Terraform modules that simplify the workflow of custom and built-in Azure Policies
- Fixes #52: `initiative` module now populates parameter `displayName`, making it easier to identify definition references in the Azure Portal
- Full Changelog: https://github.com/gettek/terraform-azurerm-policy-as-code/compare/2.6.4...2.6.5

- Better handling of empty parameters (second fix: https://github.com/gettek/terraform-azurerm-policy-as-code/issues/46)
- Full Changelog: https://github.com/gettek/terraform-azurerm-policy-as-code/compare/2.6.3...2.6.4

- `set_assignment` module: Initiative Remediation tasks now use `policy_definition_reference_id` in favour of `policy_definition_id` (requires AzureRM Provider Version 3.23.0). See: https://github.com/hashicorp/terraform-provider-azurerm/pull/18037

- `*-assignment` modules: `resource_count`, `parallel_deployments` and `failure_percentage`
- `hashicorp/azurerm >=3.21.0`

- `convert_from_tf_plan.ps1`: export policies from a terraform plan output for easy library imports
- `precommit.ps1`: precommit tasks that generate tf docs
- `merge_parameters = false` will create unique parameter references for each member definition
- `definition` module: `coalesce()` did not correctly evaluate policy object metadata into `local.metadata`

- `initiative` module: `var.merge_effects` allows member definitions to have unique "effect" parameters at assignment
- `*-assignment` modules: `var.assignment_metadata`
- `set_assignment` module: `var.non_compliance_message` attribute changed to `var.non_compliance_messages` to allow both default and definition-specific messages
- `definition` module: `file_path` for custom policies located outside the module library
- `*-assignment` modules: `remediation_scope`
- `set_assignment` module: `role_definition_ids` attribute no longer an explicit requirement to successfully assign roles
- `skip_remediation=true` (see: https://github.com/gettek/terraform-azurerm-policy-as-code/issues/21)
- `resource_discovery_mode` from `azurerm_management_group_policy_remediation` (see: https://github.com/hashicorp/terraform-provider-azurerm/issues/17007)
- `set_assignment` would suffer from an `Error: Invalid for_each argument`. Now there is no need to run `-var="skip_remediation=true"` on first time plan/apply.
- `policy_definition_reference_ids` are no longer md5 hashed, making it easier to identify references.

- `def_assignment` & `set_assignment` modules now use the split remediation resources (#13) (AzureRM >=3.0.0):
  - `azurerm_management_group_policy_remediation`
  - `azurerm_subscription_policy_remediation`
  - `azurerm_resource_group_policy_remediation`
  - `azurerm_resource_policy_remediation`
- `exemption` module replaces ARM template deployment in favour of new provider resources (AzureRM >=3.2.0):
  - `azurerm_management_group_policy_exemption`
  - `azurerm_subscription_policy_exemption`
  - `azurerm_resource_group_policy_exemption`
  - `azurerm_resource_policy_exemption`
- `management_group` => `management_group_id`
- `Error: no schema available for module.{assignment_name}.azurerm_policy_remediation.rem[0] while reading state; this is a bug in Terraform and should be reported`
- Use the `def_assignment` and `set_assignment` modules at <=2.4.0 to safely remove all existing remediation resources before upgrading to this version. To do this, simply specify `skip_remediation=true`.

- `management_group_name` is deprecated in favour of `management_group_id`
- `management_group_name` => `management_group`
- `name` or `group_id` attribute, but not `id`
- `try {}` block from the `policy_object` local in the `definition` module to better present errors when definition files are not found
- `examples-guest-config`
- `markdown_generator.ps1` script to better present the local definition library