Azure · msJinLei · Nov 6, 2019 · Oct 29, 2019 · Oct 31, 2019 · Nov 1, 2019
diff --git a/src/Resources/ResourceManager/Components/Constants.cs b/src/Resources/ResourceManager/Components/Constants.cs
@@ -77,17 +77,17 @@ public static class Constants
         /// <summary>
         /// The default policy definition API version.
         /// </summary>
-        public static readonly string PolicyDefinitionApiVersion = "2019-01-01";
+        public static readonly string PolicyDefinitionApiVersion = "2019-06-01";
 
         /// <summary>
         /// The default policy set definition API version.
         /// </summary>
-        public static readonly string PolicySetDefintionApiVersion = "2019-01-01";
+        public static readonly string PolicySetDefintionApiVersion = "2019-06-01";
 
         /// <summary>
         /// The default policy assignment API version.
         /// </summary>
-        public static readonly string PolicyAssignmentApiVersion = "2019-01-01";
+        public static readonly string PolicyAssignmentApiVersion = "2019-06-01";
 
         /// <summary>
         /// The default providers API version.

diff --git a/src/Resources/ResourceManager/Entities/Policy/PolicyAssignmentEnforcementMode.cs b/src/Resources/ResourceManager/Entities/Policy/PolicyAssignmentEnforcementMode.cs
@@ -0,0 +1,32 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+namespace Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Policy
+{
+    /// <summary>
+    /// The policy assignment enforcement mode.
+    /// </summary>
+    public enum PolicyAssignmentEnforcementMode
+    {
+        /// <summary>
+        /// The policy effect is enforced during resource creation or update.
+        /// </summary>
+        Default,
+
+        /// <summary>
+        /// The policy effect is not enforced during resource creation or update.
+        /// </summary>
+        DoNotEnforce
+    }
+}
diff --git a/src/Resources/ResourceManager/Entities/Policy/PolicyAssignmentProperties.cs b/src/Resources/ResourceManager/Entities/Policy/PolicyAssignmentProperties.cs
@@ -52,6 +52,12 @@ public class PolicyAssignmentProperties
         [JsonProperty(Required = Required.Default)]
         public JObject Metadata { get; set; }
 
+        /// <summary>
+        /// The policy assignment enforcement mode.
+        /// </summary>
+        [JsonProperty(Required = Required.Default)]
+        public PolicyAssignmentEnforcementMode? EnforcementMode { get; set; }
+
         /// <summary>
         /// The policy definition id.
         /// </summary>

diff --git a/src/Resources/ResourceManager/Implementation/Policy/NewAzurePolicyAssignment.cs b/src/Resources/ResourceManager/Implementation/Policy/NewAzurePolicyAssignment.cs
@@ -14,16 +14,17 @@
 
 namespace Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation
 {
-    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Components;
-    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Policy;
-    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Extensions;
-    using Newtonsoft.Json.Linq;
-    using Policy;
     using System;
     using System.Collections;
     using System.Management.Automation;
-    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Resources;
+
     using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Components;
+    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Policy;
+    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Resources;
+    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Extensions;    
+    using Newtonsoft.Json.Linq;
+    using Policy;
 
     /// <summary>
     /// Creates a policy assignment.
@@ -108,6 +109,13 @@ public class NewAzurePolicyAssignmentCmdlet : PolicyCmdletBase, IDynamicParamete
         [ValidateNotNullOrEmpty]
         public string Metadata { get; set; }
 
+        /// <summary>
+        /// Gets or sets the policy assignment enforcement mode.
+        /// </summary>
+        [Parameter(Mandatory = false, ValueFromPipelineByPropertyName = true, HelpMessage = PolicyHelpStrings.NewPolicyAssignmentEnforcementModeHelp)]        
+        [ValidateNotNullOrEmpty]
+        public PolicyAssignmentEnforcementMode? EnforcementMode { get; set; }
+
         /// <summary>
         /// Gets or sets a flag indicating whether a system assigned identity should be added to the policy assignment.
         /// </summary>
@@ -193,6 +201,7 @@ private JToken GetResource()
                     Scope = this.Scope,
                     NotScopes = this.NotScope ?? null,
                     Metadata = this.Metadata == null ? null : JObject.Parse(this.GetObjectFromParameter(this.Metadata).ToString()),
+                    EnforcementMode = EnforcementMode ?? PolicyAssignmentEnforcementMode.Default,
                     Parameters = this.GetParameters(this.PolicyParameter, this.PolicyParameterObject)
                 }
             };

diff --git a/src/Resources/ResourceManager/Implementation/Policy/PolicyHelpStrings.cs b/src/Resources/ResourceManager/Implementation/Policy/PolicyHelpStrings.cs
@@ -35,6 +35,7 @@ public static class PolicyHelpStrings
         public const string NewPolicyAssignmentPolicyParameterObjectHelp = "The policy parameters object for the new policy assignment.";
         public const string NewPolicyParameterHelp = "The policy parameters file path or string for the new policy assignment.";
         public const string NewPolicyAssignmentMetadataHelp = "The metadata for the new policy assignment. This can either be a path to a file name containing the metadata, or the metadata as a string.";
+        public const string NewPolicyAssignmentEnforcementModeHelp = "The enforcement mode for the new policy assignment, e.g. Default, DoNotEnforce. It indicates whether a policy effect will be enforced or not during assignment creation and update. Please visit https://aka.ms/azure-policyAssignment-enforcement-mode for more information.";
         public const string NewPolicyAssignmentSkuHelp = "A hash table which specifies sku properties. This parameter is deprecated and ignored.";
         public const string RemovePolicyAssignmentNameHelp = "The name of the policy assignment to delete.";
         public const string RemovePolicyAssignmentScopeHelp = "The scope of the policy assignment to delete, e.g. /providers/managementGroups/{managementGroupName}.";

diff --git a/src/Resources/ResourceManager/Implementation/Policy/SetAzurePolicyAssignment.cs b/src/Resources/ResourceManager/Implementation/Policy/SetAzurePolicyAssignment.cs
@@ -14,15 +14,17 @@
 
 namespace Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation
 {
-    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Components;
-    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Policy;
-    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Extensions;
-    using Newtonsoft.Json.Linq;
-    using Policy;
+    using System;
     using System.Collections;
     using System.Management.Automation;
+
+    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Components;
+    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Policy;
     using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Resources;
+    using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Extensions;
     using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+    using Newtonsoft.Json.Linq;
+    using Policy;      
 
     /// <summary>
     /// Sets the policy assignment.
@@ -114,6 +116,13 @@ public class SetAzurePolicyAssignmentCmdlet : PolicyCmdletBase
         [LocationCompleter("Microsoft.ManagedIdentity/userAssignedIdentities")]
         public string Location { get; set; }
 
+        /// <summary>
+        /// Gets or sets the policy assignment enforcement mode.
+        /// </summary>
+        [Parameter(Mandatory = false, ValueFromPipelineByPropertyName = true, HelpMessage = PolicyHelpStrings.NewPolicyAssignmentEnforcementModeHelp)]
+        [ValidateNotNullOrEmpty]
+        public PolicyAssignmentEnforcementMode? EnforcementMode { get; set; }
+
         /// <summary>
         /// Executes the cmdlet.
         /// </summary>
@@ -154,6 +163,12 @@ private JToken GetResource(string resourceId, string apiVersion)
 
             var metaDataJson = string.IsNullOrEmpty(this.Metadata) ? resource.Properties["metadata"]?.ToString() : GetObjectFromParameter(this.Metadata).ToString();
 
+            PolicyAssignmentEnforcementMode? existingMode = null;
+            if (Enum.TryParse(resource.Properties["enforcementMode"]?.ToString(), true, out PolicyAssignmentEnforcementMode tempMode))
+            {
+                existingMode = tempMode;
+            }
+
             var policyAssignmentObject = new PolicyAssignment
             {
                 Name = this.Name ?? resource.Name,
@@ -167,6 +182,7 @@ private JToken GetResource(string resourceId, string apiVersion)
                     NotScopes = this.NotScope ?? resource.Properties["NotScopes"]?.ToString().Split(','),
                     PolicyDefinitionId = resource.Properties["policyDefinitionId"].ToString(),
                     Metadata = string.IsNullOrEmpty(this.Metadata) ? null : JObject.Parse(metaDataJson),
+                    EnforcementMode = this.EnforcementMode ?? existingMode,
                     Parameters = this.GetParameters(this.PolicyParameter, this.PolicyParameterObject) ?? (JObject)resource.Properties["parameters"]
                 }
             };

diff --git a/src/Resources/Resources.Test/ScenarioTests/PolicyTests.cs b/src/Resources/Resources.Test/ScenarioTests/PolicyTests.cs
@@ -66,6 +66,13 @@ public void TestPolicyAssignmentIdentity()
             TestRunner.RunTestScript("Test-PolicyAssignmentIdentity");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestPolicyAssignmentEnforcementMode()
+        {
+            TestRunner.RunTestScript("Test-PolicyAssignmentEnforcementMode");
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void TestPolicyDefinitionWithParameters()

diff --git a/src/Resources/Resources.Test/ScenarioTests/PolicyTests.ps1 b/src/Resources/Resources.Test/ScenarioTests/PolicyTests.ps1
@@ -18,6 +18,8 @@ $updatedDescription = "Updated $description"
 $metadataName = 'testName'
 $metadataValue = 'testValue'
 $metadata = "{'$metadataName':'$metadataValue'}"
+$enforcementModeDefault = 'Default'
+$enforcementModeDoNotEnforce = 'DoNotEnforce'
 
 $updatedMetadataName = 'newTestName'
 $updatedMetadataValue = 'newTestValue'
@@ -414,6 +416,78 @@ function Test-PolicyAssignmentIdentity
     Assert-AreEqual True $remove
 }
 
+<#
+.SYNOPSIS
+Tests Policy assignment CRUD operations with an enforcement mode property
+#>
+function Test-PolicyAssignmentEnforcementMode
+{
+    # setup
+    $rgname = Get-ResourceGroupName
+    $policyName = Get-ResourceName
+    $location = "westus"
+
+    # make a new resource group and policy definition
+    $rg = New-AzResourceGroup -Name $rgname -Location $location
+    $policy = New-AzPolicyDefinition -Name $policyName -Policy "$TestOutputRoot\SamplePolicyDefinition.json" -Description $description
+
+    # assign the policy definition to the resource group, get the assignment back and validate
+    $actual = New-AzPolicyAssignment -Name testPA -PolicyDefinition $policy -Scope $rg.ResourceId -Description $description -Location $location -EnforcementMode DoNotEnforce
+    $expected = Get-AzPolicyAssignment -Name testPA -Scope $rg.ResourceId
+    Assert-AreEqual $expected.Name $actual.Name
+    Assert-AreEqual Microsoft.Authorization/policyAssignments $actual.ResourceType
+    Assert-AreEqual $expected.PolicyAssignmentId $actual.PolicyAssignmentId
+    Assert-AreEqual $expected.Properties.PolicyDefinitionId $policy.PolicyDefinitionId
+    Assert-AreEqual $expected.Properties.Scope $rg.ResourceId
+    Assert-AreEqual $expected.Properties.EnforcementMode $actual.Properties.EnforcementMode
+	Assert-AreEqual $expected.Properties.EnforcementMode $enforcementModeDoNotEnforce
+    Assert-AreEqual $location $actual.Location
+    Assert-AreEqual $expected.Location $actual.Location
+
+    # get it back by id and validate
+    $actualById = Get-AzPolicyAssignment -Id $actual.ResourceId    
+    Assert-AreEqual $actual.Properties.EnforcementMode $actualById.Properties.EnforcementMode    
+
+	# update the policy assignment, validate enforcement mode is updated correctly with Default enum value.
+    $setResult = Set-AzPolicyAssignment -Id $actualById.ResourceId -DisplayName "testDisplay" -EnforcementMode Default
+    Assert-AreEqual "testDisplay" $setResult.Properties.DisplayName
+    Assert-AreEqual $enforcementModeDefault $setResult.Properties.EnforcementMode
+
+    # update the policy assignment, validate enforcement mode is updated correctly with 'Default' enum as string value.
+    $setResult = Set-AzPolicyAssignment -Id $actualById.ResourceId -DisplayName "testDisplay" -EnforcementMode $enforcementModeDefault
+    Assert-AreEqual "testDisplay" $setResult.Properties.DisplayName
+    Assert-AreEqual $enforcementModeDefault $setResult.Properties.EnforcementMode	
+
+    # make another policy assignment without an enforcementMode, validate default mode is set
+    $withoutEnforcementMode = New-AzPolicyAssignment -Name test2 -Scope $rg.ResourceId -PolicyDefinition $policy -Description $description
+    Assert-AreEqual $enforcementModeDefault $withoutEnforcementMode.Properties.EnforcementMode
+
+    # set an enforcement mode to the new assignment using the SET cmdlet
+    $setResult = Set-AzPolicyAssignment -Id $withoutEnforcementMode.ResourceId -Location $location -EnforcementMode $enforcementModeDoNotEnforce
+    Assert-AreEqual $enforcementModeDoNotEnforce $setResult.Properties.EnforcementMode
+
+	# set an enforcement mode to the new assignment using the SET cmdlet enum value and validate
+    $setResult = Set-AzPolicyAssignment -Id $withoutEnforcementMode.ResourceId -Location $location -EnforcementMode DoNotEnforce
+    Assert-AreEqual $enforcementModeDoNotEnforce $setResult.Properties.EnforcementMode
+
+    # verify enforcement mode is returned in collection GET
+    $list = Get-AzPolicyAssignment -Scope $rg.ResourceId | ?{ $_.Name -in @('testPA', 'test2') }
+    Assert-AreEqual 2 @($list.Properties.EnforcementMode | Select -Unique).Count    
+
+    # clean up
+    $remove = Remove-AzPolicyAssignment -Name testPA -Scope $rg.ResourceId
+    Assert-AreEqual True $remove
+
+    $remove = Remove-AzPolicyAssignment -Name test2 -Scope $rg.ResourceId
+    Assert-AreEqual True $remove
+
+    $remove = Remove-AzPolicyDefinition -Name $policyName -Force
+    Assert-AreEqual True $remove
+
+    $remove = Remove-AzResourceGroup -Name $rgname -Force
+    Assert-AreEqual True $remove
+}
+
 <#
 .SYNOPSIS
 Tests Policy set definition CRUD operations

diff --git a/...rosoft.Azure.Commands.Resources.Test.ScenarioTests.PolicyTests/TestGetBuiltinsByName.json b/...rosoft.Azure.Commands.Resources.Test.ScenarioTests.PolicyTests/TestGetBuiltinsByName.json
diff --git a/...Azure.Commands.Resources.Test.ScenarioTests.PolicyTests/TestGetCmdletFilterParameter.json b/...Azure.Commands.Resources.Test.ScenarioTests.PolicyTests/TestGetCmdletFilterParameter.json