From 8678c5946ad5adfcde6f25cd428994118b9ca84b Mon Sep 17 00:00:00 2001
From: Anthony Shaw
Date: Tue, 11 Jun 2024 13:42:41 +1000
Subject: [PATCH 1/6] Use PSRule for testing
---
 .github/workflows/bicep-audit.yml | 23 +++++++++++--------
 ps-rule.yaml | 3 +++
 tests/README.md | 1 +
 tests/cloud-native/aks-arm64.test.bicep | 10 ++++++++
 tests/cloud-native/aks-azure-linux.test.bicep | 9 ++++++++
 tests/cloud-native/aks-bicep-k8s.test.bicep | 9 ++++++++
 tests/cloud-native/aks-bicep-keda.test.bicep | 9 ++++++++
 tests/cloud-native/aks-bicep.test.bicep | 9 ++++++++
 .../cloud-native/aks-open-service-mesh.bicep | 11 +++++++++
 .../aks-webapp-routing.test.bicep | 12 ++++++++++
 tests/cloud-native/containerapps.test.bicep | 9 ++++++++
 11 files changed, 96 insertions(+), 9 deletions(-)
 create mode 100644 ps-rule.yaml
 create mode 100644 tests/README.md
 create mode 100644 tests/cloud-native/aks-arm64.test.bicep
 create mode 100644 tests/cloud-native/aks-azure-linux.test.bicep
 create mode 100644 tests/cloud-native/aks-bicep-k8s.test.bicep
 create mode 100644 tests/cloud-native/aks-bicep-keda.test.bicep
 create mode 100644 tests/cloud-native/aks-bicep.test.bicep
 create mode 100644 tests/cloud-native/aks-open-service-mesh.bicep
 create mode 100644 tests/cloud-native/aks-webapp-routing.test.bicep
 create mode 100644 tests/cloud-native/containerapps.test.bicep
diff --git a/.github/workflows/bicep-audit.yml b/.github/workflows/bicep-audit.yml
index eb7f66d..50c1580 100644
--- a/.github/workflows/bicep-audit.yml
+++ b/.github/workflows/bicep-audit.yml
@@ -20,16 +20,21 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
-
- - name: Run Microsoft Security DevOps Analysis
- uses: microsoft/security-devops-action@preview
- id: msdo
- continue-on-error: true
+ - name: Run PSRule analysis
+ uses: microsoft/ps-rule@v2.9.0
 with:
- tools: templateanalyzer
-
- - name: Upload alerts to Security tab
+ modules: PSRule.Rules.Azure
+ baseline: Azure.Pillar.Security
+ inputPath: tests/*.test.bicep
+ outputFormat: Sarif
+ outputPath: reports/ps-rule-results.sarif
+ summary: true
+ continue-on-error: true
+ env:
+ PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: 'true'
+ PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: '30'
+ - name: Upload results to security tab
 uses: github/codeql-action/upload-sarif@v3
 if: github.repository_owner == 'Azure-Samples'
 with:
- sarif_file: ${{ steps.msdo.outputs.sarifFile }}
+ sarif_file: reports/ps-rule-results.sarif
diff --git a/ps-rule.yaml b/ps-rule.yaml
new file mode 100644
index 0000000..bb4904b
--- /dev/null
+++ b/ps-rule.yaml
@@ -0,0 +1,3 @@
+# YAML: Set the AZURE_BICEP_FILE_EXPANSION configuration option to enable expansion
+configuration:
+ AZURE_BICEP_FILE_EXPANSION: true
\ No newline at end of file
diff --git a/tests/README.md b/tests/README.md
new file mode 100644
index 0000000..633eb17
--- /dev/null
+++ b/tests/README.md
@@ -0,0 +1 @@
+The files in this folder are for the purposes of running PSRule analysis for security checks.
\ No newline at end of file
diff --git a/tests/cloud-native/aks-arm64.test.bicep b/tests/cloud-native/aks-arm64.test.bicep
new file mode 100644
index 0000000..1031af0
--- /dev/null
+++ b/tests/cloud-native/aks-arm64.test.bicep
@@ -0,0 +1,10 @@
+targetScope = 'subscription'
+
+
+module main '../../cloud-native/aks-arm64/main.bicep' = {
+ name: 'aks-arm64'
+ params: {
+ name: 'test-aks-arm64'
+ location: 'westus'
+ }
+}
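Review bot: `continue-on-error: true` on the new "Run PSRule analysis" step means a failing `Azure.Pillar.Security` baseline never turns the check red, and because the SARIF upload is gated on `github.repository_owner == 'Azure-Samples'`, a contributor working from a fork gets no signal at all — the audit is advisory, not a gate. If the templates are meant to be held to the baseline, drop `continue-on-error: true` from the analysis step (or move it to the upload step so the SARIF is still delivered when there are findings). `uses: microsoft/ps-rule@v2.9.0` pins a mutable tag for third-party code that runs inside the job; pin the release commit instead, `uses: microsoft/ps-rule@<commit-sha-of-v2.9.0> # v2.9.0`, and do the same for `github/codeql-action/upload-sarif@v3`. The job's `permissions` block is outside this hunk; `upload-sarif` needs `security-events: write`, so confirm it is granted there.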
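Review bot: The new `ps-rule.yaml` enables `AZURE_BICEP_FILE_EXPANSION`, but the same option is set a second time in the workflow via `PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION`, while the expansion timeout lives only in the workflow `env`, so a local PSRule run picks up expansion but not the CI timeout. Put the timeout here as well, `AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 30`, and drop the duplicated workflow env entries so CI and local runs share one configuration. The file also lacks a trailing newline (`\ No newline at end of file`), and the `# YAML:` prefix in the comment adds nothing — `# Enable Bicep file expansion for PSRule.Rules.Azure` reads better.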
diff --git a/tests/cloud-native/aks-azure-linux.test.bicep b/tests/cloud-native/aks-azure-linux.test.bicep
new file mode 100644
index 0000000..6937814
--- /dev/null
+++ b/tests/cloud-native/aks-azure-linux.test.bicep
@@ -0,0 +1,9 @@
+targetScope = 'resourceGroup'
+
+
+module main '../../cloud-native/aks-azure-linux/aks.bicep' = {
+ name: 'aks-azure-linux'
+ params: {
+ location: 'westus'
+ }
+}
diff --git a/tests/cloud-native/aks-bicep-k8s.test.bicep b/tests/cloud-native/aks-bicep-k8s.test.bicep
new file mode 100644
index 0000000..1036d92
--- /dev/null
+++ b/tests/cloud-native/aks-bicep-k8s.test.bicep
@@ -0,0 +1,9 @@
+targetScope = 'resourceGroup'
+
+
+module main '../../cloud-native/aks-bicep-k8s/main.bicep' = {
+ name: 'aks-bicep'
+ params: {
+ location: 'westus'
+ }
+}
diff --git a/tests/cloud-native/aks-bicep-keda.test.bicep b/tests/cloud-native/aks-bicep-keda.test.bicep
new file mode 100644
index 0000000..13d0b66
--- /dev/null
+++ b/tests/cloud-native/aks-bicep-keda.test.bicep
@@ -0,0 +1,9 @@
+targetScope = 'subscription'
+
+
+module main01 '../../cloud-native/aks-bicep-keda/01-aks/main.bicep' = {
+ name: 'aks-01-bicep'
+ params: {
+ location: 'westus'
+ }
+}
diff --git a/tests/cloud-native/aks-bicep.test.bicep b/tests/cloud-native/aks-bicep.test.bicep
new file mode 100644
index 0000000..a63be7c
--- /dev/null
+++ b/tests/cloud-native/aks-bicep.test.bicep
@@ -0,0 +1,9 @@
+targetScope = 'subscription'
+
+
+module main '../../cloud-native/aks-bicep/01-aks/main.bicep' = {
+ name: 'aks-bicep'
+ params: {
+ location: 'westus'
+ }
+}
diff --git a/tests/cloud-native/aks-open-service-mesh.bicep b/tests/cloud-native/aks-open-service-mesh.bicep
new file mode 100644
index 0000000..61dac06
--- /dev/null
+++ b/tests/cloud-native/aks-open-service-mesh.bicep
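Review bot: In `tests/cloud-native/aks-bicep-k8s.test.bicep` the module deployment is named `'aks-bicep'`, the same name `aks-bicep.test.bicep` uses, which looks like a copy-paste leftover and makes the two fixtures indistinguishable in PSRule output. Rename it to `name: 'aks-bicep-k8s'` so it matches its file, as the other fixtures mostly do. `aks-bicep-keda.test.bicep` has the same drift with `name: 'aks-01-bicep'` for a file and folder called `aks-bicep-keda`.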
@@ -0,0 +1,11 @@
+targetScope = 'subscription'
+
+
+module main '../../cloud-native/aks-open-service-mesh/main.bicep' = {
+ name: 'aks-open-service-mesh'
+ params: {
+ name: 'testing'
+ userObjectId: '00000000-0000-0000-0000-000000000000'
+ location: 'westus'
+ }
+}
diff --git a/tests/cloud-native/aks-webapp-routing.test.bicep b/tests/cloud-native/aks-webapp-routing.test.bicep
new file mode 100644
index 0000000..6bff46d
--- /dev/null
+++ b/tests/cloud-native/aks-webapp-routing.test.bicep
@@ -0,0 +1,12 @@
+targetScope = 'subscription'
+
+
+module main '../../cloud-native/aks-webapp-routing/main.bicep' = {
+ name: 'aks-webapp-routing'
+ params: {
+ name: 'testing'
+ userObjectId: '00000000-0000-0000-0000-000000000000'
+ location: 'westus'
+ dnsName: 'testing.com'
+ }
+}
diff --git a/tests/cloud-native/containerapps.test.bicep b/tests/cloud-native/containerapps.test.bicep
new file mode 100644
index 0000000..3a93c4b
--- /dev/null
+++ b/tests/cloud-native/containerapps.test.bicep
@@ -0,0 +1,9 @@
+targetScope = 'subscription'
+
+
+module main '../../cloud-native/containerapps-bicep/main.bicep' = {
+ name: 'containerapps-bicep'
+ params: {
+ location: 'westus'
+ }
+}
From 7e6d46fa7cbef72b9e2bc5d37d4dd5363212b6eb Mon Sep 17 00:00:00 2001
From: Anthony Shaw
Date: Tue, 11 Jun 2024 13:51:12 +1000
Subject: [PATCH 2/6] recursive test path
---
 .github/workflows/bicep-audit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/bicep-audit.yml b/.github/workflows/bicep-audit.yml
index 50c1580..82ecde6 100644
--- a/.github/workflows/bicep-audit.yml
+++ b/.github/workflows/bicep-audit.yml
@@ -25,7 +25,7 @@ jobs:
 with:
 modules: PSRule.Rules.Azure
 baseline: Azure.Pillar.Security
- inputPath: tests/*.test.bicep
+ inputPath: tests/**/*.test.bicep
 outputFormat: Sarif
 outputPath: reports/ps-rule-results.sarif
 summary: true
From 4691d8941e7934ab4a9e0570a3ece04aabe0e059 Mon Sep 17 00:00:00 2001
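Review bot: `dnsName: 'testing.com'` in `aks-webapp-routing.test.bicep` is not a reserved name and may belong to an unrelated third party; even in a fixture that is only statically analysed, use an RFC 2606 reserved domain, `dnsName: 'example.com'`, so the repository never references a domain the project does not control. The all-zero `userObjectId` here and in `aks-open-service-mesh.bicep` is fine for analysis, but a trailing comment such as `// placeholder principal id for static analysis only` would stop it being mistaken for a real identity or copied into a deployment.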
From: Anthony Shaw
Date: Tue, 11 Jun 2024 14:02:28 +1000
Subject: [PATCH 3/6] Linux test files
---
 tests/linux/vm-flatcar-postgres.test.bicep | 10 ++++++++++
 tests/linux/vm-mariner.test.bicep | 10 ++++++++++
 tests/linux/vm-mastodon.test.bicep | 8 ++++++++
 tests/linux/vm.test.bicep | 9 +++++++++
 tests/linux/vmss.test.bicep | 8 ++++++++
 5 files changed, 45 insertions(+)
 create mode 100644 tests/linux/vm-flatcar-postgres.test.bicep
 create mode 100644 tests/linux/vm-mariner.test.bicep
 create mode 100644 tests/linux/vm-mastodon.test.bicep
 create mode 100644 tests/linux/vm.test.bicep
 create mode 100644 tests/linux/vmss.test.bicep
diff --git a/tests/linux/vm-flatcar-postgres.test.bicep b/tests/linux/vm-flatcar-postgres.test.bicep
new file mode 100644
index 0000000..c2a863b
--- /dev/null
+++ b/tests/linux/vm-flatcar-postgres.test.bicep
@@ -0,0 +1,10 @@
+targetScope = 'subscription'
+
+
+module main '../../linux/vm-flatcar-postgres/main.bicep' = {
+ name: 'vm-flatcar-postgres'
+ params: {
+ location: 'westus'
+ sshKey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD'
+ }
+}
diff --git a/tests/linux/vm-mariner.test.bicep b/tests/linux/vm-mariner.test.bicep
new file mode 100644
index 0000000..7ea2e49
--- /dev/null
+++ b/tests/linux/vm-mariner.test.bicep
@@ -0,0 +1,10 @@
+targetScope = 'resourceGroup'
+
+
+module main '../../linux/vm-mariner/vm.bicep' = {
+ name: 'vm-mariner'
+ params: {
+ location: 'westus'
+ sshKey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD'
+ }
+}
diff --git a/tests/linux/vm-mastodon.test.bicep b/tests/linux/vm-mastodon.test.bicep
new file mode 100644
index 0000000..9f1c382
--- /dev/null
+++ b/tests/linux/vm-mastodon.test.bicep
@@ -0,0 +1,8 @@
+targetScope = 'resourceGroup'
+
+
+module main '../../linux/vm-mastodon/vm.bicep' = {
+ name: 'vm-mastodon'
+ params: {
+ }
+}
diff --git a/tests/linux/vm.test.bicep b/tests/linux/vm.test.bicep
new file mode 100644
index 0000000..e50a46d
--- /dev/null
+++ b/tests/linux/vm.test.bicep
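Review bot: `vm-mastodon.test.bicep` passes an empty `params: { }` to `../../linux/vm-mastodon/vm.bicep`, and `vmss.test.bicep` does the same for `../../linux/vmss/vmss.bicep` in the next hunk. If either module declares a parameter without a default (the modules are not visible here), Bicep expansion of the fixture fails instead of producing a template to analyse, and with `continue-on-error: true` on the PSRule step that failure does not fail the check, so the sample would quietly go unaudited. Either pass the module's required parameters as the other fixtures do, or collapse it to `params: {}` with a comment stating that the module is fully defaulted. The `sshKey` values in the flatcar and mariner fixtures are truncated placeholders, which is fine for static analysis; a trailing `// truncated placeholder, not a usable key` saves the next reader from checking.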
@@ -0,0 +1,9 @@
+targetScope = 'resourceGroup'
+
+
+module main '../../linux/vm/vm.bicep' = {
+ name: 'linux-vm'
+ params: {
+ location: 'westus'
+ }
+}
diff --git a/tests/linux/vmss.test.bicep b/tests/linux/vmss.test.bicep
new file mode 100644
index 0000000..f4b2734
--- /dev/null
+++ b/tests/linux/vmss.test.bicep
@@ -0,0 +1,8 @@
+targetScope = 'resourceGroup'
+
+
+module main '../../linux/vmss/vmss.bicep' = {
+ name: 'vmss'
+ params: {
+ }
+}
From 8d0b27ef3c62f5c15949945c68c5abe3d2a497bf Mon Sep 17 00:00:00 2001
From: Anthony Shaw
Date: Tue, 11 Jun 2024 14:14:50 +1000
Subject: [PATCH 4/6] Try the whole tests folder
---
 .github/workflows/bicep-audit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/bicep-audit.yml b/.github/workflows/bicep-audit.yml
index 82ecde6..01f8c85 100644
--- a/.github/workflows/bicep-audit.yml
+++ b/.github/workflows/bicep-audit.yml
@@ -25,7 +25,7 @@ jobs:
 with:
 modules: PSRule.Rules.Azure
 baseline: Azure.Pillar.Security
- inputPath: tests/**/*.test.bicep
+ inputPath: tests/
 outputFormat: Sarif
 outputPath: reports/ps-rule-results.sarif
 summary: true
From a1b30bea03d51e3ed5c406dec3ea8510d534f8bb Mon Sep 17 00:00:00 2001
From: Anthony Shaw
Date: Tue, 11 Jun 2024 14:29:35 +1000
Subject: [PATCH 5/6] Rename test file
---
 ...s-open-service-mesh.bicep => aks-open-service-mesh.test.bicep} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename tests/cloud-native/{aks-open-service-mesh.bicep => aks-open-service-mesh.test.bicep} (100%)
diff --git a/tests/cloud-native/aks-open-service-mesh.bicep b/tests/cloud-native/aks-open-service-mesh.test.bicep
similarity index 100%
rename from tests/cloud-native/aks-open-service-mesh.bicep
rename to tests/cloud-native/aks-open-service-mesh.test.bicep
From 438f9ceccd741ed944ebf0b93a810d78fba8e6c0 Mon Sep 17 00:00:00 2001
From: Anthony Shaw
Date: Wed, 12 Jun 2024 10:41:38 +1000
Subject: [PATCH 6/6] Extend timeout
---
 .github/workflows/bicep-audit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/bicep-audit.yml b/.github/workflows/bicep-audit.yml
index 01f8c85..c795d9b 100644
--- a/.github/workflows/bicep-audit.yml
+++ b/.github/workflows/bicep-audit.yml
@@ -32,7 +32,7 @@ jobs:
 continue-on-error: true
 env:
 PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: 'true'
- PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: '30'
+ PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: '60'
 - name: Upload results to security tab
 uses: github/codeql-action/upload-sarif@v3
 if: github.repository_owner == 'Azure-Samples'