[confcom] Add --platform commandline option

MahatiC · MahatiC · commit 608d1297429a · 2026-04-14T17:41:54.000+01:00
diff --git a/src/confcom/azext_confcom/_params.py b/src/confcom/azext_confcom/_params.py
@@ -114,6 +114,14 @@ def load_arguments(self, _):
             help="Image Name",
             validator=validate_aci_source
         )
+        c.argument(
+            "platform",
+            options_list=("--platform",),
+            required=False,
+            default="linux/amd64",
+            help="Target platform for policy generation. Defaults to linux/amd64.",
+            choices=["linux/amd64", "windows/amd64"],
+        )
         c.argument(
             "tar_mapping_location",
             options_list=("--tar",),
diff --git a/src/confcom/azext_confcom/custom.py b/src/confcom/azext_confcom/custom.py
@@ -42,6 +42,7 @@ def acipolicygen_confcom(
     virtual_node_yaml_path: str,
     infrastructure_svn: str,
     tar_mapping_location: str,
+    platform: str = "linux/amd64",
     container_definitions: Optional[list] = None,
     approve_wildcards: str = False,
     outraw: bool = False,
@@ -120,6 +121,7 @@ def acipolicygen_confcom(
         if output_type == security_policy.OutputType.DEFAULT
         else "clear text",
     )
+    logger.warning("Using platform: %s", platform)
     # error checking for making sure an input is provided is above
     if input_path:
         container_group_policies = security_policy.load_policy_from_json_file(
@@ -128,6 +130,7 @@ def acipolicygen_confcom(
             infrastructure_svn=infrastructure_svn,
             disable_stdio=(not stdio_enabled),
             exclude_default_fragments=exclude_default_fragments,
+            platform=platform,
         )
     elif arm_template:
         container_group_policies = security_policy.load_policy_from_arm_template_file(
@@ -140,10 +143,12 @@ def acipolicygen_confcom(
             diff_mode=diff,
             rego_imports=fragments_list,
             exclude_default_fragments=exclude_default_fragments,
+            platform=platform,
         )
     elif image_name:
         container_group_policies = security_policy.load_policy_from_image_name(
-            image_name, debug_mode=debug_mode, disable_stdio=(not stdio_enabled)
+            image_name, debug_mode=debug_mode, disable_stdio=(not stdio_enabled),
+            platform=platform,
         )
     elif virtual_node_yaml_path:
         container_group_policies = security_policy.load_policy_from_virtual_node_yaml_file(
@@ -155,6 +160,7 @@ def acipolicygen_confcom(
             rego_imports=fragments_list,
             exclude_default_fragments=exclude_default_fragments,
             infrastructure_svn=infrastructure_svn,
+            platform=platform,
         )
     elif container_definitions:
         container_group_policies = AciPolicy(
diff --git a/src/confcom/azext_confcom/lib/containers.py b/src/confcom/azext_confcom/lib/containers.py
@@ -5,7 +5,7 @@
 
 
 from dataclasses import asdict
-from azext_confcom.lib.images import get_image_layers, get_image_config, get_image_platform
+from azext_confcom.lib.images import get_image_layers, get_image_config, get_image_platform  # pylint: disable=unused-import
 from azext_confcom.lib.platform import ACI_MOUNTS, VN2_MOUNTS
 
 
@@ -36,20 +36,18 @@ def merge_containers(*args) -> dict:
     return merged_container
 
 
-def from_image(image: str, aci_or_vn2: str) -> dict:
+def from_image(image: str, aci_or_vn2: str, platform: str = "linux/amd64") -> dict:
 
     mounts = {
         "aci": [asdict(mount) for mount in ACI_MOUNTS],
         "vn2": VN2_MOUNTS,
     }.get(aci_or_vn2, None)
 
-    image_platform = get_image_platform(image)
-
     return {
         "id": image,
         "name": image,
-        "layers": get_image_layers(image, platform=image_platform),
-        "platform": image_platform,
+        "layers": get_image_layers(image, platform=platform),
+        "platform": platform,
         **({"mounts": mounts} if mounts else {}),
         **get_image_config(image),
     }
diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py
@@ -41,9 +41,8 @@
                                          process_fragment_imports,
                                          process_mounts,
                                          process_mounts_from_config,
-                                         readable_diff,
-                                         find_value_in_params_and_vars)
-from azext_confcom.lib.images import get_image_platform
+                                         readable_diff)
+from azext_confcom.lib.images import get_image_platform  # pylint: disable=unused-import
 from azext_confcom.lib.defaults import get_debug_mode_exec_procs
 from knack.log import get_logger
 from tqdm import tqdm
@@ -281,7 +280,7 @@ def validate_sidecars(self) -> Tuple[bool, Dict]:
         if len(policy_ids) == 0:
             eprint("No sidecar images found in the policy.")
 
-        policy = load_policy_from_image_name(policy_ids)
+        policy = load_policy_from_image_name(policy_ids, platform=self._platform or "linux/amd64")
 
         policy.populate_policy_content_for_all_images(individual_image=True)
         policy_str = self.get_serialized_output(
@@ -678,6 +677,7 @@ def load_policy_from_arm_template_str(
     rego_imports: Any = None,
     fragment_contents: Any = None,
     exclude_default_fragments: bool = False,
+    platform: str = "linux/amd64",
 ) -> List[AciPolicy]:
     """Function that converts ARM template string to an ACI Policy"""
     input_arm_json = os_util.load_json_from_str(template_data)
@@ -737,6 +737,18 @@ def load_policy_from_arm_template_str(
         container_group_properties = case_insensitive_dict_get(
             resource, config.ACI_FIELD_TEMPLATE_PROPERTIES
         )
+
+        # Validate that osType in the ARM template matches the specified platform
+        os_type = case_insensitive_dict_get(container_group_properties, "osType")
+        if os_type:
+            expected_os = "linux" if platform.startswith("linux") else "windows"
+            if os_type.lower() != expected_os:
+                eprint(
+                    f'ARM template osType "{os_type}" does not match '
+                    f'the supplied platform "{platform}". '
+                    f'Please use --platform to specify a consistent platform.'
+                )
+
         container_list = case_insensitive_dict_get(
             container_group_properties, config.ACI_FIELD_TEMPLATE_CONTAINERS
         )
@@ -818,16 +830,6 @@ def load_policy_from_arm_template_str(
             extract_probe(exec_processes, image_properties, config.ACI_FIELD_CONTAINERS_READINESS_PROBE)
             extract_probe(exec_processes, image_properties, config.ACI_FIELD_CONTAINERS_LIVENESS_PROBE)
 
-            # Use platform from template if specified, otherwise try to auto-detect from image
-            platform = case_insensitive_dict_get(image_properties, "platform")
-            if not platform:
-                # By this point, we have not substituted any parameters or
-                # variables yet, but in order to get the image we have to know
-                # the final image name.  So resolve it here temporarily (later
-                # on, the constructor of AciPolicy will resolve it again)
-                image_name_with_param_substituted = find_value_in_params_and_vars(all_params, all_vars, image_name)
-                platform = get_image_platform(image_name_with_param_substituted)
-
             containers.append(
                 {
                     config.ACI_FIELD_CONTAINERS_ID: image_name,
@@ -882,6 +884,7 @@ def load_policy_from_arm_template_file(
     rego_imports: list = None,
     fragment_contents: list = None,
     exclude_default_fragments: bool = False,
+    platform: str = "linux/amd64",
 ) -> List[AciPolicy]:
     """Utility function: generate policy object from given arm template and parameter file paths"""
     input_arm_json = os_util.load_str_from_file(template_path)
@@ -899,11 +902,13 @@ def load_policy_from_arm_template_file(
         diff_mode=diff_mode,
         fragment_contents=fragment_contents,
         exclude_default_fragments=exclude_default_fragments,
+        platform=platform,
     )
 
 
 def load_policy_from_image_name(
-    image_names: Union[List[str], str], debug_mode: bool = False, disable_stdio: bool = False
+    image_names: Union[List[str], str], debug_mode: bool = False, disable_stdio: bool = False,
+    platform: str = "linux/amd64",
 ) -> AciPolicy:
     # can either take a list of image names or a single image name
     if isinstance(image_names, str):
@@ -925,7 +930,7 @@ def load_policy_from_image_name(
         container[config.ACI_FIELD_CONTAINERS_CONTAINERIMAGE] = image_name
         container[config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS] = not disable_stdio
 
-        container["platform"] = get_image_platform(image_name)
+        container["platform"] = platform
 
         containers.append(container)
 
@@ -945,14 +950,16 @@ def load_policy_from_json_file(
     disable_stdio: bool = False,
     infrastructure_svn: str = None,
     exclude_default_fragments: bool = False,
+    platform: str = "linux/amd64",
 ) -> AciPolicy:
     json_content = os_util.load_str_from_file(data)
     return load_policy_from_json(
         json_content,
         debug_mode=debug_mode,
         disable_stdio=disable_stdio,
         infrastructure_svn=infrastructure_svn,
-        exclude_default_fragments=exclude_default_fragments
+        exclude_default_fragments=exclude_default_fragments,
+        platform=platform,
     )
 
 
@@ -962,6 +969,7 @@ def load_policy_from_json(
     disable_stdio: bool = False,
     infrastructure_svn: str = None,
     exclude_default_fragments: bool = False,
+    platform: str = "linux/amd64",
 ) -> AciPolicy:
     output_containers = []
     # 1) Parse incoming string as JSON
@@ -1070,8 +1078,6 @@ def load_policy_from_json(
 
         envs += process_env_vars_from_config(container_properties)
 
-        platform = get_image_platform(image_name)
-
         output_containers.append(
             {
                 config.ACI_FIELD_CONTAINERS_ID: image_name,
@@ -1129,6 +1135,7 @@ def load_policy_from_virtual_node_yaml_file(
         exclude_default_fragments: bool = False,
         fragment_contents: list = None,
         infrastructure_svn: str = None,
+        platform: str = "linux/amd64",
 ) -> List[AciPolicy]:
     yaml_contents_str = os_util.load_str_from_file(virtual_node_yaml_path)
     return load_policy_from_virtual_node_yaml_str(
@@ -1141,6 +1148,7 @@ def load_policy_from_virtual_node_yaml_file(
         exclude_default_fragments=exclude_default_fragments,
         fragment_contents=fragment_contents,
         infrastructure_svn=infrastructure_svn,
+        platform=platform,
     )
 
 
@@ -1155,6 +1163,7 @@ def load_policy_from_virtual_node_yaml_str(
         exclude_default_fragments: bool = False,
         fragment_contents: Any = None,
         infrastructure_svn: str = None,
+        platform: str = "linux/amd64",
 ) -> List[AciPolicy]:
     """
     Load a virtual node yaml file and generate a policy object
@@ -1343,8 +1352,6 @@ def load_policy_from_virtual_node_yaml_str(
             extract_lifecycle_hook(exec_processes, container, config.VIRTUAL_NODE_YAML_LIFECYCLE_POST_START)
             extract_lifecycle_hook(exec_processes, container, config.VIRTUAL_NODE_YAML_LIFECYCLE_PRE_STOP)
 
-            platform = get_image_platform(image)
-
             policy_containers.append(
                 {
                     config.ACI_FIELD_CONTAINERS_ID: image,
