Promote Azure.ACR.AnonymousAccess to GA Azure#3119 (Azure#3204)

Author: BernieWhite

data/policy-ignore.json

@@ -296,5 +296,13 @@
     ],
     "reason": "Duplicate",
     "value": "Azure.AppConfig.DisableLocalAuth"
+  },
+  {
+    "policyDefinitionIds": [
+      "/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395",
+      "/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897"
+    ],
+    "reason": "Duplicate",
+    "value": "Azure.ACR.AnonymousAccess"
   }
 ]

docs/CHANGELOG-v1.md

@@ -29,6 +29,14 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 
 ## Unreleased
 
+What's changed since v1.40.0:
+
+- Updated rules:
+  - Container Registry:
+    - Updated documentation and promoted `Azure.ACR.AnonymousAccess` to GA by @BernieWhite.
+      [#3119](https://github.com/Azure/PSRule.Rules.Azure/issues/3119)
+      - Bumped rule set to `2024_12`.
+
 ## v1.40.0
 
 What's changed since v1.39.3:

docs/en/rules/Azure.ACR.AnonymousAccess.md

@@ -1,4 +1,5 @@
 ---
+reviewed: 2024-12-10
 severity: Important
 pillar: Security
 category: SE:05 Identity and access management
@@ -37,7 +38,7 @@ For example:
 ```json
 {
   "type": "Microsoft.ContainerRegistry/registries",
-  "apiVersion": "2023-08-01-preview",
+  "apiVersion": "2023-11-01-preview",
   "name": "[parameters('name')]",
   "location": "[parameters('location')]",
   "sku": {
@@ -79,7 +80,7 @@ To deploy registries that pass this rule:
 For example:
 
 ```bicep
-resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
+resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
   name: name
   location: location
   sku: {
@@ -112,7 +113,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' =
 }
 ```
 
-<!-- external:avm avm/res/container-registry/registry:0.5.1 anonymousPullEnabled -->
+<!-- external:avm avm/res/container-registry/registry anonymousPullEnabled -->
 
 ### Configure with Azure CLI
 
@@ -122,13 +123,21 @@ To configure registries that pass this rule:
 az acr update  -n '<name>' -g '<resource_group>' --anonymous-pull-enabled false
 ```
 
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+- [Container registries should have anonymous authentication disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AnonymousPullDisabled_AuditDeny.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395`.
+- [Configure container registries to disable anonymous authentication](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AnonymousPullDisabled_Modify.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897`.
+
 ## NOTES
 
-The anonymous pull access feature is currently in preview.
 Anonymous pull access is only available in the `Standard` and `Premium` service tiers.
 
-This rule may generate false positives in specific scenarios where to intend to distribute OCI content to Internet users,
-for example: You are a software vendor and intend to distribute container images of your software to customers.
+This rule may generate false positives in specific scenarios where to intend to distribute OCI content to Internet users.
+For example: You are a software vendor and intend to distribute container images of your software to customers.
 
 ## LINKS
 

docs/examples/avm/acr.bicep

@@ -12,7 +12,7 @@ param name string
 param location string = resourceGroup().location
 
 // An example container registry deployed with Premium SKU.
-module registry 'br/public:avm/res/container-registry/registry:0.5.1' = {
+module registry 'br/public:avm/res/container-registry/registry:0.6.0' = {
   params: {
     name: name
     location: location

src/PSRule.Rules.Azure/rules/Azure.ACR.Rule.yaml

@@ -143,7 +143,7 @@ metadata:
   ref: AZR-000401
   tags:
     release: preview
-    ruleSet: 2023_09
+    ruleSet: 2024_12
     Azure.WAF/pillar: Security
   labels:
     Azure.MCSB.v1/control: 'IM-1'

tests/PSRule.Rules.Azure.Tests/Azure.Baseline.Tests.ps1

@@ -213,7 +213,7 @@ Describe 'Baselines' -Tag Baseline {
             $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2023_09' -WarningAction Ignore);
             $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
             $filteredResult | Should -Not -BeNullOrEmpty;
-            $filteredResult.Length | Should -Be 8;
+            $filteredResult.Length | Should -Be 7;
         }
 
         It 'With Azure.GA_2023_12' {
@@ -227,7 +227,7 @@ Describe 'Baselines' -Tag Baseline {
             $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2023_12' -WarningAction Ignore);
             $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
             $filteredResult | Should -Not -BeNullOrEmpty;
-            $filteredResult.Length | Should -Be 8;
+            $filteredResult.Length | Should -Be 7;
         }
 
         It 'With Azure.GA_2024_03' {
@@ -241,7 +241,7 @@ Describe 'Baselines' -Tag Baseline {
             $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2024_03' -WarningAction Ignore);
             $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
             $filteredResult | Should -Not -BeNullOrEmpty;
-            $filteredResult.Length | Should -Be 8;
+            $filteredResult.Length | Should -Be 7;
         }
 
         It 'With Azure.GA_2024_06' {
@@ -255,7 +255,7 @@ Describe 'Baselines' -Tag Baseline {
             $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2024_06' -WarningAction Ignore);
             $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
             $filteredResult | Should -Not -BeNullOrEmpty;
-            $filteredResult.Length | Should -Be 11;
+            $filteredResult.Length | Should -Be 10;
         }
 
         It 'With Azure.GA_2024_09' {
@@ -269,7 +269,7 @@ Describe 'Baselines' -Tag Baseline {
             $result = @(Get-PSRule -Module PSRule.Rules.Azure -Baseline 'Azure.Preview_2024_09' -WarningAction Ignore);
             $filteredResult = @($result | Where-Object { $_.Tag.release -in 'preview'});
             $filteredResult | Should -Not -BeNullOrEmpty;
-            $filteredResult.Length | Should -Be 13;
+            $filteredResult.Length | Should -Be 12;
         }
     }
 }