Addressing Well Architected Framework gaps (#149)

* first cut of WAF rule gaps
* introducing capturing of azcmds to file
* updating ResourceGroup Name in UI
* path problem and cmd replace
* oops. token mistake
* shifting to complete mode deployment
* adding conditions to cover forks
* Making full deployment optional in a manual run
* Excluding Azure.AppGw.UseHTTPS rule as AGIC managed
* More WAF param tweaks for better coverage
* shifted disableLocalAccounts to param
* param metadata
* changing default of AksDisableLocalAccounts to false.
* added ui and playwrite test for disabledlocalaccounts
* disabling local accounts for basic cluster
* removing the use of admin local account login
* using aks-se
* download kubelogin binary
* Kubelogin
* Changing RG used by Publish actions to be dedicated.
* setting aksDisableLocalAccounts for the WAF param config
* bumping template version in web app
* case issue with aksDisableLocalAccounts
* implementing keiths suggestion of default value cover on the new param.
* removing invalid inputProps from TextFields
* fixing != !== issue i spotted in the jscode
* fixed up playwright test to be better
* userauth cspell dictionary update

Author: Gordon Byers

.github/workflows/AppDeploy_JavaApp.yml

@@ -47,6 +47,7 @@ on:
         description: 'Uninstall app after tests  [yes|no]'
         type: boolean
         default: true
+        required: false
     secrets:
       AZURE_CREDENTIALS:
         required: true
@@ -136,12 +137,16 @@ jobs:
           RG: "${{ inputs.RG }}"
           AKSNAME: "${{ inputs.AKSNAME }}"
         run: |
-          az aks get-credentials -n $AKSNAME -g $RG --admin --overwrite-existing
+          az aks get-credentials -n $AKSNAME -g $RG --overwrite-existing
 
-      - name: Kubectl
+      - name: Kubelogin
+        env:
+          kubeloginversion: 'v0.0.10'
         run: |
-          #sudo az aks install-cli
-          kubectl version
+          wget https://github.com/Azure/kubelogin/releases/download/${{ env.kubeloginversion }}/kubelogin-linux-amd64.zip
+          unzip kubelogin-linux-amd64.zip
+          sudo mv bin/linux_amd64/kubelogin /usr/bin
+          kubelogin convert-kubeconfig -l azurecli
 
       - name: Observe Existing DNSConfig
         env:

.github/workflows/ByoVnetCI.yml

@@ -543,13 +543,16 @@ jobs:
       - name: AKS Connect
         run: |
           AKSNAME='${{ needs.Deploy.outputs.AKSNAME}}'
-          az aks get-credentials -n $AKSNAME -g $RG --admin --overwrite-existing
+          az aks get-credentials -n $AKSNAME -g $RG --overwrite-existing
 
-      - name: Kubectl
-        if: github.event.inputs.doDebugSteps != 'no'
+      - name: Kubelogin
+        env:
+          kubeloginversion: 'v0.0.10'
         run: |
-          #sudo az aks install-cli
-          kubectl version
+          wget https://github.com/Azure/kubelogin/releases/download/${{ env.kubeloginversion }}/kubelogin-linux-amd64.zip
+          unzip kubelogin-linux-amd64.zip
+          sudo mv bin/linux_amd64/kubelogin /usr/bin
+          kubelogin convert-kubeconfig -l azurecli
 
       - name: Deploy AGIC Public Facing Workload
         env:
@@ -726,13 +729,16 @@ jobs:
       - name: AKS Connect
         run: |
           AKSNAME='${{ needs.Deploy.outputs.AKSNAME}}'
-          az aks get-credentials -n $AKSNAME -g $RG --admin --overwrite-existing
+          az aks get-credentials -n $AKSNAME -g $RG --overwrite-existing
 
-      - name: Kubectl
-        if: github.event.inputs.doDebugSteps != 'no'
+      - name: Kubelogin
+        env:
+          kubeloginversion: 'v0.0.10'
         run: |
-          #sudo az aks install-cli
-          kubectl version
+          wget https://github.com/Azure/kubelogin/releases/download/${{ env.kubeloginversion }}/kubelogin-linux-amd64.zip
+          unzip kubelogin-linux-amd64.zip
+          sudo mv bin/linux_amd64/kubelogin /usr/bin
+          kubelogin convert-kubeconfig -l azurecli
 
       - name: Kubectl get events
         if: github.event.inputs.doDebugSteps != 'no'

.github/workflows/ByoVnetPrivateCI.yml

@@ -269,7 +269,7 @@ jobs:
       - name: AKS Connect
         run: |
           AKSNAME='${{ needs.Deploy.outputs.AKSNAME}}'
-          az aks get-credentials -n $AKSNAME -g $RG --admin --overwrite-existing
+          az aks get-credentials -n $AKSNAME -g $RG --overwrite-existing
 
       - name: Kubectl
         run: |

.github/workflows/StandardCI.yml

@@ -128,15 +128,26 @@ jobs:
           environment: azurecloud
           allow-no-subscriptions: false
 
+      # - name: AKS Connect
+      #   uses: Azure/aks-set-context@v1
+      #   with:
+      #     creds: '${{ secrets.AZURE_CREDENTIALS }}'
+      #     cluster-name: ${{ needs.Deploy.outputs.AKSNAME }}
+      #     resource-group: ${{ env.RG }}
+
       - name: AKS Connect
         run: |
           AKSNAME='${{ needs.Deploy.outputs.AKSNAME}}'
-          az aks get-credentials -n $AKSNAME -g $RG --admin --overwrite-existing
+          az aks get-credentials -n $AKSNAME -g $RG --overwrite-existing
 
-      - name: Kubectl
+      - name: Kubelogin
+        env:
+          kubeloginversion: 'v0.0.10'
         run: |
-          #sudo az aks install-cli
-          kubectl version
+          wget https://github.com/Azure/kubelogin/releases/download/${{ env.kubeloginversion }}/kubelogin-linux-amd64.zip
+          unzip kubelogin-linux-amd64.zip
+          sudo mv bin/linux_amd64/kubelogin /usr/bin
+          kubelogin convert-kubeconfig -l azurecli
 
       - name: Deploy Simple Workload
         env:

.github/workflows/ghpages.yml

@@ -17,9 +17,17 @@ on:
       - "helper/**"
 
   workflow_dispatch:
+    inputs:
+      doAzCmdDeployment:
+        description: 'Test AZ Cmd by deploying to an Azure subscription'
+        default: 'false'
+        type: boolean
+        required: false
 
 env:
-  templateRelease: 0.3.3
+  templateRelease: 0.3.4-preview
+  AZCLIVERSION: 2.30.0 #2.29.2 #2.26.0 #latest
+  RG: "Automation-Actions-AksPublishCI"
 
 jobs:
 
@@ -81,12 +89,73 @@ jobs:
 
       - name: Playwright - Run stable helper tests
         env:
-          filenamewordmatch: 'helper'
+          filenamewordmatch: 'helper-test'
           filenamewordexclude: 'fragile'
         run: |
           cd helper
           npx playwright test --browser chromium .playwrighttests/ -g '${{ env.filenamewordmatch }}' --grep-invert '${{ env.filenamewordexclude }}' --reporter list
 
+      - name: Playwright - Grab Az Commands
+        env:
+          filenamewordmatch: 'helper-export'
+        run: |
+          cd helper
+          npx playwright test --browser chromium .playwrighttests/ -g '${{ env.filenamewordmatch }}' --reporter list
+
+      - name: Persist exported Az Commands for visibility
+        if: ${{ github.event.pull_request.head.repo.fork }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: AzCmds
+          path: helper/azcmd-*.sh
+
+      - name: Azure Login
+        if: ${{ !github.event.pull_request.head.repo.fork }}
+        uses: Azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          enable-AzPSSession: true
+          environment: azurecloud
+          allow-no-subscriptions: false
+
+      #TODO: If/When we capture more AZ CMD's, then we'll want to iterate over files beginning with "azcmd"
+      - name: Verify AZ Commands
+        if: ${{ !github.event.pull_request.head.repo.fork }}
+        uses: Azure/[email protected]
+        env:
+          azcmdpath: "helper/azcmd-managed-private.sh"
+        with:
+          azcliversion: ${{ env.AZCLIVERSION }}
+          inlineScript: |
+            #Change the Create to a Validate statement
+            sed -i 's/az deployment group create/az deployment group validate/' $azcmdpath
+
+            #Debug
+            cat $azcmdpath
+
+            #Run the script
+            sh $azcmdpath
+
+      - name: Full deploy test AZ Commands
+        if: ${{ !github.event.pull_request.head.repo.fork &&  github.event.inputs.doAzCmdDeployment == 'true' }}
+        uses: Azure/[email protected]
+        env:
+          azcmdpath: "helper/azcmd-managed-private.sh"
+        with:
+          azcliversion: ${{ env.AZCLIVERSION }}
+          inlineScript: |
+            #Change the Create to a Validate statement
+            sed -i 's/az deployment group validate/az deployment group create --mode Complete --name ghpages/' $azcmdpath
+
+            #Debug
+            cat $azcmdpath
+
+            #Run the script
+            sh $azcmdpath
+
+            #Cleanup
+            #az deploymentg group delete -n ghpages  -g $RG
+
       - name: Persist test failure screengrabs as artifacts
         uses: actions/upload-artifact@v2
         if: failure()

.github/workflows/regressionparams.yml

@@ -69,6 +69,8 @@ jobs:
           echo "RG is: $RG"
           echo "Param dir path is: ${{ env.ParamDir }}"
           echo "Param file is ${{ matrix.files }}"
+          echo "Input path is ${{ env.ParamDir }}${{ matrix.files }}"
+          echo "Do PS Rule is ${{ steps.paramfile.outputs.DOPSRULE }}"
 
       - name: Arm Parameter file check
         shell: pwsh
@@ -130,10 +132,14 @@ jobs:
             RG='${{ env.RG }}'
             az deployment group validate -f bicep/main.bicep -g $RG -p ${{ env.ParamDir }}${{ matrix.files }}
 
-      - name: Debug
-        run: |
-          echo "Input path is ${{ env.ParamDir }}${{ matrix.files }}"
-          echo "Do PS Rule is ${{ steps.paramfile.outputs.DOPSRULE }}"
+      - name: WhatIf Infrastructure deployment
+        if: steps.paramfile.outputs.DOPSRULE == 'true'
+        uses: Azure/[email protected]
+        with:
+          azcliversion: ${{ env.AZCLIVERSION }}
+          inlineScript: |
+            RG='${{ env.RG }}'
+            az deployment group what-if -f bicep/main.bicep -g $RG -p ${{ env.ParamDir }}${{ matrix.files }}
 
       # PSRule does this cool thing where it traverse the parameter file through to the arm template
       # PSRule performs IaC recommendations of the template.
@@ -145,5 +151,14 @@ jobs:
         with:
           modules: 'PSRule.Rules.Azure'
           inputPath: "${{ env.ParamDir }}${{ matrix.files }}"
-          prerelease: false
-          baseline: 'Azure.Preview'
+          #prerelease: false
+          baseline: 'Azure.Default' #'Azure.Preview'
+
+      - name: PSRule - Analyze Azure parameter file including Preview feature rulesets
+        if: steps.paramfile.outputs.DOPSRULE == 'true'
+        uses: Microsoft/ps-rule@main
+        continue-on-error: true #Preview feature checking means we need to suppress errors
+        with:
+          modules: 'PSRule.Rules.Azure'
+          inputPath: "${{ env.ParamDir }}${{ matrix.files }}"
+          baseline: 'Azure.All' #All includes preview and internal rules

.github/workflows_dep/AksDeploy-Basic.parameters.json

@@ -23,6 +23,9 @@
         "enableAzureRBAC": {
             "value": true
         },
+        "aksDisableLocalAccounts": {
+            "value": true
+          },
         "omsagent": {
             "value": true
         },

.github/workflows_dep/AksDeploy-ByoVnetPrivate.parameters.json

@@ -23,6 +23,9 @@
           "enable_aad": {
             "value": true
           },
+          "aksDisableLocalAccounts": {
+            "value": true
+          },
           "enableAzureRBAC": {
             "value": true
           },

.github/workflows_dep/regressionparams/managed-private.json

@@ -20,6 +20,9 @@
     "enable_aad": {
       "value": true
     },
+    "aksDisableLocalAccounts": {
+      "value": true
+    },
     "enableAzureRBAC": {
       "value": true
     },

.github/workflows_dep/regressionparams/optimised-for-well-architected.json

@@ -84,6 +84,22 @@
           },
           "upgradeChannel": {
             "value": "stable"
+          },
+          "AksDiagCategories": {
+            "value": [
+              "cluster-autoscaler",
+              "kube-apiserver",
+              "kube-controller-manager",
+              "kube-audit-admin",
+              "kube-scheduler",
+              "guard"
+            ]
+          },
+          "acrUntaggedRetentionPolicyEnabled": {
+            "value": true
+          },
+          "aksDisableLocalAccounts": {
+            "value": true
           }
     }
 }

.gitignore

@@ -1,3 +1,4 @@
 */node_modules
 localdebug/*
-helper/*screengrabs/*
+helper/*screengrabs/*
+helper/azcmd*.sh

CONTRIBUTING.md

@@ -83,11 +83,24 @@ When changing the Bicep code, try to build into your `developer inner loop` the
 
 #### Breaking Changes
 
-Should be avoided wherever possible, and where necessary highlight the breaking change in the release notes.
+Should be avoided wherever possible, and where necessary highlight the breaking change in the release notes. Version 1.0 will signify a stricter policy around breaking  changes.
+
+#### PSRule validation for Well Architected Analysis
+
+[PSRule for Azure](https://azure.github.io/PSRule.Rules.Azure) provides analysis for IaC against the Well Architected Framework. It is leveraged in the GitHub actions that run on PR, but you can leverage it locally with the following script;
+
+```powershell
+Install-Module -Name 'PSRule.Rules.Azure' -Repository PSGallery -Scope CurrentUser
+
+$paramPath="./.github/workflows_dep/regressionparams/optimised-for-well-architected.json"
+test-path $paramPath
+Assert-PSRule -Module 'PSRule.Rules.Azure' -InputPath $paramPath -Format File -outcome Processed
+
+```
 
 ### The Wizard Web App
 
-The [configuration experience](https://azure.github.io/Aks-Construction/) is hosted in GitHub pages. It's a static web app, written in NodeJS using FluentUI.
+The [configuration experience](https://azure.github.io/Aks-Construction/) is hosted in GitHub pages. It's a static web app, written in NodeJS using [FluentUI](https://developer.microsoft.com/en-us/fluentui).
 
 #### Playwright tests