diff --git a/src/confcom/azext_confcom/_help.py b/src/confcom/azext_confcom/_help.py
index 144dbf32ebb..f1f455134e3 100644
--- a/src/confcom/azext_confcom/_help.py
+++ b/src/confcom/azext_confcom/_help.py
@@ -86,8 +86,8 @@
 text: az confcom acipolicygen --template-file "./template.json"
 - name: Input an ARM Template file to create a human-readable Confidential Container Security Policy
 text: az confcom acipolicygen --template-file "./template.json" --outraw-pretty-print
- - name: Input an ARM Template file to save a Confidential Container Security Policy to a file
- text: az confcom acipolicygen --template-file "./template.json" -s "./output-file.txt"
+ - name: Input an ARM Template file to save a Confidential Container Security Policy to a file as base64 encoded text
+ text: az confcom acipolicygen --template-file "./template.json" -s "./output-file.txt" --print-policy
 - name: Input an ARM Template file and use a tar file as the image source instead of the Docker daemon
 text: az confcom acipolicygen --template-file "./template.json" --tar "./image.tar"
 """
diff --git a/src/confcom/azext_confcom/custom.py b/src/confcom/azext_confcom/custom.py
index aa15771846e..3ebdaa42fb6 100644
--- a/src/confcom/azext_confcom/custom.py
+++ b/src/confcom/azext_confcom/custom.py
@@ -53,14 +53,18 @@ def acipolicygen_confcom( "Can only use ARM Template Parameters if ARM Template is also present" ) sys.exit(1) + elif save_to_file and arm_template and not (print_policy_to_terminal or outraw or outraw_pretty_print): + logger.error("Must print policy to terminal when saving to file") + sys.exit(1) if print_existing_policy: - if not arm_template: - logger.error("Can only print existing policy from ARM Template") - sys.exit(1) - else: - print_existing_policy_from_arm_template(arm_template, arm_template_parameters) - sys.exit(0) + print_existing_policy_from_arm_template(arm_template, arm_template_parameters) + sys.exit(0) + + if debug_mode: + logger.warning("WARNING: %s %s", + "Debug mode must only be used for debugging purposes. ", + "It should not be used for production systems.\n") tar_mapping = tar_mapping_validation(tar_mapping_location) @@ -69,13 +73,7 @@ def acipolicygen_confcom( container_group_policies = None # warn user that input infrastructure_svn is less than the configured default value - if infrastructure_svn and parse_version(infrastructure_svn) < parse_version( - DEFAULT_REGO_FRAGMENTS[0]["minimum_svn"] - ): - logger.warning( - "Input Infrastructure Fragment Software Version Number is less than the default Infrastructure SVN: %s", - DEFAULT_REGO_FRAGMENTS[0]["minimum_svn"], - ) + check_infrastructure_svn(infrastructure_svn) # telling the user what operation we're doing logger.warning( 
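Review bot: The added `elif save_to_file and arm_template and not (print_policy_to_terminal or outraw or outraw_pretty_print)` repeats the condition that the hunk at @@ -122 rewrites to the same form, so the validation rule and the dispatch rule can drift apart; computing it once before validation, e.g. `inject_into_template = arm_template and not (print_policy_to_terminal or outraw or outraw_pretty_print)`, and testing `save_to_file and inject_into_template` here and `inject_into_template` there keeps the rule in one place. The new `if debug_mode:` warning passes two constant strings through `%s` placeholders, which only obscures the message; a single literal `logger.warning("Debug mode must only be used for debugging purposes. It should not be used for production systems.")` logs the same text, and the hand-written "WARNING:" prefix duplicates what the log level already conveys. The `if`/`elif` chain this hunk extends, and acipolicygen_confcom itself, begin outside the hunk.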
@@ -122,7 +120,7 @@ def acipolicygen_confcom( exit_code = validate_sidecar_in_policy(policy, output_type == security_policy.OutputType.PRETTY_PRINT) elif diff: exit_code = get_diff_outputs(policy, output_type == security_policy.OutputType.PRETTY_PRINT) - elif arm_template and (not print_policy_to_terminal and not outraw and not outraw_pretty_print): + elif arm_template and not (print_policy_to_terminal or outraw or outraw_pretty_print): result = inject_policy_into_template(arm_template, arm_template_parameters, policy.get_serialized_output(), count) if result: @@ -134,6 +132,12 @@ def acipolicygen_confcom( print(f"{policy.get_serialized_output(output_type)}\n\n") # output to file if save_to_file: + logger.warning( + "%s %s %s", + "(Deprecation Warning) the --save-to-file (-s) flag is deprecated ", + "and will be removed in a future release. ", + "Please print to the console and redirect to a file instead." + ) policy.save_to_file(save_to_file, output_type) sys.exit(exit_code) @@ -145,6 +149,16 @@ def update_confcom(cmd, instance, tags=None): return instance +def check_infrastructure_svn(infrastructure_svn): + if infrastructure_svn and parse_version(infrastructure_svn) < parse_version( + DEFAULT_REGO_FRAGMENTS[0]["minimum_svn"] + ): + logger.warning( + "Input Infrastructure Fragment Software Version Number is less than the default Infrastructure SVN: %s", + DEFAULT_REGO_FRAGMENTS[0]["minimum_svn"], + ) + + def validate_sidecar_in_policy(policy: security_policy.AciPolicy, outraw_pretty_print: bool): is_valid, output = policy.validate_sidecars() diff --git a/src/confcom/azext_confcom/template_util.py b/src/confcom/azext_confcom/template_util.py index 5db3902d7b3..7a76b6f609e 100644 --- a/src/confcom/azext_confcom/template_util.py +++ b/src/confcom/azext_confcom/template_util.py 
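Review bot: The deprecation warning for `--save-to-file` is emitted only inside `if save_to_file:` after the policy has been generated and, when a print flag is set, already printed, so it lands at the very end of the output where it is easy to miss; emitting it during argument validation, next to the new `elif save_to_file ...` check at the top of the function, would surface it before any work is done. Its three constant pieces are passed through `%s` placeholders, which adds nothing over one implicitly concatenated literal such as `logger.warning("(Deprecation Warning) the --save-to-file (-s) flag is deprecated and will be removed in a future release. Please print to the console and redirect to a file instead.")`. The _help.py hunk in this same commit still advertises `-s "./output-file.txt" --print-policy` as the example for saving a policy, which contradicts deprecating the flag; that example could show the redirect the warning itself recommends. acipolicygen_confcom continues outside the hunk.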
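Review bot: `check_infrastructure_svn` is a new module-level function with no docstring, and its name suggests a check with a result while the body only logs a warning and returns nothing; a docstring such as `"""Warn when infrastructure_svn is lower than the default fragment's minimum_svn; no-op when it is unset."""` plus a `-> None` return annotation would make that contract explicit for callers. Since the function never rejects the value, a name like `warn_if_infrastructure_svn_below_default` would describe it more accurately, though that is a matter of taste. The body is byte-identical to the inline code removed at @@ -69, so no behavioral review is needed beyond the documentation.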
@@ -399,7 +399,10 @@ def replace_params_and_vars(params: dict, vars_dict: dict, attribute): full_param_name = next(param_name, None) if full_param_name: full_param_name = full_param_name.group(0) - out = attribute.replace(full_param_name, find_value_in_params_and_vars(params, vars_dict, attribute)) + # cast to string + out = f"{out}" + out = attribute.replace(full_param_name, out) + elif isinstance(attribute, list): out = [] for item in attribute: @@ -791,6 +794,8 @@ def get_container_group_name( def print_existing_policy_from_arm_template(arm_template_path, parameter_data_path): + if not arm_template_path: + eprint("Can only print existing policy from ARM Template") input_arm_json = os_util.load_json_from_file(arm_template_path) parameter_data = None if parameter_data_path:
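Review bot: `out = f"{out}"` casts before the value is known to be a string, so if the lookup that assigned `out` (outside the hunk) yielded None for an undefined parameter, the literal text `None` is spliced into the attribute by the following `attribute.replace(full_param_name, out)` and no error is raised; a guard such as `if out is None:` before the cast, raising or leaving the attribute untouched, avoids silently producing a wrong value. Where a cast is intended, `out = str(out)` states it directly and makes the `# cast to string` comment redundant. The added blank line between this branch and `elif isinstance(attribute, list):` splits one conditional chain and is worth dropping. replace_params_and_vars, including the assignment that initialises `out`, starts outside the hunk.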
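Review bot: The new `if not arm_template_path:` guard has no `return` or `sys.exit` of its own, so unless `eprint` terminates the process the function continues into `os_util.load_json_from_file(arm_template_path)` with a falsy path; the caller in custom.py dropped its own `sys.exit(1)` for this case in the same commit, so the exit now rests entirely on eprint's behavior. If eprint does exit, a comment such as `# eprint exits; nothing below runs for a missing template` on the guard documents the dependency, and if it does not, `sys.exit(1)` should follow the call. print_existing_policy_from_arm_template continues past the end of the hunk.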