{"id":1954,"date":"2024-08-21T06:19:47","date_gmt":"2024-08-21T13:19:47","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/identity\/?p=1954"},"modified":"2024-08-21T06:19:47","modified_gmt":"2024-08-21T13:19:47","slug":"secure-azure-deployments-with-psrule","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/identity\/secure-azure-deployments-with-psrule\/","title":{"rendered":"Securing your Azure deployments with PSRule"},"content":{"rendered":"

We love automation! With Bicep, you can effortlessly define the Azure infrastructure you need for your application. And with the Azure Developer CLI (azd)<\/a>, you can easily deploy both infrastructure and application code at the same time. Microsoft provides standard reusable components to be used with the Azure Developer CLI, such as Azure Verified Modules<\/a> and a template gallery<\/a>, containing example applications that you can use as starting points for defining your infrastructure.<\/p>\n

While this approach allows you and your team to deploy applications quickly and consistently, you might not necessarily be a security expert. So, how can you be sure that your Bicep templates, or any sample templates you use as a starting point, are following best practices? There are lots of different knobs to tweak on Azure resources to make sure they are secure in the deployment\u2014what\u2019s a good way to see if you\u2019re setting all the right options?<\/p>\n

Today, I’m going to show you how you can automatically check that your Azure infrastructure is configured according to security best practices and how you can fit it in as part of your GitHub CI\/CD workflows.<\/p>\n

Introducing PSRule for Azure<\/h2>\n

PSRule for Azure<\/a> is a tool designed to help you test and validate your Azure Infrastructure as Code (IaC). It provides a set of pre-built checks and remediation steps to help you ensure that your Azure solutions are configured correctly. These checks can be applied both before and after deployment to Azure, allowing you to validate the configuration of Azure resources defined in ARM templates or Bicep code.<\/p>\n

The tool is particularly useful for validating IaC templates against best practices, such as those practices outlined in the Well-Architected Framework (WAF)<\/a>. This includes checking for cost, security, reliability, operational excellence, and performance. By integrating PSRule for Azure into your CI\/CD pipeline, you can catch issues early in the development process and improve the quality of your IaC templates.<\/p>\n

PSRule ships with over 400 tests, based on the Well-Architected Framework. You can also define your own tests, either declaratively in YAML or JSON, or with PowerShell.<\/p>\n

Deep dive \u2013 Managed Identities\u202f<\/h2>\n

To show how PSRule works, I\u2019ll use a scenario we tackled recently ourselves at Microsoft. We\u2019re on a company-wide drive to remove passwords and move to non-phishable credentials where possible. As part of this effort, we\u2019ve removed passwords and certificates from code samples and replaced them with Managed Identities.<\/p>\n

Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication, such as Azure services like AI Search and Storage. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials. When you use Managed Identities:<\/p>\n