-
Notifications
You must be signed in to change notification settings - Fork 169
170 lines (146 loc) · 6.09 KB
/
regressionparams.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
name: InfraCI - Regression Validation
on:
#Run on Manual execution
workflow_dispatch:
#Run when our bicep code changes
push:
paths:
- "bicep/*"
#Run when PR's are made to main, where the changes are in the bicep directory or this workflow file itself
pull_request:
branches: [main]
paths:
- "bicep/*"
- ".github/workflows/regressionparams.yml"
- ".github/workflows_dep/regressionparams/*"
#Run on a weekly schedule
schedule:
# At 11:00pm, every Thursday week
- cron: "0 23 * * 4"
env:
RG: "AksBicepAcc-Ci-HelperValidate" #The resource group we're deploying to.
ParamDir: ".github/workflows_dep/regressionparams/" #Path to parameter file
AZCLIVERSION: 2.43.0 #Pinning to a specific AZ CLI version
jobs:
GetParamFiles:
runs-on: ubuntu-latest
if: ${{ !github.event.pull_request.head.repo.fork }}
name: Get Param File List
outputs:
FILELIST: ${{ steps.getfiles.outputs.FILELIST}}
steps:
#Get the code files from the repo
- uses: actions/[email protected]
- name: Job parameter check
run: |
RG='${{ env.RG }}'
echo "RG is: $RG"
echo "Param dir path is: ${{ env.ParamDir }}"
- name: Get List of json files
id: getfiles
shell: pwsh
run: |
$FilePath="${{ env.ParamDir }}"
$FILELISTJSON=get-ChildItem -Path $FilePath -File '*.json' | select-object -ExpandProperty Name | ConvertTo-Json -Compress
Write-Output $FILELISTJSON
echo "FILELIST=$FILELISTJSON" >> $Env:GITHUB_OUTPUT
Validation:
needs: [GetParamFiles]
strategy:
matrix:
files: ${{ fromJson(needs.GetParamFiles.outputs.FILELIST) }}
max-parallel: 4
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected]
- name: Job parameter check
run: |
RG='${{ env.RG }}'
echo "RG is: $RG"
echo "Param dir path is: ${{ env.ParamDir }}"
echo "Param file is ${{ matrix.files }}"
echo "Input path is ${{ env.ParamDir }}${{ matrix.files }}"
echo "Do PS Rule is ${{ steps.paramfile.outputs.DOPSRULE }}"
- name: Arm Parameter file check
shell: pwsh
id: paramfile
run: |
Write-Output "Checking parameter file existance/contents"
$paramFilePath="${{ env.ParamDir }}${{ matrix.files }}"
Test-Path $paramFilePath
if (Test-Path $paramFilePath) {
$paramFileContent=Get-Content $paramFilePath
Write-Output $paramFileContent
Write-Output "Checking for PSrule template link metadata"
$paramfile=$paramFileContent|ConvertFrom-Json
if ($null -ne $paramfile.metadata.template) {
Write-Output "Temnplate value found"
Write-Output $paramfile.metadata.template
Write-Output $paramfile.metadata.template.length
echo "DOPSRULE=true" >> $GITHUB_OUTPUT
} else {
Write-Output "Temnplate value NOT found"
echo "DOPSRULE=false" >> $GITHUB_OUTPUT
}
}
- name: Replace subnet, dnszone and kv param values from secret
shell: pwsh
run: |
$paramFilePath="${{ env.ParamDir }}${{ matrix.files }}"
$params = Get-Content $paramFilePath | ConvertFrom-Json
if($params.parameters.dnsZoneId.value -ne $null) {
$params.parameters.dnsZoneId.value = "${{ secrets.BYODNSZONEID }}"
}
if($params.parameters.byoAKSSubnetId.value -ne $null) {
$params.parameters.byoAKSSubnetId.value = "${{ secrets.ByoAksSubnetId }}"
}
if($params.parameters.byoAGWSubnetId.value -ne $null) {
$params.parameters.byoAGWSubnetId.value = "${{ secrets.ByoAgwSubnetId }}"
}
if($params.parameters.keyVaultKmsByoKeyId.value -ne $null) {
$params.parameters.keyVaultKmsByoKeyId.value = "${{ secrets.ByoKmsKeyId }}"
}
$params | ConvertTo-Json -Depth 4 | Out-File "${{ env.ParamDir }}${{ matrix.files }}"
- name: Azure Login
uses: Azure/[email protected]
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
enable-AzPSSession: false
environment: azurecloud
allow-no-subscriptions: false
- name: Validate Infrastructure deployment
uses: Azure/[email protected]
with:
azcliversion: ${{ env.AZCLIVERSION }}
inlineScript: |
RG='${{ env.RG }}'
az deployment group validate -f bicep/main.bicep -g $RG -p ${{ env.ParamDir }}${{ matrix.files }}
- name: WhatIf Infrastructure deployment
if: steps.paramfile.outputs.DOPSRULE == 'true'
continue-on-error: ${{ secrets.ISAZCLIWHATIFUNRELIABLE == 'true' }}
uses: Azure/[email protected]
with:
azcliversion: ${{ env.AZCLIVERSION }}
inlineScript: |
RG='${{ env.RG }}'
az deployment group what-if -f bicep/main.bicep -g $RG -p ${{ env.ParamDir }}${{ matrix.files }}
# PSRule does this cool thing where it traverse the parameter file through to the arm template
# PSRule performs IaC recommendations of the template.
# https://azure.github.io/PSRule.Rules.Azure/
- name: PSRule - Analyze Azure parameter file
if: steps.paramfile.outputs.DOPSRULE == 'true'
uses: Microsoft/ps-rule@main
continue-on-error: true #Setting this whilst PSRule gets bedded in, in this project
with:
modules: 'PSRule.Rules.Azure'
inputPath: "${{ env.ParamDir }}${{ matrix.files }}"
#prerelease: false
baseline: 'Azure.Default' #'Azure.Preview'
- name: PSRule - Analyze Azure parameter file including Preview feature rulesets
if: steps.paramfile.outputs.DOPSRULE == 'true'
uses: Microsoft/ps-rule@main
continue-on-error: true #Preview feature checking means we need to suppress errors
with:
modules: 'PSRule.Rules.Azure'
inputPath: "${{ env.ParamDir }}${{ matrix.files }}"
baseline: 'Azure.All' #All includes preview and internal rules