
Merge pull request #10 from globalbao/remove-provider-and-more-examples
Remove provider and add count example
jesseloudon authored Oct 29, 2021
2 parents c821815 + eac8fcf commit d4aedbd
Showing 11 changed files with 195 additions and 65 deletions.
40 changes: 20 additions & 20 deletions README.md
Expand Up @@ -13,7 +13,7 @@ Note: Terraform v0.13 or greater is required to use this module. Download the la
```hcl
module "policy_exemptions" {
source = "globalbao/policy-exemptions/azurerm"
version = "0.1.1"
version = "0.2.1"
policyExemptions = {
exemption1 = {
deploymentMode = "Incremental"
Expand All @@ -36,7 +36,7 @@ module "policy_exemptions" {
```hcl
module "policy_exemptions" {
source = "globalbao/policy-exemptions/azurerm"
version = "0.1.1"
version = "0.2.1"
policyExemptions = {
exemption1 = {
deploymentMode = "Incremental"
Expand All @@ -61,28 +61,28 @@ module "policy_exemptions" {
}
},
exemption2 = {
deploymentMode = "Incremental"
name = "exemption2"
displayName = "exemption2 for Insert-Your-RG-Name2"
description = "exemption2 waives compliance on an resource group"
resourceGroupName = "Insert-Your-RG-Name2"
policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
deploymentMode = "Incremental"
name = "exemption2"
displayName = "exemption2 for Insert-Your-RG-Name2"
description = "exemption2 waives compliance on an resource group"
resourceGroupName = "Insert-Your-RG-Name2"
policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
policyDefinitionReferenceIds = []
exemptionCategory = "Mitigated"
expiresOn = "2025-12-31"
metadata = {}
exemptionCategory = "Mitigated"
expiresOn = "2025-12-31"
metadata = {}
},
exemption3 = {
deploymentMode = "Incremental"
name = "exemption3"
displayName = "exemption3 for Insert-Your-RG-Name3"
description = "exemption3 waives compliance on an resource group"
resourceGroupName = "Insert-Your-RG-Name3"
policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
deploymentMode = "Incremental"
name = "exemption3"
displayName = "exemption3 for Insert-Your-RG-Name3"
description = "exemption3 waives compliance on an resource group"
resourceGroupName = "Insert-Your-RG-Name3"
policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
policyDefinitionReferenceIds = []
exemptionCategory = "Waiver"
expiresOn = "2025-12-29"
metadata = {}
exemptionCategory = "Waiver"
expiresOn = "2025-12-29"
metadata = {}
}
}
}
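--- a/examples/count/README.md
+++ b/examples/count/README.md
@@ -0,0 +1,66 @@
+# Terraform AzureRM Policy Exemptions
+
+Leverges Terraform's [resource group template deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_template_deployment) for managing [policy exemptions](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policyexemptions).
+
+Learn more about [Azure Policy Exemptions](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure)
+
+# Example Usage
+
+* Use a count expression on a variable to determine if policy exemptions are created.
+* Create 3 policy exemptions with only 'exemption1' referencing select policies to be exempted (via policyDefinitionReferenceIds).
+
+```hcl
+module "policy_exemptions" {
+count = var.exemptions_required ? 1 : 0
+source = "globalbao/policy-exemptions/azurerm"
+version = "0.2.1"
+policyExemptions = {
+exemption1 = {
+deploymentMode = "Incremental"
+name = "exemption1"
+displayName = "exemption1 for Insert-Your-RG-Name1"
+description = "exemption1 waives compliance on an resource group"
+resourceGroupName = "Insert-Your-RG-Name1"
+policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+policyDefinitionReferenceIds = [
+"installLogAnalyticsAgentOnVmMonitoring",
+"installLogAnalyticsAgentOnVmssMonitoring",
+"windowsDefenderExploitGuardMonitoring",
+"useRbacRulesMonitoring"
+]
+exemptionCategory = "Waiver"
+expiresOn = "2025-12-30"
+metadata = {
+"requestedBy" : "RG team",
+"approvedBy" : "DrGovernance",
+"approvedOn" : "2021-07-26",
+"ticketRef" : "123456"
+}
+},
+exemption2 = {
+deploymentMode = "Incremental"
+name = "exemption2"
+displayName = "exemption2 for Insert-Your-RG-Name2"
+description = "exemption2 waives compliance on an resource group"
+resourceGroupName = "Insert-Your-RG-Name2"
+policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+policyDefinitionReferenceIds = []
+exemptionCategory = "Mitigated"
+expiresOn = "2025-12-31"
+metadata = {}
+},
+exemption3 = {
+deploymentMode = "Incremental"
+name = "exemption3"
+displayName = "exemption3 for Insert-Your-RG-Name3"
+description = "exemption3 waives compliance on an resource group"
+resourceGroupName = "Insert-Your-RG-Name3"
+policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+policyDefinitionReferenceIds = []
+exemptionCategory = "Waiver"
+expiresOn = "2025-12-29"
+metadata = {}
+}
+}
+}
+```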
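--- a/examples/count/main.tf
+++ b/examples/count/main.tf
@@ -0,0 +1,53 @@
+module "policy_exemptions" {
+count = var.exemptions_required ? 1 : 0
+source = "globalbao/policy-exemptions/azurerm"
+version = "0.2.1"
+policyExemptions = {
+exemption1 = {
+deploymentMode = "Incremental"
+name = "exemption1"
+displayName = "exemption1 for Insert-Your-RG-Name1"
+description = "exemption1 waives compliance on an resource group"
+resourceGroupName = "Insert-Your-RG-Name1"
+policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+policyDefinitionReferenceIds = [
+"installLogAnalyticsAgentOnVmMonitoring",
+"installLogAnalyticsAgentOnVmssMonitoring",
+"windowsDefenderExploitGuardMonitoring",
+"useRbacRulesMonitoring"
+]
+exemptionCategory = "Waiver"
+expiresOn = "2025-12-30"
+metadata = {
+"requestedBy" : "RG team",
+"approvedBy" : "DrGovernance",
+"approvedOn" : "2021-07-26",
+"ticketRef" : "123456"
+}
+},
+exemption2 = {
+deploymentMode = "Incremental"
+name = "exemption2"
+displayName = "exemption2 for Insert-Your-RG-Name2"
+description = "exemption2 waives compliance on an resource group"
+resourceGroupName = "Insert-Your-RG-Name2"
+policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+policyDefinitionReferenceIds = []
+exemptionCategory = "Mitigated"
+expiresOn = "2025-12-31"
+metadata = {}
+},
+exemption3 = {
+deploymentMode = "Incremental"
+name = "exemption3"
+displayName = "exemption3 for Insert-Your-RG-Name3"
+description = "exemption3 waives compliance on an resource group"
+resourceGroupName = "Insert-Your-RG-Name3"
+policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+policyDefinitionReferenceIds = []
+exemptionCategory = "Waiver"
+expiresOn = "2025-12-29"
+metadata = {}
+}
+}
+}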
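Review bot: exemption2 and exemption3 set `policyDefinitionReferenceIds = []` with nothing saying what an empty list means, and the README added in this commit says only exemption1 references select policies, which suggests the empty list does not narrow the exemption at all rather than exempting nothing — easy to misread in a copy-paste example. I would add a comment above each empty list, `# empty list: the exemption is not limited to specific policies in the assignment — confirm the intended scope before deploying`, so a reader does not assume the narrower meaning. The `count = var.exemptions_required ? 1 : 0` line also deserves a comment that the variable defaults to true in variables.tf, so all three exemptions are created unless the caller opts out.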
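--- a/examples/count/outputs.tf
+++ b/examples/count/outputs.tf
@@ -0,0 +1,4 @@
+output "policy_exemptions" {
+value = module.policy_exemptions
+description = "All output variables for policy exemptions module"
+}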
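Review bot: because the module is declared with `count` in examples/count/main.tf, `module.policy_exemptions` here is a list of zero or one module objects, so this output is a list (empty when `exemptions_required` is false) and not the single object the description "All output variables for policy exemptions module" implies. Suggest `description = "Outputs of the policy_exemptions module as a list; empty when var.exemptions_required is false"`, or `value = one(module.policy_exemptions)` to return the object or null — though one() needs Terraform 0.15 and versions.tf in this example only pins `>= 0.13`, so the description fix is the safer option.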
File renamed without changes.
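--- a/examples/count/variables.tf
+++ b/examples/count/variables.tf
@@ -0,0 +1,5 @@
+variable "exemptions_required" {
+type = bool
+default = true
+description = "Determines if policy exemptions are required"
+}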
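Review bot: `default = true` means the count example creates all three exemptions unless the caller explicitly sets the variable to false, so the gate defaults to weakening policy enforcement rather than preserving it. For a toggle on compliance waivers, `default = false` is the safer default, and the description should say which way the switch goes: `description = "Set to true to create the policy exemptions; nothing is deployed when false"`. If the default is kept as true, the example README should state that the exemptions are created by default.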
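--- a/examples/count/versions.tf
+++ b/examples/count/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+required_version = ">= 0.13"
+}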
38 changes: 19 additions & 19 deletions examples/default/README.md
Expand Up @@ -11,7 +11,7 @@ Learn more about [Azure Policy Exemptions](https://docs.microsoft.com/en-us/azur
```hcl
module "policy_exemptions" {
source = "globalbao/policy-exemptions/azurerm"
version = "0.1.0"
version = "0.2.1"
policyExemptions = {
exemption1 = {
deploymentMode = "Incremental"
Expand All @@ -36,28 +36,28 @@ module "policy_exemptions" {
}
},
exemption2 = {
deploymentMode = "Incremental"
name = "exemption2"
displayName = "exemption2 for Insert-Your-RG-Name2"
description = "exemption2 waives compliance on an resource group"
resourceGroupName = "Insert-Your-RG-Name2"
policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
deploymentMode = "Incremental"
name = "exemption2"
displayName = "exemption2 for Insert-Your-RG-Name2"
description = "exemption2 waives compliance on an resource group"
resourceGroupName = "Insert-Your-RG-Name2"
policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
policyDefinitionReferenceIds = []
exemptionCategory = "Mitigated"
expiresOn = "2025-12-31"
metadata = {}
exemptionCategory = "Mitigated"
expiresOn = "2025-12-31"
metadata = {}
},
exemption3 = {
deploymentMode = "Incremental"
name = "exemption3"
displayName = "exemption3 for Insert-Your-RG-Name3"
description = "exemption3 waives compliance on an resource group"
resourceGroupName = "Insert-Your-RG-Name3"
policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
deploymentMode = "Incremental"
name = "exemption3"
displayName = "exemption3 for Insert-Your-RG-Name3"
description = "exemption3 waives compliance on an resource group"
resourceGroupName = "Insert-Your-RG-Name3"
policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
policyDefinitionReferenceIds = []
exemptionCategory = "Waiver"
expiresOn = "2025-12-29"
metadata = {}
exemptionCategory = "Waiver"
expiresOn = "2025-12-29"
metadata = {}
}
}
}
38 changes: 19 additions & 19 deletions examples/default/main.tf
@@ -1,6 +1,6 @@
module "policy_exemptions" {
source = "globalbao/policy-exemptions/azurerm"
version = "0.1.1"
version = "0.2.1"
policyExemptions = {
exemption1 = {
deploymentMode = "Incremental"
Expand All @@ -25,28 +25,28 @@ module "policy_exemptions" {
}
},
exemption2 = {
deploymentMode = "Incremental"
name = "exemption2"
displayName = "exemption2 for Insert-Your-RG-Name2"
description = "exemption2 waives compliance on an resource group"
resourceGroupName = "Insert-Your-RG-Name2"
policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
deploymentMode = "Incremental"
name = "exemption2"
displayName = "exemption2 for Insert-Your-RG-Name2"
description = "exemption2 waives compliance on an resource group"
resourceGroupName = "Insert-Your-RG-Name2"
policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
policyDefinitionReferenceIds = []
exemptionCategory = "Mitigated"
expiresOn = "2025-12-31"
metadata = {}
exemptionCategory = "Mitigated"
expiresOn = "2025-12-31"
metadata = {}
},
exemption3 = {
deploymentMode = "Incremental"
name = "exemption3"
displayName = "exemption3 for Insert-Your-RG-Name3"
description = "exemption3 waives compliance on an resource group"
resourceGroupName = "Insert-Your-RG-Name3"
policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
deploymentMode = "Incremental"
name = "exemption3"
displayName = "exemption3 for Insert-Your-RG-Name3"
description = "exemption3 waives compliance on an resource group"
resourceGroupName = "Insert-Your-RG-Name3"
policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
policyDefinitionReferenceIds = []
exemptionCategory = "Waiver"
expiresOn = "2025-12-29"
metadata = {}
exemptionCategory = "Waiver"
expiresOn = "2025-12-29"
metadata = {}
}
}
}
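--- a/examples/default/outputs.tf
+++ b/examples/default/outputs.tf
@@ -1,7 +1,4 @@
-output "variables" {
-value = module.policy_exemptions.variables
-}
-
-output "template_deployment" {
-value = module.policy_exemptions.template_deployment
+output "policy_exemptions" {
+value = module.policy_exemptions
+description = "All output variables for policy exemptions module"
 }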
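--- a/outputs.tf
+++ b/outputs.tf
@@ -1,10 +1,12 @@
 output "variables" {
-value = var.policyExemptions
+value = var.policyExemptions
+description = "Outputs the policy exemption variables"
 }
 
 output "template_deployment" {
 value = {
 for k, v in try(azurerm_resource_group_template_deployment.this.*, {}) :
 k => try(jsondecode(v), v)
 }
+description = "Outputs the policy exemption ARM template"
 }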
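Review bot: the new description `Outputs the policy exemption ARM template` does not match what the value expression produces: the for expression iterates the `azurerm_resource_group_template_deployment.this` resource objects, and `try(jsondecode(v), v)` falls back to the object itself whenever it is not a JSON string, so the output is the deployment resource attributes rather than the template. The module's main.tf is not in this commit, so I cannot see whether `this` is declared with count or for_each, but the description should name the resource objects, e.g. `description = "The resource group template deployment resource(s) created for the policy exemptions, JSON-decoded where a value is a JSON string"`. Because the whole resource object is exposed, anything the resource carries surfaces in the caller's state and plan output, which is worth a sentence in the description so consumers know what they are re-exporting.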
