Conversation

@DomAyre
Contributor

@DomAyre DomAyre commented Nov 14, 2025

Why

Being able to generate security policies will make it easy to deploy confidential radius applications.

How

The general approach can be summed up with:

  • Add command to generate container policy definitions from radius bicep templates
  • Add a flag to the existing tooling to include container definitions (which we will get from the previous step)

Here's a more detailed breakdown:

  • Add a new flag to acipolicygen --with-containers which lets the user specify partial rego container definitions which will be added to the final policy
    • Add library code for serialising and deserialising rego policy into a dataclass representation
    • Update acipolicygen code to generate an empty policy if only --with-containers is specified
  • Add the same --with-container flag to acifragmentgen
  • Add a new command az confcom containers from_radius my_radius.bicep which outputs a partial container definition based on the information in the radius template (by partial I mean differences from a base default container)
    • Add library code for parsing both bicep and json into a single deployment representation
    • Ensure all properties that can be specified in a radius template are emitted in the policy container definition
      • Container image layers and env rules
      • Env variables defined in template
      • Connections to wild carded env variable
  • Add command to insert the ccePolicy that was generated into the radius definition
  • Fix issue with --parameters since we edit the bicep file to avoid errors

Usage

To try this out, you can first try generating the partial container policy definition from a radius.bicep:

az confcom containers from_radius radius.bicep

Then you can try generating a full policy:

az confcom acipolicygen \
    --with-containers "$(az confcom containers from_radius radius.bicep)" \
    --outraw

You can also generate a fragment in the same way:

az confcom acifragmentgen \
    --namespace myfragment \
    --svn "1" \
    --with-containers "$(az confcom containers from_radius radius.bicep)" \
    --outraw

Once you have your policy, you can programmatically insert it into your radius template with:

az confcom radius policy insert my_policy.rego -f my_deployment.bicep

This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

General Guidelines

  • Have you run azdev style <YOUR_EXT> locally? (pip install azdev required)
  • Have you run python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
  • My extension version conforms to the Extension version schema
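As an added example (not code from this PR or from the confcom extension), here is one way to model the step described above where template env variables become policy env rules: fixed values get an exact-match rule, while values that come from a Radius connection are only known at deploy time and are wildcarded. The `env_rules` entry shape (`pattern`/`strategy`/`required`) follows what confcom-generated policies contain; the template snippet and the `connections.` placeholder convention are constructed assumptions.

```python
"""Build a partial container definition (image + env_rules) from a Radius-like
container spec. Added example, not the PR's code; the env_rules schema is
assumed from confcom policies, and the sample template is constructed."""
import json
import re
from dataclasses import dataclass, field, asdict


@dataclass
class PartialContainer:
    """Only the fields the template decides; everything else comes from the base container."""
    image: str
    env_rules: list = field(default_factory=list)


def env_rules_from_template(env: dict, connection_keys: set) -> list:
    """Exact-match rules for fixed values, re2 wildcard rules for connection-derived ones."""
    rules = []
    for name, value in sorted(env.items()):
        if name in connection_keys:
            # Value is injected at deploy time: allow any value, but pin the variable name.
            rules.append({"pattern": f"{re.escape(name)}=.*", "strategy": "re2", "required": False})
        else:
            rules.append({"pattern": f"{name}={value}", "strategy": "string", "required": False})
    return rules


def partial_from_template(container: dict) -> PartialContainer:
    """Assumption: values starting with 'connections.' reference a Radius connection."""
    env = dict(container.get("env", {}))
    connection_keys = {k for k, v in env.items() if str(v).startswith("connections.")}
    return PartialContainer(image=container["image"],
                            env_rules=env_rules_from_template(env, connection_keys))


def wildcarded_names(partial: PartialContainer) -> list:
    """Names whose values the policy will not pin; worth listing for review, since each widens the policy."""
    return [r["pattern"].split("=", 1)[0] for r in partial.env_rules if r["strategy"] == "re2"]


def render(partials: list) -> str:
    return json.dumps([asdict(p) for p in partials], indent=2)


# Constructed sample resembling the container section of a Radius template.
SAMPLE = {"image": "ghcr.io/example/api:1.0",
          "env": {"LOG_LEVEL": "info", "DB_HOST": "connections.db.host"}}

if __name__ == "__main__":
    partial = partial_from_template(SAMPLE)
    print(render([partial]))
    print("wildcarded:", wildcarded_names(partial))
```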

@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Nov 14, 2025

⚠️ Azure CLI Extensions Breaking Change Test
⚠️ confcom

rule: ⚠️ 1015 - SubgroupPropUpdate
cmd_name: confcom
rule_message: sub group confcom updated property sub_groups from {} to {'confcom containers': {'name': 'confcom containers', 'commands': {'confcom containers from_radius': {'name': 'confcom containers from_radius', 'is_aaz': False, 'parameters': [{'name': 'template', 'options': [], 'type': 'string', 'required': True}, {'name': 'parameters', 'options': ['--parameters', '-p'], 'nargs': '+', 'has_completer': True}, {'name': 'container_index', 'options': ['--idx'], 'type': 'int'}, {'name': 'platform', 'options': ['--platform'], 'type': 'string', 'default': 'aci'}]}}, 'sub_groups': {}}, 'confcom radius': {'name': 'confcom radius', 'commands': {}, 'sub_groups': {'confcom radius policy': {'name': 'confcom radius policy', 'commands': {'confcom radius policy insert': {'name': 'confcom radius policy insert', 'is_aaz': False, 'parameters': [{'name': 'policy_file', 'options': [], 'type': 'custom_type', 'required': True, 'nargs': '?', 'default': "<_io.BufferedReader name='<stdin>'>"}, {'name': 'template_path', 'options': ['--template-file', '-f']}, {'name': 'container_index', 'options': ['--idx'], 'type': 'int'}]}}, 'sub_groups': {}}}}}
suggest_message:

@azure-client-tools-bot-prd

Hi @DomAyre,
Please write the description of changes which can be perceived by customers into HISTORY.rst.
If you want to release a new extension version, please update the version in setup.py as well.

@yonzhan
Collaborator

yonzhan commented Nov 14, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@DomAyre DomAyre changed the title [confcom] Add containers from_radius and radius policy insert commands [confcom] Add commands to support radius policy generation Nov 14, 2025
@yonzhan yonzhan requested a review from kairu-ms November 14, 2025 11:23
@yonzhan yonzhan requested a review from jsntcy November 14, 2025 11:23
@github-actions

Hi @DomAyre

Release Suggestions

Module: confcom

  • Please log updates into src/confcom/HISTORY.rst
  • Update VERSION to 1.5.0 in src/confcom/setup.py

Notes
