Esempio n. 1
    def get_at_management_group(
            self,
            policy_definition_name,
            credentials=None,
            management_group_id=None,
            subscription_id=None,
            raw=False,
    ):
        """
        Fetch a single policy definition from a management group.

        :param policy_definition_name: name of the policy definition to look up
        :param credentials: credential object handed to PolicyClient; a new
            AzureIdentityCredentialAdapter is created when omitted
        :param management_group_id: management group to query; falls back to
            self.tenant_id when omitted
        :param subscription_id: subscription passed to PolicyClient; falls back
            to self.subscription_id when omitted
        :param raw: forwarded unchanged to the SDK call
        :return: whatever policy_definitions.get_at_management_group returns
        """
        creds = AzureIdentityCredentialAdapter() if credentials is None else credentials
        sub_id = self.subscription_id if subscription_id is None else subscription_id
        # With no explicit group the tenant id is used, i.e. the lookup targets
        # the root management group.
        group_id = self.tenant_id if management_group_id is None else management_group_id

        client = PolicyClient(credentials=creds, subscription_id=sub_id)
        return client.policy_definitions.get_at_management_group(
            policy_definition_name=policy_definition_name,
            management_group_id=group_id,
            raw=raw,
        )
Esempio n. 2
    def test_list_at_subscription_level(self):
        """Listing policy definitions for the subscription yields at least one entry."""
        creds = AzureIdentityCredentialAdapter()
        client = PolicyClient(credentials=creds, subscription_id=self.subscription_id)

        # Materialise the iterable returned by list() so its entries can be counted.
        definitions = list(client.policy_definitions.list())
        self.assertGreater(len(definitions), 0)

        message = "Subscription policy definition list count {}".format(
            len(definitions))
        logging.debug(message)
Esempio n. 3
    def test_get(self):
        """get_at_management_group returns a PolicyDefinition-typed object for a configured name."""
        # Constructed here but never handed to the client below, which is
        # called without a credentials argument.
        credentials = AzureIdentityCredentialAdapter()

        definition_client = MopPolicyDefinition(
            operations_path=TESTINGPATH, config_variables=TESTVARIABLES)
        policy_name = self.test_data_config['AZURE_POLICY']["policy_name_02"]
        fetched = definition_client.get_at_management_group(
            policy_definition_name=policy_name,
            management_group_id=self.tenant_id)

        # Only the type's name is checked, not the contents of the definition.
        type_text = str(type(fetched))
        self.assertTrue("PolicyDefinition" in type_text)
Esempio n. 4
    def test_get_subscription_level_raw(self):
        """A raw subscription-level get of a configured policy returns a non-None result."""
        creds = AzureIdentityCredentialAdapter()
        client = PolicyClient(credentials=creds, subscription_id=self.subscription_id)

        policy_section = self.test_data_config['AZURE_POLICY']
        name = policy_section["policy_name_04"]

        # raw=True is passed straight through to the SDK; the test only checks
        # that something came back.
        raw_result = client.policy_definitions.get(
            policy_definition_name=name, raw=True)
        self.assertIsNotNone(raw_result)
Esempio n. 5
    def test_get_subscription_level(self):
        """A subscription-level get of a configured policy returns a PolicyDefinition-typed object."""
        creds = AzureIdentityCredentialAdapter()
        client = PolicyClient(credentials=creds, subscription_id=self.subscription_id)

        name = self.test_data_config['AZURE_POLICY']["policy_name_03"]
        fetched = client.policy_definitions.get(policy_definition_name=name)

        self.assertIsNotNone(fetched)
        # Only the type's name is checked, not the contents of the definition.
        type_text = str(type(fetched))
        self.assertTrue("PolicyDefinition" in type_text)
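    def test_list_resource_group(self):
        """The default credential can list at least one resource group in the subscription.

        The subscription comes from self.subscription_id; no environment
        variable is read here.
        """
        credentials = AzureIdentityCredentialAdapter()

        from azure.mgmt.resource import ResourceManagementClient
        client = ResourceManagementClient(credentials, self.subscription_id)
        # Not raising any exception means the listing call was accepted for
        # this credential.
        rg_list = list(client.resource_groups.list())
        self.assertGreater(len(rg_list), 0)
        # NOTE(review): this writes the full listing to test output, which may
        # end up in CI logs; confirm that is acceptable or print only a count.
        print(rg_list)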
Esempio n. 7
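    def create_manage_group_assignment(
        self,
        policy_defintion_name,
        policy_assignment_name,
        credentials=None,
        management_group_id=None,
        subscription_id=None,
    ):
        """
        Create a policy assignment at the specified management group level.

        The created assignment is printed; nothing is returned.

        :param policy_defintion_name: name of the policy definition to assign
        :param policy_assignment_name: name given to the new assignment
        :param credentials: credential used for the assignment call; a new
            AzureIdentityCredentialAdapter is created when omitted
        :param management_group_id: management group the assignment is scoped
            to; falls back to self.management_group_id when omitted
        :param subscription_id: subscription passed to PolicyClient; falls back
            to self.subscription_id when omitted
        :return: None
        :raises KeyError: when the definition lookup returns a falsy value; the
            exception carries the definition name
        """
        if credentials is None:
            credentials = AzureIdentityCredentialAdapter()

        if subscription_id is None:
            subscription_id = self.subscription_id
        # Falls back to the management group configured on this instance.
        if management_group_id is None:
            management_group_id = self.management_group_id

        policy_defintion_client = MopPolicyDefinition(
            operations_path=self.operations_path,
            config_variables=self.config_variables)
        # NOTE(review): neither `credentials` nor `management_group_id` is
        # forwarded to this lookup, so it runs with that client's own defaults
        # rather than the caller's identity and scope -- confirm this is intended.
        policy_definition = policy_defintion_client.get_at_management_group(
            policy_definition_name=policy_defintion_name, raw=True)

        # An assignment cannot be created for a definition that does not exist.
        # NOTE(review): with raw=True the SDK presumably returns a response
        # wrapper or raises, so this falsy check may never fire -- verify.
        if not policy_definition:
            raise KeyError(policy_defintion_name)

        # NOTE(review): the group id is interpolated into the scope template
        # as-is; if it can come from outside this code base, validate it first
        # so the assignment cannot land on an unintended scope.
        assignment_scope = self.config["AZURESDK"][
            "management_group_scope_policy_assignment"]
        assignment_scope = assignment_scope.format(
            managementGroup=management_group_id)

        parameters = self.create_assignment_body(policy_definition)

        policy_client = PolicyClient(credentials=credentials,
                                     subscription_id=subscription_id)

        mgmnt_group_policy_assingment = policy_client.policy_assignments.create(
            scope=assignment_scope,
            policy_assignment_name=policy_assignment_name,
            parameters=parameters,
        )
        print(mgmnt_group_policy_assingment)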
Esempio n. 8
    def test_list_query_results_for_policy_definition(self):
        """Smoke test: querying results for a configured policy definition does not raise."""
        # Name of the policy definition whose results are queried
        definition_name = self.test_data_config['AZURE_POLICY']["policy_name_04"]

        # Azure Active Directory credentials
        creds = AzureIdentityCredentialAdapter()
        insight_scope = PolicyDefinitionInsightScope(
            operations_path=TESTINGPATH, config_variables=TESTVARIABLES)

        insights = insight_scope.list_query_results_for_policy_definition(
            subscription_id=self.subscription_id,
            policy_definition_name=definition_name,
            credentials=creds)
        # NOTE(review): `insights` is never inspected and the assertion below
        # always passes, so only an exception can fail this test.
        self.assertEqual(True, True)
Esempio n. 9
    def create_at_management_group_scope(
            self,
            policy_definition_name,
            policy_definition_body,
            credentials=None,
            management_group_id=None,
            subscription_id=None,
    ):
        """
        Create or update a policy definition at a management group, with the
        caller choosing the definition's internal name.

        The policy_definition_name given here becomes the unique name within the
        Azure Tenant. That gives more control but can also yield name
        collisions: if a policy with the same internal name already exists,
        this method WILL OVERWRITE it.

        When management_group_id is omitted the write goes to self.tenant_id,
        i.e. the root management group, so pass an explicit group to keep the
        change narrower.

        :param policy_definition_name: internal name of the definition to write
        :param policy_definition_body: passed to the SDK as ``parameters``
        :param credentials: credential object handed to PolicyClient; a new
            AzureIdentityCredentialAdapter is created when omitted
        :param management_group_id: target management group; falls back to
            self.tenant_id when omitted
        :param subscription_id: subscription passed to PolicyClient; falls back
            to self.subscription_id when omitted
        :return: whatever create_or_update_at_management_group returns
        """
        creds = AzureIdentityCredentialAdapter() if credentials is None else credentials
        sub_id = self.subscription_id if subscription_id is None else subscription_id
        # No explicit group means the tenant id (root management group) is used.
        group_id = self.tenant_id if management_group_id is None else management_group_id

        definitions = PolicyClient(
            credentials=creds, subscription_id=sub_id
        ).policy_definitions
        return definitions.create_or_update_at_management_group(
            policy_definition_name=policy_definition_name,
            parameters=policy_definition_body,
            management_group_id=group_id,
        )
Esempio n. 10
    def list_for_management_group(
            self, management_group_id, credentials=None, subscription_id=None
    ):
        """
        List the policy definitions of a management group.

        :param management_group_id: management group to list; an explicit None
            falls back to self.tenant_id
        :param credentials: credential object handed to PolicyClient; a new
            AzureIdentityCredentialAdapter is created when omitted
        :param subscription_id: subscription passed to PolicyClient; falls back
            to self.subscription_id when omitted
        :return: whatever policy_definitions.list_by_management_group returns
            (it is not wrapped in a list here)
        """
        creds = AzureIdentityCredentialAdapter() if credentials is None else credentials
        sub_id = self.subscription_id if subscription_id is None else subscription_id
        # An explicit None selects the tenant id, i.e. the root management group.
        group_id = self.tenant_id if management_group_id is None else management_group_id

        client = PolicyClient(credentials=creds, subscription_id=sub_id)
        return client.policy_definitions.list_by_management_group(
            management_group_id=group_id
        )
Esempio n. 11
    def list_for_management_group(
        self,
        credentials=None,
        management_group_id=None,
        subscription_id=None,
        filter="atScope()",
    ):
        """
        List the policy assignments of a management group.

        :param credentials: credential object handed to PolicyClient; a new
            AzureIdentityCredentialAdapter is created when omitted
        :param management_group_id: management group to list; falls back to
            self.management_group_id when omitted
        :param subscription_id: subscription passed to PolicyClient; falls back
            to self.subscription_id when omitted
        :param filter: filter expression forwarded to the SDK call
        :return: list built from policy_assignments.list_for_management_group
        """
        creds = AzureIdentityCredentialAdapter() if credentials is None else credentials
        sub_id = self.subscription_id if subscription_id is None else subscription_id
        # Falls back to the management group configured on this instance.
        if management_group_id is None:
            group_id = self.management_group_id
        else:
            group_id = management_group_id

        client = PolicyClient(credentials=creds, subscription_id=sub_id)
        found = client.policy_assignments.list_for_management_group(
            management_group_id=group_id, filter=filter)
        # Materialise the SDK's iterable so callers get a plain list.
        return list(found)
Esempio n. 12
    def test_batch_create(self):
        """batch_create on a test-configured MopPolicyDefinition returns a truthy value."""
        # Built here but not passed on; batch_create() is called without arguments.
        credentials = AzureIdentityCredentialAdapter()

        definition_client = MopPolicyDefinition(
            operations_path=TESTINGPATH,
            config_variables=TESTVARIABLES,
        )
        assert definition_client.batch_create()