Stop remediation happening on policies where the assignment_enforceme…

…nt_mode is set to false. (#72) Co-authored-by: Paul Matthews <[email protected]>
gettek · Apr 21, 2023 · a4dd521 · a4dd521
1 parent c8506c4
commit a4dd521
Show file tree

Hide file tree

Showing 16 changed files with 36 additions and 30 deletions.
diff --git a/examples-machine-config/README.md b/examples-machine-config/README.md
@@ -42,7 +42,7 @@ Definitions will stored in the local repo library under [Guest Configuration](..
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.50.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.53.0 |
 | <a name="provider_null"></a> [null](#provider\_null) | 3.2.1 |
 
 ## Modules

diff --git a/examples-machine-config/data.tf b/examples-machine-config/data.tf
@@ -25,5 +25,5 @@ data "azurerm_storage_container" "guest_config_container" {
 #      [GA]: 12794019-7a00-42cf-95c2-882eed337cc8 "Deploy prerequisites to enable Guest Configuration policies on virtual machines" (SystemAssigned)
 # [Preview]: 2b0ce52e-301c-4221-ab38-1601e2b4cee3 "[Preview]: Deploy prerequisites to enable Guest Configuration policies on virtual machines using user-assigned managed identity" (UserAssigned)
 data "azurerm_policy_set_definition" "deploy_guest_config_prereqs_initiative" {
-  display_name = "Deploy prerequisites to enable Guest Configuration policies on virtual machines"
+  name = "12794019-7a00-42cf-95c2-882eed337cc8" #"Deploy prerequisites to enable Guest Configuration policies on virtual machines"
 }
diff --git a/examples/README.md b/examples/README.md
@@ -15,7 +15,7 @@ This examples folder demonstrates an effective deployment of Azure Policy Defini
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.50.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.53.0 |
 
 ## Modules
 

diff --git a/examples/built-in.tf b/examples/built-in.tf
@@ -2,7 +2,7 @@
 # Built-In Initiative
 ##################
 data "azurerm_policy_set_definition" "configure_az_monitor_and_security_vm_initiative" {
-  display_name = "[Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines"
+  name = "a15f3269-2e10-458c-87a4-d5989e678a73" #"[Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines"
 }
 
 

diff --git a/modules/def_assignment/README.md b/modules/def_assignment/README.md
@@ -54,13 +54,14 @@ module team_a_mg_inherit_resource_group_tags_modify {
 ### Create a Built-In Policy Definition Assignment with Custom Non-Compliance Message
 
 ```hcl
-data azurerm_policy_definition deploy_law_on_linux_vms {
-  display_name = "Deploy Log Analytics extension for Linux VMs"
+# Should use name instead of display name, as Microsoft changes the display names.
+data azurerm_policy_definition_built_in deploy_law_on_linux_vms {
+  name =  "053d3325-282c-4e5c-b944-24faffd30d77" #"Deploy Log Analytics extension for Linux VMs"
 }
 
 module team_a_mg_inherit_resource_group_tags_modify {
   source            = "gettek/policy-as-code/azurerm//modules/def_assignment"
-  definition        = data.azurerm_policy_definition.deploy_law_on_linux_vms
+  definition        = data.azurerm_policy_definition_built_in.deploy_law_on_linux_vms
   assignment_scope  = data.azurerm_management_group.org.id
   skip_remediation  = var.skip_remediation
 
@@ -114,7 +115,7 @@ The example below demonstrates the acceptable format for this module:
 
 ```hcl
 module "org_mg_whitelist_regions" {
-  source            = "..//modules/def_assignment"
+  source            = "gettek/policy-as-code/azurerm//modules/def_assignment"
   definition        = module.whitelist_regions.definition
   assignment_scope  = data.azurerm_management_group.org.id
   assignment_effect = "Deny"
@@ -155,7 +156,7 @@ module "org_mg_whitelist_regions" {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.50.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.53.0 |
 
 ## Modules
 
@@ -211,4 +212,4 @@ No modules.
 | <a name="output_id"></a> [id](#output\_id) | The Policy Assignment Id |
 | <a name="output_identity_id"></a> [identity\_id](#output\_identity\_id) | The Managed Identity block containing Principal Id & Tenant Id of this Policy Assignment if type is SystemAssigned |
 | <a name="output_remediation_id"></a> [remediation\_id](#output\_remediation\_id) | The Id of the remediation task |
-| <a name="output_role_definition_ids"></a> [role\_definition\_ids](#output\_role\_definition\_ids) | The List of Role Defenition Ids assignable to the managed identity |
+| <a name="output_role_definition_ids"></a> [role\_definition\_ids](#output\_role\_definition\_ids) | The List of Role Definition Ids assignable to the managed identity |
diff --git a/modules/def_assignment/TEMPLATE.md b/modules/def_assignment/TEMPLATE.md
@@ -54,13 +54,14 @@ module team_a_mg_inherit_resource_group_tags_modify {
 ### Create a Built-In Policy Definition Assignment with Custom Non-Compliance Message
 
 ```hcl
-data azurerm_policy_definition deploy_law_on_linux_vms {
-  display_name = "Deploy Log Analytics extension for Linux VMs"
+# Should use name instead of display name, as Microsoft changes the display names.
+data azurerm_policy_definition_built_in deploy_law_on_linux_vms {
+  name =  "053d3325-282c-4e5c-b944-24faffd30d77" #"Deploy Log Analytics extension for Linux VMs"
 }
 
 module team_a_mg_inherit_resource_group_tags_modify {
   source            = "gettek/policy-as-code/azurerm//modules/def_assignment"
-  definition        = data.azurerm_policy_definition.deploy_law_on_linux_vms
+  definition        = data.azurerm_policy_definition_built_in.deploy_law_on_linux_vms
   assignment_scope  = data.azurerm_management_group.org.id
   skip_remediation  = var.skip_remediation
 
@@ -114,7 +115,7 @@ The example below demonstrates the acceptable format for this module:
 
 ```hcl
 module "org_mg_whitelist_regions" {
-  source            = "..//modules/def_assignment"
+  source            = "gettek/policy-as-code/azurerm//modules/def_assignment"
   definition        = module.whitelist_regions.definition
   assignment_scope  = data.azurerm_management_group.org.id
   assignment_effect = "Deny"

diff --git a/modules/def_assignment/outputs.tf b/modules/def_assignment/outputs.tf
@@ -14,6 +14,6 @@ output "remediation_id" {
 }
 
 output "role_definition_ids" {
-  description = "The List of Role Defenition Ids assignable to the managed identity"
+  description = "The List of Role Definition Ids assignable to the managed identity"
   value       = local.role_definition_ids
 }
diff --git a/modules/def_assignment/variables.tf b/modules/def_assignment/variables.tf
@@ -169,7 +169,7 @@ locals {
   role_assignment_scope = try(coalesce(var.role_assignment_scope, var.assignment_scope), "")
 
   # if creating role assignments also create a remediation task for policies with DeployIfNotExists and Modify effects
-  create_remediation = var.skip_remediation == false && length(local.identity_type) > 0 ? 1 : 0
+  create_remediation = var.assignment_enforcement_mode == true && var.skip_remediation == false && length(local.identity_type) > 0 ? 1 : 0
 
   # assignment location is required when identity is specified
   assignment_location = length(local.identity_type) > 0 ? var.assignment_location : null

diff --git a/modules/definition/README.md b/modules/definition/README.md
@@ -47,7 +47,7 @@ module "configure_asc" {
 
 ```hcl
 module "file_path_test" {
-  source              = "..//modules/definition"
+  source              = "gettek/policy-as-code/azurerm//modules/definition"
   file_path           = "../path/to/file/onboard_to_automation_dsc_linux.json"
   management_group_id = data.azurerm_management_group.org.id
 }
@@ -60,7 +60,7 @@ locals {
 }
 
 module "parameterised_test" {
-  source              = "..//modules/definition"
+  source              = "gettek/policy-as-code/azurerm//modules/definition"
   policy_name         = "Custom Name"
   display_name        = "Custom Display Name"
   policy_description  = "Custom Description"
@@ -86,7 +86,7 @@ module "parameterised_test" {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.50.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.53.0 |
 
 ## Modules
 

diff --git a/modules/definition/TEMPLATE.md b/modules/definition/TEMPLATE.md
@@ -47,7 +47,7 @@ module "configure_asc" {
 
 ```hcl
 module "file_path_test" {
-  source              = "..//modules/definition"
+  source              = "gettek/policy-as-code/azurerm//modules/definition"
   file_path           = "../path/to/file/onboard_to_automation_dsc_linux.json"
   management_group_id = data.azurerm_management_group.org.id
 }
@@ -60,7 +60,7 @@ locals {
 }
 
 module "parameterised_test" {
-  source              = "..//modules/definition"
+  source              = "gettek/policy-as-code/azurerm//modules/definition"
   policy_name         = "Custom Name"
   display_name        = "Custom Display Name"
   policy_description  = "Custom Description"

diff --git a/modules/exemption/README.md b/modules/exemption/README.md
@@ -115,7 +115,7 @@ module exemption_team_a_mg_key_vaults_require_purge_protection {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.50.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.53.0 |
 
 ## Modules
 

diff --git a/modules/initiative/README.md b/modules/initiative/README.md
@@ -105,7 +105,7 @@ module guest_config_prereqs_initiative {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.50.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.53.0 |
 
 ## Modules
 

diff --git a/modules/set_assignment/README.md b/modules/set_assignment/README.md
@@ -62,8 +62,9 @@ module org_mg_configure_asc_initiative {
 
 ### Built-In Policy Initiative Assignment
 ```hcl
+# Should use name instead of display name, as Microsoft changes the display names.
 data "azurerm_policy_set_definition" "cis_1_3_0" {
-  display_name = "CIS Microsoft Azure Foundations Benchmark v1.3.0"
+  name = "612b5213-9160-4969-8578-1518bd2a000c" #"CIS Microsoft Azure Foundations Benchmark v1.3.0"
 }
 
 module org_mg_cis_1_3_0_benchmark {
@@ -80,8 +81,9 @@ module org_mg_cis_1_3_0_benchmark {
 ### Built-In Policy Initiative Containing DINE/Modify Assignment
 
 ```hcl
+# Should use name instead of display name, as Microsoft changes the display names.
 data "azurerm_policy_set_definition" "configure_az_monitor_linux_vm_initiative" {
-  display_name = "Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule"
+  name = "118f04da-0375-44d1-84e3-0fd9e1849403" #"Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule"
 }
 
 data "azurerm_role_definition" "vm_contributor" {
@@ -117,7 +119,7 @@ module org_mg_configure_az_monitor_linux_vm_initiative {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.50.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.53.0 |
 
 ## Modules
 

diff --git a/modules/set_assignment/TEMPLATE.md b/modules/set_assignment/TEMPLATE.md
@@ -62,8 +62,9 @@ module org_mg_configure_asc_initiative {
 
 ### Built-In Policy Initiative Assignment
 ```hcl
+# Should use name instead of display name, as Microsoft changes the display names.
 data "azurerm_policy_set_definition" "cis_1_3_0" {
-  display_name = "CIS Microsoft Azure Foundations Benchmark v1.3.0"
+  name = "612b5213-9160-4969-8578-1518bd2a000c" #"CIS Microsoft Azure Foundations Benchmark v1.3.0"
 }
 
 module org_mg_cis_1_3_0_benchmark {
@@ -80,8 +81,9 @@ module org_mg_cis_1_3_0_benchmark {
 ### Built-In Policy Initiative Containing DINE/Modify Assignment
 
 ```hcl
+# Should use name instead of display name, as Microsoft changes the display names.
 data "azurerm_policy_set_definition" "configure_az_monitor_linux_vm_initiative" {
-  display_name = "Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule"
+  name = "118f04da-0375-44d1-84e3-0fd9e1849403" #"Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule"
 }
 
 data "azurerm_role_definition" "vm_contributor" {

diff --git a/modules/set_assignment/variables.tf b/modules/set_assignment/variables.tf
@@ -196,7 +196,7 @@ locals {
   })
 
   # retrieve definition references & create a remediation task for policies with DeployIfNotExists and Modify effects
-  definitions = var.skip_remediation == false && length(local.identity_type) > 0 ? try(var.initiative.policy_definition_reference, []) : []
+  definitions = var.assignment_enforcement_mode == true && var.skip_remediation == false && length(local.identity_type) > 0 ? try(var.initiative.policy_definition_reference, []) : []
   definition_reference = try({
     mg       = local.remediate.mg > 0 ? local.definitions : []
     sub      = local.remediate.sub > 0 ? local.definitions : []

diff --git a/policies/README.md b/policies/README.md
@@ -1,6 +1,6 @@
 
 # Custom Policy Definition Library
-Compile time: 04/05/2023 10:58:28 UTC
+Compile time: 04/21/2023 17:19:05 UTC
 Example custom definitions located in the local library
 
 ## Categories