Welcome, and thank you for your interest in contributing to PSRule!
There are many ways in which you can contribute, beyond writing code. The goal of this document is to provide a high-level overview of how you can get involved.
- Reporting issues
- Improve documentation
- Adding or improving rules
- Fix bugs or add features
Have a question? Rather than opening an issue, please ask a question in discussions. Your well-worded question will serve as a resource to others searching for help.
Have you identified a reproducible problem? Have a feature request? We want to hear about it! Here's how you can make reporting your issue as effective as possible.
The PSRule project is distributed across multiple repositories. Try to file the issue against the correct repository. Check the list of related projects if you aren't sure which repository is correct.
Before you create a new issue, please do a search in open issues to see if the issue or feature request has already been filed.
If you find your issue already exists, make relevant comments and add your reaction. Use a reaction in place of a "+1" comment:
- 👍 - upvote
- 👎 - downvote
This project contains a wide range of documentation, stored in `docs/`.
Some of the documentation that you might like to improve includes:
- Rule recommendations (`docs/en/rules/`).
- Scenarios and examples (`docs/customization/` and `docs/scenarios/`).
- PowerShell cmdlet and conceptual topics (`docs/commands/` and `docs/concepts/`).
When writing documentation in Markdown, please follow these formatting guidelines:
- Semantically break up long paragraphs into multiple lines, particularly if they contain multiple sentences.
- Add a blank line between paragraphs.
- Add a blank line before and after lists, code blocks, and section headers.
Before improving rule recommendations, familiarize yourself with writing rule markdown documentation. Rule documentation requires the following annotations for use with PSRule for Azure:
- `severity` - A subjective rating of the impact of a rule on the solution or platform. NB - the severity ratings reflect a production implementation; consideration should be applied for pre-production environments. Available severities are:
  - `Critical` - A 'must have' if the solution is to be considered 'fit for purpose', secure, well governed and managed in line with the Microsoft Azure Well-Architected Framework.
  - `Important` - A 'to be considered' within the context of the solution and domain. In some cases, can introduce cost or complexity that should be considered as a trade-off and explicitly documented as a Key Design Decision.
  - `Awareness` - A 'good to have' feature, normally reserved for solutions with the highest non-functional requirements.
- `pillar` - An Azure Well-Architected Framework pillar. Either `Cost Optimization`, `Operational Excellence`, `Performance Efficiency`, `Reliability`, `Security`.
- `category` - A category of Azure Well-Architected Framework pillar.
- `online version` - The URL of the online version of the documentation. This will start with `https://azure.github.io/PSRule.Rules.Azure/en/rules/`. The URL will not exist for new rules until the Pull Request is merged.
When authoring and improving rule documentation, please follow these guidelines:
- Reference the WAF — by the pillar recommendation. For example if the rule relates to redundancy in the Reliability pillar you could reference RE:05 Redundancy.
- Add relevant links — to the Azure service documentation.
  Examples of good documentation links include:
  - Best practices for the Azure service.
  - Instructions on how to configure the Azure service.
  - Azure deployment reference.
- Remove culture — from links to https://learn.microsoft.com/ to make it more generic. This will allow the link to redirect to a language based on the user's settings. For example https://learn.microsoft.com/azure/aks/concepts-scale instead of https://learn.microsoft.com/en-us/azure/aks/concepts-scale.
- Add examples — of an Azure resource that would pass the rule. For rules that apply to pre-flight checks provide an example in Azure Bicep and Azure template format.
- Reference Azure Verified Module — If a pre-built Azure Verified Module (AVM) is available, reference it after the Bicep example using a short-code. The short-code format is `<!-- external:avm <path>[:<suggestedVersion>] [<params>,...] -->`.
  - For example `<!-- external:avm avm/res/app/container-app:0.11.0 scaleMinReplicas -->`:
    - The module path is `avm/res/app/container-app`.
    - The suggested version is `0.11.0`.
    - The parameter that must be configured to pass the rule is `scaleMinReplicas`. Additional parameters can be added if multiple must be configured by separating with a comma (but no spaces).
    - For more information see the example.
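
The short-code format described above can be checked mechanically before a documentation change is submitted. The following is an added example, not code from the PSRule project: `ConvertFrom-AvmShortCode` is a hypothetical helper, and the character classes in the pattern are an assumption drawn from the format string and the "comma but no spaces" rule.

```powershell
# Added example. ConvertFrom-AvmShortCode is a hypothetical helper, not part of PSRule.
function ConvertFrom-AvmShortCode {
    [CmdletBinding()]
    param ([Parameter(Mandatory)] [string]$Text)

    # Format: <!-- external:avm <path>[:<suggestedVersion>] [<params>,...] -->
    # Assumption: path, version and parameter names contain no whitespace, ':' or ','.
    $pattern = '^<!--\s+external:avm\s+(?<path>[^\s:,]+)(?::(?<version>[^\s:,]+))?' +
               '(?:\s+(?<params>[^\s:,]+(?:,[^\s:,]+)*))?\s+-->$'
    $m = [regex]::Match($Text.Trim(), $pattern)
    if (-not $m.Success) {
        throw "Not a valid AVM short-code: $Text"
    }
    [pscustomobject]@{
        Path       = $m.Groups['path'].Value
        # The suggested version is optional in the format.
        Version    = if ($m.Groups['version'].Success) { $m.Groups['version'].Value } else { $null }
        # Parameters are separated by a comma with no spaces.
        Parameters = @(if ($m.Groups['params'].Success) { $m.Groups['params'].Value -split ',' })
    }
}

# The first input is the example from this page. The second is constructed
# ('otherParam' is a placeholder name) and puts a space after the comma.
$shortCodes = @(
    '<!-- external:avm avm/res/app/container-app:0.11.0 scaleMinReplicas -->'
    '<!-- external:avm avm/res/app/container-app:0.11.0 scaleMinReplicas, otherParam -->'
)
foreach ($text in $shortCodes) {
    try {
        ConvertFrom-AvmShortCode $text | Format-List
    } catch {
        "Rejected: $text"
    }
}
```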
- Rules are stored in `src/PSRule.Rules.Azure/rules/`.
- Rules are organized into separate `.Rule.ps1` or `.Rule.yaml` files based on service.
- Rule documentation in English is stored in `docs/en/rules/`.
  - Additional cultures can be added in a subdirectory under `docs/`.
- Use pre-conditions to limit the type of resource a rule applies to.
Each rule must meet the following requirements:
- Named with the `Azure.` prefix.
- The rule name must not be longer than 35 characters.
- Use a unique `Ref` following the format `AZR-nnnnnn`, where `nnnnnn` is a sequential number from `000001`. See how to get the next unique rule ref.
- Have documentation and unit tests.
- Have a `release` tag, either `GA` or `preview`. e.g. `-Tag @{ release = 'GA' }`
  - Rules are marked as `GA` if they relate to generally available Azure features.
  - Rules are marked as `preview` if they relate to preview Azure features.
  - Rules are marked as `deprecated` if they are no longer relevant and will be removed in the next major release.
- Have a `ruleSet` tag. e.g. `-Tag @{ release = 'GA'; ruleSet = '2020_09' }`
  - The rule set tag identifies the quarter that the rule was first released.
  - This is used to include rules in quarterly baselines.
  - New rules are included in the next quarterly baseline. i.e. (YYYY_03, YYYY_06, YYYY_09, YYYY_12)
- Have an `Azure.WAF/pillar` tag identifying the primary WAF pillar the rule aligns to. e.g. `-Tag @{ release = 'GA'; ruleSet = '2020_09'; 'Azure.WAF/pillar' = 'Reliability' }`
  - If more than one pillar is applicable, the `Azure.WAF/additionalPillars` label can be added on rules.
- Include an inline `Synopsis:` comment above each rule.
For example:

```powershell
# Synopsis: Consider configuring a managed identity for each API Management instance.
Rule 'Azure.APIM.ManagedIdentity' -Type 'Microsoft.ApiManagement/service' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security' } {
    $Assert.In($TargetObject, 'Identity.Type', @('SystemAssigned', 'UserAssigned'))
}
```

```yaml
---
# Synopsis: Consider configuring a managed identity for each API Management instance.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
  name: Azure.APIM.ManagedIdentity
  tags:
    release: 'GA'
    ruleSet: '2020_06'
    Azure.WAF/pillar: Security
spec:
  type:
  - Microsoft.ApiManagement/service
  condition:
    field: 'Identity.Type'
    in:
    - 'SystemAssigned'
    - 'UserAssigned'
```
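
The naming and tagging requirements listed above can be checked locally before opening a pull request. The following is an added example, not code from the PSRule project: `Test-AzRuleMetadata` is a hypothetical helper, the `Ref` values and the second sample rule are constructed, and the six-digit `Ref` pattern is an assumption taken from the `000001` starting value.

```powershell
# Added example. Test-AzRuleMetadata is a hypothetical helper, not a PSRule cmdlet.
function Test-AzRuleMetadata {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string]$Name,
        [string]$Ref = '',
        [hashtable]$Tag = @{}
    )
    $pillars = 'Cost Optimization', 'Operational Excellence', 'Performance Efficiency',
               'Reliability', 'Security'
    $problems = [System.Collections.Generic.List[string]]::new()

    # The -c* operators compare case-sensitively.
    if ($Name -cnotmatch '^Azure\.') { $problems.Add("name must start with 'Azure.'") }
    if ($Name.Length -gt 35) { $problems.Add("name is $($Name.Length) characters, limit is 35") }
    # Assumption: six digits, taken from the '000001' starting value.
    if ($Ref -cnotmatch '^AZR-[0-9]{6}$') { $problems.Add("Ref '$Ref' is not AZR-nnnnnn") }
    if ($Tag['release'] -cnotin @('GA', 'preview', 'deprecated')) {
        $problems.Add('release tag must be GA, preview or deprecated')
    }
    # Quarterly baselines: YYYY_03, YYYY_06, YYYY_09 or YYYY_12.
    if ([string]$Tag['ruleSet'] -notmatch '^[0-9]{4}_(03|06|09|12)$') {
        $problems.Add('ruleSet tag must be YYYY_03, YYYY_06, YYYY_09 or YYYY_12')
    }
    if ($Tag['Azure.WAF/pillar'] -cnotin $pillars) {
        $problems.Add('Azure.WAF/pillar tag must name one WAF pillar')
    }
    $problems
}

# Constructed samples: the first is the rule shown above with a placeholder Ref,
# the second is made up to break several requirements at once.
$samples = @(
    @{ Name = 'Azure.APIM.ManagedIdentity'; Ref = 'AZR-999999'
       Tag  = @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security' } }
    @{ Name = 'Azure.ContainerApp.MinimumReplicasAcrossZones'; Ref = 'AZR-42'
       Tag  = @{ release = 'ga'; ruleSet = '2024_05' } }
)
foreach ($s in $samples) {
    $found = @(Test-AzRuleMetadata @s)
    if ($found.Count -eq 0) {
        "$($s.Name): ok"
    } else {
        "$($s.Name): " + ($found -join '; ')
    }
}
```

The inline `Synopsis:` comment, documentation and unit test requirements are not covered by this check, because they are not part of the rule's name, `Ref` or tags.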
Tips for authoring rules:
- To create new rules, snippets in the VS Code extension for PSRule can be used.
- Use YAML-based rules over PowerShell-based rules when possible. We prefer YAML-based rules because they are easier for the community to read and maintain.
- Use `-Type` over `-If` pre-conditions when possible. Both may be required in some cases.
To get the next unique rule ref:
- Scroll to the bottom of this reference page.
- Choose the next available ref number sequence.
- Be aware of any existing open PRs that add rules, and choose the next available ref number sequence. If both PRs choose the same rule ref the CI build will fail after one is merged.
For some rules, adding configuration options to allow customization may be helpful. When adding configuration options, please follow these guidelines:
- Name the configuration option by:
  - Prefixing the configuration option name with `AZURE_`.
  - Separating words with `_` to make the configuration option name more readable.
  - Capitalizing the configuration option name. e.g. `AZURE_POLICY_WAIVER_MAX_EXPIRY`
- Include relevant documentation for the configuration option in the rule's documentation. See Azure.Policy.WaiverExpiry for an example.
- Include relevant examples of the configuration option in Configuring rule defaults.
- Before writing a fix or feature enhancement, ensure that an issue is logged.
- Be prepared to discuss a feature and take feedback.
- Include unit tests and update documentation to complement the change.
When you are ready to contribute a fix or feature:
- Start by forking the PSRule.Rules.Azure repo.
- Create a new branch from `main` in your fork.
- Add commits in your branch.
  - If you have updated module code or rules also update `CHANGELOG.md`.
  - You don't need to update the `CHANGELOG.md` for changes to unit tests or documentation.
  - Try building your changes locally. See building from source for instructions.
- Create a pull request to merge changes into the PSRule `main` branch.
  - If you are ready for your changes to be reviewed create a pull request.
  - If you are not ready for your changes to be reviewed, create a draft pull request.
- A continuous integration (CI) process will automatically build your changes.
  - Your changes must build successfully to be merged.
  - If you have any build errors, push new commits to your branch.
  - Avoid using forced pushes or squashing changes while in review, as this makes reviewing your changes harder.
When contributing to documentation or code changes, you'll need to have a GitHub account and a basic understanding of Git. Check out the links below to get started.
- Make sure you have a GitHub account.
- GitHub Help:
You should use the multi-platform Visual Studio Code (VS Code). The project contains a number of workspace specific settings that make it easier to author consistently.
After installing VS Code, install the following extensions:
When creating a pull request to merge your changes, a continuous integration (CI) pipeline is run. The CI pipeline will build then test your changes across MacOS, Linux and Windows configurations.
Before opening a pull request, try building your changes locally. See building from source for instructions.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repositories using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
Your contributions to open source, large or small, make great projects like this possible. Thank you for taking the time to contribute.