Terraform modules that simplify the workflow of custom and built-in Azure Policies
Fixes #52 - initiative module now populates parameter displayName making it easier to identify definition references in the Azure Portal
Full Changelog: https://github.com/gettek/terraform-azurerm-policy-as-code/compare/2.6.4...2.6.5
Better handling of empty parameters (second fix: https://github.com/gettek/terraform-azurerm-policy-as-code/issues/46)
Full Changelog: https://github.com/gettek/terraform-azurerm-policy-as-code/compare/2.6.3...2.6.4
set_assignment module - Initiative Remediation tasks now use policy_definition_reference_id in favour of policy_definition_id (requires AzureRM Provider Version: 3.23.0). See: https://github.com/hashicorp/terraform-provider-azurerm/pull/18037
*-assignment modules:
resource_count, parallel_deployments and failure_percentage
hashicorp/azurerm >=3.21.0
convert_from_tf_plan.ps1: export policies from a terraform plan output for easy library importsprecommit.ps1: precommit tasks that generate tf docsmerge_parameters = false will create unique parameter references for each member definitiondefinition module:
coalesce() did not correctly evaluate policy object metadata into local.metadata
initiative module:
var.merge_effects allows member definitions to have unique "effect" parameters at assignment*-assignment modules:
var.assignment_metadata
set_assignment module:
var.non_compliance_message attribute changed to var.non_compliance_messages to allow both default and definition-specific messagesdefinition module:
file_path for custom policies located outside the module library*-assignment modules:
remediation_scope
set_assignment module:
role_definition_ids attribute no longer an explicit requirement to successfully assign rolesskip_remediation=true (see: https://github.com/gettek/terraform-azurerm-policy-as-code/issues/21)resource_discovery_mode from azurerm_management_group_policy_remediation (see: https://github.com/hashicorp/terraform-provider-azurerm/issues/17007)set_assignment would suffer from an Error: Invalid for_each argument. Now there is no need to run -var="skip_remediation=true" on first time plan/apply.policy_definition_reference_ids are no longer md5 hashed making it easier to identify references.def_assignment & set_assignment modules now use the split remediation resources (#13) (AzureRM >=3.0.0):
azurerm_management_group_policy_remediation
azurerm_subscription_policy_remediation
azurerm_resource_group_policy_remediation
azurerm_resource_policy_remediation
exemption module replaces arm template deployment in favor of new provider resources (AzureRM >=3.2.0):
azurerm_management_group_policy_exemption
azurerm_subscription_policy_exemption
azurerm_resource_group_policy_exemption
azurerm_resource_policy_exemption
management_group => management_group_id
Error: no schema available for module.{assignment_name}.azurerm_policy_remediation.rem[0] while reading state; this is a bug in Terraform and should be reported
Use def_assignment and set_assignment module <=2.4.0 to safely remove all existing remediation resources before upgrading to this version. To do this simply specify skip_remediation=true.
management_group_name is deprecated in favour of management_group_id
management_group_name => management_group
name or group_id attribute, but not id
try {} block from policy_object local in the definition module to better present errors when definition files are not foundexamples-guest-config
markdown_generator.ps1 script to better present local definition library