Policy parameters support in New-AzureRmPolicyDefinition and New-AzureRmPolicyAssignment

[luanshixia]

Description

Added support for policy parameters to the 2 cmdlets to use the feature provided by API version 2016-12-01.

---

This checklist is used to make sure that common guidelines for a pull request are followed. You can find a more complete discussion of PowerShell cmdlet best practices here.

• I have read the contribution guidelines.
• If changes were made to any cmdlet, the XML help was regenerated using the platyPSHelp module.
• If any large changes are made to a service, they are reflected in the respective change log.

General Guidelines

• Title of the pull request is clear and informative.
• There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.
• The pull request does not introduce breaking changes (unless a major version change occurs in the assembly and module).

Testing Guidelines

• Pull request includes test coverage for the included changes.
• PowerShell scripts used in tests should do any necessary setup as part of the test or suite setup, and should not use hard-coded values for locations or existing resources.

Cmdlet Signature Guidelines

• New cmdlets that make changes or have side effects should implement ShouldProcess and have SupportShouldProcess=true specified in the cmdlet attribute. You can find more information on ShouldProcess here.
• Cmdlet specifies OutputType attribute if any output is produced - if the cmdlet produces no output, it should implement a PassThru parameter.

Cmdlet Parameter Guidelines

• Parameter types should not expose types from the management library - complex parameter types should be defined in the module.
• Cmdlet parameter sets should be mutually exclusive - each parameter set must have at least one mandatory parameter not in other parameter sets.
• Complex parameter types are discouraged - a parameter type should be simple types as often as possible. If complex types are used, they should be shallow and easily creatable from a constructor or another cmdlet.

[azurecla]

Hi @luanshixia, I'm your friendly neighborhood Azure Pull Request Bot (You can call me AZPRBOT). Thanks for your contribution!

It looks like you're working at Microsoft (wayan). If you're full-time, we DON'T require a contribution license agreement.

If you are a vendor, DO please sign the electronic contribution license agreement. It will take 2 minutes and there's no faxing! https://cla.azure.com.

TTYL, AZPRBOT;

[azuresdkci]

Can one of the admins verify this patch?

[maphad]

Typo in the help message "pollicy" should be "policy"

[maphad]

Typo in the help message "pollicy"

[maphad]

we usually scope the function calls, so this should be this.GetParameters()

[maphad]

We should have validation so that user cannot specify both PolicyParameterObject and PolicyParameters.
This can be implemented using parameter sets.

[maphad]

Should we rename this to PolicyParametersFile?

[luanshixia]

Just confirmed with Mike that it is the expected behavior.

[maphad]

I think it is confusing to use a single parameter as maybe a file name or maybe a string representing parameters.
We should explicitly make them two separate parameters. So in total we should have three parameters:
PolicyParameters
PolicyParametersFile
PolicyParametersObject.
Each should be in its own ParameterSet so that user can only specify one of them.

Were you specifically asked to use just two parameters?

[maphad]

For how to use ParameterSets u can refer to this documentation https://msdn.microsoft.com/en-us/library/dd878348(v=vs.85).aspx. Also several of our existing cmdlets use parameter sets.

[luanshixia]

For the 1st one: Just confirmed with Mike that it is the expected behavior.
For the 2nd one: Yes will do that.

[maphad]

No need of else here since you are returning control from if

[maphad]

scope it as this.PolicyDefinition, everywhere

[maphad]

As above I think we shouldn't use the same parameter as maybe a filePath or a parameter. It would be cleaner to have two separate parameters in two different parameter sets.

[luanshixia]

Just confirmed with Mike that it is the expected behavior.

[maphad]

who calls this method and can u point me to how dynamic parameters work?

[luanshixia]

This interface method is called by the PowerShell engine (thus a callback), so PowerShell can know what parameters are defined dynamically in the cmdlet and allow users to provide values for them.

[maphad]

this.GetParametersObject

[maphad]

This looks like it has 3 commits. We should squash changes to a single commit, so that it is easy to revert the entire change if required.

[luanshixia]

This can be a 1-click when merging on this page, though I don't have permission to do that now.

[maphad]

ok please squash before merging then.

[maphad]

You can add scenario tests once you have addressed the PR comments.
Also get this PR reviewed by vivsrini.

[cormacpayne]

@azuresdkci add to whitelist

[vivsriaus]

This doesn't look like it belongs here. Can we move this out to a common/util file?

[luanshixia]

This is the implementation of the interface IDynamicParameters, which the class conforms to.

[vivsriaus]

Please add scenario tests/moq tests for both these cmdlets

[vivsriaus]

Can you please confirm that there are no changes required for other policy cmdlets? i.e.,

1. Get/set/remove policy definition works with and without parameters
2. Get/set/remove policy assignment works with and without parameters

[luanshixia]

AFAIK, no impact at this time.

[vivsriaus]

PolicyDefinitionParameters?

[vivsriaus]

PolicyAssignmentParameters?

TBH, the names are confusing as-is (what is the difference between parameters in policy def vs policy assignment?)

[vivsriaus]

Also, please ensure the help files are updated accordingly

[luanshixia]

For 1: So the parameters in policy def are declarations and those in policy assignment are actual values. I know the names are confusing, but I have confirmed with Mike about these names.
For 2: Will do that.

[vivsriaus]

:)

[vivsriaus]

No api-version change for policy cmdlets?

[cormacpayne]

@luanshixia the build is failing since you are introducing parameters PolicyParameters and Parameters, which do not follow the PowerShell convention of parameters having a singular noun

[maphad]

just curious as to why the new API version date is set to December instead of a more recent date?

[luanshixia]

Per the resource schema seen on Azure Portal, the latest version for policy is 2016-12-01:

        {
            "resourceType": "policyDefinitions",
            "locations": [],
            "apiVersions": [
                "2016-12-01",
                "2016-04-01",
                "2015-10-01-preview"
            ]
        },
        {
            "resourceType": "policyAssignments",
            "locations": [],
            "apiVersions": [
                "2016-12-01",
                "2016-04-01",
                "2015-10-01-preview"
            ]
        },

[maphad]

You can rename this to Parameter to be consistent with the PolicyDefinitionProperties class

[luanshixia]

Unfortunately this property cannot be renamed because that should match the REST API. (I also only realized this when I caught an error after trying to keep consistency). Of course we can match names using JsonProperty attribute, but no need.

[luanshixia]

@cormacpayne Thanks so much for the help. I will rollback my workaround once you have a fix.

[maphad]

Add a newline at end of file.

[maphad]

you can use var instead of string as is the convention.

[luanshixia]

Here "keys" is of type IEnumerable not IEnumerable<string> so paramKey will not be inferred as string unless declared specific.

[maphad]

The method name ToParameterObject is specific to its use in the policy commandlet.
Since this is a utility method it can be used from elsewhere. Can we use a more generic name like ToJsonObject or ToJObject?

[maphad]

Is this line required?

[luanshixia]

So @cormacpayne is working on a fix for BreakingChangeAnalyzer which prevents this PR from passing the build (the reason: the analyzer compares the parameter set with the previous build. In previous build this property belongs to the default parameter set, so it enforces this for later builds). This line is a workaround which can be removed after his fix.

[maphad]

Add newline at end of file.

[maphad]

scope local method calls as this.GetParametersObject()

[vivsriaus]

LGTM

[luanshixia]

@cormacpayne I have already got two peer approvals but I don't have the permission to merge it. Could you please merge it so that it can make the 2/15 deadline? Thanks!

[cormacpayne]

@luanshixia a couple of comments

[cormacpayne]

@luanshixia if this parameter is required in every single parameter set, why make this change? Previously it was a globally required parameter, so it was required in any parameter set you used. The same applies now with the changes you are trying to make here.

[luanshixia]

@cormacpayne So there are 3 usages:

• PolicyDefinition only
• PolicyDefinition + PolicyParameterObject
• PolicyDefinition + PolicyParameter

We don't want users to set both PolicyParameterObject and PolicyParameter, so we use two different sets for them. But we also need to allow users to set none of PolicyParameterObject and PolicyParameter, which comes the third set. Note we have to set Mandatory=true for PolicyParameterObject and PolicyParameter or we will get parameter set resolving conflict.

[cormacpayne]

@luanshixia I am fine with the three different parameter sets, but there is no need to change PolicyDefinition from a global parameter to a parameter that's in each of the three parameter sets (that is what is implied by being a global parameter).

[cormacpayne]

@luanshixia the name of this parameter set is misleading - Name and Scope (and PolicyDefinition based on its implementation) parameters are globally required parameters, so you are always going to need to provide a value for them, meaning you'll never have a parameter set that is "parameterless"

[luanshixia]

@cormacpayne No, "parameter" here refers to the policy parameters, not the cmdlet parameters.. This is similar to what is done for template parameters in NewAzureRmResourceGroupDeployment.

[cormacpayne]

@luanshixia why do you need to add dynamic parameters to this cmdlet? We try to avoid using them as much as possible since they cannot be picked up by our StaticAnalysis tooling and don't allow us to easily check any public interface changes

[luanshixia]

@cormacpayne Because we want to allow users to specify the policy parameters through cmdlet parameters, so we have to dynamically parse the policy definition and extract a list of defined parameters. That is from the requirements. In the future, we also want to add IntelliSense for the dynamic parameters, just like what we did for template deployment.

[cormacpayne]

@luanshixia please move "```yaml" to a new line since it is causing errors with the displayed markdown

[cormacpayne]

@luanshixia same comment

[cormacpayne]

@luanshixia same comment

[cormacpayne]

@vivsriaus can you approve the review you have started? You commented with LGTM, but it still says you have changes requested.

[cormacpayne]

@luanshixia a couple of more comments after talking with @markcowl

[cormacpayne]

@luanshixia can you leverage typeString to include a switch case for types you would want to define (e.g., int, bool, etc.)? It seems like a bad idea to have the default type of non-arrays as string

[luanshixia]

@cormacpayne Per Policy doc, "the type of a parameter can be either string or array".

[cormacpayne]

@luanshixia what kind of scenario would lend users to use the ValueFromPipelineByPropertyName for these dynamic parameters?

[luanshixia]

@cormacpayne Similarly, the user can put dynamic parameters in an object (say $param) and say: $param | New-AzureRmPolicyAssignment

[cormacpayne]

@luanshixia this is not good help for users, it's just repeating the parameter name

[cormacpayne]

@luanshixia the dynamic parameters will need to be in the Parameterless parameter set, or else users will be able to use them with the provided hashtable or json, which will defeat the purpose of having the dynamic parameters

[luanshixia]

@cormacpayne Good catch.

[cormacpayne]

@luanshixia how will users use this ValueFromPipelineByPropertyName attribute for this parameter? Will there be an object they can pass through the pipeline to this cmdlet that contains the PolicyDefinition property? Will it also include the below parameters you are trying to add since they also have the ValueFromPipelineByPropertyName attribute as well?

[luanshixia]

@cormacpayne I checked the existing code and found pipeline usage is supported across all Resources cmdlets. So the user can do like: @{"PolicyDefinition": @{...} ...} | New-AzureRmPolicyAssignment

[cormacpayne]

On-demand: http://azuresdkci.cloudapp.net/view/1-AzurePowerShell/job/powershell-demand/1397/

[cormacpayne]

LGTM once on-demand passes