diff --git a/assets/policyAssignment.go b/assets/policyAssignment.go index 211707b..bdabe16 100644 --- a/assets/policyAssignment.go +++ b/assets/policyAssignment.go @@ -186,6 +186,35 @@ func ValidatePolicyAssignment(pa *PolicyAssignment) error { pa.Properties.Overrides = make([]*armpolicy.Override, 0) } + if pa.Properties.NonComplianceMessages == nil { + pa.Properties.NonComplianceMessages = make([]*armpolicy.NonComplianceMessage, 0) + } + + var defaultNonComplianceMessageCount int + + for _, msg := range pa.Properties.NonComplianceMessages { + if msg == nil { + return fmt.Errorf( + "ValidatePolicyAssignment: policy assignment %s has a nil non-compliance message entry", + *pa.Name, + ) + } + + if msg.PolicyDefinitionReferenceID == nil || *msg.PolicyDefinitionReferenceID == "" { + defaultNonComplianceMessageCount++ + if defaultNonComplianceMessageCount > 1 { + break + } + } + } + + if defaultNonComplianceMessageCount > 1 { + return fmt.Errorf( + "ValidatePolicyAssignment: policy assignment %s has more than 1 default non-compliance messages, only 1 is allowed", + *pa.Name, + ) + } + if pa.Properties.Parameters == nil { pa.Properties.Parameters = make(map[string]*armpolicy.ParameterValuesValue) } diff --git a/assets/policyAssignment_test.go b/assets/policyAssignment_test.go index 83088ab..a9d89f2 100644 --- a/assets/policyAssignment_test.go +++ b/assets/policyAssignment_test.go @@ -218,6 +218,78 @@ func TestValidatePolicyAssignment(t *testing.T) { }, expectedErr: "property 'properties.description' length must be between 1 and 512, but is 0", }, + { + name: "Single default non-compliance message", + assignment: armpolicy.Assignment{ + Name: to.Ptr("validName"), + Properties: &armpolicy.AssignmentProperties{ + PolicyDefinitionID: to.Ptr( + "/subscriptions/123/resourceGroups/rg1/providers/Microsoft.Authorization/policyDefinitions/pd1", + ), + DisplayName: to.Ptr("Valid Display Name"), + Description: to.Ptr("Valid Description"), + NonComplianceMessages: []*armpolicy.NonComplianceMessage{ + {Message: to.Ptr("default message")}, + {Message: to.Ptr("ref message"), PolicyDefinitionReferenceID: to.Ptr("ref1")}, + }, + }, + }, + expectedErr: "", + }, + { + name: "Multiple default non-compliance messages", + assignment: armpolicy.Assignment{ + Name: to.Ptr("validName"), + Properties: &armpolicy.AssignmentProperties{ + PolicyDefinitionID: to.Ptr( + "/subscriptions/123/resourceGroups/rg1/providers/Microsoft.Authorization/policyDefinitions/pd1", + ), + DisplayName: to.Ptr("Valid Display Name"), + Description: to.Ptr("Valid Description"), + NonComplianceMessages: []*armpolicy.NonComplianceMessage{ + {Message: to.Ptr("default message 1")}, + {Message: to.Ptr("default message 2")}, + }, + }, + }, + expectedErr: "has more than 1 default non-compliance messages, only 1 is allowed", + }, + { + name: "Multiple default non-compliance messages with empty reference ID", + assignment: armpolicy.Assignment{ + Name: to.Ptr("validName"), + Properties: &armpolicy.AssignmentProperties{ + PolicyDefinitionID: to.Ptr( + "/subscriptions/123/resourceGroups/rg1/providers/Microsoft.Authorization/policyDefinitions/pd1", + ), + DisplayName: to.Ptr("Valid Display Name"), + Description: to.Ptr("Valid Description"), + NonComplianceMessages: []*armpolicy.NonComplianceMessage{ + {Message: to.Ptr("default message 1")}, + {Message: to.Ptr("default message 2"), PolicyDefinitionReferenceID: to.Ptr("")}, + }, + }, + }, + expectedErr: "has more than 1 default non-compliance messages, only 1 is allowed", + }, + { + name: "Nil element in non-compliance messages slice", + assignment: armpolicy.Assignment{ + Name: to.Ptr("validName"), + Properties: &armpolicy.AssignmentProperties{ + PolicyDefinitionID: to.Ptr( + "/subscriptions/123/resourceGroups/rg1/providers/Microsoft.Authorization/policyDefinitions/pd1", + ), + DisplayName: to.Ptr("Valid Display Name"), + Description: to.Ptr("Valid Description"), + NonComplianceMessages: []*armpolicy.NonComplianceMessage{ + nil, + {Message: to.Ptr("ref message"), PolicyDefinitionReferenceID: to.Ptr("ref1")}, + }, + }, + }, + expectedErr: "has a nil non-compliance message entry", + }, } for _, tt := range tests {