Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for disabling policy enforcement for policy sets assignments #120

Merged
merged 9 commits into from
Dec 11, 2021
Merged

Support for disabling policy enforcement for policy sets assignments #120

merged 9 commits into from
Dec 11, 2021

Conversation

SenthuranSivananthan
Copy link
Contributor

@SenthuranSivananthan SenthuranSivananthan commented Dec 10, 2021
edited
Loading

Overview/Summary

Based on guidance from CAF - Adopting policy driven guardrails, we should allow for policy set assignments to have enforcement mode turned on (enabled/default) or off (disabled/DoNotEnforce).

This flexibility will allow departments to adopt policy guardrails with limited change in their environment through Policies until they are ready for automation.

Implementation adds a new enforcementMode parameter to each policy set assignment deployment. This parameter's default value is Default which translates to enabled. The possible values for this parameter are Default (means Enabled) or DoNotEnforce (means Disabled).

This change should be configurable per policy set assignment and affects built-in and custom policy sets.

This PR fixes/adds/changes/removes

Fixes #119

Breaking Changes

None

Testing Evidence

When enforcementMode = Default - Passed

image

When enfocementMode = DoNotEnforce - Passed

image

Custom Policy - Tags - the policy has Deny rules and policy set assignment enforcementMode = DoNotEnforce. Expect that the resource groups (RGs) can be created without the required tags. The policy will mark the RG as non-compliant, but will not block the creation of RGs.

  1. Tag policy assignment configuration

image

  1. RG created without any tags
    image

  2. Policy marks RG as non-compliant

image

As part of this Pull Request I have

  • Checked for duplicate Pull Requests
  • Associated it with relevant GitHub Issues
  • Ensured my code/branch is up-to-date with the latest changes in the main branch
  • Performed testing and provided evidence.
  • Updated relevant and associated documentation.

@SenthuranSivananthan SenthuranSivananthan marked this pull request as ready for review December 10, 2021 15:47
hudua
hudua approved these changes Dec 11, 2021
View reviewed changes
Copy link
Contributor

@hudua hudua left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Edits look good! Verified that all built-in policy assignments and custom assignments had enforcement mode as configurable.

@hudua hudua merged commit c6931b4 into Azure:main Dec 11, 2021
@CalvinRodo CalvinRodo mentioned this pull request Dec 13, 2021
Merged
@SenthuranSivananthan SenthuranSivananthan deleted the policyset-enforcementmode branch December 14, 2021 13:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hudua hudua hudua approved these changes

@skeeler skeeler Awaiting requested review from skeeler skeeler is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support for disabling policy enforcement for policy sets assignments
2 participants
@SenthuranSivananthan @hudua