v1.3.0-B2103007 (pre-release)#

What's changed since v1.2.0:

  • Removed rules:
    • Storage:
      • Remove Azure.Storage.UseEncryption as Storage Service Encryption (SSE) is always on. #630
        • SSE is on by default and can not be disabled.
  • General improvements:
    • Additional metadata added in parameter files is passed through with Get-AzRuleTemplateLink. #706

v1.2.1#

What's changed since v1.2.0:

  • Bug fixes:
    • Fixed export not expanding nested deployments. #715

v1.2.0#

What's changed since v1.1.4:

  • New features:
    • Added Azure.GA_2021_03 baseline. #673
      • Includes rules released before or during March 2021 for Azure GA features.
      • Marked baseline Azure.GA_2020_12 as obsolete.
  • New rules:
    • Key Vault:
      • Check vaults, keys, and secrets meet name requirements. #646
  • Updated rules:
    • Azure Kubernetes Service:
      • Updated Azure.AKS.Version to 1.19.7. #696
  • General improvements:
    • Added support for user defined functions in templates. #682
  • Engineering:
    • Bump PSRule dependency to v1.1.0. #692

What's changed since pre-release v1.2.0-B2103044:

  • No additional changes.

v1.2.0-B2103044 (pre-release)#

What's changed since pre-release v1.2.0-B2103032:

  • New features:
    • Added Azure.GA_2021_03 baseline. #673
      • Includes rules released before or during March 2021 for Azure GA features.
      • Marked baseline Azure.GA_2020_12 as obsolete.
  • Updated rules:
    • Azure Kubernetes Service:
      • Updated Azure.AKS.Version to 1.19.7. #696

v1.2.0-B2103032 (pre-release)#

What's changed since pre-release v1.2.0-B2103024:

  • New rules:
    • Key Vault:
      • Check vaults, keys, and secrets meet name requirements. #646
  • Engineering:
    • Bump PSRule dependency to v1.1.0. #692

v1.2.0-B2103024 (pre-release)#

What's changed since v1.1.4:

  • General improvements:
    • Added support for user defined functions in templates. #682

v1.1.4#

What's changed since v1.1.3:

  • Bug fixes:
    • Fixed handling of literal index with copyIndex function. #686
    • Fixed handling of inner scoped nested deployments. #687

v1.1.3#

What's changed since v1.1.2:

  • Bug fixes:
    • Fixed parsing of property names for functions across multiple lines. #683

v1.1.2#

What's changed since v1.1.1:

  • Bug fixes:
    • Fixed copy peer property resolve. #677
    • Fixed partial resource group or subscription object not populating. #678
    • Fixed lazy loading of environment and resource providers. #679

v1.1.1#

What's changed since v1.1.0:

  • Bug fixes:
    • Fixed support for parameter file schemas. #674

v1.1.0#

What's changed since v1.0.0:

  • New features:
    • Exporting template with Export-AzRuleTemplateData supports custom resource group and subscription. #651
      • Subscription and resource group used for deployment can be specified instead of using defaults.
      • ResourceGroupName parameter of Export-AzRuleTemplateData has been renamed to ResourceGroup.
      • Added a parameter alias for ResourceGroupName on Export-AzRuleTemplateData.
  • New rules:
    • All resources:
      • Check template parameters are defined. #631
      • Check location parameter is type string. #632
      • Check template parameter minValue and maxValue constraints are valid. #637
      • Check template resources do not use hard coded locations. #633
      • Check resource group location not referenced instead of location parameter. #634
      • Check increased debug detail is disabled for nested deployments. #638
  • General improvements:
    • Added support for matching template by name. #661
      • Get-AzRuleTemplateLink discovers <templateName>.json from <templateName>.parameters.json.
  • Engineering:
    • Bump PSRule dependency to v1.0.3. #648
  • Bug fixes:
    • Fixed Azure.VM.ADE to limit rule to exports only. #644
    • Fixed if condition values evaluation order. #652
    • Fixed handling of int parameters with large values. #653
    • Fixed handling of expressions split over multiple lines. #654
    • Fixed handling of bool parameter values within logical expressions. #655
    • Fixed copy loop value does not fall within the expected range. #664
    • Fixed template comparison functions handling of large integer values. #666
    • Fixed handling of createArray function with no arguments. #667

What's changed since pre-release v1.1.0-B2102034:

  • No additional changes.

v1.1.0-B2102034 (pre-release)#

What's changed since pre-release v1.1.0-B2102023:

  • General improvements:
    • Added support for matching template by name. #661
      • Get-AzRuleTemplateLink discovers <templateName>.json from <templateName>.parameters.json.
  • Bug fixes:
    • Fixed copy loop value does not fall within the expected range. #664
    • Fixed template comparison functions handling of large integer values. #666
    • Fixed handling of createArray function with no arguments. #667

v1.1.0-B2102023 (pre-release)#

What's changed since pre-release v1.1.0-B2102015:

  • New features:
    • Exporting template with Export-AzRuleTemplateData supports custom resource group and subscription. #651
      • Subscription and resource group used for deployment can be specified instead of using defaults.
      • ResourceGroupName parameter of Export-AzRuleTemplateData has been renamed to ResourceGroup.
      • Added a parameter alias for ResourceGroupName on Export-AzRuleTemplateData.

v1.1.0-B2102015 (pre-release)#

What's changed since pre-release v1.1.0-B2102010:

  • Bug fixes:
    • Fixed if condition values evaluation order. #652
    • Fixed handling of int parameters with large values. #653
    • Fixed handling of expressions split over multiple lines. #654
    • Fixed handling of bool parameter values within logical expressions. #655

v1.1.0-B2102010 (pre-release)#

What's changed since pre-release v1.1.0-B2102001:

  • Engineering:
    • Bump PSRule dependency to v1.0.3. #648
  • Bug fixes:
    • Fixed Azure.VM.ADE to limit rule to exports only. #644

v1.1.0-B2102001 (pre-release)#

What's changed since v1.0.0:

  • New rules:
    • All resources:
      • Check template parameters are defined. #631
      • Check location parameter is type string. #632
      • Check template parameter minValue and maxValue constraints are valid. #637
      • Check template resources do not use hard coded locations. #633
      • Check resource group location not referenced instead of location parameter. #634
      • Check increased debug detail is disabled for nested deployments. #638
  • Engineering:
    • Bump PSRule dependency to v1.0.2. #635

v1.0.0#

What's changed since v0.19.0:

  • New rules:
    • All resources:
      • Check parameter default value type matches type. #311
      • Check location parameter defaults to resource group. #361
    • Front Door:
      • Check Front Door uses a health probe for each backend pool. #546
      • Check Front Door uses a dedicated health probe path backend pools. #547
      • Check Front Door uses HEAD requests for backend health probes. #613
    • Service Fabric:
      • Check Service Fabric clusters use AAD client authentication. #619
  • Updated rules:
    • Azure Kubernetes Service:
      • Updated Azure.AKS.Version to 1.19.6. #603
  • General improvements:
    • Renamed Export-AzTemplateRuleData to Export-AzRuleTemplateData. #596
      • New name Export-AzRuleTemplateData aligns with prefix of other cmdlets.
      • Use of Export-AzTemplateRuleData is now deprecated and will be removed in the next major version.
      • Added alias to allow Export-AzTemplateRuleData to continue to be used.
      • Using Export-AzTemplateRuleData returns a deprecation warning.
    • Added support for environment template function. #517
  • Engineering:
    • Bump PSRule dependency to v1.0.1. #611

What's changed since pre-release v1.0.0-B2101028:

  • No additional changes.

v1.0.0-B2101028 (pre-release)#

What's changed since pre-release v1.0.0-B2101016:

  • New rules:
    • All resources:
      • Check parameter default value type matches type. #311
  • General improvements:
    • Renamed Export-AzTemplateRuleData to Export-AzRuleTemplateData. #596
      • New name Export-AzRuleTemplateData aligns with prefix of other cmdlets.
      • Use of Export-AzTemplateRuleData is now deprecated and will be removed in the next major version.
      • Added alias to allow Export-AzTemplateRuleData to continue to be used.
      • Using Export-AzTemplateRuleData returns a deprecation warning.

v1.0.0-B2101016 (pre-release)#

What's changed since pre-release v1.0.0-B2101006:

  • New rules:
    • Service Fabric:
      • Check Service Fabric clusters use AAD client authentication. #619
  • Bug fixes:
    • Fixed reason Azure.FrontDoor.ProbePath so the probe name is included. #617

v1.0.0-B2101006 (pre-release)#

What's changed since v0.19.0:

  • New rules:
    • All resources:
      • Check location parameter defaults to resource group. #361
    • Front Door:
      • Check Front Door uses a health probe for each backend pool. #546
      • Check Front Door uses a dedicated health probe path backend pools. #547
      • Check Front Door uses HEAD requests for backend health probes. #613
  • Updated rules:
    • Azure Kubernetes Service:
      • Updated Azure.AKS.Version to 1.19.6. #603
  • General improvements:
    • Added support for environment template function. #517
  • Engineering:
    • Bump PSRule dependency to v1.0.1. #611

Last update: 2022-06-25