One of the fundamental ideas of DevOps is to combine the best practices from the infrastructure and development worlds, to learn from each other. This means applying the concept of testing to our Infrastructure As Code (Bicep, Arm, etc). However, it can sometimes be tricky to know where to start and what tools are available to you. This blog post will be a part of a series of posts that will show you how to start, what tools to use and why.
Testing Infrastructure As Code (IAC)
Before getting into the tooling and principles, let's start with why should I test my IAC. It does require some setup and a CICD pipeline (Github actions or Azure DevOps pipelines, etc) so why should I bother?
Writing IAC templates can be complicated and we're all human. What if there's a typo, an incorrectly formatted JSON or Bicep module? These templates are meant to be shared out and reusable, so if there's a bad change merged in, the impact could be widespread. There's a lot of talk about shifting to the left - not leaving testing to the very end of the process, just before deployment, but making it part of the development process earlier. This is a great example of this saying. We can move testing and validation on the IAC template and how they're consumed into our pipeline checks so anyone developing new templates or leveraging the existing templates get additional validation and feedback. This can increase the success rate and ease of using IAC. Consider the perspective of a consumer of these IAC templates. They didn't write them and this might be their first time using an IAC template. When you're using trying to use the IAC templates, getting feedback, examples, and validation can help provide guidance and support to ensure that they're successful.
There are a few different levels to testing IAC templates, the below table explains the levels:
For IAC templates to work, they need to be valid. This could be as simple as checking the JSON structure for an ARM template and Parameter file. Or running thebicep buildcommand to verify the bicep modules can correctly render into an ARM template.
- Bicep: Usebicep buildon all.bicepfiles in the repository (find the files and do a foreach loop). - ARM: Validate the ARM template and Parameter file is valid JSON.
Compare against the Well Architected Framework (WAF)
Validates that IAC templates pass the standards outlined in the WAF. This enables organisations to analyze their templates for best practices against the 5 WAF pillars (cost, security, reliability, operational excellence, and performance). These findings can help to improve the quality of your IAC templates and help detect security or reliability risks before they're implemented (by testing on the left (in the pipeline)).
Each organisation has a different set of recommendations and standards. However, it can be challenging to enforce these standards. For the most part, these standards are either enforced in the IAC template or just documented. What if there was a tool that allows you to create rules to help enforce these standards (for free?!)
In this blog post, we're going to focus on usingPSRule for Azure. A different blog post will be written in the future forPSRule, however for more information, please use the link provided below.
PSRule For Azure - (Intermediate)
So we now know that PSRule for Azure can verify our IAC templates against best practices. But what is it scanning for? Well, it includes over 260 rules that it evaluates. For a list of what is evaluatedclick here.
Finally, let's dive into how to use this tool locally!
The following platforms are supported:
Windows PowerShell 5.1 with .NET Framework 4.7.2 or greater.
PowerShell 7.2 or greater on macOS, Linux, and Windows.
Step 1 - Installation
PSRule for Azure can be installed locally by running the following commands in a PowerShell terminal:
To install PSRule for Azure for the current user use:
Tip:The benefit of publishing the PsRule results to Azure Monitor is that you can build a workbook to visualise how your IAC template comply against WAF best practices and monitor improvements over time!