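/// <summary>
/// Verifies that a check-restrictions call at resource group scope reports the field values
/// that a Deny-effect policy assignment on that group would block.
/// </summary>
/// <remarks>
/// The test creates a resource group, assigns the policy definition referenced by ID below with
/// <c>Standard_LRS</c> as the only allowed SKU, and then submits three candidate SKU values.
/// It expects a single Deny restriction listing the two values that are not allowed.
/// The resource group is deleted in a <c>finally</c> block so a failed assertion does not leave
/// the group behind in the test subscription.
/// </remarks>
public void PolicyRestrictions_ResourceGroupScope()
{
    const string ResourceGroupName = "checkRestrictSdkTests";

    using (var context = MockContext.Start(this.GetType()))
    {
        // Create a resource group in the first location advertised for the resourceGroups type.
        var armClient = context.GetServiceClient<ResourceManagementClient>();
        var armResourceTypes = armClient.ProviderResourceTypes.List("Microsoft.Resources");
        var resourceGroupType = armResourceTypes.Value.First(
            resourceType => resourceType.ResourceType.Equals("resourceGroups", StringComparison.OrdinalIgnoreCase));
        armClient.ResourceGroups.CreateOrUpdate(ResourceGroupName, new ResourceGroup(location: resourceGroupType.Locations[0]));

        try
        {
            // Add a policy assignment (allowed storage account SKUs) that can be used to validate checkPolicyRestrictions.
            // The assignment is scoped to the test resource group only, so the Deny effect cannot reach other resources.
            var armPolicyClient = context.GetServiceClient<PolicyClient>();
            var policyAssignmentParams = new PolicyAssignment
            {
                PolicyDefinitionId = "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
                Parameters = new Dictionary<string, ParameterValuesValue>
                {
                    ["effect"] = new ParameterValuesValue("Deny"),
                    ["listOfAllowedSKUs"] = new ParameterValuesValue(new[] { "Standard_LRS" })
                }
            };
            var scope = $"/subscriptions/{armPolicyClient.SubscriptionId}/resourceGroups/{ResourceGroupName}";
            armPolicyClient.PolicyAssignments.Create(scope: scope, policyAssignmentName: "checkRestrictSdkTest", parameters: policyAssignmentParams);

            // Send a check restrictions request with a potential list of SKUs, two will be denied.
            var checkRestrictionsParams = new CheckRestrictionsRequest
            {
                ResourceDetails = new CheckRestrictionsResourceDetails
                {
                    ApiVersion = "2021-04-01",
                    ResourceContent = new JObject(new JProperty("type", "Microsoft.Storage/storageAccounts"))
                },
                PendingFields = new[]
                {
                    new PendingField
                    {
                        Field = "Microsoft.Storage/storageAccounts/sku.name",
                        Values = new[] { "Standard_ZRS", "Premium_LRS", "Standard_LRS" }
                    }
                }
            };

            var policyRestrictionsClient = context.GetServiceClient<PolicyInsightsClient>();
            var checkRestrictionsResult = policyRestrictionsClient.PolicyRestrictions.CheckAtResourceGroupScope(
                subscriptionId: armPolicyClient.SubscriptionId,
                resourceGroupName: ResourceGroupName,
                parameters: checkRestrictionsParams);

            // Only the resource type was supplied as content, so no content evaluations are expected.
            Assert.Equal(0, checkRestrictionsResult.ContentEvaluationResult.PolicyEvaluations.Count);

            // Exactly one field (sku.name) should carry one Deny restriction with the two disallowed values.
            Assert.Equal(1, checkRestrictionsResult.FieldRestrictions.Count);
            var fieldRestriction = checkRestrictionsResult.FieldRestrictions[0];
            Assert.Equal("Microsoft.Storage/storageAccounts/sku.name", fieldRestriction.Field);
            Assert.Equal(1, fieldRestriction.Restrictions.Count);
            Assert.Equal("Deny", fieldRestriction.Restrictions[0].Result);
            Assert.Equal(2, fieldRestriction.Restrictions[0].Values.Count);
            Assert.Equal(new[] { "Standard_ZRS", "Premium_LRS" }, fieldRestriction.Restrictions[0].Values, StringComparer.OrdinalIgnoreCase);
        }
        finally
        {
            // Runs on success and on assertion failure alike. The policy assignment is not removed
            // explicitly. NOTE(review): confirm it is cleaned up together with the resource group.
            armClient.ResourceGroups.Delete(ResourceGroupName);
        }
    }
}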
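/// <summary>
/// Checks what restrictions Azure Policy will place on a resource within a
/// subscription.
/// </summary>
/// <param name='subscriptionId'>
/// The ID of the target subscription.
/// </param>
/// <param name='parameters'>
/// The check policy restrictions parameters.
/// </param>
/// <param name='customHeaders'>
/// Headers that will be added to request. A header supplied here replaces any header of the
/// same name already on the request and is added without validation.
/// </param>
/// <param name='cancellationToken'>
/// The cancellation token.
/// </param>
/// <exception cref="ErrorResponseException">
/// Thrown when the operation returned an invalid status code
/// </exception>
/// <exception cref="SerializationException">
/// Thrown when unable to deserialize the response
/// </exception>
/// <exception cref="ValidationException">
/// Thrown when a required parameter is null or <paramref name="subscriptionId"/> is empty
/// </exception>
/// <exception cref="System.ArgumentNullException">
/// Thrown when a required parameter is null
/// </exception>
/// <returns>
/// A response object containing the response body and response headers.
/// </returns>
public async Task<AzureOperationResponse<CheckRestrictionsResult>> CheckAtSubscriptionScopeWithHttpMessagesAsync(string subscriptionId, CheckRestrictionsRequest parameters, Dictionary<string, List<string>> customHeaders = null, CancellationToken cancellationToken = default(CancellationToken))
{
    if (subscriptionId == null)
    {
        throw new ValidationException(ValidationRules.CannotBeNull, "subscriptionId");
    }
    if (subscriptionId.Length < 1)
    {
        throw new ValidationException(ValidationRules.MinLength, "subscriptionId", 1);
    }
    if (parameters == null)
    {
        throw new ValidationException(ValidationRules.CannotBeNull, "parameters");
    }
    parameters.Validate();

    string apiVersion = "2020-07-01";

    // Tracing
    // The tracing parameters include the full request payload object, so trace sinks see
    // whatever resource details the caller submitted.
    bool _shouldTrace = ServiceClientTracing.IsEnabled;
    string _invocationId = null;
    if (_shouldTrace)
    {
        _invocationId = ServiceClientTracing.NextInvocationId.ToString();
        Dictionary<string, object> tracingParameters = new Dictionary<string, object>();
        tracingParameters.Add("subscriptionId", subscriptionId);
        tracingParameters.Add("apiVersion", apiVersion);
        tracingParameters.Add("parameters", parameters);
        tracingParameters.Add("cancellationToken", cancellationToken);
        ServiceClientTracing.Enter(_invocationId, this, "CheckAtSubscriptionScope", tracingParameters);
    }

    // Construct URL
    // subscriptionId is percent-encoded before substitution, so it cannot add path segments
    // or query parameters to the request URL.
    var _baseUrl = Client.BaseUri.AbsoluteUri;
    var _url = new System.Uri(new System.Uri(_baseUrl + (_baseUrl.EndsWith("/") ? "" : "/")), "subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/checkPolicyRestrictions").ToString();
    _url = _url.Replace("{subscriptionId}", System.Uri.EscapeDataString(subscriptionId));
    List<string> _queryParameters = new List<string>();
    if (apiVersion != null)
    {
        _queryParameters.Add(string.Format("api-version={0}", System.Uri.EscapeDataString(apiVersion)));
    }
    if (_queryParameters.Count > 0)
    {
        _url += (_url.Contains("?") ? "&" : "?") + string.Join("&", _queryParameters);
    }

    // Create HTTP transport objects
    var _httpRequest = new HttpRequestMessage();
    HttpResponseMessage _httpResponse = null;

    // On success the request and response are handed to the caller through the result object.
    // On every other exit (cancellation, transport failure, error status, bad payload) they are
    // disposed in the finally block below instead of being leaked.
    bool _completed = false;
    try
    {
        _httpRequest.Method = new HttpMethod("POST");
        _httpRequest.RequestUri = new System.Uri(_url);

        // Set Headers
        if (Client.GenerateClientRequestId != null && Client.GenerateClientRequestId.Value)
        {
            _httpRequest.Headers.TryAddWithoutValidation("x-ms-client-request-id", System.Guid.NewGuid().ToString());
        }
        if (Client.AcceptLanguage != null)
        {
            if (_httpRequest.Headers.Contains("accept-language"))
            {
                _httpRequest.Headers.Remove("accept-language");
            }
            _httpRequest.Headers.TryAddWithoutValidation("accept-language", Client.AcceptLanguage);
        }
        if (customHeaders != null)
        {
            // Caller-supplied headers win over the ones set above and are not validated here,
            // so callers should not forward header names or values from untrusted input.
            foreach (var _header in customHeaders)
            {
                if (_httpRequest.Headers.Contains(_header.Key))
                {
                    _httpRequest.Headers.Remove(_header.Key);
                }
                _httpRequest.Headers.TryAddWithoutValidation(_header.Key, _header.Value);
            }
        }

        // Serialize Request
        string _requestContent = Rest.Serialization.SafeJsonConvert.SerializeObject(parameters, Client.SerializationSettings);
        _httpRequest.Content = new StringContent(_requestContent, System.Text.Encoding.UTF8);
        _httpRequest.Content.Headers.ContentType = System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json; charset=utf-8");

        // Set Credentials
        if (Client.Credentials != null)
        {
            cancellationToken.ThrowIfCancellationRequested();
            await Client.Credentials.ProcessHttpRequestAsync(_httpRequest, cancellationToken).ConfigureAwait(false);
        }

        // Send Request
        if (_shouldTrace)
        {
            // The request reaches the tracer after credential processing, so anything the
            // credentials attached to it (presumably an authorization header; not visible in
            // this method) is exposed to trace interceptors. Restrict access to trace output.
            ServiceClientTracing.SendRequest(_invocationId, _httpRequest);
        }
        cancellationToken.ThrowIfCancellationRequested();
        _httpResponse = await Client.HttpClient.SendAsync(_httpRequest, cancellationToken).ConfigureAwait(false);
        if (_shouldTrace)
        {
            ServiceClientTracing.ReceiveResponse(_invocationId, _httpResponse);
        }
        HttpStatusCode _statusCode = _httpResponse.StatusCode;
        cancellationToken.ThrowIfCancellationRequested();
        string _responseContent = null;

        if ((int)_statusCode != 200)
        {
            var _error = new ErrorResponseException(string.Format("Operation returned an invalid status code '{0}'", _statusCode));
            try
            {
                _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false);
                ErrorResponse _errorBody = Rest.Serialization.SafeJsonConvert.DeserializeObject<ErrorResponse>(_responseContent, Client.DeserializationSettings);
                if (_errorBody != null)
                {
                    _error.Body = _errorBody;
                }
            }
            catch (JsonException)
            {
                // Best effort: an unparseable error body must not hide the status-code failure.
            }

            // The exception carries the serialized request payload and the raw response body;
            // treat it as potentially sensitive when writing it to logs.
            _error.Request = new HttpRequestMessageWrapper(_httpRequest, _requestContent);
            _error.Response = new HttpResponseMessageWrapper(_httpResponse, _responseContent);
            if (_shouldTrace)
            {
                ServiceClientTracing.Error(_invocationId, _error);
            }
            throw _error;
        }

        // Create Result
        var _result = new AzureOperationResponse<CheckRestrictionsResult>();
        _result.Request = _httpRequest;
        _result.Response = _httpResponse;
        if (_httpResponse.Headers.Contains("x-ms-request-id"))
        {
            _result.RequestId = _httpResponse.Headers.GetValues("x-ms-request-id").FirstOrDefault();
        }

        // Deserialize Response (status is known to be 200 at this point)
        _responseContent = await _httpResponse.Content.ReadAsStringAsync().ConfigureAwait(false);
        try
        {
            _result.Body = Rest.Serialization.SafeJsonConvert.DeserializeObject<CheckRestrictionsResult>(_responseContent, Client.DeserializationSettings);
        }
        catch (JsonException _jsonError)
        {
            throw new SerializationException("Unable to deserialize the response.", _responseContent, _jsonError);
        }

        if (_shouldTrace)
        {
            ServiceClientTracing.Exit(_invocationId, _result);
        }
        _completed = true;
        return _result;
    }
    finally
    {
        if (!_completed)
        {
            _httpRequest.Dispose();
            if (_httpResponse != null)
            {
                _httpResponse.Dispose();
            }
        }
    }
}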
/// <summary>
/// Checks what restrictions Azure Policy will place on a resource within a
/// resource group. Use this when the resource group the resource will be
/// created in is already known.
/// </summary>
/// <remarks>
/// Synchronous wrapper: it starts the asynchronous operation and blocks the calling thread
/// until that operation finishes. Code that is already asynchronous should call the
/// <c>Async</c> variant directly rather than block on it.
/// </remarks>
/// <param name='operations'>
/// The operations group for this extension method.
/// </param>
/// <param name='subscriptionId'>
/// The ID of the target subscription.
/// </param>
/// <param name='resourceGroupName'>
/// The name of the resource group. The name is case insensitive.
/// </param>
/// <param name='parameters'>
/// The check policy restrictions parameters.
/// </param>
/// <returns>
/// The result produced by the asynchronous check.
/// </returns>
public static CheckRestrictionsResult CheckAtResourceGroupScope(this IPolicyRestrictionsOperations operations, string subscriptionId, string resourceGroupName, CheckRestrictionsRequest parameters)
{
    var pendingCheck = operations.CheckAtResourceGroupScopeAsync(subscriptionId, resourceGroupName, parameters);

    // GetResult() rethrows the operation's own exception rather than an AggregateException.
    return pendingCheck.GetAwaiter().GetResult();
}
/// <summary>
/// Checks what restrictions Azure Policy will place on a resource within a
/// subscription.
/// </summary>
/// <remarks>
/// Calls the <c>WithHttpMessages</c> overload without custom headers, returns only the
/// response body, and disposes the response wrapper before returning.
/// </remarks>
/// <param name='operations'>
/// The operations group for this extension method.
/// </param>
/// <param name='subscriptionId'>
/// The ID of the target subscription.
/// </param>
/// <param name='parameters'>
/// The check policy restrictions parameters.
/// </param>
/// <param name='cancellationToken'>
/// The cancellation token.
/// </param>
/// <returns>
/// The body of the operation response.
/// </returns>
public static async Task<CheckRestrictionsResult> CheckAtSubscriptionScopeAsync(this IPolicyRestrictionsOperations operations, string subscriptionId, CheckRestrictionsRequest parameters, CancellationToken cancellationToken = default(CancellationToken))
{
    var response = await operations
        .CheckAtSubscriptionScopeWithHttpMessagesAsync(subscriptionId, parameters, null, cancellationToken)
        .ConfigureAwait(false);

    // The wrapper is released once the body has been read from it.
    using (response)
    {
        return response.Body;
    }
}