[confcom] Fix --exclude-default-fragments (#9248)

DomAyre · web-flow · commit 126476e72953 · 2025-11-03T14:32:50.000+08:00
* Fix bug with --exclude-default-fragments

* Satisfy azdev style

* Bump the version

* retrigger CI
diff --git a/src/confcom/HISTORY.rst b/src/confcom/HISTORY.rst
@@ -3,6 +3,10 @@
 Release History
 ===============
 
+1.3.1
+++++++
+* bugfix for --exclude-default-fragments flag not working as intended
+
 1.3.0
 ++++++
 * Add a new --enable-stdio flag, with a warning if neither this or --disable-stdio is set
diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py
@@ -675,13 +675,14 @@ def load_policy_from_arm_template_str(
         containers = []
         existing_containers = None
         fragments = None
-        exclude_default_fragments = False
+        group_exclude_default_fragments = exclude_default_fragments
 
         tags = case_insensitive_dict_get(resource, config.ACI_FIELD_TEMPLATE_TAGS)
         if tags:
-            exclude_default_fragments = case_insensitive_dict_get(tags, config.ACI_FIELD_TEMPLATE_ZERO_SIDECAR)
-            if isinstance(exclude_default_fragments, str):
-                exclude_default_fragments = exclude_default_fragments.lower() == "true"
+            group_exclude_default_fragments = \
+                case_insensitive_dict_get(tags, config.ACI_FIELD_TEMPLATE_ZERO_SIDECAR)
+            if isinstance(group_exclude_default_fragments, str):
+                group_exclude_default_fragments = group_exclude_default_fragments.lower() == "true"
 
         container_group_properties = case_insensitive_dict_get(
             resource, config.ACI_FIELD_TEMPLATE_PROPERTIES
@@ -720,7 +721,10 @@ def load_policy_from_arm_template_str(
         else:
             existing_containers, fragments = ([], [])
 
-        rego_fragments = copy.deepcopy(config.DEFAULT_REGO_FRAGMENTS) if not exclude_default_fragments else []
+        rego_fragments = (
+            copy.deepcopy(config.DEFAULT_REGO_FRAGMENTS)
+            if not group_exclude_default_fragments else []
+        )
         if infrastructure_svn:
             # assumes the first DEFAULT_REGO_FRAGMENT is always the
             # infrastructure fragment
diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen_arm.py b/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen_arm.py
@@ -54,7 +54,6 @@ def test_acipolicygen(sample_directory, generated_policy_path):
 
     for failing_sample_directory, failing_generated_policy_paths in [
         ("multi_container_groups", ("policy_fragment.rego", "policy_fragment_plus_infrastructure_svn.rego")), # TODO: https://github.com/Azure/azure-cli-extensions/issues/9229
-        (None, ("policy_exclude_default_fragment.rego",)), # TODO: https://github.com/Azure/azure-cli-extensions/issues/9198
     ]:
         if (
             (sample_directory == failing_sample_directory or failing_sample_directory is None)
