Merge pull request #107 from eitrtechnologies/fix-builtin-policies

Fix handling of builtin policies
eitrtechnologies · Jun 16, 2020 · 5da2f87 · 5da2f87
2 parents 6ed90a8 + 52afdee
commit 5da2f87
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 39 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.3.2] - 2020-06-16
+
+### Added
+
+### Changed
+
+### Fixed
+
+- [#106](https://github.com/eitrtechnologies/idem-azurerm/pull/106) - Fix assignment of built-in policy definitions.
+
+### Deprecated
+
+### Removed
+
 ## [2.3.1] - 2020-06-16
 
 ### Added
@@ -151,6 +165,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Initial release of execution and state modules from Salt along with some additional functionality ported from
   salt-cloud for virtual machines.
 
+[2.3.2]: https://github.com/eitrtechnologies/idem-azurerm/compare/v2.3.1...v2.3.2
 [2.3.1]: https://github.com/eitrtechnologies/idem-azurerm/compare/v2.3.0...v2.3.1
 [2.3.0]: https://github.com/eitrtechnologies/idem-azurerm/compare/v2.2.0...v2.3.0
 [2.2.0]: https://github.com/eitrtechnologies/idem-azurerm/compare/v2.1.0...v2.2.0

diff --git a/docs/conf.py b/docs/conf.py
@@ -22,7 +22,7 @@
 copyright = "2020, EITR Technologies, LLC"  # pylint: disable=redefined-builtin
 author = "EITR Technologies, LLC"
 version = "2.3"
-release = "2.3.1"
+release = "2.3.2"
 
 # -- General configuration ---------------------------------------------------
 

diff --git a/idem_azurerm/exec/azurerm/resource/policy.py b/idem_azurerm/exec/azurerm/resource/policy.py
@@ -4,6 +4,8 @@
 
 .. versionadded:: 1.0.0
 
+.. versionchanged:: 2.3.2
+
 :maintainer: <[email protected]>
 :configuration: This module requires Azure Resource Manager credentials to be passed as keyword arguments
     to every function or via acct in order to work properly.
@@ -35,6 +37,7 @@
 # Python libs
 from __future__ import absolute_import
 from json import loads, dumps
+from uuid import UUID
 import logging
 
 # Azure libs
@@ -88,6 +91,8 @@ async def assignment_create(hub, ctx, name, scope, definition_name, **kwargs):
     """
     .. versionadded:: 1.0.0
 
+    .. versionchanged:: 2.3.2
+
     Create a policy assignment.
 
     :param name: The name of the policy assignment to create.
@@ -106,29 +111,9 @@ async def assignment_create(hub, ctx, name, scope, definition_name, **kwargs):
     """
     polconn = await hub.exec.azurerm.utils.get_client(ctx, "policy", **kwargs)
 
-    # "get" doesn't work for built-in policies per https://github.com/Azure/azure-cli/issues/692
-    # Uncomment this section when the ticket above is resolved.
-    #  BEGIN
-    # definition = definition_get(
-    #     name=definition_name,
-    #     **kwargs
-    # )
-    #  END
-
-    # Delete this section when the ticket above is resolved.
-    #  BEGIN
-    definition_list = await hub.exec.azurerm.resource.policy.definitions_list(
-        ctx=ctx, **kwargs
+    definition = await hub.exec.azurerm.resource.policy.definition_get(
+        ctx=ctx, name=definition_name, **kwargs
     )
-    if definition_name in definition_list:
-        definition = definition_list[definition_name]
-    else:
-        definition = {
-            "error": 'The policy definition named "{0}" could not be found.'.format(
-                definition_name
-            )
-        }
-    #  END
 
     if "error" not in definition:
         definition_id = str(definition["id"])
@@ -350,14 +335,18 @@ async def definition_delete(hub, ctx, name, **kwargs):
     return result
 
 
-async def definition_get(hub, ctx, name, **kwargs):
+async def definition_get(hub, ctx, name, policy_type=None, **kwargs):
     """
     .. versionadded:: 1.0.0
 
+    .. versionchanged:: 2.3.2
+
     Get details about a specific policy definition.
 
     :param name: The name of the policy definition to query.
 
+    :param policy_type: Set to "BuiltIn" to get a built-in policy definition.
+
     CLI Example:
 
     .. code-block:: bash
@@ -366,8 +355,21 @@ async def definition_get(hub, ctx, name, **kwargs):
 
     """
     polconn = await hub.exec.azurerm.utils.get_client(ctx, "policy", **kwargs)
+
     try:
-        policy_def = polconn.policy_definitions.get(policy_definition_name=name)
+        if not policy_type:
+            UUID(name, version=4)
+            policy_type = "BuiltIn"
+    except ValueError:
+        pass
+
+    try:
+        if policy_type and policy_type.lower() == "builtin":
+            policy_def = polconn.policy_definitions.get_built_in(
+                policy_definition_name=name
+            )
+        else:
+            policy_def = polconn.policy_definitions.get(policy_definition_name=name)
         result = policy_def.as_dict()
     except CloudError as exc:
         await hub.exec.azurerm.utils.log_cloud_error("resource", str(exc), **kwargs)

diff --git a/idem_azurerm/states/azurerm/resource/policy.py b/idem_azurerm/states/azurerm/resource/policy.py
@@ -4,7 +4,7 @@
 
 .. versionadded:: 1.0.0
 
-.. versionchanged:: 2.0.0
+.. versionchanged:: 2.3.2, 2.0.0
 
 :maintainer: <[email protected]>
 :configuration: This module requires Azure Resource Manager credentials to be passed via acct. Note that the
@@ -417,14 +417,15 @@ async def assignment_present(
     definition_name,
     display_name=None,
     description=None,
-    assignment_type=None,
     parameters=None,
     connection_auth=None,
     **kwargs,
 ):
     """
     .. versionadded:: 1.0.0
 
+    .. versionchanged:: 2.3.2
+
     Ensure a security policy assignment exists.
 
     :param name:
@@ -442,9 +443,6 @@ async def assignment_present(
     :param description:
         The policy assignment description.
 
-    :param assignment_type:
-        The type of policy assignment.
-
     :param parameters:
         Required dictionary if a parameter is used in the policy rule.
 
@@ -484,12 +482,6 @@ async def assignment_present(
 
     if "error" not in policy:
         action = "update"
-        if (
-            assignment_type
-            and assignment_type.lower() != policy.get("type", "").lower()
-        ):
-            ret["changes"]["type"] = {"old": policy.get("type"), "new": assignment_type}
-
         if scope.lower() != policy["scope"].lower():
             ret["changes"]["scope"] = {"old": policy["scope"], "new": scope}
 
@@ -530,7 +522,6 @@ async def assignment_present(
                 "name": name,
                 "scope": scope,
                 "definition_name": definition_name,
-                "type": assignment_type,
                 "display_name": display_name,
                 "description": description,
                 "parameters": parameters,
@@ -552,7 +543,6 @@ async def assignment_present(
         name=name,
         scope=scope,
         definition_name=definition_name,
-        type=assignment_type,
         display_name=display_name,
         description=description,
         parameters=parameters,

diff --git a/idem_azurerm/version.py b/idem_azurerm/version.py
@@ -1 +1 @@
-version = "2.3.1"
+version = "2.3.2"