From 9a692cc4344b1d432cad9f267ff8f5f3cbe2db94 Mon Sep 17 00:00:00 2001
From: jdmsoss <174804059+jdmsoss@users.noreply.github.com>
Date: Mon, 7 Oct 2024 18:36:42 +0200
Subject: [PATCH 1/5] fix: arg output returning null value for param1 when "No Private Endpoint" condition is met (#431)

---
 .../kql/dc55be60-6f8c-461e-a9d5-a3c7686ed94e.kql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/azure-resources/Storage/storageAccounts/kql/dc55be60-6f8c-461e-a9d5-a3c7686ed94e.kql b/azure-resources/Storage/storageAccounts/kql/dc55be60-6f8c-461e-a9d5-a3c7686ed94e.kql
index 0dd9340cd..d17752b32 100644
--- a/azure-resources/Storage/storageAccounts/kql/dc55be60-6f8c-461e-a9d5-a3c7686ed94e.kql
+++ b/azure-resources/Storage/storageAccounts/kql/dc55be60-6f8c-461e-a9d5-a3c7686ed94e.kql
@@ -3,6 +3,6 @@
 resources
 | where type =~ "Microsoft.Storage/StorageAccounts"
 | where isnull(properties.privateEndpointConnections) or properties.privateEndpointConnections[0].properties.provisioningState != ("Succeeded") or (isnull(properties.networkAcls) and properties.publicNetworkAccess == 'Enabled')
-| extend param1 = strcat('Private Endpoint: ', iif(isnotnull(properties.privateEndpointConnections),split(properties.privateEndpointConnections[0].properties.privateEndpoint.id,'/')[8],'No Private Endpoint'))
+| extend param1 = strcat('Private Endpoint: ', iif(array_length(properties.privateEndpointConnections) != 0,split(properties.privateEndpointConnections[0].properties.privateEndpoint.id,'/')[8],'No Private Endpoint'))
 | extend param2 = strcat('Access: ', iif(properties.publicNetworkAccess == 'Disabled', 'Public Access Disabled', iif(isnotnull(properties.networkAcls), 'NetworkACLs in place','Public Access Enabled')))
 | project recommendationId = "dc55be60-6f8c-461e-a9d5-a3c7686ed94e", name, id, tags, param1, param2

From c848988454592358791524fa3bec8d9aabca868d Mon Sep 17 00:00:00 2001
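Review bot: The new guard on the `+| extend param1` line covers the empty-array case that `isnotnull()` let through, but when `properties.privateEndpointConnections` is absent altogether, `array_length()` returns null and `null != 0` is a null predicate rather than `false`, so the `'No Private Endpoint'` branch is reached only if `iif()` treats a null predicate as false — which I believe it does, but it is worth not relying on: `coalesce(array_length(properties.privateEndpointConnections), 0) > 0` states the intent directly. The `[8]` index into the split resource ID is unchanged and yields null for any ID that does not have nine segments, which would reproduce the same null-`param1` symptom this commit fixes; a comment such as `// segment 8 of a private-endpoint connection resource ID is the private endpoint name` would make that assumption visible to the next maintainer. The `where` line above still tests the same property with `isnull()` and then indexes `[0]`, so for an empty array the first two disjuncts appear to evaluate to null rather than true and the row only survives via the third clause — worth confirming that the filter and the extend agree on what "no private endpoint" means.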
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 7 Oct 2024 14:09:39 -0500
Subject: [PATCH 2/5] build: Bump github/codeql-action from 3.26.9 to 3.26.11 (#449)

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/scorecard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index a24f74d09..517dba5d2 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
+        uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
         with:
           sarif_file: results.sarif

From 55606c60a68fe900330120ece3b75d7e89a4c3a6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 7 Oct 2024 14:09:59 -0500
Subject: [PATCH 3/5] build: Bump actions/checkout from 2.7.0 to 4.2.0 (#448)

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build-recommendation-object.yml | 2 +-
 .github/workflows/code-review.yml                 | 2 +-
 .github/workflows/hugo-build-pr-check.yml         | 2 +-
 .github/workflows/hugo-site-build.yml             | 2 +-
 .github/workflows/scorecard.yml                   | 2 +-
 .github/workflows/validate-queries.yml            | 2 +-
 .github/workflows/validate-recommendations.yml    | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build-recommendation-object.yml b/.github/workflows/build-recommendation-object.yml
index b75448711..16d6ee4ed 100644
--- a/.github/workflows/build-recommendation-object.yml
+++ b/.github/workflows/build-recommendation-object.yml
@@ -13,7 +13,7 @@ jobs:
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.2.0
         with:
           ref: main

diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
index dc931b36b..f217c9efe 100644
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -21,7 +21,7 @@ jobs:
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.2.0
         with:
           fetch-depth: 0

diff --git a/.github/workflows/hugo-build-pr-check.yml b/.github/workflows/hugo-build-pr-check.yml
index d72f6ef81..806ef6567 100644
--- a/.github/workflows/hugo-build-pr-check.yml
+++ b/.github/workflows/hugo-build-pr-check.yml
@@ -41,7 +41,7 @@ jobs:
         run: sudo snap install dart-sass-embedded
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.2.0
         with:
           submodules: recursive
           fetch-depth: 0

diff --git a/.github/workflows/hugo-site-build.yml b/.github/workflows/hugo-site-build.yml
index 0b8e9f88c..dc453f626 100644
--- a/.github/workflows/hugo-site-build.yml
+++ b/.github/workflows/hugo-site-build.yml
@@ -52,7 +52,7 @@ jobs:
         run: sudo snap install dart-sass-embedded
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.2.0
         with:
           submodules: recursive
           fetch-depth: 0

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 517dba5d2..ee1de1298 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -32,7 +32,7 @@ jobs:
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
+        uses: actions/checkout@6b42224f41ee5dfe5395e27c8b2746f1f9955030 # v2.7.0
         with:
           persist-credentials: false

diff --git a/.github/workflows/validate-queries.yml b/.github/workflows/validate-queries.yml
index 6ef7c7b5e..8fc4d1325 100644
--- a/.github/workflows/validate-queries.yml
+++ b/.github/workflows/validate-queries.yml
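Review bot: The trailing pin comment on the new `+        uses: actions/checkout@6b42224f41ee5dfe5395e27c8b2746f1f9955030 # v2.7.0` line in scorecard.yml still says `# v2.7.0` although the commit subject describes a bump to 4.2.0, so the comment no longer documents what the SHA resolves to and anyone auditing the pin is misled; it should read `# v4.2.0`, after confirming against the upstream tag that this SHA is indeed the v4.2.0 release. The other six hunks in this commit (build-recommendation-object, code-review, hugo-build-pr-check, hugo-site-build, validate-queries, validate-recommendations) move from the mutable `@v4` tag to the equally mutable `@v4.2.0` tag while this file stays SHA-pinned, leaving the repository with two pinning policies for the same action. Pinning all seven to the commit SHA with a correct version comment, as scorecard.yml already does, keeps the dependency reviewable and immune to tag moves.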
@@ -42,7 +42,7 @@ jobs:
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.2.0
       - name: Azure login (OIDC)
         uses: azure/login@v2

diff --git a/.github/workflows/validate-recommendations.yml b/.github/workflows/validate-recommendations.yml
index 40bf937a3..4a2ef000d 100644
--- a/.github/workflows/validate-recommendations.yml
+++ b/.github/workflows/validate-recommendations.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.2.0
       - name: Set up Python 3.x
         uses: actions/setup-python@v5

From 6df5c34a6f815baaab7bc7c79747d80864386058 Mon Sep 17 00:00:00 2001
From: Takeshi Katano
Date: Tue, 8 Oct 2024 04:16:53 +0800
Subject: [PATCH 4/5] fix: Fix recommendationResourceType example value (#447)

Co-authored-by: github-actions[bot]
---
 .../create-content/create-recommendations/_index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/content/contributing/create-content/create-recommendations/_index.md b/docs/content/contributing/create-content/create-recommendations/_index.md
index 3e382d923..295931234 100644
--- a/docs/content/contributing/create-content/create-recommendations/_index.md
+++ b/docs/content/contributing/create-content/create-recommendations/_index.md
@@ -72,7 +72,7 @@ The YAML structure for adding new recommendations consists of several key-value
 | recommendationTypeId | 3464854d-6f75-4922-95e4-a2a308b53ce6 | String | `null` until updated by the Azure Advisor team | The unique identifier for the recommendation in the context of Advisor. |
 | recommendationControl | Monitoring and Alerting | String | [High Availability, Business Continuity, Disaster Recovery, Scalability, Monitoring and Alerting, Service Upgrade and Retirement, Other Best Practices, Personalized, Governance, Security](#recommendation-categories) | Resiliency category associated with the recommendation |
 | recommendationImpact | Medium | String | Low, Medium, High | Importance of adopting the recommendation and/or the risk of choosing not to adopt |
-| recommendationResourceType | Storage Account | String | Align with the resource type | Friendly name to identity resource type |
+| recommendationResourceType | Microsoft.Storage/storageAccounts | String | Align with the resource type | Friendly name to identity resource type |
 | recommendationMetadataState | Active | String | Active, Disabled | Indicates whether the recommendation is visible |
 | longDescription | To enable Cross-region disaster recovery and business continuity, ensure that the appropriate quotas are set for all user subscription Batch accounts. | String | The length should be less than 300 characters | Detailed description of the recommendation and its implications |
 | potentialBenefits | Enhanced data redundancy and boosts availability | String | The length should be less than 60 characters | The potential benefits of implementing the recommendation |

From 4f74227710eff4329b256fd4c7780d34acf5b2a9 Mon Sep 17 00:00:00 2001
From: Takeshi Katano
Date: Tue, 8 Oct 2024 04:18:52 +0800
Subject: [PATCH 5/5] feat: Add recommendation for Service Bus minimum TLS version (#437)

Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
---
 .../f075a1bd-de9e-4819-9a1d-1ac41037a74f.kql | 11 ++++++++++
 .../namespaces/recommendations.yaml          | 20 +++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 azure-resources/ServiceBus/namespaces/kql/f075a1bd-de9e-4819-9a1d-1ac41037a74f.kql

diff --git a/azure-resources/ServiceBus/namespaces/kql/f075a1bd-de9e-4819-9a1d-1ac41037a74f.kql b/azure-resources/ServiceBus/namespaces/kql/f075a1bd-de9e-4819-9a1d-1ac41037a74f.kql
new file mode 100644
index 000000000..6c18e8f15
--- /dev/null
+++ b/azure-resources/ServiceBus/namespaces/kql/f075a1bd-de9e-4819-9a1d-1ac41037a74f.kql
@@ -0,0 +1,11 @@
+// Azure Resource Graph Query
+// Provides a list of Service Bus Namespace resources that have the lower minimum TLS version.
+resources
+| where type =~ "Microsoft.ServiceBus/namespaces"
+| where properties.minimumTlsVersion in ("1.0", "1.1")
+| project
+    recommendationId = "f075a1bd-de9e-4819-9a1d-1ac41037a74f",
+    name,
+    id,
+    tags,
+    param1 = strcat("minimumTlsVersion: ", properties.minimumTlsVersion)
diff --git a/azure-resources/ServiceBus/namespaces/recommendations.yaml b/azure-resources/ServiceBus/namespaces/recommendations.yaml
index 31f38e061..13e886adf 100644
--- a/azure-resources/ServiceBus/namespaces/recommendations.yaml
+++ b/azure-resources/ServiceBus/namespaces/recommendations.yaml
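Review bot: The `+| where properties.minimumTlsVersion in ("1.0", "1.1")` filter only matches namespaces on which the property is present and is exactly one of those two strings; a namespace whose `minimumTlsVersion` is absent or null drops out of the result silently, which is only correct if an unset value is guaranteed to mean 1.2 — that should be confirmed against the Service Bus resource provider rather than assumed, given that the storage query earlier in this same series was just fixed for precisely this kind of null handling. If absence is not guaranteed to be safe, `| where isnull(properties.minimumTlsVersion) or properties.minimumTlsVersion in ("1.0", "1.1")` keeps those namespaces visible, and `param1` would then show an empty value that flags the unset case. The header comment `// Provides a list of Service Bus Namespace resources that have the lower minimum TLS version.` would be more useful stating the criterion: `// Lists Service Bus namespaces whose minimum TLS version is 1.0 or 1.1 (below the 1.2 baseline).`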
@@ -37,3 +37,23 @@
   learnMoreLink:
     - name: Service Bus auto-scaling
       url: "https://learn.microsoft.com/azure/service-bus-messaging/automate-update-messaging-units"
+
+- description: Configure the minimum TLS version for Service Bus namespaces to TLS v1.2 or higher
+  aprlGuid: f075a1bd-de9e-4819-9a1d-1ac41037a74f
+  recommendationTypeId: null
+  recommendationControl: Service Upgrade and Retirement
+  recommendationImpact: High
+  recommendationResourceType: Microsoft.ServiceBus/namespaces
+  recommendationMetadataState: Active
+  longDescription: |
+    As of 31 October 2024, TLS 1.0 and TLS 1.1 will no longer be supported on Azure including Service Bus to enhance security and provide best-in-class encryption for your data. Change the minimum TLS version for your Service Bus namespace to TLS v1.2 or higher.
+  potentialBenefits: Avoids service disruption
+  pgVerified: false
+  publishedToLearn: false
+  automationAvailable: true
+  tags: null
+  learnMoreLink:
+    - name: Azure support for TLS 1.0 and TLS 1.1 will end by 31 October 2024
+      url: "https://azure.microsoft.com/updates/azure-support-tls-will-end-by-31-october-2024-2/"
+    - name: Configure the minimum TLS version for a Service Bus namespace
+      url: "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-configure-minimum-version"
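Review bot: `recommendationControl: Service Upgrade and Retirement` on the new entry files a TLS-floor recommendation under retirement, while the contributor table changed earlier in this series lists `Security` among the allowed controls and the description and both `learnMoreLink` entries are about encryption strength; if the intent is the 31 October 2024 retirement the current value is defensible, otherwise `Security` would route it to the readers who act on encryption findings, so worth a deliberate choice. The `longDescription` is also written relative to a date (`As of 31 October 2024, ... will no longer be supported`), which reads as a prediction once that date has passed; phrasing it as a standing requirement, e.g. `Azure, including Service Bus, is retiring support for TLS 1.0 and TLS 1.1 (31 October 2024). Set the minimum TLS version for your Service Bus namespace to 1.2 or higher.`, keeps it accurate before and after the cutover.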