public void PolicyRestrictions_ResourceGroupScope()
{
const string ResourceGroupName = "checkRestrictSdkTests";
using (var context = MockContext.Start(this.GetType()))
{
// Create a resource group
var armClient = context.GetServiceClient <ResourceManagementClient>();
var armResourceTypes = armClient.ProviderResourceTypes.List("Microsoft.Resources");
var resourceGroupType = armResourceTypes.Value.First(resourceType => resourceType.ResourceType.Equals("resourceGroups", StringComparison.OrdinalIgnoreCase));
armClient.ResourceGroups.CreateOrUpdate(ResourceGroupName, new ResourceGroup(location: resourceGroupType.Locations[0]));
// Add a policy assignment (allowed storage account SKUs) that can be used to validate checkPolicyRestrictions
var armPolicyClient = context.GetServiceClient <PolicyClient>();
var policyAssignmentParams = new PolicyAssignment
{
PolicyDefinitionId = "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
Parameters = new Dictionary <string, ParameterValuesValue> {
["effect"] = new ParameterValuesValue("Deny"), ["listOfAllowedSKUs"] = new ParameterValuesValue(new[] { "Standard_LRS" })
}
};
var scope = $"/subscriptions/{armPolicyClient.SubscriptionId}/resourceGroups/{ResourceGroupName}";
armPolicyClient.PolicyAssignments.Create(scope: scope, policyAssignmentName: "checkRestrictSdkTest", parameters: policyAssignmentParams);
// Send a check restrictions request with a potential list of SKUs, two will be denied
var checkRestrictionsParams = new CheckRestrictionsRequest
{
ResourceDetails = new CheckRestrictionsResourceDetails
{
ApiVersion = "2021-04-01",
ResourceContent = new JObject(new JProperty("type", "Microsoft.Storage/storageAccounts"))
},
PendingFields = new[]
{
new PendingField
{
Field = "Microsoft.Storage/storageAccounts/sku.name",
Values = new[] { "Standard_ZRS", "Premium_LRS", "Standard_LRS" }
}
}
};
var policyRestrictionsClient = context.GetServiceClient <PolicyInsightsClient>();
var checkRestrictionsResult = policyRestrictionsClient.PolicyRestrictions.CheckAtResourceGroupScope(subscriptionId: armPolicyClient.SubscriptionId, resourceGroupName: ResourceGroupName, parameters: checkRestrictionsParams);
Assert.Equal(0, checkRestrictionsResult.ContentEvaluationResult.PolicyEvaluations.Count);
Assert.Equal(1, checkRestrictionsResult.FieldRestrictions.Count);
var fieldRestriction = checkRestrictionsResult.FieldRestrictions[0];
Assert.Equal("Microsoft.Storage/storageAccounts/sku.name", fieldRestriction.Field);
Assert.Equal(1, fieldRestriction.Restrictions.Count);
Assert.Equal("Deny", fieldRestriction.Restrictions[0].Result);
Assert.Equal(2, fieldRestriction.Restrictions[0].Values.Count);
Assert.Equal(new[] { "Standard_ZRS", "Premium_LRS" }, fieldRestriction.Restrictions[0].Values, StringComparer.OrdinalIgnoreCase);
armClient.ResourceGroups.Delete(ResourceGroupName);
}
}
/// <summary>
/// Checks what restrictions Azure Policy will place on a resource within a
/// subscription.
/// </summary>
/// <param name='subscriptionId'>
/// The ID of the target subscription.
/// </param>
/// <param name='parameters'>
/// The check policy restrictions parameters.
/// </param>
/// <param name='customHeaders'>
/// Headers that will be added to request.
/// </param>
/// <param name='cancellationToken'>
/// The cancellation token.
/// </param>
/// <exception cref="ErrorResponseException">
/// Thrown when the operation returned an invalid status code
/// </exception>
/// <exception cref="SerializationException">
/// Thrown when unable to deserialize the response
/// </exception>
/// <exception cref="ValidationException">
/// Thrown when a required parameter is null
/// </exception>
/// <exception cref="System.ArgumentNullException">
/// Thrown when a required parameter is null
/// </exception>
/// <return>
/// A response object containing the response body and response headers.
/// </return>
public async Task <AzureOperationResponse <CheckRestrictionsResult> > CheckAtSubscriptionScopeWithHttpMessagesAsync(string subscriptionId, CheckRestrictionsRequest parameters, Dictionary <string, List <string> > customHeaders = null, CancellationToken cancellationToken = default(CancellationToken))
{
if (subscriptionId == null)
{
throw new ValidationException(ValidationRules.CannotBeNull, "subscriptionId");
}
if (subscriptionId != null)
{
if (subscriptionId.Length < 1)
{
throw new ValidationException(ValidationRules.MinLength, "subscriptionId", 1);
}
}
if (parameters == null)
{
throw new ValidationException(ValidationRules.CannotBeNull, "parameters");
}
if (parameters != null)
{
parameters.Validate();
}
string apiVersion = "2020-07-01";
// Tracing
bool _shouldTrace = ServiceClientTracing.IsEnabled;
string _invocationId = null;
if (_shouldTrace)
{
_invocationId = ServiceClientTracing.NextInvocationId.ToString();
Dictionary <string, object> tracingParameters = new Dictionary <string, object>();
tracingParameters.Add("subscriptionId", subscriptionId);
tracingParameters.Add("apiVersion", apiVersion);
tracingParameters.Add("parameters", parameters);
tracingParameters.Add("cancellationToken", cancellationToken);
ServiceClientTracing.Enter(_invocationId, this, "CheckAtSubscriptionScope", tracingParameters);
}
// Construct URL
var _baseUrl = Client.BaseUri.AbsoluteUri;
var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/checkPolicyRestrictions").ToString();
_url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(subscriptionId));
List <string> _queryParameters = new List <string>();
if (apiVersion != null)
{
_queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion)));
}
if (_queryParameters.Count > 0)
{
_url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters);
}
// Create HTTP transport objects
var _httpRequest = new HttpRequestMessage();
HttpResponseMessage _httpResponse = null;
_httpRequest.Method = new HttpMethod("POST");
_httpRequest.RequestUri = new System.Uri(_url);
// Set Headers
if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value)
{
_httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString());
}
if (Client.AcceptLanguage != null)
{
if (_httpRequest.Headers.Contains("accept-language"))
{
_httpRequest.Headers.Remove("accept-language");
}
_httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage);
}
if (customHeaders != null)
{
foreach (var _header in customHeaders)
{
if (_httpRequest.Headers.Contains(_header.Key))
{
_httpRequest.Headers.Remove(_header.Key);
}
_httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value);
}
}
// Serialize Request
string _requestContent = null;
if (parameters != null)
{
_requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(parameters, Client.SerializationSettings);
_httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8);
_httpRequest.Content.Headers.ContentType = System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8");
}
// Set Credentials
if (Client.Credentials != null)
{
cancellationToken.ThrowIfCancellationRequested();
await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false);
}
// Send Request
if (_shouldTrace)
{
ServiceClientTracing.SendRequest(_invocationId, _httpRequest);
}
cancellationToken.ThrowIfCancellationRequested();
_httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false);
if (_shouldTrace)
{
ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse);
}
HttpStatusCode _statusCode = _httpResponse.StatusCode;
cancellationToken.ThrowIfCancellationRequested();
string _responseContent = null;
if ((int)_statusCode != 200)
{
var ex = new ErrorResponseException(string.Format("Operation returned an invalid status code '{0}'", _statusCode));
try
{
_responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false);
ErrorResponse _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject <ErrorResponse>(_responseContent, Client.DeserializationSettings);
if (_errorBody != null)
{
ex.Body = _errorBody;
}
}
catch (JsonException)
{
// Ignore the exception
}
ex.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent);
ex.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent);
if (_shouldTrace)
{
ServiceClientTracing.Error(_invocationId, ex);
}
_httpRequest.Dispose();
if (_httpResponse != null)
{
_httpResponse.Dispose();
}
throw ex;
}
// Create Result
var _result = new AzureOperationResponse <CheckRestrictionsResult>();
_result.Request = _httpRequest;
_result.Response = _httpResponse;
if (_httpResponse.Headers.Contains("x-ms-request-id"))
{
_result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault();
}
// Deserialize Response
if ((int)_statusCode == 200)
{
_responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false);
try
{
_result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject <CheckRestrictionsResult>(_responseContent, Client.DeserializationSettings);
}
catch (JsonException ex)
{
_httpRequest.Dispose();
if (_httpResponse != null)
{
_httpResponse.Dispose();
}
throw new SerializationException("Unable to deserialize the response.", _responseContent, ex);
}
}
if (_shouldTrace)
{
ServiceClientTracing.Exit(_invocationId, _result);
}
return(_result);
}
/// <summary>
/// Checks what restrictions Azure Policy will place on a resource within a
/// resource group. Use this when the resource group the resource will be
/// created in is already known.
/// </summary>
/// <param name='operations'>
/// The operations group for this extension method.
/// </param>
/// <param name='subscriptionId'>
/// The ID of the target subscription.
/// </param>
/// <param name='resourceGroupName'>
/// The name of the resource group. The name is case insensitive.
/// </param>
/// <param name='parameters'>
/// The check policy restrictions parameters.
/// </param>
public static CheckRestrictionsResult CheckAtResourceGroupScope(this IPolicyRestrictionsOperations operations, string subscriptionId, string resourceGroupName, CheckRestrictionsRequest parameters)
{
return(operations.CheckAtResourceGroupScopeAsync(subscriptionId, resourceGroupName, parameters).GetAwaiter().GetResult());
}
/// <summary>
/// Checks what restrictions Azure Policy will place on a resource within a
/// subscription.
/// </summary>
/// <param name='operations'>
/// The operations group for this extension method.
/// </param>
/// <param name='subscriptionId'>
/// The ID of the target subscription.
/// </param>
/// <param name='parameters'>
/// The check policy restrictions parameters.
/// </param>
/// <param name='cancellationToken'>
/// The cancellation token.
/// </param>
public static async Task <CheckRestrictionsResult> CheckAtSubscriptionScopeAsync(this IPolicyRestrictionsOperations operations, string subscriptionId, CheckRestrictionsRequest parameters, CancellationToken cancellationToken = default(CancellationToken))
{
using (var _result = await operations.CheckAtSubscriptionScopeWithHttpMessagesAsync(subscriptionId, parameters, null, cancellationToken).ConfigureAwait(false))
{
return(_result.Body);
}
}
