tessl/pypi-azure-mgmt-policyinsights
Microsoft Azure Policy Insights Client Library for Python providing comprehensive Azure Policy services management.
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
policy-restrictions.mddocs/
Policy Restrictions Operations
Overview
Policy Restrictions operations enable checking what policy restrictions would apply to resource operations before attempting to perform them, providing proactive compliance validation across different Azure scopes.
Core Functionality
Restriction Check Operations
check_at_subscription_scope
def check_at_subscription_scope(
subscription_id: str,
parameters: CheckRestrictionsRequest,
**kwargs
) -> CheckRestrictionsResult{ .api }
Check policy restrictions at subscription scope.
Parameters:
subscription_id: Azure subscription IDparameters: CheckRestrictionsRequest with resource details
Returns: CheckRestrictionsResult with restriction information
check_at_resource_group_scope
def check_at_resource_group_scope(
subscription_id: str,
resource_group_name: str,
parameters: CheckRestrictionsRequest,
**kwargs
) -> CheckRestrictionsResult{ .api }
Check policy restrictions at resource group scope.
Parameters:
subscription_id: Azure subscription IDresource_group_name: Resource group nameparameters: CheckRestrictionsRequest with resource details
Returns: CheckRestrictionsResult with restriction information
check_at_management_group_scope
def check_at_management_group_scope(
management_group_id: str,
parameters: CheckRestrictionsRequest,
**kwargs
) -> CheckRestrictionsResult{ .api }
Check policy restrictions at management group scope.
Parameters:
management_group_id: Management group IDparameters: CheckRestrictionsRequest with resource details
Returns: CheckRestrictionsResult with restriction information
Related Types
CheckRestrictionsRequest
class CheckRestrictionsRequest:
resource_details: CheckRestrictionsResourceDetails
pending_fields: Optional[List[PendingField]]{ .api }
CheckRestrictionsResourceDetails
class CheckRestrictionsResourceDetails:
resource_content: Dict[str, Any]
api_version: Optional[str]
scope: Optional[str]{ .api }
CheckRestrictionsResult
class CheckRestrictionsResult:
field_restrictions: Optional[List[FieldRestrictions]]
content_evaluation_result: Optional[CheckRestrictionsResultContentEvaluationResult]{ .api }
FieldRestrictions
class FieldRestrictions:
field: Optional[str]
restrictions: Optional[List[FieldRestriction]]{ .api }
FieldRestriction
class FieldRestriction:
result: Optional[Union[str, FieldRestrictionResult]]
default_value: Optional[str]
values: Optional[List[str]]
policy: Optional[PolicyReference]{ .api }
PendingField
class PendingField:
field: str
values: Optional[List[str]]{ .api }
CheckRestrictionsResultContentEvaluationResult
class CheckRestrictionsResultContentEvaluationResult:
policy_evaluations: Optional[List[PolicyEvaluationResult]]{ .api }
PolicyEvaluationResult
class PolicyEvaluationResult:
policy_info: Optional[PolicyReference]
evaluation_result: Optional[str]
evaluation_details: Optional[PolicyEvaluationDetails]{ .api }
PolicyReference
class PolicyReference:
policy_definition_id: Optional[str]
policy_set_definition_id: Optional[str]
policy_definition_reference_id: Optional[str]
policy_assignment_id: Optional[str]{ .api }
FieldRestrictionResult Enum
class FieldRestrictionResult(str, Enum):
REQUIRED = "Required"
REMOVED = "Removed"
DENY = "Deny"{ .api }
Usage Examples
Check Storage Account Creation Restrictions
from azure.mgmt.policyinsights.models import (
CheckRestrictionsRequest,
CheckRestrictionsResourceDetails
)
# Check what restrictions apply to creating a storage account
resource_content = {
"type": "Microsoft.Storage/storageAccounts",
"location": "eastus",
"sku": {
"name": "Standard_LRS"
},
"kind": "StorageV2",
"properties": {
"supportsHttpsTrafficOnly": False, # This might be restricted
"minimumTlsVersion": "TLS1_0" # This might be restricted
}
}
request = CheckRestrictionsRequest(
resource_details=CheckRestrictionsResourceDetails(
resource_content=resource_content,
api_version="2021-04-01"
)
)
restrictions = client.policy_restrictions.check_at_subscription_scope(
subscription_id=subscription_id,
parameters=request
)
# Analyze field restrictions
if restrictions.field_restrictions:
print("Policy restrictions found:")
for field_restriction in restrictions.field_restrictions:
print(f"\nField: {field_restriction.field}")
for restriction in field_restriction.restrictions:
print(f" - Result: {restriction.result}")
if restriction.values:
print(f" Allowed values: {restriction.values}")
if restriction.default_value:
print(f" Default value: {restriction.default_value}")
if restriction.policy:
print(f" Policy: {restriction.policy.policy_definition_id}")
else:
print("No field restrictions apply to this resource")Validate VM Configuration
# Check restrictions for VM creation with specific configuration
vm_config = {
"type": "Microsoft.Compute/virtualMachines",
"location": "westus2",
"properties": {
"hardwareProfile": {
"vmSize": "Standard_D4s_v3" # Check if this size is allowed
},
"osProfile": {
"computerName": "myVM",
"adminUsername": "azureuser"
},
"storageProfile": {
"imageReference": {
"publisher": "Canonical",
"offer": "UbuntuServer",
"sku": "18.04-LTS",
"version": "latest"
},
"osDisk": {
"createOption": "FromImage",
"managedDisk": {
"storageAccountType": "Premium_LRS"
}
}
}
}
}
request = CheckRestrictionsRequest(
resource_details=CheckRestrictionsResourceDetails(
resource_content=vm_config,
api_version="2021-07-01"
)
)
restrictions = client.policy_restrictions.check_at_resource_group_scope(
subscription_id=subscription_id,
resource_group_name="production-rg",
parameters=request
)
# Check for any restrictions
if restrictions.field_restrictions:
print("VM configuration restrictions:")
for field_restriction in restrictions.field_restrictions:
field_name = field_restriction.field
print(f"\n{field_name}:")
for restriction in field_restriction.restrictions:
if restriction.result == "Deny":
print(f" ❌ DENIED - This value is not allowed")
elif restriction.result == "Required":
print(f" ⚠️ REQUIRED - This field must be specified")
if restriction.values:
print(f" Allowed values: {', '.join(restriction.values)}")
elif restriction.result == "Removed":
print(f" 🔄 MODIFIED - This field will be removed/modified")
if restriction.default_value:
print(f" Will be set to: {restriction.default_value}")Batch Check Multiple Resources
# Check restrictions for multiple resource types
resource_configs = [
{
"name": "Storage Account",
"config": {
"type": "Microsoft.Storage/storageAccounts",
"location": "eastus",
"sku": {"name": "Standard_LRS"},
"properties": {"supportsHttpsTrafficOnly": True}
}
},
{
"name": "Key Vault",
"config": {
"type": "Microsoft.KeyVault/vaults",
"location": "eastus",
"properties": {
"enableSoftDelete": False, # Might be restricted
"publicNetworkAccess": "Enabled"
}
}
}
]
for resource_info in resource_configs:
print(f"\nChecking restrictions for {resource_info['name']}:")
request = CheckRestrictionsRequest(
resource_details=CheckRestrictionsResourceDetails(
resource_content=resource_info['config'],
api_version="2021-04-01"
)
)
restrictions = client.policy_restrictions.check_at_subscription_scope(
subscription_id=subscription_id,
parameters=request
)
if restrictions.field_restrictions:
for field_restriction in restrictions.field_restrictions:
print(f" Field '{field_restriction.field}' has restrictions")
else:
print(f" ✅ No restrictions")Check with Pending Fields
from azure.mgmt.policyinsights.models import PendingField
# Check restrictions while specifying potential values for certain fields
pending_fields = [
PendingField(
field="location",
values=["eastus", "westus2", "centralus"] # Consider these locations
),
PendingField(
field="properties.supportsHttpsTrafficOnly",
values=["true", "false"] # Consider both options
)
]
request = CheckRestrictionsRequest(
resource_details=CheckRestrictionsResourceDetails(
resource_content={
"type": "Microsoft.Storage/storageAccounts",
"sku": {"name": "Standard_LRS"}
},
api_version="2021-04-01"
),
pending_fields=pending_fields
)
restrictions = client.policy_restrictions.check_at_subscription_scope(
subscription_id=subscription_id,
parameters=request
)
print("Restrictions considering pending field values:")
if restrictions.field_restrictions:
for field_restriction in restrictions.field_restrictions:
print(f"\nField: {field_restriction.field}")
for restriction in field_restriction.restrictions:
print(f" Result: {restriction.result}")
if restriction.values:
allowed_values = [v for v in restriction.values]
print(f" Allowed from pending values: {allowed_values}")Validate Against Management Group Policies
# Check restrictions at management group level (inherits all policies)
request = CheckRestrictionsRequest(
resource_details=CheckRestrictionsResourceDetails(
resource_content={
"type": "Microsoft.Compute/virtualMachines",
"location": "eastus",
"properties": {
"hardwareProfile": {"vmSize": "Standard_B1s"}
}
},
api_version="2021-07-01"
)
)
restrictions = client.policy_restrictions.check_at_management_group_scope(
management_group_id="my-management-group",
parameters=request
)
# Check content evaluation results
if restrictions.content_evaluation_result:
eval_result = restrictions.content_evaluation_result
if eval_result.policy_evaluations:
print("Policy evaluations:")
for evaluation in eval_result.policy_evaluations:
print(f" Policy: {evaluation.policy_info.policy_definition_id}")
print(f" Result: {evaluation.evaluation_result}")
if evaluation.evaluation_details:
details = evaluation.evaluation_details
print(f" Details: {details}")
print(f"\nField restrictions: {len(restrictions.field_restrictions or [])}")Install with Tessl CLI
npx tessl i tessl/pypi-azure-mgmt-policyinsights