[confcom] Add a --with-containers flag to policy and fragment gen

[DomAyre]

Why

We currently have a custom input json format to describe containers to be permitted in a policy. This can be used by acipolicygen and acifragmentgen.

This json is basically the same as the final container definition in the policy except it's arbitrarily different, e.g. "env_rules" vs "environmentVariables".

Therefore it would make more sense to just be able to supply the container definition directly. In future PRs we will provide tools to generate these from inputs such as arm_templates.

How

• Add new flag --with-containers to acipolicygen and acifragmentgen
• Define a schema for the container definition in the final policy
• When flag is set, put the container definition given into the final serialised policy (filling out default values where missing)

---

This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

General Guidelines

• Have you run azdev style <YOUR_EXT> locally? (pip install azdev required)
• Have you run python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
• My extension version conforms to the Extension version schema

[azure-client-tools-bot-prd]

⚠️Azure CLI Extensions Breaking Change Test

⚠️confcom

rule	cmd_name	rule_message	suggest_message
⚠️ 1006 - ParaAdd	confcom acifragmentgen	cmd confcom acifragmentgen added parameter container_definitions
⚠️ 1006 - ParaAdd	confcom acipolicygen	cmd confcom acipolicygen added parameter container_definitions

[azure-client-tools-bot-prd]

Hi @DomAyre,
Please write the description of changes which can be perceived by customers into HISTORY.rst.
If you want to release a new extension version, please update the version in setup.py as well.

[yonzhan]

Thank you for your contribution! We will review the pull request and get back to you soon.

[github-actions]

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

[github-actions]

• For more info about extension versioning, please refer to Extension version schema

[Copilot]

Pull Request Overview

This PR adds support for specifying container definitions directly via a new --with-containers parameter, enabling policy generation without requiring ARM templates, YAML files, or image names as input sources.

Key changes:

• Introduces dataclass-based policy structure definitions in a new lib/policy.py module
• Extends policy generation commands to accept container definitions as JSON strings
• Updates source validation logic to recognize container definitions as a valid input type

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
lib/policy.py	New module defining dataclass structures for Container, Policy, Fragment, and related configuration objects
security_policy.py	Adds container_definitions parameter and serializes them into the policy output
custom.py	Updates acipolicygen_confcom and acifragmentgen_confcom to handle container_definitions input
_validators.py	Extends source validation to include container_definitions as a valid input option
_params.py	Adds --with-containers argument definition to both acipolicygen and acifragmentgen commands
.gitignore	Excludes the lib/ directory from being ignored

[azclibot]

[Release] Update index.json for extension [ confcom ] : https://dev.azure.com/msazure/One/_build/results?buildId=143411526&view=results