Using PSRule for platform policy testing?

[userwizz]

Hello,

We should build a test setup and tests for policy testing. I quickly tried "policy as rules" feature and managed to export assignments/policies and with that export then generated rules. For developers who are deploying resources to Azure these policy rules are nice way check that their deployment/resources are not violating any policies. But in our case we have a bit different angle - we are not deploying Azure resources but setting/building policies to platform and we should be able to verify that correct policies are in place and e.g. that certain things are not allowed.

Do you have any idea how we could utilize PSRule for this kind of policy testing? One option might be following:

1. use "policy as rules" feature to export polices and generate rules.
2. define dummy Azure test resources (e.g.bicep definitions) and implement these test resources to violate certain, known, policies
3. run PSRule and check that certain policy checks/rules are failing.

I just don't know is there a smart way to do this kind of "negative" testing meaning run PSRule and expect/verify that certain rules/tests fails? And of course the bigger question here is that is there a smarter way to do platform policy testing?

BR,
-Wizz

[BernieWhite]

@userwizz great question, @anwather has does some exploring of this concept in a blog post over here combined with Enterprise Policy as Code (EPAC).

Some key points are called out in Limitations, mainly policies that check runtime states or states that query data plane properties aren't supported.

---

Today, PSRule doesn't have a "this rule should fail" concept. But as we continue to improve testability of rules then it makes sense to add this concept, although it is not on the current roadmap, if there is community contributor that is interested in adding this functionality then we can work together to get it incorporated into PSRule.

Examples of positive/ negative testing can be found in the PSRule for Azure code base, since we do that for each rule. Examples are in Pester here and similar files with a .Tests.ps1 suffix: https://github.com/Azure/PSRule.Rules.Azure/blob/main/tests/PSRule.Rules.Azure.Tests/Azure.ACR.Tests.ps1

When calling Invoke-PSRule you will get the output as an object and can make sure that intended rules Pass/ Fail based on resources.

---

In terms of are there any other options? Today most testing of policy outside of general linting, relies on testing resources deployed to Azure using compliance states usually with PowerShell and Pester. But maybe @anwather has some additional thoughts here.

---

I hope that helps get you started. But I'm interested in hearing if there is specific features that would make this easier in the future.