test(azure_policy): add end-to-end policy test cases #699
anakrish merged 1 commit into microsoft:main from
Pull request overview
Adds additional Azure Policy end-to-end YAML test cases (derived from real built-in/custom policies) to expand coverage across resource types, operators, template functions, and effect behaviors.
Changes:
- Add many new `tests/azure_policy/cases/e2e_*.yaml` scenarios covering Modify/Deny/Audit/AINE/DINE effects.
- Introduce new cases exercising complex `count`/`where`, wildcard paths, dynamic tag fields, and `requestContext()`/`subscription()`/`resourceGroup()` template functions.
- Add more cross-resource (`host_await`) existenceCondition-driven tests for AINE/DINE policies.
Reviewed changes
Copilot reviewed 50 out of 50 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| tests/azure_policy/cases/e2e_vnet_ddos_modify.yaml | E2E case for VNet DDoS “Modify” policy behavior and operations. |
| tests/azure_policy/cases/e2e_vm_skus_allowed.yaml | E2E case for VM SKU allowlist deny policy (in + not). |
| tests/azure_policy/cases/e2e_vm_replication_dine.yaml | E2E DINE case using tags, empty(), and host_await existence checks. |
| tests/azure_policy/cases/e2e_vm_managed_disk.yaml | E2E audit case for unmanaged VM/VMSS disk patterns. |
| tests/azure_policy/cases/e2e_tags_inherit_modify.yaml | E2E modify case for inheriting tags from resource group. |
| tests/azure_policy/cases/e2e_tags_append.yaml | E2E append case for missing tag detection and append details. |
| tests/azure_policy/cases/e2e_stream_analytics_audit.yaml | E2E audit case for Stream Analytics trusted endpoints policy patterns. |
| tests/azure_policy/cases/e2e_storage_vnet_rules.yaml | E2E audit/deny effect parameterization for Storage network ACL checks. |
| tests/azure_policy/cases/e2e_storage_public_blob_modify.yaml | E2E modify case gated by requestContext API version and field existence. |
| tests/azure_policy/cases/e2e_storage_ip_allowlist_custom.yaml | Custom policy E2E for IP allowlisting using count + where + notIn. |
| tests/azure_policy/cases/e2e_storage_ip_allowlist.yaml | Custom policy E2E for IP allowlisting and default parameter handling. |
| tests/azure_policy/cases/e2e_storage_bypass_modify.yaml | E2E modify case for Storage network ACL bypass hardening. |
| tests/azure_policy/cases/e2e_sql_server_auditing.yaml | E2E AINE case for SQL auditing settings existenceCondition evaluation. |
| tests/azure_policy/cases/e2e_sql_audit_actions_aine.yaml | E2E AINE case for SQL audit action-groups with wildcard array logic. |
| tests/azure_policy/cases/e2e_signalr_public_network_modify.yaml | E2E modify case for SignalR public network access disablement. |
| tests/azure_policy/cases/e2e_shared_dashboard_deny.yaml | E2E deny/audit case for Portal dashboard inline markdown content checks. |
| tests/azure_policy/cases/e2e_servicebus_diagnostic_logs.yaml | E2E AINE case for diagnostic settings retention/count-with-where + padLeft. |
| tests/azure_policy/cases/e2e_portal_dashboard_deny.yaml | E2E deny/audit case variant for Portal dashboard inline markdown logic. |
| tests/azure_policy/cases/e2e_pg_audit_aine.yaml | E2E AINE case for PostgreSQL flexible server pgaudit configuration. |
| tests/azure_policy/cases/e2e_nsg_ssh_access.yaml | E2E audit case for NSG SSH exposure (port parsing + template expressions). |
| tests/azure_policy/cases/e2e_nsg_rdp_access.yaml | E2E audit case for NSG RDP exposure (port parsing + template expressions). |
| tests/azure_policy/cases/e2e_nic_public_ip_deny.yaml | E2E deny case for NIC public IP presence using double-negation. |
| tests/azure_policy/cases/e2e_monitoring_dine_existence.yaml | Targeted DINE existenceCondition stress case (nested counts and templates). |
| tests/azure_policy/cases/e2e_managed_disk_encryption_sets.yaml | E2E deny/audit case for allowed disk encryption set enforcement. |
| tests/azure_policy/cases/e2e_keyvault_firewall_enabled.yaml | E2E case for Key Vault firewall enforcement with nested counts/current(). |
| tests/azure_policy/cases/e2e_functionapp_https_modify.yaml | E2E modify case for Function App HTTPS-only policy with apiVersion gating. |
| tests/azure_policy/cases/e2e_fic_github_issuer.yaml | E2E case for GitHub federated identity credential issuer/subject parsing. |
| tests/azure_policy/cases/e2e_fic_aks_issuer.yaml | E2E case for AKS federated identity credential issuer validation. |
| tests/azure_policy/cases/e2e_double_encryption.yaml | E2E audit/deny case for disk encryption sets requiring double encryption. |
| tests/azure_policy/cases/e2e_datafactory_linked_secrets.yaml | Large anyOf audit case for detecting inline secrets in ADF linked services. |
| tests/azure_policy/cases/e2e_custom_owner_role.yaml | E2E audit case for detecting custom “Owner-like” RBAC roles. |
| tests/azure_policy/cases/e2e_cosmos_private_modify.yaml | E2E modify case for Cosmos public network access disablement. |
| tests/azure_policy/cases/e2e_cosmos_max_throughput.yaml | E2E deny/audit case for Cosmos throughput caps and autoscale detection. |
| tests/azure_policy/cases/e2e_cosmos_locations_deny.yaml | E2E deny case for allowed Cosmos locations via normalized comparisons. |
| tests/azure_policy/cases/e2e_cosmos_firewall_audit.yaml | E2E deny/audit case for Cosmos firewall/network rule presence checks. |
| tests/azure_policy/cases/e2e_container_diagnostics_append.yaml | E2E append case for container group Log Analytics diagnostics settings. |
| tests/azure_policy/cases/e2e_asc_internet_traffic_firewall.yaml | E2E AINE case for Azure Firewall existenceCondition with nested counts. |
| tests/azure_policy/cases/e2e_approved_vnet_audit.yaml | E2E audit case for NIC attachment to approved VNet via wildcard paths. |
| tests/azure_policy/cases/e2e_approved_subnets_deny.yaml | E2E deny case for NIC attachment to approved subnets with iterator counts. |
| tests/azure_policy/cases/e2e_aks_zone_redundant.yaml | E2E audit/deny case for AKS zone redundancy via nested counts. |
| tests/azure_policy/cases/e2e_activitylog_capture_all_regions.yaml | E2E AINE case for subscription activity log profile regions coverage. |
50 end-to-end test cases derived from real Azure built-in policies. Each file contains a complete policy definition, sample resources, and expected evaluation results. Coverage spans storage, networking, compute, security, monitoring, database, identity, governance, and update management scenarios.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Anand Krishnamoorthi <anakrish@microsoft.com>
Copilot reviewed 50 out of 50 changed files in this pull request and generated 1 comment.
Copilot reviewed 50 out of 50 changed files in this pull request and generated no new comments.
50 end-to-end test cases derived from real Azure built-in policies. Each file contains a complete policy definition, sample resources, and expected evaluation results.
Coverage spans storage, networking, compute, security, monitoring, database, identity, governance, and update management scenarios.
Part 2 of 3 — split from #695 to enable Copilot review. Depends on #698.