GH Workflow update for Policy Testing (#1538)

Azure · Jan 26, 2024 · ea3724f · ea3724f
1 parent cb1b176
commit ea3724f
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 18 deletions.
diff --git a/.github/actions-pester/PTF-TestPolicies.ps1 b/.github/actions-pester/PTF-TestPolicies.ps1
@@ -0,0 +1,63 @@
+Import-Module -Name $PSScriptRoot\PolicyPesterTestHelper.psm1 -Force -Verbose
+Import-Module Pester -Force
+
+function RunPester
+{
+    param (
+        [Parameter()]
+        [String]$PolicyTest
+    )
+
+    $pesterConfiguration = @{
+    Run    = @{
+        Container = New-PesterContainer -Path $PolicyTest
+        PassThru  = $true
+    }
+    Output = @{
+        Verbosity = 'Detailed'
+        CIFormat = 'Auto'
+    }
+    }
+    $result = Invoke-Pester -Configuration $pesterConfiguration
+    #exit $result.FailedCount
+}
+
+$ModifiedFiles = @(Get-PolicyFiles -DiffFilter "M")
+if ([String]::IsNullOrEmpty($ModifiedFiles))
+{
+    Write-Warning "These are the modified policies: $($ModifiedFiles)"
+}
+else
+{
+    Write-Warning "There are no modified policies"
+}
+
+$AddedFiles = @(Get-PolicyFiles -DiffFilter "A")
+if ([String]::IsNullOrEmpty($AddedFiles))
+{
+    Write-Warning "These are the added policies: $($AddedFiles)"
+}
+else
+{
+    Write-Warning "There are no added policies"
+}
+
+$ModifiedAddedFiles = $ModifiedFiles + $AddedFiles
+
+$ModifiedAddedFiles | ForEach-Object {
+
+    $PolicyFile = Split-Path $_ -Leaf
+    $PolicyFileClean = $PolicyFile -replace ".json", ""
+
+    $testPath = "tests/policy/$($PolicyFileClean).Tests.ps1"
+
+    if (Test-Path $testPath)
+    {
+        Write-Warning "Running pester tests on $PolicyFileClean"
+        RunPester($testPath)
+    }
+    else
+    {
+        Write-Warning "There are no tests for $PolicyFileClean"
+    }
+}
diff --git a/.github/workflows/test-portal.yml b/.github/workflows/test-portal.yml
@@ -25,6 +25,8 @@ env:
   GITHUB_PR_ID: ${{ github.event.pull_request.id }}
   TEMP_SUBSCRIPTIONS_JSON_PATH: "./src/data/subscriptions.json"
   TEMP_DEPLOYMENT_OBJECT_PATH: "./src/data/eslzArm.test.deployment.json"
+  POLICY_DIR: "src/resources/Microsoft.Authorization/policyDefinitions"
+  POLICYSET_DIR: "src/resources/Microsoft.Authorization/policySetDefinitions"  
 
 permissions:
   contents: read
@@ -149,21 +151,11 @@ jobs:
           Update-AzConfig -DisplayBreakingChangeWarning $false
 
       - name: Pester Test for Policies
-        shell: pwsh
-        run: |
-          Import-Module Pester -Force
-          $pesterConfiguration = @{
-            Run    = @{
-              Path = "tests/*.tests.ps1" 
-              PassThru  = $true
-            }
-            Output = @{
-              Verbosity = 'Detailed'
-              CIFormat = 'Auto'
-            }
-          }
-          $result = Invoke-Pester -Configuration $pesterConfiguration
-          exit $result.FailedCount
+        uses: azure/powershell@v1
+        with:
+          inlineScript: |
+            ./.github/actions-pester/PTF-TestPolicies.ps1
+          azPSVersion: "latest"
         env:
           SUBSCRIPTION_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION1_ID }}
           SUBSCRIPTION2_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION2_ID }} #Used for policy tests that require a second subscription (e.g. cross subscription peering)

diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
@@ -49,6 +49,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 - Bug fix for Portal Accelerator, removing region restrictions for VPN Gateways when deploying regional (not AZ).
 - Bug fix for Portal Accelerator deployment when deploying using a single platform subscription. Previously, a single tenant deployment would have three failed deployments for diagnostic settings which were looking for non-existent management groups (Management, Identity and Connectivity). This has been fixed and the deployment will now succeed.
 - Added drop down selection option for Azure Private Link Private DNS Zones as part of portal based ALZ deployment experience where you can select to deploy or not to deploy a subset of Private Link Private DNS zones.
+- Updated ALZ policy testing framework on pull request to only test new or changed policies, drastically speeding up the testing process.
 
 ### December 2023
 

diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet.json
@@ -7,9 +7,9 @@
         "policyType": "Custom",
         "mode": "All",
         "displayName": "Management port access from the Internet should be blocked",
-        "description": "This policy denies any network security rule that allows management port access from the Internet",
+        "description": "This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.",
         "metadata": {
-            "version": "2.1.0",
+            "version": "2.1.1",
             "category": "Network",
             "source": "https://github.com/Azure/Enterprise-Scale/",
             "replacesPolicy": "Deny-RDP-From-Internet",
@@ -252,4 +252,4 @@
             }
         }
     }
-}
+}