Creating your pipeline

You can use PSRule for Azure to validate Azure resources throughout their lifecycle. By running validation within a continuous integration (CI) pipeline, any issues are reported as fast feedback on each change.

Within the root directory of your infrastructure as code repository:

Create a new GitHub Actions workflow by creating .github/workflows/analyze-arm.yaml.

name: Analyze templates
on:
- pull_request
jobs:
  analyze_arm:
    name: Analyze templates
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v2

    # Analyze Azure resources using PSRule for Azure
    - name: Analyze Azure template files
      uses: Microsoft/ps-rule@main
      with:
        modules: 'PSRule.Rules.Azure'

Create a new Azure DevOps YAML pipeline by creating .azure-pipelines/analyze-arm.yaml.

steps:

# Analyze Azure resources using PSRule for Azure
- task: ps-rule-assert@0
  displayName: Analyze Azure template files
  inputs:
    inputType: repository
    modules: 'PSRule.Rules.Azure'

This will automatically install compatible versions of all dependencies.
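Before opening a pull request it is useful to run the same analysis locally so that the pipeline result is not a surprise. The following PowerShell is an added example, not part of the PSRule for Azure documentation; it assumes PowerShell 7 or later, the PSRule.Rules.Azure module from the PowerShell Gallery, and that it is run from the root of the repository so that the ps-rule.yaml options described below are picked up.

```powershell
# Added example (not from the PSRule for Azure docs): run locally what the
# pipeline step runs, from the root of the infrastructure as code repository.
# Assumes PowerShell 7+; ps-rule.yaml in the working directory is read
# automatically when present.

# Install the rules module once for the current user. PSRule itself is
# installed as a dependency of PSRule.Rules.Azure.
Install-Module -Name 'PSRule.Rules.Azure' -Repository PSGallery -Scope CurrentUser -Force

# List rule names before adding them to rule.exclude or suppression in
# ps-rule.yaml. A misspelled rule name matches nothing and the rule keeps
# running, so checking the exact name here avoids a silent no-op.
Get-PSRule -Module 'PSRule.Rules.Azure' | Where-Object Name -like 'Azure.VM.*' | Select-Object Name, Synopsis

# Analyze the repository. -Format File treats each template, parameter and
# Bicep file as input, which matches inputType: repository in the pipeline
# task. Only failures and errors are shown; Assert-PSRule writes an error when
# any rule fails, so the same command can gate a build.
Assert-PSRule -InputPath '.' -Module 'PSRule.Rules.Azure' -Format File -Outcome Fail, Error
```

Parameter file and Bicep expansion only happen when the corresponding options are enabled in ps-rule.yaml, so the local run and the pipeline run should share that file rather than passing options on the command line.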

Configuration

Configuration options for PSRule for Azure are set within the ps-rule.yaml file.

Expand template parameter files

PSRule for Azure can automatically expand Azure template parameter files. When enabled, PSRule for Azure automatically resolves parameter and template file context at runtime.

To enable this feature, set Configuration.AZURE_PARAMETER_FILE_EXPANSION to true. This option can be set within the ps-rule.yaml file.

configuration:
  # Enable automatic expansion of Azure parameter files
  AZURE_PARAMETER_FILE_EXPANSION: true

Expand Bicep source files

PSRule for Azure can automatically expand Bicep source files. When enabled, PSRule for Azure automatically expands and analyzes Azure resources from .bicep files.

To enable this feature, set Configuration.AZURE_BICEP_FILE_EXPANSION to true. This option can be set within the ps-rule.yaml file.

configuration:
  # Enable automatic expansion of bicep source files
  AZURE_BICEP_FILE_EXPANSION: true

Ignoring rules

To prevent a rule from executing you can either:

  • Exclude — The rule is not executed for any resource.
  • Suppress — The rule is not executed for a specific resource by name.

To exclude a rule, set the Rule.Exclude option within the ps-rule.yaml file.

rule:
  exclude:
  # Ignore the following rules for all resources
  - Azure.VM.UseHybridUseBenefit
  - Azure.VM.Standalone

To suppress a rule, set the Suppression option within the ps-rule.yaml file.

suppression:
  Azure.AKS.AuthorizedIPs:
  # Exclude the following externally managed AKS clusters
  - aks-cluster-prod-eus-001
  Azure.Storage.SoftDelete:
  # Exclude the following non-production storage accounts
  - storagedeveus6jo36t
  - storagedeveus1df278

Tip

Use comments within ps-rule.yaml to describe the reason why rules are excluded or suppressed. Meaningful comments help during peer review within a Pull Request (PR). Also consider including a date if the exclusions or suppressions are temporary.

Advanced configuration

PSRule for Azure comes with many configuration options. The setup section explains in detail how to configure each option.

Last update: 2021-09-24