Merge patch v1.41.4 (#3268)

Azure · Feb 28, 2025 · 2df4d57 · 2df4d57
1 parent 7ba89dd
commit 2df4d57
Show file tree

Hide file tree

Showing 11 changed files with 434 additions and 230 deletions.
diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md
@@ -29,12 +29,31 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 
 ## Unreleased
 
-What's changed since v1.41.2:
+What's changed since v1.41.4:
 
 - General improvements:
   - Added a new quickstart guide for using Azure Pipelines with PSRule by @that-ar-guy.  
     [#3220](https://github.com/Azure/PSRule.Rules.Azure/pull/3220)
 
+## v1.41.4
+
+What's changed since v1.41.3:
+
+- Bug fixes:
+  - Fixed Azure VM Standalone failing on data disks check by @BernieWhite.
+    [#3263](https://github.com/Azure/PSRule.Rules.Azure/issues/3263)
+  - Fixed in-flight analysis of key rotation policy fails due to missing data by @BernieWhite.
+    [#3261](https://github.com/Azure/PSRule.Rules.Azure/issues/3261)
+    - Disabled export of `keys` from management plane API because the data is incomplete for this rule.
+
+## v1.41.3
+
+What's changed since v1.41.2:
+
+- Bug fixes:
+  - Fixed ordering of symbolic copy loop dependencies by @BernieWhite.
+    [#3257](https://github.com/Azure/PSRule.Rules.Azure/issues/3257)
+
 ## v1.41.2
 
 What's changed since v1.41.1:

diff --git a/docs/en/rules/Azure.KeyVault.AutoRotationPolicy.md b/docs/en/rules/Azure.KeyVault.AutoRotationPolicy.md
@@ -1,17 +1,17 @@
 ---
-reviewed: 2024-06-17
+reviewed: 2025-02-27
 severity: Important
 pillar: Security
 category: SE:09 Application secrets
 resource: Key Vault
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.KeyVault.AutoRotationPolicy/
 ---
 
-# Enable Key Vault key auto-rotation
+# Key Vault key rotation policy is not set
 
 ## SYNOPSIS
 
-Key Vault keys should have auto-rotation enabled.
+Keys that become compromised may be used to spoof, decrypt, or gain access to sensitive data.
 
 ## DESCRIPTION
 
@@ -124,6 +124,10 @@ resource vaultName_key1 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = {
 }
 ```
 
+## NOTES
+
+This rule only applies to pre-flight validation of Azure templates and Bicep files.
+
 ## LINKS
 
 - [SE:09 Application secrets](https://learn.microsoft.com/azure/well-architected/security/application-secrets)

diff --git a/docs/en/rules/Azure.VM.Standalone.md b/docs/en/rules/Azure.VM.Standalone.md
@@ -1,17 +1,17 @@
 ---
-reviewed: 2022-07-09
+reviewed: 2025-02-27
 severity: Important
 pillar: Reliability
 category: RE:04 Target metrics
 resource: Virtual Machine
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.VM.Standalone/
 ---
 
-# Standalone Virtual Machine
+# Virtual Machine is not configured for improved SLA
 
 ## SYNOPSIS
 
-Use VM features to increase reliability and improve covered SLA for VM configurations.
+Single instance VMs are a single point of failure, however reliability can be improved by using premium storage.
 
 ## DESCRIPTION
 
@@ -29,73 +29,15 @@ Taking advantage of some of the features of Azure can further increase the avail
   Each Availability Zone has a distinct power source, network, and cooling.
 - **Availability Sets** - is a logical grouping of VMs that allows Azure to understand how your application is built.
   By understanding the distinct tiers of the application, Azure can better organize compute and storage to improve availability.
-- **Solid State Storage (SSD) Disks** - high performance block-level storage with three replicas of your data.
+- **Premium Solid State Storage (SSD) Disks** - high performance block-level storage with three replicas of your data.
+  When you use a mix of storage for OS and data disk attached to your VMs, the SLA is based on the lowest performing disk.
 
 ## RECOMMENDATION
 
 Consider using availability zones/ sets or only premium/ ultra disks to improve SLA.
 
 ## EXAMPLES
 
-### Configure with Azure template
-
-To deploy VMs that pass this rule with on of the following:
-
-- Deploy the VM in an Availability Set by specifying `properties.availabilitySet.id` in code.
-- Deploy the VM in an Availability Zone by specifying `zones` with `1`, `2`, or `3` in code.
-- Deploy the VM using only premium disks for OS and data disks by specifying `storageAccountType` as `Premium_LRS`.
-
-For example:
-
-```json
-{
-    "type": "Microsoft.Compute/virtualMachines",
-    "apiVersion": "2022-03-01",
-    "name": "[parameters('name')]",
-    "location": "[parameters('location')]",
-    "zones": [
-        "1"
-    ],
-    "properties": {
-        "hardwareProfile": {
-            "vmSize": "Standard_D2s_v3"
-        },
-        "osProfile": {
-            "computerName": "[parameters('name')]",
-            "adminUsername": "[parameters('adminUsername')]",
-            "adminPassword": "[parameters('adminPassword')]"
-        },
-        "storageProfile": {
-            "imageReference": {
-                "publisher": "MicrosoftWindowsServer",
-                "offer": "WindowsServer",
-                "sku": "[parameters('sku')]",
-                "version": "latest"
-            },
-            "osDisk": {
-                "name": "[format('{0}-disk0', parameters('name'))]",
-                "caching": "ReadWrite",
-                "createOption": "FromImage",
-                "managedDisk": {
-                    "storageAccountType": "Premium_LRS"
-                }
-            }
-        },
-        "licenseType": "Windows_Server",
-        "networkProfile": {
-            "networkInterfaces": [
-                {
-                    "id": "[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]"
-                }
-            ]
-        }
-    },
-    "dependsOn": [
-        "[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]"
-    ]
-}
-```
-
 ### Configure with Bicep
 
 To deploy VMs that pass this rule with on of the following:
@@ -107,7 +49,7 @@ To deploy VMs that pass this rule with on of the following:
 For example:
 
 ```bicep
-resource vm1 'Microsoft.Compute/virtualMachines@2022-03-01' = {
+resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
   name: name
   location: location
   zones: [
@@ -150,11 +92,70 @@ resource vm1 'Microsoft.Compute/virtualMachines@2022-03-01' = {
 }
 ```
 
+<!-- external:avm avm/res/compute/virtual-machine zone -->
+
+### Configure with Azure template
+
+To deploy VMs that pass this rule with on of the following:
+
+- Deploy the VM in an Availability Set by specifying `properties.availabilitySet.id` in code.
+- Deploy the VM in an Availability Zone by specifying `zones` with `1`, `2`, or `3` in code.
+- Deploy the VM using only premium disks for OS and data disks by specifying `storageAccountType` as `Premium_LRS`.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.Compute/virtualMachines",
+  "apiVersion": "2024-07-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "zones": [
+    "1"
+  ],
+  "properties": {
+    "hardwareProfile": {
+      "vmSize": "Standard_D2s_v3"
+    },
+    "osProfile": {
+      "computerName": "[parameters('name')]",
+      "adminUsername": "[parameters('adminUsername')]",
+      "adminPassword": "[parameters('adminPassword')]"
+    },
+    "storageProfile": {
+      "imageReference": {
+        "publisher": "MicrosoftWindowsServer",
+        "offer": "WindowsServer",
+        "sku": "[parameters('sku')]",
+        "version": "latest"
+      },
+      "osDisk": {
+        "name": "[format('{0}-disk0', parameters('name'))]",
+        "caching": "ReadWrite",
+        "createOption": "FromImage",
+        "managedDisk": {
+          "storageAccountType": "Premium_LRS"
+        }
+      }
+    },
+    "licenseType": "Windows_Server",
+    "networkProfile": {
+      "networkInterfaces": [
+        {
+          "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"
+        }
+      ]
+    }
+  },
+  "dependsOn": [
+    "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"
+  ]
+}
+```
+
 ## LINKS
 
 - [RE:04 Target metrics](https://learn.microsoft.com/azure/well-architected/reliability/metrics)
-- [Virtual Machine SLA](https://azure.microsoft.com/support/legal/sla/virtual-machines)
-- [Availability options for virtual machines in Azure](https://learn.microsoft.com/azure/virtual-machines/availability)
-- [Manage the availability of Windows virtual machines in Azure](https://learn.microsoft.com/azure/virtual-machines/windows/manage-availability)
-- [Manage the availability of Linux virtual machines](https://learn.microsoft.com/azure/virtual-machines/linux/manage-availability)
+- [Virtual Machine SLA](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services)
+- [Availability options for Azure Virtual Machines](https://learn.microsoft.com/azure/virtual-machines/availability)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.compute/virtualmachines)
diff --git a/docs/examples/resources/vm.bicep b/docs/examples/resources/vm.bicep
@@ -27,7 +27,7 @@ param subnetId string
 param amaIdentityId string
 
 // An example virtual machine running Windows Server and one data disk attached.
-resource vm 'Microsoft.Compute/virtualMachines@2024-03-01' = {
+resource vm 'Microsoft.Compute/virtualMachines@2024-07-01' = {
   name: name
   location: location
   identity: {
@@ -146,7 +146,7 @@ resource config 'Microsoft.Maintenance/configurationAssignments@2023-04-01' = {
 }
 
 // An example virtual machine with Azure Hybrid Benefit.
-resource vm_with_benefit 'Microsoft.Compute/virtualMachines@2023-09-01' = {
+resource vm_with_benefit 'Microsoft.Compute/virtualMachines@2024-07-01' = {
   name: name
   location: location
   zones: [

diff --git a/docs/examples/resources/vm.json b/docs/examples/resources/vm.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.32.4.45862",
-      "templateHash": "13775676563717028722"
+      "version": "0.33.93.31351",
+      "templateHash": "2836501364278978101"
     }
   },
   "parameters": {
@@ -64,7 +64,7 @@
   "resources": [
     {
       "type": "Microsoft.Compute/virtualMachines",
-      "apiVersion": "2024-03-01",
+      "apiVersion": "2024-07-01",
       "name": "[parameters('name')]",
       "location": "[parameters('location')]",
       "identity": {
@@ -193,7 +193,7 @@
     },
     {
       "type": "Microsoft.Compute/virtualMachines",
-      "apiVersion": "2023-09-01",
+      "apiVersion": "2024-07-01",
       "name": "[parameters('name')]",
       "location": "[parameters('location')]",
       "zones": [