microsoft / PSRule

Validate infrastructure as code (IaC) and objects using PowerShell rules.
https://microsoft.github.io/PSRule/v2/
MIT License

Policy Rules - resource passing rule when it should fail #1578

Closed anwather closed 1 year ago

anwather commented 1 year ago

Description of the issue

The rule states that a location outside of the parameter is not allowed; however, it comes up as a pass when testing.

If I change the value to match the rule, it will fail, i.e. it is the opposite effect.

To Reproduce

rg.bicep

param location string = 'australiasoutheast'
param resourceGroupName string = 'ps-rule-test'

targetScope = 'subscription'

resource rg 'Microsoft.Resources/resourceGroups@2022-09-01' = {
  name: resourceGroupName
  location: location
  tags: {
    environment: 'test'
  }
}

rule.Rule.jsonc

[
    {
        // Synopsis: This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.
        "apiVersion": "github.com/microsoft/PSRule/v1",
        "kind": "Rule",
        "metadata": {
            "name": "Azure.Policy.b95c1c4b7d18",
            "tags": {
                "Azure.Policy/category": "General"
            },
            "annotations": {
                "Azure.Policy/id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
                "Azure.Policy/version": "1.0.0"
            }
        },
        "spec": {
            "with": [
                "PSRule.Rules.Azure\\Azure.Resource.SupportsTags"
            ],
            "condition": {
                "allOf": [
                    {
                        "field": "location",
                        "notIn": [
                            "australiaeast"
                        ]
                    },
                    {
                        "field": "location",
                        "notEquals": "global"
                    },
                    {
                        "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories",
                        "type": "."
                    }
                ]
            }
        }
    }
]

Expected behaviour

[FAIL] Azure.Policy.b95c1c4b7d18 | Template: templates/rg.bicep:22:5

| REASON:
| - Path location: Is set to 'australiasoutheast'.

Error output

VERBOSE: [PSRule][R][2][.\Azure.Policy.b95c1c4b7d18] :: ps-rule-test
VERBOSE: [PSRule][R][2][.\Azure.Policy.b95c1c4b7d18] -- [1/1] [Pass]

 -> ps-rule-test : Microsoft.Resources/resourceGroups [4/4]

    [PASS] Azure.Resource.UseTags (AZR-000166)
    [PASS] Azure.ResourceGroup.Name (AZR-000168)
    [PASS] Azure.RBAC.UseRGDelegation (AZR-000207)
    [PASS] Azure.Policy.b95c1c4b7d18

Module in use and version:

Captured output from $PSVersionTable:

PSVersion                      7.3.6
PSEdition                      Core
GitCommitId                    7.3.6
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

github-actions[bot] commented 1 year ago

Thanks for raising your first issue, the team appreciates the time you have taken 😉

BernieWhite commented 1 year ago

Fixed in PSRule for Azure v.1.28.2.
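
Why the rule as written passes for `australiasoutheast`, as an added example (not from the issue thread or the PSRule project): a small Python evaluator for the three conditions in `rule.Rule.jsonc`. It assumes case-insensitive string comparison and uses a hypothetical `Microsoft.Example/widgets` resource; the `not` wrapper shows the outcome the reporter expected and is not a statement of how v.1.28.2 changed the rule.

```python
# Added illustration, not PSRule's implementation: a minimal evaluator for the
# operators used by the rule in this issue (allOf, not, notIn, notEquals).

# Condition copied from rule.Rule.jsonc in the issue.
RULE_CONDITION = {
    "allOf": [
        {"field": "location", "notIn": ["australiaeast"]},
        {"field": "location", "notEquals": "global"},
        {"type": ".", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
    ]
}

# Resource group from rg.bicep, plus two constructed variants for comparison.
RG_SOUTHEAST = {"type": "Microsoft.Resources/resourceGroups", "location": "australiasoutheast"}
RG_EAST = {"type": "Microsoft.Resources/resourceGroups", "location": "australiaeast"}
GLOBAL_RES = {"type": "Microsoft.Example/widgets", "location": "global"}  # hypothetical type


def operand(cond, resource):
    """'type': '.' selects the resource type; 'field' names a property."""
    key = "type" if cond.get("type") == "." else cond["field"]
    return str(resource.get(key, "")).lower()  # assumption: case-insensitive compare


def evaluate(cond, resource):
    """Return True when the condition holds for the resource."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    if "notIn" in cond:
        return operand(cond, resource) not in [v.lower() for v in cond["notIn"]]
    if "notEquals" in cond:
        return operand(cond, resource) != cond["notEquals"].lower()
    raise ValueError(f"unsupported condition: {cond}")


def rule_outcome(cond, resource):
    """A rule passes when its condition evaluates to true."""
    return "Pass" if evaluate(cond, resource) else "Fail"


if __name__ == "__main__":
    negated = {"not": RULE_CONDITION}
    for name, res in [("southeast", RG_SOUTHEAST), ("east", RG_EAST), ("global", GLOBAL_RES)]:
        print(name, "as written:", rule_outcome(RULE_CONDITION, res),
              "| negated:", rule_outcome(negated, res))
```

All three conditions are true for `australiasoutheast`, so the `allOf` is satisfied and the rule reports a pass; the condition describes the resources that should be flagged rather than the compliant ones.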