How to dynamically exclude PSRule rules based on environment (DEV, QA, PROD)?

[mikkelh-SDU]

Hi all, this might be a silly question

We have a use case where we want to apply different PSRule exclusions depending on the environment (e.g., DEV, QA, PROD). For example, in our DEV environment, we want to exclude rules like 'Azure.AppService.MinPlan', which we do want enforced in PROD.

Currently, I extract the environment name from the .bicepparam file like this:

# Extract environment name from bicepparam file
$bicepParamFile = Get-Item "$FolderToTest/infra/main.bicepparam" -ErrorAction SilentlyContinue
$environmentName = "dev" # Default fallback

if ($bicepParamFile) {
    $bicepParamContent = Get-Content -Path $bicepParamFile.FullName -Raw
    if ($bicepParamContent -match "param\s+environmentName\s+=\s+readEnvironmentVariable\(['\`"]AZURE_ENV_NAME['\`"],\s*['\`"]([^'\`"]+)['\`"]\)") {
        $environmentName = $Matches[1]
    } elseif ($bicepParamContent -match "param\s+environmentName\s+=\s+['\`"]([^'\`"]+)['\`"]") {
        $environmentName = $Matches[1]
    }
}

Write-Host "Using environment: $environmentName"

Then I dynamically build the list of rules to exclude based on the environment:

# Define rules to exclude based on environment
$devRulesToExclude = @(
    'Azure.Storage.UseReplication',
    'Azure.FrontDoorWAF.RuleGroups',
    'Azure.ACR.MinSku',
    'Azure.AppService.MinPlan',
    'Azure.AppService.PlanInstanceCount',
    'Azure.AppService.AvailabilityZone',
    'Azure.KeyVault.PurgeProtect',
    'Azure.APIM.ProductApproval',
    'Azure.APIM.MultiRegion',
    'Azure.APIM.EncryptValues',
    'Azure.APIM.AvailabilityZone',
    'Local.YAML.KeyVault.enablePurgeProtection'
)

$qaRulesToExclude = @(
    'Azure.APIM.MultiRegion',
    'Azure.APIM.AvailabilityZone'
)

$prodRulesToExclude = @(
    # Very limited exceptions for production
)

# Choose rules based on environment
$rulesToExclude = switch ($environmentName.ToLower()) {
    'dev' { $devRulesToExclude }
    'qa'  { $qaRulesToExclude }
    'prod' { $prodRulesToExclude }
    default { @() }
}

# Add default exclusions that apply to all environments
$rulesToExclude += @(
    'Azure.Deployment.SecureParameter',
    'Azure.Log.Replication'
)

# Load the ps-rule.yaml file
$psRuleConfig = Get-Content -Path $optionsFile.FullName -Raw | ConvertFrom-Yaml

# Update the rule exclusions
$psRuleConfig.rule.exclude = $rulesToExclude

# Save the updated ps-rule.yaml to a temporary file
$tempOptionsFile = Join-Path $env:TEMP "ps-rule-$environmentName.yaml"
$psRuleConfig | ConvertTo-Yaml -OutFile $tempOptionsFile -Force

Write-Host "Created environment-specific PS-Rule config at $tempOptionsFile"

This works, but it feels a bit clunky. Is there a more elegant or built-in way in PSRule to handle environment-specific rule exclusions—perhaps by referencing parameters from the Bicep or .bicepparam files directly, or by using profiles or conditions?

Any best practices or suggestions would be appreciated!

[BernieWhite]

Hi @mikkelh-SDU, yes there is a few options you could use. Based on your provided sample code, these would probably be the most applicable:

• Suppression groups - Allows you to dynamically suppress rule based on the resource.
• Use separate option files - Configure different option files for different environments with exclusions.

For suppression groups, they work well when resources already use a naming or tagging convention, for example:

• Suppress rules for resources with the tag env = dev. See https://github.com/Azure/PSRule.Rules.Azure/blob/main/samples/suppression/SuppressGeoReplicationInDev/README.md
• Suppress rule for resource based on a naming convention. See https://azure.github.io/PSRule.Rules.Azure/customization/permit-outbound-management/
• Suppress within a file structure or separately named parameter files, see https://github.com/Azure/bicep-registry-modules/blob/1e35852d4086cdf73bdeb60d1959aa56c0871b2a/utilities/pipelines/staticValidation/psrule/.ps-rule/na-suppress.Rule.yaml#L33-L44

For separate option files, it's as easy as creating two option files and setting the rule.exclude option, for example:

• ps-rule.yaml default option files configure the production.
• ps-rule-dev.yaml exclusions for dev environments.

When you run PSRule you can specify the option file by -Option for PowerShell on Invoke-PSRule or Assert-PSRule. In GitHub or Azure Pipelines there is a option: parameter that allows you to specify the option file.

Alternatively, you could also do the following, but it might add some additional complexity when authoring locally or running pipelines:

• Dynamically build the options object using the New-PSRuleOption cmdlet in PowerShell. See: https://microsoft.github.io/PSRule/v2/commands/PSRule/en-US/New-PSRuleOption/, here is an example: https://github.com/Azure/PSRule.Rules.Azure/blob/06881700d1547ba4d0bc86a4eff190c990cb4e8e/tests/PSRule.Rules.Azure.Tests/Azure.Group.Tests.ps1#L36-L63
• Define and use separate baselines for each environment. See: https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Baseline/, https://azure.github.io/PSRule.Rules.Azure/working-with-baselines/

[mikkelh-SDU]

uppression groups, they work well when resources already us

Thanks for the quick reply!

I went with a solution where I just state the rules I want to ignore in my script like so:

# Extract environment name from bicepparam file
$bicepParamFile = Get-Item "$FolderToTest/infra/main.bicepparam" -ErrorAction SilentlyContinue
$environmentName = "dev" # Default fallback

if ($bicepParamFile) {
    $bicepParamContent = Get-Content -Path $bicepParamFile.FullName -Raw
    if ($bicepParamContent -match "param\s+environmentName\s+=\s+readEnvironmentVariable\(['\`"]AZURE_ENV_NAME['\`"],\s*['\`"]([^'\`"]+)['\`"]\)") {
        $environmentName = $Matches[1]
    } elseif ($bicepParamContent -match "param\s+environmentName\s+=\s+['\`"]([^'\`"]+)['\`"]") {
        $environmentName = $Matches[1]
    }
}

$qaRulesToExclude = @(
    'Azure.APIM.MultiRegion',
    'Azure.APIM.AvailabilityZone'
)

# Choose rules based on environment
$rulesToExclude = switch ($environmentName.ToLower()) {
    'dev' { $devRulesToExclude }
    'qa'  { $qaRulesToExclude }
    'prod' { $prodRulesToExclude }
    default { @() }
}

$splat = @{
    InputPath = $FolderToTest.FullName
    Option = @{
        # Load base options from file
        'path' = $optionsFile.FullName
        # Override only the rule exclusions
        'rule.exclude' = $rulesToExclude
    }
    Path = $rulesFolder.FullName
}

[BernieWhite]

The main problem with adding the custom scripting is that it is hard to keep a constant experience between CI tests and a fast cycle time by running tests locally.

Is there anything that would make this a better solution in the future?