diff --git a/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/preview/2020-07-01-preview/checkPolicyRestrictions.json b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/preview/2020-07-01-preview/checkPolicyRestrictions.json new file mode 100644 index 000000000000..a04d6737e3ef --- /dev/null +++ b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/preview/2020-07-01-preview/checkPolicyRestrictions.json @@ -0,0 +1,320 @@ +{ + "swagger": "2.0", + "info": { + "title": "CheckPolicyRestrictionsClient", + "version": "2020-07-01-preview" + }, + "host": "management.azure.com", + "schemes": [ + "https" + ], + "produces": [ + "application/json" + ], + "security": [ + { + "azure_auth": [ + "user_impersonation" + ] + } + ], + "securityDefinitions": { + "azure_auth": { + "type": "oauth2", + "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", + "flow": "implicit", + "description": "Azure Active Directory OAuth2 Flow", + "scopes": { + "user_impersonation": "impersonate your user account" + } + } + }, + "paths": { + "/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/checkPolicyRestrictions": { + "post": { + "operationId": "PolicyRestrictions_CheckAtSubscriptionScope", + "description": "Checks what restrictions Azure Policy will place on a resource within a subscription.", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "name": "parameters", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/CheckRestrictionsRequest" + }, + "description": "The check policy restrictions parameters." + } + ], + "responses": { + "200": { + "description": "The restrictions that will be placed on the resource by Azure Policy.", + "schema": { + "$ref": "#/definitions/CheckRestrictionsResult" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../stable/2019-10-01/policyMetadata.json#/definitions/ErrorResponse" + } + } + }, + "x-ms-examples": { + "Check policy restrictions at subscription scope": { + "$ref": "./examples/PolicyRestrictions_CheckAtSubscriptionScope.json" + } + } + } + }, + "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.PolicyInsights/checkPolicyRestrictions": { + "post": { + "operationId": "PolicyRestrictions_CheckAtResourceGroupScope", + "description": "Checks what restrictions Azure Policy will place on a resource within a resource group. Use this when the resource group the resource will be created in is already known.", + "parameters": [ + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" + }, + { + "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" + }, + { + "name": "parameters", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/CheckRestrictionsRequest" + }, + "description": "The check policy restrictions parameters." + } + ], + "responses": { + "200": { + "description": "The restrictions that will be placed on the resource by Azure Policy.", + "schema": { + "$ref": "#/definitions/CheckRestrictionsResult" + } + }, + "default": { + "description": "Error response describing why the operation failed.", + "schema": { + "$ref": "../../stable/2019-10-01/policyMetadata.json#/definitions/ErrorResponse" + } + } + }, + "x-ms-examples": { + "Check policy restrictions at resource group scope": { + "$ref": "./examples/PolicyRestrictions_CheckAtResourceGroupScope.json" + } + } + } + } + }, + "definitions": { + "CheckRestrictionsRequest": { + "description": "The check policy restrictions parameters describing the resource that is being evaluated.", + "properties": { + "resourceDetails": { + "description": "The information about the resource that will be evaluated.", + "$ref": "#/definitions/CheckRestrictionsResourceDetails" + }, + "pendingFields": { + "description": "The list of fields and values that should be evaluated for potential restrictions.", + "type": "array", + "items": { + "$ref": "#/definitions/PendingField" + } + } + }, + "required": [ + "resourceDetails" + ] + }, + "CheckRestrictionsResourceDetails": { + "description": "The information about the resource that will be evaluated.", + "properties": { + "resourceContent": { + "description": "The resource content. This should include whatever properties are already known and can be a partial set of all resource properties.", + "type": "object" + }, + "apiVersion": { + "description": "The api-version of the resource content.", + "type": "string" + }, + "scope": { + "description": "The scope where the resource is being created. For example, if the resource is a child resource this would be the parent resource's resource ID.", + "type": "string" + } + }, + "required": [ + "resourceContent" + ] + }, + "PendingField": { + "description": "A field that should be evaluated against Azure Policy to determine restrictions.", + "properties": { + "field": { + "description": "The name of the field. This can be a top-level property like 'name' or 'type' or an Azure Policy field alias.", + "type": "string" + }, + "values": { + "description": "The list of potential values for the field that should be evaluated against Azure Policy.", + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "field" + ] + }, + "CheckRestrictionsResult": { + "description": "The result of a check policy restrictions evaluation on a resource.", + "properties": { + "fieldRestrictions": { + "description": "The restrictions that will be placed on various fields in the resource by policy.", + "type": "array", + "items": { + "$ref": "#/definitions/FieldRestrictions" + }, + "readOnly": true + }, + "contentEvaluationResult": { + "description": "Evaluation results for the provided partial resource content.", + "properties": { + "policyEvaluations": { + "description": "Policy evaluation results against the given resource content. This will indicate if the partial content that was provided will be denied as-is.", + "type": "array", + "items": { + "$ref": "#/definitions/PolicyEvaluationResult" + } + } + }, + "readOnly": true + } + } + }, + "FieldRestrictions": { + "description": "The restrictions that will be placed on a field in the resource by policy.", + "properties": { + "field": { + "description": "The name of the field. This can be a top-level property like 'name' or 'type' or an Azure Policy field alias.", + "type": "string", + "readOnly": true + }, + "restrictions": { + "description": "The restrictions placed on that field by policy.", + "type": "array", + "items": { + "$ref": "#/definitions/FieldRestriction" + } + } + } + }, + "FieldRestriction": { + "description": "The restrictions on a field imposed by a specific policy.", + "properties": { + "result": { + "description": "The type of restriction that is imposed on the field.", + "type": "string", + "enum": [ + "Required", + "Removed", + "Deny" + ], + "x-ms-enum": { + "name": "FieldRestrictionResult", + "modelAsString": true, + "values": [ + { + "value": "Required", + "description": "The field and/or values are required by policy." + }, + { + "value": "Removed", + "description": "The field will be removed by policy." + }, + { + "value": "Deny", + "description": "The field and/or values will be denied by policy." + } + ] + }, + "readOnly": true + }, + "defaultValue": { + "description": "The value that policy will set for the field if the user does not provide a value.", + "type": "string", + "readOnly": true + }, + "values": { + "description": "The values that policy either requires or denies for the field.", + "type": "array", + "items": { + "type": "string" + }, + "readOnly": true + }, + "policy": { + "description": "The details of the policy that is causing the field restriction.", + "$ref": "#/definitions/PolicyReference", + "readOnly": true + } + } + }, + "PolicyEvaluationResult": { + "description": "The result of a non-compliant policy evaluation against the given resource content.", + "properties": { + "policyInfo": { + "description": "The details of the policy that was evaluated.", + "$ref": "#/definitions/PolicyReference", + "readOnly": true + }, + "evaluationResult": { + "description": "The result of the policy evaluation against the resource. This will typically be 'NonCompliant' but may contain other values if errors were encountered.", + "type": "string", + "readOnly": true + }, + "evaluationDetails": { + "description": "The detailed results of the policy expressions and values that were evaluated.", + "$ref": "../../stable/2019-10-01/policyStates.json#/definitions/PolicyEvaluationDetails", + "readOnly": true + } + } + }, + "PolicyReference": { + "description": "Resource identifiers for a policy.", + "properties": { + "policyDefinitionId": { + "description": "The resource identifier of the policy definition.", + "type": "string", + "readOnly": true + }, + "policySetDefinitionId": { + "description": "The resource identifier of the policy set definition.", + "type": "string", + "readOnly": true + }, + "policyDefinitionReferenceId": { + "description": "The reference identifier of a specific policy definition within a policy set definition.", + "type": "string", + "readOnly": true + }, + "policyAssignmentId": { + "description": "The resource identifier of the policy assignment.", + "type": "string", + "readOnly": true + } + } + } + } +} diff --git a/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/preview/2020-07-01-preview/examples/PolicyRestrictions_CheckAtResourceGroupScope.json b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/preview/2020-07-01-preview/examples/PolicyRestrictions_CheckAtResourceGroupScope.json new file mode 100644 index 000000000000..4ee7a707de9e --- /dev/null +++ b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/preview/2020-07-01-preview/examples/PolicyRestrictions_CheckAtResourceGroupScope.json @@ -0,0 +1,137 @@ +{ + "parameters": { + "subscriptionId": "35ee058e-5fa0-414c-8145-3ebb8d09b6e2", + "resourceGroupName": "vmRg", + "api-version": "2020-07-01-preview", + "parameters": { + "resourceDetails": { + "resourceContent": { + "type": "Microsoft.Compute/virtualMachines", + "properties": { + "priority": "Spot" + } + }, + "apiVersion": "2019-12-01" + }, + "pendingFields": [ + { + "field": "name", + "values": [ + "myVMName" + ] + }, + { + "field": "location", + "values": [ + "eastus", + "westus", + "westus2", + "westeurope" + ] + }, + { + "field": "tags" + } + ] + } + }, + "responses": { + "200": { + "headers": {}, + "body": { + "fieldRestrictions": [ + { + "field": "tags.newtag", + "restrictions": [ + { + "result": "Required", + "defaultValue": "defaultVal", + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/1D0906C3", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/57DAC8A0", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/05D92080", + "policyDefinitionReferenceId": "DefRef" + } + } + ] + }, + { + "field": "tags.environment", + "restrictions": [ + { + "result": "Required", + "values": [ + "Prod", + "Int", + "Test" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/30BD79F6", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/7EB1508A", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/735551F1", + "policyDefinitionReferenceId": "DefRef" + } + } + ] + }, + { + "field": "location", + "restrictions": [ + { + "result": "Deny", + "values": [ + "west europe" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/0711CCC1", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/1563EBD3", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/1E17783A", + "policyDefinitionReferenceId": "DefRef" + } + }, + { + "result": "Deny", + "values": [ + "eastus", + "westus" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/25C9F66B", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/5382A69D", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/392D107B", + "policyDefinitionReferenceId": "DefRef" + } + } + ] + } + ], + "contentEvaluationResult": { + "policyEvaluations": [ + { + "policyInfo": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/435CAE41", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/2162358E", + "policyDefinitionReferenceId": "defref222", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/2FF66C37" + }, + "evaluationResult": "NonCompliant", + "evaluationDetails": { + "evaluatedExpressions": [ + { + "result": "True", + "expressionKind": "field", + "expression": "type", + "path": "type", + "expressionValue": "microsoft.compute/virtualmachines", + "targetValue": "microsoft.compute/virtualmachines", + "operator": "equals" + } + ] + } + } + ] + } + } + } + } +} diff --git a/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/preview/2020-07-01-preview/examples/PolicyRestrictions_CheckAtSubscriptionScope.json b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/preview/2020-07-01-preview/examples/PolicyRestrictions_CheckAtSubscriptionScope.json new file mode 100644 index 000000000000..fb598eda4f9e --- /dev/null +++ b/specification/policyinsights/resource-manager/Microsoft.PolicyInsights/preview/2020-07-01-preview/examples/PolicyRestrictions_CheckAtSubscriptionScope.json @@ -0,0 +1,136 @@ +{ + "parameters": { + "subscriptionId": "35ee058e-5fa0-414c-8145-3ebb8d09b6e2", + "api-version": "2020-07-01-preview", + "parameters": { + "resourceDetails": { + "resourceContent": { + "type": "Microsoft.Compute/virtualMachines", + "properties": { + "priority": "Spot" + } + }, + "apiVersion": "2019-12-01" + }, + "pendingFields": [ + { + "field": "name", + "values": [ + "myVMName" + ] + }, + { + "field": "location", + "values": [ + "eastus", + "westus", + "westus2", + "westeurope" + ] + }, + { + "field": "tags" + } + ] + } + }, + "responses": { + "200": { + "headers": {}, + "body": { + "fieldRestrictions": [ + { + "field": "tags.newtag", + "restrictions": [ + { + "result": "Required", + "defaultValue": "defaultVal", + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/1D0906C3", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/57DAC8A0", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/05D92080", + "policyDefinitionReferenceId": "DefRef" + } + } + ] + }, + { + "field": "tags.environment", + "restrictions": [ + { + "result": "Required", + "values": [ + "Prod", + "Int", + "Test" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/30BD79F6", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/7EB1508A", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/735551F1", + "policyDefinitionReferenceId": "DefRef" + } + } + ] + }, + { + "field": "location", + "restrictions": [ + { + "result": "Deny", + "values": [ + "west europe" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/0711CCC1", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/1563EBD3", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/1E17783A", + "policyDefinitionReferenceId": "DefRef" + } + }, + { + "result": "Deny", + "values": [ + "eastus", + "westus" + ], + "policy": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/25C9F66B", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/5382A69D", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/392D107B", + "policyDefinitionReferenceId": "DefRef" + } + } + ] + } + ], + "contentEvaluationResult": { + "policyEvaluations": [ + { + "policyInfo": { + "policyDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyDefinitions/435CAE41", + "policySetDefinitionId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policySetDefinitions/2162358E", + "policyDefinitionReferenceId": "defref222", + "policyAssignmentId": "/subscriptions/d8db6de6-2b96-46af-b825-07aef2033c0b/providers/microsoft.authorization/policyAssignments/2FF66C37" + }, + "evaluationResult": "NonCompliant", + "evaluationDetails": { + "evaluatedExpressions": [ + { + "result": "True", + "expressionKind": "field", + "expression": "type", + "path": "type", + "expressionValue": "microsoft.compute/virtualmachines", + "targetValue": "microsoft.compute/virtualmachines", + "operator": "equals" + } + ] + } + } + ] + } + } + } + } +} diff --git a/specification/policyinsights/resource-manager/readme.md b/specification/policyinsights/resource-manager/readme.md index cefb975388db..cbc00aac1872 100644 --- a/specification/policyinsights/resource-manager/readme.md +++ b/specification/policyinsights/resource-manager/readme.md @@ -163,6 +163,19 @@ input-file: - Microsoft.PolicyInsights/stable/2020-07-01/checkPolicyRestrictions.json ``` +### Tag: package-2020-07-preview + +These settings apply only when `--tag=package-2020-07-preview` is specified on the command line. + +``` yaml $(tag) == 'package-2020-07-preview' +input-file: +- Microsoft.PolicyInsights/preview/2018-07-01-preview/policyTrackedResources.json +- Microsoft.PolicyInsights/stable/2019-07-01/remediations.json +- Microsoft.PolicyInsights/stable/2019-10-01/policyEvents.json +- Microsoft.PolicyInsights/stable/2019-10-01/policyStates.json +- Microsoft.PolicyInsights/stable/2019-10-01/policyMetadata.json +- Microsoft.PolicyInsights/preview/2020-07-01-preview/checkPolicyRestrictions.json +``` ### Tag: package-2019-10