
Commit 986e437

policy restriction fix attempt
1 parent a0610ec commit 986e437

5 files changed

Lines changed: 24 additions & 18 deletions


.squad/agents/apimexpert/history.md

Lines changed: 4 additions & 15 deletions
Original file line number | Diff line number | Diff line change
@@ -99,22 +99,11 @@ the SDK surface, reference docs, or ad-hoc observation.
9999

100100
**Research output:** `.squad/decisions.md` entry (merged from inbox), full analysis in `specs/sku-upgrade.md`
101101

102-
### 2026-05-19: `policyRestrictions``scope` is a path, not an enum
102+
### 2026-05-19: `policyRestrictions``scope` is the full ARM resource ID of a policy document
103103

104-
**Resource:** `Microsoft.ApiManagement/service/policyRestrictions` (api-version `2025-09-01-preview`).
104+
`Microsoft.ApiManagement/service/policyRestrictions`: `scope` is the ARM resource ID of an existing policy document (e.g. `${apim.id}/policies/policy`, or the equivalent for an api/operation/product policy). Enum-like values (`'All'`, `'Tenant'`, etc.) and relative paths (`'/policies/policy'`) compile but fail at deploy with `"The specified scope is not supported for policy restriction."`
105105

106-
`scope` is a **path to a policy document**, not a free-form enum. `'All'` compiles in Bicep but deployment fails with:
106+
Inferred from the sibling `SubscriptionContractProperties.scope` in the same definitions file (description says `"Scope like /products/{productId}"` but real examples use full ARM IDs, e.g. `/subscriptions/{sub}/.../service/{name}/products/{id}`). All Microsoft policy-restriction examples use the placeholder string `"Sample Path to the policy document."`, so this is the best inference; verify by deployment. Classic Developer/Premium SKU only.
107107

108-
> ValidationError: "The specified scope is not supported for policy restriction."
109-
110-
Valid values: `Tenant`, `Workspace/{id}`, `Product/{id}`, `Api/{id}`, `Operation/{apiId}/{opId}`.
111-
112-
**SKU:** classic `Developer`/`Premium` only — not `StandardV2`/`PremiumV2`. Guard with `isClassicSku`.
113-
114-
**Refs:**
115-
- ARM template: <https://learn.microsoft.com/azure/templates/microsoft.apimanagement/service/policyrestrictions>
116-
- REST API: <https://learn.microsoft.com/rest/api/apimanagement/policy-restriction>
117-
- Source specs: <https://github.com/Azure/azure-rest-api-specs/tree/main/specification/apimanagement/resource-manager/Microsoft.ApiManagement>
118-
119-
**Fix:** `tests/integration/all-resource-types/source-apim.bicep`: `scope: 'All'``scope: 'Tenant'`.
108+
- <https://learn.microsoft.com/rest/api/apimanagement/policy-restriction>
120109
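Review bot: the new heading at 102+ states the ARM-resource-ID form of `scope` as settled fact, while the body at 106+ says it is an inference from the sibling `SubscriptionContractProperties.scope` and from Microsoft's placeholder `"Sample Path to the policy document."`, to be verified by deployment. Mark the heading tentative or add the deployment result to the same entry once known, so a later reader does not mistake an unconfirmed fix attempt for a confirmed one. The old entry's guard advice (`Guard with isClassicSku`, old 112) was dropped without a replacement even though the new text still says classic Developer/Premium only; keep that one line, since it is the actionable half of the SKU note. The ARM template and source-specs references (old 115 and 117) were also removed while the REST link stayed; the source-specs link is the one that lets someone re-check the inference, so it is worth keeping.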

.squad/agents/securityexpert/history.md

Lines changed: 5 additions & 1 deletion
@@ -19,4 +19,8 @@
1919

2020
## Learnings
2121

22-
- When using PowerShell transcript/trace logging, always pass `-UseMinimalHeader` to `Start-Transcript` to prevent machine/host environment details from being written to logs.
22+
- `Start-Transcript -UseMinimalHeader` keeps machine/host details out of logs.
23+
- **ARM async-operation URLs** (`Azure-AsyncOperation` / `Location`) include `t/c/s/h` query params that act as short-lived bearer credentials. Regex-mask them. <https://learn.microsoft.com/azure/azure-resource-manager/management/async-operations>
24+
- **`x-ms-routing-request-id`** carries `REGION:UTC:GUID` — mask the whole value, not just the GUID. <https://learn.microsoft.com/azure/azure-resource-manager/management/request-limits-and-throttling>
25+
- **PowerShell `Start-Transcript` double-emits native stderr** when paired with `2>&1 | Write-Host`. Either regex-mask in `Protect-LogLine` (so both copies get masked) or redirect the child's stderr to a pipe via `System.Diagnostics.Process` so the transcript never sees the raw line. Both layers together = defense in depth.
26+
- **Do not mask all GUIDs.** Azure built-in role-definition IDs and ARM template hashes are public constants useful for debugging. Anchor secret regex to the path segment, header name, or query-parameter context that makes the value sensitive.
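Review bot: the async-operation bullet at 23+ says to regex-mask the `t/c/s/h` query parameters but records no pattern, while the bullet at 26+ requires secret regexes to be anchored to the header name, path segment or query-parameter context that makes the value sensitive. Record the anchor actually used in `Protect-LogLine` here (for example, matching those parameter names only inside an `Azure-AsyncOperation:` or `Location:` header value, and whether the whole URL or only the parameter values are replaced) so the two bullets agree and the learning is reproducible. Same for the `x-ms-routing-request-id` bullet at 24+: "mask the whole value" is clear, but a note on how the line is matched (header name as anchor) would make it consistent with 26+.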

.squad/agents/testengineer/history.md

Lines changed: 13 additions & 0 deletions
@@ -160,3 +160,16 @@
160160
- History updated with dual-mode package consumption patterns
161161

162162
<!-- Append new learnings here after each session -->
163+
164+
### 2026-05-19: MaskingHelpers — capture child stderr directly
165+
166+
Rewrote [tests/integration/all-resource-types/MaskingHelpers.psm1](tests/integration/all-resource-types/MaskingHelpers.psm1) around `System.Diagnostics.Process` with `RedirectStandardOutput/Error = $true` so the child's raw bytes bypass PowerShell's ErrorRecord promotion and never reach the parent transcript. Per-stream `Start-ThreadJob` readers drain into `ConcurrentQueue[string]`s; main runspace polls every 100 ms and emits through `Protect-LogLine`.
167+
168+
Breaking signature: helpers now take `-Arguments [string[]]` instead of `-Command [scriptblock]`. All four call sites updated.
169+
170+
Gotchas for future PowerShell work:
171+
172+
- `Register-ObjectEvent` Action handlers do not drain reliably while the main runspace is in `Start-Sleep`. Use `Start-ThreadJob` (PS 7+) to bypass the engine event pump.
173+
- `$x = if ($cond) { [List[T]]::new() }` assigns `$null` — PowerShell enumerates the empty list. Use `$x = $null; if ($cond) { $x = ... }`.
174+
- `ProcessStartInfo.StandardOutputEncoding/StandardErrorEncoding` default to OEM on Windows; force UTF-8 or `az --debug` output mangles.
175+
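Review bot: the link `[tests/integration/all-resource-types/MaskingHelpers.psm1](tests/integration/all-resource-types/MaskingHelpers.psm1)` at 166+ is relative to `.squad/agents/testengineer/history.md`, so it resolves to `.squad/agents/testengineer/tests/...` and is broken; make it repository-root relative. Separately, this commit changes five files and none of them is `MaskingHelpers.psm1` or one of the "four call sites" the entry at 168+ says were updated, so the entry documents a rewrite that is not in this commit; either move the entry to the commit that made the change or reference that commit here so the history stays traceable to the code.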

tests/integration/all-resource-types/expected-structure.json

Lines changed: 1 addition & 1 deletion
@@ -292,7 +292,7 @@
292292
"files": ["policyRestrictionInformation.json"],
293293
"spotChecks": {
294294
"policyRestrictionInformation.json": {
295-
"properties.scope": "All",
295+
"properties.scope": "exists",
296296
"properties.requireBase": "true"
297297
}
298298
}
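Review bot: `"properties.scope": "exists"` at 295+ is ambiguous. The sibling check `"properties.requireBase": "true"` is a literal value match, so unless the harness treats `exists` as a keyword this spot check will compare the deployed resource ID against the string `exists` and fail. Confirm the spot-check schema supports an existence operator; if it does not, assert on something stable that the bicep change guarantees, such as the `/policies/policy` suffix of `servicePolicy.id`, which would also catch a regression back to an enum-like value.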

tests/integration/all-resource-types/source-apim.bicep

Lines changed: 1 addition & 1 deletion
@@ -667,7 +667,7 @@ resource policyRestriction 'Microsoft.ApiManagement/service/policyRestrictions@2
667667
parent: apim
668668
name: 'src-restriction-ip'
669669
properties: {
670-
scope: 'Tenant'
670+
scope: servicePolicy.id
671671
requireBase: 'true'
672672
}
673673
}
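Review bot: `scope: servicePolicy.id` at 670+ relies on `servicePolicy` being the `Microsoft.ApiManagement/service/policies` child of `apim` named `policy`, which is not visible in this hunk; a one-line comment on the property saying the API wants the policy document's ARM resource ID, not an enum such as `'Tenant'`, would save the next reader a trip to the agent history. The visible lines also show no SKU guard on this resource, while the apimexpert entry in this commit says `policyRestrictions` is classic Developer/Premium only; confirm the resource declaration (cut off at the `@@` header) is conditional on the classic SKU. Since the commit message calls this a fix attempt and the history entry says verify by deployment, please record the deployment outcome before this is treated as the fix.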
