PSRule.Rules.Azure

Module in module support

Open Dylan-Prins opened this issue 2 years ago • 2 comments

Is your feature request related to a problem? Please describe.

Supporting moduleception (modules in modules). We have the following set-up:

main.bicep -> local modules with resource group deployments -> acr modules.

This means the resources are not getting evaluated, because only deployments in deployments are tested.

This is what works:

  (Get-Content template.json | ConvertFrom-Json -Depth 99).resources[0].properties.template.resources | Assert-PSRule -Format Json

But I was hoping to use the Azure pipeline task:

  - task: ps-rule-assert@2
    displayName: Analyze Azure template files
    inputs:
      inputType: repository
      modules: "PSRule.Rules.Azure"
      outputFormat: NUnit3
      outputPath: reports/ps-rule-results.xml

Describe the solution you'd like

Describe alternatives you've considered

Additional context

Dylan-Prins Aug 04 '22 11:08

@Dylan-Prins Thanks for the feature request. I'm not sure I understand the request entirely.

Currently PSRule for Azure will expand resources in nested deployments in the following cases:

  • Parameter file (JSON) -> Template (JSON) -> Nested deployment within the same file
  • Parameter file (JSON) -> Bicep module/ deployment -> Bicep module
  • Bicep tests/ deployment -> Bicep module -> Bicep module

Bicep modules will be restored from a Bicep registry (ACR) automatically, however a private registry requires authorization. See Restoring modules from a private registry for details on how to configure this within a pipeline.

Also consider setting the AZURE_BICEP_FILE_EXPANSION_TIMEOUT option as restores from a registry can take longer particularly when you are referencing several modules. Start with 15 or 30 seconds and tune as required if you still see timeouts.

Are you after a different option? Or are the above options not working (bug)?

BernieWhite Aug 04 '22 11:08
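
A configuration sketch of the advice in the comment above, added here as an example and not posted by anyone in the thread: a `ps-rule.yaml` that sets the expansion timeout, and the `ps-rule-assert@2` step from the issue with registry credentials passed through `env`. Assumptions not taken from the thread: the `AZURE_BICEP_FILE_EXPANSION` option, the `AZURE_CLIENT_ID` / `AZURE_CLIENT_SECRET` / `AZURE_TENANT_ID` environment variables (the names read by the Azure Identity environment credential), and the `BICEP_REGISTRY_*` pipeline variable names, which are hypothetical placeholders.

```yaml
# ps-rule.yaml (repository root): PSRule options
configuration:
  # Expand .bicep files so resources inside nested modules are analysed.
  # Assumed option name; the thread does not mention it.
  AZURE_BICEP_FILE_EXPANSION: true
  # Seconds allowed for expansion, including module restore from the registry.
  # The thread suggests starting with 15 or 30 and tuning from there.
  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15
---
# azure-pipelines.yml (steps): the task from the issue plus registry credentials
steps:
  - task: ps-rule-assert@2
    displayName: Analyze Azure template files
    inputs:
      inputType: repository
      modules: "PSRule.Rules.Azure"
      outputFormat: NUnit3
      outputPath: reports/ps-rule-results.xml
    env:
      # Hypothetical secret pipeline variables holding a service principal
      # that has pull-only (AcrPull) access to the private Bicep registry.
      AZURE_CLIENT_ID: $(BICEP_REGISTRY_CLIENT_ID)
      AZURE_CLIENT_SECRET: $(BICEP_REGISTRY_CLIENT_SECRET)
      AZURE_TENANT_ID: $(BICEP_REGISTRY_TENANT_ID)
```

Secret pipeline variables are not exposed to tasks as environment variables automatically, which is why they are mapped explicitly under `env`. Keeping the principal scoped to pull-only access limits what a leaked secret can do.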

@Dylan-Prins

You can use the AzurePowerShell@5 task.

I am using private ACRs for Bicep repositories (modules) and using this configuration currently.

  - task: AzurePowerShell@5
    displayName: "Validate module files with Well-Architected Framework"
    condition: contains(variables['diff'], 'module')
    inputs:
      azureSubscription: $(serviceConnectionName)
      scriptType: "inlineScript"
      inline: |
        Install-Module PSRule.Rules.Azure -Scope CurrentUser -Force;
        # Analyse only files changed in the last commit (deleted files are excluded).
        git diff --diff-filter=d HEAD^ HEAD --name-only | ForEach-Object { Get-ChildItem $_ } | Assert-PSRule -Format File -Module 'PSRule.Rules.Azure' -Baseline 'Azure.GA_2022_06' -OutputFormat NUnit3 -OutputPath 'reports/ps-rule-results.xml'
      azurePowerShellVersion: latestVersion

BenjaminEngeset Aug 30 '22 08:08