From 0cf71ca1d31613315b5b0b3733b60a4afd8c5218 Mon Sep 17 00:00:00 2001
From: Jesse Json <13147870+jesseloudon@users.noreply.github.com>
Date: Sat, 30 Oct 2021 09:25:42 +1100
Subject: [PATCH 1/4] removed provider
---
 provider.tf | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 provider.tf
diff --git a/provider.tf b/provider.tf
deleted file mode 100644
index 615cb43..0000000
--- a/provider.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-provider "azurerm" {
- features {}
-}
\ No newline at end of file
From eb72530da9ba96191ea00ff2dd904009be4555be Mon Sep 17 00:00:00 2001
From: Jesse Json <13147870+jesseloudon@users.noreply.github.com>
Date: Sat, 30 Oct 2021 09:26:09 +1100
Subject: [PATCH 2/4] add example for count usage
---
 examples/count/README.md | 66 +++++++++++++++++++++++++++++++++++++
 examples/count/main.tf | 53 +++++++++++++++++++++++++++++
 examples/count/outputs.tf | 4 +++
 examples/count/provider.tf | 3 ++
 examples/count/variables.tf | 5 +++
 examples/count/versions.tf | 3 ++
 6 files changed, 134 insertions(+)
 create mode 100644 examples/count/README.md
 create mode 100644 examples/count/main.tf
 create mode 100644 examples/count/outputs.tf
 create mode 100644 examples/count/provider.tf
 create mode 100644 examples/count/variables.tf
 create mode 100644 examples/count/versions.tf
diff --git a/examples/count/README.md b/examples/count/README.md
new file mode 100644
index 0000000..2b2a267
--- /dev/null
+++ b/examples/count/README.md
@@ -0,0 +1,66 @@
+# Terraform AzureRM Policy Exemptions
+
+Leverges Terraform's [resource group template deployment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_template_deployment) for managing [policy exemptions](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policyexemptions).
+
+Learn more about [Azure Policy Exemptions](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure)
+
+# Example Usage
+
+* Use a count expression on a variable to determine if policy exemptions are created.
+* Create 3 policy exemptions with only 'exemption1' referencing select policies to be exempted (via policyDefinitionReferenceIds).
+
+```hcl
+module "policy_exemptions" {
+ count = var.exemptions_required ? 1 : 0
+ source = "globalbao/policy-exemptions/azurerm"
+ version = "0.2.1"
+ policyExemptions = {
+ exemption1 = {
+ deploymentMode = "Incremental"
+ name = "exemption1"
+ displayName = "exemption1 for Insert-Your-RG-Name1"
+ description = "exemption1 waives compliance on an resource group"
+ resourceGroupName = "Insert-Your-RG-Name1"
+ policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+ policyDefinitionReferenceIds = [
+ "installLogAnalyticsAgentOnVmMonitoring",
+ "installLogAnalyticsAgentOnVmssMonitoring",
+ "windowsDefenderExploitGuardMonitoring",
+ "useRbacRulesMonitoring"
+ ]
+ exemptionCategory = "Waiver"
+ expiresOn = "2025-12-30"
+ metadata = {
+ "requestedBy" : "RG team",
+ "approvedBy" : "DrGovernance",
+ "approvedOn" : "2021-07-26",
+ "ticketRef" : "123456"
+ }
+ },
+ exemption2 = {
+ deploymentMode = "Incremental"
+ name = "exemption2"
+ displayName = "exemption2 for Insert-Your-RG-Name2"
+ description = "exemption2 waives compliance on an resource group"
+ resourceGroupName = "Insert-Your-RG-Name2"
+ policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+ policyDefinitionReferenceIds = []
+ exemptionCategory = "Mitigated"
+ expiresOn = "2025-12-31"
+ metadata = {}
+ },
+ exemption3 = {
+ deploymentMode = "Incremental"
+ name = "exemption3"
+ displayName = "exemption3 for Insert-Your-RG-Name3"
+ description = "exemption3 waives compliance on an resource group"
+ resourceGroupName = "Insert-Your-RG-Name3"
+ policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+ policyDefinitionReferenceIds = []
+ exemptionCategory = "Waiver"
+ expiresOn = "2025-12-29"
+ metadata = {}
+ }
+ }
+}
+```
\ No newline at end of file
diff --git a/examples/count/main.tf b/examples/count/main.tf
new file mode 100644
index 0000000..a4adb35
--- /dev/null
+++ b/examples/count/main.tf
@@ -0,0 +1,53 @@
+module "policy_exemptions" {
+ count = var.exemptions_required ? 1 : 0
+ source = "globalbao/policy-exemptions/azurerm"
+ version = "0.2.1"
+ policyExemptions = {
+ exemption1 = {
+ deploymentMode = "Incremental"
+ name = "exemption1"
+ displayName = "exemption1 for Insert-Your-RG-Name1"
+ description = "exemption1 waives compliance on an resource group"
+ resourceGroupName = "Insert-Your-RG-Name1"
+ policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+ policyDefinitionReferenceIds = [
+ "installLogAnalyticsAgentOnVmMonitoring",
+ "installLogAnalyticsAgentOnVmssMonitoring",
+ "windowsDefenderExploitGuardMonitoring",
+ "useRbacRulesMonitoring"
+ ]
+ exemptionCategory = "Waiver"
+ expiresOn = "2025-12-30"
+ metadata = {
+ "requestedBy" : "RG team",
+ "approvedBy" : "DrGovernance",
+ "approvedOn" : "2021-07-26",
+ "ticketRef" : "123456"
+ }
+ },
+ exemption2 = {
+ deploymentMode = "Incremental"
+ name = "exemption2"
+ displayName = "exemption2 for Insert-Your-RG-Name2"
+ description = "exemption2 waives compliance on an resource group"
+ resourceGroupName = "Insert-Your-RG-Name2"
+ policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+ policyDefinitionReferenceIds = []
+ exemptionCategory = "Mitigated"
+ expiresOn = "2025-12-31"
+ metadata = {}
+ },
+ exemption3 = {
+ deploymentMode = "Incremental"
+ name = "exemption3"
+ displayName = "exemption3 for Insert-Your-RG-Name3"
+ description = "exemption3 waives compliance on an resource group"
+ resourceGroupName = "Insert-Your-RG-Name3"
+ policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+ policyDefinitionReferenceIds = []
+ exemptionCategory = "Waiver"
+ expiresOn = "2025-12-29"
+ metadata = {}
+ }
+ }
+}
\ No newline at end of file
diff --git a/examples/count/outputs.tf b/examples/count/outputs.tf
new file mode 100644
index 0000000..8526778
--- /dev/null
+++ b/examples/count/outputs.tf
@@ -0,0 +1,4 @@
+output "policy_exemptions" {
+ value = module.policy_exemptions
+ description = "All output variables for policy exemptions module"
+}
\ No newline at end of file
diff --git a/examples/count/provider.tf b/examples/count/provider.tf
new file mode 100644
index 0000000..615cb43
--- /dev/null
+++ b/examples/count/provider.tf
@@ -0,0 +1,3 @@
+provider "azurerm" {
+ features {}
+}
\ No newline at end of file
diff --git a/examples/count/variables.tf b/examples/count/variables.tf
new file mode 100644
index 0000000..5c9b42c
--- /dev/null
+++ b/examples/count/variables.tf
@@ -0,0 +1,5 @@
+variable "exemptions_required" {
+ type = bool
+ default = true
+ description = "Determines if policy exemptions are required"
+}
\ No newline at end of file
diff --git a/examples/count/versions.tf b/examples/count/versions.tf
new file mode 100644
index 0000000..684b365
--- /dev/null
+++ b/examples/count/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.13"
+}
\ No newline at end of file
From c7d73336ebc673ac323713ca52395fb245f06a90 Mon Sep 17 00:00:00 2001
From: Jesse Json <13147870+jesseloudon@users.noreply.github.com>
Date: Sat, 30 Oct 2021 09:26:54 +1100
Subject: [PATCH 3/4] add descriptions and update docs
---
 README.md | 40 ++++++++++++++++++++--------------------
 outputs.tf | 4 +++-
 2 files changed, 23 insertions(+), 21 deletions(-)
diff --git a/README.md b/README.md
index 8fdb533..ae580d1 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ Note: Terraform v0.13 or greater is required to use this module. Download the la
 ```hcl
 module "policy_exemptions" {
 source = "globalbao/policy-exemptions/azurerm"
- version = "0.1.1"
+ version = "0.2.1"
 policyExemptions = {
 exemption1 = {
 deploymentMode = "Incremental"
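Review bot: `exemption2` and `exemption3` in examples/count/main.tf set `policyDefinitionReferenceIds = []` together with `metadata = {}`, so — assuming the module passes these values through to the ARM resource unchanged — each of those exemptions waives every policy in the referenced assignment and records nobody as requester or approver, unlike `exemption1`. Because an exemption switches off compliance evaluation for the whole resource group, the example should either scope them to reference IDs or say what the empty list does, e.g. `# empty list exempts ALL policies in the assignment; keep requestedBy/approvedBy metadata for the audit trail`. The `expiresOn` values are also date-only strings, while the policyExemptions ARM schema describes the field as a UTC ISO 8601 date-time; unless the module normalises the value, `"2025-12-30T00:00:00Z"` is the safer form — worth confirming against the module, whose body is not in view here.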
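Review bot: `default = true` on `exemptions_required` in examples/count/variables.tf means a bare `terraform apply` of the example takes the branch that weakens policy enforcement, so a copy-paste user gets exemptions created without having asked for them. For a toggle whose effect is to disable compliance evaluation, fail-closed is the safer convention: `default = false` with the description reading `"Set to true to create the policy exemptions; defaults to false so exemptions are only created when explicitly requested"`.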
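Review bot: examples/count/versions.tf pins `required_version = ">= 0.13"` but declares no `required_providers` block, so the azurerm provider behind the `provider "azurerm"` block floats to whatever the registry serves at `terraform init` time, while the module itself is pinned to `0.2.1`. That mismatch undermines reproducibility and leaves the example exposed to unreviewed provider releases; add a `required_providers { azurerm = { source = "hashicorp/azurerm", version = "..." } }` entry using the same constraint the module's own versions.tf declares (not visible in this patch), and commit the resulting lock file alongside the example.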
@@ -36,7 +36,7 @@ module "policy_exemptions" {
 ```hcl
 module "policy_exemptions" {
 source = "globalbao/policy-exemptions/azurerm"
- version = "0.1.1"
+ version = "0.2.1"
 policyExemptions = {
 exemption1 = {
 deploymentMode = "Incremental"
@@ -61,28 +61,28 @@ module "policy_exemptions" {
 }
 },
 exemption2 = {
- deploymentMode = "Incremental"
- name = "exemption2"
- displayName = "exemption2 for Insert-Your-RG-Name2"
- description = "exemption2 waives compliance on an resource group"
- resourceGroupName = "Insert-Your-RG-Name2"
- policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+ deploymentMode = "Incremental"
+ name = "exemption2"
+ displayName = "exemption2 for Insert-Your-RG-Name2"
+ description = "exemption2 waives compliance on an resource group"
+ resourceGroupName = "Insert-Your-RG-Name2"
+ policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
 policyDefinitionReferenceIds = []
- exemptionCategory = "Mitigated"
- expiresOn = "2025-12-31"
- metadata = {}
+ exemptionCategory = "Mitigated"
+ expiresOn = "2025-12-31"
+ metadata = {}
 },
 exemption3 = {
- deploymentMode = "Incremental"
- name = "exemption3"
- displayName = "exemption3 for Insert-Your-RG-Name3"
- description = "exemption3 waives compliance on an resource group"
- resourceGroupName = "Insert-Your-RG-Name3"
- policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+ deploymentMode = "Incremental"
+ name = "exemption3"
+ displayName = "exemption3 for Insert-Your-RG-Name3"
+ description = "exemption3 waives compliance on an resource group"
+ resourceGroupName = "Insert-Your-RG-Name3"
+ policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
 policyDefinitionReferenceIds = []
- exemptionCategory = "Waiver"
- expiresOn = "2025-12-29"
- metadata = {}
+ exemptionCategory = "Waiver"
+ expiresOn = "2025-12-29"
+ metadata = {}
 }
 }
 }
diff --git a/outputs.tf b/outputs.tf
index a046cd2..1c18421 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,5 +1,6 @@
 output "variables" {
- value = var.policyExemptions
+ value = var.policyExemptions
+ description = "Outputs the policy exemption variables"
 }
 
 output "template_deployment" {
@@ -7,4 +8,5 @@ output "template_deployment" {
 for k, v in try(azurerm_resource_group_template_deployment.this.*, {}) :
 k => try(jsondecode(v), v)
 }
+ description = "Outputs the policy exemption ARM template"
 }
\ No newline at end of file
From eac8fcfd6568304d61bc461b3586624f93ac78df Mon Sep 17 00:00:00 2001
From: Jesse Json <13147870+jesseloudon@users.noreply.github.com>
Date: Sat, 30 Oct 2021 09:27:15 +1100
Subject: [PATCH 4/4] update docs and desc
---
 examples/default/README.md | 38 ++++++++++++++++++-------------------
 examples/default/main.tf | 38 ++++++++++++++++++-------------------
 examples/default/outputs.tf | 9 +++------
 3 files changed, 41 insertions(+), 44 deletions(-)
diff --git a/examples/default/README.md b/examples/default/README.md
index b7890d9..516c735 100644
--- a/examples/default/README.md
+++ b/examples/default/README.md
@@ -11,7 +11,7 @@ Learn more about [Azure Policy Exemptions](https://docs.microsoft.com/en-us/azur
 ```hcl
 module "policy_exemptions" {
 source = "globalbao/policy-exemptions/azurerm"
- version = "0.1.0"
+ version = "0.2.1"
 policyExemptions = {
 exemption1 = {
 deploymentMode = "Incremental"
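Review bot: The new `description = "Outputs the policy exemption ARM template"` in outputs.tf understates what the output carries: the context lines show `template_deployment` is built from `azurerm_resource_group_template_deployment.this.*`, i.e. the full resource objects for every deployment (template, parameters and deployment outputs as the provider exposes them), not just a template. A reader deciding whether this is safe to expose across a remote-state boundary needs that, so something like `description = "Map of the azurerm_resource_group_template_deployment resource objects created per exemption (template, parameters and deployment outputs)"` is more accurate. Separately, and pre-existing rather than introduced here, `try(jsondecode(v), v)` looks like it will always fall back to `v` since `v` is a resource object rather than a JSON string — if that is the case, the `jsondecode` is dead and a comment or removal would avoid misleading the next maintainer; the `value = {` opening line is outside the hunk.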
@@ -36,28 +36,28 @@ module "policy_exemptions" {
 }
 },
 exemption2 = {
- deploymentMode = "Incremental"
- name = "exemption2"
- displayName = "exemption2 for Insert-Your-RG-Name2"
- description = "exemption2 waives compliance on an resource group"
- resourceGroupName = "Insert-Your-RG-Name2"
- policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+ deploymentMode = "Incremental"
+ name = "exemption2"
+ displayName = "exemption2 for Insert-Your-RG-Name2"
+ description = "exemption2 waives compliance on an resource group"
+ resourceGroupName = "Insert-Your-RG-Name2"
+ policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
 policyDefinitionReferenceIds = []
- exemptionCategory = "Mitigated"
- expiresOn = "2025-12-31"
- metadata = {}
+ exemptionCategory = "Mitigated"
+ expiresOn = "2025-12-31"
+ metadata = {}
 },
 exemption3 = {
- deploymentMode = "Incremental"
- name = "exemption3"
- displayName = "exemption3 for Insert-Your-RG-Name3"
- description = "exemption3 waives compliance on an resource group"
- resourceGroupName = "Insert-Your-RG-Name3"
- policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+ deploymentMode = "Incremental"
+ name = "exemption3"
+ displayName = "exemption3 for Insert-Your-RG-Name3"
+ description = "exemption3 waives compliance on an resource group"
+ resourceGroupName = "Insert-Your-RG-Name3"
+ policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
 policyDefinitionReferenceIds = []
- exemptionCategory = "Waiver"
- expiresOn = "2025-12-29"
- metadata = {}
+ exemptionCategory = "Waiver"
+ expiresOn = "2025-12-29"
+ metadata = {}
 }
 }
 }
diff --git a/examples/default/main.tf b/examples/default/main.tf
index 59b66fa..98133b4 100644
--- a/examples/default/main.tf
+++ b/examples/default/main.tf
@@ -1,6 +1,6 @@
 module "policy_exemptions" {
 source = "globalbao/policy-exemptions/azurerm"
- version = "0.1.1"
+ version = "0.2.1"
 policyExemptions = {
 exemption1 = {
 deploymentMode = "Incremental"
@@ -25,28 +25,28 @@ module "policy_exemptions" {
 }
 },
 exemption2 = {
- deploymentMode = "Incremental"
- name = "exemption2"
- displayName = "exemption2 for Insert-Your-RG-Name2"
- description = "exemption2 waives compliance on an resource group"
- resourceGroupName = "Insert-Your-RG-Name2"
- policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+ deploymentMode = "Incremental"
+ name = "exemption2"
+ displayName = "exemption2 for Insert-Your-RG-Name2"
+ description = "exemption2 waives compliance on an resource group"
+ resourceGroupName = "Insert-Your-RG-Name2"
+ policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
 policyDefinitionReferenceIds = []
- exemptionCategory = "Mitigated"
- expiresOn = "2025-12-31"
- metadata = {}
+ exemptionCategory = "Mitigated"
+ expiresOn = "2025-12-31"
+ metadata = {}
 },
 exemption3 = {
- deploymentMode = "Incremental"
- name = "exemption3"
- displayName = "exemption3 for Insert-Your-RG-Name3"
- description = "exemption3 waives compliance on an resource group"
- resourceGroupName = "Insert-Your-RG-Name3"
- policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
+ deploymentMode = "Incremental"
+ name = "exemption3"
+ displayName = "exemption3 for Insert-Your-RG-Name3"
+ description = "exemption3 waives compliance on an resource group"
+ resourceGroupName = "Insert-Your-RG-Name3"
+ policyAssignmentId = "/providers/Microsoft.Management/managementGroups/production/providers/Microsoft.Authorization/policyAssignments/2f97de7d41f348529e23d8ae"
 policyDefinitionReferenceIds = []
- exemptionCategory = "Waiver"
- expiresOn = "2025-12-29"
- metadata = {}
+ exemptionCategory = "Waiver"
+ expiresOn = "2025-12-29"
+ metadata = {}
 }
 }
 }
\ No newline at end of file
diff --git a/examples/default/outputs.tf b/examples/default/outputs.tf
index 39c106f..8526778 100644
--- a/examples/default/outputs.tf
+++ b/examples/default/outputs.tf
@@ -1,7 +1,4 @@
-output "variables" {
- value = module.policy_exemptions.variables
-}
-
-output "template_deployment" {
- value = module.policy_exemptions.template_deployment
+output "policy_exemptions" {
+ value = module.policy_exemptions
+ description = "All output variables for policy exemptions module"
 }
\ No newline at end of file