Update to rules and docs Azure#2570 (Azure#2633)

* Update to rules and docs Azure#2570

* Additional updates

Author: BernieWhite

.github/workflows/docs.yaml

@@ -56,6 +56,8 @@ jobs:
 
       - name: Build site
         run: mkdocs build
+        with:
+          MKDOCS_GIT_COMMITTERS_APIKEY: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Deploy
         uses: peaceiris/actions-gh-pages@v3

data/policy-ignore.json

@@ -1,4 +1,7 @@
 [
+  // Azure.ACR.AdminUser
+  "/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2",
+  "/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759",
   // Azure.SQL.AAD
   "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
   // Azure.ServiceFabric.AAD
@@ -27,5 +30,7 @@
   "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc",
   "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555",
   // Azure.Cognitive.ManagedIdentity
-  "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418"
+  "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418",
+  // Azure.VM.UseManagedDisks
+  "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
 ]

docs/CHANGELOG-v1.md

@@ -54,6 +54,7 @@ What's changed since v1.32.1:
 - General improvements:
   - Quality updates to rules and documentation by @BernieWhite.
     [#1772](https://github.com/Azure/PSRule.Rules.Azure/issues/1772)
+    [#2570](https://github.com/Azure/PSRule.Rules.Azure/issues/2570)
 - Engineering:
   - Bump xunit to v2.6.4.
     [#2618](https://github.com/Azure/PSRule.Rules.Azure/pull/2618)

docs/en/rules/Azure.ACR.AdminUser.md

@@ -1,5 +1,5 @@
 ---
-reviewed: 2023-12-01
+reviewed: 2024-01-05
 severity: Critical
 pillar: Security
 category: SE:05 Identity and access management
@@ -47,7 +47,7 @@ For example:
 ```json
 {
   "type": "Microsoft.ContainerRegistry/registries",
-  "apiVersion": "2023-08-01-preview",
+  "apiVersion": "2023-07-01",
   "name": "[parameters('name')]",
   "location": "[parameters('location')]",
   "sku": {
@@ -81,7 +81,7 @@ To deploy registries that pass this rule:
 For example:
 
 ```bicep
-resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
+resource registry 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
   name: name
   location: location
   sku: {
@@ -108,16 +108,29 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' =
 
 ### Configure with Azure CLI
 
+To configure registries that pass this rule:
+
 ```bash
-az acr update --admin-enabled false -n '<name>' -g '<resource_group>'
+az acr update -n '<name>' -g '<resource_group>' --admin-enabled false
 ```
 
 ### Configure with Azure PowerShell
 
+To configure registries that pass this rule:
+
 ```powershell
 Update-AzContainerRegistry -ResourceGroupName '<resource_group>' -Name '<name>' -DisableAdminUser
 ```
 
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+- [Container registries should have local admin account disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AdminAccountDisabled_AuditDeny.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2`.
+- [Configure container registries to disable local admin account](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AdminAccountDisabled_Modify.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759`.
+
 ## LINKS
 
 - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)

docs/en/rules/Azure.ACR.AnonymousAccess.md

@@ -30,7 +30,7 @@ Consider disabling anonymous pull access in scenarios that require user authenti
 
 ### Configure with Azure template
 
-To deploy Azure Container Registries that pass this rule:
+To deploy registries that pass this rule:
 
 - Set the `properties.anonymousPullEnabled` property to `false`.
 
@@ -39,43 +39,87 @@ For example:
 ```json
 {
   "type": "Microsoft.ContainerRegistry/registries",
-  "apiVersion": "2023-01-01-preview",
-  "name": "[parameters('registryName')]",
+  "apiVersion": "2023-08-01-preview",
+  "name": "[parameters('name')]",
   "location": "[parameters('location')]",
   "sku": {
-    "name": "Standard"
+    "name": "Premium"
+  },
+  "identity": {
+    "type": "SystemAssigned"
   },
   "properties": {
-    "anonymousPullEnabled": false
+    "adminUserEnabled": false,
+    "anonymousPullEnabled": false,
+    "policies": {
+      "quarantinePolicy": {
+        "status": "enabled"
+      },
+      "trustPolicy": {
+        "status": "enabled",
+        "type": "Notary"
+      },
+      "retentionPolicy": {
+        "days": 30,
+        "status": "enabled"
+      },
+      "softDeletePolicy": {
+        "retentionDays": 90,
+        "status": "enabled"
+      }
+    }
   }
 }
 ```
 
 ### Configure with Bicep
 
-To deploy Azure Container Registries that pass this rule:
+To deploy registries that pass this rule:
 
 - Set the `properties.anonymousPullEnabled` property to `false`.
 
 For example:
 
 ```bicep
-resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
-  name: registryName
+resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
+  name: name
   location: location
   sku: {
-    name: 'Standard'
+    name: 'Premium'
+  }
+  identity: {
+    type: 'SystemAssigned'
   }
   properties: {
+    adminUserEnabled: false
     anonymousPullEnabled: false
+    policies: {
+      quarantinePolicy: {
+        status: 'enabled'
+      }
+      trustPolicy: {
+        status: 'enabled'
+        type: 'Notary'
+      }
+      retentionPolicy: {
+        days: 30
+        status: 'enabled'
+      }
+      softDeletePolicy: {
+        retentionDays: 90
+        status: 'enabled'
+      }
+    }
   }
 }
 ```
 
 ### Configure with Azure CLI
 
+To configure registries that pass this rule:
+
 ```bash
-az acr update --name myregistry --anonymous-pull-enabled false
+az acr update  -n '<name>' -g '<resource_group>' --anonymous-pull-enabled false
 ```
 
 ## NOTES

docs/en/rules/Azure.ADX.ManagedIdentity.md

@@ -2,7 +2,7 @@
 reviewed: 2022-05-14
 severity: Important
 pillar: Security
-category: Authentication
+category: SE:05 Identity and access management
 resource: Data Explorer
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ADX.ManagedIdentity/
 ---
@@ -88,8 +88,9 @@ resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {
 
 ## LINKS
 
-- [Use identity-based authentication](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication#use-identity-based-authentication)
-- [Managed identities overview](https://docs.microsoft.com/azure/data-explorer/managed-identities-overview)
-- [Configure managed identities for your Azure Data Explorer cluster](https://docs.microsoft.com/azure/data-explorer/configure-managed-identities-cluster)
-- [Managed identities for Azure resources](https://docs.microsoft.com/azure/data-explorer/security#managed-identities-for-azure-resources)
-- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.kusto/clusters)
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#resource-identity)
+- [What are managed identities for Azure resources?](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview)
+- [Managed identities overview](https://learn.microsoft.com/azure/data-explorer/managed-identities-overview)
+- [Configure managed identities for your Azure Data Explorer cluster](https://learn.microsoft.com/azure/data-explorer/configure-managed-identities-cluster)
+- [Managed identities for Azure resources](https://learn.microsoft.com/azure/data-explorer/security#managed-identities-for-azure-resources)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.kusto/clusters)

docs/en/rules/Azure.AKS.ManagedIdentity.md

@@ -1,7 +1,7 @@
 ---
 severity: Important
 pillar: Security
-category: Authentication
+category: SE:05 Identity and access management
 resource: Azure Kubernetes Service
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.ManagedIdentity/
 ---
@@ -42,7 +42,7 @@ AKS clusters can not be updated to use managed identities for cluster infrastruc
 
 ## LINKS
 
-- [Use identity-based authentication](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication#use-identity-based-authentication)
-- [Use managed identities in Azure Kubernetes Service](https://docs.microsoft.com/azure/aks/use-managed-identity)
-- [What are managed identities for Azure resources?](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview)
-- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#resource-identity)
+- [What are managed identities for Azure resources?](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview)
+- [Use managed identities in Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/use-managed-identity)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)

docs/en/rules/Azure.APIM.ManagedIdentity.md

@@ -2,7 +2,7 @@
 reviewed: 2023-03-05
 severity: Important
 pillar: Security
-category: Authentication
+category: SE:05 Identity and access management
 resource: API Management
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.APIM.ManagedIdentity/
 ---
@@ -123,7 +123,8 @@ resource service 'Microsoft.ApiManagement/service@2021-08-01' = {
 
 ## LINKS
 
-- [Use identity-based authentication](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication#use-identity-based-authentication)
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#resource-identity)
+- [What are managed identities for Azure resources?](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview)
 - [Use managed identities in Azure API Management](https://learn.microsoft.com/azure/api-management/api-management-howto-use-managed-service-identity)
 - [Authenticate with managed identity](https://learn.microsoft.com/azure/api-management/api-management-policies#authentication-policies)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.apimanagement/service)

docs/en/rules/Azure.AppService.ManagedIdentity.md

@@ -1,7 +1,7 @@
 ---
 severity: Important
 pillar: Security
-category: Authentication
+category: SE:05 Identity and access management
 resource: App Service
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppService.ManagedIdentity/
 ---
@@ -102,8 +102,8 @@ resource webApp 'Microsoft.Web/sites@2021-02-01' = {
 
 ## LINKS
 
-- [Use identity-based authentication](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication#use-identity-based-authentication)
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#resource-identity)
 - [What are managed identities for Azure resources?](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview)
 - [Tutorial: Secure Azure SQL Database connection from App Service using a managed identity](https://docs.microsoft.com/azure/app-service/app-service-web-tutorial-connect-msi)
 - [How to use managed identities for App Service and Azure Functions](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet)
-- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.web/sites#managedserviceidentity-object)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.web/sites)

docs/en/rules/Azure.Cognitive.ManagedIdentity.md

@@ -97,9 +97,8 @@ resource language 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 
 To address this issue at runtime use the following policies:
 
-```text
-/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418
-```
+- [Cognitive Services accounts should use a managed identity](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_ManagedIdentity_Audit.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418`.
 
 ## NOTES
 

docs/en/rules/Azure.FrontDoor.State.md

@@ -2,7 +2,7 @@
 reviewed: 2023-02-18
 severity: Important
 pillar: Cost Optimization
-category: Optimize
+category: CO:14 Consolidation
 resource: Front Door
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.FrontDoor.State/
 ---
@@ -77,5 +77,5 @@ resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {
 
 ## LINKS
 
-- [Design review checklist for Cost Optimization](https://learn.microsoft.com/azure/well-architected/cost-optimization/checklist)
+- [CO:14 Consolidation](https://learn.microsoft.com/azure/well-architected/cost-optimization/consolidation)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/frontdoors)

docs/en/rules/Azure.ML.ComputeIdleShutdown.md

@@ -2,7 +2,7 @@
 reviewed: 2023-10-06
 severity: Critical
 pillar: Cost Optimization
-category: Provision
+category: CO:06 Usage and billing increments
 resource: Machine Learning
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ML.ComputeIdleShutdown/
 ---
@@ -83,6 +83,7 @@ resource compute_instance 'Microsoft.MachineLearningServices/workspaces/computes
 
 ## LINKS
 
+- [CO:06 Usage and billing increments](https://learn.microsoft.com/azure/well-architected/cost-optimization/align-usage-to-billing-increments)
 - [AI + Machine Learning cost estimates](https://learn.microsoft.com/azure/well-architected/cost/provision-ai-ml)
 - [Configure idle shutdown](https://learn.microsoft.com/azure/machine-learning/how-to-create-compute-instance#configure-idle-shutdown)
 - [ML Compute](https://learn.microsoft.com/azure/machine-learning/azure-machine-learning-glossary#compute)