Expressions#

Describes PSRule expressions and how to use them.

Description#

PSRule expressions are used within YAML-based rules or selectors to evaluate an object. Expressions are comprised of nested conditions, operators, and comparison properties.

The following conditions are available:

APIVersion
Contains
Count
Equals
EndsWith
Exists
Greater
GreaterOrEquals
HasDefault
HasSchema
HasValue
In
IsLower
IsString
IsArray
IsBoolean
IsDateTime
IsInteger
IsNumeric
IsUpper
Less
LessOrEquals
Like
Match
NotContains
NotCount
NotEndsWith
NotEquals
NotIn
NotLike
NotMatch
NotStartsWith
NotWithinPath
SetOf
StartsWith
Subset
WithinPath
Version

The following operators are available:

AllOf
AnyOf
Not

The following comparison properties are available:

Field
Name
Scope
Source
Type

AllOf#

The allOf operator is used to require all nested expressions to match. When any nested expression does not match, allOf does not match. This is similar to a logical and operation.

Additionally sub-selectors can be used to modify the allOf operator. Sub-selectors allow filtering and looping through arrays of objects before the allOf operator is applied. See sub-selectors for more information.

Syntax:

allOf: <expression[]>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleAllOf'
spec:
  condition:
    allOf:
    # Both Name and Description must exist.
    - field: 'Name'
      exists: true
    - field: 'Description'
      exists: true

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleAllOf'
spec:
  if:
    allOf:
    # Both Name and Description must exist.
    - field: 'Name'
      exists: true
    - field: 'Description'
      exists: true

AnyOf#

The anyOf operator is used to require one or more nested expressions to match. When any nested expression matches, allOf matches. This is similar to a logical or operation.

Additionally sub-selectors can be used to modify the anyOf operator. Sub-selectors allow filtering and looping through arrays of objects before the anyOf operator is applied. See sub-selectors for more information.

Syntax:

anyOf: <expression[]>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleAnyOf'
spec:
  condition:
    anyOf:
    # Name and/ or AlternativeName must exist.
    - field: 'Name'
      exists: true
    - field: 'AlternativeName'
      exists: true

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleAnyOf'
spec:
  if:
    anyOf:
    # Name and/ or AlternativeName must exist.
    - field: 'Name'
      exists: true
    - field: 'AlternativeName'
      exists: true

APIVersion#

The apiVersion condition determines if the operand is a valid date version. A constraint can optionally be provided to require the date version to be within a range. Supported version constraints for expression are the same as the $Assert.APIVersion assertion helper.

Syntax:

apiVersion: <string>
includePrerelease: <bool>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleAPIVersion'
spec:
  condition:
    field: 'engine.apiVersion'
    apiVersion: '>=2015-10-01'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleAnyAPIVersion'
spec:
  if:
    field: 'engine.apiVersion'
    apiVersion: ''

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleAPIVersionIncludingPrerelease'
spec:
  if:
    field: 'engine.apiVersion'
    apiVersion: '>=2015-10-01'
    includePrerelease: true

Contains#

The contains condition can be used to determine if the operand contains a specified sub-string. One or more strings to compare can be specified.

caseSensitive - Optionally, a case sensitive-comparison can be performed. By default, case-insensitive comparison is performed.
convert - Optionally, types can be converted to string type. By default convert is false.

Syntax:

contains: <string | array>
caseSensitive: <boolean>
convert: <boolean>

If the operand is a field, and the field does not exist, contains always returns false.

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleContains'
spec:
  condition:
    anyOf:
    - field: 'url'
      contains: '/azure/'
    - field: 'url'
      contains:
      - 'github.io'
      - 'github.com'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleContains'
spec:
  if:
    anyOf:
    - field: 'url'
      contains: '/azure/'
    - field: 'url'
      contains:
      - 'github.io'
      - 'github.com'

Count#

The count condition is used to determine if the operand contains a specified number of items.

Syntax:

count: <int>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleCount'
spec:
  condition:
    field: 'items'
    count: 2

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleCount'
spec:
  if:
    field: 'items'
    count: 2

Equals#

The equals condition can be used to compare if the operand is equal to a supplied value.

caseSensitive - Optionally, a case sensitive-comparison can be performed. This only applies to string comparisons. By default, case-insensitive comparison is performed.
convert - Optionally, perform type conversion on operand type. By default convert is false.

Syntax:

equals: <string | int | bool>
caseSensitive: <boolean>
convert: <boolean>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleEquals'
spec:
  condition:
    field: 'Name'
    equals: 'TargetObject1'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleEquals'
spec:
  if:
    field: 'Name'
    equals: 'TargetObject1'

EndsWith#

The endsWith condition can be used to determine if the operand ends with a specified string. One or more strings to compare can be specified.

caseSensitive - Optionally, a case sensitive-comparison can be performed. By default, case-insensitive comparison is performed.
convert - Optionally, types can be converted to string type. By default convert is false.

Syntax:

endsWith: <string | array>
caseSensitive: <boolean>
convert: <boolean>

If the operand is a field, and the field does not exist, endsWith always returns false.

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleEndsWith'
spec:
  condition:
    anyOf:
    - field: 'hostname'
      endsWith: '.com'
    - field: 'hostname'
      endsWith:
      - '.com.au'
      - '.com'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleEndsWith'
spec:
  if:
    anyOf:
    - field: 'hostname'
      endsWith: '.com'
    - field: 'hostname'
      endsWith:
      - '.com.au'
      - '.com'

Exists#

The exists condition determines if the specified field exists.

Syntax:

exists: <bool>

When exists: true, exists will return true if the field exists.
When exists: false, exists will return true if the field does not exist.

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleExists'
spec:
  condition:
    field: 'Name'
    exists: true

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleExists'
spec:
  if:
    field: 'Name'
    exists: true

Field#

The comparison property field is used with a condition to determine field of the object to evaluate. A field can be:

A property name.
A key within a hashtable or dictionary.
An index in an array or collection.
A nested path through an object.

Syntax:

field: <string>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleField'
spec:
  condition:
    field: 'Properties.securityRules[0].name'
    exists: true

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleField'
spec:
  if:
    field: 'Properties.securityRules[0].name'
    exists: true

Greater#

The greater condition determines if the operand is greater than a supplied value. The field value can either be an integer, float, array, or string.

convert - Optionally, perform type conversion on operand type. By default convert is false.

When the field value is:

An integer or float, a numerical comparison is used.
An array, the number of elements is compared.
A string, the length of the string is compared. If convert is true, the string is converted a number instead.
A DateTime, the number of days from the current time is compared.

Syntax:

greater: <int>
convert: <boolean>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleGreater'
spec:
  condition:
    field: 'Name'
    greater: 3

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleGreater'
spec:
  if:
    field: 'Name'
    greater: 3

GreaterOrEquals#

The greaterOrEquals condition determines if the operand is greater or equal to the supplied value. The field value can either be an integer, float, array, or string.

convert - Optionally, perform type conversion on operand type. By default convert is false.

When the field value is:

An integer or float, a numerical comparison is used.
An array, the number of elements is compared.
A string, the length of the string is compared. If convert is true, the string is converted a number instead.
A DateTime, the number of days from the current time is compared.

Syntax:

greaterOrEquals: <int>
convert: <boolean>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleGreaterOrEquals'
spec:
  condition:
    field: 'Name'
    greaterOrEquals: 3

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleGreaterOrEquals'
spec:
  if:
    field: 'Name'
    greaterOrEquals: 3

HasDefault#

The hasDefault condition determines if the field exists that it is set to the specified value. If the field does not exist, the condition will return true.

The following properties are accepted:

caseSensitive - Optionally, a case-sensitive comparison can be performed for string values. By default, case-insensitive comparison is performed.

Syntax:

hasDefault: <string | int | bool>
caseSensitive: <bool>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleHasDefault'
spec:
  condition:
    field: 'enabled'
    hasDefault: true

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleHasDefault'
spec:
  if:
    field: 'enabled'
    hasDefault: true

HasSchema#

The hasSchema condition determines if the operand has a $schema property defined. If the $schema property is defined, it must match one of the specified schemas. If a trailing # is specified it is ignored.

The following properties are accepted:

caseSensitive - Optionally, a case-sensitive comparison can be performed. By default, case-insensitive comparison is performed.
ignoreScheme - Optionally, the URI scheme is ignored in the comparison. By default, the scheme is compared. When true, the schema will match if either http:// or https:// is specified.

Syntax:

hasSchema: <array>
caseSensitive: <bool>
ignoreScheme: <bool>

When hasSchema: [], hasSchema will return true if any non-empty $schema property is defined.

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleHasSchema'
spec:
  condition:
    field: '.'
    hasSchema:
    - https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleHasSchema'
spec:
  if:
    field: '.'
    hasSchema:
    - https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#
    - https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#
    ignoreScheme: true

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleHasAnySchema'
spec:
  if:
    field: '.'
    hasSchema: []

HasValue#

The hasValue condition determines if the field exists and has a non-empty value.

Syntax:

hasValue: <bool>

When hasValue: true, hasValue will return true if the field is not empty.
When hasValue: false, hasValue will return true if the field is empty.

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleHasValue'
spec:
  condition:
    field: 'Name'
    hasValue: true

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleHasValue'
spec:
  if:
    field: 'Name'
    hasValue: true

In#

The in condition can be used to compare if a field contains one of the specified values.

Syntax:

in: <array>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleIn'
spec:
  condition:
    field: 'Name'
    in:
    - 'Value1'
    - 'Value2'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleIn'
spec:
  if:
    field: 'Name'
    in:
    - 'Value1'
    - 'Value2'

IsLower#

The isLower condition determines if the operand is a lowercase string.

Syntax:

isLower: <bool>

When isLower: true, isLower will return true if the operand is a lowercase string. Non-letter characters are ignored.
When isLower: false, isLower will return true if the operand is not a lowercase string.
If the operand is a field, and the field does not exist isLower always returns false.

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleIsLower'
spec:
  condition:
    field: 'Name'
    isLower: true

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleIsLower'
spec:
  if:
    field: 'Name'
    isLower: true

IsString#

The isString condition determines if the operand is a string or other type.

Syntax:

isString: <bool>

When isString: true, isString will return true if the operand is a string.
When isString: false, isString will return true if the operand is not a string or is null.
If the operand is a field, and the field does not exist isString always returns false.

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleIsString'
spec:
  condition:
    field: 'Name'
    isString: true

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleIsString'
spec:
  if:
    field: 'Name'
    isString: true

IsArray#

The isArray condition determines if the operand is an array or other type.

Syntax:

isArray: <bool>

When isArray: true, isArray will return true if the operand is an array.
When isArray: false, isArray will return true if the operand is not an array or null.
If the operand is a field, and the field does not exist, isArray always returns false.

For example:

---
# Synopsis: Using isArray
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: IsArrayExample
spec:
  if:
    field: 'Value'
    isArray: true

IsBoolean#

The isBoolean condition determines if the operand is a boolean or other type.

convert - Optionally, types can be converted to boolean type. E.g. 'true' can be converted to true. By default convert is false.

isBoolean: <bool>
convert: <bool>

When isBoolean: true, isBoolean will return true if the operand is a boolean.
When isBoolean: false, isBoolean will return false if the operand is not a boolean or null.
When convert: true, types will be converted to boolean before condition is evaluated.

For example:

---
# Synopsis: Using isBoolean
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: IsBooleanExample
spec:
  if:
    field: 'Value'
    isBoolean: true

---
# Synopsis: Using isBoolean with conversion
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: IsBooleanExampleWithConversion
spec:
  if:
    field: 'Value'
    isBoolean: true
    convert: true

IsDateTime#

The isDateTime condition determines if the operand is a datetime or other type.

convert - Optionally, types can be converted to datetime type. E.g. '2021-04-03T15:00:00.00+10:00' can be converted to a datetime. By default convert is false.

isDateTime: <bool>
convert: <bool>

When isDateTime: true, isDateTime will return true if the operand is a datetime.
When isDateTime: false, isDateTime will return false if the operand is not a datetime or null.
When convert: true, types will be converted to datetime before condition is evaluated.

For example:

---
# Synopsis: Using isDateTime
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: IsDateTimeExample
spec:
  if:
    field: 'Value'
    isDateTime: true

---
# Synopsis: Using isDateTime with conversion
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: IsDateTimeExampleWithConversion
spec:
  if:
    field: 'Value'
    isDateTime: true
    convert: true

IsInteger#

The isInteger condition determines if the operand is a an integer or other type. The following types are considered integer types int, long, byte.

convert - Optionally, types can be converted to integer type. E.g. '123' can be converted to 123. By default convert is false.

isInteger: <bool>
convert: <bool>

When isInteger: true, isInteger will return true if the operand is an integer.
When isInteger: false, isInteger will return false if the operand is not an integer or null.
When convert: true, types will be converted to integer before condition is evaluated.

For example:

---
# Synopsis: Using isInteger
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: IsIntegerExample
spec:
  if:
    field: 'Value'
    isInteger: true

---
# Synopsis: Using isInteger with conversion
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: IsIntegerExampleWithConversion
spec:
  if:
    field: 'Value'
    isInteger: true
    convert: true

IsNumeric#

The isNumeric condition determines if the operand is a a numeric or other type. The following types are considered numeric types int, long, float, byte, double.

convert - Optionally, types can be converted to numeric type. E.g. '123' can be converted to 123. By default convert is false.

isNumeric: <bool>
convert: <bool>

When isNumeric: true, isNumeric will return true if the operand is a numeric.
When isNumeric: false, isNumeric will return false if the operand is not a numeric or null.
When convert: true, types will be converted to numeric before condition is evaluated.

For example:

---
# Synopsis: Using isNumeric
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: IsNumericExample
spec:
  if:
    field: 'Value'
    isNumeric: true

---
# Synopsis: Using isNumeric with conversion
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: IsNumercExampleWithConversion
spec:
  if:
    field: 'Value'
    isNumeric: true
    convert: true

IsUpper#

The isUpper condition determines if the operand is an uppercase string.

Syntax:

isUpper: <bool>

When isUpper: true, isUpper will return true if the operand is an uppercase string. Non-letter characters are ignored.
When isUpper: false, isUpper will return true if the operand is not an uppercase string.
If the operand is a field, and the field does not exist isUpper always returns false.

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleIsUpper'
spec:
  condition:
    field: 'Name'
    isUpper: true

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleIsUpper'
spec:
  if:
    field: 'Name'
    isUpper: true

Less#

The less condition determines if the operand is less than a supplied value. The field value can either be an integer, float, array, or string.

convert - Optionally, perform type conversion on operand type. By default convert is false.

When the field value is:

An integer or float, a numerical comparison is used.
An array, the number of elements is compared.
A string, the length of the string is compared. If convert is true, the string is converted a number instead.
A DateTime, the number of days from the current time is compared.

Syntax:

less: <int>
convert: <boolean>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleLess'
spec:
  condition:
    field: 'Name'
    less: 3

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleLess'
spec:
  if:
    field: 'Name'
    less: 3

LessOrEquals#

The lessOrEquals condition determines if the operand is less or equal to the supplied value. The field value can either be an integer, float, array, or string.

convert - Optionally, perform type conversion on operand type. By default convert is false.

When the field value is:

An integer or float, a numerical comparison is used.
An array, the number of elements is compared.
A string, the length of the string is compared. If convert is true, the string is converted a number instead.
A DateTime, the number of days from the current time is compared.

Syntax:

lessOrEquals: <int>
convert: <boolean>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleLessOrEquals'
spec:
  condition:
    field: 'Name'
    lessOrEquals: 3

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleLessOrEquals'
spec:
  if:
    field: 'Name'
    lessOrEquals: 3

Like#

The like condition can be used to determine if the operand matches a wildcard pattern. One or more patterns to compare can be specified.

caseSensitive - Optionally, a case sensitive-comparison can be performed. By default, case-insensitive comparison is performed.
convert - Optionally, types can be converted to string type. By default convert is false.

Syntax:

like: <string | array>
caseSensitive: <boolean>
convert: <boolean>

If the operand is a field, and the field does not exist, like always returns false.

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleLike'
spec:
  condition:
    anyOf:
    - field: 'url'
      like: 'http://*'
    - field: 'url'
      like:
      - 'http://*'
      - 'https://*'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleLike'
spec:
  if:
    anyOf:
    - field: 'url'
      like: 'http://*'
    - field: 'url'
      like:
      - 'http://*'
      - 'https://*'

Match#

The match condition can be used to compare if a field matches a supplied regular expression.

caseSensitive - Optionally, a case sensitive-comparison can be performed. By default, case-insensitive comparison is performed.

Syntax:

match: <string>
caseSensitive: <boolean>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleMatch'
spec:
  condition:
    field: 'Name'
    match: '$(abc|efg)$'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleMatch'
spec:
  if:
    field: 'Name'
    match: '$(abc|efg)$'

Name#

The comparison property name is used with a condition to evaluate the target name of the object. The name property must be set to .. Any other value will cause the condition to evaluate to false.

Syntax:

name: '.'

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleName'
spec:
  condition:
    name: '.'
    equals: 'TargetObject1'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleName'
spec:
  if:
    name: '.'
    in:
    - 'TargetObject1'
    - 'TargetObject2'

Not#

The any operator is used to invert the result of the nested expression. When a nested expression matches, not does not match. When a nested expression does not match, not matches.

Syntax:

not: <expression>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleNot'
spec:
  condition:
    not:
      # The AlternativeName field must not exist.
      field: 'AlternativeName'
      exists: true

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleNot'
spec:
  if:
    not:
      # The AlternativeName field must not exist.
      field: 'AlternativeName'
      exists: true

NotContains#

The notContains condition can be used to determine if the operand contains a specified sub-string. This condition fails when any of the specified sub-strings are found in the operand. One or more strings to compare can be specified.

caseSensitive - Optionally, a case sensitive-comparison can be performed. By default, case-insensitive comparison is performed.
convert - Optionally, types can be converted to string type. By default convert is false.

Syntax:

notContains: <string | array>
caseSensitive: <boolean>
convert: <boolean>

If the operand is a field, and the field does not exist, notContains always returns false.

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleNotContains'
spec:
  condition:
    anyOf:
    - field: 'url'
      notContains: '/azure/'
    - field: 'url'
      notContains:
      - 'github.io'
      - 'github.com'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleNotContains'
spec:
  if:
    anyOf:
    - field: 'url'
      notContains: '/azure/'
    - field: 'url'
      notContains:
      - 'github.io'
      - 'github.com'

NotCount#

The notCount condition is used to determine if the operand does not contain a specified number of items.

Syntax:

notCount: <int>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleNotCount'
spec:
  condition:
    field: 'items'
    notCount: 2

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleNotCount'
spec:
  if:
    field: 'items'
    notCount: 2

NotEndsWith#

The notEndsWith condition can be used to determine if the operand ends with a specified string. This condition fails when any of the specified sub-strings are found at the end of the operand. One or more strings to compare can be specified.

caseSensitive - Optionally, a case sensitive-comparison can be performed. By default, case-insensitive comparison is performed.
convert - Optionally, types can be converted to string type. By default convert is false.

Syntax:

notEndsWith: <string | array>
caseSensitive: <boolean>
convert: <boolean>

If the operand is a field, and the field does not exist, notEndsWith always returns false.

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleNotEndsWith'
spec:
  condition:
    anyOf:
    - field: 'hostname'
      notEndsWith: '.com'
    - field: 'hostname'
      notEndsWith:
      - '.com.au'
      - '.com'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleNotEndsWith'
spec:
  if:
    anyOf:
    - field: 'hostname'
      notEndsWith: '.com'
    - field: 'hostname'
      notEndsWith:
      - '.com.au'
      - '.com'

NotEquals#

The notEquals condition can be used to compare if a field is equal to a supplied value.

caseSensitive - Optionally, a case sensitive-comparison can be performed. This only applies to string comparisons. By default, case-insensitive comparison is performed.
convert - Optionally, perform type conversion on operand type. By default convert is false.

Syntax:

notEquals: <string | int | bool>
caseSensitive: <boolean>
convert: <boolean>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleNotEquals'
spec:
  condition:
    field: 'Name'
    notEquals: 'TargetObject1'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleNotEquals'
spec:
  if:
    field: 'Name'
    notEquals: 'TargetObject1'

NotIn#

The notIn condition can be used to compare if a field does not contains one of the specified values.

Syntax:

notIn: <array>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleNotIn'
spec:
  condition:
    field: 'Name'
    notIn:
    - 'Value1'
    - 'Value2'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleNotIn'
spec:
  if:
    field: 'Name'
    notIn:
    - 'Value1'
    - 'Value2'

NotLike#

The notLike condition can be used to determine if the operand matches a wildcard pattern. This condition fails when any of the specified patterns match the operand. One or more patterns to compare can be specified.

caseSensitive - Optionally, a case sensitive-comparison can be performed. By default, case-insensitive comparison is performed.
convert - Optionally, types can be converted to string type. By default convert is false.

Syntax:

notLike: <string | array>
caseSensitive: <boolean>
convert: <boolean>

If the operand is a field, and the field does not exist, notLike always returns false.

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleNotLike'
spec:
  condition:
    anyOf:
    - field: 'url'
      notLike: 'http://*'
    - field: 'url'
      notLike:
      - 'http://'
      - 'https://'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleNotLike'
spec:
  if:
    anyOf:
    - field: 'url'
      notLike: 'http://*'
    - field: 'url'
      notLike:
      - 'http://'
      - 'https://'

NotMatch#

The notMatch condition can be used to compare if a field does not matches a supplied regular expression.

caseSensitive - Optionally, a case sensitive-comparison can be performed. By default, case-insensitive comparison is performed.

Syntax:

notMatch: <string>
caseSensitive: <boolean>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleNotMatch'
spec:
  condition:
    field: 'Name'
    notMatch: '$(abc|efg)$'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleNotMatch'
spec:
  if:
    field: 'Name'
    notMatch: '$(abc|efg)$'

NotStartsWith#

The notStartsWith condition can be used to determine if the operand starts with a specified string. This condition fails when any of the specified sub-strings are found at the start of the operand. One or more strings to compare can be specified.

caseSensitive - Optionally, a case sensitive-comparison can be performed. By default, case-insensitive comparison is performed.
convert - Optionally, types can be converted to string type. By default convert is false.

Syntax:

notStartsWith: <string | array>
caseSensitive: <boolean>
convert: <boolean>

If the operand is a field, and the field does not exist, notStartsWith always returns false.

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleNotStartsWith'
spec:
  condition:
    anyOf:
    - field: 'url'
      notStartsWith: 'http'
    - field: 'url'
      notStartsWith:
      - 'http://'
      - 'https://'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleNotStartsWith'
spec:
  if:
    anyOf:
    - field: 'url'
      notStartsWith: 'http'
    - field: 'url'
      notStartsWith:
      - 'http://'
      - 'https://'

NotWithinPath#

The notWithinPath condition determines if a file path is not within a required path.

If the path is not within the required path, the condition will return true. If the path is within the required path, the condition will return false.

The following properties are accepted:

caseSensitive - Optionally, a case-sensitive comparison can be performed for string values. By default, case-insensitive comparison is performed.

Syntax:

notWithinPath: <array>
caseSensitive: <boolean>

For example:

---
# Synopsis: Test notWithinPath with source
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: YamlSourceNotWithinPath
spec:
  if:
    source: 'Template'
    notWithinPath:
      - "deployments/path/"

---
# Synopsis: Test notWithinPath with source and case sensitive
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: YamlSourceNotWithinPathCaseSensitive
spec:
  if:
    source: 'Template'
    notWithinPath:
      - "Deployments/Path/"
    caseSensitive: true

Scope#

The comparison property scope is used with a condition to evaluate any scopes assigned to the object. The scope property must be set to .. Any other value will cause the condition to evaluate to false.

Syntax:

scope: '.'

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleScope'
spec:
  condition:
    scope: '.'
    startsWith: '/'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleScope'
spec:
  if:
    scope: '.'
    startsWith: '/'

SetOf#

The setOf condition can be used to determine if the operand is a set of specified values. Additionally the following properties are accepted:

caseSensitive - Optionally, a case sensitive-comparison can be performed. By default, case-insensitive comparison is performed.

Syntax:

setOf: <array>
caseSensitive: <bool>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleSetOf'
spec:
  condition:
    field: 'zones'
    setOf:
    - 1
    - 2
    - 3
    caseSensitive: false

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleSetOf'
spec:
  if:
    field: 'zones'
    setOf:
    - 1
    - 2
    - 3
    caseSensitive: false

Source#

The comparison property source is used with a condition to expose the source path for the resource. The source property can be set to any value. The default is file when objects loaded from a file don't identify a source.

Syntax:

source: 'file'

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: IgnoreTestFiles
spec:
  if:
    source: 'file'
    withinPath: 'tests/PSRule.Tests/'

StartsWith#

The startsWith condition can be used to determine if the operand starts with a specified string. One or more strings to compare can be specified.

caseSensitive - Optionally, a case sensitive-comparison can be performed. By default, case-insensitive comparison is performed.
convert - Optionally, types can be converted to string type. By default convert is false.

Syntax:

startsWith: <string | array>
caseSensitive: <boolean>
convert: <boolean>

If the operand is a field, and the field does not exist, startsWith always returns false.

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleStartsWith'
spec:
  condition:
    anyOf:
    - field: 'url'
      startsWith: 'http'
    - field: 'url'
      startsWith:
      - 'http://'
      - 'https://'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleStartsWith'
spec:
  if:
    anyOf:
    - field: 'url'
      startsWith: 'http'
    - field: 'url'
      startsWith:
      - 'http://'
      - 'https://'

Subset#

The subset condition can be used to determine if the operand is a set of specified values. The following properties are accepted:

caseSensitive - Optionally, a case-sensitive comparison can be performed. By default, case-insensitive comparison is performed.
unique - Optionally, the operand must not contain duplicates. By default, duplicates are allowed.

Syntax:

subset: <array>
caseSensitive: <bool>
unique: <bool>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleSubset'
spec:
  condition:
    field: 'logs'
    subset:
    - 'cluster-autoscaler'
    - 'kube-apiserver'
    - 'kube-scheduler'
    caseSensitive: true
    unique: true

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleSubset'
spec:
  if:
    field: 'logs'
    subset:
    - 'cluster-autoscaler'
    - 'kube-apiserver'
    - 'kube-scheduler'
    caseSensitive: true
    unique: true

Type#

The comparison property type is used with a condition to evaluate the target type of the object. The type property must be set to .. Any other value will cause the condition to evaluate to false.

Syntax:

type: '.'

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleType'
spec:
  condition:
    type: '.'
    equals: 'CustomType'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleType'
spec:
  if:
    type: '.'
    in:
    - 'Microsoft.Storage/storageAccounts'
    - 'Microsoft.Storage/storageAccounts/blobServices'

Version#

The version condition determines if the operand is a valid semantic version. A constraint can optionally be provided to require the semantic version to be within a range. Supported version constraints for expression are the same as the $Assert.Version assertion helper.

Syntax:

version: <string>
includePrerelease: <bool>

For example:

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Rule
metadata:
  name: 'ExampleVersion'
spec:
  condition:
    field: 'engine.version'
    version: '^1.2.3'

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleAnyVersion'
spec:
  if:
    field: 'engine.version'
    version: ''

---
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: 'ExampleVersionIncludingPrerelease'
spec:
  if:
    field: 'engine.version'
    version: '>=1.5.0'
    includePrerelease: true

WithinPath#

The withinPath condition determines if a file path is within a required path.

If the path is within the required path, the condition will return true. If the path is not within the required path, the condition will return false.

The following properties are accepted:

caseSensitive - Optionally, a case-sensitive comparison can be performed for string values. By default, case-insensitive comparison is performed.

Syntax:

withinPath: <array>
caseSensitive: <boolean>

For example:

---
# Synopsis: Test withinPath with source
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: YamlSourceWithinPath
spec:
  if:
    source: 'Template'
    withinPath:
      - "deployments/path/"

---
# Synopsis: Test withinPath with source and case sensitive
apiVersion: github.com/microsoft/PSRule/2025-01-01
kind: Selector
metadata:
  name: YamlSourceWithinPathCaseSensitive
spec:
  if:
    source: 'Template'
    withinPath:
      - "Deployments/Path/"
    caseSensitive: true

Links#

Invoke-PSRule

Expressions#

Description#

AllOf#

AnyOf#

APIVersion#

Contains#

Count#

Equals#

EndsWith#

Exists#

Field#

Greater#

GreaterOrEquals#

HasDefault#

HasSchema#

HasValue#

In#

IsLower#

IsString#

IsArray#

IsBoolean#

IsDateTime#

IsInteger#

IsNumeric#

IsUpper#

Less#

LessOrEquals#

Like#

Match#

Name#

Not#

NotContains#

NotCount#

NotEndsWith#

NotEquals#

NotIn#

NotLike#

NotMatch#

NotStartsWith#

NotWithinPath#

Scope#

SetOf#

Source#

StartsWith#

Subset#

Type#

Version#

WithinPath#

Links#

Comments