def test_find_by_name_definition(self, client_mock, policy_mock):
policy_mock.return_value.value = []
client_mock.policy_definitions.list.return_value = [PolicyDefinition(display_name='TEST')]
p = self.load_policy({
'name': 'test-azure-vm',
'resource': 'azure.vm',
'filters': [
{'type': 'value',
'key': 'name',
'op': 'eq',
'value_type': 'normalize',
'value': 'cctestvm'},
{'type': 'policy-compliant',
'definitions': ['TEST'],
'compliant': True}]
})
resources = p.run()
self.assertEqual(len(resources), 1)
p = self.load_policy({
'name': 'test-azure-vm',
'resource': 'azure.vm',
'filters': [
{'type': 'value',
'key': 'name',
'op': 'eq',
'value_type': 'normalize',
'value': 'cctestvm'},
{'type': 'policy-compliant',
'definitions': ['TEST'],
'compliant': False}]
})
resources = p.run()
self.assertEqual(len(resources), 0)
def create_policy_definition(name, rules, display_name=None, description=None):
if os.path.exists(rules):
rules = get_file_json(rules)
else:
rules = shell_safe_json_parse(rules)
policy_client = _resource_policy_client_factory()
parameters = PolicyDefinition(policy_rule=rules, description=description,
display_name=display_name)
return policy_client.policy_definitions.create_or_update(name, parameters)
def update_policy_definition(policy_definition_name, rules=None,
display_name=None, description=None):
if rules is not None:
if os.path.exists(rules):
rules = get_file_json(rules)
else:
rules = shell_safe_json_parse(rules)
policy_client = _resource_policy_client_factory()
definition = policy_client.policy_definitions.get(policy_definition_name)
#pylint: disable=line-too-long,no-member
parameters = PolicyDefinition(policy_rule=rules if rules is not None else definition.policy_rule,
description=description if description is not None else definition.description,
display_name=display_name if display_name is not None else definition.display_name)
return policy_client.policy_definitions.create_or_update(policy_definition_name, parameters)
def create_policy_definition(self, policy_config: PolicyConfig):
"""define policy at subscription scope"""
# DeployIfNotExist is not supported by SDK. see ref: https://github.com/Azure/azure-policy/issues/20
# Use CLI for deployIfNotExist instead
self.policy_client = PolicyClient(self.credentials,
policy_config.subscription_id)
policy_definition = PolicyDefinition(
mode="All",
display_name=policy_config.policy_display_name,
description=policy_config.policy_description,
policy_rule=policy_config.policy_rule,
)
policy_effect = policy_config.policy_rule.get("then").get(
"effect").lower()
if policy_effect == "deployifnotexists":
return self.__policy_definition_cli(policy_config)
else:
return self.policy_client.policy_definitions.create_or_update(
policy_config.policy_name, policy_definition)
def create_and_assign_policy(self, scope: str, policies: dict,
deployment_parameters: dict):
"""Function creates and assigns policies by reading a file located in policies/shared-services|workload/arm.policies.json (subscription level) or
policies/shared-services|workload/resource/arm.policies.json (resource group level)
:param scope: Scope of the policy assignment
:type scope: str
:param policies: Policies (json deserialized) object
:type policies: dict
:param deployment_parameters: Deployment parameters used to replace tokens, if any exists in the policy file(s)
:type deployment_parameters: dict
:raises: :class:`Exception`
"""
try:
for policy in policies:
policy_creation_parameters: PolicyDefinition = \
PolicyDefinition()
policy_assignment_parameters: PolicyAssignment = \
PolicyAssignment()
policy_definition_id = ''
if 'policyDefinitionId' not in policy or \
len(policy['policyDefinitionId']) == 0:
policy_creation_parameters\
.policy_rule = policy['rules']
policy_creation_parameters\
.display_name = policy['name']
policy_creation_parameters\
.description = policy['description']
policy_creation_parameters\
.metadata = dict({
'category': 'VDC'
})
if 'parameters' in policy:
policy_creation_parameters\
.parameters = policy['parameters']
policy_creation_return = \
self._policy_client\
.policy_definitions\
.create_or_update(
policy['name'],
policy_creation_parameters)
policy_definition_id =\
policy_creation_return.id
# Let's create policy assignment object
policy_assignment_parameters\
.name = \
policy['name']
policy_assignment_parameters\
.display_name = \
policy['name']
else:
policy_definition_id = \
policy['policyDefinitionId']
policy_assignment_parameters\
.policy_definition_id = \
policy_definition_id
# Assign policies if there are no policy parameters
# or if there are policy parameters plus parameters-value
# parameters-value contains the values corresponding to
# the different policy parameters
if 'policyDefinitionId' in policy or\
'parameters' not in policy or \
('parameters' in policy and \
'parameters-value' in policy):
if 'parameters-value' in policy:
policy_assignment_parameters\
.parameters = \
policy['parameters-value']
try:
self._policy_client\
.policy_assignments\
.create(
scope,
policy['name'],
policy_assignment_parameters)
except Exception as ex:
print(str(ex))
except Exception as ex:
self._logger.error(
'There was an error while creating/assigning policies')
self._logger.error(ex)
raise ex