Add bicepparam sample (#41)

Author: BernieWhite

README.md

@@ -33,6 +33,7 @@ This repository includes:
 This repository shows valid uses of PSRule for Azure, both pass and failure cases.
 Inspect the following files for instructions to test PSRule for Azure rules by creating a failure.
 
+- [bicep/deployments/contoso/landing-zones/subscription-1/rg-app-001/dev.bicepparam](bicep/deployments/contoso/landing-zones/subscription-1/rg-app-001/dev.bicepparam)
 - [bicep/deployments/contoso/landing-zones/subscription-1/rg-app-002/deploy.bicep](bicep/deployments/contoso/landing-zones/subscription-1/rg-app-002/deploy.bicep)
 - [template/deployments/contoso/landing-zones/subscription-1/rg-app-001/sttemplateapp001.parameters.json](template/deployments/contoso/landing-zones/subscription-1/rg-app-001/sttemplateapp001.parameters.json)
 

bicep/deployments/contoso/landing-zones/subscription-1/rg-app-001/dev.bicepparam

@@ -0,0 +1,10 @@
+using 'main.bicep'
+
+param environment = 'dev'
+param name = 'kv-example-001'
+
+// Key Vault should only accept explicitly allowed traffic through the firewall.
+// Set to 'Allow' to fail Azure.KeyVault.Firewall.
+param defaultAction = 'Deny'
+
+param workspaceId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-test/providers/microsoft.operationalinsights/workspaces/workspace-001'

bicep/deployments/contoso/landing-zones/subscription-1/rg-app-001/main.bicep

@@ -0,0 +1,48 @@
+targetScope = 'resourceGroup'
+
+param name string
+param location string = resourceGroup().location
+
+@allowed([
+  'Allow'
+  'Deny'
+])
+param defaultAction string = 'Deny'
+param environment string
+param workspaceId string = ''
+
+resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
+  name: name
+  location: location
+  properties: {
+    sku: {
+      family: 'A'
+      name: 'standard'
+    }
+    tenantId: tenant().tenantId
+    enableSoftDelete: true
+    enablePurgeProtection: true
+    enableRbacAuthorization: true
+    networkAcls: {
+      defaultAction: defaultAction
+    }
+  }
+  tags: {
+    env: environment
+  }
+}
+
+@sys.description('Configure auditing for Key Vault.')
+resource logs 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(workspaceId)) {
+  name: 'service'
+  scope: vault
+  properties: {
+    workspaceId: workspaceId
+    logs: [
+      {
+        category: 'AuditEvent'
+        enabled: true
+      }
+    ]
+  }
+}

ps-rule.yaml

@@ -30,12 +30,14 @@ output:
 input:
   pathIgnore:
     # Ignore other files in the repository.
-    - '.vscode/'
-    - '.github/'
-    - '*.md'
+    - '**'
 
-    # Exclude modules but not tests.
-    - 'bicep/modules/**/*.bicep'
+    # Include deployments.
+    - '!bicep/deployments/**/*.bicepparam'
+    - '!bicep/deployments/**/deploy.bicep'
+    - '!template/**/*.parameters.json'
+
+    # Include module tests.
     - '!bicep/modules/**/*.tests.bicep'
 
 configuration:
@@ -44,6 +46,7 @@ configuration:
 
   # Enable automatic expansion of Azure Bicep source files.
   AZURE_BICEP_FILE_EXPANSION: true
+  AZURE_BICEP_PARAMS_FILE_EXPANSION: true
 
   # Configures the number of seconds to wait for build Bicep files.
   AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 10
@@ -52,7 +55,7 @@ configuration:
   AZURE_BICEP_CHECK_TOOL: true
 
   # Configure the minimum version of the Bicep CLI.
-  AZURE_BICEP_MINIMUM_VERSION: '0.13.0'
+  AZURE_BICEP_MINIMUM_VERSION: '0.19.5'
 
 # Suppression ignores rules for a specific Azure resource by name.
 suppression: