Custom rule always fails

[majorku5anagi]

Hi, I have an issue or maybe my own understanding is wrong on how to make custom rule. Namely, I wanted to make simple check of existence of Tags within Bicep file. I've setup ps-rule.yaml file in which I set cofnfiguration for expansion because of the Bicep code and I've created .ps-rule folder with countryTag.Rule.ps1 with custom rule. Whichever approach I make in creating the rule it always fails. Built-in PSRule works great and it actually sees which resources I'm trying to deploy and therefore pulls out all related Azure Well Architecture Framework rules and compare it with PASS/FAIL flags correctly. My custom rule is being run as I can see it on the beginning of the report but it is always in FAIL status no matter what I do and in the setup that I currently have I expect it to PASS. Screenshots of all mentioned PSRules files are below alongside with portion of the Bicep code that shows the tag existence.

.ps-rule/countryTag.Rule.ps1:

ps-rule.yaml:

Bicep code:

When I tried different approach by fulfilling the countryTag.Rule.ps1 with this code I received again FAIL status. This time I deliberately made correction on the bicep file so that all builtin checks to pass. Only custom rule didn't :

This question/issue has also been created at: microsoft/PSRule-pipelines#345 (comment) because the result is the same if I use the Azure DevOps Pipelines

[BernieWhite]

@majorku5anagi Thanks for asking the question.

In short, when PSRule processes Azure resources there is additional objects that may not be obvious. There is three entries for countryTag.Rule. It is the additional objects that are failing, and the storage account is passing.

To solve your problem you could set a pre-condition. The docs provides this example -Type 'Microsoft.Resources/resourceGroups' in this section:

# Synopsis: Resource Groups must have all mandatory tags defined.
Rule 'Org.Azure.RG.Tags' -Type 'Microsoft.Resources/resourceGroups' {
    $hasTags = $Assert.HasField($TargetObject, 'Tags')
    if (!$hasTags.Result) {
        return $hasTags
    }

    # <Code for custom tags goes here>
}

If you only wanted to target storage accounts you could use -Type 'Microsoft.Storage/storageAccounts', but I suspect that you want to target all resources that can be tagged so you could use -If { (SupportsTags) }. The SupportsTags function is a built-in function that only works in PowerShell rules. We will have a better solution in the future, but this is probably the best for that use case at the moment.

If this answers the question please let us and others know by marking as answered.

---

To explain this more, from the bicep snippet you have provided (thanks for that) there is three objects.

• The bicep file - For your case, you can ignore this object. Because the resources are automatically exported from it by setting AZURE_BICEP_FILE_EXPANSION to true, nothing further needs to be done with this object.
• The deployment - Effectively this is the deployment that would be created if you deployed the Bicep file to Azure. For your use case you can ignore this.
• The storage account - Where you want to check for tags. For your use case only target this.

[majorku5anagi]

Thanks @BernieWhite for the explanation! When I changed the .Rule.ps1 file with SupportsTags function like you've explained, checks are now looking good 👍 I made additional testing with purposeful deviations and it really worked as it detected them all. Screenshot of the result is below and I just wanted to ask you about the yellow WARN status on top why it is showing and how can I suppress it?

[BernieWhite]

@majorku5anagi Thanks for that and the screenshot updates. That should really help someone else with the same issue in the future.

To disable the warning configure the Execution.NotProcessedWarning option.

For example, you can do this in ps-rule.yaml by:

execution:
  notProcessedWarning: false

Other options on how to configure this are available in the docs.