[Stream Analytics] Fix #9708: Policy isn't triggered when creating a stream analytics input (#9734)

* Update test case version

* Fix authentication mode bug

* Added test case and recording for this development

* Added log and update version

* Update test case and re-record test case

* Update test case recording version

Author: william051200

src/stream-analytics/HISTORY.rst

@@ -3,6 +3,10 @@
 Release History
 ===============
 
+1.0.2
++++++++++++++++
+* Fix creating stream analytics input not triggering policy bug
+
 1.0.1
 +++++++++++++++
 * Supports stream-analytics output type: Microsoft.AzureFunction

src/stream-analytics/azext_stream_analytics/tests/latest/recordings/test_input_create_policy_violation.yaml

@@ -2935,7 +2935,7 @@ interactions:
       User-Agent:
       - AZURECLI/2.77.0 azsdk-python-core/1.35.0 Python/3.12.10 (Windows-11-10.0.26100-SP0)
     method: GET
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_stream_analytics_000001/providers/Microsoft.Storage/storageAccounts/pl000002?api-version=2024-01-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_stream_analytics_000001/providers/Microsoft.Storage/storageAccounts/pl000002?api-version=2025-06-01
   response:
     body:
       string: '{"sku":{"name":"Standard_LRS","tier":"Standard"},"kind":"StorageV2","id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_stream_analytics_000001/providers/Microsoft.Storage/storageAccounts/pl000002","name":"pl000002","type":"Microsoft.Storage/storageAccounts","location":"westus","tags":{},"properties":{"keyCreationTime":{"key1":"2025-09-19T03:45:19.3246476Z","key2":"2025-09-19T03:45:19.3246476Z"},"allowCrossTenantReplication":false,"privateEndpointConnections":[],"minimumTlsVersion":"TLS1_0","allowBlobPublicAccess":false,"networkAcls":{"ipv6Rules":[],"bypass":"AzureServices","virtualNetworkRules":[],"ipRules":[],"defaultAction":"Allow"},"supportsHttpsTrafficOnly":true,"encryption":{"services":{"file":{"keyType":"Account","enabled":true,"lastEnabledTime":"2025-09-19T03:45:19.3402678Z"},"blob":{"keyType":"Account","enabled":true,"lastEnabledTime":"2025-09-19T03:45:19.3402678Z"}},"keySource":"Microsoft.Storage"},"accessTier":"Hot","provisioningState":"Succeeded","creationTime":"2025-09-19T03:45:19.1840227Z","primaryEndpoints":{"dfs":"https://pl000002.dfs.core.windows.net/","web":"https://pl000002.z22.web.core.windows.net/","blob":"https://pl000002.blob.core.windows.net/","queue":"https://pl000002.queue.core.windows.net/","table":"https://pl000002.table.core.windows.net/","file":"https://pl000002.file.core.windows.net/"},"primaryLocation":"westus","statusOfPrimary":"available"}}'
@@ -2981,7 +2981,7 @@ interactions:
       User-Agent:
       - AZURECLI/2.77.0 azsdk-python-core/1.35.0 Python/3.12.10 (Windows-11-10.0.26100-SP0)
     method: GET
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_stream_analytics_000001/providers/Microsoft.Storage/storageAccounts/pl000002/privateLinkResources?api-version=2024-01-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_stream_analytics_000001/providers/Microsoft.Storage/storageAccounts/pl000002/privateLinkResources?api-version=2025-06-01
   response:
     body:
       string: '{"value":[{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_stream_analytics_000001/providers/Microsoft.Storage/storageAccounts/pl000002/privateLinkResources/blob","name":"blob","type":"Microsoft.Storage/storageAccounts/privateLinkResources","properties":{"groupId":"blob","requiredMembers":["blob"],"requiredZoneNames":["privatelink.blob.core.windows.net"]}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_stream_analytics_000001/providers/Microsoft.Storage/storageAccounts/pl000002/privateLinkResources/table","name":"table","type":"Microsoft.Storage/storageAccounts/privateLinkResources","properties":{"groupId":"table","requiredMembers":["table"],"requiredZoneNames":["privatelink.table.core.windows.net"]}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_stream_analytics_000001/providers/Microsoft.Storage/storageAccounts/pl000002/privateLinkResources/queue","name":"queue","type":"Microsoft.Storage/storageAccounts/privateLinkResources","properties":{"groupId":"queue","requiredMembers":["queue"],"requiredZoneNames":["privatelink.queue.core.windows.net"]}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_stream_analytics_000001/providers/Microsoft.Storage/storageAccounts/pl000002/privateLinkResources/file","name":"file","type":"Microsoft.Storage/storageAccounts/privateLinkResources","properties":{"groupId":"file","requiredMembers":["file"],"requiredZoneNames":["privatelink.file.core.windows.net"]}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_stream_analytics_000001/providers/Microsoft.Storage/storageAccounts/pl000002/privateLinkResources/web","name":"web","type":"Microsoft.Storage/storageAccounts/privateLinkResources","properties":{"groupId":"web","requiredMembers":["web"],"requiredZoneNames":["privatelink.web.core.windows.net"]}},{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_stream_analytics_000001/providers/Microsoft.Storage/storageAccounts/pl000002/privateLinkResources/dfs","name":"dfs","type":"Microsoft.Storage/storageAccounts/privateLinkResources","properties":{"groupId":"dfs","requiredMembers":["dfs"],"requiredZoneNames":["privatelink.dfs.core.windows.net"]}}]}'

src/stream-analytics/azext_stream_analytics/tests/latest/recordings/test_input_crud.yaml

@@ -188,6 +188,85 @@ def test_input_crud(self, storage_account):
         # delete an input
         self.cmd("stream-analytics input delete -n {input_name} -g {rg} --job-name {job_name} --yes")
 
+    @ResourceGroupPreparer(name_prefix="cli_test_stream_analytics_")
+    @StorageAccountPreparer(parameter_name="storage_account")
+    def test_input_create_policy_violation(self, storage_account):
+        self.kwargs.update({
+            "job_name": "job",
+            "input_name": "input",
+            "locale": "en-US",
+            "account": storage_account,
+            "container": "container"
+        })
+
+        policy_param = {
+            "effect": {
+                "value": "Deny"
+            }
+        }
+        self.kwargs["policy_param"] = json.dumps(policy_param)
+        self.cmd(
+            "policy assignment create --name deny-asa-mi --display-name 'Deny ASA non-MI authentication' \
+            --policy ea6c4923-510a-4346-be26-1894919a5b97 \
+            --params '{policy_param}'"
+        )
+
+        # create a streaming job
+        self.cmd(
+            "stream-analytics job create -n {job_name} -g {rg} \
+            --data-locale {locale} \
+            --output-error-policy Drop --out-of-order-policy Drop \
+            --order-max-delay 0 --arrival-max-delay 5"
+        )
+
+        # prepare storage account
+        self.kwargs["key"] = self.cmd(
+            "storage account keys list --account-name {account}"
+        ).get_output_in_json()[0]["value"]
+        self.cmd(
+            "storage container create -n {container} \
+            --account-name {account} --account-key {key}"
+        )
+
+        # create/test an input
+        props = {
+            "type": "Stream",
+            "datasource": {
+                "type": "Microsoft.Storage/Blob",
+                "properties": {
+                    "container": self.kwargs["container"],
+                    "dateFormat": "yyyy/MM/dd",
+                    "pathPattern": "{date}/{time}",
+                    "storageAccounts": [{
+                        "accountName": self.kwargs["account"],
+                        "accountKey": self.kwargs["key"]
+                    }],
+                    "timeFormat": "HH",
+                    "authenticationMode": "ConnectionString"
+                }
+            },
+            "serialization": {
+                "type": "Csv",
+                "properties": {
+                    "encoding": "UTF8",
+                    "fieldDelimiter": ","
+                }
+            }
+        }
+        self.kwargs["properties"] = json.dumps(props)
+
+        # Make sure it raises an exception error and the error is correct
+        from azure.core.exceptions import HttpResponseError
+        with self.assertRaises(HttpResponseError) as cm:
+            self.cmd(
+                "stream-analytics input create -n {input_name} -g {rg} \
+                --job-name {job_name} \
+                --properties '{properties}'"
+            )
+
+        self.assertIn("RequestDisallowedByPolicy", str(cm.exception))
+
+
     @AllowLargeResponse()
     @ResourceGroupPreparer(name_prefix="cli_test_stream_analytics_", location="westus")
     @StorageAccountPreparer(parameter_name="storage_account")

src/stream-analytics/azext_stream_analytics/tests/latest/recordings/test_job_scale.yaml

@@ -1000,6 +1000,9 @@ class BlobDataSourceProperties(msrest.serialization.Model):
     :param time_format: The time format. Wherever {time} appears in pathPattern, the value of this
      property is used as the time format instead.
     :type time_format: str
+    :param authentication_mode: Authentication Mode. Possible values include: "Msi", "UserToken",
+     "ConnectionString".
+    :type authentication_mode: str or ~stream_analytics_management_client.models.AuthenticationMode
     """
 
     _attribute_map = {
@@ -1008,6 +1011,7 @@ class BlobDataSourceProperties(msrest.serialization.Model):
         'path_pattern': {'key': 'pathPattern', 'type': 'str'},
         'date_format': {'key': 'dateFormat', 'type': 'str'},
         'time_format': {'key': 'timeFormat', 'type': 'str'},
+        'authentication_mode': {'key': 'authenticationMode', 'type': 'str'},
     }
 
     def __init__(
@@ -1020,6 +1024,7 @@ def __init__(
         self.path_pattern = kwargs.get('path_pattern', None)
         self.date_format = kwargs.get('date_format', None)
         self.time_format = kwargs.get('time_format', None)
+        self.authentication_mode = kwargs.get('authentication_mode', None)
 
 
 class BlobOutputDataSource(OutputDataSource):
@@ -1156,6 +1161,9 @@ class BlobReferenceInputDataSource(ReferenceInputDataSource):
     :param time_format: The time format. Wherever {time} appears in pathPattern, the value of this
      property is used as the time format instead.
     :type time_format: str
+    :param authentication_mode: Authentication Mode. Possible values include: "Msi", "UserToken",
+     "ConnectionString".
+    :type authentication_mode: str or ~stream_analytics_management_client.models.AuthenticationMode
     """
 
     _validation = {
@@ -1169,6 +1177,7 @@ class BlobReferenceInputDataSource(ReferenceInputDataSource):
         'path_pattern': {'key': 'properties.pathPattern', 'type': 'str'},
         'date_format': {'key': 'properties.dateFormat', 'type': 'str'},
         'time_format': {'key': 'properties.timeFormat', 'type': 'str'},
+        'authentication_mode': {'key': 'properties.authenticationMode', 'type': 'str'},
     }
 
     def __init__(
@@ -1182,6 +1191,7 @@ def __init__(
         self.path_pattern = kwargs.get('path_pattern', None)
         self.date_format = kwargs.get('date_format', None)
         self.time_format = kwargs.get('time_format', None)
+        self.authentication_mode = kwargs.get('authentication_mode', None)
 
 
 class BlobReferenceInputDataSourceProperties(BlobDataSourceProperties):
@@ -1207,6 +1217,9 @@ class BlobReferenceInputDataSourceProperties(BlobDataSourceProperties):
     :param time_format: The time format. Wherever {time} appears in pathPattern, the value of this
      property is used as the time format instead.
     :type time_format: str
+    :param authentication_mode: Authentication Mode. Possible values include: "Msi", "UserToken",
+     "ConnectionString".
+    :type authentication_mode: str or ~stream_analytics_management_client.models.AuthenticationMode
     """
 
     _attribute_map = {
@@ -1215,6 +1228,7 @@ class BlobReferenceInputDataSourceProperties(BlobDataSourceProperties):
         'path_pattern': {'key': 'pathPattern', 'type': 'str'},
         'date_format': {'key': 'dateFormat', 'type': 'str'},
         'time_format': {'key': 'timeFormat', 'type': 'str'},
+        'authentication_mode': {'key': 'authenticationMode', 'type': 'str'},
     }
 
     def __init__(
@@ -1288,6 +1302,9 @@ class BlobStreamInputDataSource(StreamInputDataSource):
     :param source_partition_count: The partition count of the blob input data source. Range 1 -
      256.
     :type source_partition_count: int
+    :param authentication_mode: Authentication Mode. Possible values include: "Msi", "UserToken",
+     "ConnectionString".
+    :type authentication_mode: str or ~stream_analytics_management_client.models.AuthenticationMode
     """
 
     _validation = {
@@ -1302,6 +1319,7 @@ class BlobStreamInputDataSource(StreamInputDataSource):
         'date_format': {'key': 'properties.dateFormat', 'type': 'str'},
         'time_format': {'key': 'properties.timeFormat', 'type': 'str'},
         'source_partition_count': {'key': 'properties.sourcePartitionCount', 'type': 'int'},
+        'authentication_mode': {'key': 'properties.authenticationMode', 'type': 'str'},
     }
 
     def __init__(
@@ -1316,6 +1334,7 @@ def __init__(
         self.date_format = kwargs.get('date_format', None)
         self.time_format = kwargs.get('time_format', None)
         self.source_partition_count = kwargs.get('source_partition_count', None)
+        self.authentication_mode = kwargs.get('authentication_mode', None)
 
 
 class BlobStreamInputDataSourceProperties(BlobDataSourceProperties):
@@ -1344,6 +1363,9 @@ class BlobStreamInputDataSourceProperties(BlobDataSourceProperties):
     :param source_partition_count: The partition count of the blob input data source. Range 1 -
      256.
     :type source_partition_count: int
+    :param authentication_mode: Authentication Mode. Possible values include: "Msi", "UserToken",
+     "ConnectionString".
+    :type authentication_mode: str or ~stream_analytics_management_client.models.AuthenticationMode
     """
 
     _attribute_map = {
@@ -1353,6 +1375,7 @@ class BlobStreamInputDataSourceProperties(BlobDataSourceProperties):
         'date_format': {'key': 'dateFormat', 'type': 'str'},
         'time_format': {'key': 'timeFormat', 'type': 'str'},
         'source_partition_count': {'key': 'sourcePartitionCount', 'type': 'int'},
+        'authentication_mode': {'key': 'authenticationMode', 'type': 'str'},
     }
 
     def __init__(
@@ -1361,6 +1384,7 @@ def __init__(
     ):
         super(BlobStreamInputDataSourceProperties, self).__init__(**kwargs)
         self.source_partition_count = kwargs.get('source_partition_count', None)
+        self.authentication_mode = kwargs.get('authentication_mode', None)
 
 
 class Resource(msrest.serialization.Model):