feat: child modules telemetry check #4370
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- referenced child modules should have the telemetry disabled
microsoft-github-policy-service
bot
added
Needs: Triage 🔍
AlexanderSehr
requested changes
Feb 3, 2025
| # We only care about module templates | ||
| (Split-Path $involvedFilePath -Leaf) -eq 'main.bicep' -and | ||
| # only return child modules | ||
| (Test-Path -Path (Join-Path (Split-Path $involvedFilePath) 'version.json') -PathType Leaf) |
There was a problem hiding this comment.
Either I recommend to rename the variable or remove this line, as a child module does not need a version.json file (as per its current definition).
AlexanderSehr
requested changes
Feb 4, 2025
utilities/pipelines/staticValidation/compliance/module.tests.ps1
Outdated
Show resolved
Hide resolved
| return | ||
| } | ||
|
|
||
| $modulesWithChildReferences | ForEach-Object { |
There was a problem hiding this comment.
Test should be written in a way where you collect all incorrect cases first, and then fail for that list not being empty. Otherwise, this test will fail on the very first incorrect case, and if you have more than one, you won't know until you fix the first, run the test again, and so on and so forth.
You can see this approach being implemented for other tests like
| @@ -992,6 +1001,52 @@ Describe 'Module tests' -Tag 'Module' { | |||
| $telemetryDeploymentName = $telemetryDeployment.name # The AVM telemetry prefix | |||
| $telemetryDeploymentName | Should -Match "$expectedTelemetryIdentifier" | |||
| } | |||
|
|
|||
| It '[<moduleFolderName>] Telemetry should be disabled for child modules.' -TestCases ($moduleFolderTestCases | Where-Object { $_.isTopLevelModule }) { | |||
There was a problem hiding this comment.
Would recommend to simplify this to
It '[<moduleFolderName>] Telemetry should be disabled for referenced modules with dedicated telemetry.' -TestCases $moduleFolderTestCases {
param(
[hashtable] $templateFileContent
)
$referencesWithTelemetry = @()
$templateFileContent.resources.Keys | ForEach-Object {
$elem = $templateFileContent.resources[$_]
if ($elem.type -eq 'Microsoft.Resources/deployments' -and $elem.properties.template.parameters.Keys -contains 'enableTelemetry') {
$elem['bicepRef'] = $_
$referencesWithTelemetry += $elem
}
}
if ($referencesWithTelemetry.Count -eq 0) {
Set-ItResult -Skipped -Because 'no modules with dedicated telemetry are deployed.'
return
}
# Analyze
$incorrectReferences = @()
foreach ($reference in $referencesWithTelemetry) {
if ($reference.properties.parameters.Keys -notContains 'enableTelemetry' -or $reference.properties.parameters.enableTelemetry.value -ne "[variables('enableReferencedModuleTelemetry')]") {
$incorrectReferences += $reference.bicepRef
}
}
$incorrectReferences | Should -BeNullOrEmpty -Because ('module deployments that implement their own telemetry should pass `enableTelemetry: enableReferencedModuleTelemetry` to the referenced module. Found incorrect items: [{0}].' -f ($incorrectReferences -join ', '))
}It does not rely on any function analyzing the repo and is purely using the compiled Bicep template to decide which references are relevant for testing
There was a problem hiding this comment.
Result would look like
[-] [key-vault/vault] Telemetry should be disabled for referenced modules with dedicated telemetry. 11ms (10ms|1ms)
Expected $null or empty, because module deployments that implement their own telemetry should pass `enableTelemetry: enableReferencedModuleTelemetry` to the referenced module. Found incorrect items: [keyVault_secrets, keyVault_privateEndpoints]., but got @('keyVault_secrets', 'keyVault_privateEndpoints').
at $incorrectReferences | Should -BeNullOrEmpty -Because ('module deployments that implement their own telemetry should pass `enableTelemetry: enableReferencedModuleTelemetry` to the referenced module. Found incorrect items: [{0}].' -f ($incorrectReferences -join ', ')), C:\dev\ip\bicep-registry-modules\Upstream-Azure\utilities\pipelines\staticValidation\compliance\module.tests.ps1:620
at <ScriptBlock>, C:\dev\ip\bicep-registry-modules\Upstream-Azure\utilities\pipelines\staticValidation\compliance\module.tests.ps1:620
There was a problem hiding this comment.
I recommend also adding the following test for variables
It '[<moduleFolderName>] Variable `var enableReferencedModulesTelemetry = false` should exist if module references other modules with dedicated telemetry.' -TestCases $moduleFolderTestCases {
param(
[hashtable] $templateFileContent
)
$referencesWithTelemetry = $templateFileContent.resources.Values | Where-Object {
$_.type -eq 'Microsoft.Resources/deployments' -and
$_.properties.template.parameters.Keys -contains 'enableTelemetry'
}
if ($referencesWithTelemetry.Count -eq 0) {
Set-ItResult -Skipped -Because 'no modules with dedicated telemetry are deployed.'
return
}
$templateFileContent.variables.Keys | Should -Contain 'enableReferencedModulesTelemetry'
$templateFileContent.variables.enableReferencedModulesTelemetry | Should -Be $false
}There was a problem hiding this comment.
Result would look like
[-] [key-vault/vault] Variable
ar enableReferencedModulesTelemetry = false should exist if module references other modules with dedicated telemetry. 26ms (17ms|8ms)
Expected 'enableReferencedModulesTelemetry' to be found in collection @('copy', 'enableReferencedModuleTelemetry', 'builtInRoleNames'), but it was not found.
at $templateFileContent.variables.Keys | Should -Contain 'enableReferencedModulesTelemetry', C:\dev\ip\bicep-registry-modules\Upstream-Azure\utilities\pipelines\staticValidation\compliance\module.tests.ps1:586
at <ScriptBlock>, C:\dev\ip\bicep-registry-modules\Upstream-Azure\utilities\pipelines\staticValidation\compliance\module.tests.ps1:586
[-] [key-vault/vault] Telemetry should be disabled for referenced modules with dedicated telemetry. 11ms (10ms|1ms)
Co-authored-by: Alexander Sehr <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Child modules should be references with telemetry disabled.
Pipeline Reference
Type of Change
version.json:version.json.version.json.Checklist
Set-AVMModulelocally to generate the supporting module files.