Command module for Microsoft.PolicyInsights #6378
Conversation
…ams, help, completers, etc.)
…icyinsights" command group)
|
View a preview at https://prompt.ws/r/Azure/azure-cli/6378 |
Codecov Report
@@ Coverage Diff @@
## dev #6378 +/- ##
===================================
Coverage 0% 0%
===================================
Files 11 11
Lines 133 133
Branches 9 9
===================================
Misses 133 133Continue to review full report at Codecov.
|
| type: string | ||
|
|
||
| - name: --apply | ||
| type: string |
There was a problem hiding this comment.
None of these parameters entries are required.
There was a problem hiding this comment.
thanks. will remove
| - name: --policy-set-definition-name -ps | ||
| type: string | ||
|
|
||
| - name: --policy-definition-name -pd |
There was a problem hiding this comment.
Short options can only be a single character.
| with self.argument_context('policy event') as c: | ||
| c.argument( | ||
| 'management_group_name', | ||
| options_list=('--management-group-name', '-m'), |
There was a problem hiding this comment.
Please use list syntax (square brackets) and not tuple notation for options_list.
| c.argument( | ||
| 'from_value', | ||
| options_list=('--from'), | ||
| help='Timestamp specifying the start time of the interval to query.') |
There was a problem hiding this comment.
What is the format of this? How are you (or are you?) validating this?
There was a problem hiding this comment.
iso-8601. azure-mgmt-policyinsights API validates it to be iso-8601 and server validates it as well.
There was a problem hiding this comment.
You should probably give the timestamp format as part of the parameter help
There was a problem hiding this comment.
thanks. will do.
| 'all_results', | ||
| options_list=('--all'), | ||
| arg_type=get_three_state_flag(), | ||
| help='Within the specified time interval, get all policy states instead of the latest only.') |
There was a problem hiding this comment.
Is this a flag on the command behavior or a Boolean property? three_state_flag is intended for Boolean properties only. https://github.com/Azure/azure-cli/blob/dev/doc/authoring_command_modules/authoring_commands.md#registering-flags
There was a problem hiding this comment.
It is a Boolean parameter.
There was a problem hiding this comment.
Since it isn't saved (it's not a Boolean property on a resource) this should probably not use three_state_flag but instead use just "action=store_true"
There was a problem hiding this comment.
Thanks for the clarification. Will change this.
| help='Resource group name.') | ||
| c.argument( | ||
| 'resource_id', | ||
| options_list=('--resource-id', '-r'), |
There was a problem hiding this comment.
If this can be an arbitrary resource, it should expose the full range of resource ID or named components. See:
https://github.com/Azure/azure-cli/blob/dev/doc/authoring_command_modules/authoring_commands.md#supporting-name-or-id-parameters
There was a problem hiding this comment.
This makes the CLI inconsistent with the PS API, and ambiguous in itself. Our RP is an extension RP, and can be called with any resource as a scope. In the swagger API we specifically refrained from making parts of ARM resource ID separate parameters because that would make it impossible to support multiple nested level resources. API board review agreed on that. If we change this now in the CLI contract (so that we can support resource names), we will need to add multiple levels of namespace and resource type arguments, which makes the API unusable (and inconsistent with the PS API. Feel free to reach out to me to go over the swagger specs, PS API and any other details.
There was a problem hiding this comment.
Consistency with Powershell is not important in the CLI, but consistency with other modules in the CLI is. This requires no change to swagger or the API.
There was a problem hiding this comment.
As discussed offline, I'll implement additional parameters to make resourceid a resource that can take either an ID or a name.
| c.argument( | ||
| 'to_value', | ||
| options_list=('--to'), | ||
| help='Timestamp specifying the end time of the interval to query.') |
There was a problem hiding this comment.
There seems to be a lot of duplication of arguments. Please review: https://github.com/Azure/azure-cli/blob/dev/doc/authoring_command_modules/authoring_commands.md#customize-arguments
Please register your arguments at the appropriate scopes to avoid copy/paste duplicate code.
There was a problem hiding this comment.
This is unavoidable. "policy event" and "policy state" share those parameters, but those do not exist in "policy".
If there is a way to define them once and use in different 'with' statements, please let me know - this is the first time I'm touching Phthon code.
There was a problem hiding this comment.
You can use a for loop:
for scope in ['state', 'event']:
with self.argument_context('policy {}'.format(scope)) as c:
There was a problem hiding this comment.
state has one additional parameter. can i add it to the context after this?
There was a problem hiding this comment.
Looks like I can. thanks!
There was a problem hiding this comment.
If a parameter doesn't exist in a scope, it is ignored, so you don't need to worry too much about extras.
There was a problem hiding this comment.
Cool. Just to make this explicit, I did common ones in a for loop and then specifically added the extra one (--all) for state into the context. It worked.
| c.ignore('all_results') | ||
| c.ignore('order_by_clause') | ||
| c.ignore('select_clause') | ||
| c.ignore('apply_clause') |
There was a problem hiding this comment.
You can put all of these parameters in a single ignore entry.
| ) | ||
|
|
||
| with self.command_group('policy event', policy_events_sdk, client_factory=policy_events_operations) as g: | ||
| g.custom_command('list', 'list_policy_events') |
There was a problem hiding this comment.
These commands are going to live side-by-side with the policy commands defined in azure-cli-resource. Is there a reason you don't just add your commands to that module?
There was a problem hiding this comment.
Yes, my intention is to maintain this package separately yet be part of the same command set. If the latter had not worked, I was planning to make it a separate command set.
There was a problem hiding this comment.
Where do/will the powershell commands reside? If they are separate from the rest of the policy commands then this is also fine for us @twitchax
There was a problem hiding this comment.
In PS, there is no command set concept. You can name your cmdlets the way you want following some naming conventions. We have 3 cmdlets in PS: Get-AzureRmPolicyEvent, Get-AzureRmPolicyState and Get-AzureRmPolicyStateSummary.
There was a problem hiding this comment.
I want to maintain the package separately for our RP. Not having to name the command set policyinsights makes it consistent with PS as well. This is probably not important for CLI, but I think it makes it much easier for customers to remember.
There was a problem hiding this comment.
We're fine with the new module in the CLI as in powershell, the policyinsights folder is also separate from that of resources
| default_subscription_id, | ||
| query_options) | ||
|
|
||
| return summary.value[0] |
There was a problem hiding this comment.
What is the difference between summary and list?
There was a problem hiding this comment.
List returns a list of policy states. Summarize returns pre-cooked aggregations as a summary object. Feel free to reach out to me if you need more info on the RP. I explained the RP to @williexu briefly.
|
@tjprescott @williexu Merged some of the requested changes. For the others and questions please see my comments above. |
* Remove --subscription_id parameter * Change --all to be store_true * Change --resource_id to be --resource which can take resource ID or name * Add --resource-provider-namespace and --resource-type parameters that are required if --resource is not an ID
|
@tjprescott @williexu Updated the PR with the rest of the requested changes. |
| c.argument( | ||
| 'apply_clause', | ||
| options_list=['--apply'], | ||
| help='Apply expression for aggregations using OData notation.') |
There was a problem hiding this comment.
Use the arg_group kwarg to group similar arguments. Ex. "Resource Id", "Query", "Policy", etc.
| 'resource_type', | ||
| options_list=['--resource-type', '-t'], | ||
| completer=get_resource_types_completion_list, | ||
| help='Resource type.') |
There was a problem hiding this comment.
Can you format the resource args to align more closely with that of az resource?
Help for resource show shown below:
(env36) C:\Users\wilx\azure-cli>az resource show -h
Command
az resource show: Get the details of a resource.
Arguments
--include-response-body: Use if the default command output doesn't capture all of the property
data. Allowed values: false, true.
Resource Id Arguments
--api-version : The api version of the resource (omit for latest).
--ids : One or more resource IDs (space-delimited). If provided, no other
"Resource Id" arguments should be specified.
--name -n : The resource name. (Ex: myC).
--namespace : Provider namespace (Ex: 'Microsoft.Provider').
--parent : The parent path (Ex: 'resA/myA/resB/myB').
--resource-group -g : Name of resource group. You can configure the default group using `az
configure --defaults group=<name>`.
--resource-type : The resource type (Ex: 'resC'). Can also accept namespace/type format
(Ex: 'Microsoft.Provider/resC').
There was a problem hiding this comment.
As discussed, this does not apply to us.
There was a problem hiding this comment.
I will make the changes to align other resource parameters with the resources command set (will change names and add a parent parameter)
There was a problem hiding this comment.
Yep, ignore the --ids parameter and allow --resource to accept both an id and name.
| subscription_id, | ||
| query_options) | ||
|
|
||
| return summary.value[0] |
There was a problem hiding this comment.
Why do we only return the first value in the list?
There was a problem hiding this comment.
The REST API path returns a list but the list always contains a single object (summary object).
|
|
||
| subscription_id = get_subscription_id(cmd.cli_ctx) | ||
|
|
||
| if policy_assignment_name is not None: |
There was a problem hiding this comment.
Can the names be an empty string? If not, change this to if policy_assignment_name:.
Same for others below.
| name=resource) | ||
| events = client.list_query_results_for_resource( | ||
| resource, | ||
| query_options) |
There was a problem hiding this comment.
Please provide a test for resource id scenario.
Also, what happens with more complex resource-ids like subnets? Here's an example id:
/subscriptions/<sub id>/resourceGroups/clitestlab/providers/Microsoft.Network/virtualNetworks/Dtlcliautomationlab/subnets/DtlcliautomationlabSubnet
There was a problem hiding this comment.
As discussed, I will add a test for that with a hard coded resource id which will not be enabled for live execution.
* Add arg_group to all parameters * Don't override existing global resource_group_name parameter attributes other than arg_group; this way argument name and help stays standard with other commands. * Change the name of the resource provider namespace argument to make it consistent with resource package * Add parent argument to be used for resource name case to help specify nested resources * Handle empty string in arguments * Extend the scenario test to test all scopes and parameters; make it record only
|
rebase to get the updates from #6407 please |
|
@tjprescott @williexu Updated the PR with the rest of the requested changes. |
williexu
left a comment
williexu
left a comment
There was a problem hiding this comment.
Looks generally good, small comments
| arg_group='Scope') | ||
| c.argument( | ||
| 'resource', | ||
| options_list=['--resource', '-r'], |
There was a problem hiding this comment.
the -r option should not be given as it is not available for other instances of --resource in the CLI and the default option is relatively short
There was a problem hiding this comment.
Forgot to remove. Will do.
| help='Resource type (Ex: ''resC'').') | ||
| c.argument( | ||
| 'policy_set_definition_name', | ||
| options_list=['--policy-set-definition-name', '-p'], |
There was a problem hiding this comment.
-s for set would be a much better choice
There was a problem hiding this comment.
Agreed. Will change it.
|
@tjprescott @williexu Made the small changes as well. Is this good to go? |
|
@tjprescott @williexu When merged, do I need to do anything for publishing this to PyPl? If not, how long after the merge should I expect it to be available there for PIP install? |
|
@bulentelmaci https://github.com/Azure/azure-cli/milestones has the dates of our release |
tjprescott
left a comment
tjprescott
left a comment
There was a problem hiding this comment.
There's a major inconsistency between the "Resource ID" arguments and the "Scope" arguments. We should review options offline.
|
@tjprescott “Resource ID” which is one of the query scopes (like MG, subscription, RG, policy set/definition/assignment) for policy events and states has no direct association to the scope for a policy assignment. I’ll ping you offline to explain and discuss. |
williexu
left a comment
williexu
left a comment
There was a problem hiding this comment.
More small fixes that came to mind.
The options_lists for --resource and --resource-type don't need to be given. By default, we will convert underscore-separated arguments to the corresponding arguments that users see, i.e. resource_type to --resource-type
| options_list=['--resource'], | ||
| validator=validate_resource, | ||
| arg_group='Resource ID', | ||
| help='Resource ID or resource name.') |
There was a problem hiding this comment.
I'd recommend adding an extra line to the help along the lines of,
If an name is given, please provide the resource_group and other relevant resource id arguments.
This is because --resource-group will be under a different argument group.
| arg_group='Scope') | ||
| c.argument( | ||
| 'resource', | ||
| options_list=['--resource'], |
There was a problem hiding this comment.
You can remove this options_list
| help='The parent path (Ex: ''resA/myA/resB/myB'').') | ||
| c.argument( | ||
| 'resource_type', | ||
| options_list=['--resource-type'], |
|
@tjprescott for a last look |
7 participants
Command module for the new Microsoft.PolicyInsights RP.
This checklist is used to make sure that common guidelines for a pull request are followed.
The PR has modified HISTORY.rst describing any customer-facing, functional changes. Note that this does not include changes only to help content. (see Modifying change log).
I adhere to the Command Guidelines.