feat(azure-policy): add alias normalization and denormalization#635
feat(azure-policy): add alias normalization and denormalization#635anakrish merged 2 commits intomicrosoft:mainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Adds Azure Policy “alias” support to Regorus by introducing an alias registry plus normalization/denormalization logic (control-plane and data-plane), along with extensive YAML-driven test coverage, documentation, benchmarks, and FFI/C# bindings to expose the registry to consumers.
Changes:
- Introduce
languages::azure_policy::aliases(types, registry, normalizer, denormalizer) and expose it behind theazure_policyfeature. - Add YAML-driven normalization/denormalization/round-trip tests and supporting alias catalogs/manifests.
- Add FFI + C# wrapper API for
AliasRegistry, plus a Criterion benchmark and dependency updates (incl. lockfiles).
Reviewed changes
Copilot reviewed 44 out of 50 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/mod.rs | Conditionally enables Azure Policy test module under azure_policy feature. |
| tests/azure_policy/mod.rs | Azure Policy test root module. |
| tests/azure_policy/normalization/mod.rs | YAML-driven normalization/denormalization/envelope test runner. |
| tests/azure_policy/normalization/cases/round_trip.yaml | Round-trip normalization/denormalization scenarios (incl. versioned remap regression). |
| tests/azure_policy/normalization/cases/registry_api.yaml | Exercises public AliasRegistry APIs (normalize/denormalize/normalize_and_wrap). |
| tests/azure_policy/normalization/cases/normalize_sub_resources.yaml | Sub-resource array flattening test cases. |
| tests/azure_policy/normalization/cases/normalize_envelope.yaml | Envelope construction expectations. |
| tests/azure_policy/normalization/cases/normalize_basic.yaml | Basic normalization behaviors (flatten properties, root precedence, etc.). |
| tests/azure_policy/normalization/cases/malformed_input.yaml | Pins behavior for malformed/unexpected inputs. |
| tests/azure_policy/normalization/cases/envelope_pipeline.yaml | End-to-end normalize+wrap pipeline case. |
| tests/azure_policy/normalization/cases/edge_cases.yaml | Edge-case behavior pinning for ambiguous/malformed inputs. |
| tests/azure_policy/normalization/cases/denormalize_basic.yaml | Basic denormalization behaviors. |
| tests/azure_policy/normalization/cases/denormalize_aliases.yaml | Denormalization with alias-based casing restoration + arrays. |
| tests/azure_policy/normalization/cases/data_plane_manifest.yaml | Data-plane manifest loading + normalization coverage. |
| tests/azure_policy/normalization/cases/data_plane_breadth.yaml | Broader data-plane shape coverage across namespaces. |
| tests/azure_policy/normalization/cases/data_plane_advanced.yaml | Advanced data-plane shapes (top-level aliases, schemaVersions, arrays). |
| tests/azure_policy/aliases/versioned_aliases.json | Versioned alias catalog fixture for tests. |
| src/lib.rs | Exposes languages::azure_policy behind feature flag. |
| src/languages/mod.rs | Adds azure_policy to languages module file (currently unused by crate wiring). |
| src/languages/azure_policy/mod.rs | Defines Azure Policy language module + clippy allowances; exports aliases. |
| src/languages/azure_policy/aliases/types.rs | Alias/manifest schema types + resolved/precomputed structures. |
| src/languages/azure_policy/aliases/obj_map.rs | Internal hash map utilities + nested set helpers + ROOT_FIELDS. |
| src/languages/azure_policy/aliases/normalizer/mod.rs | Normalizer entry points + envelope builder. |
| src/languages/azure_policy/aliases/normalizer/flatten.rs | Recursive normalization helpers + sub-resource flattening. |
| src/languages/azure_policy/aliases/normalizer/element_remap.rs | Array element-level remap logic used for versioned wildcard aliases. |
| src/languages/azure_policy/aliases/normalizer/alias_resolution.rs | Applies alias resolution + precomputed aggregates to normalized output. |
| src/languages/azure_policy/aliases/denormalizer/mod.rs | Denormalization pipeline back to ARM JSON + aggregates application. |
| src/languages/azure_policy/aliases/denormalizer/helpers.rs | CI key lookup + element field removal utilities. |
| src/languages/azure_policy/aliases/denormalizer/sub_resource.rs | Rewraps sub-resource array elements back under properties. |
| src/languages/azure_policy/aliases/denormalizer/casing.rs | Restores key casing using alias metadata-derived map. |
| src/languages/azure_policy/aliases/denormalizer/tests.rs | Inline unit tests for denormalizer helpers/casing. |
| docs/azure-policy/aliases.md | Design discussion and rationale for alias approach. |
| docs/azure-policy/alias-normalization.md | Detailed normalization spec and end-to-end flow documentation. |
| check_aliases.py | Helper script to validate presence of needed aliases in fixtures. |
| benches/normalization_benchmark.rs | Criterion benchmark suite for normalization/denormalization performance. |
| Cargo.toml | Adds hashbrown dependency and new normalization_benchmark bench target. |
| Cargo.lock | Lockfile updates from new dependency graph. |
| bindings/ffi/src/lib.rs | Wires in new FFI module. |
| bindings/ffi/src/common.rs | Derives Debug/PartialEq for RegorusStatus (used in tests/interop). |
| bindings/ffi/src/alias_registry.rs | Adds FFI surface for AliasRegistry load/query/normalize/denormalize. |
| bindings/ffi/Cargo.lock | Lockfile updates from new dependency graph. |
| bindings/csharp/Regorus/SafeHandles.cs | Adds SafeHandle for alias registry native handle. |
| bindings/csharp/Regorus/NativeMethods.cs | Adds P/Invoke declarations for alias registry functions + struct. |
| bindings/csharp/Regorus/AliasRegistry.cs | Adds managed AliasRegistry wrapper API. |
| bindings/csharp/Regorus.Tests/AliasRegistryTests.cs | Adds managed tests covering alias registry API behavior. |
| bindings/java/Cargo.lock | Lockfile updates (hashbrown/foldhash). |
| bindings/python/Cargo.lock | Lockfile updates (hashbrown/foldhash). |
| bindings/wasm/Cargo.lock | Lockfile updates (hashbrown/foldhash). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 44 out of 50 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
anakrish
force-pushed
the
normalizer
branch
2 times, most recently
from
788f861 to
2efd79d
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 41 out of 45 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 41 out of 45 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 40 out of 44 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 40 out of 46 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 40 out of 46 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 40 out of 46 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
src/languages/azure_policy/aliases/normalizer/alias_resolution.rs
Outdated
Show resolved
Hide resolved
anakrish
changed the title
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 40 out of 46 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 40 out of 46 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 40 out of 46 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 40 out of 46 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Add normalizer and denormalizer for ARM JSON resources, enabling Azure Policy alias short names to become direct paths into a flat structure. - Normalizer: flattens properties wrappers, lowercases keys, resolves per-alias versioned ARM paths, handles sub-resource array flattening, element-level field remaps, and array base renames - Denormalizer: reverses all transformations with casing restoration - AliasRegistry: loads production alias catalogs and data policy manifests - Types: serde deserialization for ARM provider alias formats - YAML test suite: 13 test files covering normalize, denormalize, round-trip, data-plane, edge cases, malformed input, sub-resources, and registry API - Benchmark suite for normalization performance
- FFI: alias_registry.rs with C-compatible API for loading catalogs, normalizing resources, and denormalizing back to ARM JSON - C#: AliasRegistry wrapper class with NativeMethods P/Invoke bindings and integration tests - Updated Cargo.lock files for new serde_json dependency
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 40 out of 46 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Azure Policy Alias Normalization
Summary
Adds a normalizer and denormalizer for ARM resource JSON, bridging the
gap between Azure's ARM resource representation and the flat structure
that Azure Policy rules evaluate against.
After normalization, every known alias short name is a direct path into
the resource object — the compiler and VM never need to know about
aliases.
What it does
Normalizer (
ARM JSON → flat input.resource)propertiesinto the resource rootproperties(e.g.,NSG
securityRules[*].properties.protocol→securityRules[*].protocol)_p_type) when alias names shadow rootARM fields
.Data/) resource typesDenormalizer (
flat input.resource → ARM JSON)propertiesenvelopesAliasRegistry
Get-AzPolicyAliasformat)DataPolicyManifestformat)normalize_and_wrap/denormalizeconvenience APIFiles
src/languages/azure_policy/aliases/(normalizer, denormalizer, types, obj_map, registry)bindings/ffi/src/alias_registry.rsbindings/csharp/Regorus/AliasRegistry.cs, teststests/azure_policy/normalization/cases/benches/normalization_benchmark.rstests/azure_policy/aliases/(alias catalogs)Testing
reverse round-trip, sub-resources, data-plane, edge cases, malformed
input, versioned aliases, registry API, and envelope pipeline
-Dwarnings)