From cb772adef2b8f71910d6201501da05441f01c425 Mon Sep 17 00:00:00 2001
From: Dominic Ayre
Date: Fri, 19 Sep 2025 15:36:25 +0000
Subject: [PATCH 1/4] Fix bug with --exclude-default-fragments

---
 src/confcom/azext_confcom/security_policy.py | 10 +++++-----
 .../tests/latest/test_confcom_acipolicygen_arm.py | 1 -
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py
index 8ab29f52032..d8d8a6615bd 100644
--- a/src/confcom/azext_confcom/security_policy.py
+++ b/src/confcom/azext_confcom/security_policy.py
@@ -675,13 +675,13 @@ def load_policy_from_arm_template_str(
 containers = []
 existing_containers = None
 fragments = None
- exclude_default_fragments = False
+ exclude_default_fragments_this_group = exclude_default_fragments
 tags = case_insensitive_dict_get(resource, config.ACI_FIELD_TEMPLATE_TAGS)
 if tags:
- exclude_default_fragments = case_insensitive_dict_get(tags, config.ACI_FIELD_TEMPLATE_ZERO_SIDECAR)
- if isinstance(exclude_default_fragments, str):
- exclude_default_fragments = exclude_default_fragments.lower() == "true"
+ exclude_default_fragments_this_group = case_insensitive_dict_get(tags, config.ACI_FIELD_TEMPLATE_ZERO_SIDECAR)
+ if isinstance(exclude_default_fragments_this_group, str):
+ exclude_default_fragments_this_group = exclude_default_fragments_this_group.lower() == "true"
 container_group_properties = case_insensitive_dict_get(
 resource, config.ACI_FIELD_TEMPLATE_PROPERTIES
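Review bot: Inside the `if tags:` block on the new side, `exclude_default_fragments_this_group` is unconditionally overwritten with the result of `case_insensitive_dict_get(tags, config.ACI_FIELD_TEMPLATE_ZERO_SIDECAR)`, so if that helper returns `None` for a missing key (as a `dict.get`-style lookup would) any container group carrying unrelated tags silently loses the `--exclude-default-fragments` value passed in by the caller, which is the flag this commit sets out to fix. I would only let the tag take precedence when it is actually present: `tag_value = case_insensitive_dict_get(tags, config.ACI_FIELD_TEMPLATE_ZERO_SIDECAR)` followed by `if tag_value is not None:` around the existing assignment and the `.lower() == "true"` normalisation. The same pattern survives, apart from the line wrap and the rename to `group_exclude_default_fragments`, in the first hunk of PATCH 2/4 and the first hunk of PATCH 4/4. Note also that a template tag of `"false"` can now re-enable the default fragments even when the CLI flag asked to exclude them; if that precedence is intended, a one-line comment such as `# a per-group zero-sidecar tag overrides the CLI flag in either direction` would make it explicit. `load_policy_from_arm_template_str` starts and ends outside this hunk.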
@@ -725,7 +725,7 @@ def load_policy_from_arm_template_str(
 # In non-diff mode, we ignore the error and proceed without the policy
 existing_containers, fragments = ([], [])
- rego_fragments = copy.deepcopy(config.DEFAULT_REGO_FRAGMENTS) if not exclude_default_fragments else []
+ rego_fragments = copy.deepcopy(config.DEFAULT_REGO_FRAGMENTS) if not exclude_default_fragments_this_group else []
 if infrastructure_svn:
 # assumes the first DEFAULT_REGO_FRAGMENT is always the
 # infrastructure fragment
diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen_arm.py b/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen_arm.py
index a1959228c96..3bd551fa1d2 100644
--- a/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen_arm.py
+++ b/src/confcom/azext_confcom/tests/latest/test_confcom_acipolicygen_arm.py
@@ -44,7 +44,6 @@ def test_acipolicygen(sample_directory, generated_policy_path):
 for failing_sample_directory, failing_generated_policy_path in [
 ("multi_container_groups", "policy_fragment.rego"), # TODO: https://github.com/Azure/azure-cli-extensions/issues/9229
- (None, "policy_exclude_default_fragment.rego"), # TODO: https://github.com/Azure/azure-cli-extensions/issues/9198
 ]:
 if (
 failing_sample_directory in (None, sample_directory)

From 8c9db4a6e5fdb22642e0df8b7992773742c3237f Mon Sep 17 00:00:00 2001
From: Dominic Ayre
Date: Fri, 19 Sep 2025 18:08:00 +0000
Subject: [PATCH 2/4] Satisfy azdev style

---
 src/confcom/azext_confcom/security_policy.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py
index d8d8a6615bd..7fa056a3b31 100644
--- a/src/confcom/azext_confcom/security_policy.py
+++ b/src/confcom/azext_confcom/security_policy.py
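Review bot: Now that the per-group flag can make `rego_fragments` an empty list, the `if infrastructure_svn:` branch immediately below the changed line (its body lies outside the hunk) still rests on the comment's assumption that the first element is the infrastructure fragment; if it indexes `rego_fragments[0]`, combining `--exclude-default-fragments` with an infrastructure SVN would fail with an `IndexError` rather than a clear message. Silently skipping the branch would drop the minimum SVN the user explicitly asked for, so I would reject the combination up front, e.g. `if infrastructure_svn and not rego_fragments: raise ValueError("infrastructure SVN cannot be applied when default fragments are excluded")`, rather than guarding with `and rego_fragments`. PATCH 2/4 only rewraps this expression and PATCH 4/4 only renames the variable, so the same point applies to their second hunks. `load_policy_from_arm_template_str` continues on both sides of this hunk.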
@@ -679,7 +679,8 @@ def load_policy_from_arm_template_str(
 tags = case_insensitive_dict_get(resource, config.ACI_FIELD_TEMPLATE_TAGS)
 if tags:
- exclude_default_fragments_this_group = case_insensitive_dict_get(tags, config.ACI_FIELD_TEMPLATE_ZERO_SIDECAR)
+ exclude_default_fragments_this_group = \
+ case_insensitive_dict_get(tags, config.ACI_FIELD_TEMPLATE_ZERO_SIDECAR)
 if isinstance(exclude_default_fragments_this_group, str):
 exclude_default_fragments_this_group = exclude_default_fragments_this_group.lower() == "true"
@@ -725,7 +726,10 @@ def load_policy_from_arm_template_str(
 # In non-diff mode, we ignore the error and proceed without the policy
 existing_containers, fragments = ([], [])
- rego_fragments = copy.deepcopy(config.DEFAULT_REGO_FRAGMENTS) if not exclude_default_fragments_this_group else []
+ rego_fragments = (
+ copy.deepcopy(config.DEFAULT_REGO_FRAGMENTS)
+ if not exclude_default_fragments_this_group else []
+ )
 if infrastructure_svn:
 # assumes the first DEFAULT_REGO_FRAGMENT is always the
 # infrastructure fragment

From 643a621db6ae9a1237ca6891783e14bf60477588 Mon Sep 17 00:00:00 2001
From: Dominic Ayre
Date: Fri, 19 Sep 2025 18:09:15 +0000
Subject: [PATCH 3/4] Bump the version

---
 src/confcom/HISTORY.rst | 4 ++++
 src/confcom/setup.py | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/confcom/HISTORY.rst b/src/confcom/HISTORY.rst
index e813e3ad208..deb0c6ea43e 100644
--- a/src/confcom/HISTORY.rst
+++ b/src/confcom/HISTORY.rst
@@ -3,6 +3,10 @@ Release History
 ===============
+1.2.9
+++++++
+* bugfix for --exclude-default-fragments flag not working as intended
 1.2.8
 ++++++
 * Made the default minimum SVN of the infrastructure fragment 4
diff --git a/src/confcom/setup.py b/src/confcom/setup.py
index 954d44b1874..617300d45d0 100644
--- a/src/confcom/setup.py
+++ b/src/confcom/setup.py
@@ -19,7 +19,7 @@
 logger.warn("Wheel is not available, disabling bdist_wheel hook")
-VERSION = "1.2.8"
+VERSION = "1.2.9"
 # The full list of classifiers is available at
 # https://pypi.python.org/pypi?%3Aaction=list_classifiers

From 45b57f56b24f8826cda93041a885597cb3269a79 Mon Sep 17 00:00:00 2001
From: Dominic Ayre
Date: Fri, 17 Oct 2025 14:02:07 +0000
Subject: [PATCH 4/4] retrigger CI

---
 src/confcom/azext_confcom/security_policy.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py
index ef594bd71cb..c6eb55e8237 100644
--- a/src/confcom/azext_confcom/security_policy.py
+++ b/src/confcom/azext_confcom/security_policy.py
@@ -675,14 +675,14 @@ def load_policy_from_arm_template_str(
 containers = []
 existing_containers = None
 fragments = None
- exclude_default_fragments_this_group = exclude_default_fragments
+ group_exclude_default_fragments = exclude_default_fragments
 tags = case_insensitive_dict_get(resource, config.ACI_FIELD_TEMPLATE_TAGS)
 if tags:
- exclude_default_fragments_this_group = \
+ group_exclude_default_fragments = \
 case_insensitive_dict_get(tags, config.ACI_FIELD_TEMPLATE_ZERO_SIDECAR)
- if isinstance(exclude_default_fragments_this_group, str):
- exclude_default_fragments_this_group = exclude_default_fragments_this_group.lower() == "true"
+ if isinstance(group_exclude_default_fragments, str):
+ group_exclude_default_fragments = group_exclude_default_fragments.lower() == "true"
 container_group_properties = case_insensitive_dict_get(
 resource, config.ACI_FIELD_TEMPLATE_PROPERTIES
@@ -723,7 +723,7 @@ def load_policy_from_arm_template_str(
 rego_fragments = (
 copy.deepcopy(config.DEFAULT_REGO_FRAGMENTS)
- if not exclude_default_fragments_this_group else []
+ if not group_exclude_default_fragments else []
 )
 if infrastructure_svn:
 # assumes the first DEFAULT_REGO_FRAGMENT is always the