Update repo structure to focus on Bicep #45

.vscode/settings.json

@@ -11,5 +11,13 @@
   "[powershell]": {
     "editor.formatOnSave": false,
     "editor.tabSize": 4
-  }
+  },
+  "cSpell.words": [
+    "bicepparam",
+    "contoso",
+    "eastus"
+  ],
+  "cSpell.enableFiletypes": [
+    "bicep"
+  ]
 }

README.md

@@ -13,10 +13,10 @@ To learn more about PSRule for Azure, see <https://aka.ms/ps-rule-azure>.
 
 This repository includes:
 
-- **Azure Templates** &mdash; Starter Azure Resource Manager (ARM) templates and parameter files.
-  - Use the files in the `template/` folder if you are using ARM templates to deploy resources.
-- **Azure Bicep** &mdash; Starter Azure Bicep deployments and test files.
-  - Use the files in the `bicep/` folder if you are using Bicep deployments and modules to deploy resources.
+- **Azure Bicep deployment** &mdash; Starter Azure Bicep deployments.
+  - Use the files in the `deployments/` folder if you are using Bicep to deploy resources.
+- **Azure Bicep modules** &mdash; Starter Azure Bicep modules.
+  - Use the files in the `modules/` folder if you are using Bicep to create reusable modules with tests.
 - **GitHub Actions** &mdash; Starter workflow for checking Azure Infrastructure as Code (IaC).
   - Use the files in the `.github/workflows/` to check your Azure IaC with GitHub Actions.
   - The `ms-analyze.yaml` file can be ignore or removed as this will not execute outside this repository.
@@ -28,14 +28,21 @@ This repository includes:
   - PSRule options are configures within `ps-rule.yaml`.
   - Options include suppressing rules, configuring input/ output, and any rules modules.
 
+> **ARM templates**
+> PSRule for Azure supports ARM templates in addition to Bicep code.
+> However going forward this repository will focus on Bicep deployments and modules.
+> Existing ARM templates samples are no longer maintained and have been archived.
+> To access these samples jump to the [archive/with-arm-templates][3] branch.
+
+  [3]: https://github.com/Azure/PSRule.Rules.Azure-quickstart/tree/archive/with-arm-templates
+
 ## What to expect?
 
 This repository shows valid uses of PSRule for Azure, both pass and failure cases.
 Inspect the following files for instructions to test PSRule for Azure rules by creating a failure.
 
-- [bicep/deployments/contoso/landing-zones/subscription-1/rg-app-001/dev.bicepparam](bicep/deployments/contoso/landing-zones/subscription-1/rg-app-001/dev.bicepparam)
-- [bicep/deployments/contoso/landing-zones/subscription-1/rg-app-002/deploy.bicep](bicep/deployments/contoso/landing-zones/subscription-1/rg-app-002/deploy.bicep)
-- [template/deployments/contoso/landing-zones/subscription-1/rg-app-001/sttemplateapp001.parameters.json](template/deployments/contoso/landing-zones/subscription-1/rg-app-001/sttemplateapp001.parameters.json)
+- [deployments/contoso/landing-zones/subscription-1/rg-app-001/dev.bicepparam](deployments/contoso/landing-zones/subscription-1/rg-app-001/dev.bicepparam)
+- [deployments/contoso/landing-zones/subscription-1/rg-app-002/deploy.bicep](deployments/contoso/landing-zones/subscription-1/rg-app-002/deploy.bicep)
 
 ## Support
 
@@ -61,7 +68,6 @@ or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any addi
 ## Maintainers
 
 - [Bernie White](https://github.com/BernieWhite)
-- [Sam Bell](https://github.com/ms-sambell)
 
 ## License
 

bicep/deployments/contoso/landing-zones/subscription-1/rg-app-001/dev.bicepparam → deployments/contoso/landing-zones/subscription-1/rg-app-001/dev.bicepparam

@@ -1,6 +1,16 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+// Note:
+// This Azure Bicep parameter file demonstrates using parameters.
+
 using 'main.bicep'
 
+// The env tag must be test, dev, or prod.
+// Try setting this to 'demo' to fail the custom organization Org.Azure.Tags rule.
+// See .ps-rule/Org.Rule.yaml for details.
 param environment = 'dev'
+
 param name = 'kv-example-001'
 
 // Key Vault should only accept explicitly allowed traffic through the firewall.

bicep/deployments/contoso/landing-zones/subscription-1/rg-app-001/main.bicep → deployments/contoso/landing-zones/subscription-1/rg-app-001/main.bicep

@@ -1,3 +1,10 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+// Note:
+// This Azure Bicep code demonstrates using resources directly.
+// Also see parameter file for configurable options.
+
 targetScope = 'resourceGroup'
 
 param name string
@@ -20,9 +27,12 @@ resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
       name: 'standard'
     }
     tenantId: tenant().tenantId
+
+    // Try setting any of these to false to flag an issue.
     enableSoftDelete: true
     enablePurgeProtection: true
     enableRbacAuthorization: true
+
     networkAcls: {
       defaultAction: defaultAction
     }

bicep/deployments/contoso/landing-zones/subscription-1/rg-app-002/deploy.bicep → deployments/contoso/landing-zones/subscription-1/rg-app-002/deploy.bicep

@@ -2,7 +2,7 @@
 // Licensed under the MIT License.
 
 // Note:
-// This Azure Bicep code demonistrates a deployment of one or more modules.
+// This Azure Bicep code demonstrates a deployment of one or more modules.
 // This file has multiple template errors to show validation.
 
 @description('Configures the location to deploy the Azure resources.')
@@ -42,7 +42,8 @@ module keyvault '../../../../../modules/keyvault/v1/main.bicep' = {
     workspaceId: '/subscriptions/<subscription_id>/resourceGroups/rg-test/providers/Microsoft.OperationalInsights/workspaces/latest001'
 
     // An env tag must be test, dev, or prod.
-    // Try setting this to 'demo' to fail the Org.Azure.Tags rule.
+    // Try setting this to 'demo' to fail the custom organization Org.Azure.Tags rule.
+    // See .ps-rule/Org.Rule.yaml for details.
     tags: {
       env: 'dev'
     }

deployments/contoso/landing-zones/subscription-1/rg-app-003/deploy.bicep

@@ -0,0 +1,41 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+// Note:
+// This Azure Bicep code demonstrates using an AVM module.
+
+module vault 'br/public:avm/res/key-vault/vault:0.3.5' = {
+  // The name of the deployment.
+  name: '${uniqueString(deployment().name)}-test-kvvwaf'
+  params: {
+
+    // The name of the key vault.
+    name: 'kvvwaf002'
+
+    // Try setting any of these to false to flag an issue.
+    enablePurgeProtection: true
+    enableRbacAuthorization: true
+
+    networkAcls: {
+      bypass: 'AzureServices'
+
+      // Try setting the firewall to 'Allow' traffic by default to flag an issue.
+      defaultAction: 'Deny'
+    }
+
+    diagnosticSettings: [
+      {
+        workspaceResourceId: '<workspaceResourceId>'
+      }
+    ]
+
+    softDeleteRetentionInDays: 7
+
+    // An env tag must be test, dev, or prod.
+    // Try setting this to 'demo' to fail the custom organization Org.Azure.Tags rule.
+    // See .ps-rule/Org.Rule.yaml for details.
+    tags: {
+      env: 'dev'
+    }
+  }
+}

bicep/modules/keyvault/v1/main.bicep → modules/keyvault/v1/main.bicep

@@ -2,9 +2,9 @@
 // Licensed under the MIT License.
 
 targetScope = 'resourceGroup'
-
 metadata name = 'Key Vault'
 metadata description = 'Create or update an Azure Key Vault.'
+metadata version = '1.0.0'
 
 @sys.description('The name of the Key Vault.')
 param name string

modules/storage/v1/.bicep/pe.bicep

@@ -0,0 +1,105 @@
+// Create or update a Private Endpoint for the Storage Account.
+
+// ----------
+// PARAMETERS
+// ----------
+
+@description('The name of the Private Endpoint.')
+param name string
+
+@metadata({
+  strongType: 'location'
+  example: 'eastus'
+})
+@description('The Azure region to deploy to.')
+param location string
+
+@description('The unique resource identifer for the resource to expose through the Private Endpoint.')
+param resourceId string
+
+@allowed([
+  'blob'
+  'file'
+  'table'
+  'queue'
+])
+@description('The sub-resources to register the Private Endpoint for.')
+param groupId string
+
+@metadata({
+  strongType: 'Microsoft.Network/virtualNetworks/subnets'
+})
+@description('The unique resource identifer for the subnet to join the private endpoint to.')
+param subnetId string
+
+@metadata({
+  strongType: 'Microsoft.Network/privateDnsZones'
+})
+@description('The private DNS zone to register the private endpoint within.')
+param privateDnsZoneId string = ''
+
+@description('Tags to apply to the resource.')
+param tags object
+
+// ---------
+// VARIABLES
+// ---------
+
+// ---------
+// RESOURCES
+// ---------
+
+@description('Create or update a Private Endpoint for a resource.')
+resource endpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = {
+  location: location
+  name: name
+  properties: {
+    subnet: {
+      id: subnetId
+    }
+    privateLinkServiceConnections: [
+      {
+        name: name
+        properties: {
+          privateLinkServiceId: resourceId
+          groupIds: [
+            groupId
+          ]
+        }
+      }
+    ]
+  }
+  tags: tags
+}
+
+@description('Configures DNS for the Private Endpoint.')
+resource endpointGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-04-01' = if (!empty(privateDnsZoneId)) {
+  parent: endpoint
+  name: 'default'
+  properties: {
+    privateDnsZoneConfigs: [
+      {
+        name: replace(last(split(privateDnsZoneId, '/')), '.', '-')
+        properties: {
+          privateDnsZoneId: privateDnsZoneId
+        }
+      }
+    ]
+  }
+}
+
+// -------
+// OUTPUTS
+// -------
+
+@description('A unique identifier for the Private Endpoint.')
+output id string = endpoint.id
+
+@description('The name of the associated Private DNS Zone.')
+output privateDnsZone string = last(split(privateDnsZoneId, '/'))
+
+@description('The name of the Resource Group where the Private Endpoint is deployed.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The guid for the subscription where the Private Endpoint is deployed.')
+output subscriptionId string = subscription().subscriptionId