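function Add-AzDoPipelineBranchControl {
    <#
.SYNOPSIS
    Adds a branch control check to an Azure DevOps pipeline resource
.DESCRIPTION
    Resolves each named environment, variable group or repository to its id and posts a
    "Task Check" configuration (task definition "evaluatebranchProtection") for it to the
    project's pipelines/checks/configurations endpoint. The check carries the list of
    allowed branches and the two branch-protection switches passed in.
.EXAMPLE
    $params = @{
        CollectionUri = "https://dev.azure.com/contoso"
        ProjectName   = "Project 1"
        ResourceType  = "environment"
        ResourceName  = "MyEnvironment"
    }
    Add-AzDoPipelineBranchControl @params

    Default usage
.EXAMPLE
    $params = @{
        CollectionUri            = "https://dev.azure.com/contoso"
        ProjectName              = "Project 1"
        ResourceType             = "repository"
        ResourceName             = "MyRepo"
        AllowedBranches          = "refs/heads/main,refs/heads/develop"
        EnsureProtectionOfBranch = "true"
    }
    Add-AzDoPipelineBranchControl @params

    Add allowed branches and ensure branch protection
.OUTPUTS
    [PSCustomObject]@{
        CollectionUri = $CollectionUri
        ProjectName   = $ProjectName
        CheckId       = $_.id
    }
.NOTES
    The function declares ConfirmImpact = 'High', so it asks for confirmation unless
    -Confirm:$false or -WhatIf is given. With -WhatIf the request is only written to the
    verbose stream.
    A resource name that cannot be resolved to an id is reported with Write-Error and
    skipped; no check is posted for it.
#>
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param (
        # Collection Uri of the organization
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [ValidateScript({ Validate-CollectionUri -CollectionUri $_ })]
        [string]
        $CollectionUri,

        # Project that contains the resource to protect
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]
        $ProjectName,

        # Display name of the check. Default is "Branch Control"
        [Parameter()]
        [string]
        $PolicyName = "Branch Control",

        # The type of Azure DevOps resource to be protected by the check
        [Parameter(Mandatory)]
        [string]
        [ValidateSet("environment", "variablegroup", "repository")]
        $ResourceType,

        # Name(s) of the resource(s) to be protected by the check
        [Parameter(Mandatory)]
        [string[]]
        $ResourceName,

        # Allow deployment from branches for which protection status could not be obtained.
        # "true" makes the check fail open for such branches, so the default stays "false".
        # Restricted to the same two values as EnsureProtectionOfBranch.
        [Parameter()]
        [string]
        [ValidateSet("true", "false")]
        $AllowUnknownStatusBranches = "false",

        # Comma separated list of branch refs from which a pipeline must be run to access this resource.
        # The default was "refs/head/main", a ref that matches no branch; branch refs live under refs/heads/.
        [Parameter()]
        [string]
        $AllowedBranches = "refs/heads/main",

        # Validate the branches being deployed are protected.
        [Parameter()]
        [string]
        [ValidateSet("true", "false")]
        $EnsureProtectionOfBranch = "true",

        # Timeout of the check. Default is 1440 minutes
        [Parameter()]
        [int]
        $Timeout = 1440
    )

    process {
        Write-Verbose "Starting function: Add-AzDoPipelineBranchControl"

        foreach ($name in $ResourceName) {
            # Start every iteration without an id so a failed lookup can never reuse the previous one.
            $resourceId = $null

            switch ($ResourceType) {
                "environment" {
                    $resourceId = (Get-AzDoEnvironment -CollectionUri $CollectionUri -ProjectName $ProjectName -EnvironmentName $name).EnvironmentId
                }
                "variablegroup" {
                    $resourceId = (Get-AzDoVariableGroup -CollectionUri $CollectionUri -ProjectName $ProjectName -VariableGroupName $name).VariableGroupId
                }
                "repository" {
                    # Repository resources are addressed as "<projectId>.<repoId>".
                    $projectId = (Get-AzDoProject -CollectionUri $CollectionUri -ProjectName $ProjectName).projectId
                    $repoId = (Get-AzDoRepo -CollectionUri $CollectionUri -ProjectName $ProjectName -RepoName $name).RepoId
                    if ($projectId -and $repoId) {
                        $resourceId = "$($projectId).$($repoId)"
                    }
                }
            }

            # Checked after the switch on purpose: inside a switch, 'continue' would only leave the switch.
            # Without this guard a missing resource produced a request with an empty (or ".") resource id.
            if ([string]::IsNullOrWhiteSpace("$resourceId")) {
                Write-Error "Could not resolve $($ResourceType) named: $($name) in project: $($ProjectName) in collection: $($CollectionUri). No check was created."
                continue
            }

            #TODO: Check if policy already exists
            $body = @{
                # Check type and task definition ids are taken as-is from the original script.
                type     = @{
                    name = "Task Check"
                    id   = "fe1de3ee-a436-41b4-bb20-f6eb4cb879a7"
                }
                settings = @{
                    displayName   = $PolicyName
                    definitionRef = @{
                        id      = "86b05a0c-73e6-4f7d-b3cf-e38f3b39a75b"
                        name    = "evaluatebranchProtection"
                        version = "0.0.1"
                    }
                    inputs        = @{
                        allowUnknownStatusBranches = $AllowUnknownStatusBranches
                        allowedBranches            = $AllowedBranches
                        ensureProtectionOfBranch   = $EnsureProtectionOfBranch
                    }
                }
                timeout  = $Timeout
                resource = @{
                    type = $ResourceType
                    id   = $resourceId
                }
            }

            $params = @{
                uri     = "$CollectionUri/$ProjectName/_apis/pipelines/checks/configurations"
                version = "7.2-preview.1"
                Method  = "POST"
                body    = $body
            }

            if ($PSCmdlet.ShouldProcess($ProjectName, "Create build-validation policy named: $($PSStyle.Bold)$PolicyName$($PSStyle.Reset)")) {
                try {
                    Invoke-AzDoRestMethod @params | ForEach-Object {
                        [PSCustomObject]@{
                            CollectionUri = $CollectionUri
                            ProjectName   = $ProjectName
                            CheckId       = $_.id
                        }
                    }
                } catch {
                    # Report the failure for this resource and keep going with the remaining names.
                    Write-Error "Failed to create build-validation policy named: $($PolicyName) on $($ResourceType) named: $($name) in project: $($ProjectName) in collection: $($CollectionUri). Error: $_"
                }
            } else {
                # -WhatIf or a declined confirmation: show the request that would have been sent.
                Write-Verbose "Calling Invoke-AzDoRestMethod with $($params| ConvertTo-Json -Depth 10)"
            }
        }
    }
}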