Command module for Microsoft.PolicyInsights

.github/CODEOWNERS

@@ -22,6 +22,7 @@
 /src/command_modules/azure-cli-keyvault/ @tjprescott
 /src/command_modules/azure-cli-monitor/ @troydai
 /src/command_modules/azure-cli-network/ @tjprescott
+/src/command_modules/azure-cli-policyinsights/ @bulentelmaci
 /src/command_modules/azure-cli-profile/ @yugangw-msft
 /src/command_modules/azure-cli-storage/ @troydai
 /src/command_modules/azure-cli-servicefabric/ @QingChenmsft

doc/sphinx/azhelpgen/doc_source_map.json

@@ -36,6 +36,7 @@
     "monitor": "src/command_modules/azure-cli-monitor/azure/cli/command_modules/monitor/_help.py",
     "network": "src/command_modules/azure-cli-network/azure/cli/command_modules/network/_help.py",
     "policy": "src/command_modules/azure-cli-resource/azure/cli/command_modules/resource/_help.py",
+    "policyinsights": "src/command_modules/azure-cli-policyinsights/azure/cli/command_modules/policyinsights/_help.py",
     "provider": "src/command_modules/azure-cli-resource/azure/cli/command_modules/resource/_help.py",
     "rdbms": "src/command_modules/azure-cli-rdbms/azure/cli/command_modules/rdbms/_help.py",
     "redis": "src/command_modules/azure-cli-redis/azure/cli/command_modules/redis/_help.py",

src/command_modules/azure-cli-policyinsights/HISTORY.rst

@@ -0,0 +1,9 @@
+.. :changelog:
+
+Release History
+===============
+
+0.1.0
+++++++++++++++++++
+
+* Initial Release

src/command_modules/azure-cli-policyinsights/MANIFEST.in

@@ -0,0 +1 @@
+include *.rst

src/command_modules/azure-cli-policyinsights/README.rst

@@ -0,0 +1,7 @@
+Microsoft Azure CLI 'policyinsights' Command Module
+===================================================
+
+This package is for the 'policyinsights' module.
+i.e. 'az policy event' and 'az policy state'
+
+

src/command_modules/azure-cli-policyinsights/azure/__init__.py

@@ -0,0 +1,7 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+import pkg_resources
+pkg_resources.declare_namespace(__name__)

src/command_modules/azure-cli-policyinsights/azure/cli/__init__.py

@@ -0,0 +1,7 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+import pkg_resources
+pkg_resources.declare_namespace(__name__)

src/command_modules/azure-cli-policyinsights/azure/cli/command_modules/__init__.py

@@ -0,0 +1,7 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+import pkg_resources
+pkg_resources.declare_namespace(__name__)

src/command_modules/azure-cli-policyinsights/azure/cli/command_modules/policyinsights/__init__.py

@@ -0,0 +1,39 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+# pylint: disable=unused-import
+
+from azure.cli.command_modules.policyinsights._help import helps
+from azure.cli.core import AzCommandsLoader
+
+
+class PolicyInsightsCommandsLoader(AzCommandsLoader):
+
+    def __init__(self, cli_ctx=None):
+        from azure.cli.core.commands import CliCommandType
+        from ._exception_handler import policy_insights_exception_handler
+
+        policyinsights_custom = CliCommandType(
+            operations_tmpl='azure.cli.command_modules.policyinsights.custom#{}',
+            exception_handler=policy_insights_exception_handler)
+
+        super(PolicyInsightsCommandsLoader, self).__init__(
+            cli_ctx=cli_ctx,
+            min_profile='2017-03-10-profile',
+            custom_command_type=policyinsights_custom)
+
+    def load_command_table(self, args):
+        from .commands import load_command_table
+
+        load_command_table(self, args)
+        return self.command_table
+
+    def load_arguments(self, command):
+        from ._params import load_arguments
+
+        load_arguments(self, command)
+
+
+COMMAND_LOADER_CLS = PolicyInsightsCommandsLoader

src/command_modules/azure-cli-policyinsights/azure/cli/command_modules/policyinsights/_client_factory.py

@@ -0,0 +1,19 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+
+def _cf_policy_insights(cli_ctx, **_):
+    from azure.cli.core.commands.client_factory import get_mgmt_service_client
+    from azure.mgmt.policyinsights import PolicyInsightsClient
+
+    return get_mgmt_service_client(cli_ctx, PolicyInsightsClient, subscription_bound=False)
+
+
+def policy_events_operations(cli_ctx, _):
+    return _cf_policy_insights(cli_ctx).policy_events
+
+
+def policy_states_operations(cli_ctx, _):
+    return _cf_policy_insights(cli_ctx).policy_states

src/command_modules/azure-cli-policyinsights/azure/cli/command_modules/policyinsights/_exception_handler.py

@@ -0,0 +1,19 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from azure.cli.core.util import CLIError
+
+
+def policy_insights_exception_handler(ex):
+    from azure.mgmt.policyinsights.models import QueryFailureException
+
+    if isinstance(ex, QueryFailureException):
+        message = '({}) {}'.format(ex.error.error.code, ex.error.error.message)
+        raise CLIError(message)
+    else:
+        import sys
+        from six import reraise
+
+        reraise(*sys.exc_info())

src/command_modules/azure-cli-policyinsights/azure/cli/command_modules/policyinsights/_help.py

@@ -0,0 +1,174 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from knack.help_files import helps
+
+helps['policy event'] = """
+    type: group
+    short-summary: Manage policy events.
+"""
+helps['policy event list'] = """
+    type: command
+    short-summary: List policy events.
+    examples:
+        - name: Get policy events at current subscription scope created in the last day.
+          text: >
+              az policy event list
+        - name: Get policy events at management group scope.
+          text: >
+              az policy event list -m "myMg"
+        - name: Get policy events at resource group scope in current subscription.
+          text: >
+              az policy event list -g "myRg"
+        - name: Get policy events for a resource using resource ID.
+          text: >
+              az policy event list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup /providers/Microsoft.EventHub/namespaces/myns1/eventhubs/eh1/consumergroups/cg1"
+        - name: Get policy events for a resource using resource name.
+          text: >
+              az policy event list --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup"
+        - name: Get policy events for a nested resource using resource name.
+          text: >
+              az policy event list --resource "myRule1" --namespace "Microsoft.Network" --resource-type "securityRules" --parent "networkSecurityGroups/mysecuritygroup1" -g "myresourcegroup"
+        - name: Get policy events for a policy set definition in current subscription.
+          text: >
+              az policy event list -s "fff58873-fff8-fff5-fffc-fffbe7c9d697"
+        - name: Get policy events for a policy definition in current subscription.
+          text: >
+              az policy event list -d "fff69973-fff8-fff5-fffc-fffbe7c9d698"
+        - name: Get policy events for a policy assignment in current subscription.
+          text: >
+              az policy event list -a "ddd8ef92e3714a5ea3d208c1"
+        - name: Get policy events for a policy assignment in the specified resource group in current subscription.
+          text: >
+              az policy event list -g "myRg" -a "ddd8ef92e3714a5ea3d208c1"
+        - name: Get top 5 policy events in current subscription, selecting a subset of properties and customizing ordering.
+          text: >
+              az policy event list --top 5 --order-by "timestamp desc, policyAssignmentName asc" --select "timestamp, resourceId, policyAssignmentId, policySetDefinitionId, policyDefinitionId"
+        - name: Get policy events in current subscription during a custom time interval.
+          text: >
+              az policy event list --from "2018-03-08T00:00:00Z" --to "2018-03-15T00:00:00Z"
+        - name: Get policy events in current subscription filtering results based on some property values.
+          text: >
+              az policy event list --filter "(policyDefinitionAction eq 'deny' or policyDefinitionAction eq 'audit') and resourceLocation ne 'eastus'"
+        - name: Get number of policy events in current subscription.
+          text: >
+              az policy event list --apply "aggregate($count as numberOfRecords)"
+        - name: Get policy events in current subscription aggregating results based on some properties.
+          text: >
+              az policy event list --apply "groupby((policyAssignmentId, policyDefinitionId, policyDefinitionAction, resourceId), aggregate($count as numEvents))"
+        - name: Get policy events in current subscription grouping results based on some properties.
+          text: >
+              az policy event list --apply "groupby((policyAssignmentName, resourceId))"
+        - name: Get policy events in current subscription aggregating results based on some properties specifying multiple groupings.
+          text: >
+              az policy event list --apply "groupby((policyAssignmentId, policyDefinitionId, resourceId))/groupby((policyAssignmentId, policyDefinitionId), aggregate($count as numResourcesWithEvents))"
+"""
+helps['policy state'] = """
+    type: group
+    short-summary: Manage policy compliance states.
+"""
+helps['policy state list'] = """
+    type: command
+    short-summary: List policy compliance states.
+    examples:
+        - name: Get latest policy states at current subscription scope.
+          text: >
+              az policy state list
+        - name: Get all policy states at current subscription scope.
+          text: >
+              az policy state list --all
+        - name: Get latest policy states at management group scope.
+          text: >
+              az policy state list -m "myMg"
+        - name: Get latest policy states at resource group scope in current subscription.
+          text: >
+              az policy state list -g "myRg"
+        - name: Get latest policy states for a resource using resource ID.
+          text: >
+              az policy state list --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup /providers/Microsoft.EventHub/namespaces/myns1/eventhubs/eh1/consumergroups/cg1"
+        - name: Get latest policy states for a resource using resource name.
+          text: >
+              az policy state list --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup"
+        - name: Get latest policy states for a nested resource using resource name.
+          text: >
+              az policy state list --resource "myRule1" --namespace "Microsoft.Network" --resource-type "securityRules" --parent "networkSecurityGroups/mysecuritygroup1" -g "myresourcegroup"
+        - name: Get latest policy states for a policy set definition in current subscription.
+          text: >
+              az policy state list -s "fff58873-fff8-fff5-fffc-fffbe7c9d697"
+        - name: Get latest policy states for a policy definition in current subscription.
+          text: >
+              az policy state list -d "fff69973-fff8-fff5-fffc-fffbe7c9d698"
+        - name: Get latest policy states for a policy assignment in current subscription.
+          text: >
+              az policy state list -a "ddd8ef92e3714a5ea3d208c1"
+        - name: Get latest policy states for a policy assignment in the specified resource group in current subscription.
+          text: >
+              az policy state list -g "myRg" -a "ddd8ef92e3714a5ea3d208c1"
+        - name: Get top 5 latest policy states in current subscription, selecting a subset of properties and customizing ordering.
+          text: >
+              az policy state list --top 5 --order-by "timestamp desc, policyAssignmentName asc" --select "timestamp, resourceId, policyAssignmentId, policySetDefinitionId, policyDefinitionId"
+        - name: Get latest policy states in current subscription during a custom time interval.
+          text: >
+              az policy state list --from "2018-03-08T00:00:00Z" --to "2018-03-15T00:00:00Z"
+        - name: Get latest policy states in current subscription filtering results based on some property values.
+          text: >
+              az policy state list --filter "(policyDefinitionAction eq 'deny' or policyDefinitionAction eq 'audit') and resourceLocation ne 'eastus'"
+        - name: Get number of latest policy states in current subscription.
+          text: >
+              az policy state list --apply "aggregate($count as numberOfRecords)"
+        - name: Get latest policy states in current subscription aggregating results based on some properties.
+          text: >
+              az policy state list --apply "groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId), aggregate($count as numStates))"
+        - name: Get latest policy states in current subscription grouping results based on some properties.
+          text: >
+              az policy state list --apply "groupby((policyAssignmentName, resourceId))"
+        - name: Get latest policy states in current subscription aggregating results based on some properties specifying multiple groupings.
+          text: >
+              az policy state list --apply "groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId, resourceId))/groupby((policyAssignmentId, policySetDefinitionId, policyDefinitionReferenceId, policyDefinitionId), aggregate($count as numNonCompliantResources))"
+"""
+helps['policy state summarize'] = """
+    type: command
+    short-summary: Summarize policy compliance states.
+    examples:
+        - name: Get latest non-compliant policy states summary at current subscription scope.
+          text: >
+              az policy state summarize
+        - name: Get latest non-compliant policy states summary at management group scope.
+          text: >
+              az policy state summarize -m "myMg"
+        - name: Get latest non-compliant policy states summary at resource group scope in current subscription.
+          text: >
+              az policy state summarize -g "myRg"
+        - name: Get latest non-compliant policy states summary for a resource using resource ID.
+          text: >
+              az policy state summarize --resource "/subscriptions/fff10b27-fff3-fff5-fff8-fffbe01e86a5/resourceGroups/myResourceGroup /providers/Microsoft.EventHub/namespaces/myns1/eventhubs/eh1/consumergroups/cg1"
+        - name: Get latest non-compliant policy states summary for a resource using resource name.
+          text: >
+              az policy state summarize --resource "myKeyVault" --namespace "Microsoft.KeyVault" --resource-type "vaults" -g "myresourcegroup"
+        - name: Get latest non-compliant policy states summary for a nested resource using resource name.
+          text: >
+              az policy state summarize --resource "myRule1" --namespace "Microsoft.Network" --resource-type "securityRules" --parent "networkSecurityGroups/mysecuritygroup1" -g "myresourcegroup"
+        - name: Get latest non-compliant policy states summary for a policy set definition in current subscription.
+          text: >
+              az policy state summarize -s "fff58873-fff8-fff5-fffc-fffbe7c9d697"
+        - name: Get latest non-compliant policy states summary for a policy definition in current subscription.
+          text: >
+              az policy state summarize -d "fff69973-fff8-fff5-fffc-fffbe7c9d698"
+        - name: Get latest non-compliant policy states summary for a policy assignment in current subscription.
+          text: >
+              az policy state summarize -a "ddd8ef92e3714a5ea3d208c1"
+        - name: Get latest non-compliant policy states summary for a policy assignment in the specified resource group in current subscription.
+          text: >
+              az policy state summarize -g "myRg" -a "ddd8ef92e3714a5ea3d208c1"
+        - name: Get latest non-compliant policy states summary in current subscription, limiting the assignments summary to top 5.
+          text: >
+              az policy state summarize --top 5
+        - name: Get latest non-compliant policy states summary in current subscription for a custom time interval.
+          text: >
+              az policy state summarize --from "2018-03-08T00:00:00Z" --to "2018-03-15T00:00:00Z"
+        - name: Get latest non-compliant policy states summary in current subscription filtering results based on some property values.
+          text: >
+              az policy state summarize --filter "(policyDefinitionAction eq 'deny' or policyDefinitionAction eq 'audit') and resourceLocation ne 'eastus'"
+"""