Enforcing code ownership
With PSRule, you can layer on custom rules to implement organization-specific requirements. These custom rules work side-by-side with PSRule for Azure.
Pull requests are a key concept within common Git workflows used with DevOps to enforce peer review. To support peer review across a team, tools such as GitHub and Azure DevOps provide code ownership. Code ownership allows mixed-discipline teams to direct peer reviews based on the path of a changed file.
For sensitive changes such as firewall or policy exemptions, peer reviews may form a security control. In these cases, it may be important that specific paths are used for Infrastructure as Code artifacts.
The following scenario shows how to create a custom rule to validate the file path of code artifacts. The scenario walks you through the process so that you can apply the same concepts for similar requirements.
Creating a new rule
In the .ps-rule sub-directory, create a new file called
Use the following snippet to populate the rule file:
Some key points to call out with the rule snippet include:
- The name of the rule is Org.Azure.Policy.Path. Each rule name must be unique.
- The rule applies to resources with the type Microsoft.Authorization/policyExemptions, i.e. Policy exemptions.
- The synopsis comment above the rule is read and used as the default recommendation if the rule fails. The rule recommendation appears in output and is intended as an instruction to remediate the failure.
- The assertion $Assert.WithinPath ensures the specified path is within the
- The automatic variable $PSRule.Source exposes the source path for the resource. PSRule for Azure exposes a Parameter source for resources originating from a template.
For recommendations on naming and storing rules see storing custom rules.
Rules packaged within PSRule for Azure will automatically detect Policy Exemptions by their type properties.
Standalone rules will get their type binding configuration from
To configure type binding:
- Create or update the ps-rule.yaml file within the root of the repository.
- Add the following configuration snippet.
Some key points to call out include:
- Configuring the binding for targetType allows rules to use the -Type parameter. Our custom rule uses
- The binding configuration uses the resourceType property if it exists; otherwise it uses type. If neither property exists, PSRule uses the object type.
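As an added example (not the page's own sample and not code from the PSRule for Azure project), the following rule file implements the path check described under "Creating a new rule" together with the type binding described above, and applies the same pattern to a second sensitive resource type. The file name, the allowed directories (deployments/policy/ and deployments/network/) and the firewall rule are assumptions; adjust them to the paths your CODEOWNERS file assigns to the security reviewers.

```powershell
# Added example, not the page's own sample.
# Assumed location: .ps-rule/Org.Azure.Rule.ps1 (file name is an assumption).
# Assumed directory layout: policy exemptions under deployments/policy/,
# Azure Firewall resources under deployments/network/.
#
# Standalone rules need type binding in ps-rule.yaml at the repository root;
# without it the -Type filter never matches and these rules never run:
#
#   binding:
#     targetType:
#     - 'resourceType'
#     - 'type'

# Synopsis: Policy exemptions must be located in 'deployments/policy/'.
Rule 'Org.Azure.Policy.Path' -Type 'Microsoft.Authorization/policyExemptions' {
    # $PSRule.Source['Parameter'] is the parameter file the exemption was expanded from.
    # WithinPath passes only when that file sits inside one of the listed directories,
    # so an exemption committed elsewhere fails with the synopsis as its recommendation.
    $Assert.WithinPath($PSRule.Source['Parameter'], 'File', @(
        'deployments/policy/'
    ))
}

# Synopsis: Azure Firewall resources must be located in 'deployments/network/'.
# Assumed generalization: the same check applied to another sensitive resource type
# so that firewall changes are routed to the owners of deployments/network/.
Rule 'Org.Azure.Firewall.Path' -Type 'Microsoft.Network/azureFirewalls' {
    $Assert.WithinPath($PSRule.Source['Parameter'], 'File', @(
        'deployments/network/'
    ))
}
```

Assuming the PSRule.Rules.Azure module is installed, running Invoke-PSRule -InputPath '.' -Module 'PSRule.Rules.Azure' -Format File from the repository root expands the templates and evaluates both rules; a failed result for Org.Azure.Policy.Path or Org.Azure.Firewall.Path reports the synopsis text as its recommendation, which is the signal to move the artifact into the protected directory rather than to relax the rule.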
To test the custom rule within Visual Studio Code, see How to install PSRule for Azure. Alternatively, you can test the rule manually by running the following from a PowerShell terminal.
Grab the full sample code for each of these files from: