-
Notifications
You must be signed in to change notification settings - Fork 273
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' of https://github.com/azure/azure-monitor-baselin…
…e-alerts into computerstoinclude_remove
- Loading branch information
Showing
1,261 changed files
with
2,817 additions
and
50 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,159 @@ | ||
| Describe 'UnitTest-ModifiedPolicies' { | ||
| BeforeAll { | ||
| Import-Module -Name $PSScriptRoot\PolicyPesterTestHelper.psm1 -Force -Verbose | ||
|
|
||
| $ModifiedFiles = @(Get-PolicyFiles -DiffFilter "M") | ||
| if ($ModifiedFiles -ne $null) { | ||
| Write-Warning "These are the modified policies:" | ||
| $ModifiedFiles | ForEach-Object { | ||
| Write-Host "`t$_" -ForegroundColor DarkYellow | ||
| } | ||
| } | ||
| else { | ||
| Write-Information "There are no modified policies" | ||
| } | ||
|
|
||
| $AddedFiles = @(Get-PolicyFiles -DiffFilter "A") | ||
| if ($AddedFiles -ne $null) { | ||
| Write-Warning "These are the added policies:" | ||
| $AddedFiles | ForEach-Object { | ||
| Write-Host "`t$_" -ForegroundColor DarkYellow | ||
| } | ||
| } | ||
| else { | ||
| Write-Information "There are no added policies" | ||
| } | ||
|
|
||
| $ModifiedAddedFiles = $ModifiedFiles + $AddedFiles | ||
| } | ||
|
|
||
| Context "Validate policy metadata" { | ||
|
|
||
| It "Check policy metadata version exists" { | ||
| $ModifiedAddedFiles | ForEach-Object { | ||
| $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json | ||
| $PolicyFile = Split-Path $_ -Leaf | ||
| $PolicyMetadataVersion = $PolicyJson.properties.metadata.version | ||
| # Write-Warning "$($PolicyFile) - The current metadata version for the policy in the PR branch is : $($PolicyMetadataVersion)" | ||
| $PolicyMetadataVersion | Should -Not -BeNullOrEmpty -Because "the [version] attribute does not exist on file [$PolicyFile]." | ||
| } | ||
| } | ||
|
|
||
| It "Check policy metadata version is greater than its previous version" -Skip:($ModifiedFiles -ne $null) { | ||
| $ModifiedFiles | ForEach-Object { | ||
| $PolicyFile = Split-Path $_ -Leaf | ||
| $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json | ||
| $PreviousPolicyDefinitionRawUrl = "https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/$_" | ||
| $PreviousPolicyDefinitionOutputFile = "./previous-$PolicyFile" | ||
| Invoke-WebRequest -Uri $PreviousPolicyDefinitionRawUrl -OutFile $PreviousPolicyDefinitionOutputFile | ||
| $PreviousPolicyDefinitionsFile = Get-Content $PreviousPolicyDefinitionOutputFile -Raw | ConvertFrom-Json | ||
| $PreviousPolicyDefinitionsFileVersion = $PreviousPolicyDefinitionsFile.properties.metadata.version | ||
| # Write-Warning "$($PolicyFile) - The current metadata version for the policy in the main branch is : $($PreviousPolicyDefinitionsFileVersion)" | ||
| $PolicyMetadataVersion = $PolicyJson.properties.metadata.version | ||
| $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json | ||
| # Write-Warning "$($PolicyFile) - The current metadata version for the policy in the PR branch is : $($PolicyMetadataVersion)" | ||
| if (!$PreviousPolicyDefinitionsFileVersion.EndsWith("deprecated")) { | ||
| $PolicyMetadataVersion | Should -BeGreaterThan $PreviousPolicyDefinitionsFileVersion -Because "the [version] attribute value of file [$PolicyFile] needs to be incremented when modifying policies." | ||
| } | ||
| } | ||
| } | ||
|
|
||
| It "Check deprecated policy contains all required metadata" { | ||
| $ModifiedAddedFiles | ForEach-Object { | ||
| $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json | ||
| $PolicyFile = Split-Path $_ -Leaf | ||
| $PolicyMetadataVersion = $PolicyJson.properties.metadata.version | ||
| # Write-Warning "$($PolicyFile) - This is the policy metadata version: $($PolicyMetadataVersion)" | ||
| if ($PolicyMetadataVersion.EndsWith("deprecated")) { | ||
| # Write-Warning "$($PolicyFile) - Should have the deprecated metadata flag set to true" | ||
| $PolicyMetadataDeprecated = $PolicyJson.properties.metadata.deprecated | ||
| $PolicyMetadataDeprecated | Should -BeTrue | ||
| # Write-Warning "$($PolicyFile) - Should have the supersededBy metadata value set" | ||
| $PolicyMetadataSuperseded = $PolicyJson.properties.metadata.supersededBy | ||
| $PolicyMetadataSuperseded | Should -Not -BeNullOrEmpty | ||
| # Write-Warning "$($PolicyFile) - [Deprecated] should be in the display name" | ||
| $PolicyPropertiesDisplayName = $PolicyJson.properties.displayName | ||
| $PolicyPropertiesDisplayName | Should -Match "[DEPRECATED]" -Because "the [version] attribute on file [$PolicyFile] needs to end with [DEPRECATED]." | ||
| } | ||
| } | ||
| } | ||
|
|
||
| It "Check policy metadata category exists" { | ||
| $ModifiedAddedFiles | ForEach-Object { | ||
| $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json | ||
| $PolicyFile = Split-Path $_ -Leaf | ||
| $PolicyMetadataCategories = $PolicyJson.properties.metadata.category | ||
| # Write-Warning "$($PolicyFile) - These are the policy metadata categories: $($PolicyMetadataCategories)" | ||
| $PolicyMetadataCategories | Should -Not -BeNullOrEmpty -Because "the [category] attribute on file [$PolicyFile] is empty." | ||
| } | ||
| } | ||
|
|
||
| It "Check policy metadata source is set to azure-monitor-baseline-alerts repo" { | ||
| $ModifiedAddedFiles | ForEach-Object { | ||
| $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json | ||
| $PolicyFile = Split-Path $_ -Leaf | ||
| $PolicyMetadataSource = $PolicyJson.properties.metadata.source | ||
| # Write-Warning "$($PolicyFile) - This is the policy source link: $($PolicyMetadataSource)" | ||
| $PolicyMetadataSource | Should -Be 'https://github.com/Azure/azure-monitor-baseline-alerts/' -Because "the [source] attribute on file [$PolicyFile] is not set to [https://github.com/Azure/azure-monitor-baseline-alerts/]." | ||
| } | ||
| } | ||
|
|
||
| It "Check policy metadata ALZ Environments are specified for Public, US Gov or China Clouds" { | ||
| $ModifiedAddedFiles | ForEach-Object { | ||
| $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json | ||
| $PolicyFile = Split-Path $_ -Leaf | ||
| $AlzEnvironments = @("AzureCloud", "AzureChinaCloud", "AzureUSGovernment") | ||
| $PolicyEnvironments = $PolicyJson.properties.metadata.alzCloudEnvironments | ||
| # Write-Warning "$($PolicyFile) - These are the environments: $($PolicyEnvironments)" | ||
| $PolicyJson.properties.metadata.alzCloudEnvironments | Should -BeIn $AlzEnvironments -Because "the [alzCloudEnvironments] attribute value does not match [AzureCloud] or [AzureChinaCloud] or [AzureUSGovernment]." | ||
| } | ||
| } | ||
|
|
||
| <# Commenting this block since we use a different name for policy name and file name | ||
| It "Check policy metadata name matches policy filename" { | ||
| $ModifiedAddedFiles | ForEach-Object { | ||
| $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json | ||
| $PolicyFile = Split-Path $_ -Leaf | ||
| $PolicyMetadataName = $PolicyJson.name | ||
| $PolicyFileNoExt = [System.IO.Path]::GetFileNameWithoutExtension($PolicyFile) | ||
| if ($PolicyFileNoExt.Contains("AzureChinaCloud") -or $PolicyFileNoExt.ContEnterpriains("AzureUSGovernment")) { | ||
| $PolicyFileNoExt = $PolicyFileNoExt.Substring(0, $PolicyFileNoExt.IndexOf(".")) | ||
| } | ||
| # Write-Warning "$($PolicyFileNoExt) - This is the policy metadata name: $($PolicyMetadataName)" | ||
| $PolicyMetadataName | Should -Be $PolicyFileNoExt | ||
| } | ||
| }#> | ||
| } | ||
|
|
||
| Context "Validate policy parameters" { | ||
| It 'Check for policy parameters have default values' { | ||
| $ModifiedAddedFiles | ForEach-Object { | ||
| $PolicyJson = Get-Content -Path $_ -Raw | ConvertFrom-Json | ||
| $PolicyFile = Split-Path $_ -Leaf | ||
| $PolicyMetadataName = $PolicyJson.name | ||
| $ExcludePolicy = @() | ||
| $ExcludeParams = @("ALZManagementSubscriptionId", "BYOUserAssignedManagedIdentityResourceId") | ||
| if ($PolicyMetadataName -notin $ExcludePolicy) { | ||
| $PolicyParameters = $PolicyJson.properties.parameters | ||
| if ($PolicyParameters | Get-Member -MemberType NoteProperty) { | ||
| $Parameters = $PolicyParameters | Get-Member -MemberType NoteProperty | Select-Object -Expand Name | ||
| # Write-Warning "$($PolicyFile) - These are the params: $($Parameters)" | ||
| $Parameters = $PolicyParameters | Get-Member -MemberType NoteProperty | ||
| $Parameters | ForEach-Object { | ||
| $key = $_.name | ||
| if ($key -notin $ExcludeParams) { | ||
| $defaultValue = $PolicyParameters.$key | Get-Member -MemberType NoteProperty | Where-Object Name -EQ "defaultValue" | ||
| # Write-Warning "$($PolicyFile) - Parameter: $($key) - Default Value: $($defaultValue)" | ||
| $PolicyParameters.$key.defaultValue | Should -Not -Because "the [defaultValue] for parameter [$key] is empty." | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
|
|
||
| AfterAll { | ||
| # These are not the droids you are looking for... | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| name: Check Policy Version | ||
|
|
||
| ########################################## | ||
| # Start the job on PR for all branches # | ||
| ########################################## | ||
|
|
||
| # yamllint disable-line rule:truthy | ||
| on: | ||
| pull_request: | ||
| types: | ||
| - opened | ||
| - reopened | ||
| - synchronize | ||
| - ready_for_review | ||
| paths: | ||
| - "services/**.json" | ||
| - "patterns/alz/policySetDefinitions/**.json" | ||
| workflow_dispatch: {} | ||
|
|
||
| env: | ||
| POLICY_DIR: "services" | ||
| POLICYSET_DIR: "patterns/alz/policySetDefinitions" | ||
|
|
||
| jobs: | ||
| validate-policy-files: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| ref: ${{github.event.pull_request.head.ref}} | ||
| repository: ${{github.event.pull_request.head.repo.full_name}} | ||
| - name: Pester Test for Modified Policies | ||
| shell: pwsh | ||
| run: | | ||
| Import-Module Pester -Force | ||
| $pesterConfiguration = @{ | ||
| Run = @{ | ||
| Container = New-PesterContainer -Path "./.github/actions-pester/Test-ModifiedPolicies.Tests.ps1" | ||
| PassThru = $true | ||
| } | ||
| Output = @{ | ||
| Verbosity = 'Detailed' | ||
| } | ||
| } | ||
| $result = Invoke-Pester -Configuration $pesterConfiguration | ||
| exit $result.FailedCount |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.