Using 'Microsoft.Authorization/locks' custom rule, PSRule is returning the wrong 'Reason:' text when failing

[lassehastrup]

Description of the issue

Using a custom rule (PSRule/v1) validating resourcelocks names we receive an unexpected error when PSRule is attempting to compare the name of the lock in the bicep file with the filter in the rule condition of the rule.

When hardcoding the name in the bicep-file of the resource lock and doing the same in the .Rule.Yaml file everything works as expected. However, when the names doesn't match and PSRule is expected to fail, we receive a wrong error-message (Reason:)

Example:

Bicep File:

resource subLock 'Microsoft.Authorization/locks@2017-04-01' = {
  name: 'ResourceLock1'
  properties: {
    level: 'CanNotDelete'
    notes: 'Prevent deletion of subscription and resources'
  }
}

Custom Resource Lock Rule:

apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
  name: Authorization.locks
spec:
  type:
    - Microsoft.Authorization/locks
  condition:
    allOf:
      - name: .
        match: ^[a-zA-Z0-9_\.()-]{0,89}[a-zA-Z0-9_()-]$
      - name: .
        startsWith: CanNotDelete

Expected behaviour

The error we expect to receive is the following:

Reason:
  - The value 'ResourceLock1' does not start with any of 'CanNotDelete'.

Error output

However we receive the following:

  Reason:
  - The value 'System.String[]' does not start with any of 'System.String[]'.

It seems to output a string array instead of the exact condition being processed.

To Reproduce

I have attached a small .zip file with my use case, which can be run by running the StartPSRule.ps1 file.
(You'll have to change the paths in the PowerShell Splat after the download)

Module in use and version:

• Module: PSRule
• Version: [2.9.0]

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Darwin 23.4.0 Darwin Kernel Version 23.4.0: Fri Mar 15 00:10:42 PDT 2024; root:xnu-10063.101.17~1/RELEASE_ARM64_T6000
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocol


Version      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Additional context

Zip file uploaded:

tmp.zip

[BernieWhite]

Fair @lassehastrup. Some of the generated reasons are not always ideal. Thanks for calling it out.

[lassehastrup]

Fyi - @BernieWhite , it seems to be a general issue when outputting the 'Reason'.
I'm also receiving (
| REASON:
| - The value 'System.String[]' does not start with any of 'System.String[]'.
) when I'm attempting to use the rule for deployment Names.

apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
  name: Local.YAML.NamingConvention.Resources.deployments
spec:
  type:
    - Microsoft.Resources/deployments
  recommend: "Valid text: 'Alphanumerics, underscores, parentheses, hyphens, and periods.'"
  condition:
    allOf:
      - name: .
        match: ^[a-zA-Z0-9_\.()-]{1,64}$
      - name: .
        startsWith: deploy

Just a heads-up to help your troubleshooting proces :)

[lassehastrup]

Hi @BernieWhite ,

I've been doing some testing with the B0203 pre-release module, and it seems that the 'Reason' output is still wrong.

[BernieWhite]

Hi @lassehastrup isn't the version you have installed from the screen shot v3.0.0-B0198 not v3.0.0-B0203?