diff --git a/examples-machine-config/README.md b/examples-machine-config/README.md
index 23ce56d..72ae607 100644
--- a/examples-machine-config/README.md
+++ b/examples-machine-config/README.md
@@ -42,7 +42,7 @@ Definitions will stored in the local repo library under [Guest Configuration](..
| Name | Version |
|------|---------|
-| [azurerm](#provider\_azurerm) | 3.50.0 |
+| [azurerm](#provider\_azurerm) | 3.53.0 |
| [null](#provider\_null) | 3.2.1 |
## Modules
diff --git a/examples-machine-config/data.tf b/examples-machine-config/data.tf
index 37b2319..15402cf 100644
--- a/examples-machine-config/data.tf
+++ b/examples-machine-config/data.tf
@@ -25,5 +25,5 @@ data "azurerm_storage_container" "guest_config_container" {
# [GA]: 12794019-7a00-42cf-95c2-882eed337cc8 "Deploy prerequisites to enable Guest Configuration policies on virtual machines" (SystemAssigned)
# [Preview]: 2b0ce52e-301c-4221-ab38-1601e2b4cee3 "[Preview]: Deploy prerequisites to enable Guest Configuration policies on virtual machines using user-assigned managed identity" (UserAssigned)
data "azurerm_policy_set_definition" "deploy_guest_config_prereqs_initiative" {
- display_name = "Deploy prerequisites to enable Guest Configuration policies on virtual machines"
+ name = "12794019-7a00-42cf-95c2-882eed337cc8" #"Deploy prerequisites to enable Guest Configuration policies on virtual machines"
}
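Review bot: The new `name` lookup on line 21 carries the old display name only as a trailing `#"…"` remark, while the README examples in this same commit add an explicit `# Should use name instead of display name, as Microsoft changes the display names.` line above the equivalent block; the same applies to the hunk in examples/built-in.tf. Pinning by the definition GUID is the right choice, because a display-name lookup can stop resolving after a rename (the comment on lines 17-18 already shows a GA/Preview pair with near-identical titles, so a rename could also make the match ambiguous). Suggest adding that same one-line comment directly above `data "azurerm_policy_set_definition" "deploy_guest_config_prereqs_initiative" {` so a reader knows the trailing quoted text is a human-readable hint only and is not used by the lookup. The data block is fully contained in this hunk.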
diff --git a/examples/README.md b/examples/README.md
index 4ad44c4..4fb31a5 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -15,7 +15,7 @@ This examples folder demonstrates an effective deployment of Azure Policy Defini
| Name | Version |
|------|---------|
-| [azurerm](#provider\_azurerm) | 3.50.0 |
+| [azurerm](#provider\_azurerm) | 3.53.0 |
## Modules
diff --git a/examples/built-in.tf b/examples/built-in.tf
index c8b2653..2f99c1b 100644
--- a/examples/built-in.tf
+++ b/examples/built-in.tf
@@ -2,7 +2,7 @@
# Built-In Initiative
##################
data "azurerm_policy_set_definition" "configure_az_monitor_and_security_vm_initiative" {
- display_name = "[Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines"
+ name = "a15f3269-2e10-458c-87a4-d5989e678a73" #"[Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines"
}
diff --git a/modules/def_assignment/README.md b/modules/def_assignment/README.md
index d1f108f..6314e62 100644
--- a/modules/def_assignment/README.md
+++ b/modules/def_assignment/README.md
@@ -54,13 +54,14 @@ module team_a_mg_inherit_resource_group_tags_modify {
### Create a Built-In Policy Definition Assignment with Custom Non-Compliance Message
```hcl
-data azurerm_policy_definition deploy_law_on_linux_vms {
- display_name = "Deploy Log Analytics extension for Linux VMs"
+# Should use name instead of display name, as Microsoft changes the display names.
+data azurerm_policy_definition_built_in deploy_law_on_linux_vms {
+ name = "053d3325-282c-4e5c-b944-24faffd30d77" #"Deploy Log Analytics extension for Linux VMs"
}
module team_a_mg_inherit_resource_group_tags_modify {
source = "gettek/policy-as-code/azurerm//modules/def_assignment"
- definition = data.azurerm_policy_definition.deploy_law_on_linux_vms
+ definition = data.azurerm_policy_definition_built_in.deploy_law_on_linux_vms
assignment_scope = data.azurerm_management_group.org.id
skip_remediation = var.skip_remediation
@@ -114,7 +115,7 @@ The example below demonstrates the acceptable format for this module:
```hcl
module "org_mg_whitelist_regions" {
- source = "..//modules/def_assignment"
+ source = "gettek/policy-as-code/azurerm//modules/def_assignment"
definition = module.whitelist_regions.definition
assignment_scope = data.azurerm_management_group.org.id
assignment_effect = "Deny"
@@ -155,7 +156,7 @@ module "org_mg_whitelist_regions" {
| Name | Version |
|------|---------|
-| [azurerm](#provider\_azurerm) | 3.50.0 |
+| [azurerm](#provider\_azurerm) | 3.53.0 |
## Modules
@@ -211,4 +212,4 @@ No modules.
| [id](#output\_id) | The Policy Assignment Id |
| [identity\_id](#output\_identity\_id) | The Managed Identity block containing Principal Id & Tenant Id of this Policy Assignment if type is SystemAssigned |
| [remediation\_id](#output\_remediation\_id) | The Id of the remediation task |
-| [role\_definition\_ids](#output\_role\_definition\_ids) | The List of Role Defenition Ids assignable to the managed identity |
+| [role\_definition\_ids](#output\_role\_definition\_ids) | The List of Role Definition Ids assignable to the managed identity |
diff --git a/modules/def_assignment/TEMPLATE.md b/modules/def_assignment/TEMPLATE.md
index 1ee11de..d838679 100644
--- a/modules/def_assignment/TEMPLATE.md
+++ b/modules/def_assignment/TEMPLATE.md
@@ -54,13 +54,14 @@ module team_a_mg_inherit_resource_group_tags_modify {
### Create a Built-In Policy Definition Assignment with Custom Non-Compliance Message
```hcl
-data azurerm_policy_definition deploy_law_on_linux_vms {
- display_name = "Deploy Log Analytics extension for Linux VMs"
+# Should use name instead of display name, as Microsoft changes the display names.
+data azurerm_policy_definition_built_in deploy_law_on_linux_vms {
+ name = "053d3325-282c-4e5c-b944-24faffd30d77" #"Deploy Log Analytics extension for Linux VMs"
}
module team_a_mg_inherit_resource_group_tags_modify {
source = "gettek/policy-as-code/azurerm//modules/def_assignment"
- definition = data.azurerm_policy_definition.deploy_law_on_linux_vms
+ definition = data.azurerm_policy_definition_built_in.deploy_law_on_linux_vms
assignment_scope = data.azurerm_management_group.org.id
skip_remediation = var.skip_remediation
@@ -114,7 +115,7 @@ The example below demonstrates the acceptable format for this module:
```hcl
module "org_mg_whitelist_regions" {
- source = "..//modules/def_assignment"
+ source = "gettek/policy-as-code/azurerm//modules/def_assignment"
definition = module.whitelist_regions.definition
assignment_scope = data.azurerm_management_group.org.id
assignment_effect = "Deny"
diff --git a/modules/def_assignment/outputs.tf b/modules/def_assignment/outputs.tf
index 7a35791..577c7a3 100644
--- a/modules/def_assignment/outputs.tf
+++ b/modules/def_assignment/outputs.tf
@@ -14,6 +14,6 @@ output "remediation_id" {
}
output "role_definition_ids" {
- description = "The List of Role Defenition Ids assignable to the managed identity"
+ description = "The List of Role Definition Ids assignable to the managed identity"
value = local.role_definition_ids
}
diff --git a/modules/def_assignment/variables.tf b/modules/def_assignment/variables.tf
index 0c91807..be84db6 100644
--- a/modules/def_assignment/variables.tf
+++ b/modules/def_assignment/variables.tf
@@ -169,7 +169,7 @@ locals {
role_assignment_scope = try(coalesce(var.role_assignment_scope, var.assignment_scope), "")
# if creating role assignments also create a remediation task for policies with DeployIfNotExists and Modify effects
- create_remediation = var.skip_remediation == false && length(local.identity_type) > 0 ? 1 : 0
+ create_remediation = var.assignment_enforcement_mode == true && var.skip_remediation == false && length(local.identity_type) > 0 ? 1 : 0
# assignment location is required when identity is specified
assignment_location = length(local.identity_type) > 0 ? var.assignment_location : null
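Review bot: The comment on line 127 still describes the old condition, but the `create_remediation` expression on line 129 now also requires `var.assignment_enforcement_mode == true`; the comment should reflect that, e.g. `# create a remediation task only when the assignment is enforced, remediation is not skipped and a managed identity exists (DeployIfNotExists/Modify effects)`. The same gap exists for the `definitions` local in modules/set_assignment/variables.tf, whose comment on line 254 also omits the new enforcement-mode condition. If `assignment_enforcement_mode` is declared as `bool`, `var.assignment_enforcement_mode && var.skip_remediation == false && …` reads more idiomatically; the `== true` form is only worth keeping if the variable may be null, since comparing null to `true` yields false whereas using null directly in `&&` is an error — its declaration is outside this hunk, so this is inferred. The enclosing `locals` block starts before and ends after the hunk.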
diff --git a/modules/definition/README.md b/modules/definition/README.md
index 1a36b18..b30c027 100644
--- a/modules/definition/README.md
+++ b/modules/definition/README.md
@@ -47,7 +47,7 @@ module "configure_asc" {
```hcl
module "file_path_test" {
- source = "..//modules/definition"
+ source = "gettek/policy-as-code/azurerm//modules/definition"
file_path = "../path/to/file/onboard_to_automation_dsc_linux.json"
management_group_id = data.azurerm_management_group.org.id
}
@@ -60,7 +60,7 @@ locals {
}
module "parameterised_test" {
- source = "..//modules/definition"
+ source = "gettek/policy-as-code/azurerm//modules/definition"
policy_name = "Custom Name"
display_name = "Custom Display Name"
policy_description = "Custom Description"
@@ -86,7 +86,7 @@ module "parameterised_test" {
| Name | Version |
|------|---------|
-| [azurerm](#provider\_azurerm) | 3.50.0 |
+| [azurerm](#provider\_azurerm) | 3.53.0 |
## Modules
diff --git a/modules/definition/TEMPLATE.md b/modules/definition/TEMPLATE.md
index e582b53..52f7d28 100644
--- a/modules/definition/TEMPLATE.md
+++ b/modules/definition/TEMPLATE.md
@@ -47,7 +47,7 @@ module "configure_asc" {
```hcl
module "file_path_test" {
- source = "..//modules/definition"
+ source = "gettek/policy-as-code/azurerm//modules/definition"
file_path = "../path/to/file/onboard_to_automation_dsc_linux.json"
management_group_id = data.azurerm_management_group.org.id
}
@@ -60,7 +60,7 @@ locals {
}
module "parameterised_test" {
- source = "..//modules/definition"
+ source = "gettek/policy-as-code/azurerm//modules/definition"
policy_name = "Custom Name"
display_name = "Custom Display Name"
policy_description = "Custom Description"
diff --git a/modules/exemption/README.md b/modules/exemption/README.md
index 63dda15..5016de3 100644
--- a/modules/exemption/README.md
+++ b/modules/exemption/README.md
@@ -115,7 +115,7 @@ module exemption_team_a_mg_key_vaults_require_purge_protection {
| Name | Version |
|------|---------|
-| [azurerm](#provider\_azurerm) | 3.50.0 |
+| [azurerm](#provider\_azurerm) | 3.53.0 |
## Modules
diff --git a/modules/initiative/README.md b/modules/initiative/README.md
index 29a0581..285cc55 100644
--- a/modules/initiative/README.md
+++ b/modules/initiative/README.md
@@ -105,7 +105,7 @@ module guest_config_prereqs_initiative {
| Name | Version |
|------|---------|
-| [azurerm](#provider\_azurerm) | 3.50.0 |
+| [azurerm](#provider\_azurerm) | 3.53.0 |
## Modules
diff --git a/modules/set_assignment/README.md b/modules/set_assignment/README.md
index 94d3d6b..d0b9a36 100644
--- a/modules/set_assignment/README.md
+++ b/modules/set_assignment/README.md
@@ -62,8 +62,9 @@ module org_mg_configure_asc_initiative {
### Built-In Policy Initiative Assignment
```hcl
+# Should use name instead of display name, as Microsoft changes the display names.
data "azurerm_policy_set_definition" "cis_1_3_0" {
- display_name = "CIS Microsoft Azure Foundations Benchmark v1.3.0"
+ name = "612b5213-9160-4969-8578-1518bd2a000c" #"CIS Microsoft Azure Foundations Benchmark v1.3.0"
}
module org_mg_cis_1_3_0_benchmark {
@@ -80,8 +81,9 @@ module org_mg_cis_1_3_0_benchmark {
### Built-In Policy Initiative Containing DINE/Modify Assignment
```hcl
+# Should use name instead of display name, as Microsoft changes the display names.
data "azurerm_policy_set_definition" "configure_az_monitor_linux_vm_initiative" {
- display_name = "Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule"
+ name = "118f04da-0375-44d1-84e3-0fd9e1849403" #"Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule"
}
data "azurerm_role_definition" "vm_contributor" {
@@ -117,7 +119,7 @@ module org_mg_configure_az_monitor_linux_vm_initiative {
| Name | Version |
|------|---------|
-| [azurerm](#provider\_azurerm) | 3.50.0 |
+| [azurerm](#provider\_azurerm) | 3.53.0 |
## Modules
diff --git a/modules/set_assignment/TEMPLATE.md b/modules/set_assignment/TEMPLATE.md
index 8c411eb..cd9a999 100644
--- a/modules/set_assignment/TEMPLATE.md
+++ b/modules/set_assignment/TEMPLATE.md
@@ -62,8 +62,9 @@ module org_mg_configure_asc_initiative {
### Built-In Policy Initiative Assignment
```hcl
+# Should use name instead of display name, as Microsoft changes the display names.
data "azurerm_policy_set_definition" "cis_1_3_0" {
- display_name = "CIS Microsoft Azure Foundations Benchmark v1.3.0"
+ name = "612b5213-9160-4969-8578-1518bd2a000c" #"CIS Microsoft Azure Foundations Benchmark v1.3.0"
}
module org_mg_cis_1_3_0_benchmark {
@@ -80,8 +81,9 @@ module org_mg_cis_1_3_0_benchmark {
### Built-In Policy Initiative Containing DINE/Modify Assignment
```hcl
+# Should use name instead of display name, as Microsoft changes the display names.
data "azurerm_policy_set_definition" "configure_az_monitor_linux_vm_initiative" {
- display_name = "Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule"
+ name = "118f04da-0375-44d1-84e3-0fd9e1849403" #"Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule"
}
data "azurerm_role_definition" "vm_contributor" {
diff --git a/modules/set_assignment/variables.tf b/modules/set_assignment/variables.tf
index fef3da8..9c5f0c4 100644
--- a/modules/set_assignment/variables.tf
+++ b/modules/set_assignment/variables.tf
@@ -196,7 +196,7 @@ locals {
})
# retrieve definition references & create a remediation task for policies with DeployIfNotExists and Modify effects
- definitions = var.skip_remediation == false && length(local.identity_type) > 0 ? try(var.initiative.policy_definition_reference, []) : []
+ definitions = var.assignment_enforcement_mode == true && var.skip_remediation == false && length(local.identity_type) > 0 ? try(var.initiative.policy_definition_reference, []) : []
definition_reference = try({
mg = local.remediate.mg > 0 ? local.definitions : []
sub = local.remediate.sub > 0 ? local.definitions : []
diff --git a/policies/README.md b/policies/README.md
index 2a1bbee..4882237 100644
--- a/policies/README.md
+++ b/policies/README.md
@@ -1,6 +1,6 @@
# Custom Policy Definition Library
-Compile time: 04/05/2023 10:58:28 UTC
+Compile time: 04/21/2023 17:19:05 UTC
Example custom definitions located in the local library
## Categories