
@DomAyre DomAyre (Contributor) commented Sep 30, 2025

Why

We recently discovered that running acipolicygen with an allow_all policy already in the ccePolicy field causes policy generation to break.

This is because of two separate reasons

  • We attempt to parse the ccePolicy even if we don't need to (we only need to if we use --diff)
  • The code which compares policies only looks at container definitions and has a couple of places to error out if it doesn't find any (allow_all doesn't have any)

The two issues are tightly coupled, so I have decided to fix both in one PR.

How

  • Change the load_policy_from_arm_template_str code to only attempt to load the existing policy if diff mode is enabled
  • Remove checks which treat no container definitions as a hard error and instead treat them as an empty list of containers
  • Add new sample ARM templates to test which have existing ccePolicies (both one that matches any newly generated policy, and an allow_all policy)
  • Add new tests which use --diff and assert expected differences

This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

General Guidelines

  • Have you run azdev style <YOUR_EXT> locally? (pip install azdev required)
  • Have you run python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
  • My extension version conforms to the Extension version schema

This is a small change so no version bump is needed
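The two fixes described above, as an added example that is not the confcom extension's own code: a constructed container group ARM template that already carries a base64-encoded ccePolicy, a loader that only decodes that field when diff mode is requested, and a container comparison that treats a policy with no containers rule (the allow_all case) as an empty list instead of an error. The field path properties.confidentialComputeProperties.ccePolicy, every function name, and both Rego snippets are assumptions or constructed stand-ins, not the real generator's output.

```python
"""Added example, not the confcom extension's code: the two fixes described in
the PR against a constructed ARM template.  The field path
properties.confidentialComputeProperties.ccePolicy and all function names
are assumptions; both Rego snippets are constructed stand-ins."""
import base64
import json
import re

CONTAINER_GROUP = "Microsoft.ContainerInstance/containerGroups"

# Constructed allow_all policy: it allows everything and has no containers rule.
ALLOW_ALL_REGO = """package policy
api_version := "0.10.0"
mount_device := {"allowed": true}
create_container := {"allowed": true}
"""

# Constructed policy with one container definition (one rule, one line).
GENERATED_REGO = """package policy
api_version := "0.10.0"
containers := [{"id": "mcr.example/app:1", "command": ["/bin/app"]}]
"""


def encode_policy(rego):
    """ccePolicy is stored base64-encoded inside the template."""
    return base64.b64encode(rego.encode()).decode()


def make_template(existing_policy=None):
    """Build a minimal container group ARM template (constructed)."""
    props = {"containers": [{"name": "app", "properties": {"image": "mcr.example/app:1"}}]}
    if existing_policy is not None:
        props["confidentialComputeProperties"] = {"ccePolicy": encode_policy(existing_policy)}
    return json.dumps({"resources": [{"type": CONTAINER_GROUP, "properties": props}]})


def load_existing_policy(template_str, diff_mode):
    """Fix 1: decode the existing ccePolicy only when --diff is in effect.

    Without diff mode this returns None before touching the field, so a
    template that already carries an allow_all policy cannot break
    ordinary policy generation."""
    if not diff_mode:
        return None
    for res in json.loads(template_str).get("resources", []):
        if res.get("type") != CONTAINER_GROUP:
            continue
        cce = res.get("properties", {}).get("confidentialComputeProperties", {})
        if cce.get("ccePolicy"):
            return base64.b64decode(cce["ccePolicy"]).decode()
    return None


def containers_from_rego(rego):
    """Fix 2: a policy without a containers rule yields [] instead of an error.

    Only the single-line `containers := [...]` shape of the constructed
    snippets is parsed; real policies span many lines."""
    match = re.search(r"^containers\s*:=\s*(.+)$", rego, re.M)
    return json.loads(match.group(1)) if match else []


def diff_policies(existing_rego, generated_rego):
    """Compare container definitions by id and report differences."""
    old = {c["id"]: c for c in containers_from_rego(existing_rego)}
    new = {c["id"]: c for c in containers_from_rego(generated_rego)}
    diffs = []
    for cid in sorted(set(old) | set(new)):
        if cid not in old:
            diffs.append(f"added container {cid}")
        elif cid not in new:
            diffs.append(f"removed container {cid}")
        elif old[cid] != new[cid]:
            diffs.append(f"changed container {cid}")
    return diffs


def run_diff(template_str):
    """What --diff would report for a template against GENERATED_REGO."""
    existing = load_existing_policy(template_str, diff_mode=True)
    return diff_policies(existing or "", GENERATED_REGO)


if __name__ == "__main__":
    tmpl = make_template(ALLOW_ALL_REGO)
    print(load_existing_policy(tmpl, diff_mode=False))  # None: field never parsed
    print(run_diff(tmpl))                               # ['added container mcr.example/app:1']
    print(run_diff(make_template(GENERATED_REGO)))      # []
```

The point of the first check is ordering: the existing field is read only after the diff flag has been tested, so a malformed or container-less policy in the template can only ever surface as a diff result, never as a generation failure.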

@Copilot Copilot AI review requested due to automatic review settings September 30, 2025 15:03

azure-client-tools-bot-prd bot commented Sep 30, 2025

️✔️Azure CLI Extensions Breaking Change Test
️✔️Non Breaking Changes


Hi @DomAyre,
Please write the description of changes which can be perceived by customers into HISTORY.rst.
If you want to release a new extension version, please update the version in setup.py as well.

@yonzhan yonzhan (Collaborator) commented Sep 30, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.


The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@Copilot Copilot AI (Contributor) left a comment

Pull Request Overview

This PR fixes multiple issues with the acipolicygen --diff functionality to handle cases where ARM templates contain existing ccePolicy fields, particularly when they contain "allow_all" policies that don't define container specifications.

Key changes include:

  • Only parsing existing policies when --diff mode is enabled
  • Treating missing container definitions as empty lists rather than hard errors
  • Adding comprehensive test coverage for diff functionality

Reviewed Changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.

File / Description

  • src/confcom/samples/policies/allow_all.rego: Adds sample allow_all policy for testing
  • src/confcom/samples/aci/existing_policy_allow_all/*: Adds test ARM templates and policies with allow_all configurations
  • src/confcom/samples/aci/existing_policy/*: Adds test ARM templates and policies with existing policy configurations
  • src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen_arm.py: Adds comprehensive tests for diff functionality
  • src/confcom/azext_confcom/template_util.py: Changes error handling from eprint to logger warning
  • src/confcom/azext_confcom/security_policy.py: Updates policy loading and validation to handle empty container lists


Hi @DomAyre

Release Suggestions

Module: confcom

  • Please log updates into src/confcom/HISTORY.rst
  • Update VERSION to 1.2.9 in src/confcom/setup.py

Notes
