terraform-azurerm-caf-enter.../resources.policy_assignment...

resource "azurerm_policy_assignment" "enterprise_scale" {
  for_each = local.azurerm_policy_assignment_enterprise_scale

  # Mandatory resource attributes
  # The policy assignment name length must not exceed '24' characters, but Terraform plan is unable to validate this in the plan stage. The following logic forces an error during plan if an invalid name length is specified.
  name                 = tonumber(length(each.value.template.name) > 24 ? "The policy assignment name '${each.value.template.name}' is invalid. The policy assignment name length must not exceed '24' characters." : length(each.value.template.name)) > 24 ? null : each.value.template.name
  scope                = each.value.scope_id
  policy_definition_id = each.value.template.properties.policyDefinitionId

  # Optional resource attributes
  identity {
    type = try(each.value.template.identity.type, "None")
  }

  location         = try(each.value.template.location, null)
  description      = try(each.value.template.properties.description, "${each.value.template.name} Policy Assignment at scope ${each.value.scope_id}")
  display_name     = try(each.value.template.properties.displayName, each.value.template.name)
  metadata         = try(length(each.value.template.properties.metadata) > 0, false) ? jsonencode(each.value.template.properties.metadata) : null
  parameters       = try(length(each.value.parameters) > 0, false) ? jsonencode(each.value.parameters) : null
  not_scopes       = try(each.value.template.properties.notScopes, local.empty_list)
  enforcement_mode = each.value.enforcement_mode

  # Set explicit dependency on Management Group, Policy Definition and Policy Set Definition deployments
  depends_on = [
    time_sleep.after_azurerm_management_group,
    time_sleep.after_azurerm_policy_definition,
    time_sleep.after_azurerm_policy_set_definition,
  ]

}

resource "time_sleep" "after_azurerm_policy_assignment" {
  depends_on = [
    time_sleep.after_azurerm_management_group,
    time_sleep.after_azurerm_policy_definition,
    time_sleep.after_azurerm_policy_set_definition,
    azurerm_policy_assignment.enterprise_scale,
  ]

  triggers = {
    "azurerm_policy_assignment_enterprise_scale" = jsonencode(keys(azurerm_policy_assignment.enterprise_scale))
  }

  create_duration  = local.create_duration_delay["after_azurerm_policy_assignment"]
  destroy_duration = local.destroy_duration_delay["after_azurerm_policy_assignment"]
}
Initial module upload to repository 2020-09-25 22:39:19 +03:00			`resource "azurerm_policy_assignment" "enterprise_scale" {`
Refactor for_each logic on resources 2020-10-09 15:45:50 +03:00			`for_each = local.azurerm_policy_assignment_enterprise_scale`
Initial module upload to repository 2020-09-25 22:39:19 +03:00
			`# Mandatory resource attributes`
			`# The policy assignment name length must not exceed '24' characters, but Terraform plan is unable to validate this in the plan stage. The following logic forces an error during plan if an invalid name length is specified.`
			`name = tonumber(length(each.value.template.name) > 24 ? "The policy assignment name '${each.value.template.name}' is invalid. The policy assignment name length must not exceed '24' characters." : length(each.value.template.name)) > 24 ? null : each.value.template.name`
			`scope = each.value.scope_id`
			`policy_definition_id = each.value.template.properties.policyDefinitionId`

			`# Optional resource attributes`
			`identity {`
Fix enforcement_mode and simplify try() logic (#68) * Fix incorrect logic for policy enforcement mode * Add enforcement mode to policy assignment templates * Remove obsolete SKU block from policy assignments * Simplify try() logic on resources 2021-04-07 18:14:39 +03:00			`type = try(each.value.template.identity.type, "None")`
Initial module upload to repository 2020-09-25 22:39:19 +03:00			`}`

Fix enforcement_mode and simplify try() logic (#68) * Fix incorrect logic for policy enforcement mode * Add enforcement mode to policy assignment templates * Remove obsolete SKU block from policy assignments * Simplify try() logic on resources 2021-04-07 18:14:39 +03:00			`location = try(each.value.template.location, null)`
			`description = try(each.value.template.properties.description, "${each.value.template.name} Policy Assignment at scope ${each.value.scope_id}")`
			`display_name = try(each.value.template.properties.displayName, each.value.template.name)`
			`metadata = try(length(each.value.template.properties.metadata) > 0, false) ? jsonencode(each.value.template.properties.metadata) : null`
Add management landing zone resources (#69) - Adds support for Terraform `v0.15.0` - Adds "Management resources" capability to enable deploying the "Management landing zone", including: - Log Analytics workspace - Automation Account (integrated with Log Analytics workspace) - Recommended Log Analytics solutions - Automated integration of Log Analytics workspace config into Policy Assignments - "Feature switches" to control additional Policy Assignment settings relating to the Management capabilities - Documentation to reflect additions, including update to release v0.2.0 - Remove `Deploy-Diagnostics-PublicIP` Policy Definition (now built-in) - Add multiple Policy Definitions for ASC Defender configuration - Replace `Deploy-ASC-Standard` Policy Definition with `Deploy-ASC-Config` Policy Set Definition - Update Log Analytics workspace configuration settings in `Deploy-Log-Analytics` Policy Definition - Fix incorrect logic for handling `enforcement_mode` setting for Policy Assignments - Remove deprecated `skip_service_principal_aad_check` setting from Role Assignments - Update minimum supported AzureRM provider version to `v2.41.0` 2021-04-29 00:07:14 +03:00			`parameters = try(length(each.value.parameters) > 0, false) ? jsonencode(each.value.parameters) : null`
Fix enforcement_mode and simplify try() logic (#68) * Fix incorrect logic for policy enforcement mode * Add enforcement mode to policy assignment templates * Remove obsolete SKU block from policy assignments * Simplify try() logic on resources 2021-04-07 18:14:39 +03:00			`not_scopes = try(each.value.template.properties.notScopes, local.empty_list)`
Add management landing zone resources (#69) - Adds support for Terraform `v0.15.0` - Adds "Management resources" capability to enable deploying the "Management landing zone", including: - Log Analytics workspace - Automation Account (integrated with Log Analytics workspace) - Recommended Log Analytics solutions - Automated integration of Log Analytics workspace config into Policy Assignments - "Feature switches" to control additional Policy Assignment settings relating to the Management capabilities - Documentation to reflect additions, including update to release v0.2.0 - Remove `Deploy-Diagnostics-PublicIP` Policy Definition (now built-in) - Add multiple Policy Definitions for ASC Defender configuration - Replace `Deploy-ASC-Standard` Policy Definition with `Deploy-ASC-Config` Policy Set Definition - Update Log Analytics workspace configuration settings in `Deploy-Log-Analytics` Policy Definition - Fix incorrect logic for handling `enforcement_mode` setting for Policy Assignments - Remove deprecated `skip_service_principal_aad_check` setting from Role Assignments - Update minimum supported AzureRM provider version to `v2.41.0` 2021-04-29 00:07:14 +03:00			`enforcement_mode = each.value.enforcement_mode`
Initial module upload to repository 2020-09-25 22:39:19 +03:00
Update dependencies to support partial deployments 2020-10-19 22:22:24 +03:00			`# Set explicit dependency on Management Group, Policy Definition and Policy Set Definition deployments`
Initial module upload to repository 2020-09-25 22:39:19 +03:00			`depends_on = [`
Library template update automation, and bug fixes (#44) - Update Unit and E2E test pipelines to use YML templates and dynamic matrix generation. - Add custom PS module for `Enterprise Scale Library Tools` to handle automated library template updates. - Add script and GitHub Action to enable automated library template updates from [Azure/Enterprise-Scale](https://github.com/Azure/Enterprise-Scale) repository using a CI pipeline. - Add offline ProviderApiVersions cache in `Enterprise Scale Library Tools` to negate the need for Azure credentials. - Update Library Templates (automated) using new CI process. - Manual remediations to updated library templates to ensure full compatibility with Terraform (needs to be fixed at source to prevent regression). - Update Policy Assignments and archetypes to provide parity with [WingTip reference Enterprise-Scale foundations](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/wingtip/README.md). - Update Resource definitions in base module to use `name` field instead of `properties.displayName` to allow setting a more "human-friendly" displayName on policies and roles. - Fix bug where duplicate roles are created at the same scope for policy assignments with managed identity. - Add customizable delay between deployment of different resource types to reduce deployment errors due to caching and replication in the Azure API (Improvement to help Fix #37). - Update `root_parent_id` validation regex to include support for additional supported characters (Fix #43). 2021-03-06 22:29:26 +03:00			`time_sleep.after_azurerm_management_group,`
			`time_sleep.after_azurerm_policy_definition,`
			`time_sleep.after_azurerm_policy_set_definition,`
Initial module upload to repository 2020-09-25 22:39:19 +03:00			`]`

			`}`
Library template update automation, and bug fixes (#44) - Update Unit and E2E test pipelines to use YML templates and dynamic matrix generation. - Add custom PS module for `Enterprise Scale Library Tools` to handle automated library template updates. - Add script and GitHub Action to enable automated library template updates from [Azure/Enterprise-Scale](https://github.com/Azure/Enterprise-Scale) repository using a CI pipeline. - Add offline ProviderApiVersions cache in `Enterprise Scale Library Tools` to negate the need for Azure credentials. - Update Library Templates (automated) using new CI process. - Manual remediations to updated library templates to ensure full compatibility with Terraform (needs to be fixed at source to prevent regression). - Update Policy Assignments and archetypes to provide parity with [WingTip reference Enterprise-Scale foundations](https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/wingtip/README.md). - Update Resource definitions in base module to use `name` field instead of `properties.displayName` to allow setting a more "human-friendly" displayName on policies and roles. - Fix bug where duplicate roles are created at the same scope for policy assignments with managed identity. - Add customizable delay between deployment of different resource types to reduce deployment errors due to caching and replication in the Azure API (Improvement to help Fix #37). - Update `root_parent_id` validation regex to include support for additional supported characters (Fix #43). 2021-03-06 22:29:26 +03:00
			`resource "time_sleep" "after_azurerm_policy_assignment" {`
			`depends_on = [`
			`time_sleep.after_azurerm_management_group,`
			`time_sleep.after_azurerm_policy_definition,`
			`time_sleep.after_azurerm_policy_set_definition,`
			`azurerm_policy_assignment.enterprise_scale,`
			`]`

			`triggers = {`
			`"azurerm_policy_assignment_enterprise_scale" = jsonencode(keys(azurerm_policy_assignment.enterprise_scale))`
			`}`

			`create_duration = local.create_duration_delay["after_azurerm_policy_assignment"]`
			`destroy_duration = local.destroy_duration_delay["after_azurerm_policy_assignment"]`
			`}`