Merged
1,131 changes: 1,131 additions & 0 deletions tests/azure_policy/cases/aliases.yaml

Large diffs are not rendered by default.

1,214 changes: 1,214 additions & 0 deletions tests/azure_policy/cases/azure_policies.yaml

Large diffs are not rendered by default.

1,155 changes: 1,155 additions & 0 deletions tests/azure_policy/cases/casing.yaml

Large diffs are not rendered by default.

482 changes: 482 additions & 0 deletions tests/azure_policy/cases/complex_policies.yaml

Large diffs are not rendered by default.

617 changes: 617 additions & 0 deletions tests/azure_policy/cases/count.yaml

Large diffs are not rendered by default.

684 changes: 684 additions & 0 deletions tests/azure_policy/cases/deep_nesting.yaml

Large diffs are not rendered by default.

539 changes: 539 additions & 0 deletions tests/azure_policy/cases/effect_details.yaml

Large diffs are not rendered by default.

428 changes: 428 additions & 0 deletions tests/azure_policy/cases/effects.yaml

Large diffs are not rendered by default.

463 changes: 463 additions & 0 deletions tests/azure_policy/cases/exists.yaml

Large diffs are not rendered by default.

541 changes: 541 additions & 0 deletions tests/azure_policy/cases/expressions.yaml

Large diffs are not rendered by default.

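--- a/tests/azure_policy/cases/field_wildcard_collect.yaml
+++ b/tests/azure_policy/cases/field_wildcard_collect.yaml
@@ -0,0 +1,253 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+# Field Wildcard Collection Test Suite
+# Tests field('path[*]') and field('path[*].prop') as value expressions
+# that return arrays, including missing-array → empty-array handling.
+
+cases:
+# =========================================================================
+# field('path[*]') — collect all elements
+# =========================================================================
+
+- note: field_wildcard_collect_all_elements
+policy_rule: |
+{
+"if": {
+"value": "[length(field('items[*]'))]",
+"equals": 3
+},
+"then": { "effect": "deny" }
+}
+resource:
+items:
+- "a"
+- "b"
+- "c"
+want_effect: "deny"
+
+- note: field_wildcard_collect_all_elements_no_match
+policy_rule: |
+{
+"if": {
+"value": "[length(field('items[*]'))]",
+"equals": 5
+},
+"then": { "effect": "deny" }
+}
+resource:
+items:
+- "a"
+- "b"
+- "c"
+want_undefined: true
+
+# =========================================================================
+# field('path[*].prop') — collect property from each element
+# =========================================================================
+
+- note: field_wildcard_collect_property
+policy_rule: |
+{
+"if": {
+"value": "[first(field('rules[*].action'))]",
+"equals": "Allow"
+},
+"then": { "effect": "deny" }
+}
+resource:
+rules:
+- { "action": "Allow", "priority": 100 }
+- { "action": "Deny", "priority": 200 }
+want_effect: "deny"
+
+- note: field_wildcard_collect_property_length
+policy_rule: |
+{
+"if": {
+"value": "[length(field('securityRules[*].access'))]",
+"equals": 4
+},
+"then": { "effect": "audit" }
+}
+resource:
+securityRules:
+- { "access": "Allow" }
+- { "access": "Deny" }
+- { "access": "Allow" }
+- { "access": "Deny" }
+want_effect: "audit"
+
+# =========================================================================
+# Nested property path after [*]
+# =========================================================================
+
+- note: field_wildcard_nested_property
+policy_rule: |
+{
+"if": {
+"value": "[length(field('rules[*].target.name'))]",
+"greater": 0
+},
+"then": { "effect": "deny" }
+}
+resource:
+rules:
+- target:
+name: "web-app"
+- target:
+name: "api-app"
+want_effect: "deny"
+
+# =========================================================================
+# Dotted prefix before [*]
+# =========================================================================
+
+- note: field_wildcard_dotted_prefix
+policy_rule: |
+{
+"if": {
+"value": "[length(field('properties.ipRules[*].value'))]",
+"equals": 2
+},
+"then": { "effect": "deny" }
+}
+resource:
+properties:
+ipRules:
+- { "value": "10.0.0.0/8" }
+- { "value": "192.168.0.0/16" }
+want_effect: "deny"
+
+# =========================================================================
+# Missing array → empty collection
+# =========================================================================
+
+- note: field_wildcard_missing_array_length_zero
+policy_rule: |
+{
+"if": {
+"value": "[length(field('items[*]'))]",
+"equals": 0
+},
+"then": { "effect": "deny" }
+}
+resource:
+type: "some.type"
+want_effect: "deny"
+
+- note: field_wildcard_missing_array_empty_true
+policy_rule: |
+{
+"if": {
+"value": "[empty(field('properties.ipRules[*]'))]",
+"equals": true
+},
+"then": { "effect": "deny" }
+}
+resource:
+properties:
+enabled: true
+want_effect: "deny"
+
+- note: field_wildcard_missing_nested_prefix
+policy_rule: |
+{
+"if": {
+"value": "[length(field('config.logging.entries[*].level'))]",
+"equals": 0
+},
+"then": { "effect": "deny" }
+}
+resource:
+type: "some.type"
+want_effect: "deny"
+
+# =========================================================================
+# Empty array → empty collection (not missing, but zero elements)
+# =========================================================================
+
+- note: field_wildcard_empty_array
+policy_rule: |
+{
+"if": {
+"value": "[length(field('items[*]'))]",
+"equals": 0
+},
+"then": { "effect": "deny" }
+}
+resource:
+items: []
+want_effect: "deny"
+
+# =========================================================================
+# Doubly-nested wildcards: field('a[*].b[*].c') — flat-map
+# =========================================================================
+
+- note: field_wildcard_doubly_nested
+policy_rule: |
+{
+"if": {
+"value": "[length(field('groups[*].members[*].name'))]",
+"equals": 4
+},
+"then": { "effect": "deny" }
+}
+resource:
+groups:
+- members:
+- { "name": "alice" }
+- { "name": "bob" }
+- members:
+- { "name": "carol" }
+- { "name": "dave" }
+want_effect: "deny"
+
+- note: field_wildcard_doubly_nested_no_suffix
+policy_rule: |
+{
+"if": {
+"value": "[length(field('groups[*].tags[*]'))]",
+"equals": 5
+},
+"then": { "effect": "deny" }
+}
+resource:
+groups:
+- tags: ["a", "b", "c"]
+- tags: ["d", "e"]
+want_effect: "deny"
+
+- note: field_wildcard_doubly_nested_partial_missing
+policy_rule: |
+{
+"if": {
+"value": "[length(field('groups[*].members[*].name'))]",
+"equals": 2
+},
+"then": { "effect": "deny" }
+}
+resource:
+groups:
+- members:
+- { "name": "alice" }
+- { "name": "bob" }
+- other_field: "no members here"
+want_effect: "deny"
+
+# =========================================================================
+# Real-world pattern: field() with [*] used in condition comparisons
+# =========================================================================
+
+- note: field_wildcard_first_equals
+policy_rule: |
+{
+"if": {
+"value": "[first(field('ports[*]'))]",
+"equals": 80
+},
+"then": { "effect": "deny" }
+}
+resource:
+ports: [80, 443, 8080]
+want_effect: "deny"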
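Review bot: The suite pins the missing-array and empty-array results, but no case covers a wildcard path whose value is present and not an array (a scalar, an object or `null` under `items`), nor an element that lacks the projected property (one `rules` entry without `action`). `field_wildcard_doubly_nested_partial_missing` covers only a missing inner array. Because these conditions feed `length`/`empty` comparisons that drive `deny` and `audit`, an unpinned result in those shapes could presumably let a rule silently not fire; adding one case per shape, with the expected effect confirmed against Azure's behaviour, would close that gap. Separately, `field_wildcard_nested_property` asserts only `"greater": 0` for a two-element input, which would still pass if elements were dropped or duplicated; `"equals": 2` would pin the collected length exactly.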