Testing Bicep Code Using PSRule in Azure Pipeline

PSRule is a test and validation tool that can be used to test your Infrastructure as Code (IaC). It works with various supplement modules for different platforms such as Azure, Kubernetes, etc. It is open sourced, maintained by Microsoft’s Bernie White. When using it together with its supplement module PSRule.Rules.Azure, we can validate our ARM and Bicep templates against over 250 predefined best practices by Microsoft.

The focus of PSRule is different than the language specific linter such as ARM-TTK or Bicep linter which focus on the language syntax, PSRule is focused on how the resources defined in your IaC code are configured, if the resource configurations align with pre-configured rules. It is a great tool if you are adopting the Shift-Left approach in DevOps.

I have been playing with PSRule in a customer’s environment. With Bernie’s help, I have managed to configure it the way I want as part of the Azure Pipelines deploying various Bicep templates.

In my pipelines, I have created a Test and Build stage that contains the following steps before deploying the bicep templates to various environments:

1. Install required PSRule modules since I’m using Microsoft-hosted pipeline agents.
2. Using bicep build command to compile the bicep code to an ARM template, this step also triggers the[native bicep linter.
3. Validate the ARM template generated by the previous step using PSRule.
4. Publish PSRule test results.
5. Get the What-If result against the bicep template.
6. Run deployment validation against the bicep template.

The sample pipeline and all related code is located in my GitHub repo bicep.psrule.demo

NOTE: the sample pipeline only contains the `Test and Build’ stage. It does not contain any deployment stages.

Few things to note:

1. PSRule Azure DevOps extension.

I am using this Azure DevOps extension in my sample code. However, this is not mandatory. You can also use install-module cmdlet to install the PSRule and PSRule.Rules.Azure modules, and use ‘Assert-PSRule’ cmdlet to run the PSRule validation.

2. I am not using PSRule to test Bicep files directly

Although PSRule supports Bicep files now, I am still testing the ARM template generated by bicep build command instead of the bicep files. This is because I am using modules in my Bicep templates and the modules are located in different folders. Based on my testing, when testing the bicep templates directly, the modules are not included. Although I can potentially explicitly test the Bicep modules with PSRule separately, it is easier to just test the compiled ARM template because it consolidates all required modules into Nested deployments.

3. Custom PSRule baselines defined in the `.ps-rule’ folder.

The pipeline YAML template accepts a parameter called psRuleBaselineName. I have a custom baseline defined for the particular Bicep template. You can customize the PSRule behavior in the baseline. More information about PSRule baselines can be found here.

4. ps-rule.yaml file

on the root folder of your Git repository, you can create a ps-rule.yaml file and set various options in this file. Options configured in this file will be applied to everything within the repo.

Please feel free to give it a try, the rules for Azure are updated quarterly. PSRule also provides capability to integrate with Azure Monitor so you can send test results to Azure Monitor via the supplement module PSRule.Monitor. I have not tried it myself, but it’s definitely on my to-do list. Although the sample pipeline is designed for Azure DevOps, PSRule also provides an action for GitHub Action.

[2022-03-30 Update]: Jorge Arteiro (@JorgeArteiro), Bernie White (@BernieAWhite) and I have produced a video for PSRule, and published on his @AzureTar YouTube Channel: