Skip to content

Commit

Permalink
Microsoft.PolicyInsights/checkPolicyRestrictions API (#10798)
Browse files Browse the repository at this point in the history 
* CheckPolicyRestrictions API

* Run prettier

* Increment package version

* Remove from old tag

* Remove suppression
  • Loading branch information
@pilor
pilor authored Nov 18, 2020
1 parent abc4477 commit c1cb52f
Show file tree
Hide file tree
Showing 7 changed files with 660 additions and 1 deletion.
5 changes: 5 additions & 0 deletions ...icyinsights/resource-manager/Microsoft.PolicyInsights/stable/2019-10-01/policyStates.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1398,6 +1398,11 @@
"description": "Expression evaluated.",
"type": "string"
},
"expressionKind": {
"description": "The kind of expression that was evaluated.",
"type": "string",
"readOnly": true
},
"path": {
"description": "Property path if the expression is a field or an alias.",
"type": "string"
Expand Down
320 changes: 320 additions & 0 deletions .../resource-manager/Microsoft.PolicyInsights/stable/2020-07-01/checkPolicyRestrictions.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,320 @@
{
"swagger": "2.0",
"info": {
"title": "CheckPolicyRestrictionsClient",
"version": "2020-07-01"
},
"host": "management.azure.com",
"schemes": [
"https"
],
"produces": [
"application/json"
],
"security": [
{
"azure_auth": [
"user_impersonation"
]
}
],
"securityDefinitions": {
"azure_auth": {
"type": "oauth2",
"authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
"flow": "implicit",
"description": "Azure Active Directory OAuth2 Flow",
"scopes": {
"user_impersonation": "impersonate your user account"
}
}
},
"paths": {
"/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/checkPolicyRestrictions": {
"post": {
"operationId": "PolicyRestrictions_CheckAtSubscriptionScope",
"description": "Checks what restrictions Azure Policy will place on a resource within a subscription.",
"parameters": [
{
"$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
},
{
"$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter"
},
{
"name": "parameters",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/CheckRestrictionsRequest"
},
"description": "The check policy restrictions parameters."
}
],
"responses": {
"200": {
"description": "The restrictions that will be placed on the resource by Azure Policy.",
"schema": {
"$ref": "#/definitions/CheckRestrictionsResult"
}
},
"default": {
"description": "Error response describing why the operation failed.",
"schema": {
"$ref": "../../stable/2019-10-01/policyMetadata.json#/definitions/ErrorResponse"
}
}
},
"x-ms-examples": {
"Check policy restrictions at subscription scope": {
"$ref": "./examples/PolicyRestrictions_CheckAtSubscriptionScope.json"
}
}
}
},
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.PolicyInsights/checkPolicyRestrictions": {
"post": {
"operationId": "PolicyRestrictions_CheckAtResourceGroupScope",
"description": "Checks what restrictions Azure Policy will place on a resource within a resource group. Use this when the resource group the resource will be created in is already known.",
"parameters": [
{
"$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter"
},
{
"$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter"
},
{
"$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter"
},
{
"name": "parameters",
"in": "body",
"required": true,
"schema": {
"$ref": "#/definitions/CheckRestrictionsRequest"
},
"description": "The check policy restrictions parameters."
}
],
"responses": {
"200": {
"description": "The restrictions that will be placed on the resource by Azure Policy.",
"schema": {
"$ref": "#/definitions/CheckRestrictionsResult"
}
},
"default": {
"description": "Error response describing why the operation failed.",
"schema": {
"$ref": "../../stable/2019-10-01/policyMetadata.json#/definitions/ErrorResponse"
}
}
},
"x-ms-examples": {
"Check policy restrictions at resource group scope": {
"$ref": "./examples/PolicyRestrictions_CheckAtResourceGroupScope.json"
}
}
}
}
},
"definitions": {
"CheckRestrictionsRequest": {
"description": "The check policy restrictions parameters describing the resource that is being evaluated.",
"properties": {
"resourceDetails": {
"description": "The information about the resource that will be evaluated.",
"$ref": "#/definitions/CheckRestrictionsResourceDetails"
},
"pendingFields": {
"description": "The list of fields and values that should be evaluated for potential restrictions.",
"type": "array",
"items": {
"$ref": "#/definitions/PendingField"
}
}
},
"required": [
"resourceDetails"
]
},
"CheckRestrictionsResourceDetails": {
"description": "The information about the resource that will be evaluated.",
"properties": {
"resourceContent": {
"description": "The resource content. This should include whatever properties are already known and can be a partial set of all resource properties.",
"type": "object"
},
"apiVersion": {
"description": "The api-version of the resource content.",
"type": "string"
},
"scope": {
"description": "The scope where the resource is being created. For example, if the resource is a child resource this would be the parent resource's resource ID.",
"type": "string"
}
},
"required": [
"resourceContent"
]
},
"PendingField": {
"description": "A field that should be evaluated against Azure Policy to determine restrictions.",
"properties": {
"field": {
"description": "The name of the field. This can be a top-level property like 'name' or 'type' or an Azure Policy field alias.",
"type": "string"
},
"values": {
"description": "The list of potential values for the field that should be evaluated against Azure Policy.",
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"field"
]
},
"CheckRestrictionsResult": {
"description": "The result of a check policy restrictions evaluation on a resource.",
"properties": {
"fieldRestrictions": {
"description": "The restrictions that will be placed on various fields in the resource by policy.",
"type": "array",
"items": {
"$ref": "#/definitions/FieldRestrictions"
},
"readOnly": true
},
"contentEvaluationResult": {
"description": "Evaluation results for the provided partial resource content.",
"properties": {
"policyEvaluations": {
"description": "Policy evaluation results against the given resource content. This will indicate if the partial content that was provided will be denied as-is.",
"type": "array",
"items": {
"$ref": "#/definitions/PolicyEvaluationResult"
}
}
},
"readOnly": true
}
}
},
"FieldRestrictions": {
"description": "The restrictions that will be placed on a field in the resource by policy.",
"properties": {
"field": {
"description": "The name of the field. This can be a top-level property like 'name' or 'type' or an Azure Policy field alias.",
"type": "string",
"readOnly": true
},
"restrictions": {
"description": "The restrictions placed on that field by policy.",
"type": "array",
"items": {
"$ref": "#/definitions/FieldRestriction"
}
}
}
},
"FieldRestriction": {
"description": "The restrictions on a field imposed by a specific policy.",
"properties": {
"result": {
"description": "The type of restriction that is imposed on the field.",
"type": "string",
"enum": [
"Required",
"Removed",
"Deny"
],
"x-ms-enum": {
"name": "FieldRestrictionResult",
"modelAsString": true,
"values": [
{
"value": "Required",
"description": "The field and/or values are required by policy."
},
{
"value": "Removed",
"description": "The field will be removed by policy."
},
{
"value": "Deny",
"description": "The field and/or values will be denied by policy."
}
]
},
"readOnly": true
},
"defaultValue": {
"description": "The value that policy will set for the field if the user does not provide a value.",
"type": "string",
"readOnly": true
},
"values": {
"description": "The values that policy either requires or denies for the field.",
"type": "array",
"items": {
"type": "string"
},
"readOnly": true
},
"policy": {
"description": "The details of the policy that is causing the field restriction.",
"$ref": "#/definitions/PolicyReference",
"readOnly": true
}
}
},
"PolicyEvaluationResult": {
"description": "The result of a non-compliant policy evaluation against the given resource content.",
"properties": {
"policyInfo": {
"description": "The details of the policy that was evaluated.",
"$ref": "#/definitions/PolicyReference",
"readOnly": true
},
"evaluationResult": {
"description": "The result of the policy evaluation against the resource. This will typically be 'NonCompliant' but may contain other values if errors were encountered.",
"type": "string",
"readOnly": true
},
"evaluationDetails": {
"description": "The detailed results of the policy expressions and values that were evaluated.",
"$ref": "../../stable/2019-10-01/policyStates.json#/definitions/PolicyEvaluationDetails",
"readOnly": true
}
}
},
"PolicyReference": {
"description": "Resource identifiers for a policy.",
"properties": {
"policyDefinitionId": {
"description": "The resource identifier of the policy definition.",
"type": "string",
"readOnly": true
},
"policySetDefinitionId": {
"description": "The resource identifier of the policy set definition.",
"type": "string",
"readOnly": true
},
"policyDefinitionReferenceId": {
"description": "The reference identifier of a specific policy definition within a policy set definition.",
"type": "string",
"readOnly": true
},
"policyAssignmentId": {
"description": "The resource identifier of the policy assignment.",
"type": "string",
"readOnly": true
}
}
}
}
}
Loading

0 comments on commit c1cb52f

Please sign in to comment.