Skip to content

lang for sec policy exceptions#1978

Open
jchancellor-ms wants to merge 1 commit intomainfrom
testing_exclusions
Open

lang for sec policy exceptions#1978
jchancellor-ms wants to merge 1 commit intomainfrom
testing_exclusions

Conversation

@jchancellor-ms
Copy link
Contributor

@jchancellor-ms jchancellor-ms commented Apr 16, 2025
edited
Loading

Overview/Summary

Added language detailing how terraform security exceptions differ from resiliency exceptions with an example

This PR fixes/adds/changes/removes

  1. Updates contributor testing guidance with a security example to go along with the resiliency example.

Breaking Changes

As part of this Pull Request I have

  • Read the Contribution Guide and ensured this PR is compliant with the guide
  • Checked for duplicate Pull Requests
  • Associated it with relevant GitHub Issues or ADO Work Items (Internal Only)
  • Ensured my code/branch is up-to-date with the latest changes in the main branch
  • Ensured PR tests are passing
  • Updated relevant and associated documentation (e.g. Contribution Guide, Docs etc.)

@jchancellor-ms jchancellor-ms requested a review from a team as a code owner April 16, 2025 20:44
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Triage 🔍 Maintainers need to triage still label Apr 16, 2025
@microsoft-github-policy-service
Copy link

microsoft-github-policy-service bot commented Apr 16, 2025

Important

The "Needs: Triage 🔍" label must be removed once the triage process is complete!

Tip

For additional guidance on how to triage this issue/PR, see the AVM Issue Triage documentation.

lonegunmanb
lonegunmanb requested changes Apr 17, 2025
View reviewed changes
docs/content/contributing/terraform/testing.md
For example, to exclude the rule called `"configure_aks_default_node_pool_zones"`, create a file called `exceptions/exception.rego` in your example, with the following content:
As a general rule, exceptions should only be applied to module examples where you are testing valid but non-compliant configurations. Root module defaults should still comply with WAF and Security best practices. However, if you need to create an exception for a policy, you can do so by creating a `.rego` file in the `exceptions` sub-directory of your example.

For example, to exclude the Azure Proactive Resiliency Library policy rule called `"configure_aks_default_node_pool_zones"`, create a file called `exceptions/exception.rego` in your example with the following content:
Copy link
Member

@lonegunmanb lonegunmanb Apr 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The users might need to ignore rules in different packages, could we use package name like aprl.rego and avmsec.rego in the file name?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lonegunmanb lonegunmanb lonegunmanb requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

Needs: Triage 🔍 Maintainers need to triage still

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jchancellor-ms @lonegunmanb