Azure · AlexanderSehr · Mar 14, 2024 · Feb 4, 2024 · Feb 4, 2024 · Feb 4, 2024
@@ -5,6 +5,7 @@ parameters:
 
   # Logic-related parameters
   modulePath: '$(modulePath)'
+  psRuleFilterRegex: '(defaults|waf-aligned)'
 
 ##---------------------------------------------##
 ## TEMPLATE LOGIC                              ##
@@ -19,32 +20,58 @@ jobs:
         name: ${{ parameters.poolName }}
     steps:
       - task: PowerShell@2
-        displayName: 'Get parameter files'
+        displayName: 'Get module test file paths'
         name: getModuleTestFilesTask
         inputs:
           targetType: inline
           pwsh: true
           script: |
+            ## ======= ##
+            ##   All   ##
+            ## ======= ##
+
             # Get the list of parameter file paths
             $moduleFolderPath = Join-Path '$(System.DefaultWorkingDirectory)' '${{ parameters.modulePath }}'
-            $testFilePaths = (Get-ChildItem -Path $moduleFolderPath -Recurse -Filter 'main.test.bicep').FullName | Sort-Object
 
-            $deploymentTestPaths = $testFilePaths | ForEach-Object {
+            $testFilePaths = (Get-ChildItem -Path $moduleFolderPath -Recurse -Filter 'main.test.bicep').FullName | Sort-Object
+            $testFilePaths = $testFilePaths | ForEach-Object {
               $_.Replace($moduleFolderPath, '').Trim('\').Trim('/')
             }
 
-            Write-Verbose 'Found module test files' -Verbose
-            $deploymentTestPaths | ForEach-Object { Write-Verbose "- [$_]" -Verbose }
+            Write-Verbose 'Found all module test files' -Verbose
+            $testFilePaths | ForEach-Object { Write-Verbose "- [$_]" -Verbose }
 
             $testTable = @{}
-            foreach ($deploymentTestPath in $deploymentTestPaths) {
-                $deploymentTestFileName = Split-Path (Split-Path $deploymentTestPath -Parent) -Leaf
-                $testTable[$deploymentTestFileName] += @{
-                    moduleTestFilePath = $deploymentTestPath
-                }
-            }
+            $testFilePaths | ForEach-Object {
+              $testFileName = Split-Path (Split-Path $_) -Leaf
+              $testTable[$testFileName] = @{
+                moduleTestFilePath = $_
+                moduleTestFileName = $testFileName
+              }
+            } | ConvertTo-Json -Compress
+            $deployCompressedOutput = $testTable | ConvertTo-Json -Compress
+
+            Write-Verbose "Publishing output: $deployCompressedOutput" -Verbose
+            Write-Host ('##vso[task.setVariable variable=moduleTestFilePaths;isOutput=true]{0}' -f $deployCompressedOutput)
 
-            $deploymentTestPathsOutput = $testTable | ConvertTo-Json -Compress
+            ## =========== ##
+            ##   PS-Rule   ##
+            ## =========== ##
+
+            $psRuleTestFilePaths = $testFilePaths | Where-Object { $_ -match '${{ parameters.psRuleFilterRegex }}' }
+
+            Write-Verbose 'Found PSRule module test files' -Verbose
+            $psRuleTestFilePaths | ForEach-Object { Write-Verbose "- [$_]" -Verbose }
+
+            $psRuleTestTable = @{}
+            $psRuleTestFilePaths | ForEach-Object {
+              $testFileName = Split-Path (Split-Path $_) -Leaf
+              $psRuleTestTable[$testFileName] = @{
+                moduleTestFilePath = $_
+                moduleTestFileName = $testFileName
+              }
+            }
+            $psRuleCompressedOutput = $psRuleTestTable | ConvertTo-Json -Compress
 
-            Write-Host ('##vso[task.setVariable variable=moduleTests;isOutput=true]{0}' -f ($testTable | ConvertTo-Json -Compress))
-            Write-Verbose "Module test files: $deploymentTestPathsOutput" -Verbose
+            Write-Host ('##vso[task.setVariable variable=psRuleModuleTestFilePaths;isOutput=true]{0}' -f $psRuleCompressedOutput)
+            Write-Verbose "PS Rule publishing output: $psRuleCompressedOutput" -Verbose
@@ -29,7 +29,6 @@
 ##   | vmImage                         | '$(vmImage)'                         | You can provide either a [poolname] or [vmImage] to run the job on.                                       | 'ubuntu20.04'                                         |
 ##   | defaultJobTimeoutInMinutes      | 120                                  | The timeout for the job in this pipeline.                                                                 | 120                                                   |
 ##   | removeDeployment                | 'true'                               | Set to [true] to flag resources for removal. If not provided, defaults to true.                           | 'true'                                                |
-##   | templateFilePath                | ''                                   | Path to the template file to deploy.                                                                      | 'modules/analysis-services/servers/main.bicep'        |
 ##   | customTokens                    | ''                                   | Additional token pairs in json format.                                                                    | '{"tokenName":"tokenValue"}'                          |
 ##   | jobDisplayName                  | ''                                   | The display name of the job.                                                                              | 'Deploy module'                                       |
 ##   | modulePath                      | '$(modulePath)'                      | The path to the module to deploy.                                                                         | 'c:/KeyVault'                                         |
@@ -50,7 +49,6 @@ parameters:
   defaultJobTimeoutInMinutes: 120
   # Logic-related parameters
   removeDeployment: false
-  templateFilePath: ''
   customTokens: ''
   modulePath: '$(modulePath)'
   location: '$(location)'
@@ -76,7 +74,7 @@ jobs:
     dependsOn:
       - getModuleTestFiles
     strategy:
-      matrix: $[ dependencies.getModuleTestFiles.outputs['getModuleTestFilesTask.moduleTests'] ]
+      matrix: $[ dependencies.getModuleTestFiles.outputs['getModuleTestFilesTask.moduleTestFilePaths'] ]
     ##---------------------------------------------##
     ## TEMPLATE LOGIC                              ##
     ##---------------------------------------------##
@@ -117,20 +115,16 @@ jobs:
 
       # [Agent] Replace tokens
       #-----------------------
-      - task: AzurePowerShell@5
-        displayName: 'Replace tokens in template file via connection [${{ parameters.serviceConnection }}]'
+      - task: PowerShell@2
+        displayName: 'Replace tokens in template files'
         inputs:
-          azureSubscription: ${{ parameters.serviceConnection }}
-          azurePowerShellVersion: 'latestVersion'
-          preferredAzurePowerShellVersion: ''
-          ScriptType: InlineScript
+          targetType: inline
           pwsh: true
-          inline: |
+          script: |
             # Load used functions
             . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFileList.ps1')
             . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Get-LocallyReferencedFileList.ps1')
 
-
             # Get target files
             $moduleTestFilePath = Join-Path '$(System.DefaultWorkingDirectory)' '$(modulePath)' '$(moduleTestFilePath)'
 

@@ -0,0 +1,144 @@
+#########################################################
+## 'Validate module with Pester' Pipeline Template     ##
+#########################################################
+##
+## This pipeline template contains the logic to validate a module using a set of Pester tests
+##
+## Enabled levels of validation
+## - Resource-Group-Level
+## - Subscription-Level
+## - Management-Group-Level
+## - Tenant-Level
+##
+#########################################################
+##
+##---------------------------------------------##
+## TEMPLATE PARAMETERS                         ##
+##---------------------------------------------##
+##
+## By default it uses the variables specified in the below [parameters] section. However, you can overwrite these variables in the
+##    referencing pipeline by providing the parameter explicitly.
+##
+## NOTE: If you don't need to overwrite a shared value, you can IGNORE this section
+##
+##   |==============================================================================================================================================================================================================================================|
+##   | Parameter                  | Default Value                                 | Description                                                                                           | Example                                                 |
+##   |----------------------------|-----------------------------------------------|-------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
+##   | poolName                   | '$(poolName)'                                 | You can provide either a [poolname] or [vmImage] to run the job on                                    | 'Custom Deployment Pool'                                |
+##   | vmImage                    | '$(vmImage)'                                  | You can provide either a [poolname] or [vmImage] to run the job on                                    | 'ubuntu20.04'                                           |
+##   | defaultJobTimeoutInMinutes | 120                                           | The timeout for the job in this pipeline                                                              | 120                                                     |
+##   | modulePath                 | '$(modulePath)'                               | The path to the module to deploy.                                                                     | 'c:/KeyVault'                                           |
+##   | psrulePath                 | 'utilities/pipelines/staticValidation/psrule' | The path to the PS-Rule configuration                                                                 | 'utilities/pipelines/staticValidation/module.tests.ps1' |
+##   | location                   | '$(location)'                                 | The location to validate with                                                                         | 'France Central'                                        |
+##   | subscriptionId             | '$(ARM_SUBSCRIPTION_ID)'                      | The id of the subscription to validate with when using a Management group service connection          | 'aed7c000-6387-412e-bed0-24dfddf4bbc6'                  |
+##   | managementGroupId          | '$(ARM_MGMTGROUP_ID)'                         | The id of the management group to validate with. Required only for Management-Group-Level validations | '477c9620-cb01-454f-9ebc-fc6b1df48c14'                  |
+##   |==============================================================================================================================================================================================================================================|
+##
+##---------------------------------------------##
+
+parameters:
+  # Pipeline-related parameters
+  poolName: '$(poolName)'
+  vmImage: '$(vmImage)'
+  defaultJobTimeoutInMinutes: 120
+  # Logic-related parameters
+  modulePath: '$(modulePath)'
+  psrulePath: 'utilities/pipelines/staticValidation/psrule'
+  location: '$(location)'
+  subscriptionId: '$(ARM_SUBSCRIPTION_ID)'
+  managementGroupId: '$(ARM_MGMTGROUP_ID)'
+
+##---------------------------------------------##
+## TEMPLATE LOGIC                              ##
+##---------------------------------------------##
+jobs:
+  - template: /.azuredevops/pipelineTemplates/jobs.getModuleTestFiles.yml
+  - job:
+    displayName: Run PSRule tests
+    timeoutInMinutes: ${{ parameters.defaultJobTimeoutInMinutes }}
+    pool:
+      ${{ if ne(parameters.vmImage, '') }}:
+        vmImage: ${{ parameters.vmImage }}
+      ${{ if ne(parameters.poolName, '') }}:
+        name: ${{ parameters.poolName }}
+    dependsOn:
+      - getModuleTestFiles
+    strategy:
+      matrix: $[ dependencies.getModuleTestFiles.outputs['getModuleTestFilesTask.psRuleModuleTestFilePaths'] ]
+    steps:
+      # [Agent] Replace tokens
+      #-----------------------
+      - task: PowerShell@2
+        displayName: 'Replace tokens in template files'
+        inputs:
+          targetType: inline
+          pwsh: true
+          script: |
+            # Load used functions
+            . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFileList.ps1')
+            . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Get-LocallyReferencedFileList.ps1')
+
+            # Get target files
+            $moduleTestFilePath = Join-Path '$(System.DefaultWorkingDirectory)' '$(modulePath)' '$(moduleTestFilePath)'
+
+            # Get target files
+            $targetFileList = @(
+              $moduleTestFilePath
+            )
+
+            # Add all module template files as they may contain tokens
+            $targetFileList += (Get-LocallyReferencedFileList -FilePath $moduleTestFilePath)
+            $targetFileList = $targetFileList | Sort-Object -Unique
+
+            # Construct Token Function Input
+            $ConvertTokensInputs = @{
+                FilePathList = $targetFileList
+                Tokens       = @{}
+                TokenPrefix  = '$(tokenPrefix)'
+                TokenSuffix  = '$(tokenSuffix)'
+            }
+
+            # Add enforced tokens
+            $ConvertTokensInputs.Tokens += @{
+              subscriptionId    = '${{ parameters.subscriptionId }}'
+              managementGroupId = '${{ parameters.managementGroupId }}'
+              tenantId          = '$(ARM_TENANT_ID)'
+            }
+
+            # Add local (source control) tokens
+            $tokenMap = @{}
+            foreach ($token in (Get-ChildItem env: | Where-Object -Property Name -Like "localToken_*")) {
+              $tokenMap += @{ $token.Name.Replace('localToken_','','OrdinalIgnoreCase') = $token.value }
+            }
+            Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose
+            $ConvertTokensInputs.Tokens += $tokenMap
+
+            # Swap 'namePrefix' token if empty and provided as a Azure DevOps variable
+            if([String]::IsNullOrEmpty($ConvertTokensInputs.Tokens['namePrefix'])){
+              Write-Verbose 'Using [namePrefix] token from Azure DevOps Variable Groups' -Verbose
+              $ConvertTokensInputs.Tokens['namePrefix'] = "$(TOKEN_NAMEPREFIX)"
+            }
+
+            # Add custom tokens (passed in via the pipeline)
+            if(-not [String]::IsNullOrEmpty('${{ parameters.customTokens }}')) {
+              $customTokens = '${{ parameters.customTokens }}' | ConvertFrom-Json -AsHashTable
+              Write-Verbose ('Using custom parameter file tokens [{0}]' -f ($customTokens.Keys -join ', ')) -Verbose
+              $ConvertTokensInputs.Tokens += $customTokens
+            }
+
+            Write-Verbose "Convert Tokens Input:`n $($ConvertTokensInputs | ConvertTo-Json -Depth 10)" -Verbose
+
+            # Invoke Token Replacement Functionality [For Module]
+            $null = Convert-TokensInFileList @ConvertTokensInputs
+
+      - task: ps-rule-assert@2
+        displayName: Analyze Azure template files
+        inputs:
+          inputType: inputPath
+          modules: 'PSRule.Rules.Azure'
+          inputPath: '$(System.DefaultWorkingDirectory)/$(modulePath)/$(moduleTestFilePath)'
+          outputFormat: Csv
+          option: '${{ parameters.psrulePath}}/ps-rule.yaml' # Path to PSRule configuration options file
+          source: '${{ parameters.psrulePath}}/.ps-rule/' # Path to folder containing suppression rules to use for analysis.
+          outputPath: '$(System.DefaultWorkingDirectory)/$(modulePath)/$(moduleTestFilePath)-PSRule-output.csv'
+        continueOnError: true