Restructure to nested policies object in database YAML

alex-slynko · Copilot · alex-slynko · commit d87ca96ee8fa · 2026-04-09T19:26:04.000+01:00
Introduce DatabasePolicies class so managed identity lives under
policies.managedIdentity in YAML, making it extensible for future
database-level policies.

- Add DatabasePolicies model with ManagedIdentity property
- Replace Database.ManagedIdentityPolicies with Database.Policies
- Update DatabaseChanges, loader, tests, and demo YAML

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/KustoSchemaTools.Tests/DemoData/DemoDeployment/DemoDatabase/database.yml b/KustoSchemaTools.Tests/DemoData/DemoDeployment/DemoDatabase/database.yml
@@ -13,11 +13,12 @@ admins:
 - name: SPN-ADMIN
   id: aadapp=f678ce29-8f92-4d6e-b95d-f2ed8fa7713f;7396cfeb-2920-488f-b0bb-81a584d34a24
 
-managedIdentityPolicies:
-- objectId: 12345678-1234-1234-1234-123456789abc
-  allowedUsages:
-  - NativeIngestion
-  - ExternalTable
+policies:
+  managedIdentity:
+  - objectId: 12345678-1234-1234-1234-123456789abc
+    allowedUsages:
+    - NativeIngestion
+    - ExternalTable
 
 tables:
   sourceTable:
diff --git a/KustoSchemaTools.Tests/Model/ManagedIdentityPolicyTests.cs b/KustoSchemaTools.Tests/Model/ManagedIdentityPolicyTests.cs
@@ -129,12 +129,15 @@ public void DatabaseChanges_WithManagedIdentityPolicies_GeneratesScript()
             var newState = new Database
             {
                 Name = "TestDb",
-                ManagedIdentityPolicies = new List<ManagedIdentityPolicy>
+                Policies = new DatabasePolicies
                 {
-                    new ManagedIdentityPolicy
+                    ManagedIdentity = new List<ManagedIdentityPolicy>
                     {
-                        ObjectId = "12345678-1234-1234-1234-123456789abc",
-                        AllowedUsages = new List<string> { "NativeIngestion" }
+                        new ManagedIdentityPolicy
+                        {
+                            ObjectId = "12345678-1234-1234-1234-123456789abc",
+                            AllowedUsages = new List<string> { "NativeIngestion" }
+                        }
                     }
                 }
             };
@@ -161,17 +164,20 @@ public void DatabaseChanges_WithMultipleManagedIdentityPolicies_GeneratesSingleS
             var newState = new Database
             {
                 Name = "TestDb",
-                ManagedIdentityPolicies = new List<ManagedIdentityPolicy>
+                Policies = new DatabasePolicies
                 {
-                    new ManagedIdentityPolicy
+                    ManagedIdentity = new List<ManagedIdentityPolicy>
                     {
-                        ObjectId = "aaaaaaaa-1111-2222-3333-444444444444",
-                        AllowedUsages = new List<string> { "NativeIngestion" }
-                    },
-                    new ManagedIdentityPolicy
-                    {
-                        ObjectId = "bbbbbbbb-1111-2222-3333-444444444444",
-                        AllowedUsages = new List<string> { "ExternalTable" }
+                        new ManagedIdentityPolicy
+                        {
+                            ObjectId = "aaaaaaaa-1111-2222-3333-444444444444",
+                            AllowedUsages = new List<string> { "NativeIngestion" }
+                        },
+                        new ManagedIdentityPolicy
+                        {
+                            ObjectId = "bbbbbbbb-1111-2222-3333-444444444444",
+                            AllowedUsages = new List<string> { "ExternalTable" }
+                        }
                     }
                 }
             };
@@ -202,17 +208,23 @@ public void DatabaseChanges_WithUnchangedManagedIdentityPolicies_GeneratesNoChan
             var oldState = new Database
             {
                 Name = "TestDb",
-                ManagedIdentityPolicies = new List<ManagedIdentityPolicy> { policy }
+                Policies = new DatabasePolicies
+                {
+                    ManagedIdentity = new List<ManagedIdentityPolicy> { policy }
+                }
             };
             var newState = new Database
             {
                 Name = "TestDb",
-                ManagedIdentityPolicies = new List<ManagedIdentityPolicy>
+                Policies = new DatabasePolicies
                 {
-                    new ManagedIdentityPolicy
+                    ManagedIdentity = new List<ManagedIdentityPolicy>
                     {
-                        ObjectId = "12345678-1234-1234-1234-123456789abc",
-                        AllowedUsages = new List<string> { "NativeIngestion" }
+                        new ManagedIdentityPolicy
+                        {
+                            ObjectId = "12345678-1234-1234-1234-123456789abc",
+                            AllowedUsages = new List<string> { "NativeIngestion" }
+                        }
                     }
                 }
             };
diff --git a/KustoSchemaTools.Tests/Parser/YamlDatabaseHandlerTests.cs b/KustoSchemaTools.Tests/Parser/YamlDatabaseHandlerTests.cs
@@ -43,9 +43,10 @@ public async Task GetDatabase()
             Assert.Equal("120d", tt.Policies?.Retention);
 
             // Verify managed identity policies are loaded from database.yml
-            Assert.NotNull(db.ManagedIdentityPolicies);
-            Assert.Single(db.ManagedIdentityPolicies);
-            var miPolicy = db.ManagedIdentityPolicies[0];
+            Assert.NotNull(db.Policies);
+            Assert.NotNull(db.Policies.ManagedIdentity);
+            Assert.Single(db.Policies.ManagedIdentity);
+            var miPolicy = db.Policies.ManagedIdentity[0];
             Assert.Equal("12345678-1234-1234-1234-123456789abc", miPolicy.ObjectId);
             Assert.Equal(2, miPolicy.AllowedUsages.Count);
             Assert.Contains("NativeIngestion", miPolicy.AllowedUsages);
diff --git a/KustoSchemaTools/Changes/DatabaseChanges.cs b/KustoSchemaTools/Changes/DatabaseChanges.cs
@@ -22,17 +22,17 @@ public static List<IChange> GenerateChanges(Database oldState, Database newState
                     otherFromScripts.AddRange(oldState.Scripts.Select(itm => new DatabaseScriptContainer(itm, "DatabaseScript")));
                 if (oldState.DefaultRetentionAndCache != null)
                     otherFromScripts.AddRange(oldState.DefaultRetentionAndCache.CreateScripts(name, "database"));
-                if (oldState.ManagedIdentityPolicies != null && oldState.ManagedIdentityPolicies.Any())
-                    otherFromScripts.Add(ManagedIdentityPolicy.CreateCombinedScript(name, oldState.ManagedIdentityPolicies));
+                if (oldState.Policies?.ManagedIdentity != null && oldState.Policies.ManagedIdentity.Any())
+                    otherFromScripts.Add(ManagedIdentityPolicy.CreateCombinedScript(name, oldState.Policies.ManagedIdentity));
             }
 
             var otherToScripts = new List<DatabaseScriptContainer>();
             if (newState.Scripts != null)
                 otherToScripts.AddRange(newState.Scripts.Select(itm => new DatabaseScriptContainer(itm, "DatabaseScript")));
             if (newState.DefaultRetentionAndCache != null)
                 otherToScripts.AddRange(newState.DefaultRetentionAndCache.CreateScripts(name, "database"));
-            if (newState.ManagedIdentityPolicies != null && newState.ManagedIdentityPolicies.Any())
-                otherToScripts.Add(ManagedIdentityPolicy.CreateCombinedScript(name, newState.ManagedIdentityPolicies));
+            if (newState.Policies?.ManagedIdentity != null && newState.Policies.ManagedIdentity.Any())
+                otherToScripts.Add(ManagedIdentityPolicy.CreateCombinedScript(name, newState.Policies.ManagedIdentity));
 
             if (otherToScripts.Count > 0)
             {
diff --git a/KustoSchemaTools/Model/Database.cs b/KustoSchemaTools/Model/Database.cs
@@ -37,7 +37,7 @@ public class Database
 
         public Dictionary<string, FollowerDatabase> Followers { get; set; } = new Dictionary<string, FollowerDatabase>();
 
-        public List<ManagedIdentityPolicy> ManagedIdentityPolicies { get; set; } = new List<ManagedIdentityPolicy>();
+        public DatabasePolicies Policies { get; set; } = new DatabasePolicies();
 
         public string EscapedName => Name.BracketIfIdentifier();
     }
diff --git a/KustoSchemaTools/Model/DatabasePolicies.cs b/KustoSchemaTools/Model/DatabasePolicies.cs
@@ -0,0 +1,7 @@
+namespace KustoSchemaTools.Model
+{
+    public class DatabasePolicies
+    {
+        public List<ManagedIdentityPolicy> ManagedIdentity { get; set; } = new List<ManagedIdentityPolicy>();
+    }
+}
diff --git a/KustoSchemaTools/Parser/KustoLoader/KustoManagedIdentityPolicyLoader.cs b/KustoSchemaTools/Parser/KustoLoader/KustoManagedIdentityPolicyLoader.cs
@@ -17,7 +17,9 @@ public async Task Load(Database database, string databaseName, KustoClient kusto
         {
             var response = await kusto.Client.ExecuteQueryAsync(databaseName, script, new ClientRequestProperties());
             var rows = response.As<ManagedIdentityRow>();
-            database.ManagedIdentityPolicies = rows
+            if (database.Policies == null)
+                database.Policies = new DatabasePolicies();
+            database.Policies.ManagedIdentity = rows
                 .Select(r => new ManagedIdentityPolicy
                 {
                     ObjectId = r.ObjectId,

Original file line number	Diff line number	Diff line change
`@@ -129,12 +129,15 @@ public void DatabaseChanges_WithManagedIdentityPolicies_GeneratesScript()`
`129`	`129`	`var newState = new Database`
`130`	`130`	`{`
`131`	`131`	`Name = "TestDb",`
`132`		`- ManagedIdentityPolicies = new List<ManagedIdentityPolicy>`
	`132`	`+ Policies = new DatabasePolicies`
`133`	`133`	`{`
`134`		`- new ManagedIdentityPolicy`
	`134`	`+ ManagedIdentity = new List<ManagedIdentityPolicy>`
`135`	`135`	`{`
`136`		`- ObjectId = "12345678-1234-1234-1234-123456789abc",`
`137`		`- AllowedUsages = new List<string> { "NativeIngestion" }`
	`136`	`+ new ManagedIdentityPolicy`
	`137`	`+ {`
	`138`	`+ ObjectId = "12345678-1234-1234-1234-123456789abc",`
	`139`	`+ AllowedUsages = new List<string> { "NativeIngestion" }`
	`140`	`+ }`
`138`	`141`	`}`
`139`	`142`	`}`
`140`	`143`	`};`
`@@ -161,17 +164,20 @@ public void DatabaseChanges_WithMultipleManagedIdentityPolicies_GeneratesSingleS`
`161`	`164`	`var newState = new Database`
`162`	`165`	`{`
`163`	`166`	`Name = "TestDb",`
`164`		`- ManagedIdentityPolicies = new List<ManagedIdentityPolicy>`
	`167`	`+ Policies = new DatabasePolicies`
`165`	`168`	`{`
`166`		`- new ManagedIdentityPolicy`
	`169`	`+ ManagedIdentity = new List<ManagedIdentityPolicy>`
`167`	`170`	`{`
`168`		`- ObjectId = "aaaaaaaa-1111-2222-3333-444444444444",`
`169`		`- AllowedUsages = new List<string> { "NativeIngestion" }`
`170`		`- },`
`171`		`- new ManagedIdentityPolicy`
`172`		`- {`
`173`		`- ObjectId = "bbbbbbbb-1111-2222-3333-444444444444",`
`174`		`- AllowedUsages = new List<string> { "ExternalTable" }`
	`171`	`+ new ManagedIdentityPolicy`
	`172`	`+ {`
	`173`	`+ ObjectId = "aaaaaaaa-1111-2222-3333-444444444444",`
	`174`	`+ AllowedUsages = new List<string> { "NativeIngestion" }`
	`175`	`+ },`
	`176`	`+ new ManagedIdentityPolicy`
	`177`	`+ {`
	`178`	`+ ObjectId = "bbbbbbbb-1111-2222-3333-444444444444",`
	`179`	`+ AllowedUsages = new List<string> { "ExternalTable" }`
	`180`	`+ }`
`175`	`181`	`}`
`176`	`182`	`}`
`177`	`183`	`};`
`@@ -202,17 +208,23 @@ public void DatabaseChanges_WithUnchangedManagedIdentityPolicies_GeneratesNoChan`
`202`	`208`	`var oldState = new Database`
`203`	`209`	`{`
`204`	`210`	`Name = "TestDb",`
`205`		`- ManagedIdentityPolicies = new List<ManagedIdentityPolicy> { policy }`
	`211`	`+ Policies = new DatabasePolicies`
	`212`	`+ {`
	`213`	`+ ManagedIdentity = new List<ManagedIdentityPolicy> { policy }`
	`214`	`+ }`
`206`	`215`	`};`
`207`	`216`	`var newState = new Database`
`208`	`217`	`{`
`209`	`218`	`Name = "TestDb",`
`210`		`- ManagedIdentityPolicies = new List<ManagedIdentityPolicy>`
	`219`	`+ Policies = new DatabasePolicies`
`211`	`220`	`{`
`212`		`- new ManagedIdentityPolicy`
	`221`	`+ ManagedIdentity = new List<ManagedIdentityPolicy>`
`213`	`222`	`{`
`214`		`- ObjectId = "12345678-1234-1234-1234-123456789abc",`
`215`		`- AllowedUsages = new List<string> { "NativeIngestion" }`
	`223`	`+ new ManagedIdentityPolicy`
	`224`	`+ {`
	`225`	`+ ObjectId = "12345678-1234-1234-1234-123456789abc",`
	`226`	`+ AllowedUsages = new List<string> { "NativeIngestion" }`
	`227`	`+ }`
`216`	`228`	`}`
`217`	`229`	`}`
`218`	`230`	`};`
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ public class Database`
`37`	`37`
`38`	`38`	`public Dictionary<string, FollowerDatabase> Followers { get; set; } = new Dictionary<string, FollowerDatabase>();`
`39`	`39`
`40`		`- public List<ManagedIdentityPolicy> ManagedIdentityPolicies { get; set; } = new List<ManagedIdentityPolicy>();`
	`40`	`+ public DatabasePolicies Policies { get; set; } = new DatabasePolicies();`
`41`	`41`
`42`	`42`	`public string EscapedName => Name.BracketIfIdentifier();`
`43`	`43`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,9 @@ public async Task Load(Database database, string databaseName, KustoClient kusto`
`17`	`17`	`{`
`18`	`18`	`var response = await kusto.Client.ExecuteQueryAsync(databaseName, script, new ClientRequestProperties());`
`19`	`19`	`var rows = response.As<ManagedIdentityRow>();`
`20`		`- database.ManagedIdentityPolicies = rows`
	`20`	`+ if (database.Policies == null)`
	`21`	`+ database.Policies = new DatabasePolicies();`
	`22`	`+ database.Policies.ManagedIdentity = rows`
`21`	`23`	`.Select(r => new ManagedIdentityPolicy`
`22`	`24`	`{`
`23`	`25`	`ObjectId = r.ObjectId,`