search

Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License
387 stars 84 forks source link

VisitAKSCluster fails to get vnetSubnetID property when kubenet network plugin is used #920

Closed ArmaanMcleod closed 3 years ago

ArmaanMcleod commented 3 years ago

Description of the issue

When running Export-AzRuleData on a RG with my AKS cluster that is using kubenet instead of Azure CNI, the following error happens:

VisitAKSCluster: C:\Users\armcleod\Documents\github-repos\PSRule.Rules.Azure\out\modules\PSRule.Rules.Azure\PSRule.Rules.Azure.psm1:1140:60
Line |
1140 |  … ainerService/managedClusters' { VisitAKSCluster @PSBoundParameters; }
     |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The property 'vnetSubnetID' cannot be found on this object. Verify that the property exists.

To Reproduce

Steps to reproduce the issue:

Export-AzRuleData -Subscription '<subID>' -Tenant '<tenantID>' -ResourceGroupName '<rgName>'

Expected behaviour

Not error out for invalid vnetSubnetID property.

I think this should check if properties.networkProfile.networkPlugin is not set to kubenet before adding this property. Could also just check if it set to azure.

https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#containerservicenetworkprofile-object

Let me know if I'm not running something properly here 😄 .

ArmaanMcleod commented 3 years ago

Something like this should work:

function VisitAKSCluster {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
        [PSObject]$Resource,

        [Parameter(Mandatory = $True)]
        [Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer]$Context
    )
    process {
        $resources = @();
        if ($Resource.Properties.networkProfile.networkPlugin -eq 'azure') {
            $nodePools = @($Resource.Properties.agentPoolProfiles);
            foreach ($nodePool in $nodePools) {
                $vnetId = $nodePool.vnetSubnetID;
                $resources += GetResourceById -ResourceId $vnetId -ApiVersion '2020-05-01' -Context $Context;
            }
        }
        $Resource | Add-Member -MemberType NoteProperty -Name resources -Value $resources -PassThru;
    }
}
BernieWhite commented 3 years ago

@ArmaanMcleod Thanks. Makes sense to me. I'll review the PR.