[CI Environment] Add scheduled workflow to validate PSRule pre-flight checks on the whole library

.github/workflows/platform.librarycheck.psrule.yml

@@ -0,0 +1,109 @@
+name: '.Platform: Library PSRule pre-flight validation'
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 12 * * 0' # Weekly Sunday Analysis
+
+env:
+  variablesPath: 'settings.yml'
+  modulesPath: 'modules'
+  TOKEN_NAMEPREFIX: '${{ secrets.TOKEN_NAMEPREFIX }}'
+
+jobs:
+  psrule:
+    name: PSRule
+    runs-on: ubuntu-20.04
+    steps:
+      # Analyze module library with PSRule
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set environment variables
+        uses: ./.github/actions/templates/setEnvironmentVariables
+        with:
+          variablesPath: ${{ env.variablesPath }}
+      - name: 'Replace tokens in template file'
+        uses: azure/powershell@v1
+        with:
+          azPSVersion: 'latest'
+          inlineScript: |
+            # Grouping task logs
+            Write-Output '::group::Replace tokens in template file'
+
+            # Load used functions
+            . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFileList.ps1')
+
+            # Populate tokens
+            $Tokens = @{
+              subscriptionId    = '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+              managementGroupId = '${{ secrets.ARM_MGMTGROUP_ID }}'
+              tenantId          = '${{ env.ARM_TENANT_ID }}'
+            }
+
+            ## Add local (source control) tokens
+            $tokenMap = @{}
+            foreach ($token in (Get-ChildItem env: | Where-Object -Property Name -Like "localToken_*")) {
+              $tokenMap += @{ $token.Name.Replace('localToken_','','OrdinalIgnoreCase') = $token.value }
+            }
+            Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose
+            $Tokens += $tokenMap
+
+            ## Swap 'namePrefix' token if empty and provided as a GitHub secret
+            if([String]::IsNullOrEmpty($Tokens['namePrefix'])){
+              Write-Verbose 'Using [namePrefix] token from GitHub' -Verbose
+              $Tokens['namePrefix'] = '${{ env.TOKEN_NAMEPREFIX }}'
+            }
+
+            # Get File Path List
+            $modulesFolderPath = Join-Path $env:GITHUB_WORKSPACE '${{ env.modulesPath }}'
+            $moduleTestFiles = [System.Collections.ArrayList]@()
+            $moduleTestFiles += Get-ChildItem -Path $env:GITHUB_WORKSPACE -Filter *.test.bicep -Recurse -Force -Name
+
+            # Construct Token Function Input
+            $ConvertTokensInputs = @{
+              FilePathList = $moduleTestFiles
+              Tokens       = $Tokens
+              TokenPrefix  = '${{ env.tokenPrefix }}'
+              TokenSuffix  = '${{ env.tokenSuffix }}'
+            }
+
+            Write-Verbose "Convert Tokens Input:`n $($ConvertTokensInputs | ConvertTo-Json -Depth 10)" -Verbose
+
+            # Invoke Token Replacement Functionality [For Module]
+            $null = Convert-TokensInFileList @ConvertTokensInputs -verbose
+
+            Write-Output '::endgroup::'
+      - name: Run PSRule analysis
+        uses: microsoft/[email protected]
+        continue-on-error: true # Setting this whilst PSRule gets bedded in, in this project
+        with:
+          modules: 'PSRule.Rules.Azure'
+          inputPath: '${{ env.modulesPath }}/'
+          outputFormat: Csv
+          outputPath: '${{ env.modulesPath }}/PSRule-output.csv'
+      - name: 'Parse CSV content'
+        uses: azure/powershell@v1
+        with:
+          azPSVersion: 'latest'
+          inlineScript: |
+            # Grouping task logs
+            Write-Output '::group::Parse CSV content'
+
+            # Load used functions
+            . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'PSRuleValidation' 'Set-PSRuleGitHubOutput.ps1')
+
+            # Populate parameter input
+            $ParameterInput = @{
+              inputFilePath           = '${{ env.modulesPath }}/PSRule-output.csv'
+              outputFilePath          = '${{ env.modulesPath }}/PSRule-output.md'
+              skipPassedRulesReport   = $true
+            }
+
+            # Invoke function
+            $null = Set-PSRuleGitHubOutput @ParameterInput
+
+            Write-Output '::endgroup::'
+      - name: Output to GitHub job summaries
+        if: always()
+        shell: pwsh
+        run: Get-Content '${{ env.modulesPath }}/PSRule-output.md' >> $env:GITHUB_STEP_SUMMARY

.ps-rule/dep-suppress.Rule.yaml

@@ -0,0 +1,13 @@
+---
+# Synopsis: Suppress Rules for dependencies
+apiVersion: github.com/microsoft/PSRule/v1
+kind: SuppressionGroup
+metadata:
+  name: 'SuppressDependency'
+spec:
+  if:
+    name: '.'
+    startsWith:
+      - 'dep'
+      - 'ms.'
+      - 'privatelink.'

.ps-rule/min-suppress.Rule.yaml

@@ -0,0 +1,15 @@
+---
+# Synopsis: Suppress Rules for min tests
+apiVersion: github.com/microsoft/PSRule/v1
+kind: SuppressionGroup
+metadata:
+  name: 'SuppressMin'
+spec:
+  rule:
+   - Azure.Resource.UseTags
+   - Azure.KeyVault.Logs
+  if:
+    name: '.'
+    contains:
+      - 'min'
+

docs/wiki/The CI environment - Pipeline design.md

@@ -11,6 +11,7 @@ This section provides an overview of the design principles applied to the CARML
 - [Platform pipelines](#platform-pipelines)
   - [ReadMe pipeline](#readme-pipeline)
   - [Wiki pipeline](#wiki-pipeline)
+  - [PSRule Pre-Flight validation pipeline](#psrule-pre-flight-validation-pipeline)
 
 ---
 
@@ -105,6 +106,7 @@ In addition to module pipelines, the repository includes several platform pipeli
 
 - [ReadMe pipeline](#readme-pipeline)
 - [Wiki pipeline](#wiki-pipeline)
+- [PSRule Pre-Flight validation pipeline](#psrule-pre-flight-validation-pipeline)
 
 ## ReadMe pipeline
 
@@ -121,3 +123,48 @@ Once triggered, the pipeline crawls through the library and updates the tables i
 The purpose of the wiki pipeline is to sync any files from the `docs/wiki` folder to the wiki repository. It is triggered each time changes are pushed to the `main` branch and only if files in the `docs/wiki` folder are altered.
 
 > **Note:** Any changes performed directly on the wiki via the UI will be overwritten by this pipeline.
+
+## PSRule Pre-Flight validation pipeline
+
+The purpose of the PSRule Pre-Flight validation pipeline is to validate Azure resources deployed by module validation pipeline tests, by leveraging [PSRule for Azure](https://azure.github.io/PSRule.Rules.Azure/about/).
+PSRule for Azure is aligned to the [Well-Architected Framework (WAF)](https://learn.microsoft.com/en-us/azure/architecture/framework/). Tests, called _Rules_, check the configuration of Azure resources against WAF principles.
+
+The pipeline, currently only available as a [GitHub workflow](https://github.com/Azure/ResourceModules/blob/main/.github/workflows/platform.librarycheck.psrule.yml), runs weekly on the whole library, providing as output the list of non-compliant resources and corresponding failing rules, if any.
+
+### Configuration settings
+
+PSRule options set for the CARML repository are configured in the [ps-rule.yaml](https://github.com/Azure/ResourceModules/blob/main/ps-rule.yaml) file.
+
+Documentation for all configuration options is available at the following links:
+- https://aka.ms/ps-rule/options
+- https://aka.ms/ps-rule-azure/options
+
+### Baselines
+
+A [baseline](https://azure.github.io/PSRule.Rules.Azure/working-with-baselines/) is a standard PSRule artifact that combines rules and configuration. The PSRule Pre-Flight validation pipeline uses the default baseline to analyze module test resources.
+
+For the list of all rules included see [Azure.Default baseline](https://azure.github.io/PSRule.Rules.Azure/en/baselines/Azure.Default/).
+To view a list of rules by Azure resources see [Rules by resource](https://azure.github.io/PSRule.Rules.Azure/en/rules/resource/).
+
+### Exclusions and suppression rules
+
+Not all baseline rules may be valid for some of the test Azure resources deployed by the module validation pipelines.
+
+For example, resources deployed by the min tests, aim to validate only the required input parameters for each module.
+Therefore, optional features such as diagnostic settings are not configured in those tests. Since enabling logging is a general recommendation for most of the resources supporting them, missing diagnostic settings usually trigger incopliance of PSRule checks, e.g., [Azure.KeyVault.Logs](https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.KeyVault.Logs/). For this reason, these checks are excluded from being evaluated for resources deployed by min tests.
+
+PSRule allows skipping rules on two levels:
+
+- **Exclusions**: Can be leveraged to exclude specific baseline rules from being evaluated for any resource.
+   - [ps-rule.yaml](https://github.com/Azure/ResourceModules/blob/main/ps-rule.yaml): Lists the name of specific rules to exclude under the option [Rule.Exclude](https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_Options/#ruleexclude)
+- **Suppression Groups**: PSRule can use [Suppression Groups](https://microsoft.github.io/PSRule/v2/concepts/PSRule/en-US/about_PSRule_SuppressionGroups/) to suppress rules based on a condition. Suppression groups can be leveraged when some of the rules in the baseline are not relevant under specific conditions, e.g., only for specific resources. They are stored in the `.ps-rule` repo root folder in `.yaml` format. In particular:
+   - [.ps-rule\dep-suppress.Rule.yaml](https://github.com/Azure/ResourceModules/blob/main/.ps-rule/dep-suppress.Rule.yaml): Lists rules to be ignored for resources deployed as dependencies
+   - [.ps-rule\min-suppress.Rule.yaml](https://github.com/Azure/ResourceModules/blob/main/.ps-rule/min-suppress.Rule.yaml): Lists rules to be ignored for resources deployed by the min tests
+
+### Output
+
+To better outline failed rules and allow fixing incompliant resources quickly, the pipeline leverages the script [utilities\pipelines\PSRuleValidation\Set-PSRuleGitHubOutput.ps1](https://github.com/Azure/ResourceModules/blob/main/utilities/pipelines/PSRuleValidation/Set-PSRuleGitHubOutput.ps1) to aggregate PSRule output into Custom Markdown content and display it to the Actions run summary page.
+
+<img src="./media/CIEnvironment/PSRuleSummary.png" alt="PSRule Summary">
+
+

ps-rule.yaml

@@ -0,0 +1,56 @@
+#
+# PSRule for Azure configuration
+#
+
+# Please see the documentation for all configuration options:
+# https://aka.ms/ps-rule/options
+# https://aka.ms/ps-rule-azure/options
+
+# Configure binding for local rules.
+binding:
+  preferTargetInfo: true
+  targetType:
+    - type
+    - resourceType
+
+# Require minimum versions of modules.
+requires:
+  PSRule: '@pre >=2.4.0'
+  PSRule.Rules.Azure: '@pre >=1.19.2'
+
+# Use PSRule for Azure.
+include:
+  module:
+    - PSRule.Rules.Azure
+
+execution:
+  suppressedRuleWarning: false
+  notProcessedWarning: false
+
+output:
+  culture:
+    - 'en-US'
+
+input:
+  pathIgnore:
+    # Ignore other files in the repository.
+    - '**/*'
+    # Do not ignore tests.
+    - '!modules/**/*.test.bicep'
+
+configuration:
+  # Enable automatic expansion of Azure parameter files.
+  AZURE_PARAMETER_FILE_EXPANSION: false
+
+  # Enable automatic expansion of Azure Bicep source files.
+  AZURE_BICEP_FILE_EXPANSION: true
+
+  # Configures the number of seconds to wait for build Bicep files.
+  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 10
+
+rule:
+  # Enable custom rules that don't exist in the baseline
+  includeLocal: false
+  exclude:
+  # Ignore the following rules for all resources
+   - Azure.KeyVault.PurgeProtect