Prevent remediation when assignment_enforcement_mode=false

examples-machine-config/data.tf

@@ -25,5 +25,5 @@ data "azurerm_storage_container" "guest_config_container" {
 #      [GA]: 12794019-7a00-42cf-95c2-882eed337cc8 "Deploy prerequisites to enable Guest Configuration policies on virtual machines" (SystemAssigned)
 # [Preview]: 2b0ce52e-301c-4221-ab38-1601e2b4cee3 "[Preview]: Deploy prerequisites to enable Guest Configuration policies on virtual machines using user-assigned managed identity" (UserAssigned)
 data "azurerm_policy_set_definition" "deploy_guest_config_prereqs_initiative" {
-  display_name = "Deploy prerequisites to enable Guest Configuration policies on virtual machines"
+  name = "12794019-7a00-42cf-95c2-882eed337cc8" #"Deploy prerequisites to enable Guest Configuration policies on virtual machines"
 }

examples/built-in.tf

@@ -2,7 +2,7 @@
 # Built-In Initiative
 ##################
 data "azurerm_policy_set_definition" "configure_az_monitor_and_security_vm_initiative" {
-  display_name = "[Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines"
+  name = "a15f3269-2e10-458c-87a4-d5989e678a73" #"[Preview]: Configure machines to automatically install the Azure Monitor and Azure Security agents on virtual machines"
 }
 
 

modules/def_assignment/README.md

@@ -54,13 +54,14 @@ module team_a_mg_inherit_resource_group_tags_modify {
 ### Create a Built-In Policy Definition Assignment with Custom Non-Compliance Message
 
 ```hcl
-data azurerm_policy_definition deploy_law_on_linux_vms {
-  display_name = "Deploy Log Analytics extension for Linux VMs"
+# Should use name instead of display name, as Microsoft changes the display names.
+data azurerm_policy_definition_built_in deploy_law_on_linux_vms {
+  name =  "053d3325-282c-4e5c-b944-24faffd30d77" #"Deploy Log Analytics extension for Linux VMs"
 }
 
 module team_a_mg_inherit_resource_group_tags_modify {
   source            = "gettek/policy-as-code/azurerm//modules/def_assignment"
-  definition        = data.azurerm_policy_definition.deploy_law_on_linux_vms
+  definition        = data.azurerm_policy_definition_built_in.deploy_law_on_linux_vms
   assignment_scope  = data.azurerm_management_group.org.id
   skip_remediation  = var.skip_remediation
 
@@ -114,7 +115,7 @@ The example below demonstrates the acceptable format for this module:
 
 ```hcl
 module "org_mg_whitelist_regions" {
-  source            = "..//modules/def_assignment"
+  source            = "gettek/policy-as-code/azurerm//modules/def_assignment"
   definition        = module.whitelist_regions.definition
   assignment_scope  = data.azurerm_management_group.org.id
   assignment_effect = "Deny"
@@ -211,4 +212,4 @@ No modules.
 | <a name="output_id"></a> [id](#output\_id) | The Policy Assignment Id |
 | <a name="output_identity_id"></a> [identity\_id](#output\_identity\_id) | The Managed Identity block containing Principal Id & Tenant Id of this Policy Assignment if type is SystemAssigned |
 | <a name="output_remediation_id"></a> [remediation\_id](#output\_remediation\_id) | The Id of the remediation task |
-| <a name="output_role_definition_ids"></a> [role\_definition\_ids](#output\_role\_definition\_ids) | The List of Role Defenition Ids assignable to the managed identity |
+| <a name="output_role_definition_ids"></a> [role\_definition\_ids](#output\_role\_definition\_ids) | The List of Role Definition Ids assignable to the managed identity |

modules/def_assignment/TEMPLATE.md

@@ -54,13 +54,14 @@ module team_a_mg_inherit_resource_group_tags_modify {
 ### Create a Built-In Policy Definition Assignment with Custom Non-Compliance Message
 
 ```hcl
-data azurerm_policy_definition deploy_law_on_linux_vms {
-  display_name = "Deploy Log Analytics extension for Linux VMs"
+# Should use name instead of display name, as Microsoft changes the display names.
+data azurerm_policy_definition_built_in deploy_law_on_linux_vms {
+  name =  "053d3325-282c-4e5c-b944-24faffd30d77" #"Deploy Log Analytics extension for Linux VMs"
 }
 
 module team_a_mg_inherit_resource_group_tags_modify {
   source            = "gettek/policy-as-code/azurerm//modules/def_assignment"
-  definition        = data.azurerm_policy_definition.deploy_law_on_linux_vms
+  definition        = data.azurerm_policy_definition_built_in.deploy_law_on_linux_vms
   assignment_scope  = data.azurerm_management_group.org.id
   skip_remediation  = var.skip_remediation
 
@@ -114,7 +115,7 @@ The example below demonstrates the acceptable format for this module:
 
 ```hcl
 module "org_mg_whitelist_regions" {
-  source            = "..//modules/def_assignment"
+  source            = "gettek/policy-as-code/azurerm//modules/def_assignment"
   definition        = module.whitelist_regions.definition
   assignment_scope  = data.azurerm_management_group.org.id
   assignment_effect = "Deny"

modules/def_assignment/main.tf

@@ -80,6 +80,7 @@ resource "azurerm_subscription_policy_assignment" "def" {
   }
 }
 
+
 resource "azurerm_resource_group_policy_assignment" "def" {
   count                = local.assignment_scope.rg
   policy_definition_id = var.definition.id

modules/def_assignment/outputs.tf

@@ -14,6 +14,6 @@ output "remediation_id" {
 }
 
 output "role_definition_ids" {
-  description = "The List of Role Defenition Ids assignable to the managed identity"
+  description = "The List of Role Definition Ids assignable to the managed identity"
   value       = local.role_definition_ids
 }

modules/def_assignment/variables.tf

@@ -169,7 +169,7 @@ locals {
   role_assignment_scope = try(coalesce(var.role_assignment_scope, var.assignment_scope), "")
 
   # if creating role assignments also create a remediation task for policies with DeployIfNotExists and Modify effects
-  create_remediation = var.skip_remediation == false && length(local.identity_type) > 0 ? 1 : 0
+  create_remediation = var.assignment_enforcement_mode == true && var.skip_remediation == false && length(local.identity_type) > 0 ? 1 : 0
 
   # assignment location is required when identity is specified
   assignment_location = length(local.identity_type) > 0 ? var.assignment_location : null

modules/definition/README.md

@@ -47,7 +47,7 @@ module "configure_asc" {
 
 ```hcl
 module "file_path_test" {
-  source              = "..//modules/definition"
+  source              = "gettek/policy-as-code/azurerm//modules/definition"
   file_path           = "../path/to/file/onboard_to_automation_dsc_linux.json"
   management_group_id = data.azurerm_management_group.org.id
 }
@@ -60,7 +60,7 @@ locals {
 }
 
 module "parameterised_test" {
-  source              = "..//modules/definition"
+  source              = "gettek/policy-as-code/azurerm//modules/definition"
   policy_name         = "Custom Name"
   display_name        = "Custom Display Name"
   policy_description  = "Custom Description"
@@ -80,7 +80,7 @@ module "parameterised_test" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >=3.23.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >=3.49.0 |
 
 ## Providers
 

modules/definition/TEMPLATE.md

@@ -47,7 +47,7 @@ module "configure_asc" {
 
 ```hcl
 module "file_path_test" {
-  source              = "..//modules/definition"
+  source              = "gettek/policy-as-code/azurerm//modules/definition"
   file_path           = "../path/to/file/onboard_to_automation_dsc_linux.json"
   management_group_id = data.azurerm_management_group.org.id
 }
@@ -60,7 +60,7 @@ locals {
 }
 
 module "parameterised_test" {
-  source              = "..//modules/definition"
+  source              = "gettek/policy-as-code/azurerm//modules/definition"
   policy_name         = "Custom Name"
   display_name        = "Custom Display Name"
   policy_description  = "Custom Description"

modules/exemption/README.md

@@ -109,7 +109,7 @@ module exemption_team_a_mg_key_vaults_require_purge_protection {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >=3.23.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >=3.49.0 |
 
 ## Providers
 

modules/initiative/README.md

@@ -99,7 +99,7 @@ module guest_config_prereqs_initiative {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >=3.23.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >=3.49.0 |
 
 ## Providers
 

modules/set_assignment/README.md

@@ -62,8 +62,9 @@ module org_mg_configure_asc_initiative {
 
 ### Built-In Policy Initiative Assignment
 ```hcl
+# Should use name instead of display name, as Microsoft changes the display names.
 data "azurerm_policy_set_definition" "cis_1_3_0" {
-  display_name = "CIS Microsoft Azure Foundations Benchmark v1.3.0"
+  name = "612b5213-9160-4969-8578-1518bd2a000c" #"CIS Microsoft Azure Foundations Benchmark v1.3.0"
 }
 
 module org_mg_cis_1_3_0_benchmark {
@@ -80,8 +81,9 @@ module org_mg_cis_1_3_0_benchmark {
 ### Built-In Policy Initiative Containing DINE/Modify Assignment
 
 ```hcl
+# Should use name instead of display name, as Microsoft changes the display names.
 data "azurerm_policy_set_definition" "configure_az_monitor_linux_vm_initiative" {
-  display_name = "Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule"
+  name = "118f04da-0375-44d1-84e3-0fd9e1849403" #"Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule"
 }
 
 data "azurerm_role_definition" "vm_contributor" {

modules/set_assignment/TEMPLATE.md

@@ -62,8 +62,9 @@ module org_mg_configure_asc_initiative {
 
 ### Built-In Policy Initiative Assignment
 ```hcl
+# Should use name instead of display name, as Microsoft changes the display names.
 data "azurerm_policy_set_definition" "cis_1_3_0" {
-  display_name = "CIS Microsoft Azure Foundations Benchmark v1.3.0"
+  name = "612b5213-9160-4969-8578-1518bd2a000c" #"CIS Microsoft Azure Foundations Benchmark v1.3.0"
 }
 
 module org_mg_cis_1_3_0_benchmark {
@@ -80,8 +81,9 @@ module org_mg_cis_1_3_0_benchmark {
 ### Built-In Policy Initiative Containing DINE/Modify Assignment
 
 ```hcl
+# Should use name instead of display name, as Microsoft changes the display names.
 data "azurerm_policy_set_definition" "configure_az_monitor_linux_vm_initiative" {
-  display_name = "Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule"
+  name = "118f04da-0375-44d1-84e3-0fd9e1849403" #"Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule"
 }
 
 data "azurerm_role_definition" "vm_contributor" {

modules/set_assignment/variables.tf

@@ -196,7 +196,7 @@ locals {
   })
 
   # retrieve definition references & create a remediation task for policies with DeployIfNotExists and Modify effects
-  definitions = var.skip_remediation == false && length(local.identity_type) > 0 ? try(var.initiative.policy_definition_reference, []) : []
+  definitions = var.assignment_enforcement_mode == true && var.skip_remediation == false && length(local.identity_type) > 0 ? try(var.initiative.policy_definition_reference, []) : []
   definition_reference = try({
     mg       = local.remediate.mg > 0 ? local.definitions : []
     sub      = local.remediate.sub > 0 ? local.definitions : []

policies/README.md

@@ -1,6 +1,6 @@
 
 # Custom Policy Definition Library
-Compile time: 04/05/2023 10:58:28 UTC
+Compile time: 04/17/2023 15:46:07 UTC
 Example custom definitions located in the local library
 
 ## Categories