How do I suppress a rule for all ARM templates?

[mikejwhat]

I'm using PSRule in VSCode with the baseline 'Azure.GA_2022_12' and I'm having a really hard time trying to suppress the rule named 'Azure.Template.UseComments' for all ARM templates. I have the following rules file in the directory .ps-rule:

# Synopsis: Exclude non-security-related rules
apiVersion: github.com/microsoft/PSRule/v1
kind: SuppressionGroup
metadata:
  name: 'Exclude non-security-related rules'
spec:
  rule: 
  - 'Azure.Template.UseComments'
  if:
    field: 'resources'
    exists: true

It just seems to be ignored, even when I run Assert-PSRule and set the Options parameter value to the directory or file path of the above rule file.

[BernieWhite]

@mikejwhat The specific rule should be flagging against the files early in the process, before the resources are expanded. To suppress this rule you wouldn't be able to use the field: resources option, at least currently.

However you can:

1. Ignore/ exclude the rule

Since you don't want to run the rule for any template this is the simplest methods. Just set Rule.Exclude option.

For example in ps-rule.yaml:

rule:
  exclude:
  - Azure.Template.UseComments

2. Use a suppression group

For you use case this is unnecessary in because it is a little more complex. However does provide one benefit/ disadvantage depending on your perspective. It will generate a warning by default for each file that has been suppressed where as Rule.Exclude does not generate a warning.

If you wanted to use this option try something like this instead:

# Synopsis: Exclude non-security-related rules
apiVersion: github.com/microsoft/PSRule/v1
kind: SuppressionGroup
metadata:
  name: 'Exclude non-security-related rules'
spec:
  rule: 
  - 'PSRule.Rules.Azure\Azure.Template.UseComments'
  if:
    name: '.'
    endsWith:
    - '/template.json'

[BernieWhite]

@mikejwhat Did this answer your question?

[mikejwhat]

Yes thank you! Immediately saw this in the docs after trying this out - not sure how I missed it.