-
Notifications
You must be signed in to change notification settings - Fork 409
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
## Description - Add a platform workflow to run PSRule analisys on the whole library, manually and on weekly schedule > Example for Reliability check >  - Allow selecting specific WAF pillar in input (defaults to Azure.Default = all pillars) >  >  - Fix bug with filtering unique values when listing rules in the job summary ## Pipeline Reference <!-- Insert your Pipeline Status Badge below --> | Pipeline | | -------- | | [](https://github.com/eriqua/bicep-registry-modules/actions/workflows/avm.platform.check.psrule.yml) (test new workflow)| | [](https://github.com/eriqua/bicep-registry-modules/actions/workflows/avm.res.app-configuration.configuration-store.yml) (test usual module validation workflow) | ## Type of Change <!-- Use the check-boxes [x] on the options that are relevant. --> - [x] Update to CI Environment or utlities (Non-module effecting changes) - [ ] Azure Verified Module updates: - [ ] Bugfix containing backwards compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [ ] I have run `Set-AVMModule` locally to generate the supporting module files. - [ ] My corresponding pipelines / checks run clean and green without any errors or warnings <!-- Please keep up to day with the contribution guide at https://aka.ms/avm/contribute/bicep -->
- Loading branch information
](https://github.com/eriqua/bicep-registry-modules/actions/workflows/avm.platform.check.psrule.yml){kind=link}
](https://github.com/eriqua/bicep-registry-modules/actions/workflows/avm.res.app-configuration.configuration-store.yml){kind=link}
Showing
4 changed files
with
213 additions
and
25 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,199 @@ | ||
| name: "avm.platform.check.psrule" | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| psruleBaseline: | ||
| type: choice | ||
| description: "PSRule baseline" | ||
| required: true | ||
| default: "Azure.Default" | ||
| options: | ||
| - Azure.Default | ||
| - Azure.Pillar.CostOptimization | ||
| - Azure.Pillar.OperationalExcellence | ||
| - Azure.Pillar.PerformanceEfficiency | ||
| - Azure.Pillar.Reliability | ||
| - Azure.Pillar.Security | ||
| skipPassedRulesReport: | ||
| type: boolean | ||
| description: "Show only failed rules in job summary" | ||
| required: true | ||
| default: true | ||
| schedule: | ||
| - cron: "0 12 * * 0" # Weekly Sunday Analysis | ||
|
|
||
| env: | ||
| workflowPath: ".github/workflows/avm.platform.check.psrule.yml" | ||
| targetPath: "avm/res/" | ||
| PSRuleOutputFilePath: "avm/res/PSRule-output.csv" | ||
| PSRuleInputFilePath: "avm/res/PSRule-output.md" | ||
| psRuleFilterRegex: "(defaults|waf-aligned)" # The regex used to filter PSRule compliant files | ||
| psrulePath: "avm/utilities/pipelines/staticValidation/psrule" | ||
| ARM_SUBSCRIPTION_ID: "${{ secrets.ARM_SUBSCRIPTION_ID }}" | ||
| ARM_MGMTGROUP_ID: "${{ secrets.ARM_MGMTGROUP_ID }}" | ||
| TOKEN_NAMEPREFIX: "${{ secrets.TOKEN_NAMEPREFIX }}" | ||
|
|
||
| jobs: | ||
| ########################### | ||
| # Initialize pipeline # | ||
| ########################### | ||
| job_init_psrule_pipeline: | ||
| runs-on: ubuntu-latest | ||
| name: "Initialize pipeline" | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Set input parameters to output variables | ||
| id: get-workflow-param | ||
| uses: ./.github/actions/templates/avm-getWorkflowInput | ||
| with: | ||
| workflowPath: "${{ env.workflowPath}}" | ||
| outputs: | ||
| workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }} | ||
|
|
||
| ############## | ||
| # PSRule # | ||
| ############## | ||
| job_psrule: | ||
| runs-on: ubuntu-latest | ||
| name: "PSRule validation" | ||
| needs: | ||
| - job_init_psrule_pipeline | ||
| steps: | ||
| # [Init] task(s) | ||
| # --------------------------- | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set environment | ||
| uses: ./.github/actions/templates/avm-setEnvironment | ||
|
|
||
| # [Token replacement] task(s) | ||
| # --------------------------- | ||
| - name: Replace tokens in relevant files | ||
| uses: azure/powershell@v1 | ||
| with: | ||
| azPSVersion: "latest" | ||
| inlineScript: | | ||
| # Grouping task logs | ||
| Write-Output '::group::Replace tokens in relevant files' | ||
| # Load used functions | ||
| . (Join-Path $env:GITHUB_WORKSPACE 'avm' 'utilities' 'pipelines' 'sharedScripts' 'tokenReplacement' 'Convert-TokensInFileList.ps1') | ||
| . (Join-Path $env:GITHUB_WORKSPACE 'avm' 'utilities' 'pipelines' 'sharedScripts' 'Get-LocallyReferencedFileList.ps1') | ||
| $targetPath = Join-Path $env:GITHUB_WORKSPACE '${{ env.targetPath }}' | ||
| $psRuleFilterRegex = '${{ env.psRuleFilterRegex }}' | ||
| Write-Verbose ('targetPath [{0}]' -f $targetPath) -Verbose | ||
| # Get target files in target path | ||
| $targetFileList = @() | ||
| # Retrieve all relevant test files in targetPath | ||
| $allTestFiles = (Get-ChildItem -Path $targetPath -Recurse -Filter 'main.test.bicep').FullName | Sort-Object | ||
| $relevantTestFiles = $allTestFiles | Where-Object { $_ -match $psRuleFilterRegex } | ||
| # Add all relevant test files and related module template files as they may contain tokens | ||
| foreach ($relevantTestFile in $relevantTestFiles) { | ||
| $targetFileList += $relevantTestFile | ||
| $targetFileList += (Get-LocallyReferencedFileList -FilePath $relevantTestFile) | ||
| } | ||
| $targetFileList = $targetFileList | Sort-Object -Unique | ||
| # Construct Token Function Input | ||
| $ConvertTokensInputs = @{ | ||
| FilePathList = $targetFileList | ||
| Tokens = @{} | ||
| } | ||
| # Add enforced tokens | ||
| $ConvertTokensInputs.Tokens += @{ | ||
| subscriptionId = '${{ env.ARM_SUBSCRIPTION_ID }}' | ||
| managementGroupId = '${{ env.ARM_MGMTGROUP_ID }}' | ||
| } | ||
| # Add local (source control) tokens | ||
| $tokenMap = @{} | ||
| foreach ($token in (Get-ChildItem env: | Where-Object -Property Name -Like "localToken_*")) { | ||
| $tokenMap += @{ $token.Name.Replace('localToken_','','OrdinalIgnoreCase') = $token.value } | ||
| } | ||
| Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose | ||
| $ConvertTokensInputs.Tokens += $tokenMap | ||
| # Swap 'namePrefix' token if empty and provided as a GitHub secret | ||
| if([String]::IsNullOrEmpty($ConvertTokensInputs.Tokens['namePrefix'])){ | ||
| Write-Verbose 'Using [namePrefix] token from GitHub' -Verbose | ||
| $ConvertTokensInputs.Tokens['namePrefix'] = '${{ env.TOKEN_NAMEPREFIX }}' | ||
| } | ||
| Write-Verbose "Convert Tokens Input:`n $($ConvertTokensInputs | ConvertTo-Json -Depth 10)" -Verbose | ||
| # Invoke Token Replacement Functionality [For Module] | ||
| $null = Convert-TokensInFileList @ConvertTokensInputs | ||
| Write-Output '::endgroup::' | ||
| # [PSRule validation] task(s) | ||
| #----------------------------- | ||
| - name: Run PSRule analysis | ||
| uses: microsoft/[email protected] | ||
| with: | ||
| modules: "PSRule.Rules.Azure" | ||
| prerelease: true | ||
| baseline: "${{(fromJson(needs.job_init_psrule_pipeline.outputs.workflowInput)).psruleBaseline }}" | ||
| inputPath: "${{(fromJson(needs.job_init_psrule_pipeline.outputs.workflowInput)).targetPath }}" | ||
| outputFormat: Csv | ||
| outputPath: "${{ env.PSRuleOutputFilePath }}" | ||
| option: "${{ github.workspace }}/${{ env.psrulePath}}/ps-rule.yaml" # Path to PSRule configuration options file | ||
| source: "${{ env.psrulePath}}/.ps-rule/" # Path to folder containing suppression rules to use for analysis. | ||
| summary: false # Disabling as taken care in customized task | ||
|
|
||
| # [Print to Summary] task(s) | ||
| #----------------------------- | ||
| - name: Parse CSV content | ||
| if: always() | ||
| uses: azure/powershell@v1 | ||
| with: | ||
| azPSVersion: "latest" | ||
| inlineScript: | | ||
| # Grouping task logs | ||
| Write-Output '::group::Parse CSV content' | ||
| # Load used functions | ||
| . (Join-Path $env:GITHUB_WORKSPACE 'avm' 'utilities' 'pipelines' 'staticValidation' 'psrule' 'Set-PSRuleGitHubOutput.ps1') | ||
| # Populate parameter input | ||
| $ParameterInput = @{ | ||
| inputFilePath = '${{ env.PSRuleOutputFilePath }}' | ||
| outputFilePath = '${{ env.PSRuleInputFilePath }}' | ||
| skipPassedRulesReport = [System.Convert]::ToBoolean('${{(fromJson(needs.job_init_psrule_pipeline.outputs.workflowInput)).skipPassedRulesReport }}') | ||
| } | ||
| Write-Verbose ('Set PS Rule Output with following parameters:`n{0}' -f (ConvertTo-Json $ParameterInput -Depth 10)) -Verbose | ||
| # Invoke Set PSRule Output Functionality | ||
| $null = Set-PSRuleGitHubOutput @ParameterInput | ||
| Write-Output '::endgroup::' | ||
| - name: Output to GitHub job summaries | ||
| if: always() | ||
| shell: pwsh | ||
| run: | | ||
| # Grouping task logs | ||
| Write-Output '::group::Output to GitHub job summaries' | ||
| $mdPSRuleOutputFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.PSRuleInputFilePath }}' | ||
| if (-not (Test-Path $mdPSRuleOutputFilePath)) { | ||
| Write-Warning ('Input file [{0}] not found. Please check if the previous task threw an error and try again.' -f $mdPSRuleOutputFilePath) | ||
| return '' | ||
| } else { | ||
| Get-Content $mdPSRuleOutputFilePath >> $env:GITHUB_STEP_SUMMARY | ||
| Write-Verbose ('Successfully printed out file [{0}] to Job Summaries' -f $mdPSRuleOutputFilePath) -Verbose | ||
| } | ||
| Write-Output '::endgroup::' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters