From 04bef467bb894c538b59a3b25d393181af6a4063 Mon Sep 17 00:00:00 2001
From: Elad Perets
Date: Thu, 21 Jan 2021 17:17:01 -0800
Subject: [PATCH 1/2] Add new policy 'count' expressions Also updating some descriptions
---
 .../2015-10-01-preview/policyDefinition.json | 2 +-
 schemas/2016-12-01/policyDefinition.json | 2 +-
 schemas/2018-05-01/policyDefinition.json | 2 +-
 schemas/2019-01-01/policyDefinition.json | 2 +-
 schemas/2019-06-01/policyDefinition.json | 2 +-
 schemas/2019-09-01/policyDefinition.json | 50 +++++++++++----
 tests/2019-09-01/policyDefinition.tests.json | 63 ++++++++++++++++++-
 7 files changed, 104 insertions(+), 19 deletions(-)
diff --git a/schemas/2015-10-01-preview/policyDefinition.json b/schemas/2015-10-01-preview/policyDefinition.json
index 49c0519fce..2f31aae4d4 100644
--- a/schemas/2015-10-01-preview/policyDefinition.json
+++ b/schemas/2015-10-01-preview/policyDefinition.json
@@ -2,7 +2,7 @@
 "id": "https://schema.management.azure.com/schemas/2015-10-01-preview/policyDefinition.json#",
 "$schema": "http://json-schema.org/draft-04/schema#",
 "title": "Policy Definition",
- "description": "This schema defines Azure resource policy definition, please see https://azure.microsoft.com/en-us/documentation/articles/resource-manager-policy/ for more details.",
+ "description": "This schema defines Azure Policy definition policy rules. For more details, see https://docs.microsoft.com/azure/governance/policy/.",
 "type": "object",
 "properties": {
 "if": {
diff --git a/schemas/2016-12-01/policyDefinition.json b/schemas/2016-12-01/policyDefinition.json
index d888412e00..93d79a782f 100644
--- a/schemas/2016-12-01/policyDefinition.json
+++ b/schemas/2016-12-01/policyDefinition.json
@@ -2,7 +2,7 @@
 "id": "https://schema.management.azure.com/schemas/2016-12-01/policyDefinition.json#",
 "$schema": "http://json-schema.org/draft-04/schema#",
 "title": "Policy Definition",
- "description": "This schema defines Azure resource policy definition, please see https://azure.microsoft.com/en-us/documentation/articles/resource-manager-policy/ for more details.",
+ "description": "This schema defines Azure Policy definition policy rules. For more details, see https://docs.microsoft.com/azure/governance/policy/.",
 "type": "object",
 "properties": {
 "if": {
diff --git a/schemas/2018-05-01/policyDefinition.json b/schemas/2018-05-01/policyDefinition.json
index d34f19fbb0..8c18348cfe 100644
--- a/schemas/2018-05-01/policyDefinition.json
+++ b/schemas/2018-05-01/policyDefinition.json
@@ -2,7 +2,7 @@
 "id": "https://schema.management.azure.com/schemas/2018-05-01/policyDefinition.json#",
 "$schema": "http://json-schema.org/draft-04/schema#",
 "title": "Policy Definition",
- "description": "This schema defines Azure resource policy definition, please see https://azure.microsoft.com/en-us/documentation/articles/resource-manager-policy/ for more details.",
+ "description": "This schema defines Azure Policy definition policy rules. For more details, see https://docs.microsoft.com/azure/governance/policy/.",
 "type": "object",
 "properties": {
 "if": {
diff --git a/schemas/2019-01-01/policyDefinition.json b/schemas/2019-01-01/policyDefinition.json
index ec2f18af4a..b345b3319e 100644
--- a/schemas/2019-01-01/policyDefinition.json
+++ b/schemas/2019-01-01/policyDefinition.json
@@ -2,7 +2,7 @@
 "id": "https://schema.management.azure.com/schemas/2019-01-01/policyDefinition.json#",
 "$schema": "http://json-schema.org/draft-04/schema#",
 "title": "Policy Definition",
- "description": "This schema defines Azure resource policy definition, please see https://azure.microsoft.com/documentation/articles/resource-manager-policy/ for more details.",
+ "description": "This schema defines Azure Policy definition policy rules. For more details, see https://docs.microsoft.com/azure/governance/policy/.",
 "type": "object",
 "properties": {
 "if": {
diff --git a/schemas/2019-06-01/policyDefinition.json b/schemas/2019-06-01/policyDefinition.json
index 4c5b578e77..2b6ef2c311 100644
--- a/schemas/2019-06-01/policyDefinition.json
+++ b/schemas/2019-06-01/policyDefinition.json
@@ -2,7 +2,7 @@
 "id": "https://schema.management.azure.com/schemas/2019-06-01/policyDefinition.json#",
 "$schema": "http://json-schema.org/draft-04/schema#",
 "title": "Policy Definition",
- "description": "This schema defines Azure resource policy definition, please see https://azure.microsoft.com/documentation/articles/resource-manager-policy/ for more details.",
+ "description": "This schema defines Azure Policy definition policy rules. For more details, see https://docs.microsoft.com/azure/governance/policy/.",
 "type": "object",
 "properties": {
 "if": {
diff --git a/schemas/2019-09-01/policyDefinition.json b/schemas/2019-09-01/policyDefinition.json
index 67189082ef..079c7b8d98 100644
--- a/schemas/2019-09-01/policyDefinition.json
+++ b/schemas/2019-09-01/policyDefinition.json
@@ -348,21 +348,45 @@
 ]
 },
 "countExpression": {
- "properties": {
- "field": {
- "type": "string"
+ "oneOf": [
+ {
+ "properties": {
+ "field": {
+ "type": "string"
+ },
+ "where": {
+ "oneOf": [
+ { "$ref": "#/definitions/condition" },
+ { "$ref": "#/definitions/operatorNot" },
+ { "$ref": "#/definitions/operatorAnyOf" },
+ { "$ref": "#/definitions/operatorAllOf" }
+ ]
+ }
+ },
+ "required": [ "field" ],
+ "additionalProperties": false
 },
- "where": {
- "oneOf": [
- { "$ref": "#/definitions/condition" },
- { "$ref": "#/definitions/operatorNot" },
- { "$ref": "#/definitions/operatorAnyOf" },
- { "$ref": "#/definitions/operatorAllOf" }
- ]
+ {
+ "properties": {
+ "value": {
+ "type": [ "array", "string" ]
+ },
+ "name": {
+ "type": "string"
+ },
+ "where": {
+ "oneOf": [
+ { "$ref": "#/definitions/condition" },
+ { "$ref": "#/definitions/operatorNot" },
+ { "$ref": "#/definitions/operatorAnyOf" },
+ { "$ref": "#/definitions/operatorAllOf" }
+ ]
+ }
+ },
+ "required": [ "value" ],
+ "additionalProperties": false
 }
- },
- "required": [ "field" ],
- "additionalProperties": false
+ ]
 },
 "operatorNot": {
 "properties": {
diff --git a/tests/2019-09-01/policyDefinition.tests.json b/tests/2019-09-01/policyDefinition.tests.json
index cbc025695b..743d9922c3 100644
--- a/tests/2019-09-01/policyDefinition.tests.json
+++ b/tests/2019-09-01/policyDefinition.tests.json
@@ -57,7 +57,7 @@
 }
 },
 {
- "name": "PolicyDefinition tests - valid complex count condition",
+ "name": "PolicyDefinition tests - valid complex field count condition",
 "definition": "https://schema.management.azure.com/schemas/2019-09-01/policyDefinition.json#",
 "json": {
 "if": {
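Review bot: Neither branch of the new `oneOf` under `countExpression` in schemas/2019-09-01/policyDefinition.json declares a type, so a non-object `count` value satisfies both branches vacuously and is rejected only because `oneOf` then sees two matches, which produces a misleading validation error. Adding `"type": "object",` at the top of each branch makes that rejection explicit and independent of the branch count. The `value` branch accepts any string through `"type": [ "array", "string" ]`, not only a bracketed template expression like the `[parameters('arrayParam')]` used in the tests; a `pattern` constraint would tighten it if plain strings are not meant to be valid. The `where` subschema is now repeated verbatim in both branches and could live once under `#/definitions` so the two copies cannot drift apart.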
@@ -93,6 +93,67 @@
 }
 }
 },
+ {
+ "name": "PolicyDefinition tests - valid value count conditions",
+ "definition": "https://schema.management.azure.com/schemas/2019-09-01/policyDefinition.json#",
+ "json": {
+ "if": {
+ "allOf": [
+ {
+ "count": {
+ "value": []
+ },
+ "greater": 0
+ },
+ {
+ "count": {
+ "value": [],
+ "name": "currentValue"
+ },
+ "greater": 0
+ },
+ {
+ "count": {
+ "value": [],
+ "name": "currentValue",
+ "where": {
+ "value": "[current('currentValue')]",
+ "equals": 1
+ }
+ },
+ "greater": 0
+ },
+ {
+ "count": {
+ "value": "[parameters('arrayParam')]"
+ },
+ "greater": 0
+ },
+ {
+ "count": {
+ "value": "[parameters('arrayParam')]",
+ "name": "currentValue"
+ },
+ "greater": 0
+ },
+ {
+ "count": {
+ "value": "[parameters('arrayParam')]",
+ "name": "currentValue",
+ "where": {
+ "value": "[current('currentValue')]",
+ "equals": 1
+ }
+ },
+ "greater": 0
+ }
+ ]
+ },
+ "then": {
+ "effect": "deny"
+ }
+ }
+ },
 {
 "name": "PolicyDefinition tests - valid append details",
 "definition": "https://schema.management.azure.com/schemas/2019-09-01/policyDefinition.json#",
From 2523317caee2553fed825f834e129a8552fcd6e3 Mon Sep 17 00:00:00 2001
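Review bot: The case added to tests/2019-09-01/policyDefinition.tests.json ("valid value count conditions") exercises only documents that should validate, so the mutual exclusion the schema now depends on (`"additionalProperties": false` inside each `oneOf` branch of `countExpression`) is not pinned by any test. If the harness supports expected-failure cases, it would be worth adding a `count` that carries both `field` and `value`, one that pairs `name` with `field`, and one with neither key. Without them a later edit that loosens either branch would let malformed count expressions in a `deny` rule pass schema validation unnoticed.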
From: SDKAuto Date: Fri, 22 Jan 2021 20:26:34 +0000 Subject: [PATCH 2/2] CodeGen from PR 12526 in Azure/azure-rest-api-specs Merge de7937cb6ca3ffcd27c7cccafddf93f6f2a88bb9 into a35bddecf81df1a1a3030dbaee0b73c777aeb0db --- .../2015-07-01/Microsoft.Authorization.json | 187 +++++++ .../Microsoft.Authorization.json | 75 +++ .../Microsoft.Authorization.json | 226 +++++++++ .../Microsoft.Authorization.json | 478 ++++++++++++++++++ .../Microsoft.Authorization.json | 102 ++++ .../Microsoft.Authorization.json | 114 +++++ 6 files changed, 1182 insertions(+) create mode 100644 schemas/2015-07-01/Microsoft.Authorization.json create mode 100644 schemas/2017-10-01-preview/Microsoft.Authorization.json create mode 100644 schemas/2018-01-01-preview/Microsoft.Authorization.json create mode 100644 schemas/2018-05-01-preview/Microsoft.Authorization.json create mode 100644 schemas/2018-09-01-preview/Microsoft.Authorization.json create mode 100644 schemas/2020-04-01-preview/Microsoft.Authorization.json diff --git a/schemas/2015-07-01/Microsoft.Authorization.json b/schemas/2015-07-01/Microsoft.Authorization.json new file mode 100644 index 0000000000..a032d9400b --- /dev/null +++ b/schemas/2015-07-01/Microsoft.Authorization.json 
@@ -0,0 +1,187 @@ +{ + "id": "https://schema.management.azure.com/schemas/2015-07-01/Microsoft.Authorization.json#", + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Microsoft.Authorization", + "description": "Microsoft Authorization Resource Types", + "resourceDefinitions": {}, + "unknown_resourceDefinitions": { + "roleAssignments": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2015-07-01" + ] + }, + "name": { + "type": "string", + "description": "The name of the role assignment to create. It can be any valid GUID." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RoleAssignmentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Role assignment properties." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.Authorization/roleAssignments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.Authorization/roleAssignments" + }, + "roleDefinitions": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2015-07-01" + ] + }, + "name": { + "type": "string", + "description": "The ID of the role definition." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RoleDefinitionProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Role definition properties." 
+ }, + "type": { + "type": "string", + "enum": [ + "Microsoft.Authorization/roleDefinitions" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.Authorization/roleDefinitions" + } + }, + "definitions": { + "Permission": { + "type": "object", + "properties": { + "actions": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Allowed actions." + }, + "notActions": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Denied actions." + } + }, + "description": "Role definition permissions." + }, + "RoleAssignmentProperties": { + "type": "object", + "properties": { + "principalId": { + "type": "string", + "description": "The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group." + }, + "roleDefinitionId": { + "type": "string", + "description": "The role definition ID used in the role assignment." + } + }, + "required": [ + "principalId", + "roleDefinitionId" + ], + "description": "Role assignment properties." + }, + "RoleDefinitionProperties": { + "type": "object", + "properties": { + "assignableScopes": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Role definition assignable scopes." + }, + "description": { + "type": "string", + "description": "The role definition description." 
+ }, + "permissions": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/Permission" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Role definition permissions." + }, + "roleName": { + "type": "string", + "description": "The role name." + }, + "type": { + "type": "string", + "description": "The role type." + } + }, + "description": "Role definition properties." + } + } +} diff --git a/schemas/2017-10-01-preview/Microsoft.Authorization.json b/schemas/2017-10-01-preview/Microsoft.Authorization.json new file mode 100644 index 0000000000..4403356cb0 --- /dev/null +++ b/schemas/2017-10-01-preview/Microsoft.Authorization.json 
@@ -0,0 +1,75 @@ +{ + "id": "https://schema.management.azure.com/schemas/2017-10-01-preview/Microsoft.Authorization.json#", + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Microsoft.Authorization", + "description": "Microsoft Authorization Resource Types", + "resourceDefinitions": {}, + "unknown_resourceDefinitions": { + "roleAssignments": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2017-10-01-preview" + ] + }, + "name": { + "type": "string", + "description": "The name of the role assignment to create. It can be any valid GUID." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RoleAssignmentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Role assignment properties." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.Authorization/roleAssignments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.Authorization/roleAssignments" + } + }, + "definitions": { + "RoleAssignmentProperties": { + "type": "object", + "properties": { + "canDelegate": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The delegation flag used for creating a role assignment" + }, + "principalId": { + "type": "string", + "description": "The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group." + }, + "roleDefinitionId": { + "type": "string", + "description": "The role definition ID used in the role assignment." + } + }, + "description": "Role assignment properties." + } + } +} 
diff --git a/schemas/2018-01-01-preview/Microsoft.Authorization.json b/schemas/2018-01-01-preview/Microsoft.Authorization.json new file mode 100644 index 0000000000..1891f79c0c --- /dev/null +++ b/schemas/2018-01-01-preview/Microsoft.Authorization.json 
@@ -0,0 +1,226 @@ +{ + "id": "https://schema.management.azure.com/schemas/2018-01-01-preview/Microsoft.Authorization.json#", + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Microsoft.Authorization", + "description": "Microsoft Authorization Resource Types", + "resourceDefinitions": {}, + "unknown_resourceDefinitions": { + "roleAssignments": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-01-01-preview" + ] + }, + "name": { + "type": "string", + "description": "The name of the role assignment to create. It can be any valid GUID." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RoleAssignmentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Role assignment properties." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.Authorization/roleAssignments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.Authorization/roleAssignments" + }, + "roleDefinitions": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-01-01-preview" + ] + }, + "name": { + "type": "string", + "description": "The ID of the role definition." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RoleDefinitionProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Role definition properties." 
+ }, + "type": { + "type": "string", + "enum": [ + "Microsoft.Authorization/roleDefinitions" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.Authorization/roleDefinitions" + } + }, + "definitions": { + "Permission": { + "type": "object", + "properties": { + "actions": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Allowed actions." + }, + "dataActions": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Allowed Data actions." + }, + "notActions": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Denied actions." + }, + "notDataActions": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Denied Data actions." + } + }, + "description": "Role definition permissions." + }, + "RoleAssignmentProperties": { + "type": "object", + "properties": { + "canDelegate": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The delegation flag used for creating a role assignment" + }, + "principalId": { + "type": "string", + "description": "The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group." 
+ }, + "roleDefinitionId": { + "type": "string", + "description": "The role definition ID used in the role assignment." + } + }, + "required": [ + "principalId", + "roleDefinitionId" + ], + "description": "Role assignment properties." + }, + "RoleDefinitionProperties": { + "type": "object", + "properties": { + "assignableScopes": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Role definition assignable scopes." + }, + "description": { + "type": "string", + "description": "The role definition description." + }, + "permissions": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/Permission" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Role definition permissions." + }, + "roleName": { + "type": "string", + "description": "The role name." + }, + "type": { + "type": "string", + "description": "The role type." + } + }, + "description": "Role definition properties." + } + } +} diff --git a/schemas/2018-05-01-preview/Microsoft.Authorization.json b/schemas/2018-05-01-preview/Microsoft.Authorization.json new file mode 100644 index 0000000000..c7514d9b89 --- /dev/null +++ b/schemas/2018-05-01-preview/Microsoft.Authorization.json 
@@ -0,0 +1,478 @@ +{ + "id": "https://schema.management.azure.com/schemas/2018-05-01-preview/Microsoft.Authorization.json#", + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Microsoft.Authorization", + "description": "Microsoft Authorization Resource Types", + "resourceDefinitions": {}, + "subscription_resourceDefinitions": { + "accessReviewScheduleDefinitions": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-05-01-preview" + ] + }, + "descriptionForAdmins": { + "type": "string", + "description": "The description provided by the access review creator and visible to admins." + }, + "descriptionForReviewers": { + "type": "string", + "description": "The description provided by the access review creator to be shown to reviewers." + }, + "displayName": { + "type": "string", + "description": "The display name for the schedule definition." + }, + "instances": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AccessReviewInstance" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "This is the collection of instances returned when one does an expand on it." + }, + "name": { + "type": "string", + "description": "The id of the access review schedule definition." + }, + "reviewers": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AccessReviewReviewer" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "This is the collection of reviewers." + }, + "settings": { + "oneOf": [ + { + "$ref": "#/definitions/AccessReviewScheduleSettings" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Settings of an Access Review." 
+ }, + "type": { + "type": "string", + "enum": [ + "Microsoft.Authorization/accessReviewScheduleDefinitions" + ] + } + }, + "required": [ + "apiVersion", + "name", + "type" + ], + "description": "Microsoft.Authorization/accessReviewScheduleDefinitions" + }, + "accessReviewScheduleSettings": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-05-01-preview" + ] + }, + "autoApplyDecisionsEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag to indicate whether auto-apply capability, to automatically change the target object access resource, is enabled. If not enabled, a user must, after the review completes, apply the access review." + }, + "defaultDecision": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Approve", + "Deny", + "Recommendation" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "This specifies the behavior for the autoReview feature when an access review completes." + }, + "defaultDecisionEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag to indicate whether reviewers are required to provide a justification when reviewing access." + }, + "instanceDurationInDays": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The duration in days for an instance." 
+ }, + "justificationRequiredOnApproval": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag to indicate whether the reviewer is required to pass justification when recording a decision." + }, + "mailNotificationsEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag to indicate whether sending mails to reviewers and the review creator is enabled." + }, + "name": { + "type": "string", + "enum": [ + "default" + ] + }, + "recommendationsEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag to indicate whether showing recommendations to reviewers is enabled." + }, + "recurrence": { + "oneOf": [ + { + "$ref": "#/definitions/AccessReviewRecurrenceSettings" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Recurrence Settings of an Access Review Schedule Definition." + }, + "reminderNotificationsEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag to indicate whether sending reminder emails to reviewers are enabled." 
+ }, + "type": { + "type": "string", + "enum": [ + "Microsoft.Authorization/accessReviewScheduleSettings" + ] + } + }, + "required": [ + "apiVersion", + "name", + "type" + ], + "description": "Microsoft.Authorization/accessReviewScheduleSettings" + } + }, + "definitions": { + "AccessReviewInstance": { + "type": "object", + "properties": { + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/AccessReviewInstanceProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Access Review Instance properties." + } + }, + "description": "Access Review Instance." + }, + "AccessReviewInstanceProperties": { + "type": "object", + "properties": { + "endDateTime": { + "type": "string", + "format": "date-time", + "description": "The DateTime when the review instance is scheduled to end." + }, + "startDateTime": { + "type": "string", + "format": "date-time", + "description": "The DateTime when the review instance is scheduled to be start." + } + }, + "description": "Access Review Instance properties." + }, + "AccessReviewRecurrencePattern": { + "type": "object", + "properties": { + "interval": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The interval for recurrence. For a quarterly review, the interval is 3 for type : absoluteMonthly." + }, + "type": { + "oneOf": [ + { + "type": "string", + "enum": [ + "weekly", + "absoluteMonthly" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The recurrence type : weekly, monthly, etc." + } + }, + "description": "Recurrence Pattern of an Access Review Schedule Definition." 
+ }, + "AccessReviewRecurrenceRange": { + "type": "object", + "properties": { + "endDate": { + "type": "string", + "format": "date-time", + "description": "The DateTime when the review is scheduled to end. Required if type is endDate" + }, + "numberOfOccurrences": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The number of times to repeat the access review. Required and must be positive if type is numbered." + }, + "startDate": { + "type": "string", + "format": "date-time", + "description": "The DateTime when the review is scheduled to be start. This could be a date in the future. Required on create." + }, + "type": { + "oneOf": [ + { + "type": "string", + "enum": [ + "endDate", + "noEnd", + "numbered" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The recurrence range type. The possible values are: endDate, noEnd, numbered." + } + }, + "description": "Recurrence Range of an Access Review Schedule Definition." + }, + "AccessReviewRecurrenceSettings": { + "type": "object", + "properties": { + "pattern": { + "oneOf": [ + { + "$ref": "#/definitions/AccessReviewRecurrencePattern" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Recurrence Pattern of an Access Review Schedule Definition." + }, + "range": { + "oneOf": [ + { + "$ref": "#/definitions/AccessReviewRecurrenceRange" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Recurrence Range of an Access Review Schedule Definition." + } + }, + "description": "Recurrence Settings of an Access Review Schedule Definition." 
+ }, + "AccessReviewReviewer": { + "type": "object", + "properties": { + "principalId": { + "type": "string", + "description": "The id of the reviewer(user/servicePrincipal)" + } + }, + "description": "Descriptor for what needs to be reviewed" + }, + "AccessReviewScheduleSettings": { + "type": "object", + "properties": { + "autoApplyDecisionsEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag to indicate whether auto-apply capability, to automatically change the target object access resource, is enabled. If not enabled, a user must, after the review completes, apply the access review." + }, + "defaultDecision": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Approve", + "Deny", + "Recommendation" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "This specifies the behavior for the autoReview feature when an access review completes." + }, + "defaultDecisionEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag to indicate whether reviewers are required to provide a justification when reviewing access." + }, + "instanceDurationInDays": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The duration in days for an instance." + }, + "justificationRequiredOnApproval": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag to indicate whether the reviewer is required to pass justification when recording a decision." 
+ }, + "mailNotificationsEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag to indicate whether sending mails to reviewers and the review creator is enabled." + }, + "recommendationsEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag to indicate whether showing recommendations to reviewers is enabled." + }, + "recurrence": { + "oneOf": [ + { + "$ref": "#/definitions/AccessReviewRecurrenceSettings" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Recurrence Settings of an Access Review Schedule Definition." + }, + "reminderNotificationsEnabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Flag to indicate whether sending reminder emails to reviewers are enabled." + } + }, + "description": "Settings of an Access Review." + } + } +} diff --git a/schemas/2018-09-01-preview/Microsoft.Authorization.json b/schemas/2018-09-01-preview/Microsoft.Authorization.json new file mode 100644 index 0000000000..1c9ddd7682 --- /dev/null +++ b/schemas/2018-09-01-preview/Microsoft.Authorization.json 
@@ -0,0 +1,102 @@ +{ + "id": "https://schema.management.azure.com/schemas/2018-09-01-preview/Microsoft.Authorization.json#", + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Microsoft.Authorization", + "description": "Microsoft Authorization Resource Types", + "resourceDefinitions": {}, + "unknown_resourceDefinitions": { + "roleAssignments": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-09-01-preview" + ] + }, + "name": { + "type": "string", + "description": "The name of the role assignment to create. It can be any valid GUID." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RoleAssignmentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Role assignment properties." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.Authorization/roleAssignments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.Authorization/roleAssignments" + } + }, + "definitions": { + "RoleAssignmentProperties": { + "type": "object", + "properties": { + "canDelegate": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The delegation flag used for creating a role assignment" + }, + "principalId": { + "type": "string", + "description": "The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group." 
+ }, + "principalType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "User", + "Group", + "ServicePrincipal", + "Unknown", + "DirectoryRoleTemplate", + "ForeignGroup", + "Application", + "MSI", + "DirectoryObjectOrGroup", + "Everyone" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The principal type of the assigned principal ID." + }, + "roleDefinitionId": { + "type": "string", + "description": "The role definition ID used in the role assignment." + } + }, + "required": [ + "principalId", + "roleDefinitionId" + ], + "description": "Role assignment properties." + } + } +} diff --git a/schemas/2020-04-01-preview/Microsoft.Authorization.json b/schemas/2020-04-01-preview/Microsoft.Authorization.json new file mode 100644 index 0000000000..82e9c48392 --- /dev/null +++ b/schemas/2020-04-01-preview/Microsoft.Authorization.json 
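Review bot: `roleAssignments` is declared under `unknown_resourceDefinitions` while `resourceDefinitions` is left as `{}`, so a consumer that resolves resource types through `resourceDefinitions` will presumably find nothing in this file and apply no validation to role assignments. Since these objects grant access, it is worth confirming that the type is reachable from the template schemas that need it, or stating in the file's top-level `description` why its scope is unknown. The same layout appears in the 2020-04-01-preview file added in the next hunk. Separately, `name` is described as "any valid GUID" but is typed as an unconstrained string, so the schema itself does not catch a malformed name.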
@@ -0,0 +1,114 @@ +{ + "id": "https://schema.management.azure.com/schemas/2020-04-01-preview/Microsoft.Authorization.json#", + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Microsoft.Authorization", + "description": "Microsoft Authorization Resource Types", + "resourceDefinitions": {}, + "unknown_resourceDefinitions": { + "roleAssignments": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2020-04-01-preview" + ] + }, + "name": { + "type": "string", + "description": "The name of the role assignment to create. It can be any valid GUID." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/RoleAssignmentProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Role assignment properties." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.Authorization/roleAssignments" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.Authorization/roleAssignments" + } + }, + "definitions": { + "RoleAssignmentProperties": { + "type": "object", + "properties": { + "canDelegate": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The delegation flag used for creating a role assignment" + }, + "condition": { + "type": "string", + "description": "The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'" + }, + "conditionVersion": { + "type": "string", + "description": "Version of the condition. 
Currently accepted value is '2.0'" + }, + "description": { + "type": "string", + "description": "Description of role assignment" + }, + "principalId": { + "type": "string", + "description": "The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group." + }, + "principalType": { + "oneOf": [ + { + "type": "string", + "enum": [ + "User", + "Group", + "ServicePrincipal", + "Unknown", + "DirectoryRoleTemplate", + "ForeignGroup", + "Application", + "MSI", + "DirectoryObjectOrGroup", + "Everyone" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The principal type of the assigned principal ID." + }, + "roleDefinitionId": { + "type": "string", + "description": "The role definition ID used in the role assignment." + } + }, + "required": [ + "principalId", + "roleDefinitionId" + ], + "description": "Role assignment properties." + } + } +}
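Review bot: `conditionVersion` is typed as a bare string even though its description gives '2.0' as the currently accepted value, and nothing ties it to `condition`, so a template can carry a condition with a missing or mistyped version and still validate. Because the condition is what narrows the assignment, that mismatch is better caught by the schema than at deployment. Consider giving the property the same `oneOf` shape that `principalType` uses, with `"enum": ["2.0"]` as the literal branch, and adding `"dependencies": { "condition": ["conditionVersion"] }` to `RoleAssignmentProperties`. Whether the service requires the version whenever a condition is set is not visible here, so confirm that before making it a hard dependency.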