PSrule not using local rules in Azure pipeline

[bobanda87]

I am having an issue with Azure pipeline. It is ignoring rules that I defined in .ps-rule/ folder.

My pipeline looks like this:

trigger:
- none

pool:
  vmImage: ubuntu-latest

stages:

- stage: PSrule
  jobs:
  - job: PSrule
    displayName: PSrule best practice validation
    steps:

      # Install PSRule.Rules.Azure from the PowerShell Gallery
      - task: ps-rule-install@2
        inputs:
          module: PSRule.Rules.Azure   # Install PSRule.Rules.Azure from the PowerShell Gallery.

      # Run analysis from JSON files using the `PSRule.Rules.Azure` module and custom rules from `.ps-rule/`.
      - task: ps-rule-assert@2
        continueOnError: true
        inputs:
          inputType: repository
          modules: 'PSRule.Rules.Azure'            # Analyze objects using the rules within the PSRule.Rules.Azure PowerShell module.
          baseline: 'Azure.GA_2023_09'
          option: 'ps-rule.yaml'                   # Use the rules defined in 'ps-rule.yaml'.
          source: '.ps-rule/'                      # Additionally, analyze object using custom rules from '.ps-rule/'.
          outputFormat: NUnit3                     # Save results to an NUnit report.
          outputPath: reports/ps-results.xml  # Write NUnit report to 'reports/ps-rule-results.xml'.

And my ps-rule.yaml

#
# PSRule for Azure configuration
#

# Use rules from the following modules/
include:
  module:
  - 'PSRule.Rules.Azure'

# Require a minimum version of modules that include referenced baseline.
requires:
  PSRule: '@pre >=2.3.2'
  PSRule.Rules.Azure: '@pre >=1.18.1'

# Reference the repository in output.
repository:
  url: xxxxxxxxx

execution:
  # Ignore warnings for resources and objects that don't have any rules.
  notProcessedWarning: false

configuration:
  # Enable expansion for Bicep source files.
  AZURE_BICEP_FILE_EXPANSION: false

  # Expand Bicep module from Azure parameter files.
  AZURE_PARAMETER_FILE_EXPANSION: true

  # Set timeout for expanding Bicep source files.
  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 15

input:
  pathIgnore:
  # Ignore common files that don't need analysis.
  - '**/bicepconfig.json'
  - '.github/'

  # Exclude samples/ test files from modules
  - 'infra-as-code/bicep/**/samples/*.bicep'

binding:
  preferTargetInfo: true
  targetType:
  - resourceType
  - type

rule:
  includeLocal: true
  exclude:
  # Ignore these recommendations for this repo.
  - Azure.Resource.UseTags
  - Azure.ACR.MinSku
  - Azure.ACR.ContentTrust
  - Azure.Policy.AssignmentAssignedBy

  # Currently a bug as of v1.15.2. Review in the next release.
  - Azure.PublicIP.Name

Sample rule that I have in .ps-rule/LogForAutomation.Rule.yaml

# Synopsis: Ignore automation account audit diagnostic logs are enabled as these are covered by DINE policies in ALZ
apiVersion: github.com/microsoft/PSRule/v1
kind: SuppressionGroup
metadata:
  name: ALZ.DiagLogForAutomation
spec:
  rule:
  - Azure.Automation.AuditLogs
  - Azure.Automation.PlatformLogs
  if:
    allOf:
    - name: '.'
      contains: alz-automation-account
    - type: '.'
      in:
      - Microsoft.Automation/automationAccounts

This project was based on https://github.com/Azure/ALZ-Bicep

[BernieWhite]

@bobanda87

• Are you seeing built-in rules from PSRule for Azure reporting in the pipeline as passed/ failed? or are no rules at all being processed?
• Are you using *.parameters.json or .*bicepparam files?

---

If the issue is suppression is not occurring. For the suppression group, try fully qualify the rule names:

# Synopsis: Ignore automation account audit diagnostic logs are enabled as these are covered by DINE policies in ALZ
apiVersion: github.com/microsoft/PSRule/v1
kind: SuppressionGroup
metadata:
  name: ALZ.DiagLogForAutomation
spec:
  rule:
  - PSRule.Rules.Azure\Azure.Automation.AuditLogs
  - PSRule.Rules.Azure\Azure.Automation.PlatformLogs
  if:
    allOf:
    - name: '.'
      contains: alz-automation-account
    - type: '.'
      in:
      - Microsoft.Automation/automationAccounts

[bobanda87]

Hi @BernieWhite thanks for the reply.

I am seeing rules in the pipeline as passed/failed.

I am using *.parameters.json

I am seeing a failure for the rules that should be suppressed

##[error]AZR-000088: SB-automation-account failed Azure.Automation.AuditLogs. Ensure automation account audit diagnostic logs are enabled.

These files are actually part of the original Azure ALZ repo, https://github.com/Azure/ALZ-Bicep/blob/main/.ps-rule/DiagLogForAutomation.Rule.yaml

But I will try to add the full path as you suggested.

[bobanda87]

Same error with the full path.

The error is referencing this code

resource resAutomationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = {
  name: automationAccountName
  location: automationAccountLocation
  tags: union (tags,automationAccountTags)
  identity: automationAccountUseManagedIdentity ? {
    type: 'SystemAssigned'
  } : null
  properties: {
    sku: {
      name: 'Basic'
    }
    encryption: {
      keySource: 'Microsoft.Automation'
    }
  }
}

[BernieWhite]

@bobanda87 The suppression group only applies if you are using an automation account name that contains alz-automation-account. Looks like you are using the name SB-automation-account instead, which won't match with this condition.

You could update the suppression group to ignore all automation accounts:

# Synopsis: Ignore automation account audit diagnostic logs are enabled as these are covered by DINE policies in ALZ
apiVersion: github.com/microsoft/PSRule/v1
kind: SuppressionGroup
metadata:
  name: ALZ.DiagLogForAutomation
spec:
  rule:
  - PSRule.Rules.Azure\Azure.Automation.AuditLogs
  - PSRule.Rules.Azure\Azure.Automation.PlatformLogs
  if:
    allOf:
    - type: '.'
      in:
      - Microsoft.Automation/automationAccounts

Or just this automation account:

# Synopsis: Ignore automation account audit diagnostic logs are enabled as these are covered by DINE policies in ALZ
apiVersion: github.com/microsoft/PSRule/v1
kind: SuppressionGroup
metadata:
  name: ALZ.DiagLogForAutomation
spec:
  rule:
  - PSRule.Rules.Azure\Azure.Automation.AuditLogs
  - PSRule.Rules.Azure\Azure.Automation.PlatformLogs
  if:
    allOf:
    - name: '.'
      equals: SB-automation-account
    - type: '.'
      in:
      - Microsoft.Automation/automationAccounts

Alternatively there is other ways to suppress for a specific automation account or exclude the rule entirely (effectively disable).

See: https://azure.github.io/PSRule.Rules.Azure/concepts/suppression/

---

The ALZ-Bicep team used the suppression group approach because they wanted to call out specifically why the rule is suppressed for transparency (and have that output as a warning) instead of disabling a rule for all customer environments.

I hope that answers the question.

[bobanda87]

Thanks it works!