Cache Azure Policy Aliases #1277

Closed
ArmaanMcleod opened this issue Feb 25, 2022 · 7 comments · Fixed by #1337

ArmaanMcleod commented Feb 25, 2022

Related to #181, we should cache Azure Policy Aliases in a JSON file.

The format could be something like below:

```json
{
  "Microsoft.AlertsManagement": {
    "smartDetectorAlertRules": {
      "locations": "global",
      "aliasMappings": {
        "Microsoft.AlertsManagement/smartDetectorAlertRules/actionGroups": "properties.actionGroups",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/actionGroups.customEmailSubject": "properties.actionGroups.customEmailSubject",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/actionGroups.customWebhookPayload": "properties.actionGroups.customWebhookPayload",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/actionGroups.groupIds": "properties.actionGroups.groupIds",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/actionGroups.groupIds[*]": "properties.actionGroups.groupIds[*]",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/description": "properties.description",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/detector": "properties.detector",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/detector.description": "properties.detector.description",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/detector.id": "properties.detector.id",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/detector.imagePaths": "properties.detector.imagePaths",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/detector.imagePaths[*]": "properties.detector.imagePaths[*]",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/detector.name": "properties.detector.name",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/detector.parameters": "properties.detector.parameters",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/detector.supportedResourceTypes": "properties.detector.supportedResourceTypes",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/detector.supportedResourceTypes[*]": "properties.detector.supportedResourceTypes[*]",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/frequency": "properties.frequency",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/scope": "properties.scope",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/scope[*]": "properties.scope[*]",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/severity": "properties.severity",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/state": "properties.state",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/throttling": "properties.throttling",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/throttling.duration": "properties.throttling.duration"
      },
      "apiVersions": [
        "2018-02-01-privatepreview",
        "2019-03-01",
        "2019-06-01",
        "2021-04-01"
      ]
    }
  }
}
```

Which would allow us to quickly look up property paths for a given alias.

The other option was to use Get-AzPolicyAlias, but this would require an API call every time an alias is needed, which would lead to slower performance.

ArmaanMcleod added the enhancement label Feb 25, 2022
ArmaanMcleod self-assigned this Feb 25, 2022
BernieWhite (Collaborator) commented

@ArmaanMcleod Let's be aware of any performance cost of the index. We don't really want to do any iteration down resource types to find the aliases.

ArmaanMcleod commented Feb 26, 2022

> @ArmaanMcleod Let's be aware of any performance cost of the index. We don't really want to do any iteration down resource types to find the aliases.

@BernieWhite I think performance cost should be fine, since we can get namespace & resource type from the alias, then index the full alias to get the path. This should be a constant time lookup since no iteration is involved.

Another idea is not even caring about the namespace and resource types, and just dumping aliasMappings as a simple key:value object in the file. That would make things even simpler in terms of lookup and serialization/deserialization. Just not sure if we need to keep the other information.

What do you think?

BernieWhite (Collaborator) commented

@ArmaanMcleod Yes, that might reduce memory and allocations.

ArmaanMcleod (Contributor, Author) commented

@BernieWhite The issue with it is some aliases like Microsoft.Compute/imageId are duplicated across resources. Wouldn't reliably be able to keep alias name as a key for everything.

I think I will keep the first approach for now and think of a better way down the line.
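The trade-off discussed in the comments above, as an added example that is not code from the issue or from the project: a Python sketch of the nested index resolved with dictionary lookups only, next to the flat key:value variant and the collision it produces. The names `resolve` and `flatten`, the trimmed sample cache, the Microsoft.Compute entries and their paths, and the assumption of single-level resource type names are all constructed for illustration.

```python
import json

# Constructed sample in the nested format proposed above; the Microsoft.Compute
# entries and their paths are illustrative values, not taken from the issue.
CACHE = json.loads("""
{
  "Microsoft.AlertsManagement": {"smartDetectorAlertRules": {"aliasMappings": {
    "Microsoft.AlertsManagement/smartDetectorAlertRules/severity": "properties.severity",
    "Microsoft.AlertsManagement/smartDetectorAlertRules/scope[*]": "properties.scope[*]"
  }}},
  "Microsoft.Compute": {
    "virtualMachines": {"aliasMappings": {
      "Microsoft.Compute/imageId": "properties.storageProfile.imageReference.id"
    }},
    "virtualMachineScaleSets": {"aliasMappings": {
      "Microsoft.Compute/imageId": "properties.virtualMachineProfile.storageProfile.imageReference.id"
    }}
  }
}
""")

def resolve(alias, resource_type=None):
    """Return the property path for an alias, or None, without any iteration.

    resource_type ("Namespace/type") must be supplied when the alias does not
    name a resource type itself, as with Microsoft.Compute/imageId.
    """
    namespace, _, rest = alias.partition("/")
    if resource_type is not None:
        type_name = resource_type.partition("/")[2]
    else:
        type_name = rest.partition("/")[0]  # second segment of the alias
    entry = CACHE.get(namespace, {}).get(type_name, {})
    return entry.get("aliasMappings", {}).get(alias)

def flatten(cache):
    """Build the flat alias -> path map and collect aliases that collide."""
    flat, collisions = {}, {}
    for types in cache.values():
        for entry in types.values():
            for alias, path in entry["aliasMappings"].items():
                if alias in flat and flat[alias] != path:
                    collisions.setdefault(alias, {flat[alias]}).add(path)
                flat[alias] = path  # last writer wins: the earlier path is lost
    return flat, collisions
```

In the flat map the second `Microsoft.Compute/imageId` entry silently overwrites the first, so a converted rule could end up checking the wrong property path; the nested index avoids that as long as the caller knows the resource type.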

ArmaanMcleod commented Feb 26, 2022

I guess another thing to consider is if we should replace the aliases with the path when assignments are exported, or if the aliases should be expanded when the assignments are being visited.

To me it would be easier to just convert them when JSON rules are being emitted after the policy rule is visited.

BernieWhite (Collaborator) commented

> I guess another thing to consider is if we should replace the aliases with the path when assignments are exported, or if the aliases should be expanded when the assignments are being visited.
>
> To me it would be easier to just convert them when JSON rules are being emitted after the policy rule is visited.

Agreed.

ArmaanMcleod (Contributor, Author) commented

Will also add a GitHub Actions workflow for this.
