Creating your pipeline#
You can use PSRule for Azure to validate Azure resources throughout their lifecycle. By using validation within a continuous integration (CI) pipeline, any issues provide fast feedback.
Within the root directory of your infrastructure as code repository:
Create a new GitHub Actions workflow by creating .github/workflows/analyze-arm.yaml.
name: Analyze templates
on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
analyze_arm:
name: Analyze templates
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
# Analyze Azure resources using PSRule for Azure
- name: Analyze Azure template files
uses: microsoft/ps-rule@v2.1.0
with:
modules: 'PSRule.Rules.Azure'
Create a new Azure DevOps YAML pipeline by creating .azure-pipelines/analyze-arm.yaml.
steps:
# Analyze Azure resources using PSRule for Azure
- task: ps-rule-assert@2
displayName: Analyze Azure template files
inputs:
modules: 'PSRule.Rules.Azure'
This will automatically install compatible versions of all dependencies.
Configuration#
Configuration options for PSRule for Azure are set within the ps-rule.yaml file.
To set options, create a new file named ps-rule.yaml in the root directory of your repository.
Tip
This file should be committed to your repository so it is available when your pipeline runs.
Expand template parameter files#
PSRule for Azure can automatically expand Azure template parameter files. When enabled, PSRule for Azure automatically resolves parameter and template file context at runtime.
To enabled this feature, set the Configuration.AZURE_PARAMETER_FILE_EXPANSION option to true.
This option can be set within the ps-rule.yaml file.
configuration:
# Enable automatic expansion of Azure parameter files
AZURE_PARAMETER_FILE_EXPANSION: true
Expand Bicep source files#
PSRule for Azure can automatically expand Bicep source files.
When enabled, PSRule for Azure automatically expands and analyzes Azure resource from .bicep files.
To enabled this feature, set the Configuration.AZURE_BICEP_FILE_EXPANSION option to true.
This option can be set within the ps-rule.yaml file.
configuration:
# Enable automatic expansion of bicep source files
AZURE_BICEP_FILE_EXPANSION: true
Ignoring rules#
To prevent a rule executing you can either:
- Exclude — The rule is not executed for any resource.
- Suppress — The rule is not executed for a specific resource by name.
To exclude a rule, set Rule.Exclude option within the ps-rule.yaml file.
rule:
exclude:
# Ignore the following rules for all resources
- Azure.VM.UseHybridUseBenefit
- Azure.VM.Standalone
To suppress a rule, set Suppression option within the ps-rule.yaml file.
suppression:
Azure.AKS.AuthorizedIPs:
# Exclude the following externally managed AKS clusters
- aks-cluster-prod-eus-001
Azure.Storage.SoftDelete:
# Exclude the following non-production storage accounts
- storagedeveus6jo36t
- storagedeveus1df278
Tip
Use comments within ps-rule.yaml to describe the reason why rules are excluded or suppressed.
Meaningful comments help during peer review within a Pull Request (PR).
Also consider including a date if the exclusions or suppressions are temporary.
Advanced configuration#
PSRule for Azure comes with many configuration options. The setup section explains in detail how to configure each option.