Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License

Self-hosted windows agent powershell error code 5 #1901

Closed maxricketts closed 1 year ago

maxricketts commented 1 year ago

Description of the issue

Random pipelines fail with the below error

##[error]Exit code 5 returned from process: file name 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', arguments '-NoLogo -Sta -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". ([scriptblock]::Create('if ([Console]::InputEncoding -is [Text.UTF8Encoding] -and [Console]::InputEncoding.GetPreamble().Length -ne 0) { [Console]::InputEncoding = New-Object Text.UTF8Encoding $false } if (!$PSHOME) { $null = Get-Item -LiteralPath ''variable:PSHOME'' } else { Import-Module -Name ([System.IO.Path]::Combine($PSHOME, ''Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1'')) ; Import-Module -Name ([System.IO.Path]::Combine($PSHOME, ''Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1'')) }')) 2>&1 | ForEach-Object { Write-Verbose $_.Exception.Message -Verbose } ; Import-Module -Name 'C:\a\_tasks\ps-rule-assert_8804fc31-b62f-4d49-b2a1-c80dc0879dae\2.6.2211067\ps_modules\VstsTaskSdk\VstsTaskSdk.psd1' -ArgumentList @{ NonInteractive = $true } -ErrorAction Stop ; $VerbosePreference = 'SilentlyContinue' ; $DebugPreference = 'SilentlyContinue' ; Invoke-VstsTaskScript -ScriptBlock ([scriptblock]::Create('. ''C:\a\_tasks\ps-rule-assert_8804fc31-b62f-4d49-b2a1-c80dc0879dae\2.6.2211067\powershell.ps1'''))"'

Module in use and version:

Checking PSRule
[info] Using repository: PSGallery
[info] Installing PSRule: 2.6.0
Checking modules
> Checking module: PSRule.Rules.Azure
  - Installing module
  - Using version: 1.21.2
Checking environment
[info] Using PSRule: 2.6.0
[info] Using Extension: 2.6.0
[info] Using Task: 2.6.2211067
[info] Using Workspace: C:\a\1\s
[info] Using PWD: C:\a\_tasks\ps-rule-assert_8804fc31-b62f-4d49-b2a1-c80dc0879dae\2.6.2211067
[info] Using Path: C:\a\1\s
[info] Using Source: C:\a\1\s\.ps-rule\
[info] Using Baseline: 
[info] Using Conventions: 
[info] Using InputType: repository
[info] Using InputPath: C:\a\1\s\newImage\bicep\
[info] Using Option: 
[info] Using Outcome: 
[info] Using OutputFormat: Nunit3
[info] Using OutputPath: C:\a\1\s\rule-report.xml

BernieWhite commented 1 year ago

@maxricketts Ok so error code 5 reported by PowerShell indicates an access denied error. This could happen both for inputs and outputs.

With OutputPath set to rule-report.xml I don't think it is related to the outputs.

This looks like a problem. Using Source: C:\a\1\s.ps-rule which would not be valid.

Are you able to provide the pipeline YAML code for the ps-rule-assert@2 task and any settings configured within ps-rule.yaml under the input: and output: keys?

Also this discussion may help: https://github.com/microsoft/PSRule-pipelines/discussions/387

maxricketts commented 1 year ago

@BernieWhite. Here is the yaml for the psrule stage. This happens randomly, even when no changes have been applied to the code or yaml. Run the pipeline again and it will work. This does look like the same issue as 387 but I have the inputType set to repository and still get the random occurrence of error code 5.

Please let me know if you require any more information.

# yaml-language-server: $schema=./deploy.yml

stages: 
  - stage: PSRuleScanning
    displayName: PSRule validation and governance
    jobs:
      - job: PSRule
        displayName: Checkout and scan code
        steps:
          - checkout: Exg.DevOps.ImageBuilder
            # Analyze Azure resources using PSRule for Azure
          - task: ps-rule-assert@2
            displayName: Analyze Azure bicep files
            inputs:
              modules: PSRule.Rules.Azure
              inputType: repository
              inputPath: newImage/bicep/
              outputFormat: Nunit3
              outputPath: rule-report.xml
            env:
              # Define environment variables within Azure Pipelines
              AZURE_CLIENT_ID: $(psrule-clientid)
              AZURE_CLIENT_SECRET: $(psrule-secret)
              AZURE_TENANT_ID: $(psrule-tenant)
          # PSRule results
          - task: PublishTestResults@2
            displayName: 'Publish PSRule results'
            inputs:
              testRunTitle: 'PSRule'
              testRunner: NUnit
              testResultsFiles: 'rule-report.xml'
              mergeTestResults: true
              publishRunAttachments: true
            condition: succeededOrFailed()

BernieWhite commented 1 year ago

@maxricketts Looks like the missing \ was just how the output sample was pasted. The paths look correct now as a text block.

The task parameters look fine.

We're going to need to collect more information. You can enable verbose output by setting the SYSTEM_DEBUG pipeline variable to true.

maxricketts commented 1 year ago

I have attached the logs for you. It seems like it always fails the first time on a fresh VM instance on the scale set. Run it again and it's fine. I have also attached a log of when it runs all ok at the bottom.

psrulepipelinedebug.txt

pipelinelogcompleted.txt

BernieWhite commented 1 year ago

@maxricketts Thanks for the logs. From the logs, PSRule is running and it is starting to process files. It starts to expand a Bicep file here:

2022-11-25T16:13:58.1294941Z ##[debug][Azure.ExpandBicep] -- Expanding bicep source: C:\a\1\s\newImage\bicep\imagebuilder.bicep

That's the last action in the logs.

With your VMSS setup, do you have additional custom scripts that might be running in the background while this job is running?

BernieWhite commented 1 year ago

@maxricketts Also additionally, I've added some additional verbose logging for testing in pre-release v1.22.0-B0203. This might help confirm if the Bicep compile is definitely the cause of the failure.

To use the pre-release you will need to enable the pre-release by setting the prerelease: true input parameter for the ps-rule-assert@2 task.

maxricketts commented 1 year ago

@BernieWhite - I have added prerelease: true - and I am getting the below error.

          - task: ps-rule-assert@2
            displayName: Analyze Azure bicep files            
            inputs:
              prerelease: true
              modules: PSRule.Rules.Azure
              inputType: repository
              inputPath: newImage/bicep/
              outputFormat: Nunit3
              outputPath: rule-report.xml

[error]An error occurred installing a dependency module. A parameter cannot be found that matches parameter name 'AllowPrerelease'.

BernieWhite commented 1 year ago

> @BernieWhite - I have added prerelease: true - and I am getting the below error.
>
>           - task: ps-rule-assert@2
>             displayName: Analyze Azure bicep files
>             inputs:
>               prerelease: true
>               modules: PSRule.Rules.Azure
>               inputType: repository
>               inputPath: newImage/bicep/
>               outputFormat: Nunit3
>               outputPath: rule-report.xml
>
> [error]An error occurred installing a dependency module. A parameter cannot be found that matches parameter name 'AllowPrerelease'.

Ah thanks for the feedback. This could occur if you have an old version of PowerShellGet installed. You could do either of the following to address that error:


However the latest v1.22.0 is out so you can avoid installing the pre-release anyway :)

maxricketts commented 1 year ago

@BernieWhite What version of powershellget is needed as the latest version of powershell was installed only a couple of weeks ago and that came with close to the latest powershellget version.

I'll test the fix and let you know

many thanks

BernieWhite commented 1 year ago

> @BernieWhite What version of powershellget is needed as the latest version of powershell was installed only a couple of weeks ago and that came with close to the latest powershellget version.
>
> I'll test the fix and let you know
>
> many thanks

Any latest version installed in the last year should be fine. It's not a new feature, but does not ship in the PowerShell modules installed in Windows by default. If that's not your experience then maybe there is an old version installed in Windows PowerShell.

BernieWhite commented 1 year ago

@maxricketts Did you get a chance to check this with PSRule for Azure v1.22.0?

mpr555 commented 1 year ago

@BernieWhite - This has re-appeared a few times. I think it's when the scale set creates a new image. I have checked and it is on the latest version.

mpr555 commented 1 year ago

> @maxricketts Did you get a chance to check this with PSRule for Azure v1.22.0?

@BernieWhite - This has re-appeared a few times. I think it's when the scale set creates a new image. I have checked and it is on the latest version.

BernieWhite commented 1 year ago

@mpr555 @maxricketts If you are able to post the debug logs again since v1.22.0 because we added additional logging to help track specifically where the failure occurred. Thanks.

mpr555 commented 1 year ago

@BernieWhite I have attached the log files with the exit 5 issue. psruleext5issue.txt

BernieWhite commented 1 year ago

@maxricketts @mpr555 So based on the additional logging the crash is occurring when calling Bicep CLI.

Are you using Bicep CLI via the Azure CLI?

If not, to test if there is any different behaviour can you insert a new step before PSRule to install the Bicep CLI via Azure CLI.

For example:

- script: |
    az bicep install
    az bicep upgrade

Then add the PSRULE_AZURE_BICEP_USE_AZURE_CLI environment variable called out in Using Azure CLI.

BernieWhite commented 1 year ago

@maxricketts @mpr555 An update on this one. We were able to reproduce a case where path probing of the Bicep binaries was causing an issue and generating exit code 5. We've improved the behaviour to be less noisy. I'm not sure if this resolves your specific case however if you are able to test pre-release v1.25.0-B0035 and let us know.

If that does not resolve the issue, can I suggest that you:

  1. Separately install the Bicep CLI.
  2. Set the PSRULE_AZURE_BICEP_PATH environment variable to the specific location of the Bicep binary.

Details are further included here: https://azure.github.io/PSRule.Rules.Azure/setup/setup-bicep/#installing-bicep-cli


Please let us know how you go so that we can close the issue or update guidance docs as required.
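
A pre-flight check for the two failures seen in this thread (the `AllowPrerelease` parameter error and the Bicep CLI call that ends in exit code 5), as an added example that is not part of the original thread or the PSRule project's code. It assumes it runs as a `powershell:` step before `ps-rule-assert@2` on the self-hosted agent, and that the Bicep CLI is either on `PATH` or already pointed to by `PSRULE_AZURE_BICEP_PATH`.

```powershell
# Added example: pre-flight step for a self-hosted Windows agent, run before ps-rule-assert@2.
$ErrorActionPreference = 'Stop'

# 1. The 'AllowPrerelease' error comes from an Install-Module that lacks that parameter.
#    Report it and the PowerShellGet versions this host can see (warning only).
$installModule = Get-Command -Name Install-Module
if (-not $installModule.Parameters.ContainsKey('AllowPrerelease')) {
    $found = (Get-Module -ListAvailable -Name PowerShellGet).Version -join ', '
    Write-Warning "Install-Module has no -AllowPrerelease here. PowerShellGet found: $found"
}

# 2. Resolve one explicit Bicep binary: honour PSRULE_AZURE_BICEP_PATH if the image
#    already sets it, otherwise take the first bicep application on PATH (assumption:
#    the image build installed the Bicep CLI and added it to PATH).
$bicepPath = $Env:PSRULE_AZURE_BICEP_PATH
if (-not $bicepPath) {
    $cmd = Get-Command -Name bicep -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($cmd) { $bicepPath = $cmd.Path }
}
if (-not $bicepPath -or -not (Test-Path -LiteralPath $bicepPath -PathType Leaf)) {
    throw "Bicep CLI not found. Install it separately and set PSRULE_AZURE_BICEP_PATH."
}

# 3. Run the binary as the agent account. A file the account cannot execute fails here,
#    with a readable message, instead of inside the PSRule task as exit code 5.
try {
    $version = & $bicepPath --version
    if ($LASTEXITCODE -ne 0) { throw "bicep --version exited with code $LASTEXITCODE" }
}
catch {
    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    throw "Cannot run '$bicepPath' as '$who': $($_.Exception.Message)"
}
Write-Host "Bicep OK: $version ($bicepPath)"

# 4. Export the resolved path so later steps, including ps-rule-assert@2, see it as
#    the PSRULE_AZURE_BICEP_PATH environment variable.
Write-Host "##vso[task.setvariable variable=PSRULE_AZURE_BICEP_PATH]$bicepPath"
```

Because the failure in this thread shows up on fresh scale set instances, the step is most useful when it runs on every job rather than once at image build time.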

BernieWhite commented 1 year ago

@maxricketts @mpr555 v1.25.0 is now released. Hopefully this has resolved the issue. Thanks for your patience to test and collect information. Please let us know if there is still an issue.

maxricketts commented 1 year ago

@BernieWhite - I am still getting an error on some builds.

##[error]One or more assertions failed.
---
##[error]Exit code 1 returned from process: file name 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', arguments '-NoLogo -Sta -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". ([scriptblock]::Create('if ([Console]::InputEncoding -is [Text.UTF8Encoding] -and [Console]::InputEncoding.GetPreamble().Length -ne 0) { [Console]::InputEncoding = New-Object Text.UTF8Encoding $false } if (!$PSHOME) { $null = Get-Item -LiteralPath ''variable:PSHOME'' } else { Import-Module -Name ([System.IO.Path]::Combine($PSHOME, ''Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1'')) ; Import-Module -Name ([System.IO.Path]::Combine($PSHOME, ''Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1'')) }')) 2>&1 | ForEach-Object { Write-Verbose $_.Exception.Message -Verbose } ; Import-Module -Name 'C:\a\_tasks\ps-rule-assert_8804fc31-b62f-4d49-b2a1-c80dc0879dae\2.6.2301031\ps_modules\VstsTaskSdk\VstsTaskSdk.psd1' -ArgumentList @{ NonInteractive = $true } -ErrorAction Stop ; $VerbosePreference = 'SilentlyContinue' ; $DebugPreference = 'SilentlyContinue' ; Invoke-VstsTaskScript -ScriptBlock ([scriptblock]::Create('. ''C:\a\_tasks\ps-rule-assert_8804fc31-b62f-4d49-b2a1-c80dc0879dae\2.6.2301031\powershell.ps1'''))"'.

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within 7 days. Thank you for your contributions.

github-actions[bot] commented 1 year ago

This issue was closed because it has not had any recent activity.