From a4dd52163793ae6294b3df7eb45f87b317df1dd7 Mon Sep 17 00:00:00 2001 From: Paul Matthews Date: Fri, 21 Apr 2023 21:51:17 +0100 Subject: [PATCH] Stop remediation happening on policies where the assignment_enforcement_mode is set to false. (#72) Co-authored-by: Paul Matthews --- examples-machine-config/README.md | 2 +- examples-machine-config/data.tf | 2 +- examples/README.md | 2 +- examples/built-in.tf | 2 +- modules/def_assignment/README.md | 13 +++++++------ modules/def_assignment/TEMPLATE.md | 9 +++++---- modules/def_assignment/outputs.tf | 2 +- modules/def_assignment/variables.tf | 2 +- modules/definition/README.md | 6 +++--- modules/definition/TEMPLATE.md | 4 ++-- modules/exemption/README.md | 2 +- modules/initiative/README.md | 2 +- modules/set_assignment/README.md | 8 +++++--- modules/set_assignment/TEMPLATE.md | 6 ++++-- modules/set_assignment/variables.tf | 2 +- policies/README.md | 2 +- 16 files changed, 36 insertions(+), 30 deletions(-) diff --git a/examples-machine-config/README.md b/examples-machine-config/README.md index 23ce56d..72ae607 100644 --- a/examples-machine-config/README.md +++ b/examples-machine-config/README.md @@ -42,7 +42,7 @@ Definitions will stored in the local repo library under [Guest Configuration](.. | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | 3.50.0 | +| [azurerm](#provider\_azurerm) | 3.53.0 | | [null](#provider\_null) | 3.2.1 | ## Modules diff --git a/examples-machine-config/data.tf b/examples-machine-config/data.tf index 37b2319..15402cf 100644 --- a/examples-machine-config/data.tf +++ b/examples-machine-config/data.tf 
@@ -25,5 +25,5 @@ data "azurerm_storage_container" "guest_config_container" { # [GA]: 12794019-7a00-42cf-95c2-882eed337cc8 "Deploy prerequisites to enable Guest Configuration policies on virtual machines" (SystemAssigned) # [Preview]: 2b0ce52e-301c-4221-ab38-1601e2b4cee3 "[Preview]: Deploy prerequisites to enable Guest Configuration policies on virtual machines using user-assigned managed identity" (UserAssigned) data "azurerm_policy_set_definition" "deploy_guest_config_prereqs_initiative" { - display_name = "Deploy prerequisites to enable Guest Configuration policies on virtual machines" + name = "12794019-7a00-42cf-95c2-882eed337cc8" #"Deploy prerequisites to enable Guest Configuration policies on virtual machines" } diff --git a/examples/README.md b/examples/README.md index 4ad44c4..4fb31a5 100644 --- a/examples/README.md +++ b/examples/README.md @@ -15,7 +15,7 @@ This examples folder demonstrates an effective deployment of Azure Policy Defini | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | 3.50.0 | +| [azurerm](#provider\_azurerm) | 3.53.0 | ## Modules diff --git a/examples/built-in.tf b/examples/built-in.tf index c8b2653..2f99c1b 100644 --- a/examples/built-in.tf +++ b/examples/built-in.tf @@ -2,7 +2,7 @@ # Built-In Initiative ################## data "azurerm_policy_set_definition" "configure_az_monitor_and_security_vm_initiative" { - display_name = "[Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines" + name = "a15f3269-2e10-458c-87a4-d5989e678a73" #"[Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines" } diff --git a/modules/def_assignment/README.md b/modules/def_assignment/README.md index d1f108f..6314e62 100644 --- a/modules/def_assignment/README.md +++ b/modules/def_assignment/README.md 
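Review bot: The switch from `display_name` to the immutable `name` in `data "azurerm_policy_set_definition" "deploy_guest_config_prereqs_initiative"` carries no rationale in the .tf file itself, while the README/TEMPLATE hunks of this commit do; the trailing `#"Deploy prerequisites …"` comment only records the old display name. A why-comment above the block, `# Look up built-ins by name (GUID): display names are not stable, so a lookup by display_name can fail or could resolve to a different definition after a rename.`, keeps the reason next to the code that readers copy. The same applies to `configure_az_monitor_and_security_vm_initiative` in examples/built-in.tf on this line. In data.tf the two comment lines at the top of the hunk already pair both GUIDs with their display names, so the inline copy of the display name is redundant there.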
@@ -54,13 +54,14 @@ module team_a_mg_inherit_resource_group_tags_modify { ### Create a Built-In Policy Definition Assignment with Custom Non-Compliance Message ```hcl -data azurerm_policy_definition deploy_law_on_linux_vms { - display_name = "Deploy Log Analytics extension for Linux VMs" +# Should use name instead of display name, as Microsoft changes the display names. +data azurerm_policy_definition_built_in deploy_law_on_linux_vms { + name = "053d3325-282c-4e5c-b944-24faffd30d77" #"Deploy Log Analytics extension for Linux VMs" } module team_a_mg_inherit_resource_group_tags_modify { source = "gettek/policy-as-code/azurerm//modules/def_assignment" - definition = data.azurerm_policy_definition.deploy_law_on_linux_vms + definition = data.azurerm_policy_definition_built_in.deploy_law_on_linux_vms assignment_scope = data.azurerm_management_group.org.id skip_remediation = var.skip_remediation @@ -114,7 +115,7 @@ The example below demonstrates the acceptable format for this module: ```hcl module "org_mg_whitelist_regions" { - source = "..//modules/def_assignment" + source = "gettek/policy-as-code/azurerm//modules/def_assignment" definition = module.whitelist_regions.definition assignment_scope = data.azurerm_management_group.org.id assignment_effect = "Deny" @@ -155,7 +156,7 @@ module "org_mg_whitelist_regions" { | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | 3.50.0 | +| [azurerm](#provider\_azurerm) | 3.53.0 | ## Modules 
@@ -211,4 +212,4 @@ No modules. | [id](#output\_id) | The Policy Assignment Id | | [identity\_id](#output\_identity\_id) | The Managed Identity block containing Principal Id & Tenant Id of this Policy Assignment if type is SystemAssigned | | [remediation\_id](#output\_remediation\_id) | The Id of the remediation task | -| [role\_definition\_ids](#output\_role\_definition\_ids) | The List of Role Defenition Ids assignable to the managed identity | +| [role\_definition\_ids](#output\_role\_definition\_ids) | The List of Role Definition Ids assignable to the managed identity | diff --git a/modules/def_assignment/TEMPLATE.md b/modules/def_assignment/TEMPLATE.md index 1ee11de..d838679 100644 --- a/modules/def_assignment/TEMPLATE.md +++ b/modules/def_assignment/TEMPLATE.md @@ -54,13 +54,14 @@ module team_a_mg_inherit_resource_group_tags_modify { ### Create a Built-In Policy Definition Assignment with Custom Non-Compliance Message ```hcl -data azurerm_policy_definition deploy_law_on_linux_vms { - display_name = "Deploy Log Analytics extension for Linux VMs" +# Should use name instead of display name, as Microsoft changes the display names. +data azurerm_policy_definition_built_in deploy_law_on_linux_vms { + name = "053d3325-282c-4e5c-b944-24faffd30d77" #"Deploy Log Analytics extension for Linux VMs" } module team_a_mg_inherit_resource_group_tags_modify { source = "gettek/policy-as-code/azurerm//modules/def_assignment" - definition = data.azurerm_policy_definition.deploy_law_on_linux_vms + definition = data.azurerm_policy_definition_built_in.deploy_law_on_linux_vms assignment_scope = data.azurerm_management_group.org.id skip_remediation = var.skip_remediation 
@@ -114,7 +115,7 @@ The example below demonstrates the acceptable format for this module: ```hcl module "org_mg_whitelist_regions" { - source = "..//modules/def_assignment" + source = "gettek/policy-as-code/azurerm//modules/def_assignment" definition = module.whitelist_regions.definition assignment_scope = data.azurerm_management_group.org.id assignment_effect = "Deny" diff --git a/modules/def_assignment/outputs.tf b/modules/def_assignment/outputs.tf index 7a35791..577c7a3 100644 --- a/modules/def_assignment/outputs.tf +++ b/modules/def_assignment/outputs.tf @@ -14,6 +14,6 @@ output "remediation_id" { } output "role_definition_ids" { - description = "The List of Role Defenition Ids assignable to the managed identity" + description = "The List of Role Definition Ids assignable to the managed identity" value = local.role_definition_ids } diff --git a/modules/def_assignment/variables.tf b/modules/def_assignment/variables.tf index 0c91807..be84db6 100644 --- a/modules/def_assignment/variables.tf +++ b/modules/def_assignment/variables.tf @@ -169,7 +169,7 @@ locals { role_assignment_scope = try(coalesce(var.role_assignment_scope, var.assignment_scope), "") # if creating role assignments also create a remediation task for policies with DeployIfNotExists and Modify effects - create_remediation = var.skip_remediation == false && length(local.identity_type) > 0 ? 1 : 0 + create_remediation = var.assignment_enforcement_mode == true && var.skip_remediation == false && length(local.identity_type) > 0 ? 1 : 0 # assignment location is required when identity is specified assignment_location = length(local.identity_type) > 0 ? var.assignment_location : null diff --git a/modules/definition/README.md b/modules/definition/README.md index 1a36b18..b30c027 100644 --- a/modules/definition/README.md +++ b/modules/definition/README.md 
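Review bot: The comment above `create_remediation` in modules/def_assignment/variables.tf still reads `# if creating role assignments also create a remediation task for policies with DeployIfNotExists and Modify effects` and no longer describes the condition, which now also requires `var.assignment_enforcement_mode == true`; suggest `# create a remediation task only when the assignment is enforced, remediation is not skipped and an identity exists (DeployIfNotExists/Modify effects)`. The same stale comment precedes the `definitions` local in modules/set_assignment/variables.tf, which gains the identical gate. If `assignment_enforcement_mode` is a bool, as the commit title implies, `var.assignment_enforcement_mode && !var.skip_remediation` is the idiomatic form, though the surrounding code already uses `== false`, so keeping the comparison is at least consistent. The enclosing `locals` block starts and ends outside the hunk.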
@@ -47,7 +47,7 @@ module "configure_asc" { ```hcl module "file_path_test" { - source = "..//modules/definition" + source = "gettek/policy-as-code/azurerm//modules/definition" file_path = "../path/to/file/onboard_to_automation_dsc_linux.json" management_group_id = data.azurerm_management_group.org.id } @@ -60,7 +60,7 @@ locals { } module "parameterised_test" { - source = "..//modules/definition" + source = "gettek/policy-as-code/azurerm//modules/definition" policy_name = "Custom Name" display_name = "Custom Display Name" policy_description = "Custom Description" @@ -86,7 +86,7 @@ module "parameterised_test" { | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | 3.50.0 | +| [azurerm](#provider\_azurerm) | 3.53.0 | ## Modules diff --git a/modules/definition/TEMPLATE.md b/modules/definition/TEMPLATE.md index e582b53..52f7d28 100644 --- a/modules/definition/TEMPLATE.md +++ b/modules/definition/TEMPLATE.md @@ -47,7 +47,7 @@ module "configure_asc" { ```hcl module "file_path_test" { - source = "..//modules/definition" + source = "gettek/policy-as-code/azurerm//modules/definition" file_path = "../path/to/file/onboard_to_automation_dsc_linux.json" management_group_id = data.azurerm_management_group.org.id } @@ -60,7 +60,7 @@ locals { } module "parameterised_test" { - source = "..//modules/definition" + source = "gettek/policy-as-code/azurerm//modules/definition" policy_name = "Custom Name" display_name = "Custom Display Name" policy_description = "Custom Description" diff --git a/modules/exemption/README.md b/modules/exemption/README.md index 63dda15..5016de3 100644 --- a/modules/exemption/README.md +++ b/modules/exemption/README.md @@ -115,7 +115,7 @@ module exemption_team_a_mg_key_vaults_require_purge_protection { | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | 3.50.0 | +| [azurerm](#provider\_azurerm) | 3.53.0 | ## Modules diff --git a/modules/initiative/README.md b/modules/initiative/README.md index 29a0581..285cc55 100644 
--- a/modules/initiative/README.md +++ b/modules/initiative/README.md @@ -105,7 +105,7 @@ module guest_config_prereqs_initiative { | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | 3.50.0 | +| [azurerm](#provider\_azurerm) | 3.53.0 | ## Modules diff --git a/modules/set_assignment/README.md b/modules/set_assignment/README.md index 94d3d6b..d0b9a36 100644 --- a/modules/set_assignment/README.md +++ b/modules/set_assignment/README.md @@ -62,8 +62,9 @@ module org_mg_configure_asc_initiative { ### Built-In Policy Initiative Assignment ```hcl +# Should use name instead of display name, as Microsoft changes the display names. data "azurerm_policy_set_definition" "cis_1_3_0" { - display_name = "CIS Microsoft Azure Foundations Benchmark v1.3.0" + name = "612b5213-9160-4969-8578-1518bd2a000c" #"CIS Microsoft Azure Foundations Benchmark v1.3.0" } module org_mg_cis_1_3_0_benchmark { @@ -80,8 +81,9 @@ module org_mg_cis_1_3_0_benchmark { ### Built-In Policy Initiative Containing DINE/Modify Assignment ```hcl +# Should use name instead of display name, as Microsoft changes the display names. data "azurerm_policy_set_definition" "configure_az_monitor_linux_vm_initiative" { - display_name = "Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule" + name = "118f04da-0375-44d1-84e3-0fd9e1849403" #"Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule" } data "azurerm_role_definition" "vm_contributor" { @@ -117,7 +119,7 @@ module org_mg_configure_az_monitor_linux_vm_initiative { | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | 3.50.0 | +| [azurerm](#provider\_azurerm) | 3.53.0 | ## Modules diff --git a/modules/set_assignment/TEMPLATE.md b/modules/set_assignment/TEMPLATE.md index 8c411eb..cd9a999 100644 --- a/modules/set_assignment/TEMPLATE.md +++ b/modules/set_assignment/TEMPLATE.md 
@@ -62,8 +62,9 @@ module org_mg_configure_asc_initiative { ### Built-In Policy Initiative Assignment ```hcl +# Should use name instead of display name, as Microsoft changes the display names. data "azurerm_policy_set_definition" "cis_1_3_0" { - display_name = "CIS Microsoft Azure Foundations Benchmark v1.3.0" + name = "612b5213-9160-4969-8578-1518bd2a000c" #"CIS Microsoft Azure Foundations Benchmark v1.3.0" } module org_mg_cis_1_3_0_benchmark { @@ -80,8 +81,9 @@ module org_mg_cis_1_3_0_benchmark { ### Built-In Policy Initiative Containing DINE/Modify Assignment ```hcl +# Should use name instead of display name, as Microsoft changes the display names. data "azurerm_policy_set_definition" "configure_az_monitor_linux_vm_initiative" { - display_name = "Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule" + name = "118f04da-0375-44d1-84e3-0fd9e1849403" #"Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule" } data "azurerm_role_definition" "vm_contributor" { diff --git a/modules/set_assignment/variables.tf b/modules/set_assignment/variables.tf index fef3da8..9c5f0c4 100644 --- a/modules/set_assignment/variables.tf +++ b/modules/set_assignment/variables.tf @@ -196,7 +196,7 @@ locals { }) # retrieve definition references & create a remediation task for policies with DeployIfNotExists and Modify effects - definitions = var.skip_remediation == false && length(local.identity_type) > 0 ? try(var.initiative.policy_definition_reference, []) : [] + definitions = var.assignment_enforcement_mode == true && var.skip_remediation == false && length(local.identity_type) > 0 ? try(var.initiative.policy_definition_reference, []) : [] definition_reference = try({ mg = local.remediate.mg > 0 ? local.definitions : [] sub = local.remediate.sub > 0 ? local.definitions : [] diff --git a/policies/README.md b/policies/README.md index 2a1bbee..4882237 100644 --- a/policies/README.md +++ b/policies/README.md 
@@ -1,6 +1,6 @@ # Custom Policy Definition Library -Compile time: 04/05/2023 10:58:28 UTC +Compile time: 04/21/2023 17:19:05 UTC Example custom definitions located in the local library ## Categories