From 865db2963656a19aca6ad07410d2136911230ffc Mon Sep 17 00:00:00 2001 From: Min Jae Kim Date: Fri, 14 Apr 2023 02:35:16 -0400 Subject: [PATCH] [Hub Generated] Review request for Microsoft.PolicyInsights to add version stable/2023-03-01 (#22789) * Adds base for updating Microsoft.PolicyInsights from version stable/2022-03-01 to version 2023-03-01 * Updates readme * Updates API version in new specs and examples * Add new API version (2023-03-01) to Microsoft.PolicyInsights * Fixed UNRESOLVABLE_REFERENCE issue * Fixed UNRESOLVABLE_REFERENCE issue * Fixed UNRESOLVABLE_REFERENCE issue * Fixed MissingTypeObject issue * Added reference to PolicyRestrictions_CheckAtSubscriptionScopeIncludeAuditEffect example and set IncludeAuditEffect default to false * Added PolicyRestrictions_CheckAtResourceGroupScopeIncludeAuditEffect * update readme Tag: package-2023-03 * Fixed error in PolicyRestrictions_CheckAtSubscriptionScope.json * Fixed error in PolicyRestrictions_CheckAtResourceGroupScope.json * Update readme.go.md * updated examples for checkPolicyRestrictions * Added tag for java * Update specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/checkPolicyRestrictions.json Co-authored-by: Chris Eggert * Replaced policyEffect type from enum to string and added doc url to description. * Revert readme.go.md * Update checkPolicyRestrictions.json * Update checkPolicyRestrictions.json * Update checkPolicyRestrictions.json * undo last commit --------- Co-authored-by: Minjae Kim Co-authored-by: Chris Eggert --- .../2023-03-01/checkPolicyRestrictions.json | 474 ++++++++++++++++++ ...trictions_CheckAtManagementGroupScope.json | 45 ++ ...estrictions_CheckAtResourceGroupScope.json | 148 ++++++ ...tResourceGroupScopeIncludeAuditEffect.json | 150 ++++++ ...Restrictions_CheckAtSubscriptionScope.json | 147 ++++++ ...AtSubscriptionScopeIncludeAuditEffect.json | 149 ++++++ .../policyinsights/resource-manager/readme.md | 38 +- 7 files changed, 1148 insertions(+), 3 deletions(-) create mode 100644 specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/checkPolicyRestrictions.json create mode 100644 specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtManagementGroupScope.json create mode 100644 specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtResourceGroupScope.json create mode 100644 specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtResourceGroupScopeIncludeAuditEffect.json create mode 100644 specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtSubscriptionScope.json create mode 100644 specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtSubscriptionScopeIncludeAuditEffect.json diff --git a/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/checkPolicyRestrictions.json b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/checkPolicyRestrictions.json new file mode 100644 index 0000000000..7186e0cea6 --- /dev/null +++ b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/checkPolicyRestrictions.json @@ -0,0 +1,474 @@ +{ + "swagger": "2.0", + "info": { + "title": "CheckPolicyRestrictionsClient", + "version": "2023-03-01" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/checkPolicyRestrictions": { + "post": { + "operationId": "PolicyRestrictions_CheckAtSubscriptionScope", + "description": "Checks what restrictions Azure Policy will place on a resource within a subscription.", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "name": "parameters", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/CheckRestrictionsRequest" + }, + "description": "The check policy restrictions parameters." + } + ], + "responses": { + "200": { + "description": "The restrictions that will be placed on the resource by Azure Policy.", + "schema": { + "$ref": "#/definitions/CheckRestrictionsResult" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../stable/2019-10-01/policyMetadata.json#/definitions/ErrorResponse" + } + } + }, + "x-ms-examples": { + "Check policy restrictions at subscription scope": { + "$ref": "./examples/PolicyRestrictions_CheckAtSubscriptionScope.json" + }, + "Check policy restrictions at subscription scope including audit effect": { + "$ref": "./examples/PolicyRestrictions_CheckAtSubscriptionScopeIncludeAuditEffect.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.PolicyInsights/checkPolicyRestrictions": { + "post": { + "operationId": "PolicyRestrictions_CheckAtResourceGroupScope", + "description": "Checks what restrictions Azure Policy will place on a resource within a resource group. Use this when the resource group the resource will be created in is already known.", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "name": "parameters", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/CheckRestrictionsRequest" + }, + "description": "The check policy restrictions parameters." + } + ], + "responses": { + "200": { + "description": "The restrictions that will be placed on the resource by Azure Policy.", + "schema": { + "$ref": "#/definitions/CheckRestrictionsResult" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../stable/2019-10-01/policyMetadata.json#/definitions/ErrorResponse" + } + } + }, + "x-ms-examples": { + "Check policy restrictions at resource group scope": { + "$ref": "./examples/PolicyRestrictions_CheckAtResourceGroupScope.json" + }, + "Check policy restrictions at resource group scope including audit effect": { + "$ref": "./examples/PolicyRestrictions_CheckAtResourceGroupScopeIncludeAuditEffect.json" + } + } + } + }, + "/providers/{managementGroupsNamespace}/managementGroups/{managementGroupId}/providers/Microsoft.PolicyInsights/checkPolicyRestrictions": { + "post": { + "operationId": "PolicyRestrictions_CheckAtManagementGroupScope", + "description": "Checks what restrictions Azure Policy will place on resources within a management group.", + "parameters": [ + { + "$ref": "#/parameters/managementGroupsNamespaceParameter" + }, + { + "$ref": "#/parameters/managementGroupIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "name": "parameters", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/CheckManagementGroupRestrictionsRequest" + }, + "description": "The check policy restrictions parameters." + } + ], + "responses": { + "200": { + "description": "The restrictions that will be placed on the resource by Azure Policy.", + "schema": { + "$ref": "#/definitions/CheckRestrictionsResult" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../stable/2019-10-01/policyMetadata.json#/definitions/ErrorResponse" + } + } + }, + "x-ms-examples": { + "Check policy restrictions at management group scope": { + "$ref": "./examples/PolicyRestrictions_CheckAtManagementGroupScope.json" + } + } + } + } + }, + "definitions": { + "CheckRestrictionsRequest": { + "description": "The check policy restrictions parameters describing the resource that is being evaluated.", + "properties": { + "resourceDetails": { + "description": "The information about the resource that will be evaluated.", + "$ref": "#/definitions/CheckRestrictionsResourceDetails" + }, + "pendingFields": { + "description": "The list of fields and values that should be evaluated for potential restrictions.", + "type": "array", + "items": { + "$ref": "#/definitions/PendingField" + } + }, + "includeAuditEffect": { + "description": "Whether to include policies with the 'audit' effect in the results. Defaults to false.", + "type": "boolean", + "default": false + } + }, + "required": [ + "resourceDetails" + ] + }, + "CheckManagementGroupRestrictionsRequest": { + "type": "object", + "description": "The check policy restrictions parameters describing the resource that is being evaluated.", + "properties": { + "resourceDetails": { + "description": "The information about the resource that will be evaluated.", + "$ref": "#/definitions/CheckRestrictionsResourceDetails" + }, + "pendingFields": { + "description": "The list of fields and values that should be evaluated for potential restrictions.", + "type": "array", + "items": { + "$ref": "#/definitions/PendingField" + }, + "x-ms-identifiers": [] + } + } + }, + "CheckRestrictionsResourceDetails": { + "description": "The information about the resource that will be evaluated.", + "properties": { + "resourceContent": { + "description": "The resource content. This should include whatever properties are already known and can be a partial set of all resource properties.", + "type": "object" + }, + "apiVersion": { + "description": "The api-version of the resource content.", + "type": "string" + }, + "scope": { + "description": "The scope where the resource is being created. For example, if the resource is a child resource this would be the parent resource's resource ID.", + "type": "string" + } + }, + "required": [ + "resourceContent" + ] + }, + "PendingField": { + "description": "A field that should be evaluated against Azure Policy to determine restrictions.", + "properties": { + "field": { + "description": "The name of the field. This can be a top-level property like 'name' or 'type' or an Azure Policy field alias.", + "type": "string" + }, + "values": { + "description": "The list of potential values for the field that should be evaluated against Azure Policy.", + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "field" + ] + }, + "CheckRestrictionsResult": { + "description": "The result of a check policy restrictions evaluation on a resource.", + "properties": { + "fieldRestrictions": { + "description": "The restrictions that will be placed on various fields in the resource by policy.", + "type": "array", + "items": { + "$ref": "#/definitions/FieldRestrictions" + }, + "readOnly": true + }, + "contentEvaluationResult": { + "description": "Evaluation results for the provided partial resource content.", + "properties": { + "policyEvaluations": { + "description": "Policy evaluation results against the given resource content. This will indicate if the partial content that was provided will be denied as-is.", + "type": "array", + "items": { + "$ref": "#/definitions/PolicyEvaluationResult" + } + } + }, + "readOnly": true + } + } + }, + "FieldRestrictions": { + "description": "The restrictions that will be placed on a field in the resource by policy.", + "properties": { + "field": { + "description": "The name of the field. This can be a top-level property like 'name' or 'type' or an Azure Policy field alias.", + "type": "string", + "readOnly": true + }, + "restrictions": { + "description": "The restrictions placed on that field by policy.", + "type": "array", + "items": { + "$ref": "#/definitions/FieldRestriction" + } + } + } + }, + "FieldRestriction": { + "description": "The restrictions on a field imposed by a specific policy.", + "properties": { + "result": { + "description": "The type of restriction that is imposed on the field.", + "type": "string", + "enum": [ + "Required", + "Removed", + "Deny", + "Audit" + ], + "x-ms-enum": { + "name": "FieldRestrictionResult", + "modelAsString": true, + "values": [ + { + "value": "Required", + "description": "The field and/or values are required by policy." + }, + { + "value": "Removed", + "description": "The field will be removed by policy." + }, + { + "value": "Deny", + "description": "The field and/or values will be denied by policy." + }, + { + "value": "Audit", + "description": "The field and/or values will be audited by policy." + } + ] + }, + "readOnly": true + }, + "defaultValue": { + "description": "The value that policy will set for the field if the user does not provide a value.", + "type": "string", + "readOnly": true + }, + "values": { + "description": "The values that policy either requires or denies for the field.", + "type": "array", + "items": { + "type": "string" + }, + "readOnly": true + }, + "policy": { + "description": "The details of the policy that is causing the field restriction.", + "$ref": "#/definitions/PolicyReference", + "readOnly": true + }, + "policyEffect": { + "description": "The effect of the policy that is causing the field restriction. http://aka.ms/policyeffects", + "type": "string", + "readOnly": true + }, + "reason": { + "description": "The reason for the restriction.", + "type": "string", + "readOnly": true + } + } + }, + "PolicyEvaluationResult": { + "description": "The result of a non-compliant policy evaluation against the given resource content.", + "properties": { + "policyInfo": { + "description": "The details of the policy that was evaluated.", + "$ref": "#/definitions/PolicyReference", + "readOnly": true + }, + "evaluationResult": { + "description": "The result of the policy evaluation against the resource. This will typically be 'NonCompliant' but may contain other values if errors were encountered.", + "type": "string", + "readOnly": true + }, + "evaluationDetails": { + "description": "The detailed results of the policy expressions and values that were evaluated.", + "$ref": "#/definitions/CheckRestrictionEvaluationDetails", + "readOnly": true + }, + "effectDetails": { + "description": "The details of the effect that was applied to the resource.", + "$ref": "#/definitions/PolicyEffectDetails", + "readOnly": true + } + } + }, + "PolicyReference": { + "description": "Resource identifiers for a policy.", + "properties": { + "policyDefinitionId": { + "description": "The resource identifier of the policy definition.", + "type": "string", + "readOnly": true + }, + "policySetDefinitionId": { + "description": "The resource identifier of the policy set definition.", + "type": "string", + "readOnly": true + }, + "policyDefinitionReferenceId": { + "description": "The reference identifier of a specific policy definition within a policy set definition.", + "type": "string", + "readOnly": true + }, + "policyAssignmentId": { + "description": "The resource identifier of the policy assignment.", + "type": "string", + "readOnly": true + } + } + }, + "PolicyEffectDetails": { + "type": "object", + "description": "The details of the effect that was applied to the resource.", + "properties": { + "policyEffect": { + "description": "The effect that was applied to the resource. http://aka.ms/policyeffects", + "type": "string", + "readOnly": true + } + } + }, + "CheckRestrictionEvaluationDetails": { + "type": "object", + "description": "Policy evaluation details.", + "properties": { + "evaluatedExpressions": { + "description": "Details of the evaluated expressions.", + "type": "array", + "items": { + "$ref": "../../stable/2019-10-01/policyStates.json#/definitions/ExpressionEvaluationDetails" + }, + "x-ms-identifiers": [] + }, + "ifNotExistsDetails": { + "description": "Evaluation details of IfNotExists effect.", + "type": "object", + "$ref": "../../stable/2019-10-01/policyStates.json#/definitions/IfNotExistsEvaluationDetails" + }, + "reason": { + "description": "The reason for the evaluation result.", + "type": "string", + "readOnly": true + } + } + } + }, + "parameters": { + "managementGroupsNamespaceParameter": { + "name": "managementGroupsNamespace", + "in": "path", + "required": true, + "type": "string", + "enum": [ + "Microsoft.Management" + ], + "x-ms-enum": { + "name": "ManagementGroupsNamespaceType", + "modelAsString": false + }, + "description": "The namespace for Microsoft Management RP; only \"Microsoft.Management\" is allowed.", + "x-ms-parameter-location": "method" + }, + "managementGroupIdParameter": { + "name": "managementGroupId", + "in": "path", + "required": true, + "type": "string", + "description": "Management group ID.", + "x-ms-parameter-location": "method" + } + } +} diff --git a/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtManagementGroupScope.json b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtManagementGroupScope.json new file mode 100644 index 0000000000..02a3df4eb0 --- /dev/null +++ b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtManagementGroupScope.json @@ -0,0 +1,45 @@ +{ + "parameters": { + "managementGroupsNamespace": "Microsoft.Management", + "managementGroupId": "financeMg", + "api-version": "2023-03-01", + "parameters": { + "pendingFields": [ + { + "field": "type" + } + ] + } + }, + "responses": { + "200": { + "headers": {}, + "body": { + "fieldRestrictions": [ + { + "field": "type", + "restrictions": [ + { + "result": "Required", + "values": [ + "Microsoft.Compute/virtualMachines" + ], + "policy": { + "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/financeMg/providers/microsoft.authorization/policyDefinitions/allowedTypes", + "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/financeMg/providers/microsoft.authorization/policyAssignments/7EB1508A", + "policySetDefinitionId": "/providers/Microsoft.Management/managementGroups/financeMg/providers/microsoft.authorization/policySetDefinitions/735551F1", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Deny", + "reason": "type not allowed" + } + ] + } + ], + "contentEvaluationResult": { + "policyEvaluations": [] + } + } + } + } +} diff --git a/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtResourceGroupScope.json b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtResourceGroupScope.json new file mode 100644 index 0000000000..1995fc6cb3 --- /dev/null +++ b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtResourceGroupScope.json @@ -0,0 +1,148 @@ +{ + "parameters": { + "subscriptionId": "35ee058e-5fa0-414c-8145-3ebb8d09b6e2", + "resourceGroupName": "vmRg", + "api-version": "2023-03-01", + "parameters": { + "resourceDetails": { + "resourceContent": { + "type": "Microsoft.Compute/virtualMachines", + "properties": { + "priority": "Spot" + } + }, + "apiVersion": "2019-12-01" + }, + "pendingFields": [ + { + "field": "name", + "values": [ + "myVMName" + ] + }, + { + "field": "location", + "values": [ + "eastus", + "westus", + "westus2", + "westeurope" + ] + }, + { + "field": "tags" + } + ] + } + }, + "responses": { + "200": { + "headers": {}, + "body": { + "fieldRestrictions": [ + { + "field": "tags.newtag", + "restrictions": [ + { + "result": "Required", + "defaultValue": "defaultVal", + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/1D0906C3", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/57DAC8A0", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/05D92080", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Deny", + "reason": "tags.newtag is required" + } + ] + }, + { + "field": "tags.environment", + "restrictions": [ + { + "result": "Required", + "values": [ + "Prod", + "Int", + "Test" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/30BD79F6", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/7EB1508A", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/735551F1", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Deny", + "reason": "tags.environment is required" + } + ] + }, + { + "field": "location", + "restrictions": [ + { + "result": "Deny", + "values": [ + "west europe" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/0711CCC1", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/1563EBD3", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/1E17783A", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Deny", + "reason": "location must be one of the following: eastus, westus, westus2" + }, + { + "result": "Deny", + "values": [ + "eastus", + "westus" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/25C9F66B", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/5382A69D", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/392D107B", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Deny", + "reason": "location must be one of the following: westus2" + } + ] + } + ], + "contentEvaluationResult": { + "policyEvaluations": [ + { + "policyInfo": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/435CAE41", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/2162358E", + "policyDefinitionReferenceId": "defref222", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/2FF66C37" + }, + "evaluationResult": "NonCompliant", + "evaluationDetails": { + "evaluatedExpressions": [ + { + "result": "True", + "expressionKind": "field", + "expression": "type", + "path": "type", + "expressionValue": "microsoft.compute/virtualmachines", + "targetValue": "microsoft.compute/virtualmachines", + "operator": "equals" + } + ] + }, + "effectDetails": { + "policyEffect": "Deny" + } + } + ] + } + } + } + } +} diff --git a/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtResourceGroupScopeIncludeAuditEffect.json b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtResourceGroupScopeIncludeAuditEffect.json new file mode 100644 index 0000000000..1ac5c59e89 --- /dev/null +++ b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtResourceGroupScopeIncludeAuditEffect.json @@ -0,0 +1,150 @@ +{ + "parameters": { + "subscriptionId": "35ee058e-5fa0-414c-8145-3ebb8d09b6e2", + "resourceGroupName": "vmRg", + "api-version": "2023-03-01", + "parameters": { + "resourceDetails": { + "resourceContent": { + "type": "Microsoft.Compute/virtualMachines", + "properties": { + "priority": "Spot" + } + }, + "apiVersion": "2019-12-01" + }, + "pendingFields": [ + { + "field": "name", + "values": [ + "myVMName" + ] + }, + { + "field": "location", + "values": [ + "eastus", + "westus", + "westus2", + "westeurope" + ] + }, + { + "field": "tags" + } + ], + "includeAuditEffect": true + } + }, + "responses": { + "200": { + "headers": {}, + "body": { + "fieldRestrictions": [ + { + "field": "tags.newtag", + "restrictions": [ + { + "result": "Required", + "defaultValue": "defaultVal", + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/1D0906C3", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/57DAC8A0", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/05D92080", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Deny", + "reason": "tags.newtag is required" + } + ] + }, + { + "field": "tags.environment", + "restrictions": [ + { + "result": "Required", + "values": [ + "Prod", + "Int", + "Test" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/30BD79F6", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/7EB1508A", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/735551F1", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Audit", + "reason": "tags.environment is required" + } + ] + }, + { + "field": "location", + "restrictions": [ + { + "result": "Deny", + "values": [ + "west europe" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/0711CCC1", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/1563EBD3", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/1E17783A", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Deny", + "reason": "The selected location is not allowed" + }, + { + "result": "Audit", + "values": [ + "eastus", + "westus" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/25C9F66B", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/5382A69D", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/392D107B", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Audit", + "reason": "The selected location is not allowed" + } + ] + } + ], + "contentEvaluationResult": { + "policyEvaluations": [ + { + "policyInfo": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/435CAE41", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/2162358E", + "policyDefinitionReferenceId": "defref222", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/2FF66C37" + }, + "evaluationResult": "NonCompliant", + "evaluationDetails": { + "evaluatedExpressions": [ + { + "result": "True", + "expressionKind": "field", + "expression": "type", + "path": "type", + "expressionValue": "microsoft.compute/virtualmachines", + "targetValue": "microsoft.compute/virtualmachines", + "operator": "equals" + } + ], + "reason": "Resource creation of the selected type is not allowed" + }, + "effectDetails": { + "policyEffect": "Audit" + } + } + ] + } + } + } + } +} diff --git a/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtSubscriptionScope.json b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtSubscriptionScope.json new file mode 100644 index 0000000000..8c64aedf75 --- /dev/null +++ b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtSubscriptionScope.json @@ -0,0 +1,147 @@ +{ + "parameters": { + "subscriptionId": "35ee058e-5fa0-414c-8145-3ebb8d09b6e2", + "api-version": "2023-03-01", + "parameters": { + "resourceDetails": { + "resourceContent": { + "type": "Microsoft.Compute/virtualMachines", + "properties": { + "priority": "Spot" + } + }, + "apiVersion": "2019-12-01" + }, + "pendingFields": [ + { + "field": "name", + "values": [ + "myVMName" + ] + }, + { + "field": "location", + "values": [ + "eastus", + "westus", + "westus2", + "westeurope" + ] + }, + { + "field": "tags" + } + ] + } + }, + "responses": { + "200": { + "headers": {}, + "body": { + "fieldRestrictions": [ + { + "field": "tags.newtag", + "restrictions": [ + { + "result": "Required", + "defaultValue": "defaultVal", + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/1D0906C3", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/57DAC8A0", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/05D92080", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Deny", + "reason": "tags.newtag is required" + } + ] + }, + { + "field": "tags.environment", + "restrictions": [ + { + "result": "Required", + "values": [ + "Prod", + "Int", + "Test" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/30BD79F6", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/7EB1508A", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/735551F1", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Deny", + "reason": "tags.environment is required" + } + ] + }, + { + "field": "location", + "restrictions": [ + { + "result": "Deny", + "values": [ + "west europe" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/0711CCC1", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/1563EBD3", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/1E17783A", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Deny", + "reason": "location must be one of the following: eastus, westus, westus2" + }, + { + "result": "Deny", + "values": [ + "eastus", + "westus" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/25C9F66B", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/5382A69D", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/392D107B", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Deny", + "reason": "location must be one of the following: westus2" + } + ] + } + ], + "contentEvaluationResult": { + "policyEvaluations": [ + { + "policyInfo": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/435CAE41", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/2162358E", + "policyDefinitionReferenceId": "defref222", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/2FF66C37" + }, + "evaluationResult": "NonCompliant", + "evaluationDetails": { + "evaluatedExpressions": [ + { + "result": "True", + "expressionKind": "field", + "expression": "type", + "path": "type", + "expressionValue": "microsoft.compute/virtualmachines", + "targetValue": "microsoft.compute/virtualmachines", + "operator": "equals" + } + ] + }, + "effectDetails": { + "policyEffect": "Deny" + } + } + ] + } + } + } + } +} diff --git a/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtSubscriptionScopeIncludeAuditEffect.json b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtSubscriptionScopeIncludeAuditEffect.json new file mode 100644 index 0000000000..7b6d8a3414 --- /dev/null +++ b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/stable/2023-03-01/examples/PolicyRestrictions_CheckAtSubscriptionScopeIncludeAuditEffect.json @@ -0,0 +1,149 @@ +{ + "parameters": { + "subscriptionId": "35ee058e-5fa0-414c-8145-3ebb8d09b6e2", + "api-version": "2023-03-01", + "parameters": { + "resourceDetails": { + "resourceContent": { + "type": "Microsoft.Compute/virtualMachines", + "properties": { + "priority": "Spot" + } + }, + "apiVersion": "2019-12-01" + }, + "pendingFields": [ + { + "field": "name", + "values": [ + "myVMName" + ] + }, + { + "field": "location", + "values": [ + "eastus", + "westus", + "westus2", + "westeurope" + ] + }, + { + "field": "tags" + } + ], + "includeAuditEffect": true + } + }, + "responses": { + "200": { + "headers": {}, + "body": { + "fieldRestrictions": [ + { + "field": "tags.newtag", + "restrictions": [ + { + "result": "Required", + "defaultValue": "defaultVal", + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/1D0906C3", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/57DAC8A0", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/05D92080", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Deny", + "reason": "tags.newtag is required" + } + ] + }, + { + "field": "tags.environment", + "restrictions": [ + { + "result": "Required", + "values": [ + "Prod", + "Int", + "Test" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/30BD79F6", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/7EB1508A", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/735551F1", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Audit", + "reason": "tags.environment is required" + } + ] + }, + { + "field": "location", + "restrictions": [ + { + "result": "Deny", + "values": [ + "west europe" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/0711CCC1", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/1563EBD3", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/1E17783A", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Deny", + "reason": "The selected location is not allowed" + }, + { + "result": "Audit", + "values": [ + "eastus", + "westus" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/25C9F66B", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/5382A69D", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/392D107B", + "policyDefinitionReferenceId": "DefRef" + }, + "policyEffect": "Audit", + "reason": "The selected location is not allowed" + } + ] + } + ], + "contentEvaluationResult": { + "policyEvaluations": [ + { + "policyInfo": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/435CAE41", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/2162358E", + "policyDefinitionReferenceId": "defref222", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/2FF66C37" + }, + "evaluationResult": "NonCompliant", + "evaluationDetails": { + "evaluatedExpressions": [ + { + "result": "True", + "expressionKind": "field", + "expression": "type", + "path": "type", + "expressionValue": "microsoft.compute/virtualmachines", + "targetValue": "microsoft.compute/virtualmachines", + "operator": "equals" + } + ], + "reason": "Resource creation of the selected type is not allowed" + }, + "effectDetails": { + "policyEffect": "Audit" + } + } + ] + } + } + } + } +} diff --git a/specification/policyinsights/resource-manager/readme.md b/specification/policyinsights/resource-manager/readme.md index 68a6f94680..e662847a1b 100644 --- a/specification/policyinsights/resource-manager/readme.md +++ b/specification/policyinsights/resource-manager/readme.md @@ -27,7 +27,7 @@ These are the global settings for the PolicyInsights API. ``` yaml title: PolicyInsightsClient openapi-type: arm -tag: package-2022-09 +tag: package-2023-03 ``` ### Validations @@ -139,11 +139,27 @@ directive: ``` +### Tag: package-2023-03 + +These settings apply only when `--tag=package-2023-03` is specified on the command line. + +```yaml $(tag) == 'package-2023-03' +input-file: + - Microsoft.PolicyInsights/preview/2018-07-01-preview/policyTrackedResources.json + - Microsoft.PolicyInsights/stable/2021-10-01/remediations.json + - Microsoft.PolicyInsights/stable/2019-10-01/policyEvents.json + - Microsoft.PolicyInsights/stable/2019-10-01/policyStates.json + - Microsoft.PolicyInsights/stable/2019-10-01/policyMetadata.json + - Microsoft.PolicyInsights/stable/2023-03-01/checkPolicyRestrictions.json + - Microsoft.PolicyInsights/stable/2022-04-01/componentPolicyStates.json + - Microsoft.PolicyInsights/stable/2022-04-01/operations.json + - Microsoft.PolicyInsights/stable/2022-09-01/attestations.json +``` ### Tag: package-2022-09 These settings apply only when `--tag=package-2022-09` is specified on the command line. -```yaml $(tag) == 'package-2022-09' +``` yaml $(tag) == 'package-2022-09' input-file: - Microsoft.PolicyInsights/preview/2018-07-01-preview/policyTrackedResources.json - Microsoft.PolicyInsights/stable/2021-10-01/remediations.json @@ -155,11 +171,12 @@ input-file: - Microsoft.PolicyInsights/stable/2022-04-01/operations.json - Microsoft.PolicyInsights/stable/2022-09-01/attestations.json ``` + ### Tag: package-2022-04 These settings apply only when `--tag=package-2022-04` is specified on the command line. -```yaml $(tag) == 'package-2022-04' +``` yaml $(tag) == 'package-2022-04' input-file: - Microsoft.PolicyInsights/preview/2018-07-01-preview/policyTrackedResources.json - Microsoft.PolicyInsights/stable/2021-10-01/remediations.json @@ -347,6 +364,7 @@ output-folder: $(azure-libraries-for-java-folder)/azure-mgmt-policyinsights ``` yaml $(java) && $(multiapi) batch: + - tag: package-2023-03 - tag: package-2022-09 - tag: package-2022-04 - tag: package-2022-03 @@ -358,6 +376,19 @@ batch: - tag: package-2018-04 ``` +### Tag: package-2023-03 and java + +These settings apply only when `--tag=package-2023-03 --java` is specified on the command line. +Please also specify `--azure-libraries-for-java-folder=`. + +``` yaml $(tag) == 'package-2023-03' && $(java) +java: + namespace: com.microsoft.azure.management.policyinsights.v2023_03_01 + output-folder: $(azure-libraries-for-java-folder)/sdk/policyinsights/mgmt-v2023_03_01 +regenerate-manager: true +generate-interface: true +``` + ### Tag: package-2022-09 and java These settings apply only when `--tag=package-2022-09 --java` is specified on the command line. @@ -370,6 +401,7 @@ java: regenerate-manager: true generate-interface: true ``` + ### Tag: package-2022-04 and java These settings apply only when `--tag=package-2022-04 --java` is specified on the command line.