2.9.1 (#102)

Author: gettek

README.md

@@ -37,35 +37,12 @@
 
 ```bash
 📦examples
-  ├──📜assignments_mg.tf
-  ├──📜backend.tf
-  ├──📜built-in.tf
-  ├──📜data.tf
-  ├──📜definitions.tf
-  ├──📜exemptions.tf
-  ├──📜initiatives.tf
-  ├──📜variables.tf
 📦modules
   └──📂def_assignment
-      ├──📜main.tf
-      ├──📜outputs.tf
-      └──📜variables.tf
   └──📂definition
-      ├──📜main.tf
-      ├──📜outputs.tf
-      └──📜variables.tf
   └──📂exemption
-      ├──📜main.tf
-      ├──📜outputs.tf
-      └──📜variables.tf
   └──📂initiative
-      ├──📜main.tf
-      ├──📜outputs.tf
-      └──📜variables.tf
   └──📂set_assignment
-      ├──📜main.tf
-      ├──📜outputs.tf
-      └──📜variables.tf
 📦policies
   └──📂policy_category (e.g. General, should correspond to [var.policy_category])
       └──📜policy_name.json (e.g. whitelist_regions, should correspond to [var.policy_name])
@@ -162,10 +139,7 @@ module org_mg_platform_diagnostics_initiative {
     data.azurerm_management_group.team_a.id
   ]
 
-  non_compliance_messages = {
-    null                                      = "The Default non-compliance message for all member definitions"
-    DeployApplicationGatewayDiagnosticSetting = "The non-compliance message for the deploy_application_gateway_diagnostic_setting definition"
-  }
+  non_compliance_messages = module.platform_diagnostics_initiative.non_compliance_messages
 }
 ```
 

examples/initiatives.tf

@@ -7,6 +7,7 @@ module "configure_asc_initiative" {
   initiative_display_name = "[Security]: Configure Azure Security Center"
   initiative_description  = "Deploys and configures Azure Security Center settings and defines exports"
   initiative_category     = "Security Center"
+  initiative_version      = "2.0.0"
   management_group_id     = data.azurerm_management_group.org.id
 
   # Populate member_definitions

modules/exemption/variables.tf

@@ -1,16 +1,31 @@
 variable "name" {
   type        = string
   description = "Name for the Policy Exemption"
+
+  validation {
+    condition     = length(var.name) <= 64
+    error_message = "Exemption names have a maximum 64 character limit."
+  }
 }
 
 variable "display_name" {
   type        = string
   description = "Display name for the Policy Exemption"
+
+  validation {
+    condition     = length(var.display_name) <= 128
+    error_message = "Exemption display names have a maximum 128 character limit."
+  }
 }
 
 variable "description" {
   type        = string
   description = "Description for the Policy Exemption"
+
+  validation {
+    condition     = length(var.description) <= 512
+    error_message = "Exemption descriptions have a maximum 512 character limit."
+  }
 }
 
 variable "scope" {
@@ -72,7 +87,7 @@ locals {
 
   # generate reference Ids when unknown, assumes the set was created with the initiative module
   policy_definition_reference_ids = length(var.member_definition_names) > 0 ? [for name in var.member_definition_names :
-    replace(substr(title(replace(name, "/-|_|\\s/", " ")), 0, 64), "/\\s/", "")
+    replace(title(replace(name, "/-|_|\\s/", " ")), "/\\s/", "")
   ] : var.policy_definition_reference_ids
 
   exemption_id = try(

modules/initiative/README.md

@@ -134,7 +134,7 @@ module guest_config_prereqs_initiative {
 | initiative_name | Policy initiative name. Changing this forces a new resource to be created | `string` | n/a | yes |
 | initiative_version | The version for this initiative, defaults to 1.0.0 | `string` | `"1.0.0"` | no |
 | management_group_id | The management group scope at which the initiative will be defined. Defaults to current Subscription if omitted. Changing this forces a new resource to be created. Note: if you are using azurerm_management_group to assign a value to management_group_id, be sure to use name or group_id attribute, but not id. | `string` | `null` | no |
-| member_definitions | Policy Definition resource nodes that will be members of this initiative | `list(any)` | n/a | yes |
+| member_definitions | Policy Definition resource nodes that will be members of this initiative | `any` | n/a | yes |
 | merge_effects | Should the module merge all member definition effects? Defaults to true | `bool` | `true` | no |
 | merge_parameters | Should the module merge all member definition parameters? Defaults to true | `bool` | `true` | no |
 

modules/initiative/main.tf

@@ -1,5 +1,5 @@
 resource "terraform_data" "set_replace" {
-  input = md5(jsonencode(local.parameters))
+  input = local.replace_trigger
 }
 
 resource "azurerm_policy_set_definition" "set" {

modules/initiative/outputs.tf

@@ -41,5 +41,6 @@ output "initiative" {
     policy_definition_reference = azurerm_policy_set_definition.set.policy_definition_reference
     reference_ids               = try(azurerm_policy_set_definition.set.policy_definition_reference.*.reference_id, [])
     role_definition_ids         = local.all_role_definition_ids
+    replace_trigger             = local.replace_trigger
   }
 }

modules/initiative/variables.tf

@@ -48,7 +48,7 @@ variable "initiative_version" {
 }
 
 variable "member_definitions" {
-  type        = list(any)
+  type        = any
   description = "Policy Definition resource nodes that will be members of this initiative"
 }
 
@@ -77,17 +77,20 @@ variable "duplicate_members" {
 }
 
 locals {
-  # colate all definition properties into a single reusable object
-  # index numbers (idx) will be prefixed to references when using duplicate member definitions
+  # colate all definition properties into a single reusable object:
+  # - definition references take their policy name transformed to upper camel case
+  # - index numbers (idx) will be prefixed to references when using duplicate member definitions
   member_properties = {
     for idx, d in var.member_definitions :
     var.duplicate_members == false ? d.name : "${idx}_${d.name}" => {
       id                     = d.id
-      reference              = var.duplicate_members == false ? "${replace(substr(title(replace(d.name, "/-|_|\\s/", " ")), 0, 64), "/\\s/", "")}" : "${idx}_${replace(substr(title(replace(d.name, "/-|_|\\s/", " ")), 0, 61), "/\\s/", "")}"
-      parameters             = coalesce(null, jsondecode(d.parameters), null)
       mode                   = try(d.mode, "")
-      role_definition_ids    = try(jsondecode(d.policy_rule).then.details.roleDefinitionIds, [])
+      reference              = var.duplicate_members == false ? replace(title(replace(d.name, "/-|_|\\s/", " ")), "/\\s/", "") : "${idx}_${replace(title(replace(d.name, "/-|_|\\s/", " ")), "/\\s/", "")}"
+      parameters             = coalesce(null, jsondecode(d.parameters), null)
+      category               = try(jsondecode(d.metadata).category, "")
+      version                = try(jsondecode(d.metadata).version, "1.*.*")
       non_compliance_message = try(jsondecode(d.metadata).non_compliance_message, d.description, d.display_name, "Flagged by Policy: ${d.name}")
+      role_definition_ids    = try(jsondecode(d.policy_rule).then.details.roleDefinitionIds, [])
     }
   }
 
@@ -112,6 +115,9 @@ locals {
     }
   })...)
 
+  # generate replacement trigger by hashing parameters, included as an output to prevent regen at assignment
+  replace_trigger = md5(jsonencode(local.parameters))
+
   # combine all role definition IDs present in the policyRule
   all_role_definition_ids = try(distinct([for v in flatten(values({
     for k, v in local.member_properties :

modules/set_assignment/main.tf

@@ -1,5 +1,5 @@
 resource "terraform_data" "set_assign_replace" {
-  input = md5(jsonencode(var.initiative.parameters))
+  input = try(var.initiative.replace_trigger, md5(jsonencode(var.initiative.parameters)))
 }
 
 resource "azurerm_management_group_policy_assignment" "set" {