What is PSRule for Azure?

PSRule for Azure is a module for PSRule, a flexible rules engine designed to validate Infrastructure as Code (IaC). PSRule for Azure includes a suite of Azure Well-Architected Framework (WAF) aligned rules for validating Azure resources.

Leverage over 200 pre-built rules across five (5) WAF pillars:

  • Cost Optimization
  • Operational Excellence
  • Performance Efficiency
  • Reliability
  • Security

Rules automatically detect and analyze Azure resources from IaC artifacts, such as Azure Resource Manager (ARM) templates.

PSRule for Azure supports two methods for analyzing Azure resources:

  • Pre-flight — Before resources are deployed from an ARM template. Use pre-flight analysis to:
    • Implement checks within Pull Requests (PRs).
    • Improve alignment of resources to WAF recommendations.
    • Identify issues that prevent successful resource deployments on Azure.
    • Integrate continual improvement and standardization of Azure resource configurations.
    • Implement release gates between environments.
  • In-flight — After resources are deployed to an Azure subscription. Use in-flight analysis to:
    • Implement release gates between environments for non-native tools such as Terraform.
    • Perform offline analysis in split environments, where resource data is exported to JSON and analyzed without access to the subscription.
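The pre-flight path described above, as an added example that is not part of the PSRule for Azure documentation: a PR check that expands ARM parameter files to the resources they would deploy and fails when any built-in rule fails. The `./deployments` directory, the `storage` template and parameter file names are assumptions for this example; `AZURE_PARAMETER_FILE_EXPANSION`, `-Format File`, `-Outcome` and `Export-AzRuleTemplateData` are real PSRule / PSRule for Azure features.

```powershell
# Added example (not from the PSRule for Azure docs): pre-flight validation of ARM
# templates and parameter files, as it would run in a pull request check.
# Assumes PowerShell 7+, and that ./deployments/ holds template/parameter pairs
# (the paths below are invented for this example).

# Install the rules module once; CurrentUser scope needs no elevation.
Install-Module -Name PSRule.Rules.Azure -Scope CurrentUser -Force

# Option file: AZURE_PARAMETER_FILE_EXPANSION makes PSRule for Azure resolve each
# parameter file against its template, so the rules see the resources that would
# actually be deployed (after functions, conditions and copy loops are evaluated),
# not just the raw template JSON.
@'
configuration:
  AZURE_PARAMETER_FILE_EXPANSION: true
'@ | Set-Content -Path ./ps-rule.yaml

# Run the built-in rules over the repository. -Format File treats the input paths as
# repository files and applies the expansion above; -Outcome Fail prints only failing
# records; Assert-PSRule throws a terminating error when anything fails, which is what
# makes the pipeline step go red.
Assert-PSRule -InputPath ./deployments/ -Format File -Module PSRule.Rules.Azure `
    -Option ./ps-rule.yaml -Outcome Fail

# When one deployment needs investigating, expand a single template/parameter pair to
# a JSON file of resolved resources and run the rules over just that output.
Export-AzRuleTemplateData -TemplateFile ./deployments/storage/template.json `
    -ParameterFile ./deployments/storage/prod.parameters.json -OutputPath ./out/
Assert-PSRule -InputPath ./out/ -Module PSRule.Rules.Azure -Outcome Fail
```

Because the rules run against the expanded resources, a parameter change that flips a storage account to public network access fails the PR even though the template file itself did not change; that is the property that makes this a release gate rather than a lint of the template syntax.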

Ready to go

PSRule for Azure includes over 200 rules for validating resources against configuration recommendations. Each rule performs Azure Well-Architected Framework aligned tests against templates and Azure resources. In addition to the tests themselves, PSRule for Azure includes documentation for each rule to help remediate issues. Just like application code, PSRule for Azure allows you to quickly light up unit testing for Azure templates.

Use the built-in rules to start enforcing testing quickly. Then layer on your own rules as your organization's requirements mature. Custom rules can be implemented quickly and work side-by-side with built-in rules.

As new built-in rules are added and improved, download the latest version to start using them.

Tip

For detailed information on building custom rules see:

DevOps

Azure resources can be validated throughout their lifecycle to support a DevOps culture. From as early as authoring an ARM template, resources can be validated offline before deployment.

Pre-flight validation can be integrated into a continuous integration (CI) pipeline as unit tests to:

  • Shift-left — Identify configuration issues and provide fast feedback in PRs.
  • Quality gates — Implement quality gates between environments such as development, test, and production.
  • Monitor continuously — Perform ongoing checks for configuration optimization opportunities.

Cross-platform

PSRule for Azure uses modern PowerShell libraries at its core, allowing it to go anywhere PowerShell can go. PSRule for Azure runs on macOS, Linux, and Windows.

PowerShell makes it easy to integrate PSRule into popular CI systems. Run natively or in a container depending on your platform. PSRule has native extensions for:

Additionally, PSRule for Azure can be installed locally or within Azure Cloud Shell. For installation options see installation.

Frequently Asked Questions (FAQ)

Continue reading for FAQ relating to PSRule for Azure. For general FAQ see PSRule - Frequently Asked Questions (FAQ), including:

How do I create a custom rule to enforce resource group tagging?

PSRule for Azure covers common use cases that align to the Microsoft Azure Well-Architected Framework. Use of resource and resource group tags is recommended in the WAF, however implementation may vary. You may want to use PSRule to enforce tagging or something similar early in a DevOps pipeline.

We have a walk through scenario Enforcing custom tags to get you started.
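The kind of custom rule this FAQ (and the "Do I need PowerShell experience" answer below) points at, as an added example rather than code from the PSRule for Azure walkthrough. The rule names, tag names, allowed environment values and cost centre format are organisational choices invented for this example; `Rule`, `-Type`, `-If`, `$TargetObject`, `$PSRule.TargetType` and the `$Assert` helpers are PSRule's own syntax.

```powershell
# Added example (not from the PSRule for Azure docs): custom tagging rules saved as
# .ps-rule/Org.Azure.Tags.Rule.ps1. PSRule loads *.Rule.ps1 files from .ps-rule/ by
# default, so these run side-by-side with the built-in rules when -Module
# PSRule.Rules.Azure is also specified. Tag names, values and formats are assumptions.

# Synopsis: Resource groups must carry environment and costCentre tags with valid values.
Rule 'Org.Azure.RG.Tags' -Type 'Microsoft.Resources/resourceGroups' {
    # Each assertion is reported separately, so the output names the tag that is missing
    # rather than just "rule failed".
    $Assert.HasField($TargetObject, 'tags.environment')
    $Assert.HasField($TargetObject, 'tags.costCentre')

    # Only accept known environment names; automation keyed on this tag (policy
    # assignments, budgets, access reviews) breaks on typos such as "production".
    $Assert.In($TargetObject, 'tags.environment', @('dev', 'test', 'prod'))

    # Cost centre must look like CC-1234 so finance exports can parse it.
    $Assert.Match($TargetObject, 'tags.costCentre', '^CC-[0-9]{4}$')
}

# Synopsis: Resources that expose a tags property must also carry the environment tag.
# The -If precondition skips resource groups (covered above) and resource types that
# have no tags property at all, so the rule does not fail on things it cannot check.
Rule 'Org.Azure.Resource.Environment' -If {
    $PSRule.TargetType -ne 'Microsoft.Resources/resourceGroups' -and $null -ne $TargetObject.tags
} {
    $Assert.HasFieldValue($TargetObject, 'tags.environment')
    $Assert.In($TargetObject, 'tags.environment', @('dev', 'test', 'prod'))
}
```

Run it together with the built-in rules, for example `Assert-PSRule -InputPath ./deployments/ -Format File -Module PSRule.Rules.Azure -Option ./ps-rule.yaml`; because the custom rules live in `.ps-rule/`, no extra `-Path` argument is needed. Keep the allowed-value lists in one place (or move them to a `configuration:` entry in `ps-rule.yaml` read via `$Configuration`) once more than one rule depends on them.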

How do I create a custom rule to enforce code ownership?

GitHub, Azure DevOps, and other DevOps platforms may implement code ownership. This process involves assigning review and approval responsibility for a set of files to a team or an individual. In the GitHub and Azure DevOps implementations, ownership is linked to the file path.

When a repository contains resources that different teams are responsible for approving, how do you ensure that:

  • Resources are created in a path that triggers the correct approval, rather than in a path whose owners are not the right reviewers for that resource type.

We have a walk through scenario Enforcing code ownership to get you started.
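One way to express the path check described above as a PSRule rule, added here as an example and not taken from the PSRule for Azure walkthrough. It assumes a CODEOWNERS file that routes `/deployments/platform/` to a platform team and `/deployments/identity/` to an identity team (both paths and team names are invented), and a PSRule version where `$PSRule.Source` exposes the file each object was expanded from and `$Assert.WithinPath` is available.

```powershell
# Added example (not from the PSRule for Azure docs): custom rules saved as
# .ps-rule/Org.Azure.Ownership.Rule.ps1. They tie a sensitive resource type to the
# repository path whose CODEOWNERS entry routes review to the right team. Assumed
# CODEOWNERS lines (hypothetical):
#   /deployments/platform/   @contoso/platform-team
#   /deployments/identity/   @contoso/identity-team

# Synopsis: Resource groups must be defined under deployments/platform/ so the platform team reviews them.
Rule 'Org.Azure.RG.Path' -Type 'Microsoft.Resources/resourceGroups' {
    # $PSRule.Source['Template'] is the template file this resource group was expanded
    # from. WithinPath fails when that file is outside the listed directory, so a resource
    # group smuggled into an application team's folder fails the PR check even though the
    # template itself is syntactically valid and passes every other rule.
    $Assert.WithinPath($PSRule.Source['Template'], '.', @('deployments/platform/'))
}

# Synopsis: Role assignments must be defined under deployments/identity/ so the identity team reviews them.
# Role assignments are the resource type most worth pinning: an Owner assignment added
# in an unrelated folder would otherwise be approved by whoever owns that folder.
Rule 'Org.Azure.RBAC.Path' -Type 'Microsoft.Authorization/roleAssignments' {
    $Assert.WithinPath($PSRule.Source['Template'], '.', @('deployments/identity/'))
}
```

The rule only closes the loop if the CODEOWNERS entries and branch protection actually require owner review on those paths; PSRule can check where a resource is defined, but the platform's review settings are what make the approval mandatory.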

Do I need PowerShell experience to start using PSRule for Azure?

No. You can start using built-in rules and CI with Azure Pipelines or GitHub Actions. If we didn't tell you, you might not even know that PowerShell runs under the covers.

To perform local validation, some PowerShell setup is required but we step you through that. See installation and validating locally for details.

To start writing your own custom rules, some PowerShell experience is required. We have a walk through scenario Enforcing custom tags to get you started.

What permissions do I need to export data?

The built-in Reader role on the subscription is required for:

  • Exporting rule data with Export-AzRuleData.
  • Exporting rule data from templates with Export-AzRuleTemplateData when online features are used.
    • Optionally the -ResourceGroupName and -Subscription parameters can be used; these require Reader access to the specified scope.

What permissions do I need to analyze exported data?

When exporting data for in-flight analysis, no access to Azure is required after data has been exported to JSON.
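The two-step in-flight workflow the preceding FAQ entries describe, as an added example that is not part of the PSRule for Azure documentation: export with a Reader-only identity where Azure is reachable, then analyze the JSON on a machine with no Azure credentials. The subscription ID, resource group name and output paths are placeholders; `Export-AzRuleData`, `Assert-PSRule`, `Invoke-PSRule` and their parameters shown here are real cmdlets from PSRule and PSRule for Azure.

```powershell
# Added example (not from the PSRule for Azure docs): in-flight export and offline analysis.
# Assumes Az.Accounts, Az.Resources, PSRule and PSRule.Rules.Azure are installed on the
# exporting machine, and PSRule plus PSRule.Rules.Azure on the analysis machine.
# Subscription ID and resource group name below are placeholders.

# --- Step 1: run where Azure is reachable, as an identity holding only Reader. ---
Connect-AzAccount
Set-AzContext -Subscription '00000000-0000-0000-0000-000000000000'

# Export-AzRuleData reads resource configuration through the Resource Manager API and
# writes one JSON file per subscription to -OutputPath. Reader is sufficient because
# nothing is written to Azure. Scope it with -ResourceGroupName when the reviewer only
# needs part of the estate (and should not receive the rest).
Export-AzRuleData -OutputPath ./export/ -ResourceGroupName 'rg-prod-app'

# Treat the export as sensitive: it contains configuration (endpoints, network rules,
# identity settings) that is useful to an attacker, even though it holds no secrets.
Get-ChildItem ./export/ | Select-Object Name, Length

# --- Step 2: run anywhere after copying ./export/ across the boundary; no Azure access. ---
# The JSON already contains the resource configuration, so PSRule has nothing to fetch.
# Assert-PSRule throws on failures, suitable for a release gate; the NUnit report can
# be published by Azure Pipelines or GitHub Actions as test results.
Assert-PSRule -InputPath ./export/ -Module PSRule.Rules.Azure -Outcome Fail `
    -OutputFormat NUnit3 -OutputPath ./reports/ps-rule-results.xml

# For a non-terminating overview, summarise pass/fail counts per rule instead.
Invoke-PSRule -InputPath ./export/ -Module PSRule.Rules.Azure -As Summary | Format-Table
```

Because step 2 uses only the exported files, it can run in a network segment with no route to Azure, which is what makes the split-environment review described above possible; the only trust the analyst needs is that the export was taken from the right subscription at the right time.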

Should I continue to use Azure Advisor, Security Center, or Azure Policy?

Absolutely. PSRule for Azure does not replace Azure Advisor, Security Center, or Azure Policy.

PSRule complements Azure Advisor, Security Center, and Azure Policy by:

  • Recommending turning on and using features of Azure Advisor, Azure Security Center, or Azure Policy.
  • Providing offline analysis in split environments where the analyst has no access to Azure subscriptions. Rule data for analysis can be exported to a JSON file.
  • Providing the ability to analyze resources in Azure Resource Manager templates before deployment. Additionally, analysis can be performed in a CI process.
  • Providing the ability to layer on organization-specific rules, as required.
  • Requiring only limited (Reader) permissions and no additional Azure configuration for data collection.

Traditional unit testing vs PSRule for Azure?

You may already be using a unit test framework such as Pester to test infrastructure code. If you are, then you may have encountered the following challenges.

For a general PSRule/ Pester comparison see How is PSRule different to Pester?

Unit testing more than basic JSON structure

Conventional unit tests cannot effectively test the resources contained within Azure templates. Templates should be reusable, but reuse makes testing hard when functions, conditions, and copy loops are used: the parameters supplied at deployment time can completely change the type, number, or configuration of the resources produced, so asserting on the raw template JSON tells you little about what will actually be deployed.

PSRule resolves templates to allow analysis of the resources that would be deployed based on provided parameters.

Standard library of tests

When building unit tests for Azure resources, starting with an empty repository can be a daunting experience. While there are several open source repositories and samples around to get you started, you need to integrate these yourself.

PSRule for Azure is distributed as a PowerShell module using the PowerShell Gallery. Using a PowerShell module makes it easy to install and update. The built-in rules allow you to start testing resources quickly, with minimal integration.

For detailed examples see:

Collection of telemetry

PSRule and PSRule for Azure currently do not collect any telemetry during installation or execution.

PowerShell (used by PSRule for Azure) does collect basic telemetry by default. Collection of telemetry in PowerShell and how to opt-out is explained in about_Telemetry.


Last update: 2021-09-15