Update Microsoft.PolicyInsights module (#16832)

* Update Microsoft.PolicyInsights module

- New version (1.5.0) of the Microsoft.PolicyInsights module
- Update .NET SDK version
- Update Policy States and Policy Events commands to use the new paged API
- Update remediation commands to include new properties + improved paging behavior
- Generated help, added examples
- Move cancellation token implementation to base class so it can be used in multiple places
- Fixed excessive polling of jobs due to test mode always being "playback"

* Updated Microsoft.PolicyInsights tests

- Created a script for setting up the test environment from scratch
- Common.ps1 is used for defining the names of the test resources and it used by both the env setup and the tests.
- Updated policy states and policy events tests, add paging tests
- Updated remediation tests to test new properties + paging improvements
- Fixed indentation

* Add test recordings

* Fix cancellation issue

Cancellation source was disposed at the beginning, causing the cmdlets to
ignore it when the user press ctrl+C

* Updated ChangeLog.md

* Changed 'ParallelDeployments' param to 'ParallelDeploymentCount'

Regenerated help and re-recorded tests.

* Update EnvironmentSetupHelper.cs

* Update RMTestBase.cs

* Update RMTestBase.cs

* Update ChangeLog.md

Co-authored-by: Yunchi Wang <[email protected]>

Author: eladperets

src/PolicyInsights/PolicyInsights.Test/EnvSetup/CreateNSGsTemplate.json

@@ -0,0 +1,30 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "resourceCount": {
+      "type": "int"
+    },
+    "resourceNamePrefix": {
+      "type": "string"
+    }
+  },
+  "variables": {
+    "locations": [ "westus", "eastus", "northcentralus", "southcentralus", "centralus", "eastus2", "westcentralus", "westus2", "westus3" ]
+  },
+  "resources": [
+    {
+      "type": "Microsoft.Network/networkSecurityGroups",
+      "apiVersion": "2020-11-01",
+      "name": "[format('{0}{1}', parameters('resourceNamePrefix'), copyIndex('nsgCopy'))]",
+      "location": "[variables('locations')[mod(copyIndex('nsgCopy'), length(variables('locations')))]]",
+      "properties": {},
+      "copy": {
+        "name": "nsgCopy",
+        "count": "[parameters('resourceCount')]",
+        "mode": "Serial",
+        "batchSize":  4
+      }
+    }
+  ]
+}

src/PolicyInsights/PolicyInsights.Test/EnvSetup/CreateRemediationsTemplate.json

@@ -0,0 +1,28 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "remediationCount": {
+      "type": "int"
+    },
+    "assignmentId": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.PolicyInsights/Remediations",
+      "apiVersion": "2021-10-01",
+      "name": "[format('testRemediation{0}', copyIndex('remediationCopy'))]",
+      "properties": {
+        "policyAssignmentId": "[parameters('assignmentId')]",
+        "resourceCount": 1
+      },
+      "copy": {
+        "name": "remediationCopy",
+        "count": "[parameters('remediationCount')]",
+        "mode": "Serial"
+      }
+    }
+  ]
+}

src/PolicyInsights/PolicyInsights.Test/EnvSetup/EnvironmentSetup.ps1

@@ -0,0 +1,93 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+# This script will set up the necessary resources and policies to record the policy insights tests.
+# This makes things a lot easier, since the tests require specific policies to be present in various scopes
+# as well as large number of non-compliant resources in order to test things like paging.
+# Both the tests and this script use the resource details defined in the common.ps1 script.
+# Before running env setup, make sure you have access to the MG and Subscription defined in common.ps1 (or change them to MG\subscription you do have acess to)
+. "..\ScenarioTests\Common.ps1"
+
+# Note: Once the script is finished, wait for full compliance results before running the tests.
+$subscriptionId = $(Get-TestSubscriptionId)
+$managementGroupId = $(Get-TestManagementGroupName)
+$emptyResourceGroupName = $(Get-EmptyTestResourceGroupName)
+$resourceGroup1 = $(Get-FirstTestResourceGroupName)
+$resourceGroup2 = $(Get-SecondTestResourceGroupName)
+
+# Connect
+Connect-AzAccount -DeviceCode
+Set-AzContext -SubscriptionId $subscriptionId
+
+#Create an empty RG
+Get-AzResourceGroup -Name $emptyResourceGroupName -ErrorVariable rgNotPresent -ErrorAction SilentlyContinue
+if ($rgNotPresent) {
+   New-AzResourceGroup -Name $emptyResourceGroupName -Location "eastus"
+}
+
+# Create 2 RGs
+foreach ($resourceGroupName in @($resourceGroup1, $resourceGroup2)) {
+   Get-AzResourceGroup -Name $resourceGroupName -ErrorVariable rgNotPresent -ErrorAction SilentlyContinue
+   if ($rgNotPresent) {
+      New-AzResourceGroup -Name $resourceGroupName -Location "northcentralus"
+   }
+}
+
+# Create DINE and modify definitions (MG-level)
+$deployIfNotExistsPolicyDefinition = New-AzPolicyDefinition -Name $(Get-TestDINEPolicyDefinitionName) -Policy "$PSScriptRoot/NSG_DINE_neverCompliant_policyDefinition.json" -DisplayName "PS cmdlet tests: never compliant DINE policy" -Mode Indexed -ManagementGroupName $managementGroupId
+$modifyPolicyDefinition = New-AzPolicyDefinition -Name $(Get-TestModifyPolicyDefinitionName) -Policy "$PSScriptRoot/NSG_modify_neverCompliant_policyDefinition.json" -DisplayName "PS cmdlet tests: never compliant modify policy" -Mode Indexed -ManagementGroupName $managementGroupId
+
+# Assign the DINE policy in both MG and subscription level
+$mgDINEAssignment = New-AzPolicyAssignment -Name $(Get-TestManagementGroupDINEAssignmentName) -Scope "/providers/microsoft.management/managementgroups/$managementGroupId" -DisplayName "PS cmdlet tests: never compliant DINE policy (MG)" -PolicyDefinition $deployIfNotExistsPolicyDefinition -AssignIdentity -Location "westus2"
+$subDINEAssignment = New-AzPolicyAssignment -Name $(Get-TestSubscriptionDINEAssignmentName) -Scope "/subscriptions/$subscriptionId" -DisplayName "PS cmdlet tests: never compliant DINE policy (Sub)" -PolicyDefinition $deployIfNotExistsPolicyDefinition -AssignIdentity -Location "westus2"
+
+# Assign the modify policy to the subscription
+$subModifyAssignment = New-AzPolicyAssignment -Name $(Get-TestSubscriptionModifyAssignmentName) -Scope "/subscriptions/$subscriptionId" -DisplayName "PS cmdlet tests: never compliant modify policy" -PolicyDefinition $modifyPolicyDefinition -AssignIdentity -Location "westus2"
+
+# Give the assignments permissions to perform remediations
+Start-Sleep -Seconds 60
+New-AzRoleAssignment -Scope "/providers/microsoft.management/managementgroups/$managementGroupId" -ObjectId $mgDINEAssignment.Identity.principalId -RoleDefinitionName "Key Vault Contributor"
+New-AzRoleAssignment -Scope "/subscriptions/$subscriptionId" -ObjectId $subDINEAssignment.Identity.principalId -RoleDefinitionName "Key Vault Contributor"
+New-AzRoleAssignment -Scope "/subscriptions/$subscriptionId" -ObjectId $subModifyAssignment.Identity.principalId -RoleDefinitionName "Tag Contributor"
+
+# Trigger 101 modify remediations with different names (don't care about the outcome, just want to have 101 remediation entities we can query)
+New-AzResourceGroupDeployment -ResourceGroupName $resourceGroup1 -TemplateFile "$PSScriptRoot/CreateRemediationsTemplate.json" -remediationCount 101 -assignmentId $subModifyAssignment.ResourceId
+
+# Create a subscription-level audit policy definition
+$partiallyCompliantAuditPolicyDefinition = New-AzPolicyDefinition -Name $(Get-TestAuditPolicyDefinitionName) -Policy "$PSScriptRoot/NSG_audit_partiallyCompliant_policyDefinition.json" -DisplayName "PS cmdlet tests: partially compliant audit policy" -Mode Indexed -SubscriptionId $subscriptionId
+
+# Assign the audit policy to subscription and RG levels
+New-AzPolicyAssignment -Name $(Get-TestSubscriptionAuditAssignmentName) -Scope "/subscriptions/$subscriptionId" -DisplayName "PS cmdlet tests: partially compliant audit policy (Sub)" -PolicyDefinition $partiallyCompliantAuditPolicyDefinition
+New-AzPolicyAssignment -Name $(Get-TestResourceGroupAuditAssignmentName) -Scope "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup1" -DisplayName "PS cmdlet tests: partially compliant audit policy (RG)" -PolicyDefinition $partiallyCompliantAuditPolicyDefinition
+
+# Create an initiative for the audit policy
+$policyDefinitions = @"
+[
+   {
+      "policyDefinitionId": "$($partiallyCompliantAuditPolicyDefinition.ResourceId)"
+   }
+]
+"@
+
+$policySetDefinition = New-AzPolicySetDefinition -Name $(Get-TestPolicySetDefinitionName) -DisplayName "PS cmdlet tests: test initiative" -PolicyDefinition $policyDefinitions -SubscriptionId $subscriptionId
+
+# Assign the initiative to the subscription
+New-AzPolicyAssignment -Name $(Get-TestSubscriptionAuditInitiativeAssignmentName) -Scope "/subscriptions/$subscriptionId" -DisplayName "PS cmdlet tests: initiative with audit policy (Sub)" -PolicySetDefinition $policySetDefinition
+
+Start-Sleep -Seconds 60
+
+# In each RG, create 510 NSGs (will take a while)
+foreach ($resourceGroupName in @($resourceGroup1, $resourceGroup2)) {
+   New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateFile "$PSScriptRoot/CreateNSGsTemplate.json" -resourceCount 510 -resourceNamePrefix $(Get-TestResourceNamePrefix)
+}

src/PolicyInsights/PolicyInsights.Test/EnvSetup/emptyDeployment_KeyVault_policyDefinition.json renamed to src/PolicyInsights/PolicyInsights.Test/EnvSetup/NSG_DINE_neverCompliant_policyDefinition.json

@@ -1,7 +1,15 @@
 {
   "if": {
-    "field": "type",
-    "equals": "Microsoft.KeyVault/vaults"
+    "allOf": [
+      {
+        "field": "type",
+        "equals": "Microsoft.Network/networkSecurityGroups"
+      },
+      {
+        "field": "name",
+        "like": "pstests*"
+      }
+    ]
   },
   "then": {
     "effect": "deployIfNotExists",
@@ -29,4 +37,4 @@
       }
     }
   }
-}
+}

src/PolicyInsights/PolicyInsights.Test/EnvSetup/NSG_audit_partiallyCompliant_policyDefinition.json

@@ -0,0 +1,17 @@
+{
+  "if": {
+    "allOf": [
+      {
+        "field": "type",
+        "equals": "Microsoft.Network/networkSecurityGroups"
+      },
+      {
+        "field": "name",
+        "like": "pstests1*"
+      }
+    ]
+  },
+  "then": {
+    "effect": "audit"
+  }
+}

src/PolicyInsights/PolicyInsights.Test/EnvSetup/NSG_modify_neverCompliant_policyDefinition.json

@@ -0,0 +1,29 @@
+{
+  "if": {
+    "allOf": [
+      {
+        "field": "type",
+        "equals": "Microsoft.Network/networkSecurityGroups"
+      },
+      {
+        "field": "name",
+        "like": "pstests*"
+      }
+    ]
+  },
+  "then": {
+    "effect": "modify",
+    "details": {
+      "roleDefinitionIds": [
+        "/providers/microsoft.authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f"
+      ],
+      "operations": [
+        {
+          "operation": "addOrReplace",
+          "field": "tags.pstests",
+          "value": "testValue"
+        }
+      ]
+    }
+  }
+}

src/PolicyInsights/PolicyInsights.Test/EnvSetup/RemediationSetup.ps1

@@ -11,7 +11,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Azure.Management.PolicyInsights" Version="3.1.0" />
+    <PackageReference Include="Microsoft.Azure.Management.PolicyInsights" Version="5.0.0" />
   </ItemGroup>
 
 </Project>