InfraCI - Regression Validation #1784
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: InfraCI - Regression Validation | |
on: | |
#Run on Manual execution | |
workflow_dispatch: | |
#Run when our bicep code changes | |
push: | |
paths: | |
- "bicep/*" | |
#Run when PR's are made to main, where the changes are in the bicep directory or this workflow file itself | |
pull_request: | |
branches: [main] | |
paths: | |
- "bicep/*" | |
- ".github/workflows/regressionparams.yml" | |
- ".github/workflows_dep/regressionparams/*" | |
#Run on a weekly schedule | |
schedule: | |
# At 11:00pm, every Thursday week | |
- cron: "0 23 * * 4" | |
env: | |
RG: "AksBicepAcc-Ci-HelperValidate" #The resource group we're deploying to. | |
ParamDir: ".github/workflows_dep/regressionparams/" #Path to parameter file | |
AZCLIVERSION: 2.58.0 #2.53.0 #2.43.0 #2.34.1 #2.29.2 #2.26.0 #latest | |
jobs: | |
GetParamFiles: | |
runs-on: ubuntu-latest | |
if: ${{ !github.event.pull_request.head.repo.fork }} | |
name: Get Param File List | |
outputs: | |
FILELIST: ${{ steps.getfiles.outputs.FILELIST}} | |
steps: | |
#Get the code files from the repo | |
- uses: actions/checkout@v4.1.1 | |
- name: Job parameter check | |
run: | | |
RG='${{ env.RG }}' | |
echo "RG is: $RG" | |
echo "Param dir path is: ${{ env.ParamDir }}" | |
- name: Get List of json files | |
id: getfiles | |
shell: pwsh | |
run: | | |
$FilePath="${{ env.ParamDir }}" | |
$FILELISTJSON=get-ChildItem -Path $FilePath -File '*.json' | select-object -ExpandProperty Name | ConvertTo-Json -Compress | |
Write-Output $FILELISTJSON | |
echo "FILELIST=$FILELISTJSON" >> $Env:GITHUB_OUTPUT | |
Validation: | |
needs: [GetParamFiles] | |
strategy: | |
matrix: | |
files: ${{ fromJson(needs.GetParamFiles.outputs.FILELIST) }} | |
max-parallel: 4 | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4.1.1 | |
- name: Job parameter check | |
run: | | |
RG='${{ env.RG }}' | |
echo "RG is: $RG" | |
echo "Param dir path is: ${{ env.ParamDir }}" | |
echo "Param file is ${{ matrix.files }}" | |
echo "Input path is ${{ env.ParamDir }}${{ matrix.files }}" | |
echo "Do PS Rule is ${{ steps.paramfile.outputs.DOPSRULE }}" | |
- name: Arm Parameter file check | |
shell: pwsh | |
id: paramfile | |
run: | | |
Write-Output "Checking parameter file existance/contents" | |
$paramFilePath="${{ env.ParamDir }}${{ matrix.files }}" | |
Test-Path $paramFilePath | |
if (Test-Path $paramFilePath) { | |
$paramFileContent=Get-Content $paramFilePath | |
Write-Output $paramFileContent | |
Write-Output "Checking for PSrule template link metadata" | |
$paramfile=$paramFileContent|ConvertFrom-Json | |
if ($null -ne $paramfile.metadata.template) { | |
Write-Output "Temnplate value found" | |
Write-Output $paramfile.metadata.template | |
Write-Output $paramfile.metadata.template.length | |
echo "DOPSRULE=true" >> $GITHUB_OUTPUT | |
} else { | |
Write-Output "Temnplate value NOT found" | |
echo "DOPSRULE=false" >> $GITHUB_OUTPUT | |
} | |
} | |
- name: Replace subnet, dnszone and kv param values from secret | |
shell: pwsh | |
run: | | |
$paramFilePath="${{ env.ParamDir }}${{ matrix.files }}" | |
$params = Get-Content $paramFilePath | ConvertFrom-Json | |
if($params.parameters.dnsZoneId.value -ne $null) { | |
$params.parameters.dnsZoneId.value = "${{ secrets.BYODNSZONEID }}" | |
} | |
if($params.parameters.byoAKSSubnetId.value -ne $null) { | |
$params.parameters.byoAKSSubnetId.value = "${{ secrets.ByoAksSubnetId }}" | |
} | |
if($params.parameters.byoAGWSubnetId.value -ne $null) { | |
$params.parameters.byoAGWSubnetId.value = "${{ secrets.ByoAgwSubnetId }}" | |
} | |
if($params.parameters.keyVaultKmsByoKeyId.value -ne $null) { | |
$params.parameters.keyVaultKmsByoKeyId.value = "${{ secrets.ByoKmsKeyId }}" | |
} | |
$params | ConvertTo-Json -Depth 4 | Out-File "${{ env.ParamDir }}${{ matrix.files }}" | |
- name: Azure Login | |
uses: Azure/login@v2 | |
with: | |
creds: ${{ secrets.AZURE_CREDENTIALS }} | |
enable-AzPSSession: false | |
environment: azurecloud | |
allow-no-subscriptions: false | |
- name: Validate Infrastructure deployment | |
uses: Azure/cli@v2 | |
with: | |
azcliversion: ${{ env.AZCLIVERSION }} | |
inlineScript: | | |
RG='${{ env.RG }}' | |
az deployment group validate -f bicep/main.bicep -g $RG -p ${{ env.ParamDir }}${{ matrix.files }} | |
- name: WhatIf Infrastructure deployment | |
if: steps.paramfile.outputs.DOPSRULE == 'true' | |
continue-on-error: ${{ secrets.ISAZCLIWHATIFUNRELIABLE == 'true' }} | |
uses: Azure/cli@v2 | |
with: | |
azcliversion: ${{ env.AZCLIVERSION }} | |
inlineScript: | | |
RG='${{ env.RG }}' | |
az deployment group what-if -f bicep/main.bicep -g $RG -p ${{ env.ParamDir }}${{ matrix.files }} | |
# PSRule does this cool thing where it traverse the parameter file through to the arm template | |
# PSRule performs IaC recommendations of the template. | |
# https://azure.github.io/PSRule.Rules.Azure/ | |
- name: PSRule - Analyze Azure parameter file | |
if: steps.paramfile.outputs.DOPSRULE == 'true' | |
uses: Microsoft/ps-rule@main | |
continue-on-error: true #Setting this whilst PSRule gets bedded in, in this project | |
with: | |
modules: 'PSRule.Rules.Azure' | |
inputPath: "${{ env.ParamDir }}${{ matrix.files }}" | |
#prerelease: false | |
baseline: 'Azure.Default' #'Azure.Preview' | |
- name: PSRule - Analyze Azure parameter file including Preview feature rulesets | |
if: steps.paramfile.outputs.DOPSRULE == 'true' | |
uses: Microsoft/ps-rule@main | |
continue-on-error: true #Preview feature checking means we need to suppress errors | |
with: | |
modules: 'PSRule.Rules.Azure' | |
inputPath: "${{ env.ParamDir }}${{ matrix.files }}" | |
baseline: 'Azure.All' #All includes preview and internal rules |