Creating your pipeline#
You can use PSRule to test Infrastructure as Code (IaC) artifacts throughout their lifecycle. By using validation within a continuous integration (CI) pipeline, any issues provide fast feedback.
Within the root directory of your IaC repository:
Create a new GitHub Actions workflow by creating .github/workflows/analyze-arm.yaml
.
name: Analyze templates
on:
- pull_request
jobs:
analyze_arm:
name: Analyze templates
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
# Analyze Azure resources using PSRule for Azure
- name: Analyze Azure template files
uses: microsoft/ps-rule@v2.8.1
with:
modules: 'PSRule.Rules.Azure'
This will automatically install compatible versions of all dependencies.
Create a new Azure DevOps YAML pipeline by creating .azure-pipelines/analyze-arm.yaml
.
steps:
# Analyze Azure resources using PSRule for Azure
- task: ps-rule-assert@2
displayName: Analyze Azure template files
inputs:
inputType: repository
modules: 'PSRule.Rules.Azure'
This will automatically install compatible versions of all dependencies.
Create a pipeline in any CI environment by using PowerShell.
$modules = @('PSRule.Rules.Azure')
Install-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;
Assert-PSRule -InputPath '.' -Module $modules -Format File -ErrorAction Stop;
Tip
This example demonstrates using PSRule for Azure, a populate module for testing Azure IaC. Instead, you can write your own module or use one of our pre-built modules.
Configuration#
Configuration options for PSRule are set within the ps-rule.yaml
file.
Ignoring rules#
To prevent a rule executing you can either:
- Exclude rules by name — The rule is not executed for any object.
- Suppress rules by name — The rule is not executed for a specific object by name.
- Suppress rules by condition — The rule is not executed for matching objects.
To exclude a rule, set Rule.Exclude
option within the ps-rule.yaml
file.
[ Docs][3]
rule:
exclude:
# Ignore the following rules for all objects
- Azure.VM.UseHybridUseBenefit
- Azure.VM.Standalone
To suppress an individual rule, set Suppression
option within the ps-rule.yaml
file.
[ Docs][4]
suppression:
Azure.AKS.AuthorizedIPs:
# Exclude the following externally managed AKS clusters
- aks-cluster-prod-eus-001
Azure.Storage.SoftDelete:
# Exclude the following non-production storage accounts
- storagedeveus6jo36t
- storagedeveus1df278
To suppress an rules by condition, create a suppression group.
[ Docs][5]
---
# Synopsis: Ignore test objects by name.
apiVersion: github.com/microsoft/PSRule/v1
kind: SuppressionGroup
metadata:
name: SuppressWithTargetName
spec:
rule:
- 'FromFile1'
- 'FromFile2'
if:
name: '.'
in:
- 'TestObject1'
- 'TestObject2'
Tip
Use comments within ps-rule.yaml
to describe the reason why rules are excluded or suppressed.
Meaningful comments help during peer review within a Pull Request (PR).
Also consider including a date if the exclusions or suppressions are temporary.
Processing changed files only#
v2.5.0 ยท Docs
To only process files that have changed within a pull request, set the Input.IgnoreUnchangedPath
option.
Update your GitHub Actions workflow by setting the PSRULE_INPUT_IGNOREUNCHANGEDPATH
environment variable.
name: Analyze templates
on:
- pull_request
jobs:
analyze_arm:
name: Analyze templates
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
# Analyze Azure resources using PSRule for Azure
- name: Analyze Azure template files
uses: microsoft/ps-rule@v2.8.1
with:
modules: 'PSRule.Rules.Azure'
env:
PSRULE_INPUT_IGNOREUNCHANGEDPATH: true
Update your Azure DevOps YAML pipeline by setting the PSRULE_INPUT_IGNOREUNCHANGEDPATH
environment variable.
steps:
# Analyze Azure resources using PSRule for Azure
- task: ps-rule-assert@2
displayName: Analyze Azure template files
inputs:
inputType: repository
modules: 'PSRule.Rules.Azure'
env:
PSRULE_INPUT_IGNOREUNCHANGEDPATH: true
Update your PowerShell command-line to include the Input.IgnoreUnchangedPath
option.
$modules = @('PSRule.Rules.Azure')
$options = @{
'Input.IgnoreUnchangedPath' = $True
}
Install-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;
Assert-PSRule -Options $options -InputPath '.' -Module $modules -Format File -ErrorAction Stop;
Tip
In some cases it may be nessessary to set Repository.BaseRef
to the default branch of your repository.
By default, PSRule will detect the default branch of the repository from the build system environment variables.