PSRule icon indicating copy to clipboard operation
PSRule copied to clipboard

Published 20 hours ago verified publisher icon microsoft

Expand on baselines lifecycle

Open BernieWhite opened this issue 2 years ago • 0 comments

Currently customers can configure a single baseline to use. For general use, the baseline is defined on the workflow as an input parameter.

For cases with lots of workflows, this may create undue burden updating these workflows to point to the new baseline.

Setting by environment variable

If the baseline can be set by environment variable, a GitHub repository could set the environment variable which would be inherited by all repos. Azure DevOps would be via variable template/ variable group.

Technically this could already be done by passing the environment variable as a parameter in the GitHub Action. However there is no documentation for this approach.

Pros:

  • Low maintenance.
  • Flexible options to run different baselines with different environment variables.

Cons:

  • No code change, so no PR.
  • Privileged operation for the repository.

Options file

The baseline could be set by options file, this is mostly implemented for setting baselines via module configuration. i.e. rule.baseline.

Pros:

  • Low maintenance
  • Code change, so required PR and test validation as part of the process.

Cons:

  • Does not support environments natively, but different options files can be used.
  • Multi-module scenarios are not currently supported.
  • Only a single baseline can be selected currently.

Baseline group

Provide an option to configure a baseline group, which is friendly name for the baseline but one that can be set within options.

For example:

baseline:
  group:
    recommended: PSRule.Rules.Azure\Azure.Default
    preview: PSRule.Rules.Azure\Azure.Preview

# Analyze Azure resources using PSRule for Azure
- name: Analyze Azure template files
  uses: microsoft/[email protected]
  with:
    modules: 'PSRule.Rules.Azure'
    baseline: '@recommended'

Pros:

  • Low maintenance
  • Code change, so required PR and test validation as part of the process.
  • Allows a different baseline tags to be configured within the pipeline, baseline can be bumped without updating the pipeline.

Cons:

  • Multi-module scenarios are not currently supported.
  • Only a single baseline can be selected currently.

BernieWhite avatar May 05 '23 16:05 BernieWhite