PSRule and extension resources #2179
Hi @BernieWhite

Didn't see that an issue was a fit, as it is more of a question. We already have rules where we are using These kinds of extension resources are standalone, and always outside its "parent", how come that this function is able to get the diagnostic?

I'm planning to create a Defender for Cloud rule for Cosmos DB, but that is an extension resource as well. Initially I thought that we would not be able to create this, but now I am unsure if PSRule is doing anything magical and it is a doable task after all.
Replies: 1 comment 3 replies
@BenjaminEngeset With `Microsoft.Insights/diagnosticSettings`, because it is an extension resource it is deployed in the scope of the parent resource.

For example:

```bicep
@sys.description('Configure auditing for Key Vault.')
resource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(workspaceId)) {
  name: 'service'
  scope: vault
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        category: 'AuditEvent'
        enabled: true
      }
    ]
  }
}
```

So its resulting resource Id is `/subscriptions/nnn/resourceGroups/nnn/Microsoft.KeyVault/vaults/my-vault/providers/Microsoft.Insights/diagnosticSettings/service`.

For in-flight we need to specifically extract these types of resources because they are never automatically returned by Azure in a REST request unless you ask for them.

For pre-flight we check for scoped resources and then automatically nest them in their scoped parent if it exists in the same deployment so they appear under

For resources that don't fit into scope or sub-resources there isn't really a good solution in PSRule today. There is this discussion #1984 relating to that. Ultimately, we need to provide an option to query across relationships in PSRule, which it doesn't currently support, but it is something we'd like to do.

For specific cases that make sense we can look at automatically nesting them. Which Cosmos DB resource types are we talking about?
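The pre-flight nesting described in the reply above, sketched as an added example (not code from PSRule or from either poster): it splits an extension resource ID at its last `/providers/` segment to find the parent scope, nests the extension under that parent when the parent is in the same set, and then runs an audit-logging check against the parent. The function names, the `resources` key and all sample IDs are assumptions constructed for the illustration.

```python
# Added illustration, not PSRule's implementation. All IDs below are constructed.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
VAULT_ID = SUB + "/providers/Microsoft.KeyVault/vaults/my-vault"
DIAG = "Microsoft.Insights/diagnosticSettings"
AUDIT = {"logs": [{"category": "AuditEvent", "enabled": True}]}
SAMPLE = [
    {"id": VAULT_ID, "type": "Microsoft.KeyVault/vaults"},
    {"id": f"{VAULT_ID}/providers/{DIAG}/service", "type": DIAG, "properties": AUDIT},
    # The parent vault of this setting is not in the set, so it cannot be nested.
    {"id": f"{SUB}/providers/Microsoft.KeyVault/vaults/other-vault/providers/{DIAG}/service",
     "type": DIAG, "properties": AUDIT},
]

def split_extension_id(resource_id):
    """Return (parent scope ID, extension type, name), or None when the ID is
    not an extension resource scoped to another resource."""
    marker = "/providers/"
    idx = resource_id.lower().rfind(marker)
    scope, tail = resource_id[:idx], resource_id[idx + len(marker):].split("/")
    if idx <= 0 or marker not in scope.lower() or len(tail) != 3:
        return None
    return scope, "/".join(tail[:2]), tail[2]

def nest_extensions(resources):
    """Move each extension resource under its parent's 'resources' list when the
    parent is in the same set. Returns (top-level resources, unparented extensions)."""
    by_id = {r["id"].lower(): dict(r, resources=[]) for r in resources}
    orphans = []
    for key, res in list(by_id.items()):
        split = split_extension_id(res["id"])
        if split is None:
            continue
        del by_id[key]
        parent = by_id.get(split[0].lower())
        (parent["resources"] if parent is not None else orphans).append(res)
    return list(by_id.values()), orphans

def has_audit_logging(vault):
    """Rule-style check run against the parent: a nested diagnostic setting
    must enable the AuditEvent category."""
    for child in vault["resources"]:
        if child["type"].lower() != DIAG.lower():
            continue
        if any(log.get("category") == "AuditEvent" and log.get("enabled")
               for log in child.get("properties", {}).get("logs", [])):
            return True
    return False
```

The third sample entry ends up in the unparented list, which is the case the reply says has no good solution today: a rule evaluated on the parent never sees it.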