Merge pull request #43 from salesforce/refactor/single-iam-data-defin…

…ition-file Terraform includes Policy IDs instead of Display Names
salesforce · Mar 23, 2021 · b4c5a84 · b4c5a84
2 parents b18d40d + 07756aa
commit b4c5a84
Show file tree

Hide file tree

Showing 28 changed files with 149,581 additions and 2,938 deletions.
diff --git a/azure_guardrails/bin/version.py b/azure_guardrails/bin/version.py
@@ -1 +1 @@
-__version__ = "0.1.5"
+__version__ = "0.1.9"
diff --git a/azure_guardrails/command/describe_policy.py b/azure_guardrails/command/describe_policy.py
@@ -7,8 +7,7 @@
 import click
 from azure_guardrails import set_log_level
 from click_option_group import optgroup, RequiredMutuallyExclusiveOptionGroup
-from azure_guardrails.shared import utils, validate
-from azure_guardrails.guardrails.services import Services
+from azure_guardrails.shared.iam_definition import AzurePolicies
 from azure_guardrails.shared.config import get_empty_config
 logger = logging.getLogger(__name__)
 
@@ -41,12 +40,12 @@
 )
 def describe_policy(display_name: str, policy_id: str, verbosity: bool):
     set_log_level(verbosity)
-
-    services = Services(config=get_empty_config())
+    azure_policies = AzurePolicies(config=get_empty_config())
+    # services = Services(config=get_empty_config())
     if policy_id:
-        policy_definition = services.get_policy_definition_by_id(policy_id=policy_id)
+        policy_definition = azure_policies.get_policy_definition(policy_id=policy_id)
     else:
-        policy_definition = services.get_policy_definition(display_name=display_name)
+        policy_definition = azure_policies.get_policy_definition_by_display_name(display_name=display_name)
     results_json = policy_definition.json()
     results_json.pop("id", None)
     results_str = ruamel.yaml.dump(results_json, Dumper=ruamel.yaml.RoundTripDumper)

diff --git a/azure_guardrails/command/generate_terraform.py b/azure_guardrails/command/generate_terraform.py
@@ -7,9 +7,9 @@
 from click_option_group import optgroup, RequiredMutuallyExclusiveOptionGroup
 from azure_guardrails import set_log_level
 from azure_guardrails.terraform.terraform import TerraformTemplateNoParams, TerraformTemplateWithParams
+from azure_guardrails.shared.iam_definition import AzurePolicies
 from azure_guardrails.shared import utils, validate
 from azure_guardrails.shared.config import get_default_config, get_config_from_file
-from azure_guardrails.guardrails.services import Services
 
 logger = logging.getLogger(__name__)
 
@@ -153,29 +153,32 @@ def generate_terraform(
         parameter_requirement_str = "params-optional"
 
     if service == "all":
-        services = Services(config=config)
+        azure_policies = AzurePolicies(service_names=["all"], config=config)
     else:
-        services = Services(service_names=[service], config=config)
+        azure_policies = AzurePolicies(service_names=[service], config=config)
 
     if no_params:
-        display_names = services.get_display_names_sorted_by_service_no_params()
+        audit_only = False
+        policy_id_pairs = azure_policies.get_all_policy_ids_sorted_by_service(
+            no_params=True, params_optional=params_optional, params_required=params_required,
+            audit_only=audit_only)
         terraform_template = TerraformTemplateNoParams(
-            policy_names=display_names,
+            policy_id_pairs=policy_id_pairs,
             subscription_name=subscription,
             management_group=management_group,
             enforcement_mode=enforcement_mode,
         )
     else:
-        display_names = services.get_display_names_sorted_by_service_with_params(
-            params_required=params_required
-        )
-
+        audit_only = False
+        policy_id_pairs = azure_policies.get_all_policy_ids_sorted_by_service(
+            no_params=no_params, params_optional=params_optional, params_required=params_required,
+            audit_only=audit_only)
         terraform_template = TerraformTemplateWithParams(
-            parameter_requirement_str=parameter_requirement_str,
-            parameters=display_names,
+            policy_id_pairs=policy_id_pairs,
             subscription_name=subscription,
             management_group=management_group,
             enforcement_mode=enforcement_mode,
+            parameter_requirement_str=parameter_requirement_str,
         )
     result = terraform_template.rendered()
     print(result)
@@ -184,7 +187,7 @@ def generate_terraform(
 
         def markdown_summary(file_prefix: str) -> str:
             # Write Markdown summary
-            markdown_table = services.markdown_table(no_params=no_params, params_optional=params_optional, params_required=params_required)
+            markdown_table = azure_policies.markdown_table(no_params=no_params, params_optional=params_optional, params_required=params_required)
             markdown_file_name = f"{file_prefix}.md"
             if os.path.exists(markdown_file_name):
                 if verbosity >= 1:
@@ -204,4 +207,4 @@ def markdown_summary(file_prefix: str) -> str:
 
         # Write CSV summary
         csv_file = f"{parameter_requirement_str}.csv"
-        services.csv_summary(csv_file, verbosity=verbosity, no_params=no_params, params_optional=params_optional, params_required=params_required)
+        azure_policies.csv_summary(csv_file, verbosity=verbosity, no_params=no_params, params_optional=params_optional, params_required=params_required)
diff --git a/azure_guardrails/command/list_policies.py b/azure_guardrails/command/list_policies.py
@@ -8,7 +8,7 @@
 import click
 from click_option_group import optgroup, RequiredMutuallyExclusiveOptionGroup
 from azure_guardrails import set_log_level
-from azure_guardrails.guardrails.services import Services
+from azure_guardrails.shared.iam_definition import AzurePolicies
 from azure_guardrails.shared import utils, validate
 
 logger = logging.getLogger(__name__)
@@ -130,13 +130,19 @@ def get_display_names_sorted_by_service(
         params_required: bool,
 ) -> dict:
     if service == "all":
-        services = Services()
+        azure_policies = AzurePolicies()
     else:
-        services = Services(service_names=[service])
+        azure_policies = AzurePolicies(service_names=[service])
     if all_policies:
-        display_names = services.get_all_display_names_sorted_by_service(no_params=True, params_optional=True, params_required=True, audit_only=audit_only)
+        display_names = azure_policies.get_all_display_names_sorted_by_service(no_params=True, params_optional=True, params_required=True, audit_only=audit_only)
     else:
-        display_names = services.get_all_display_names_sorted_by_service(no_params=no_params, params_optional=params_optional, params_required=params_required, audit_only=audit_only)
+        display_names = azure_policies.get_all_display_names_sorted_by_service(no_params=no_params, params_optional=params_optional, params_required=params_required, audit_only=audit_only)
+    if service != "all":
+        if display_names.get(service, None):
+            trimmed_display_names = {service: display_names[service].copy()}
+            display_names = trimmed_display_names.copy()
+        else:
+            display_names = {service: {}}
     return display_names
 
 
@@ -175,7 +181,7 @@ def print_policies_in_stdout(
         params_required: bool,
         verbosity: int,
 ):
-    # TODO: Figure out if I should just print all of the policies as a list or if they should be indented. If indented, uncomment the commented lines below.
+
     display_names = get_display_names_sorted_by_service(
         service=service,
         audit_only=audit_only,

diff --git a/azure_guardrails/guardrails/builtin_definitions.py b/azure_guardrails/guardrails/builtin_definitions.py
@@ -0,0 +1,65 @@
+import os
+import json
+import copy
+from azure_guardrails.shared import utils
+from azure_guardrails.guardrails.policy_definition import PolicyDefinition
+default_service_names = utils.get_service_names()
+default_service_names.sort()
+
+
+def get_service_policy_files(service_policy_directory: str) -> list:
+    policy_files = [
+        f
+        for f in os.listdir(service_policy_directory)
+        if os.path.isfile(os.path.join(service_policy_directory, f))
+    ]
+    policy_files.sort()
+    return policy_files
+
+
+def create_azure_builtin_definition() -> dict:
+    results = {
+        "service_definitions": {},
+        "policy_definitions": {}
+    }
+    for service_name in default_service_names:
+        # Get paths for all the policy files for that service
+        service_policy_directory = os.path.join(
+            utils.AZURE_POLICY_SERVICE_DIRECTORY, service_name
+        )
+        policy_files = get_service_policy_files(service_policy_directory)
+        # Add the service to the service definitions
+        results["service_definitions"][service_name] = {}
+
+        for policy_file_name in policy_files:
+            policy_content = utils.read_json_file(str(os.path.join(service_policy_directory, policy_file_name)))
+            policy_definition = PolicyDefinition(
+                policy_content=policy_content, service_name=service_name, file_name=str(policy_file_name)
+            )
+            # Look up by unique ID, like "051cba44-2429-45b9-9649-46cec11c7119"
+            short_id = policy_definition.name
+
+            # Add to service_definitions
+            service_definition_entry = dict(
+                display_name=policy_definition.display_name,
+                short_id=short_id,
+                service_name=policy_definition.service_name,
+                description=policy_definition.properties.description,
+                github_link=policy_definition.github_link,
+                file_name=policy_file_name,
+                allowed_effects=policy_definition.allowed_effects,
+                no_params=policy_definition.no_params,
+                params_optional=policy_definition.params_optional,
+                params_required=policy_definition.params_required,
+                is_deprecated=policy_definition.is_deprecated,
+                audit_only=policy_definition.audit_only,
+                modifies_resources=policy_definition.modifies_resources,
+                parameter_names=policy_definition.parameter_names,
+            )
+            results["service_definitions"][service_name][short_id] = service_definition_entry
+
+            # Add to policy_definitions
+            policy_definition_entry = copy.deepcopy(service_definition_entry)
+            policy_definition_entry["policy_content"] = policy_content
+            results["policy_definitions"][short_id] = policy_definition_entry
+    return results
diff --git a/azure_guardrails/guardrails/policy_definition.py b/azure_guardrails/guardrails/policy_definition.py
@@ -18,6 +18,7 @@ def __init__(self, policy_content: dict, service_name: str, file_name: str = Non
 
         self.id = policy_content.get("id")
         self.name = policy_content.get("name")
+        self.short_id = policy_content.get("name")
         self.file_name = file_name
         self.github_link = utils.get_github_link(service_name=service_name, file_name=file_name)
         self.category = (

diff --git a/azure_guardrails/shared/config.py b/azure_guardrails/shared/config.py
@@ -195,7 +195,7 @@ def get_default_config(exclude_services: list = None, match_only_keywords: list
         cfg_exclude_keywords.extend(exclude_keywords)
     config = Config(
         exclude_policies=exclude_policies,
-        exclude_services=exclude_services,
+        exclude_services=cfg_exclude_services,
         match_only_keywords=cfg_match_only_keywords,
         exclude_keywords=cfg_exclude_keywords,
     )