Skip to content

Metadata reference#

PSRule for Azure uses several metadata tags, labels, and annotations that are specific to the framework and Azure resources. This document provides a comprehensive reference for all metadata used across rules, baselines, and documentation.

Rule metadata#

Rules in PSRule for Azure use metadata to categorize, classify, and provide additional context. This metadata is used by baselines to include rules and by the documentation system to generate reference materials.

Tags#

Tags are used to categorize rules and are specified in the PowerShell or YAML rule definition.

release#

Indicates the release status of the Azure feature that the rule validates, with one of the following values:

  • GA — Generally Available features that are fully supported and recommended for production use.
  • preview — Preview features that may have limitations or different terms of service.
  • deprecated — Rules for features that are no longer recommended or are being phased out.

For example:

-Tag @{ release = 'GA'; }
tag:
  release: GA

ruleSet#

Indicates the quarterly release when the rule was introduced or last significantly updated. Used by quarterly baselines to provide stable checkpoints.

A valid rule set used the format yyyy_mm where yyyy is the year and mm is the month (03, 06, 09, 12).

For example:

-Tag @{ ruleSet = '2025_06'; }
tag:
  ruleSet: 2025_06

Azure.WAF/pillar#

Aligns the rule with the Microsoft Azure Well-Architected Framework (WAF) pillars. The following are valid pillars accepted by this tag:

  • Security — Rules that enhance the security posture of Azure resources.
  • Reliability — Rules that improve system reliability and resilience.
  • Performance Efficiency — Rules that optimize performance and efficiency.
  • Cost Optimization — Rules that help optimize costs.
  • Operational Excellence — Rules that improve operational practices.

Example:

-Tag @{ 'Azure.WAF/pillar' = 'Security'; }
tag:
  Azure.WAF/pillar: Security

Labels#

Labels provide additional classification and mapping to frameworks.

Azure.MCSB.v1/control#

Maps the rule to Microsoft Cloud Security Benchmark (MCSB) version 1 controls.

For example, for a single control:

-Labels @{ 'Azure.MCSB.v1/control' = 'DP-4' }
labels:
  Azure.MCSB.v1/control: DP-4

For example, multiple controls:

-Labels @{ 'Azure.MCSB.v1/control' = @('DP-2', 'LT-1') }
labels:
  Azure.MCSB.v1/control:
    - DP-2
    - LT-1

Azure.CAF#

Maps the rule to Cloud Adoption Framework (CAF) categories. Valid values include:

  • naming — Rules related to resource naming conventions.
  • tagging — Rules related to resource tagging standards.

For example:

-Labels @{ 'Azure.CAF' = 'naming' }
labels:
  Azure.CAF: naming

Azure.WAF/maturity#

Indicates the maturity level for Well-Architected Framework implementation. Valid values include:

  • L1 — Level 1 maturity requirements.
  • L2 — Level 2 maturity requirements.
  • L3 — Level 3 maturity requirements.
  • L4 — Level 4 maturity requirements.
  • L5 — Level 5 maturity requirements.

For example:

-Labels @{ 'Azure.WAF/maturity' = 'L1'; }
labels:
  Azure.WAF/maturity: L1

For more information about the WAF security maturity model, see Security maturity model.

Documentation metadata#

Rule documentation uses front matter metadata to provide structured information about each rule. This metadata is used to generate documentation and provide context to users.

severity#

Indicates the subjective impact rating of the rule on the solution or platform.

Valid values include:

  • Critical — A 'must have' if the solution is to be considered 'fit for purpose', secure, well governed and managed inline with the Microsoft Azure Well-Architected Framework.
  • Important — A 'to be considered' within the context of the solution and domain. In some cases, can introduce cost or complexity that should be considered as a trade-off and explicitly documented as a Key Design Decision.
  • Awareness — A 'good to have' and should be considered alongside other recommendations. These rules help highlight opportunities for operational maturity.

Example:

severity: Important

pillar#

Aligns with the Azure Well-Architected Framework pillar. Same values as Azure.WAF/pillar in rule tags.

Values: Security, Reliability, Performance Efficiency, Cost Optimization, Operational Excellence

category#

Provides the specific Well-Architected Framework category that the rule addresses.

For example:

  • RE:01 Simplicity and efficiency
  • SE:10 Monitoring and threat detection
  • PE:05 Scaling and partitioning
  • CO:07 Component costs
  • OE:02 Deployment and testing

resource#

Human-readable description of the Azure resource type.

Examples: Virtual Machine, Storage Account, Key Vault, Application Gateway

resourceType#

The Azure resource type(s) that the rule applies to. Can be a single type or comma-separated list.

For example:

  • Microsoft.Compute/virtualMachines
  • Microsoft.Storage/storageAccounts,Microsoft.Security/defenderForStorageSettings

reviewed#

The date when the rule documentation was last reviewed, in YYYY-MM-DD format.

For example:

reviewed: 2024-01-05

online version#

The URL to the online version of the rule documentation.

For example:

online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.UseManagedDisks/

Baseline metadata#

Baselines use YAML metadata to define their scope, purpose, and characteristics.

metadata.annotations#

taxonomy#

Categorizes the baseline within a classification system. Valid values include:

  • Azure.WAF — Well-Architected Framework baselines

pillar#

For WAF baselines, specifies the pillar focus. Same as Azure.WAF/pillar in rule tags.

export#

Indicates whether the baseline should be exported in module manifests. Valid values are true, false.

moduleVersion#

The module version when the baseline was introduced or last updated.

Format: v<major>.<minor>.<patch> (e.g., v1.35.0)

experimental#

Marks baselines that are in experimental status. Valid values are true, false.

obsolete#

Marks baselines that are obsolete and should not be used. Valid values are true, false.

See also#

Comments