Add policy set definition commands (#4515)

* Initial commit for policy set definition commands

* Add sku, policysetdefinition to policy assignment create

* move policy set definition under api check

* Address some feedback

* Add notScopes to assignment create, new record for existing test to ensure no regression

* Fix not scopes issues

* fix pylint issue

* Check for free sku in policy assignment

* Add checks for not scopes

* Add policy set tests

* Fix policy record

* Fix pylint

* nits

* Fix CI issue

* Fix error message format

* fix check style issue

Author: vivsriaus

azure-cli.pyproj

@@ -995,6 +995,7 @@
     <Content Include="command_modules\azure-cli-resource\azure\cli\command_modules\resource\tests\param-validation-params.json" />
     <Content Include="command_modules\azure-cli-resource\azure\cli\command_modules\resource\tests\param-validation-ref-params.json" />
     <Content Include="command_modules\azure-cli-resource\azure\cli\command_modules\resource\tests\param-validation-template.json" />
+    <Content Include="command_modules\azure-cli-resource\azure\cli\command_modules\resource\tests\sample_policy_set.json" />
     <Content Include="command_modules\azure-cli-resource\azure\cli\command_modules\resource\tests\sample_policy_rule.json" />
     <Content Include="command_modules\azure-cli-resource\azure\cli\command_modules\resource\tests\simple_deploy.json" />
     <Content Include="command_modules\azure-cli-resource\azure\cli\command_modules\resource\tests\simple_deploy_parameters.json" />

src/azure-cli-core/azure/cli/core/profiles/_shared.py

@@ -66,7 +66,7 @@ def __init__(self, import_prefix, client_name):
         ResourceType.MGMT_RESOURCE_FEATURES: '2015-12-01',
         ResourceType.MGMT_RESOURCE_LINKS: '2016-09-01',
         ResourceType.MGMT_RESOURCE_LOCKS: '2016-09-01',
-        ResourceType.MGMT_RESOURCE_POLICY: '2016-12-01',
+        ResourceType.MGMT_RESOURCE_POLICY: '2017-06-01-preview',
         ResourceType.MGMT_RESOURCE_RESOURCES: '2017-05-10',
         ResourceType.MGMT_RESOURCE_SUBSCRIPTIONS: '2016-06-01',
         ResourceType.DATA_STORAGE: '2017-04-17'

src/command_modules/azure-cli-acr/setup.py

@@ -31,7 +31,7 @@
 
 DEPENDENCIES = [
     'azure-cli-core',
-    'azure-mgmt-resource==1.2.0rc2',
+    'azure-mgmt-resource==1.2.0rc3',
     'azure-mgmt-storage==1.2.0',
     'azure-mgmt-containerregistry==0.3.1',
 ]

src/command_modules/azure-cli-network/setup.py

@@ -33,7 +33,7 @@
     'azure-mgmt-network==1.5.0rc3',
     'azure-mgmt-trafficmanager==0.40.0',
     'azure-mgmt-dns==1.0.1',
-    'azure-mgmt-resource==1.2.0rc2',
+    'azure-mgmt-resource==1.2.0rc3',
     'azure-cli-core',
     'mock'
 ]

src/command_modules/azure-cli-resource/HISTORY.rst

@@ -6,6 +6,8 @@ Release History
 +++++++++++++++++++
 * policy: support to show built-in policy definition.
 * policy: support mode parameter for creating policy definitions.
+* policy: add policy set definition commands.
+* policy: add sku and policysetdefinition parameters when creating policy assignment
 * managedapp definition: support to create managedapp definition using create-ui-definition and main-template.
 * BREAKING CHANGE: managedapp: Update to latest ARM package, which includes changing resource type from appliances to applications and applianceDefinitions to applicationDefinitions.
 * resource invoke-action: supports ability to invoke any action onto resource, also supports user-specified url to post.

src/command_modules/azure-cli-resource/azure/cli/command_modules/resource/_client_factory.py

@@ -78,6 +78,10 @@ def cf_policy_definitions(_):
     return _resource_policy_client_factory().policy_definitions
 
 
+def cf_policy_set_definitions(_):
+    return _resource_policy_client_factory().policy_set_definitions
+
+
 def cf_management_locks(_):
     return _resource_lock_client_factory().management_locks
 

src/command_modules/azure-cli-resource/azure/cli/command_modules/resource/_help.py

@@ -172,7 +172,7 @@
                                 }
                             }
                         }
-            """
+"""
 helps['policy definition delete'] = """
     type: command
     short-summary: Delete a policy definition.
@@ -189,6 +189,43 @@
     type: command
     short-summary: List policy definitions.
 """
+helps['policy set-definition'] = """
+    type: group
+    short-summary: Manage resource policy set definitions.
+"""
+helps['policy set-definition create'] = """
+            type: command
+            short-summary: Create a policy set definition.
+            parameters:
+                - name: --definitions
+                  type: string
+                  short-summary: Policy definitions in JSON format, or a path to a file containing JSON rules.
+            examples:
+                - name: Create a policy set definition.
+                  text: |
+                    az policy setdefinition create -n readOnlyStorage --definitions \\
+                        [ \\
+                            { \\
+                                "policyDefinitionId": "/subscriptions/mySubId/providers/Microsoft.Authorization/policyDefinitions/storagePolicy" \\
+                            } \\
+                        ]
+"""
+helps['policy set-definition delete'] = """
+    type: command
+    short-summary: Delete a policy set definition.
+"""
+helps['policy set-definition show'] = """
+    type: command
+    short-summary: get a policy set definition.
+"""
+helps['policy set-definition update'] = """
+    type: command
+    short-summary: Update a policy set definition.
+"""
+helps['policy set-definition list'] = """
+    type: command
+    short-summary: List policy set definitions.
+"""
 helps['policy assignment'] = """
     type: group
     short-summary: Manage resource policy assignments.

src/command_modules/azure-cli-resource/azure/cli/command_modules/resource/_params.py

@@ -14,8 +14,9 @@
 from azure.cli.core.commands.parameters import (ignore_type, resource_group_name_type, tag_type,
                                                 tags_type, get_resource_group_completion_list,
                                                 enum_choice_list, no_wait_type, file_type)
-from .custom import (get_policy_completion_list, get_policy_assignment_completion_list,
-                     get_resource_types_completion_list, get_providers_completion_list)
+from .custom import (get_policy_completion_list, get_policy_set_completion_list,
+                     get_policy_assignment_completion_list, get_resource_types_completion_list,
+                     get_providers_completion_list)
 from ._validators import process_deployment_create_namespace, validate_lock_parameters
 
 # BASIC PARAMETER CONFIGURATION
@@ -78,7 +79,6 @@
                             help='mode of the new policy definition.',
                             **enum_choice_list(PolicyMode))
 
-
 register_cli_argument('policy definition', 'display_name', help='display name of policy definition')
 register_cli_argument('policy definition', 'description', help='description of policy definition')
 register_cli_argument('policy assignment', 'name', options_list=('--name', '-n'), completer=get_policy_assignment_completion_list, help='name of the assignment')
@@ -88,10 +88,28 @@
     c.register_cli_argument('policy assignment create', 'params', options_list=('--params', '-p'),
                             help='JSON formatted string or path to file with parameter values of policy rule')
 
+with VersionConstraint(ResourceType.MGMT_RESOURCE_POLICY, min_api='2017-06-01-preview') as c:
+    existing_policy_set_definition_name_type = CliArgumentType(options_list=('--name', '-n'), completer=get_policy_set_completion_list, help='The policy set definition name')
+    c.register_cli_argument('policy set-definition', 'policy_set_definition_name', arg_type=existing_policy_set_definition_name_type)
+    c.register_cli_argument('policy set-definition create', 'name', options_list=('--name', '-n'), help='name of the new policy set definition')
+    c.register_cli_argument('policy set-definition', 'display_name', help='display name of policy set definition')
+    c.register_cli_argument('policy set-definition', 'description', help='description of policy set definition')
+    c.register_cli_argument('policy set-definition', 'params',
+                            help='JSON formatted string or a path to a file or uri with parameter definitions',
+                            type=file_type, completer=FilesCompleter())
+    c.register_cli_argument('policy set-definition', 'definitions',
+                            help='JSON formatted string or a path to a file or uri with such content',
+                            type=file_type, completer=FilesCompleter())
+    c.register_cli_argument('policy assignment create', 'policy_set_definition', options_list=('--policy-set-definition', '-d'),
+                            help='name or id of the policy set definition.')
+    c.register_cli_argument('policy assignment create', 'sku', options_list=('--sku', '-s'),
+                            help='policy sku.', **enum_choice_list(['free', 'standard']))
+    c.register_cli_argument('policy assignment create', 'notscopes', options_list=('--not-scopes'), nargs='+')
+
 register_cli_argument('policy assignment', 'scope', help='scope at which this policy assignment applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM')
 register_cli_argument('policy assignment', 'disable_scope_strict_match', action='store_true', help='include assignment either inhertied from parent scope or at child scope')
 register_cli_argument('policy assignment', 'display_name', help='display name of the assignment')
-register_cli_argument('policy assignment', 'policy', help='policy name or fully qualified id', completer=get_policy_completion_list)
+register_cli_argument('policy assignment', 'policy', help='name or id of the policy definition.', completer=get_policy_completion_list)
 
 register_cli_argument('group', 'tag', tag_type)
 register_cli_argument('group', 'tags', tags_type)

src/command_modules/azure-cli-resource/azure/cli/command_modules/resource/commands.py

@@ -21,6 +21,7 @@
                                                                 cf_deployments,
                                                                 cf_deployment_operations,
                                                                 cf_policy_definitions,
+                                                                cf_policy_set_definitions,
                                                                 cf_resource_links,
                                                                 cf_resource_managedapplications,
                                                                 cf_resource_managedappdefinitions)
@@ -125,6 +126,13 @@ def transform_deployments_list(result):
 cli_command(__name__, 'policy definition show', 'azure.cli.command_modules.resource.custom#get_policy_definition', exception_handler=empty_on_404)
 cli_command(__name__, 'policy definition update', 'azure.cli.command_modules.resource.custom#update_policy_definition')
 
+if supported_api_version(ResourceType.MGMT_RESOURCE_POLICY, min_api='2017-06-01-preview'):
+    cli_command(__name__, 'policy set-definition create', 'azure.cli.command_modules.resource.custom#create_policy_setdefinition')
+    cli_command(__name__, 'policy set-definition delete', 'azure.mgmt.resource.policy.operations#PolicySetDefinitionsOperations.delete', cf_policy_set_definitions)
+    cli_command(__name__, 'policy set-definition list', 'azure.mgmt.resource.policy.operations#PolicySetDefinitionsOperations.list', cf_policy_set_definitions)
+    cli_command(__name__, 'policy set-definition show', 'azure.cli.command_modules.resource.custom#get_policy_setdefinition', exception_handler=empty_on_404)
+    cli_command(__name__, 'policy set-definition update', 'azure.cli.command_modules.resource.custom#update_policy_setdefinition')
+
 cli_command(__name__, 'lock create', 'azure.cli.command_modules.resource.custom#create_lock')
 cli_command(__name__, 'lock delete', 'azure.cli.command_modules.resource.custom#delete_lock')
 cli_command(__name__, 'lock list', 'azure.cli.command_modules.resource.custom#list_locks')