Test policy test (#1396)

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Azure · Aug 1, 2023 · 43f540c · 43f540c
1 parent 5a5cd84
commit 43f540c
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 26 deletions.
diff --git a/.github/workflows/test-portal.yml b/.github/workflows/test-portal.yml
@@ -142,28 +142,55 @@ jobs:
           inlineScript: ./src/scripts/Invoke-ActionRunEslzArmDeployment.ps1
           azPSVersion: "latest"
 
+      - name: Install PowerShell modules
+        shell: pwsh
+        run: |
+          Install-Module -Name "Az" -RequiredVersion "10.1.0" -Force -Scope CurrentUser -ErrorAction Stop
+          Update-AzConfig -DisplayBreakingChangeWarning $false
+
       - name: Pester Test for Policies
-        uses: azure/powershell@v1
-        with:
-          inlineScript: |
-            Import-Module Pester -Force
-            $pesterConfiguration = @{
-              Run    = @{
-                Path = "tests/*.tests.ps1" 
-                PassThru  = $true
-              }
-              Output = @{
-                Verbosity = 'Detailed'
-                CIFormat = 'Auto'
-              }
+        shell: pwsh
+        run: |
+          Import-Module Pester -Force
+          $pesterConfiguration = @{
+            Run    = @{
+              Path = "tests/*.tests.ps1" 
+              PassThru  = $true
+            }
+            Output = @{
+              Verbosity = 'Detailed'
+              CIFormat = 'Auto'
             }
-            $result = Invoke-Pester -Configuration $pesterConfiguration
-            exit $result.FailedCount
-          azPSVersion: "10.1.0"
+          }
+          $result = Invoke-Pester -Configuration $pesterConfiguration
+          exit $result.FailedCount
         env:
           SUBSCRIPTION_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION1_ID }}
           SUBSCRIPTION2_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION2_ID }} #Used for policy tests that require a second subscription (e.g. cross subscription peering)
-          TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}          
+
+      # - name: Pester Test for Policies
+      #   uses: azure/powershell@v1
+      #   with:
+      #     inlineScript: |
+      #       Import-Module Pester -Force
+      #       $pesterConfiguration = @{
+      #         Run    = @{
+      #           Path = "tests/*.tests.ps1" 
+      #           PassThru  = $true
+      #         }
+      #         Output = @{
+      #           Verbosity = 'Detailed'
+      #           CIFormat = 'Auto'
+      #         }
+      #       }
+      #       $result = Invoke-Pester -Configuration $pesterConfiguration
+      #       exit $result.FailedCount
+      #     azPSVersion: "10.1.0"
+      #   env:
+      #     SUBSCRIPTION_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION1_ID }}
+      #     SUBSCRIPTION2_ID: ${{ secrets.AZURE_POLICY_SUBSCRIPTION2_ID }} #Used for policy tests that require a second subscription (e.g. cross subscription peering)
+      #     TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
 
       - name: Run eslzArm deployment (DESTROY)
         uses: azure/powershell@v1

diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet.json b/src/resources/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet.json
@@ -252,4 +252,4 @@
             }
         }
     }
-}
+}
diff --git a/tests/policy/Deny-AA-child-resources.Tests.ps1.TODO b/tests/policy/Deny-AA-child-resources.Tests.ps1.TODO
@@ -13,7 +13,8 @@ Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force
 
 #######################################################################################################################
 ##
-##  This test needs a lot of work, and I suspect the policy doesn't work as intended. This is not assigned by default.
+##  TODO: This test needs a lot of work, and I suspect the policy doesn't work as intended. 
+##  This is not assigned by default.
 ##
 #######################################################################################################################
 

diff --git a/tests/policy/Deny-MySql-http.Tests.ps1 b/tests/policy/Deny-MySql-http.Tests.ps1
@@ -48,10 +48,10 @@ Describe "Testing policy 'Deny-MySql-http'" -Tag "deny-mysql-http" {
 
                 $random = GenerateRandomString -Length 13
                 $password = GeneratePasswordString -Length 20  | ConvertTo-Securestring -AsPlainText -Force
-                $name = "mysql-$Random" 
+                $name = "mysql-$random" 
 
                 {
-                    New-AzMySqlServer -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AdministratorUserName mysql_test -AdministratorLoginPassword $password -SslEnforcement Disabled -MinimalTlsVersion 'TLS1_2' -Sku GP_Gen5_2
+                    New-AzMySqlServer -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AdministratorUserName mysql_test -AdministratorLoginPassword $password -SslEnforcement 'Disabled' -MinimalTlsVersion 'TLS1_2' -Sku GP_Gen5_2
 
                 } | Should -Throw "*disallowed by policy*"
             }
@@ -63,10 +63,10 @@ Describe "Testing policy 'Deny-MySql-http'" -Tag "deny-mysql-http" {
 
                 $random = GenerateRandomString -Length 13
                 $password = GeneratePasswordString -Length 20  | ConvertTo-Securestring -AsPlainText -Force
-                $name = "mysql-$Random" 
+                $name = "mysql-$random" 
 
                 {
-                    New-AzMySqlServer -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AdministratorUserName mysql_test -AdministratorLoginPassword $password -SslEnforcement 'Enabled' -MinimalTlsVersion 'TLS1_1' -Sku GP_Gen5_2
+                    New-AzMySqlServer -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AdministratorUserName mysql_test -AdministratorLoginPassword $password -SslEnforcement 'Enabled' -MinimalTlsVersion 'TLS1_0' -Sku GP_Gen5_2
 
                 } | Should -Throw "*disallowed by policy*"
             }
@@ -78,7 +78,7 @@ Describe "Testing policy 'Deny-MySql-http'" -Tag "deny-mysql-http" {
 
                 $random = GenerateRandomString -Length 13
                 $password = GeneratePasswordString -Length 20  | ConvertTo-Securestring -AsPlainText -Force
-                $name = "mysql-$Random" 
+                $name = "mysql-$random" 
 
                 {
                     New-AzMySqlServer -Name $name -ResourceGroupName $ResourceGroup.ResourceGroupName -Location "uksouth" -AdministratorUserName mysql_test -AdministratorLoginPassword $password -SslEnforcement 'Enabled' -MinimalTlsVersion 'TLS1_2' -Sku GP_Gen5_2

diff --git a/tests/policy/Deny-Redis-http.Tests.ps1.TODO b/tests/policy/Deny-Redis-http.Tests.ps1.TODO
@@ -11,6 +11,12 @@ Import-Module "$($PSScriptRoot)/../../tests/utils/Rest.Utils.psm1" -Force
 Import-Module "$($PSScriptRoot)/../../tests/utils/Test.Utils.psm1" -Force
 Import-Module "$($PSScriptRoot)/../../tests/utils/Generic.Utils.psm1" -Force
 
+#######################################################################################################################
+##
+##  TODO: This test is redundant, as the append policies for this resource fire before the deny logic resulting in a conflicting action.
+##
+#######################################################################################################################
+
 Describe "Testing policy 'Deny-Redis-http'" -Tag "deny-redis-http" {
 
     BeforeAll {