2.9.0 (#100)

duplicate_members, replacement triggers, non_compliance_messages

modules/definition/TEMPLATE.md → .config/templ-definition.md

@@ -53,7 +53,22 @@ module "file_path_test" {
 }
 ```
 
+Loop around a folders contents to create multiple definitions:
+
+```hcl
+module "iam_test" {
+  source = "gettek/policy-as-code/azurerm//modules/definition"
+  for_each = {
+    for p in fileset(path.module, "../../azure/governance/policies/Storage/*.json") :
+    trimsuffix(basename(p), ".json") => pathexpand(p)
+  }
+  file_path           = each.value
+  management_group_id = data.azurerm_management_group.org.id
+}
+```
+
 You will also be able to supply object properties at runtime such as:
+
 ```hcl
 locals {
   policy_file = jsondecode(file("onboard_to_automation_dsc_linux.json"))

modules/initiative/TEMPLATE.md → .config/templ-initiative.md

@@ -4,10 +4,19 @@ Dynamically creates a policy set based on multiple custom or built-in policy def
 
 > ⚠️ **Warning:** To simplify assignments, if any `member_definitions` contain the same parameter names they will be [merged](https://www.terraform.io/language/functions/merge) unless you specify `merge_effects = false` or `merge_parameters = false` as described in the second example below.
 
-> 💡 **Note:** Multiple entries of the same `member_definitions` are not currently supported, if you require the same definition to be present more than once you may use this module to create the initiative json which you can then edit to add unique parameter and definition references. Some examples can be found in discussion [#67](https://github.com/gettek/terraform-azurerm-policy-as-code/discussions/67)
-
 ## Examples
 
+
+### Create an Initiative with a duplicate member definitions
+
+In many cases, some initiatives such as those for tagging, may need to reuse the same definition multiple times but with different parameters to simplify assignments.
+
+Please see [duplicate_members.tf](../../examples/duplicate_members.tf) as en example use case.
+
+> 💡 **Note:** you must set `duplicate_members=true` and `merge_parameters=false` when building initiatives with duplicate members.
+> 💡 **Note:** Be cautious when changing the position of `member_definitions` as these reflect the index numbers used in `assignment_parameters`.
+
+
 ### Create an Initiative with custom Policy definitions
 
 ```hcl
@@ -63,7 +72,7 @@ output "list_of_initiative_parameters" {
 }
 ```
 
-### Populate member_definitions with a for loop (not explicit)
+### Populate member_definitions with a for loop
 
 ```hcl
 locals {

modules/set_assignment/TEMPLATE.md → .config/templ-set_assignment.md

@@ -36,11 +36,9 @@ module org_mg_configure_asc_initiative {
     data.azurerm_management_group.team_a.id
   ]
 
-  # optional non-compliance messages. Key/Value pairs map as policy_definition_reference_id = 'content'
-  non_compliance_messages = {
-    null                    = "The Default non-compliance message for all member definitions"
-    AutoEnrollSubscriptions = "The non-compliance message for the auto_enroll_subscriptions definition"
-  }
+  # use the 'non_compliance_messages' output from the initiative module to use auto generated messages based off policy properties: descriptions/display names/custom ones found in metadata
+  # override with your own Key/Value pairs map as 'policy_definition_reference_id = content', use null = 'content' to specify the Default non-compliance message for all member definitions.
+  non_compliance_messages = module.configure_asc_initiative.non_compliance_messages
 
   # optional overrides (preview)
   overrides = [

.config/terraform-docs.yml

@@ -0,0 +1,28 @@
+---
+formatter: "markdown"
+
+settings:
+  anchor: false
+  lockfile: false
+  escape: false
+  hide-empty: true
+
+output:
+  file: "README.md"
+
+sections:
+  hide: [providers]
+
+content: |-
+  {{ .Header }}
+
+  {{ .Requirements }}
+
+  {{ .Modules }}
+
+  {{ .Resources }}
+
+  {{ .Inputs }}
+
+  {{ .Outputs }}
+...

.github/workflows/cd.yml

@@ -12,6 +12,7 @@ jobs:
     env:
       TF_IN_AUTOMATION: true
       TF_INPUT: false
+      TF_CLI_ARGS_init: "-backend-config=storage_account_name=${{ secrets.STORAGE_NAME }} -backend-config=resource_group_name=cgc-cd -backend-config=container_name=tfstate -backend-config=key=policy.tfstate"
       TF_CLI_ARGS_apply: "-auto-approve -parallelism=30"
       ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
       ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
@@ -22,7 +23,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: hashicorp/setup-terraform@v2
         with:
-          terraform_version: ~1.3.0
+          terraform_version: ~1.4.0
 
       - name: Terraform Init
         id: init
@@ -34,25 +35,3 @@ jobs:
         if: ${{ success() }}
         run: terraform apply
         working-directory: examples
-
-      - name: Azure Login
-        uses: azure/login@v1
-        if: ${{ failure() }} || ${{ success() }}
-        with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
-          enable-AzPSSession: true
-
-      # Used by GitHub Workflows to clean deployed resources quicker than tf destroy
-      # Quicker during CD as remediation tasks must be in a terminal provisioning state (Succeeded, Canceled, Failed) before they can be deleted.
-      - name: Clean Resources with PowerShell
-        id: destroy
-        uses: azure/powershell@v1
-        if: ${{ failure() }} || ${{ success() }}
-        with:
-          azPSVersion: "latest"
-          inlineScript: |
-            Get-AzPolicyAssignment -Scope "/providers/Microsoft.Management/managementgroups/team_a" | Remove-AzPolicyAssignment -Verbose
-            Get-AzPolicyAssignment -Scope "/providers/Microsoft.Management/managementgroups/policy_dev" | Remove-AzPolicyAssignment -Verbose
-            Get-AzPolicySetDefinition -ManagementGroupName "policy_dev" -Custom | Remove-AzPolicySetDefinition -Force -Verbose
-            Get-AzPolicyDefinition -ManagementGroupName "policy_dev" -Custom | Remove-AzPolicyDefinition -Force -Verbose
-            Remove-AzPolicyExemption -Name "Subscription Diagnostic Settings Exemption" -Scope ("/subscriptions/" + (Get-AzContext).Subscription.Id) -Force -Verbose -ErrorAction SilentlyContinue

.github/workflows/ci.yml

@@ -11,6 +11,7 @@ jobs:
       TF_IN_AUTOMATION: true
       TF_INPUT: false
       TF_WORKING_DIR: examples
+      TF_CLI_ARGS_init: "-backend-config=storage_account_name=${{ secrets.STORAGE_NAME }} -backend-config=resource_group_name=cgc-cd -backend-config=container_name=tfstate -backend-config=key=policy.tfstate"
       ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
       ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
       ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
@@ -20,7 +21,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: hashicorp/setup-terraform@v2
         with:
-          terraform_version: ~1.3.0
+          terraform_version: ~1.4.0
 
       - name: Terraform Format
         id: fmt

README.md

@@ -153,7 +153,7 @@ module org_mg_platform_diagnostics_initiative {
     workspaceId                 = data.azurerm_log_analytics_workspace.workspace.id
     storageAccountId            = data.azurerm_storage_account.sa.id
     eventHubName                = data.azurerm_eventhub_namespace.ehn.name
-    eventHubAuthorizationRuleId = data.azurerm_eventhub_namespace_authorization_rule.ehnar.id
+    eventHubAuthorizationRuleId = data.azurerm_eventhub_namespace_authorization_rule.ehr.id
     metricsEnabled              = "True"
     logsEnabled                 = "True"
   }
@@ -259,7 +259,7 @@ To trigger an on-demand [compliance scan](https://learn.microsoft.com/en-us/azur
 
 ## Limitations
 
-- `DefinitionName` and `InitiativeName` has a maximum length of **64** characters
+- `DefinitionName` and `InitiativeName` have a maximum length of **64** characters
 - `AssignmentName` has maximum length of **24** characters at Management Group Scope and **64** characters at all other Scopes
 - `DisplayName` has a maximum length of **128** characters and `description` a maximum length of **512** characters
 - There's a [maximum count](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-policy-limits) for each object type for Azure Policy. For definitions, an entry of Scope means the management group or subscription. For assignments and exemptions, an entry of Scope means the management group, subscription, resource group, or individual resource:

examples-machine-config/README.md

@@ -1,3 +1,4 @@
+<!-- BEGIN_TF_DOCS -->
 # Azure Policy Machine Configuration for Virtual Machines
 
 [![cd-machine-config](https://github.com/gettek/terraform-azurerm-policy-as-code/actions/workflows/cd-guest-config.yml/badge.svg)](https://github.com/gettek/terraform-azurerm-policy-as-code/actions/workflows/cd-guest-config.yml)
@@ -31,28 +32,20 @@ Definitions will stored in the local repo library under [Guest Configuration](..
 - 📙 [DSC GitHub Community](https://github.com/dsccommunity)
 - 📙 [Terraform Provider: azurerm_policy_virtual_machine_configuration_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_virtual_machine_configuration_assignment)
 
-
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >=3.49.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.53.0 |
-| <a name="provider_null"></a> [null](#provider\_null) | 3.2.1 |
+| azurerm | >=3.49.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_custom_guest_configs"></a> [custom\_guest\_configs](#module\_custom\_guest\_configs) | ..//modules/definition | n/a |
-| <a name="module_custom_guest_configs_initiative"></a> [custom\_guest\_configs\_initiative](#module\_custom\_guest\_configs\_initiative) | ..//modules/initiative | n/a |
-| <a name="module_team_a_mg_guest_config_prereqs_initiative"></a> [team\_a\_mg\_guest\_config\_prereqs\_initiative](#module\_team\_a\_mg\_guest\_config\_prereqs\_initiative) | ..//modules/set_assignment | n/a |
-| <a name="module_team_a_mg_vm_custom_guest_configs"></a> [team\_a\_mg\_vm\_custom\_guest\_configs](#module\_team\_a\_mg\_vm\_custom\_guest\_configs) | ..//modules/set_assignment | n/a |
+| custom_guest_configs | ..//modules/definition | n/a |
+| custom_guest_configs_initiative | ..//modules/initiative | n/a |
+| team_a_mg_guest_config_prereqs_initiative | ..//modules/set_assignment | n/a |
+| team_a_mg_vm_custom_guest_configs | ..//modules/set_assignment | n/a |
 
 ## Resources
 
@@ -70,10 +63,9 @@ Definitions will stored in the local repo library under [Guest Configuration](..
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_re_evaluate_compliance"></a> [re\_evaluate\_compliance](#input\_re\_evaluate\_compliance) | Should the module re-evaluate compliant resources for policies that DeployIfNotExists and Modify | `bool` | `false` | no |
-| <a name="input_skip_remediation"></a> [skip\_remediation](#input\_skip\_remediation) | Skip creation of all remediation tasks for policies that DeployIfNotExists and Modify | `bool` | `true` | no |
-| <a name="input_skip_role_assignment"></a> [skip\_role\_assignment](#input\_skip\_role\_assignment) | Should the module skip creation of role assignment for policies that DeployIfNotExists and Modify | `bool` | `false` | no |
+| re_evaluate_compliance | Should the module re-evaluate compliant resources for policies that DeployIfNotExists and Modify | `bool` | `false` | no |
+| skip_remediation | Skip creation of all remediation tasks for policies that DeployIfNotExists and Modify | `bool` | `true` | no |
+| skip_role_assignment | Should the module skip creation of role assignment for policies that DeployIfNotExists and Modify | `bool` | `false` | no |
 
-## Outputs
 
-No outputs.
+<!-- END_TF_DOCS -->

examples/README.md

@@ -1,47 +1,45 @@
+<!-- BEGIN_TF_DOCS -->
 # Azure Policy Deployments
 
 This examples folder demonstrates an effective deployment of Azure Policy Definitions and Assignments. The order of execution is generally from `definitions.tf` -> `initiatives.tf` -> `assignments_<scope>.tf` -> `exemptions.tf`
 
 > 💡 **Note:** `built-in.tf` demonstrates how to assign Built-In definitions.
 
-
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >=3.49.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.53.0 |
+| terraform | >= 1.4 |
+| azurerm | >=3.49.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_configure_asc"></a> [configure\_asc](#module\_configure\_asc) | ..//modules/definition | n/a |
-| <a name="module_configure_asc_initiative"></a> [configure\_asc\_initiative](#module\_configure\_asc\_initiative) | ..//modules/initiative | n/a |
-| <a name="module_deny_nic_public_ip"></a> [deny\_nic\_public\_ip](#module\_deny\_nic\_public\_ip) | ..//modules/definition | n/a |
-| <a name="module_deny_resource_types"></a> [deny\_resource\_types](#module\_deny\_resource\_types) | ..//modules/definition | n/a |
-| <a name="module_deploy_resource_diagnostic_setting"></a> [deploy\_resource\_diagnostic\_setting](#module\_deploy\_resource\_diagnostic\_setting) | ..//modules/definition | n/a |
-| <a name="module_exemption_subscription_diagnostics_settings"></a> [exemption\_subscription\_diagnostics\_settings](#module\_exemption\_subscription\_diagnostics\_settings) | ..//modules/exemption | n/a |
-| <a name="module_inherit_resource_group_tags_modify"></a> [inherit\_resource\_group\_tags\_modify](#module\_inherit\_resource\_group\_tags\_modify) | ..//modules/definition | n/a |
-| <a name="module_org_mg_configure_asc_initiative"></a> [org\_mg\_configure\_asc\_initiative](#module\_org\_mg\_configure\_asc\_initiative) | ..//modules/set_assignment | n/a |
-| <a name="module_org_mg_configure_az_monitor_and_security_vm_initiative"></a> [org\_mg\_configure\_az\_monitor\_and\_security\_vm\_initiative](#module\_org\_mg\_configure\_az\_monitor\_and\_security\_vm\_initiative) | ..//modules/set_assignment | n/a |
-| <a name="module_org_mg_platform_diagnostics_initiative"></a> [org\_mg\_platform\_diagnostics\_initiative](#module\_org\_mg\_platform\_diagnostics\_initiative) | ..//modules/set_assignment | n/a |
-| <a name="module_org_mg_storage_enforce_https"></a> [org\_mg\_storage\_enforce\_https](#module\_org\_mg\_storage\_enforce\_https) | ..//modules/def_assignment | n/a |
-| <a name="module_org_mg_storage_enforce_minimum_tls1_2"></a> [org\_mg\_storage\_enforce\_minimum\_tls1\_2](#module\_org\_mg\_storage\_enforce\_minimum\_tls1\_2) | ..//modules/def_assignment | n/a |
-| <a name="module_org_mg_whitelist_regions"></a> [org\_mg\_whitelist\_regions](#module\_org\_mg\_whitelist\_regions) | ..//modules/def_assignment | n/a |
-| <a name="module_parameterised_test"></a> [parameterised\_test](#module\_parameterised\_test) | ..//modules/definition | n/a |
-| <a name="module_platform_diagnostics_initiative"></a> [platform\_diagnostics\_initiative](#module\_platform\_diagnostics\_initiative) | ..//modules/initiative | n/a |
-| <a name="module_storage_enforce_https"></a> [storage\_enforce\_https](#module\_storage\_enforce\_https) | ..//modules/definition | n/a |
-| <a name="module_storage_enforce_minimum_tls1_2"></a> [storage\_enforce\_minimum\_tls1\_2](#module\_storage\_enforce\_minimum\_tls1\_2) | ..//modules/definition | n/a |
-| <a name="module_team_a_mg_deny_nic_public_ip"></a> [team\_a\_mg\_deny\_nic\_public\_ip](#module\_team\_a\_mg\_deny\_nic\_public\_ip) | ..//modules/def_assignment | n/a |
-| <a name="module_team_a_mg_deny_resource_types"></a> [team\_a\_mg\_deny\_resource\_types](#module\_team\_a\_mg\_deny\_resource\_types) | ..//modules/def_assignment | n/a |
-| <a name="module_team_a_mg_inherit_resource_group_tags_modify"></a> [team\_a\_mg\_inherit\_resource\_group\_tags\_modify](#module\_team\_a\_mg\_inherit\_resource\_group\_tags\_modify) | ..//modules/def_assignment | n/a |
-| <a name="module_whitelist_regions"></a> [whitelist\_regions](#module\_whitelist\_regions) | ..//modules/definition | n/a |
+| configure_asc | ..//modules/definition | n/a |
+| configure_asc_initiative | ..//modules/initiative | n/a |
+| deny_nic_public_ip | ..//modules/definition | n/a |
+| deny_resource_types | ..//modules/definition | n/a |
+| deploy_resource_diagnostic_setting | ..//modules/definition | n/a |
+| exemption_subscription_diagnostics_settings | ..//modules/exemption | n/a |
+| file_path_test | ..//modules/definition | n/a |
+| inherit_resource_group_tags_modify | ..//modules/definition | n/a |
+| org_mg_configure_asc_initiative | ..//modules/set_assignment | n/a |
+| org_mg_configure_az_monitor_and_security_vm_initiative | ..//modules/set_assignment | n/a |
+| org_mg_platform_diagnostics_initiative | ..//modules/set_assignment | n/a |
+| org_mg_storage_enforce_https | ..//modules/def_assignment | n/a |
+| org_mg_storage_enforce_minimum_tls1_2 | ..//modules/def_assignment | n/a |
+| org_mg_whitelist_regions | ..//modules/def_assignment | n/a |
+| parameterised_test | ..//modules/definition | n/a |
+| platform_diagnostics_initiative | ..//modules/initiative | n/a |
+| require_resource_group_tags | ..//modules/definition | n/a |
+| resource_group_tags | ..//modules/initiative | n/a |
+| storage_enforce_https | ..//modules/definition | n/a |
+| storage_enforce_minimum_tls1_2 | ..//modules/definition | n/a |
+| team_a_mg_deny_nic_public_ip | ..//modules/def_assignment | n/a |
+| team_a_mg_deny_resource_types | ..//modules/def_assignment | n/a |
+| team_a_mg_resource_group_tags | ..//modules/set_assignment | n/a |
+| whitelist_regions | ..//modules/definition | n/a |
 
 ## Resources
 
@@ -60,10 +58,9 @@ This examples folder demonstrates an effective deployment of Azure Policy Defini
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_re_evaluate_compliance"></a> [re\_evaluate\_compliance](#input\_re\_evaluate\_compliance) | Should the module re-evaluate compliant resources for policies that DeployIfNotExists and Modify | `bool` | `false` | no |
-| <a name="input_skip_remediation"></a> [skip\_remediation](#input\_skip\_remediation) | Skip creation of all remediation tasks for policies that DeployIfNotExists and Modify | `bool` | `false` | no |
-| <a name="input_skip_role_assignment"></a> [skip\_role\_assignment](#input\_skip\_role\_assignment) | Should the module skip creation of role assignment for policies that DeployIfNotExists and Modify | `bool` | `false` | no |
+| re_evaluate_compliance | Should the module re-evaluate compliant resources for policies that DeployIfNotExists and Modify | `bool` | `false` | no |
+| skip_remediation | Skip creation of all remediation tasks for policies that DeployIfNotExists and Modify | `bool` | `false` | no |
+| skip_role_assignment | Should the module skip creation of role assignment for policies that DeployIfNotExists and Modify | `bool` | `false` | no |
 
-## Outputs
 
-No outputs.
+<!-- END_TF_DOCS -->