microsoft / PSRule

Validate infrastructure as code (IaC) and objects using PowerShell rules.

Home Page: https://microsoft.github.io/PSRule/v2/

Include local not automatically being enabled for default module baseline

BernieWhite opened this issue

Description of the issue

When using a module, if the module specifies a default baseline, local rules should automatically be included based on the principle of least surprise (customers would expect local rules to be automatically processed).

However, currently when using a module such as PSRule for Azure which specifies a default baseline, local rules are not automatically included.

Local rules are included when the Rule.IncludeLocal option is explicitly set to true.

Additional context

Related to discussion here #1504.

commented

When we do not add Rules.IncludeLocal to the options, we have found that adding the GA tag to our custom rules does allow them to show up in the assertion run. Since we're not explicitly setting the baseline in the assertion run, this seems to be counter to the documentation for PSRule.Rules.Azure, which mentions "When you specify a baseline...."

Based on that statement, we would expect our custom rules to be included because we're not specifying a baseline in the command. We're letting the Module select the Azure.Default baseline for us.

So, to get our custom rules included when using a module, we either need to tag all of our custom rules so that they match the default baseline in the module, or we need to include Rules.IncludeLocal in the options for the assertion run. Of course, it would be great to get an update to have custom rules included automatically when not explicitly selecting a baseline.

@tstooke Looking at this issue. Testing locally, trying to reproduce.

Are you able to advise if you have any configuration set within ps-rule.yaml under the rule: option, except for the previously mentioned Rule.IncludeLocal option, such as Rule.Include?

commented

@BernieWhite We do have a handful of Azure rules listed under Rule.Exclude. Here's our ps-rule.yaml file (shortened list of exclusions).

```yaml
# Require minimum versions of modules.
requires:
  PSRule: '>=2.8.1'
  PSRule.Rules.Azure: '>=1.26.1'

output:
  culture:
    - 'en-US'

binding:
  targetType:
    - 'resourceType'
    - 'type'

rule:
  exclude:
  - Azure.Resource.UseTags
  - Azure.Redis.MinSku
  # others, as well
```

When we execute Assert-PSRule, we have the following in a PS script:

```powershell
$config = @{
    AZURE_BICEP_FILE_EXPANSION = $True
    AZURE_BICEP_CHECK_TOOL = $True
    AZURE_BICEP_MINIMUM_VERSION = "0.16.2"
    AZURE_BICEP_FILE_EXPANSION_TIMEOUT = 120
}

$options = New-PSRuleOption `
    -NotProcessedWarning $False `
    -InputPathIgnore @("*", "!**/*.tests.bicep") `
    -RuleIncludeLocal $True `
    -Configuration $config

Assert-PSRule -Module "PSRule.Rules.Azure" -Path "./.ps-rule/" -Format File -InputPath '.' -Option $options
```
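
For reference, the Rule.IncludeLocal option discussed in this thread can also be set in ps-rule.yaml instead of through New-PSRuleOption, so that any run reading the options file processes the rules under ./.ps-rule/ alongside the module's default baseline. The fragment below is an added example, not part of the thread; it reuses the version requirements and exclusions from the file posted above and adds only the includeLocal key.

```yaml
# ps-rule.yaml (added example, based on the file posted in the comment above)
requires:
  PSRule: '>=2.8.1'
  PSRule.Rules.Azure: '>=1.26.1'

rule:
  # Include rules found in the local search path (here ./.ps-rule/) even when
  # they do not match the include or tag filters applied by a baseline,
  # such as the default baseline selected by the module.
  includeLocal: true

  # Explicit exclusions still apply to module rules.
  exclude:
  - Azure.Resource.UseTags
  - Azure.Redis.MinSku
```

With the key in the options file, the `-RuleIncludeLocal $True` argument in the script above becomes redundant rather than required.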