Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License

[BUG] AZURE_RESOURCE_ALLOWED_LOCATIONS not working as expected #2687

Closed rousseeric closed 7 months ago

rousseeric commented 7 months ago

Existing rule

Azure.Resource.AllowedRegions

Description of the issue

First, I'm starting off with PSRule; I think I have everything set up correctly. But if I run `Assert-PSRule -InputPath . -Format File`

I'm getting two fails. I'm actually testing with two simple resources, ASG and Storage Account. All locations are set to canadacentral, as configured in my ps-rule.yaml file. But it always reports as an error. If I change the region, I will see the updated location in the output, and still a fail.

I've gone through all your docs and config files, and can't see anything wrong. Is it in the code?

Error messages

```
   / __ \/ ___// __ \__  __/ /__
  / /_/ /\__ \/ /_/ / / / / / _ \
 / ____/___/ / _, _/ /_/ / /  __/
/_/    /____/_/ |_|\__,_/_/\___/

Using PSRule v2.9.0
Using PSRule.Rules.Azure v1.33.1

----------------------------
Explore documentation: https://aka.ms/ps-rule
Contribute and find source: https://github.com/microsoft/PSRule
Report issues: https://github.com/microsoft/PSRule/issues
PSRule.Rules.Azure: https://aka.ms/ps-rule-azure
----------------------------

   WARN  Target object 'refs/heads/feature/eric' has not been processed because no matching rules were found.
   WARN  Target object 'bicep/modules/asg/v1/.tests/main.tests.bicepparam' has not been processed because no matching rules were found.
   WARN  Target object 'bicep/modules/asg/v1/.tests/main.tests.bicep' has not been processed because no matching rules were found.

> /home/cz2409/Documents/gitstuff/bicep_publies/bicep/modules/asg/v1/.tests/main.tests.bicepparam : Microsoft.Resources/deployments [6/6]

   PASS  Azure.Template.ParameterStrongType (AZR-000227)
   PASS  Azure.Template.ExpressionLength (AZR-000228)
   PASS  Azure.Deployment.OutputSecretValue (AZR-000279)
   PASS  Azure.Deployment.AdminUsername (AZR-000284)
   PASS  Azure.Deployment.SecureParameter (AZR-000408)
   PASS  Azure.Deployment.SecureValue (AZR-000316)

> test : Microsoft.Network/applicationSecurityGroups [2/3]

   PASS  Azure.Resource.UseTags (AZR-000166)
   FAIL  Azure.Resource.AllowedRegions (AZR-000167)

  Resources should be deployed to allowed regions.

  Parameter: bicep/modules/asg/v1/.tests/main.tests.bicepparam:1:0

  Reason:
  - Path True: canadacentral

   PASS  Azure.ASG.Name (AZR-000085)

> /home/cz2409/Documents/gitstuff/bicep_publies/bicep/modules/asg/v1/.tests/main.tests.bicep : Microsoft.Resources/deployments [7/7]

   PASS  Azure.Template.ParameterStrongType (AZR-000227)
   PASS  Azure.Template.ExpressionLength (AZR-000228)
   PASS  Azure.Deployment.OutputSecretValue (AZR-000279)
   PASS  Azure.Deployment.AdminUsername (AZR-000284)
   PASS  Azure.Deployment.SecureParameter (AZR-000408)
   PASS  Azure.Deployment.SecureValue (AZR-000316)
   PASS  Azure.Deployment.OuterSecret (AZR-000331)

> testName-testDep : Microsoft.Resources/deployments [7/7]

   PASS  Azure.Template.ParameterStrongType (AZR-000227)
   PASS  Azure.Template.ExpressionLength (AZR-000228)
   PASS  Azure.Deployment.OutputSecretValue (AZR-000279)
   PASS  Azure.Deployment.AdminUsername (AZR-000284)
   PASS  Azure.Deployment.SecureParameter (AZR-000408)
   PASS  Azure.Deployment.SecureValue (AZR-000316)
   PASS  Azure.Deployment.Name (AZR-000359)

> testName : Microsoft.Network/applicationSecurityGroups [2/3]

   PASS  Azure.Resource.UseTags (AZR-000166)
   FAIL  Azure.Resource.AllowedRegions (AZR-000167)

  Resources should be deployed to allowed regions.

  Template: bicep/modules/asg/v1/.tests/main.tests.bicep:121:13

  Reason:
  - Path True: canadacentral

   PASS  Azure.ASG.Name (AZR-000085)

Rules processed: 26, failed: 2, errored: 0
Run 26c656f5527930578159e729109afb85f3b03f93 completed in 00:00:03.0908834
Assert-PSRule: One or more rules reported failure.
```

Reproduction

my ps-rule.yaml file:

```yaml
# PSRule configuration
#
binding:
    preferTargetInfo: true
    targetType:
        - type
        - resourceType

requires:
    #https://github.com/Azure/PSRule.Rules.Azure/
    PSRule.Rules.Azure: "1.33.1"
    #https://github.com/microsoft/PSRule
    PSRule: ">=2.9.0"
    #https://github.com/microsoft/PSRule.Rules.CAF
    PSRule.Rules.CAF: ">=0.3.0"
    #PSRule.Rules.MSFT.OSS: ">=1.1.0"

# Automatically use rules for Azure.
include:
    module:
        - PSRule.Rules.Azure

input:
    pathIgnore:
        # Ignore other files in the repository.
        - "**"

        # Include module tests.
        - "!*.tests.bicep"

configuration:
    AZURE_RESOURCE_ALLOWED_LOCATIONS:
        - canadacentral
        - canadaeast
    AZURE_RESOURCE_GROUP:
        location: canadacentral
    # Enable automatic expansion of Azure parameter files.
    AZURE_PARAMETER_FILE_EXPANSION: true

    # Enable automatic expansion of Azure Bicep source files.
    AZURE_BICEP_FILE_EXPANSION: true
    AZURE_BICEP_PARAMS_FILE_EXPANSION: true

    # Configures the number of seconds to wait for build Bicep files.
    AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 10

    # Enable Bicep CLI checks.
    AZURE_BICEP_CHECK_TOOL: true

    # Configure the minimum version of the Bicep CLI.
    AZURE_BICEP_MINIMUM_VERSION: "0.19.5"

output:
    culture:
        - "fr-FR"
```

my main asg test file:

```bicep
//*****************************************************************************
// Template: Creating an ASG - ----------- EXAMPLE -------
// Date: Nov. 2022
// Default configuration: creates the default ASGs for the project
//*****************************************************************************

param deploymentNamesuffix string = 'testDep'
param asgName string = 'testName'
param resourceDescription string = 'testDescription'
param location string = 'canadacentral'

module asg_module '../asg.bicep' = {
    name: '${asgName}-${deploymentNamesuffix}'
    params: {
        os: 'linux'
        location: location
        name: asgName
        resourceDescription: resourceDescription
        appName: 'AZU'
    }
}
```

Version of PSRule

2.9.0

Version of PSRule for Azure

1.33.1

Additional context

No response
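
An independent cross-check for a disputed `Azure.Resource.AllowedRegions` result, as an added example that is not part of the original issue and not PSRule's own code: it walks an already-expanded ARM template and reports locations outside the allow list from the `ps-rule.yaml` above. The function names, the sample template, and the handling of `global` and unresolved expressions are assumptions.

```python
# Added example: independent allowed-region cross-check (not PSRule's own code).
ALLOWED = ["canadacentral", "canadaeast"]  # allow list from the issue's ps-rule.yaml

def normalize(location):
    """Make 'Canada Central' and 'canadacentral' compare equal."""
    return location.replace(" ", "").lower()

def iter_resources(template):
    """Yield every resource, descending into nested deployments."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # symbolic-name templates use a map
        resources = list(resources.values())
    for res in resources:
        yield res
        if res.get("type", "").lower() == "microsoft.resources/deployments":
            nested = res.get("properties", {}).get("template")
            if isinstance(nested, dict):
                yield from iter_resources(nested)

def check_regions(template, allowed=ALLOWED):
    """Return (name, type, location) for each resource outside the allow list."""
    allowed_set = {normalize(a) for a in allowed}
    findings = []
    for res in iter_resources(template):
        loc = res.get("location")
        if not isinstance(loc, str) or loc.startswith("["):
            continue  # no location, or an unresolved ARM expression
        if normalize(loc) == "global":
            continue  # assumption: global resources are not region-bound
        if normalize(loc) not in allowed_set:
            findings.append((res.get("name"), res.get("type"), loc))
    return findings

# Constructed sample: the issue's nested ASG deployment plus one out-of-policy resource.
ASG = "Microsoft.Network/applicationSecurityGroups"
SAMPLE = {"resources": [
    {"type": "Microsoft.Resources/deployments", "name": "testName-testDep",
     "properties": {"template": {"resources": [
         {"type": ASG, "name": "testName", "location": "canadacentral"},
         {"type": ASG, "name": "unresolved", "location": "[parameters('location')]"},
     ]}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "sttest001",
     "location": "East US"},
]}

if __name__ == "__main__":
    for name, rtype, loc in check_regions(SAMPLE):
        print(f"FAIL {rtype} '{name}': location '{loc}' is not allowed")
```

If this check passes a resource that the rule fails with an identical allow list, the difference lies in the rule evaluation or environment rather than in the template.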

rousseeric commented 7 months ago

wait... not sure what changed, but everything looks okay now... same version... I might have restarted that shell it was running in. But I believe I tried that before as well. Bah anyway... thanks! :D

rousseeric commented 7 months ago

Go figure, this morning, booted the laptop and then... error is back


```
    ____  _____ ____        __
   / __ \/ ___// __ \__  __/ /__
  / /_/ /\__ \/ /_/ / / / / / _ \
 / ____/___/ / _, _/ /_/ / /  __/
/_/    /____/_/ |_|\__,_/_/\___/

Using PSRule v2.9.0
Using PSRule.Rules.Azure v1.33.1

----------------------------
Explore documentation: https://aka.ms/ps-rule
Contribute and find source: https://github.com/microsoft/PSRule
Report issues: https://github.com/microsoft/PSRule/issues
PSRule.Rules.Azure: https://aka.ms/ps-rule-azure
----------------------------

   WARN  Target object 'refs/heads/feature/eric' has not been processed because no matching rules were found.
   WARN  Target object 'bicep/modules/asg/v1/.tests/main.tests.bicepparam' has not been processed because no matching rules were found.
   WARN  Target object 'bicep/modules/asg/v1/.tests/main.tests.bicep' has not been processed because no matching rules were found.

> /home/cz2409/Documents/gitstuff/bicep_publies/bicep/modules/asg/v1/.tests/main.tests.bicepparam : Microsoft.Resources/deployments [6/6]

   PASS  Azure.Template.ParameterStrongType (AZR-000227)
   PASS  Azure.Template.ExpressionLength (AZR-000228)
   PASS  Azure.Deployment.OutputSecretValue (AZR-000279)
   PASS  Azure.Deployment.AdminUsername (AZR-000284)
   PASS  Azure.Deployment.SecureParameter (AZR-000408)
   PASS  Azure.Deployment.SecureValue (AZR-000316)

> test : Microsoft.Network/applicationSecurityGroups [2/3]

   PASS  Azure.Resource.UseTags (AZR-000166)
   FAIL  Azure.Resource.AllowedRegions (AZR-000167)

  Resources should be deployed to allowed regions.

  Parameter: bicep/modules/asg/v1/.tests/main.tests.bicepparam:1:0

  Reason:
  - Path True: canadacentral

   PASS  Azure.ASG.Name (AZR-000085)

> /home/cz2409/Documents/gitstuff/bicep_publies/bicep/modules/asg/v1/.tests/main.tests.bicep : Microsoft.Resources/deployments [7/7]

   PASS  Azure.Template.ParameterStrongType (AZR-000227)
   PASS  Azure.Template.ExpressionLength (AZR-000228)
   PASS  Azure.Deployment.OutputSecretValue (AZR-000279)
   PASS  Azure.Deployment.AdminUsername (AZR-000284)
   PASS  Azure.Deployment.SecureParameter (AZR-000408)
   PASS  Azure.Deployment.SecureValue (AZR-000316)
   PASS  Azure.Deployment.OuterSecret (AZR-000331)

> testName-testDep : Microsoft.Resources/deployments [7/7]

   PASS  Azure.Template.ParameterStrongType (AZR-000227)
   PASS  Azure.Template.ExpressionLength (AZR-000228)
   PASS  Azure.Deployment.OutputSecretValue (AZR-000279)
   PASS  Azure.Deployment.AdminUsername (AZR-000284)
   PASS  Azure.Deployment.SecureParameter (AZR-000408)
   PASS  Azure.Deployment.SecureValue (AZR-000316)
   PASS  Azure.Deployment.Name (AZR-000359)

> testName : Microsoft.Network/applicationSecurityGroups [2/3]

   PASS  Azure.Resource.UseTags (AZR-000166)
   FAIL  Azure.Resource.AllowedRegions (AZR-000167)

  Resources should be deployed to allowed regions.

  Template: bicep/modules/asg/v1/.tests/main.tests.bicep:121:13

  Reason:
  - Path True: canadacentral

   PASS  Azure.ASG.Name (AZR-000085)

Rules processed: 26, failed: 2, errored: 0
Run 935f5a4f44d45591bb42d9d7aee14a70080952f0 completed in 00:00:04.2780996
Assert-PSRule: One or more rules reported failure.
```

BernieWhite commented 7 months ago

@rousseeric Thanks for reporting the issue. At first look, your configuration looks fine.

rousseeric commented 7 months ago

ah also, I haven't been able to test with a DevContainer, since I'm trying to set this up as well, but it's not easy being behind a proxy that needs authentication and does https inspection.

So if it might help pinpoint the issue, I'm running PowerShell Core 7.4.1 in Linux.

And I just tested with the vscode extension, to do the analysis from there instead of a terminal manually.



```
Using PSRule v2.9.0
Using PSRule.Rules.Azure v1.33.1

   WARN  The option 'Execution.NotProcessedWarning' is deprecated and will be removed with PSRule v3. See http://aka.ms/ps-rule/deprecations for more detail.

Rules processed: 26, failed: 0, errored: 0
Run 94a66841baf664846bf037aaad6e9f8b862fbc09 completed in 00:00:03.9645918
 *  Terminal will be reused by tasks, press any key to close it.
```

If I re-run the same line manually in the terminal, it fails.

```
bicep_publies  Assert-PSRule -Format File -Path './.ps-rule/' -InputPath . -Outcome Fail, Error;
    ____  _____ ____        __
   / __ \/ ___// __ \__  __/ /__
  / /_/ /\__ \/ /_/ / / / / / _ \
 / ____/___/ / _, _/ /_/ / /  __/
/_/    /____/_/ |_|\__,_/_/\___/

Using PSRule v2.9.0
Using PSRule.Rules.Azure v1.33.1

----------------------------
Explore documentation: https://aka.ms/ps-rule
Contribute and find source: https://github.com/microsoft/PSRule
Report issues: https://github.com/microsoft/PSRule/issues
PSRule.Rules.Azure: https://aka.ms/ps-rule-azure
----------------------------

   WARN  Target object 'refs/heads/feature/eric' has not been processed because no matching rules were found.
   WARN  Target object 'bicep/modules/asg/v1/.tests/main.tests.bicepparam' has not been processed because no matching rules were found.
   WARN  Target object 'bicep/modules/asg/v1/.tests/main.tests.bicep' has not been processed because no matching rules were found.

> test : Microsoft.Network/applicationSecurityGroups [2/3]

   FAIL  Azure.Resource.AllowedRegions (AZR-000167)

  Resources should be deployed to allowed regions.

  Parameter: bicep/modules/asg/v1/.tests/main.tests.bicepparam:1:0

  Reason:
  - Path True: canadacentral

> testName : Microsoft.Network/applicationSecurityGroups [2/3]

   FAIL  Azure.Resource.AllowedRegions (AZR-000167)

  Resources should be deployed to allowed regions.

  Template: bicep/modules/asg/v1/.tests/main.tests.bicep:121:13

  Reason:
  - Path True: canadacentral

Rules processed: 26, failed: 2, errored: 0
Run 5a8b05e96209be863941b163430c157b62f2c195 completed in 00:00:03.2511098
Assert-PSRule: One or more rules reported failure.
```

BernieWhite commented 7 months ago

@rousseeric Are you able to provide the result from $PSVersionTable within the PowerShell Extension terminal and within pwsh directly?

BernieWhite commented 7 months ago

@rousseeric Release v1.33.2 should address the issue, but let us know if it does not.

We would still like the PowerShell details though so we can further investigate why we were not seeing the issue in all environments. Thanks.

rousseeric commented 7 months ago

I've updated to v1.33.2, and so far so good. Here's my PS Info:


```
----                           -----
PSVersion                      7.4.1
PSEdition                      Core
GitCommitId                    7.4.1
OS                             Ubuntu 22.04.3 LTS
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```