Creating your pipeline

You can use PSRule to test Infrastructure as Code (IaC) artifacts throughout their lifecycle. By running validation within a continuous integration (CI) pipeline, any issues are surfaced as fast feedback on each change.

Within the root directory of your IaC repository:

Create a new GitHub Actions workflow by creating .github/workflows/analyze-arm.yaml.

name: Analyze templates
on:
- pull_request
jobs:
  analyze_arm:
    name: Analyze templates
    runs-on: ubuntu-latest
    steps:

    - name: Checkout
      uses: actions/checkout@v3

    # Analyze Azure resources using PSRule for Azure
    - name: Analyze Azure template files
      uses: microsoft/ps-rule@v2.8.1
      with:
        modules: 'PSRule.Rules.Azure'

This will automatically install compatible versions of all dependencies.

Create a new Azure DevOps YAML pipeline by creating .azure-pipelines/analyze-arm.yaml.

steps:

# Analyze Azure resources using PSRule for Azure
- task: ps-rule-assert@2
  displayName: Analyze Azure template files
  inputs:
    inputType: repository
    modules: 'PSRule.Rules.Azure'

This will automatically install compatible versions of all dependencies.

Create a pipeline in any CI environment by using PowerShell.

$modules = @('PSRule.Rules.Azure')
Install-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;
Assert-PSRule -InputPath '.' -Module $modules -Format File -ErrorAction Stop;

Tip

This example demonstrates using PSRule for Azure, a popular module for testing Azure IaC. Instead, you can write your own module or use one of our pre-built modules.

Configuration

Configuration options for PSRule are set within the ps-rule.yaml file.

Ignoring rules

To prevent a rule from executing, you can either:

  • Exclude rules by name — The rule is not executed for any object.
  • Suppress rules by name — The rule is not executed for a specific object by name.
  • Suppress rules by condition — The rule is not executed for matching objects.

To exclude a rule, set the Rule.Exclude option within the ps-rule.yaml file.

ps-rule.yaml
rule:
  exclude:
  # Ignore the following rules for all objects
  - Azure.VM.UseHybridUseBenefit
  - Azure.VM.Standalone

To suppress an individual rule for specific objects, set the Suppression option within the ps-rule.yaml file.

ps-rule.yaml
suppression:
  Azure.AKS.AuthorizedIPs:
  # Exclude the following externally managed AKS clusters
  - aks-cluster-prod-eus-001
  Azure.Storage.SoftDelete:
  # Exclude the following non-production storage accounts
  - storagedeveus6jo36t
  - storagedeveus1df278

To suppress rules by condition, create a suppression group.

---
# Synopsis: Ignore test objects by name.
apiVersion: github.com/microsoft/PSRule/v1
kind: SuppressionGroup
metadata:
  name: SuppressWithTargetName
spec:
  rule:
  - 'FromFile1'
  - 'FromFile2'
  if:
    name: '.'
    in:
    - 'TestObject1'
    - 'TestObject2'

Tip

Use comments within ps-rule.yaml to describe the reason why rules are excluded or suppressed. Meaningful comments help during peer review within a Pull Request (PR). Also consider including a date if the exclusions or suppressions are temporary.
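As an added example (not taken from the PSRule documentation), the suppression group below combines a type check with a field check so that Azure.Storage.SoftDelete is suppressed only for storage accounts carrying a non-production tag, and records the reason and review date as the tip above recommends. The tag name `env`, its value `dev`, and the review date are assumptions chosen for illustration.

```yaml
---
# Synopsis: Ignore soft delete findings for storage accounts tagged as dev.
apiVersion: github.com/microsoft/PSRule/v1
kind: SuppressionGroup
metadata:
  name: SuppressDevStorageSoftDelete
spec:
  # Only the named rule is suppressed; other rules still run against these objects.
  rule:
  - 'Azure.Storage.SoftDelete'
  if:
    allOf:
    # Match only storage account resources by their object type.
    - type: '.'
      in:
      - 'Microsoft.Storage/storageAccounts'
    # ...and only those tagged env=dev (assumed tag name and value).
    # Reason: dev accounts hold no customer data. Temporary, review by 2023-12-31.
    - field: 'tags.env'
      equals: 'dev'
```

Because the match is on type and tag rather than a hard-coded name, newly created dev accounts are covered automatically, while an account that loses the `env: dev` tag is validated again on the next run.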

Processing changed files only

v2.5.0 · Docs

To only process files that have changed within a pull request, set the Input.IgnoreUnchangedPath option.

Update your GitHub Actions workflow by setting the PSRULE_INPUT_IGNOREUNCHANGEDPATH environment variable.

.github/workflows/analyze-arm.yaml
name: Analyze templates
on:
- pull_request
jobs:
  analyze_arm:
    name: Analyze templates
    runs-on: ubuntu-latest
    steps:

    - name: Checkout
      uses: actions/checkout@v3

    # Analyze Azure resources using PSRule for Azure
    - name: Analyze Azure template files
      uses: microsoft/ps-rule@v2.8.1
      with:
        modules: 'PSRule.Rules.Azure'
      env:
        PSRULE_INPUT_IGNOREUNCHANGEDPATH: true

Update your Azure DevOps YAML pipeline by setting the PSRULE_INPUT_IGNOREUNCHANGEDPATH environment variable.

.azure-pipelines/analyze-arm.yaml
steps:

# Analyze Azure resources using PSRule for Azure
- task: ps-rule-assert@2
  displayName: Analyze Azure template files
  inputs:
    inputType: repository
    modules: 'PSRule.Rules.Azure'
  env:
    PSRULE_INPUT_IGNOREUNCHANGEDPATH: true

Update your PowerShell command-line to include the Input.IgnoreUnchangedPath option.

PowerShell
$modules = @('PSRule.Rules.Azure')
$options = @{
    'Input.IgnoreUnchangedPath' = $True
}
Install-Module -Name $modules -Scope CurrentUser -Force -ErrorAction Stop;
Assert-PSRule -Options $options -InputPath '.' -Module $modules -Format File -ErrorAction Stop;

Tip

In some cases it may be necessary to set Repository.BaseRef to the default branch of your repository. By default, PSRule detects the default branch of the repository from the build system's environment variables.

Last update: 2023-04-24