use rule name as package name path suffix, so we can ignore a specifi…

…ed rule easily
Azure · Feb 13, 2025 · 6be73ff · 6be73ff
1 parent a159c79
commit 6be73ff
Show file tree

Hide file tree

Showing 16 changed files with 120 additions and 67 deletions.
diff --git a/.../aks/microsoft_container_service_managedClusters_agentPoolProfiles_availabilityZones.rego b/.../aks/microsoft_container_service_managedClusters_agentPoolProfiles_availabilityZones.rego
@@ -1,8 +1,8 @@
-package Azure_Proactive_Resiliency_Library_v2.Microsoft_ContainerService_managedClusters
+package Azure_Proactive_Resiliency_Library_v2.configure_aks_default_node_pool_zones
 
 import rego.v1
 
-valid_zones(resource) if {
+valid_azapi_zones(resource) if {
     pool := resource.values.body.properties.agentPoolProfiles[_]
     count(pool.availabilityZones) >= 2
 }

diff --git a/...y-Library-v2/azapi/cosmos-db/microsoft_documentdb_databaseAccounts_backupPolicy_type.rego b/...y-Library-v2/azapi/cosmos-db/microsoft_documentdb_databaseAccounts_backupPolicy_type.rego
@@ -1,15 +1,15 @@
-package Azure_Proactive_Resiliency_Library_v2.Microsoft_Network_databaseAccounts
+package Azure_Proactive_Resiliency_Library_v2.configure_cosmosdb_account_continuous_backup_mode
 
 import rego.v1
 
-valid_cosmosdb_account_backup_policy_type(resource) if {
+valid_azapi_cosmosdb_account_backup_policy_type(resource) if {
     resource.values.body.properties.backupPolicy.type == "Continuous"
 }
 
 deny_configure_cosmosdb_account_continuous_backup_mode contains reason if {
     resource := data.utils.resource(input, "azapi_resource")[_]
     data.utils.is_azure_type(resource.values, "Microsoft.DocumentDB/databaseAccounts")
-    not valid_cosmosdb_account_backup_policy_type(resource)
+    not valid_azapi_cosmosdb_account_backup_policy_type(resource)
 
     reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have backup type configured to 'Continuous': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DocumentDB/databaseAccounts/#configure-continuous-backup-mode", [resource.address])
 }
diff --git a/...e-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.rego b/...e-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.rego
@@ -1,19 +1,19 @@
-package Azure_Proactive_Resiliency_Library_v2.Microsoft_Network_applicationGateways
+package Azure_Proactive_Resiliency_Library_v2.migrate_to_application_gateway_v2
 
 import rego.v1
 
-valid_sku(resource) if {
+valid_azapi_sku(resource) if {
     resource.values.body.properties.sku.name == "Standard_v2"
 }
 
-valid_sku(resource) if {
+valid_azapi_sku(resource) if {
     resource.values.body.properties.sku.name == "WAF_v2"
 }
 
 deny_migrate_to_application_gateway_v2 contains reason if {
     resource := data.utils.resource(input, "azapi_resource")[_]
     data.utils.is_azure_type(resource.values, "Microsoft.Network/applicationGateways")
-    not valid_sku(resource)
+    not valid_azapi_sku(resource)
 
     reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have 'body.properties.sku.name' set to 'Standard_v2' or 'WAF_v2': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/applicationGateways/#migrate-to-application-gateway-v2", [resource.address])
 }
diff --git a/...tive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_zones.rego b/...tive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_zones.rego
@@ -1,16 +1,16 @@
-package Azure_Proactive_Resiliency_Library_v2.Microsoft_Network_applicationGateways
+package Azure_Proactive_Resiliency_Library_v2.deploy_application_gateway_in_a_zone_redundant_configuration
 
 import rego.v1
 
-valid_zones(resource) if {
+valid_azapi_zones(resource) if {
     resource.values.body.zones == resource.values.body.zones
     count(resource.values.body.zones) >= 2
 }
 
 deny_deploy_application_gateway_in_a_zone_redundant_configuration contains reason if {
     resource := data.utils.resource(input, "azapi_resource")[_]
     data.utils.is_azure_type(resource.values, "Microsoft.Network/applicationGateways")
-    not valid_zones(resource)
+    not valid_azapi_zones(resource)
 
     reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have must have configured to use at least 2 Availability Zones: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/applicationGateways/#deploy-application-gateway-in-a-zone-redundant-configuration", [resource.address])
 }
diff --git a/...e-Resiliency-Library-v2/azapi/network/microsoft_network_loadBalancers_outbound_rules.rego b/...e-Resiliency-Library-v2/azapi/network/microsoft_network_loadBalancers_outbound_rules.rego
@@ -1,19 +1,19 @@
-package Azure_Proactive_Resiliency_Library_v2.Microsoft_Network_loadBalancers
+package Azure_Proactive_Resiliency_Library_v2.use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer
 
 import rego.v1
 
-valid_outbound_rules(resource) if {
+valid_azapi_outbound_rules(resource) if {
     count(resource.values.body.properties.outboundRules) == 0
 }
 
-valid_outbound_rules(resource) if {
+valid_azapi_outbound_rules(resource) if {
     not resource.values.body.properties.outboundRules == resource.values.body.properties.outboundRules
 }
 
 deny_use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer contains reason if {
     resource := data.utils.resource(input, "azapi_resource")[_]
     data.utils.is_azure_type(resource.values, "Microsoft.Network/loadBalancers")
-    not valid_outbound_rules(resource)
+    not valid_azapi_outbound_rules(resource)
 
     reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must not config `outboundRules. Outbound rules for Standard Public Load Balancer involve manual port allocation for backend pools, limiting scalability and risk of SNAT port exhaustion. NAT Gateway is recommended for its dynamic scaling and secure internet connectivity.: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/loadBalancers/#use-nat-gateway-instead-of-outbound-rules-for-production-workloads", [resource.address])
 }
diff --git a/...re-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_loadBalancers_sku.rego b/...re-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_loadBalancers_sku.rego
@@ -1,16 +1,16 @@
-package Azure_Proactive_Resiliency_Library_v2.Microsoft_Network_loadBalancers
+package Azure_Proactive_Resiliency_Library_v2.use_resilient_load_lalancer_sku
 
 import rego.v1
 
-valid_sku(resource) if {
+valid_azapi_sku(resource) if {
     resource.values.body.sku.name
     resource.values.body.sku.name != "Basic"
 }
 
 deny_use_resilient_load_lalancer_sku contains reason if {
     resource := data.utils.resource(input, "azapi_resource")[_]
     data.utils.is_azure_type(resource.values, "Microsoft.Network/loadBalancers")
-    not valid_sku(resource)
+    not valid_azapi_sku(resource)
 
     reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must not have 'sku.name' set to 'Basic': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/loadBalancers/#use-standard-load-balancer-sku", [resource.address])
 }
diff --git a/...re-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_publicIPAddresses.rego b/...re-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_publicIPAddresses.rego
@@ -1,16 +1,16 @@
-package Azure_Proactive_Resiliency_Library_v2.Microsoft_Network_publicIPAddresses
+package Azure_Proactive_Resiliency_Library_v2.use_standard_sku_and_zone_redundant_ip
 
 import rego.v1
 
-valid(resource) if {
+valid_azapi_sku_name(resource) if {
     resource.values.body.sku.name == "Sandard"
     count(resource.values.body.zones) >= 2
 }
 
 deny_use_standard_sku_and_zone_redundant_ip contains reason if {
     resource := data.utils.resource(input, "azapi_resource")[_]
     data.utils.is_azure_type(resource.values, "Microsoft.Network/publicIPAddresses")
-    not valid(resource)
+    not valid_azapi_sku_name(resource)
 
     reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azapi_resource` must have configured `sku.name` to `\"Standard\"` and a `zones` that cotnains at least 2 zones: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/publicIPAddresses/#use-standard-sku-and-zone-redundant-ips-when-applicable", [resource.address])
 }
diff --git a/...ncy-Library-v2/azurerm/containers/azurerm_kubernetes_cluster_default_node_pool_zones.rego b/...ncy-Library-v2/azurerm/containers/azurerm_kubernetes_cluster_default_node_pool_zones.rego
@@ -1,15 +1,15 @@
-package Azure_Proactive_Resiliency_Library_v2.azurerm_kubernetes_cluster
+package Azure_Proactive_Resiliency_Library_v2.configure_aks_default_node_pool_zones contains
 
 import rego.v1
 
-valid_zones(resource) if {
+valid_azurerm_zones(resource) if {
     pool := resource.values.default_node_pool[_]
     count(pool.zones) >= 2
 }
 
 deny_configure_aks_default_node_pool_zones contains reason if {
     resource := data.utils.resource(input, "azurerm_kubernetes_cluster")[_]
-    not valid_zones(resource)
+    not valid_azurerm_zones(resource)
 
     reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_kubernetes_cluster` must have configured `default_node_pool` to use at least 2 Availability Zones: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/ContainerService/managedClusters/#deploy-aks-cluster-across-availability-zones", [resource.address])
 }
diff --git a/...-Proactive-Resiliency-Library-v2/azurerm/cosmos/azurerm_cosmosdb_account_backup_type.rego b/...-Proactive-Resiliency-Library-v2/azurerm/cosmos/azurerm_cosmosdb_account_backup_type.rego
@@ -1,14 +1,14 @@
-package Azure_Proactive_Resiliency_Library_v2.azurerm_cosmosdb_account
+package Azure_Proactive_Resiliency_Library_v2.configure_cosmosdb_account_continuous_backup_mode
 
 import rego.v1
 
-valid_cosmosdb_account_backup_policy_type(resource) if {
+valid_azurerm_cosmosdb_account_backup_policy_type(resource) if {
     resource.values.backup[_].type == "Continuous"
 }
 
 deny_configure_cosmosdb_account_continuous_backup_mode contains reason if {
     resource := data.utils.resource(input, "azurerm_cosmosdb_account")[_]
-    not valid_cosmosdb_account_backup_policy_type(resource)
+    not valid_azurerm_cosmosdb_account_backup_policy_type(resource)
 
     reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_cosmosdb_account` must have backup type configured to 'Continuous': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DocumentDB/databaseAccounts/#configure-continuous-backup-mode", [resource.address])
 }
diff --git a/.../Azure-Proactive-Resiliency-Library-v2/azurerm/loadbalancer/azurerm_lb_outbound_rule.rego b/.../Azure-Proactive-Resiliency-Library-v2/azurerm/loadbalancer/azurerm_lb_outbound_rule.rego
@@ -1,4 +1,4 @@
-package Azure_Proactive_Resiliency_Library_v2.azurerm_lb
+package Azure_Proactive_Resiliency_Library_v2.use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer
 
 import rego.v1
 

diff --git a/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/loadbalancer/azurerm_lb_sku.rego b/policy/Azure-Proactive-Resiliency-Library-v2/azurerm/loadbalancer/azurerm_lb_sku.rego
@@ -1,14 +1,14 @@
-package Azure_Proactive_Resiliency_Library_v2.azurerm_lb
+package Azure_Proactive_Resiliency_Library_v2.use_resilient_load_lalancer_sku
 
 import rego.v1
 
-valid_sku(resource) if {
+valid_azurerm_sku(resource) if {
     resource.values.sku != "Basic"
 }
 
 deny_use_resilient_load_lalancer_sku contains reason if {
     resource := data.utils.resource(input, "azurerm_lb")[_]
-    not valid_sku(resource)
+    not valid_azurerm_sku(resource)
 
     reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_lb` must not have 'sku' set to 'Basic': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/loadBalancers/#use-standard-load-balancer-sku", [resource.address])
 }
diff --git a/...Proactive-Resiliency-Library-v2/azurerm/network/azurerm_application_gateway_sku_name.rego b/...Proactive-Resiliency-Library-v2/azurerm/network/azurerm_application_gateway_sku_name.rego
@@ -1,18 +1,18 @@
-package Azure_Proactive_Resiliency_Library_v2.azurerm_application_gateway
+package Azure_Proactive_Resiliency_Library_v2.migrate_to_application_gateway_v2
 
 import rego.v1
 
-valid_sku(resource) if {
+valid_azurerm_sku(resource) if {
     resource.values.sku[_].name == "Standard_v2"
 }
 
-valid_sku(resource) if {
+valid_azurerm_sku(resource) if {
     resource.values.sku[_].name == "WAF_v2"
 }
 
 deny_migrate_to_application_gateway_v2 contains reason if {
     resource := data.utils.resource(input, "azurerm_application_gateway")[_]
-    not valid_sku(resource)
+    not valid_azurerm_sku(resource)
 
     reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_application_gateway` must have 'sku.name' set to 'Standard_v2' or 'WAF_v2': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/applicationGateways/#migrate-to-application-gateway-v2", [resource.address])
 }
diff --git a/...re-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_application_gateway_zones.rego b/...re-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_application_gateway_zones.rego
@@ -1,15 +1,15 @@
-package Azure_Proactive_Resiliency_Library_v2.azurerm_application_gateway
+package Azure_Proactive_Resiliency_Library_v2.deploy_application_gateway_in_a_zone_redundant_configuration
 
 import rego.v1
 
-valid_zones(resource) if {
+valid_azurerm_zones(resource) if {
     resource.values.zones == resource.values.zones
     count(resource.values.zones) >= 2
 }
 
 deny_deploy_application_gateway_in_a_zone_redundant_configuration contains reason if {
     resource := data.utils.resource(input, "azurerm_application_gateway")[_]
-    not valid_zones(resource)
+    not valid_azurerm_zones(resource)
 
     reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_application_gateway` must have configured to use at least 2 Availability Zones: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/applicationGateways/#deploy-application-gateway-in-a-zone-redundant-configuration", [resource.address])
 }
diff --git a/...ure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_public_ip_zone_redundant.rego b/...ure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_public_ip_zone_redundant.rego
@@ -1,15 +1,15 @@
-package Azure_Proactive_Resiliency_Library_v2.azurerm_public_ip
+package Azure_Proactive_Resiliency_Library_v2.use_standard_sku_and_zone_redundant_ip
 
 import rego.v1
 
-valid_ip(resource) if {
+valid_azurerm_sku(resource) if {
    resource.values.sku == "Standard"
    count(resource.values.zones) >= 2
 }
 
 deny_use_standard_sku_and_zone_redundant_ip contains reason if {
     resource := data.utils.resource(input, "azurerm_public_ip")[_]
-    not valid_ip(resource)
+    not valid_azurerm_sku(resource)
 
     reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_public_ip` must have configured `sku` to `\"Standard\"` and a `zones` that cotnains at least 2 zones: https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/publicIPAddresses/#use-standard-sku-and-zone-redundant-ips-when-applicable", [resource.address])
 }
diff --git a/...ibrary-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.rego b/...ibrary-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.rego
@@ -1,14 +1,14 @@
-package Azure_Proactive_Resiliency_Library_v2.azurerm_postgresql_flexible_server
+package Azure_Proactive_Resiliency_Library_v2.postgresql_flexible_server_high_availability_mode_zone_redundant
 
 import rego.v1
 
-valid_high_availability_mode(resource) if {
+valid_azurerm_high_availability_mode(resource) if {
     resource.values.high_availability[_].mode == "ZoneRedundant"
 }
 
 deny_postgresql_flexible_server_high_availability_mode_zone_redundant contains reason if {
     resource := data.utils.resource(input, "azurerm_postgresql_flexible_server")[_]
-    not valid_high_availability_mode(resource)
+    not valid_azurerm_high_availability_mode(resource)
 
     reason := sprintf("Azure-Proactive-Resiliency-Library-v2: '%s' `azurerm_postgresql_flexible_server` must have 'high_availability.mode' set to 'ZoneRedundant': https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforPostgreSQL/flexibleServers/#enable-ha-with-zone-redundancy", [resource.address])
 }