Initial policies and method for creating policy definition.

This adds some initial example policies:

- One for region restrictions
- One for service restrictions

Note that the MS ARM team has said that region restrictions may be
controlled by ARM, so that policy might prove unnecessary. The
parameters list for the service restrictions is stubbed for now, pending
the full list.

I also added an internal method for adding policy definitions to a
management group. This method is agnostic about what tier of management
group the policy is being defined at. It requires that a dictionary
representing the properties section of a valid Azure JSON policy
definition be passed as an argument.

atst/domain/csp/cloud.py

@@ -401,6 +401,7 @@ REMOTE_ROOT_ROLE_DEF_ID = "/providers/Microsoft.Authorization/roleDefinitions/00
 class AzureSDKProvider(object):
     def __init__(self):
         from azure.mgmt import subscription, authorization, managementgroups
+        from azure.mgmt.resource import policy
         import azure.graphrbac as graphrbac
         import azure.common.credentials as credentials
         from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD
@@ -410,6 +411,7 @@ class AzureSDKProvider(object):
         self.managementgroups = managementgroups
         self.graphrbac = graphrbac
         self.credentials = credentials
+        self.policy = policy
         # may change to a JEDI cloud
         self.cloud = AZURE_PUBLIC_CLOUD
 
@@ -561,6 +563,51 @@ class AzureCloudProvider(CloudProviderInterface):
             # but we just don't have a valid ID
             pass
 
+    AZURE_MANAGEMENT_API = "https://management.azure.com"
+
+    def _create_policy_definition(
+        self, credentials, subscription_id, management_group_id, properties,
+    ):
+        """
+        Requires credentials that have AZURE_MANAGEMENT_API
+        specified as the resource. The Service Principal
+        specified in the credentials must have the "Resource
+        Policy Contributor" role assigned with a scope at least
+        as high as the management group specified by
+        management_group_id.
+
+        Arguments:
+            credentials -- ServicePrincipalCredentials
+            subscription_id -- str, ID of the subscription (just the UUID, not the path)
+            management_group_id -- str, ID of the management group (just the UUID, not the path)
+            properties -- dictionary, the "properties" section of a valid Azure policy definition document
+
+        Returns:
+            azure.mgmt.resource.policy.[api version].models.PolicyDefinition: the PolicyDefinition object provided to Azure
+
+        Raises:
+            TBD
+        """
+        # TODO: which subscription would this be?
+        client = self.sdk.policy.PolicyClient(credentials, subscription_id)
+
+        definition = client.policy_definitions.models.PolicyDefinition(
+            policy_type=properties.get("policyType"),
+            mode=properties.get("mode"),
+            display_name=properties.get("displayName"),
+            description=properties.get("description"),
+            policy_rule=properties.get("policyRule"),
+            parameters=properties.get("parameters"),
+        )
+
+        name = properties.get("displayName")
+
+        return client.policy_definitions.create_or_update_at_management_group(
+            policy_definition_name=name,
+            parameters=definition,
+            management_group_id=management_group_id,
+        )
+
     def _get_management_service_principal(self):
         # we really should be using graph.microsoft.com, but i'm getting
         # "expired token" errors for that

atst/domain/csp/policy.py

@@ -0,0 +1,12 @@
+class AzurePolicyManager:
+    def __init__(self, static_policy_location):
+        self._static_policy_location = static_policy_location
+
+    def portfolio_definitions():
+        pass
+
+    def application_definitions():
+        pass
+
+    def environment_definitions():
+        pass