From c12a502b13be8a2ddd81655a99eb662e43216010 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Tue, 8 Oct 2024 14:41:02 -0500 Subject: [PATCH 01/18] Initial ptn modules for policy exemptions --- ...avm.ptn.authorization.policy-exemption.yml | 88 +++ .../authorization/policy-exemption/README.md | 311 +++++++++ .../authorization/policy-exemption/main.bicep | 149 ++++ .../authorization/policy-exemption/main.json | 650 ++++++++++++++++++ .../modules/management-group.bicep | 68 ++ .../modules/resource-group.bicep | 68 ++ .../modules/subscription.bicep | 68 ++ .../tests/e2e/defaults/main.test.bicep | 48 ++ .../tests/e2e/waf-aligned/main.test.bicep | 48 ++ .../policy-exemption/version.json | 7 + 10 files changed, 1505 insertions(+) create mode 100644 .github/workflows/avm.ptn.authorization.policy-exemption.yml create mode 100644 avm/ptn/authorization/policy-exemption/README.md create mode 100644 avm/ptn/authorization/policy-exemption/main.bicep create mode 100644 avm/ptn/authorization/policy-exemption/main.json create mode 100644 avm/ptn/authorization/policy-exemption/modules/management-group.bicep create mode 100644 avm/ptn/authorization/policy-exemption/modules/resource-group.bicep create mode 100644 avm/ptn/authorization/policy-exemption/modules/subscription.bicep create mode 100644 avm/ptn/authorization/policy-exemption/tests/e2e/defaults/main.test.bicep create mode 100644 avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep create mode 100644 avm/ptn/authorization/policy-exemption/version.json diff --git a/.github/workflows/avm.ptn.authorization.policy-exemption.yml b/.github/workflows/avm.ptn.authorization.policy-exemption.yml new file mode 100644 index 0000000000..5c68e6f925 --- /dev/null +++ b/.github/workflows/avm.ptn.authorization.policy-exemption.yml 
@@ -0,0 +1,88 @@
+name: "avm.ptn.authorization.policy-exemption"
+
+on:
+ workflow_dispatch:
+ inputs:
+ staticValidation:
+ type: boolean
+ description: "Execute static validation"
+ required: false
+ default: true
+ deploymentValidation:
+ type: boolean
+ description: "Execute deployment validation"
+ required: false
+ default: true
+ removeDeployment:
+ type: boolean
+ description: "Remove deployed module"
+ required: false
+ default: true
+ customLocation:
+ type: string
+ description: "Default location overwrite (e.g., eastus)"
+ required: false
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/actions/templates/avm-**"
+ - ".github/workflows/avm.template.module.yml"
+ - ".github/workflows/avm.ptn.authorization.policy-exemption.yml"
+ - "avm/ptn/authorization/policy-exemption/**"
+ - "avm/utilities/pipelines/**"
+ - "!avm/utilities/pipelines/platform/**"
+ - "!*/**/README.md"
+
+env:
+ modulePath: "avm/ptn/authorization/policy-exemption"
+ workflowPath: ".github/workflows/avm.ptn.authorization.policy-exemption.yml"
+
+concurrency:
+ group: ${{ github.workflow }}
+
+jobs:
+ ###########################
+ # Initialize pipeline #
+ ###########################
+ job_initialize_pipeline:
+ runs-on: ubuntu-latest
+ name: "Initialize pipeline"
+ steps:
+ - name: "Checkout"
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: "Set input parameters to output variables"
+ id: get-workflow-param
+ uses: ./.github/actions/templates/avm-getWorkflowInput
+ with:
+ workflowPath: "${{ env.workflowPath}}"
+ - name: "Get module test file paths"
+ id: get-module-test-file-paths
+ uses: ./.github/actions/templates/avm-getModuleTestFiles
+ with:
+ modulePath: "${{ env.modulePath }}"
+ outputs:
+ workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
+ moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }}
+ psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }}
+ modulePath:
"${{ env.modulePath }}"
+
+ ##############################
+ # Call reusable workflow #
+ ##############################
+ call-workflow-passing-data:
+ name: "Run"
+ permissions:
+ id-token: write # For OIDC
+ contents: write # For release tags
+ needs:
+ - job_initialize_pipeline
+ uses: ./.github/workflows/avm.template.module.yml
+ with:
+ workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
+ moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+ psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}"
+ modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
+ secrets: inherit
diff --git a/avm/ptn/authorization/policy-exemption/README.md b/avm/ptn/authorization/policy-exemption/README.md
new file mode 100644
index 0000000000..30387c930b
--- /dev/null
+++ b/avm/ptn/authorization/policy-exemption/README.md
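Review bot: `workflowPath: "${{ env.workflowPath}}"` in the avm-getWorkflowInput step and `modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"` in the reusable-workflow call both lack the space before `}}` that every other expression in this file has; GitHub evaluates them the same, but the inconsistency reads like a typo and should be `"${{ env.workflowPath }}"` and `"${{ needs.job_initialize_pipeline.outputs.modulePath }}"`. The `concurrency` block sets only `group`, so a second push to main queues behind a running validation instead of cancelling it; this presumably mirrors the other avm.* workflows, but a one-line comment such as `# queue rather than cancel so an in-flight deployment validation is never interrupted` would make the choice explicit for readers of this file alone.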
@@ -0,0 +1,311 @@ +# Policy Exemptions (All scopes) `[Authorization/PolicyExemption]` + +This module deploys a Policy Exemption at a Management Group, Subscription or Resource Group scope. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Data Collection](#Data-Collection) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/policyExemptions` | [2022-07-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-07-01-preview/policyExemptions) | + +## Usage examples + +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. + +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +>**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/authorization/policy-exemption:`. + +- [Defaults](#example-1-defaults) +- [Waf-Aligned](#example-2-waf-aligned) + +### Example 1: _Defaults_ + +
+ +via Bicep module + +```bicep +module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' = { + name: 'policyExemptionDeployment' + params: { + // Required parameters + name: 'apedef001' + location: '' + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "apedef001" + }, + "location": { + "value": "" + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/ptn/authorization/policy-exemption:' + +// Required parameters +param name = 'apedef001' +param location = '' +``` + +
+

+ +### Example 2: _Waf-Aligned_ + +

+ +via Bicep module + +```bicep +module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' = { + name: 'policyExemptionDeployment' + params: { + // Required parameters + name: 'apewaf001' + location: '' + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "apewaf001" + }, + "location": { + "value": "" + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/ptn/authorization/policy-exemption:' + +// Required parameters +param name = 'apewaf001' +param location = '' +``` + +
+

+ +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`exemptionCategory`](#parameter-exemptioncategory) | string | The policy exemption category. | +| [`name`](#parameter-name) | string | Specifies the name of the policy exemption. Maximum length is 24 characters for management group scope. | +| [`policyAssignmentId`](#parameter-policyassignmentid) | string | Specifies the ID of the policy assignment that is being exempted. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`assignmentScopeValidation`](#parameter-assignmentscopevalidation) | string | The option to validate whether the exemption is at or under the assignment scope. | +| [`description`](#parameter-description) | string | This message will be part of response in case of policy violation. | +| [`displayName`](#parameter-displayname) | string | The display name of the policy exemption. Maximum length is 128 characters. | +| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`expiresOn`](#parameter-expireson) | string | The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`managementGroupId`](#parameter-managementgroupid) | string | The Target Scope for the Policy. The name of the management group for the policy exemption. If not provided, will use the current scope for deployment. | +| [`metadata`](#parameter-metadata) | object | The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. | +| [`policyDefinitionReferenceIds`](#parameter-policydefinitionreferenceids) | array | The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. 
| +| [`resourceGroupName`](#parameter-resourcegroupname) | string | The Target Scope for the Policy. The name of the resource group for the policy exemption. | +| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out Policy exemptions based on factors like resource location, resource type, or whether a resource has a location. | +| [`subscriptionId`](#parameter-subscriptionid) | string | The Target Scope for the Policy. The subscription ID of the subscription for the policy exemption. | + +### Parameter: `exemptionCategory` + +The policy exemption category. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Mitigated' + 'Waiver' + ] + ``` + +### Parameter: `name` + +Specifies the name of the policy exemption. Maximum length is 24 characters for management group scope. + +- Required: Yes +- Type: string + +### Parameter: `policyAssignmentId` + +Specifies the ID of the policy assignment that is being exempted. + +- Required: Yes +- Type: string + +### Parameter: `assignmentScopeValidation` + +The option to validate whether the exemption is at or under the assignment scope. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Default' + 'DoNotValidate' + ] + ``` + +### Parameter: `description` + +This message will be part of response in case of policy violation. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `displayName` + +The display name of the policy exemption. Maximum length is 128 characters. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `enableTelemetry` + +Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `expiresOn` + +The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. 
+ +- Required: Yes +- Type: string + +### Parameter: `location` + +Location for all Resources. + +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `managementGroupId` + +The Target Scope for the Policy. The name of the management group for the policy exemption. If not provided, will use the current scope for deployment. + +- Required: No +- Type: string +- Default: `[managementGroup().name]` + +### Parameter: `metadata` + +The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs. + +- Required: No +- Type: object +- Default: `{}` + +### Parameter: `policyDefinitionReferenceIds` + +The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition. + +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `resourceGroupName` + +The Target Scope for the Policy. The name of the resource group for the policy exemption. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `resourceSelectors` + +The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out Policy exemptions based on factors like resource location, resource type, or whether a resource has a location. + +- Required: No +- Type: array +- Default: `[]` + +### Parameter: `subscriptionId` + +The Target Scope for the Policy. The subscription ID of the subscription for the policy exemption. + +- Required: No +- Type: string +- Default: `''` + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | Policy Exemption Name. | +| `resourceId` | string | Policy Exemption resource ID. | + +## Data Collection + +The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. 
You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. diff --git a/avm/ptn/authorization/policy-exemption/main.bicep b/avm/ptn/authorization/policy-exemption/main.bicep new file mode 100644 index 0000000000..a62bf4a7dc --- /dev/null +++ b/avm/ptn/authorization/policy-exemption/main.bicep 
@@ -0,0 +1,149 @@
+metadata name = 'Policy Exemptions (All scopes)'
+metadata description = 'This module deploys a Policy Exemption at a Management Group, Subscription or Resource Group scope.'
+metadata owner = 'Azure/module-maintainers'
+
+targetScope = 'managementGroup'
+
+@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 24 characters for management group scope.')
+@maxLength(24)
+param name string
+
+@sys.description('Optional. The option to validate whether the exemption is at or under the assignment scope.')
+@allowed([
+ 'DoNotValidate'
+ 'Default'
+])
+param assignmentScopeValidation string
+
+@sys.description('Optional. This message will be part of response in case of policy violation.')
+param description string = ''
+
+@sys.description('Optional. The display name of the policy exemption. Maximum length is 128 characters.')
+@maxLength(128)
+param displayName string = ''
+
+@sys.description('Required. The policy exemption category.')
+@allowed([
+ 'Mitigated'
+ 'Waiver'
+])
+param exemptionCategory string
+
+@sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption.')
+@maxLength(32)
+@minLength(32)
+param expiresOn string
+
+@sys.description('Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
+param metadata object = {}
+
+@sys.description('Required. Specifies the ID of the policy assignment that is being exempted.')
+param policyAssignmentId string
+
+@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
+param policyDefinitionReferenceIds array = []
+
+@sys.description('Optional. The resource selector list to filter policies by resource properties. 
Facilitates safe deployment practices (SDP) by enabling gradual roll out Policy exemptions based on factors like resource location, resource type, or whether a resource has a location.')
+param resourceSelectors array = []
+
+@sys.description('Optional. The Target Scope for the Policy. The name of the management group for the policy exemption. If not provided, will use the current scope for deployment.')
+param managementGroupId string = managementGroup().name
+
+@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy exemption.')
+param subscriptionId string = ''
+
+@sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy exemption.')
+param resourceGroupName string = ''
+
+@sys.description('Optional. Location for all Resources.')
+param location string = deployment().location
+@sys.description('Optional. Enable/Disable usage telemetry for module.')
+param enableTelemetry bool = true
+
+#disable-next-line no-deployments-resources
+resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) {
+ name: take(
+ '46d3xbcp.ptn.authorization-policyexemption.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}',
+ 64
+ )
+ location: location
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ outputs: {
+ telemetry: {
+ type: 'String'
+ value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
+ }
+ }
+ }
+ }
+}
+
+module policyExemption_mg 'modules/management-group.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) {
+ name: '${uniqueString(deployment().name, location)}-PolicyExemption-MG-Module'
+ scope: managementGroup(managementGroupId)
+ params: {
+ name: name
+ description: !empty(description) ? 
description : null
+ displayName: !empty(displayName) ? displayName : null
+ assignmentScopeValidation: assignmentScopeValidation
+ exemptionCategory: exemptionCategory
+ expiresOn: !empty(expiresOn) ? expiresOn : ''
+ metadata: !empty(metadata) ? metadata : null
+ policyAssignmentId: policyAssignmentId
+ policyDefinitionReferenceIds: !empty(policyDefinitionReferenceIds) ? policyDefinitionReferenceIds : null
+ resourceSelectors: !empty(resourceSelectors) ? resourceSelectors : null
+ }
+}
+
+module policyExemption_sub 'modules/subscription.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
+ name: '${uniqueString(deployment().name, location)}-PolicyExemption-Sub-Module'
+ scope: subscription(subscriptionId)
+ params: {
+ name: name
+ description: !empty(description) ? description : null
+ displayName: !empty(displayName) ? displayName : null
+ assignmentScopeValidation: assignmentScopeValidation
+ exemptionCategory: exemptionCategory
+ expiresOn: !empty(expiresOn) ? expiresOn : ''
+ metadata: !empty(metadata) ? metadata : null
+ policyAssignmentId: policyAssignmentId
+ policyDefinitionReferenceIds: !empty(policyDefinitionReferenceIds) ? policyDefinitionReferenceIds : null
+ resourceSelectors: !empty(resourceSelectors) ? resourceSelectors : null
+ }
+}
+
+module policyExemption_rg 'modules/resource-group.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) {
+ name: '${uniqueString(deployment().name, location)}-PolicyExemption-RG-Module'
+ scope: resourceGroup(subscriptionId, resourceGroupName)
+ params: {
+ name: name
+ description: !empty(description) ? description : null
+ displayName: !empty(displayName) ? displayName : null
+ assignmentScopeValidation: assignmentScopeValidation
+ exemptionCategory: exemptionCategory
+ expiresOn: !empty(expiresOn) ? expiresOn : ''
+ metadata: !empty(metadata) ? metadata : null
+ policyAssignmentId: policyAssignmentId
+ policyDefinitionReferenceIds: !empty(policyDefinitionReferenceIds) ? 
policyDefinitionReferenceIds : null
+ resourceSelectors: !empty(resourceSelectors) ? resourceSelectors : null
+ }
+}
+
+@sys.description('Policy Exemption Name.')
+output name string = empty(subscriptionId) && empty(resourceGroupName)
+ ? policyExemption_mg.outputs.name
+ : (!empty(subscriptionId) && empty(resourceGroupName)
+ ? policyExemption_sub.outputs.name
+ : policyExemption_rg.outputs.name)
+
+@sys.description('Policy Exemption resource ID.')
+output resourceId string = empty(subscriptionId) && empty(resourceGroupName)
+ ? policyExemption_mg.outputs.resourceId
+ : (!empty(subscriptionId) && empty(resourceGroupName)
+ ? policyExemption_sub.outputs.resourceId
+ : policyExemption_rg.outputs.resourceId)
diff --git a/avm/ptn/authorization/policy-exemption/main.json b/avm/ptn/authorization/policy-exemption/main.json
new file mode 100644
index 0000000000..03ddf3caa4
--- /dev/null
+++ b/avm/ptn/authorization/policy-exemption/main.json
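Review bot: `param expiresOn string` is described as `Optional.` yet has no default and is pinned to exactly 32 characters by `@maxLength(32)`/`@minLength(32)`, which a value in the documented `yyyy-MM-ddTHH:mm:ssZ` form (20 characters, e.g. the constructed sample `2024-10-08T14:41:02Z`) can never satisfy; as a result the `!empty(expiresOn) ? expiresOn : ''` branch in all three module calls is unreachable and the generated README lists the parameter as optional in the table but `Required: Yes` in its section, and `param assignmentScopeValidation string` has the same Optional-without-default mismatch. Either drop the two length decorators and give defaults, `param expiresOn string = ''` and `param assignmentScopeValidation string = 'Default'`, or change both description prefixes to `Required.` so the README generator agrees with the code. If `expiresOn` does become optional, an exemption created without it has no end date, so the waf-aligned test (not in this chunk) should set one to keep the time-bound path exercised. Separately, the three `if (...)` conditions leave the combination `resourceGroupName` set with `subscriptionId` empty deploying nothing, while the `name` and `resourceId` outputs still fall through to `policyExemption_rg.outputs.*` on an undeployed module; that combination should be rejected or documented on `resourceGroupName` (`Requires subscriptionId to be set.`) rather than failing at output evaluation.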
@@ -0,0 +1,650 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.30.23.60470", + "templateHash": "16386010349106137044" + }, + "name": "Policy Exemptions (All scopes)", + "description": "This module deploys a Policy Exemption at a Management Group, Subscription or Resource Group scope.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "maxLength": 24, + "metadata": { + "description": "Required. Specifies the name of the policy exemption. Maximum length is 24 characters for management group scope." + } + }, + "assignmentScopeValidation": { + "type": "string", + "allowedValues": [ + "DoNotValidate", + "Default" + ], + "metadata": { + "description": "Optional. The option to validate whether the exemption is at or under the assignment scope." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. This message will be part of response in case of policy violation." + } + }, + "displayName": { + "type": "string", + "defaultValue": "", + "maxLength": 128, + "metadata": { + "description": "Optional. The display name of the policy exemption. Maximum length is 128 characters." + } + }, + "exemptionCategory": { + "type": "string", + "allowedValues": [ + "Mitigated", + "Waiver" + ], + "metadata": { + "description": "Required. The policy exemption category." + } + }, + "expiresOn": { + "type": "string", + "minLength": 32, + "maxLength": 32, + "metadata": { + "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption." + } + }, + "metadata": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs." 
+ } + }, + "policyAssignmentId": { + "type": "string", + "metadata": { + "description": "Required. Specifies the ID of the policy assignment that is being exempted." + } + }, + "policyDefinitionReferenceIds": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition." + } + }, + "resourceSelectors": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out Policy exemptions based on factors like resource location, resource type, or whether a resource has a location." + } + }, + "managementGroupId": { + "type": "string", + "defaultValue": "[managementGroup().name]", + "metadata": { + "description": "Optional. The Target Scope for the Policy. The name of the management group for the policy exemption. If not provided, will use the current scope for deployment." + } + }, + "subscriptionId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy exemption." + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The Target Scope for the Policy. The name of the resource group for the policy exemption." + } + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2024-03-01", + "name": "[take(format('46d3xbcp.ptn.authorization-policyexemption.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4)), 64)]", + "location": "[parameters('location')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + } + }, + { + "condition": "[and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-PolicyExemption-MG-Module', uniqueString(deployment().name, parameters('location')))]", + "scope": "[format('Microsoft.Management/managementGroups/{0}', parameters('managementGroupId'))]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('name')]" + }, + "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', null()))]", + "displayName": "[if(not(empty(parameters('displayName'))), createObject('value', parameters('displayName')), createObject('value', null()))]", + "assignmentScopeValidation": { + "value": "[parameters('assignmentScopeValidation')]" + }, + "exemptionCategory": { + "value": "[parameters('exemptionCategory')]" + }, + "expiresOn": "[if(not(empty(parameters('expiresOn'))), createObject('value', parameters('expiresOn')), createObject('value', ''))]", + "metadata": "[if(not(empty(parameters('metadata'))), 
createObject('value', parameters('metadata')), createObject('value', null()))]", + "policyAssignmentId": { + "value": "[parameters('policyAssignmentId')]" + }, + "policyDefinitionReferenceIds": "[if(not(empty(parameters('policyDefinitionReferenceIds'))), createObject('value', parameters('policyDefinitionReferenceIds')), createObject('value', null()))]", + "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), createObject('value', parameters('resourceSelectors')), createObject('value', null()))]" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.30.23.60470", + "templateHash": "10692808437895827112" + }, + "name": "Policy Exemptions (Management Group scope)", + "description": "This module deploys a policy exemption at a Management Group scope.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. Specifies the name of the policy exemption. Maximum length is 64 characters for management group scope." + } + }, + "assignmentScopeValidation": { + "type": "string", + "allowedValues": [ + "DoNotValidate", + "Default" + ], + "metadata": { + "description": "Optional. The option to validate whether the exemption is at or under the assignment scope." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. This message will be part of response in case of policy violation." + } + }, + "displayName": { + "type": "string", + "defaultValue": "", + "maxLength": 128, + "metadata": { + "description": "Optional. The display name of the policy exemption. Maximum length is 128 characters." 
+ } + }, + "exemptionCategory": { + "type": "string", + "allowedValues": [ + "Mitigated", + "Waiver" + ], + "metadata": { + "description": "Required. The policy exemption category." + } + }, + "expiresOn": { + "type": "string", + "minLength": 32, + "maxLength": 32, + "metadata": { + "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption." + } + }, + "metadata": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs." + } + }, + "policyAssignmentId": { + "type": "string", + "metadata": { + "description": "Required. Specifies the ID of the policy assignment that is being exempted." + } + }, + "policyDefinitionReferenceIds": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition." + } + }, + "resourceSelectors": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out Policy exemptions based on factors like resource location, resource type, or whether a resource has a location." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyExemptions", + "apiVersion": "2022-07-01-preview", + "name": "[parameters('name')]", + "properties": { + "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", + "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", + "assignmentScopeValidation": "[parameters('assignmentScopeValidation')]", + "exemptionCategory": "[parameters('exemptionCategory')]", + "expiresOn": "[if(not(empty(parameters('expiresOn'))), parameters('expiresOn'), null())]", + "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", + "policyAssignmentId": "[parameters('policyAssignmentId')]", + "policyDefinitionReferenceIds": "[if(not(empty(parameters('policyDefinitionReferenceIds'))), parameters('policyDefinitionReferenceIds'), null())]", + "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), parameters('resourceSelectors'), null())]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "Policy exemption name." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "Policy exemption resource ID." 
+ }, + "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/policyExemptions', parameters('name'))]" + } + } + } + } + }, + { + "condition": "[and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-PolicyExemption-Sub-Module', uniqueString(deployment().name, parameters('location')))]", + "subscriptionId": "[parameters('subscriptionId')]", + "location": "[deployment().location]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('name')]" + }, + "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', null()))]", + "displayName": "[if(not(empty(parameters('displayName'))), createObject('value', parameters('displayName')), createObject('value', null()))]", + "assignmentScopeValidation": { + "value": "[parameters('assignmentScopeValidation')]" + }, + "exemptionCategory": { + "value": "[parameters('exemptionCategory')]" + }, + "expiresOn": "[if(not(empty(parameters('expiresOn'))), createObject('value', parameters('expiresOn')), createObject('value', ''))]", + "metadata": "[if(not(empty(parameters('metadata'))), createObject('value', parameters('metadata')), createObject('value', null()))]", + "policyAssignmentId": { + "value": "[parameters('policyAssignmentId')]" + }, + "policyDefinitionReferenceIds": "[if(not(empty(parameters('policyDefinitionReferenceIds'))), createObject('value', parameters('policyDefinitionReferenceIds')), createObject('value', null()))]", + "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), createObject('value', parameters('resourceSelectors')), createObject('value', null()))]" + }, + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.30.23.60470", + "templateHash": "6471026360194122026" + }, + "name": "Policy Exemptions (Subscription scope)", + "description": "This module deploys a policy exemption at a Subscription scope.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope." + } + }, + "assignmentScopeValidation": { + "type": "string", + "allowedValues": [ + "DoNotValidate", + "Default" + ], + "metadata": { + "description": "Optional. The option to validate whether the exemption is at or under the assignment scope." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. This message will be part of response in case of policy violation." + } + }, + "displayName": { + "type": "string", + "defaultValue": "", + "maxLength": 128, + "metadata": { + "description": "Optional. The display name of the policy exemption. Maximum length is 128 characters." + } + }, + "exemptionCategory": { + "type": "string", + "allowedValues": [ + "Mitigated", + "Waiver" + ], + "metadata": { + "description": "Required. The policy exemption category." + } + }, + "expiresOn": { + "type": "string", + "minLength": 32, + "maxLength": 32, + "metadata": { + "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption." + } + }, + "metadata": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs." 
+ } + }, + "policyAssignmentId": { + "type": "string", + "metadata": { + "description": "Required. Specifies the ID of the policy assignment that is being exempted." + } + }, + "policyDefinitionReferenceIds": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition." + } + }, + "resourceSelectors": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out Policy exemptions based on factors like resource location, resource type, or whether a resource has a location." + } + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyExemptions", + "apiVersion": "2022-07-01-preview", + "name": "[parameters('name')]", + "properties": { + "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", + "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", + "assignmentScopeValidation": "[parameters('assignmentScopeValidation')]", + "exemptionCategory": "[parameters('exemptionCategory')]", + "expiresOn": "[if(not(empty(parameters('expiresOn'))), parameters('expiresOn'), null())]", + "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", + "policyAssignmentId": "[parameters('policyAssignmentId')]", + "policyDefinitionReferenceIds": "[if(not(empty(parameters('policyDefinitionReferenceIds'))), parameters('policyDefinitionReferenceIds'), null())]", + "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), parameters('resourceSelectors'), null())]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "Policy exemption name." 
+ }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "Policy exemption resource ID." + }, + "value": "[subscriptionResourceId('Microsoft.Authorization/policyExemptions', parameters('name'))]" + } + } + } + } + }, + { + "condition": "[and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-PolicyExemption-RG-Module', uniqueString(deployment().name, parameters('location')))]", + "subscriptionId": "[parameters('subscriptionId')]", + "resourceGroup": "[parameters('resourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('name')]" + }, + "description": "[if(not(empty(parameters('description'))), createObject('value', parameters('description')), createObject('value', null()))]", + "displayName": "[if(not(empty(parameters('displayName'))), createObject('value', parameters('displayName')), createObject('value', null()))]", + "assignmentScopeValidation": { + "value": "[parameters('assignmentScopeValidation')]" + }, + "exemptionCategory": { + "value": "[parameters('exemptionCategory')]" + }, + "expiresOn": "[if(not(empty(parameters('expiresOn'))), createObject('value', parameters('expiresOn')), createObject('value', ''))]", + "metadata": "[if(not(empty(parameters('metadata'))), createObject('value', parameters('metadata')), createObject('value', null()))]", + "policyAssignmentId": { + "value": "[parameters('policyAssignmentId')]" + }, + "policyDefinitionReferenceIds": "[if(not(empty(parameters('policyDefinitionReferenceIds'))), createObject('value', parameters('policyDefinitionReferenceIds')), createObject('value', null()))]", + "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), createObject('value', parameters('resourceSelectors')), 
createObject('value', null()))]" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.30.23.60470", + "templateHash": "6225706394162525731" + }, + "name": "Policy Exemptions (Resource Group scope)", + "description": "This module deploys a policy exemption at a Resource Group scope.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope." + } + }, + "assignmentScopeValidation": { + "type": "string", + "allowedValues": [ + "DoNotValidate", + "Default" + ], + "metadata": { + "description": "Optional. The option to validate whether the exemption is at or under the assignment scope." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. This message will be part of response in case of policy violation." + } + }, + "displayName": { + "type": "string", + "defaultValue": "", + "maxLength": 128, + "metadata": { + "description": "Optional. The display name of the policy exemption. Maximum length is 128 characters." + } + }, + "exemptionCategory": { + "type": "string", + "allowedValues": [ + "Mitigated", + "Waiver" + ], + "metadata": { + "description": "Required. The policy exemption category." + } + }, + "expiresOn": { + "type": "string", + "minLength": 32, + "maxLength": 32, + "metadata": { + "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption." + } + }, + "metadata": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs." 
+ } + }, + "policyAssignmentId": { + "type": "string", + "metadata": { + "description": "Required. Specifies the ID of the policy assignment that is being exempted." + } + }, + "policyDefinitionReferenceIds": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition." + } + }, + "resourceSelectors": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out Policy exemptions based on factors like resource location, resource type, or whether a resource has a location." + } + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyExemptions", + "apiVersion": "2022-07-01-preview", + "name": "[parameters('name')]", + "properties": { + "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]", + "displayName": "[if(not(empty(parameters('displayName'))), parameters('displayName'), null())]", + "assignmentScopeValidation": "[parameters('assignmentScopeValidation')]", + "exemptionCategory": "[parameters('exemptionCategory')]", + "expiresOn": "[if(not(empty(parameters('expiresOn'))), parameters('expiresOn'), null())]", + "metadata": "[if(not(empty(parameters('metadata'))), parameters('metadata'), null())]", + "policyAssignmentId": "[parameters('policyAssignmentId')]", + "policyDefinitionReferenceIds": "[if(not(empty(parameters('policyDefinitionReferenceIds'))), parameters('policyDefinitionReferenceIds'), null())]", + "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), parameters('resourceSelectors'), null())]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "Policy exemption name." 
+ }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "Policy exemption resource ID." + }, + "value": "[resourceId('Microsoft.Authorization/policyExemptions', parameters('name'))]" + } + } + } + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "Policy Exemption Name." + }, + "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value))]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "Policy Exemption resource ID." 
+ }, + "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value))]" + } + } +} \ No newline at end of file diff --git a/avm/ptn/authorization/policy-exemption/modules/management-group.bicep b/avm/ptn/authorization/policy-exemption/modules/management-group.bicep new file mode 100644 index 0000000000..eb5d13b81b --- /dev/null +++ b/avm/ptn/authorization/policy-exemption/modules/management-group.bicep 
@@ -0,0 +1,68 @@
+metadata name = 'Policy Exemptions (Management Group scope)'
+metadata description = 'This module deploys a policy exemption at a Management Group scope.'
+metadata owner = 'Azure/module-maintainers'
+
+targetScope = 'managementGroup'
+
+@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 64 characters for management group scope.')
+@maxLength(64)
+param name string
+
+@sys.description('Optional. The option to validate whether the exemption is at or under the assignment scope.')
+@allowed([
+ 'DoNotValidate'
+ 'Default'
+])
+param assignmentScopeValidation string
+
+@sys.description('Optional. This message will be part of response in case of policy violation.')
+param description string = ''
+
+@sys.description('Optional. The display name of the policy exemption. Maximum length is 128 characters.')
+@maxLength(128)
+param displayName string = ''
+
+@sys.description('Required. The policy exemption category.')
+@allowed([
+ 'Mitigated'
+ 'Waiver'
+])
+param exemptionCategory string
+
+@sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption.')
+@maxLength(32)
+@minLength(32)
+param expiresOn string
+
+@sys.description('Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
+param metadata object = {}
+
+@sys.description('Required. Specifies the ID of the policy assignment that is being exempted.')
+param policyAssignmentId string
+
+@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
+param policyDefinitionReferenceIds array = []
+
+@sys.description('Optional. The resource selector list to filter policies by resource properties.
Facilitates safe deployment practices (SDP) by enabling gradual roll out Policy exemptions based on factors like resource location, resource type, or whether a resource has a location.')
+param resourceSelectors array = []
+
+resource policyExemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
+ name: name
+ properties: {
+ description: !empty(description) ? description : null
+ displayName: !empty(displayName) ? displayName : null
+ assignmentScopeValidation: assignmentScopeValidation
+ exemptionCategory: exemptionCategory
+ expiresOn: !empty(expiresOn) ? expiresOn : null
+ metadata: !empty(metadata) ? metadata : null
+ policyAssignmentId: policyAssignmentId
+ policyDefinitionReferenceIds: !empty(policyDefinitionReferenceIds) ? policyDefinitionReferenceIds : null
+ resourceSelectors: !empty(resourceSelectors) ? resourceSelectors : null
+ }
+}
+
+@sys.description('Policy exemption name.')
+output name string = policyExemption.name
+
+@sys.description('Policy exemption resource ID.')
+output resourceId string = policyExemption.id
diff --git a/avm/ptn/authorization/policy-exemption/modules/resource-group.bicep b/avm/ptn/authorization/policy-exemption/modules/resource-group.bicep
new file mode 100644
index 0000000000..eb5d13b81b
--- /dev/null
+++ b/avm/ptn/authorization/policy-exemption/modules/resource-group.bicep
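Review bot: The `@minLength(32)` and `@maxLength(32)` decorators on `expiresOn` contradict the documented format: a `yyyy-MM-ddTHH:mm:ssZ` timestamp is 20 characters, so every value in that format fails validation, and the `''` that main.bicep passes when no expiry is given (visible earlier in this patch) is rejected as well. The parameter is also labelled `Optional.` but has no default, and the same holds for `assignmentScopeValidation`. Because an exemption is a standing bypass of policy enforcement, keeping `expiresOn` required so that every exemption is time-bounded is the safer choice: relabel it `Required.`, lower the bound to `@minLength(20)` so the documented format is accepted, and either give `assignmentScopeValidation` the default `'Default'` or relabel it too. The identical decorators appear in resource-group.bicep and subscription.bicep in the hunks below and need the same fix. Separately, main.json's `name` parameter earlier in this patch documents a 24-character limit at management-group scope while this module enforces `@maxLength(64)`; one of the two should be corrected so the wrapper and the module agree.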
@@ -0,0 +1,68 @@
+metadata name = 'Policy Exemptions (Resource Group scope)'
+metadata description = 'This module deploys a policy exemption at a Resource Group scope.'
+metadata owner = 'Azure/module-maintainers'
+
+targetScope = 'resourceGroup'
+
+@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 64 characters for resource group scope.')
+@maxLength(64)
+param name string
+
+@sys.description('Optional. The option to validate whether the exemption is at or under the assignment scope.')
+@allowed([
+ 'DoNotValidate'
+ 'Default'
+])
+param assignmentScopeValidation string
+
+@sys.description('Optional. This message will be part of response in case of policy violation.')
+param description string = ''
+
+@sys.description('Optional. The display name of the policy exemption. Maximum length is 128 characters.')
+@maxLength(128)
+param displayName string = ''
+
+@sys.description('Required. The policy exemption category.')
+@allowed([
+ 'Mitigated'
+ 'Waiver'
+])
+param exemptionCategory string
+
+@sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption.')
+@maxLength(32)
+@minLength(32)
+param expiresOn string
+
+@sys.description('Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
+param metadata object = {}
+
+@sys.description('Required. Specifies the ID of the policy assignment that is being exempted.')
+param policyAssignmentId string
+
+@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
+param policyDefinitionReferenceIds array = []
+
+@sys.description('Optional. The resource selector list to filter policies by resource properties.
Facilitates safe deployment practices (SDP) by enabling gradual roll out Policy exemptions based on factors like resource location, resource type, or whether a resource has a location.')
+param resourceSelectors array = []
+
+resource policyExemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
+ name: name
+ properties: {
+ description: !empty(description) ? description : null
+ displayName: !empty(displayName) ? displayName : null
+ assignmentScopeValidation: assignmentScopeValidation
+ exemptionCategory: exemptionCategory
+ expiresOn: !empty(expiresOn) ? expiresOn : null
+ metadata: !empty(metadata) ? metadata : null
+ policyAssignmentId: policyAssignmentId
+ policyDefinitionReferenceIds: !empty(policyDefinitionReferenceIds) ? policyDefinitionReferenceIds : null
+ resourceSelectors: !empty(resourceSelectors) ? resourceSelectors : null
+ }
+}
+
+@sys.description('Policy exemption name.')
+output name string = policyExemption.name
+
+@sys.description('Policy exemption resource ID.')
+output resourceId string = policyExemption.id
diff --git a/avm/ptn/authorization/policy-exemption/modules/subscription.bicep b/avm/ptn/authorization/policy-exemption/modules/subscription.bicep
new file mode 100644
index 0000000000..43b720e473
--- /dev/null
+++ b/avm/ptn/authorization/policy-exemption/modules/subscription.bicep
@@ -0,0 +1,68 @@ +metadata name = 'Policy Exemptions (Subscription scope)' +metadata description = 'This module deploys a policy exemption at a Subscription scope.' +metadata owner = 'Azure/module-maintainers' + +targetScope = 'subscription' + +@sys.description('Required. Specifies the name of the policy exemption. Maximum length is 64 characters for subscription scope.') +@maxLength(64) +param name string + +@sys.description('Optional. The option to validate whether the exemption is at or under the assignment scope.') +@allowed([ + 'DoNotValidate' + 'Default' +]) +param assignmentScopeValidation string + +@sys.description('Optional. This message will be part of response in case of policy violation.') +param description string = '' + +@sys.description('Optional. The display name of the policy exemption. Maximum length is 128 characters.') +@maxLength(128) +param displayName string = '' + +@sys.description('Required. The policy exemption category.') +@allowed([ + 'Mitigated' + 'Waiver' +]) +param exemptionCategory string + +@sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption.') +@maxLength(32) +@minLength(32) +param expiresOn string + +@sys.description('Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.') +param metadata object = {} + +@sys.description('Required. Specifies the ID of the policy assignment that is being exempted.') +param policyAssignmentId string + +@sys.description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.') +param policyDefinitionReferenceIds array = [] + +@sys.description('Optional. The resource selector list to filter policies by resource properties. 
Facilitates safe deployment practices (SDP) by enabling gradual roll out Policy exemptions based on factors like resource location, resource type, or whether a resource has a location.') +param resourceSelectors array = [] + +resource policyExemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = { + name: name + properties: { + description: !empty(description) ? description : null + displayName: !empty(displayName) ? displayName : null + assignmentScopeValidation: assignmentScopeValidation + exemptionCategory: exemptionCategory + expiresOn: !empty(expiresOn) ? expiresOn : null + metadata: !empty(metadata) ? metadata : null + policyAssignmentId: policyAssignmentId + policyDefinitionReferenceIds: !empty(policyDefinitionReferenceIds) ? policyDefinitionReferenceIds : null + resourceSelectors: !empty(resourceSelectors) ? resourceSelectors : null + } +} + +@sys.description('Policy exemption name.') +output name string = policyExemption.name + +@sys.description('Policy exemption resource ID.') +output resourceId string = policyExemption.id diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/defaults/main.test.bicep new file mode 100644 index 0000000000..56af9ab567 --- /dev/null +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/defaults/main.test.bicep 
@@ -0,0 +1,48 @@ +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +// e.g., for a module 'network/private-endpoint' you could use 'dep-dev-network.privateendpoints-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}---${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param resourceLocation string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +// e.g., for a module 'network/private-endpoint' you could use 'npe' as a prefix and then 'waf' as a suffix for the waf-aligned test +param serviceShort string = 'apedef' + +@description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.') +param namePrefix string = '#_namePrefix_#' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: resourceLocation +} + +// ============== // +// Test Execution // +// ============== // + +@batchSize(1) +module testDeployment '../../../main.bicep' = [ + for iteration in ['init', 'idem']: { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' + params: { + // You parameters go here + name: '${namePrefix}${serviceShort}001' + location: resourceLocation + } + } +] diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..295de7aabe --- /dev/null +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep 
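Review bot: The test passes only `name` and `location` to main.bicep, but the parameter set shown in the resource-group and subscription module hunks above has `exemptionCategory` and `policyAssignmentId` with no default (plus `assignmentScopeValidation` and `expiresOn` in this patch), so the deployment fails validation before a single exemption is created; main.bicep itself is not in view, so I am inferring its parameters from the sub-modules it wraps. `location` does not appear among those parameters either, and an exemption test needs an existing policy assignment to point `policyAssignmentId` at, which the Dependencies section does not create. The scaffold comment `// You parameters go here` should be removed or read `// Your parameters go here`. The waf-aligned test in the next hunk has the identical shape and the same gaps.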
@@ -0,0 +1,48 @@ +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +// e.g., for a module 'network/private-endpoint' you could use 'dep-dev-network.privateendpoints-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}---${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param resourceLocation string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +// e.g., for a module 'network/private-endpoint' you could use 'npe' as a prefix and then 'waf' as a suffix for the waf-aligned test +param serviceShort string = 'apewaf' + +@description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.') +param namePrefix string = '#_namePrefix_#' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: resourceLocation +} + +// ============== // +// Test Execution // +// ============== // + +@batchSize(1) +module testDeployment '../../../main.bicep' = [ + for iteration in ['init', 'idem']: { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' + params: { + // You parameters go here + name: '${namePrefix}${serviceShort}001' + location: resourceLocation + } + } +] diff --git a/avm/ptn/authorization/policy-exemption/version.json b/avm/ptn/authorization/policy-exemption/version.json new file mode 100644 index 0000000000..8def869ede --- /dev/null +++ b/avm/ptn/authorization/policy-exemption/version.json 
@@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.1", + "pathFilters": [ + "./main.json" + ] +} From 2363f4dca32fead868b926ba7ec075f0e53e15c1 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Thu, 10 Oct 2024 15:23:33 -0500 Subject: [PATCH 02/18] Initial test files --- .../authorization/policy-exemption/README.md | 1005 ++++++++++++++++- .../authorization/policy-exemption/main.bicep | 14 +- .../modules/management-group.bicep | 8 +- .../modules/resource-group.bicep | 8 +- .../modules/subscription.bicep | 8 +- .../tests/e2e/defaults/main.test.bicep | 48 - .../tests/e2e/mg.defaults/main.test.bicep | 54 + .../tests/e2e/mg.max/main.test.bicep | 54 + .../tests/e2e/rg.defaults/main.test.bicep | 54 + .../tests/e2e/rg.max/main.test.bicep | 54 + .../tests/e2e/sub.defaults/main.test.bicep | 54 + .../tests/e2e/sub.max/main.test.bicep | 54 + .../tests/e2e/waf-aligned/main.test.bicep | 48 - 13 files changed, 1338 insertions(+), 125 deletions(-) delete mode 100644 avm/ptn/authorization/policy-exemption/tests/e2e/defaults/main.test.bicep create mode 100644 avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep create mode 100644 avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep create mode 100644 avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep create mode 100644 avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep create mode 100644 avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep create mode 100644 avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep delete mode 100644 avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep diff --git a/avm/ptn/authorization/policy-exemption/README.md b/avm/ptn/authorization/policy-exemption/README.md index 30387c930b..a5230818c4 100644 --- a/avm/ptn/authorization/policy-exemption/README.md 
+++ b/avm/ptn/authorization/policy-exemption/README.md @@ -24,10 +24,14 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/authorization/policy-exemption:`. -- [Defaults](#example-1-defaults) -- [Waf-Aligned](#example-2-waf-aligned) +- [Mg.Defaults](#example-1-mgdefaults) +- [Mg.Max](#example-2-mgmax) +- [Rg.Defaults](#example-3-rgdefaults) +- [Rg.Max](#example-4-rgmax) +- [Sub.Defaults](#example-5-subdefaults) +- [Sub.Max](#example-6-submax) -### Example 1: _Defaults_ +### Example 1: _Mg.Defaults_

@@ -38,8 +42,146 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption: +

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "assignmentScopeValidation": { + "value": "Default" + }, + "exemptionCategory": { + "value": "Mitigated" + }, + "expiresOn": { + "value": "2023-10-05T14:48:00Z" + }, + "name": { + "value": "apemgmin001" + }, + "policyAssignmentId": { + "value": "test" + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/ptn/authorization/policy-exemption:' + +// Required parameters +param assignmentScopeValidation = 'Default' +param exemptionCategory = 'Mitigated' +param expiresOn = '2023-10-05T14:48:00Z' +param name = 'apemgmin001' +param policyAssignmentId = 'test' +``` + +
+

+ +### Example 2: _Mg.Max_ + +

+ +via Bicep module + +```bicep +module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' = { + name: 'policyExemptionDeployment' + params: { + // Required parameters + // Non-required parameters + name: 'apamgmax001' + description: '[Description] Policy Assignment at the management group scope' + displayName: '[Display Name] Policy Assignment at the management group scope' + enforcementMode: 'DoNotEnforce' + identity: 'SystemAssigned' location: '' + managementGroupId: '' + metadata: { + assignedBy: 'Bicep' + category: 'Security' + version: '1.0' + } + nonComplianceMessages: [ + { + message: 'Violated Policy Assignment - This is a Non Compliance Message' + } + ] + notScopes: [ + '/subscriptions//resourceGroups/validation-rg' + ] + overrides: [ + { + kind: 'policyEffect' + selectors: [ + { + in: [ + 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' + 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' + ] + kind: 'policyDefinitionReferenceId' + } + ] + value: 'Disabled' + } + ] + parameters: { + effect: { + value: 'Disabled' + } + enableCollectionOfSqlQueriesForSecurityResearch: { + value: false + } + } + policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' + resourceSelectors: [ + { + name: 'resourceSelector-test' + selectors: [ + { + in: [ + 'Microsoft.Compute/virtualMachines' + ] + kind: 'resourceType' + } + { + in: [ + 'westeurope' + ] + kind: 'resourceLocation' + } + ] + } + ] + roleDefinitionIds: [ + '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' + ] } } ``` 
@@ -58,10 +200,101 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" + }, + "managementGroupId": { + "value": "" + }, + "metadata": { + "value": { + "assignedBy": "Bicep", + "category": "Security", + "version": "1.0" + } + }, + "nonComplianceMessages": { + "value": [ + { + "message": "Violated Policy Assignment - This is a Non Compliance Message" + } + ] + }, + "notScopes": { + "value": [ + "/subscriptions//resourceGroups/validation-rg" + ] + }, + "overrides": { + "value": [ + { + "kind": "policyEffect", + "selectors": [ + { + "in": [ + "ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent", + "ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent" + ], + "kind": "policyDefinitionReferenceId" + } + ], + "value": "Disabled" + } + ] + }, + "parameters": { + "value": { + "effect": { + "value": "Disabled" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "value": false + } + } + }, + "policyDefinitionId": { + "value": "/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611" + }, + "resourceSelectors": { + "value": [ + { + "name": "resourceSelector-test", + "selectors": [ + { + "in": [ + "Microsoft.Compute/virtualMachines" + ], + "kind": "resourceType" + }, + { + "in": [ + "westeurope" + ], + "kind": "resourceLocation" + } + ] + } + ] + }, + "roleDefinitionIds": { + "value": [ + "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ] } } } 
@@ -78,14 +311,79 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' // Required parameters -param name = 'apedef001' +// Non-required parameters +param name = 'apamgmax001' +param description = '[Description] Policy Assignment at the management group scope' +param displayName = '[Display Name] Policy Assignment at the management group scope' +param enforcementMode = 'DoNotEnforce' +param identity = 'SystemAssigned' param location = '' +param managementGroupId = '' +param metadata = { + assignedBy: 'Bicep' + category: 'Security' + version: '1.0' +} +param nonComplianceMessages = [ + { + message: 'Violated Policy Assignment - This is a Non Compliance Message' + } +] +param notScopes = [ + '/subscriptions//resourceGroups/validation-rg' +] +param overrides = [ + { + kind: 'policyEffect' + selectors: [ + { + in: [ + 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' + 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' + ] + kind: 'policyDefinitionReferenceId' + } + ] + value: 'Disabled' + } +] +param parameters = { + effect: { + value: 'Disabled' + } + enableCollectionOfSqlQueriesForSecurityResearch: { + value: false + } +} +param policyDefinitionId = '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' +param resourceSelectors = [ + { + name: 'resourceSelector-test' + selectors: [ + { + in: [ + 'Microsoft.Compute/virtualMachines' + ] + kind: 'resourceType' + } + { + in: [ + 'westeurope' + ] + kind: 'resourceLocation' + } + ] + } +] +param roleDefinitionIds = [ + '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' +] ```

-### Example 2: _Waf-Aligned_ +### Example 3: _Rg.Defaults_

@@ -96,8 +394,15 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' + metadata: { + assignedBy: 'Bicep' + } + policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' + resourceGroupName: '' + subscriptionId: '' } } ``` @@ -116,10 +421,25 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" + }, + "metadata": { + "value": { + "assignedBy": "Bicep" + } + }, + "policyDefinitionId": { + "value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d" + }, + "resourceGroupName": { + "value": "" + }, + "subscriptionId": { + "value": "" } } } @@ -136,8 +456,673 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' // Required parameters -param name = 'apewaf001' +// Non-required parameters +param name = 'apargmin001' param location = '' +param metadata = { + assignedBy: 'Bicep' +} +param policyDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' +param resourceGroupName = '' +param subscriptionId = '' +``` + +
+

+ +### Example 4: _Rg.Max_ + +

+ +via Bicep module + +```bicep +module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' = { + name: 'policyExemptionDeployment' + params: { + // Required parameters + // Non-required parameters + name: 'apargmax001' + description: '[Description] Policy Assignment at the resource group scope' + displayName: '[Display Name] Policy Assignment at the resource group scope' + enforcementMode: 'DoNotEnforce' + identity: 'UserAssigned' + location: '' + metadata: { + assignedBy: 'Bicep' + category: 'Security' + version: '1.0' + } + nonComplianceMessages: [ + { + message: 'Violated Policy Assignment - This is a Non Compliance Message' + } + ] + notScopes: [ + '' + ] + overrides: [ + { + kind: 'policyEffect' + selectors: [ + { + in: [ + 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' + 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' + ] + kind: 'policyDefinitionReferenceId' + } + ] + value: 'Disabled' + } + ] + parameters: { + effect: { + value: 'Disabled' + } + enableCollectionOfSqlQueriesForSecurityResearch: { + value: false + } + } + policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' + resourceGroupName: '' + resourceSelectors: [ + { + name: 'resourceSelector-test' + selectors: [ + { + in: [ + 'Microsoft.Compute/virtualMachines' + ] + kind: 'resourceType' + } + { + in: [ + 'westeurope' + ] + kind: 'resourceLocation' + } + ] + } + ] + roleDefinitionIds: [ + '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' + ] + subscriptionId: '' + userAssignedIdentityId: '' + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "apargmax001" + }, + // Non-required parameters + "description": { + "value": "[Description] Policy Assignment at the resource group scope" + }, + "displayName": { + "value": "[Display Name] Policy Assignment at the resource group scope" + }, + "enforcementMode": { + "value": "DoNotEnforce" + }, + "identity": { + "value": "UserAssigned" + }, + "location": { + "value": "" + }, + "metadata": { + "value": { + "assignedBy": "Bicep", + "category": "Security", + "version": "1.0" + } + }, + "nonComplianceMessages": { + "value": [ + { + "message": "Violated Policy Assignment - This is a Non Compliance Message" + } + ] + }, + "notScopes": { + "value": [ + "" + ] + }, + "overrides": { + "value": [ + { + "kind": "policyEffect", + "selectors": [ + { + "in": [ + "ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent", + "ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent" + ], + "kind": "policyDefinitionReferenceId" + } + ], + "value": "Disabled" + } + ] + }, + "parameters": { + "value": { + "effect": { + "value": "Disabled" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "value": false + } + } + }, + "policyDefinitionId": { + "value": "/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611" + }, + "resourceGroupName": { + "value": "" + }, + "resourceSelectors": { + "value": [ + { + "name": "resourceSelector-test", + "selectors": [ + { + "in": [ + "Microsoft.Compute/virtualMachines" + ], + "kind": "resourceType" + }, + { + "in": [ + "westeurope" + ], + "kind": "resourceLocation" + } + ] + } + ] + }, + "roleDefinitionIds": { + "value": [ + "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ] + }, + "subscriptionId": { + "value": 
"" + }, + "userAssignedIdentityId": { + "value": "" + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/ptn/authorization/policy-exemption:' + +// Required parameters +// Non-required parameters +param name = 'apargmax001' +param description = '[Description] Policy Assignment at the resource group scope' +param displayName = '[Display Name] Policy Assignment at the resource group scope' +param enforcementMode = 'DoNotEnforce' +param identity = 'UserAssigned' +param location = '' +param metadata = { + assignedBy: 'Bicep' + category: 'Security' + version: '1.0' +} +param nonComplianceMessages = [ + { + message: 'Violated Policy Assignment - This is a Non Compliance Message' + } +] +param notScopes = [ + '' +] +param overrides = [ + { + kind: 'policyEffect' + selectors: [ + { + in: [ + 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' + 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' + ] + kind: 'policyDefinitionReferenceId' + } + ] + value: 'Disabled' + } +] +param parameters = { + effect: { + value: 'Disabled' + } + enableCollectionOfSqlQueriesForSecurityResearch: { + value: false + } +} +param policyDefinitionId = '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' +param resourceGroupName = '' +param resourceSelectors = [ + { + name: 'resourceSelector-test' + selectors: [ + { + in: [ + 'Microsoft.Compute/virtualMachines' + ] + kind: 'resourceType' + } + { + in: [ + 'westeurope' + ] + kind: 'resourceLocation' + } + ] + } +] +param roleDefinitionIds = [ + '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' +] +param subscriptionId = '' +param userAssignedIdentityId = '' +``` + +
+

+ +### Example 5: _Sub.Defaults_ + +

+ +via Bicep module + +```bicep +module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' = { + name: 'policyExemptionDeployment' + params: { + // Required parameters + name: 'apasubmin001' + location: '' + metadata: { + assignedBy: 'Bicep' + category: 'Security' + version: '1.0' + } + policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' + subscriptionId: '' + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "apasubmin001" + }, + "location": { + "value": "" + }, + "metadata": { + "value": { + "assignedBy": "Bicep", + "category": "Security", + "version": "1.0" + } + }, + "policyDefinitionId": { + "value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d" + }, + "subscriptionId": { + "value": "" + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/ptn/authorization/policy-exemption:' + +// Required parameters +param name = 'apasubmin001' +param location = '' +param metadata = { + assignedBy: 'Bicep' + category: 'Security' + version: '1.0' +} +param policyDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' +param subscriptionId = '' +``` + +
+

+ +### Example 6: _Sub.Max_ + +

+ +via Bicep module + +```bicep +module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' = { + name: 'policyExemptionDeployment' + params: { + // Required parameters + // Non-required parameters + name: 'apasubmax001' + description: '[Description] Policy Assignment at the subscription scope' + displayName: '[Display Name] Policy Assignment at the subscription scope' + enforcementMode: 'DoNotEnforce' + identity: 'UserAssigned' + location: '' + metadata: { + assignedBy: 'Bicep' + category: 'Security' + version: '1.0' + } + nonComplianceMessages: [ + { + message: 'Violated Policy Assignment - This is a Non Compliance Message' + } + ] + notScopes: [ + '/subscriptions//resourceGroups/validation-rg' + ] + overrides: [ + { + kind: 'policyEffect' + selectors: [ + { + in: [ + 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' + 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' + ] + kind: 'policyDefinitionReferenceId' + } + ] + value: 'Disabled' + } + ] + parameters: { + effect: { + value: 'Disabled' + } + enableCollectionOfSqlQueriesForSecurityResearch: { + value: false + } + } + policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' + resourceSelectors: [ + { + name: 'resourceSelector-test' + selectors: [ + { + in: [ + 'Microsoft.Compute/virtualMachines' + ] + kind: 'resourceType' + } + { + in: [ + 'westeurope' + ] + kind: 'resourceLocation' + } + ] + } + ] + roleDefinitionIds: [ + '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' + ] + subscriptionId: '' + userAssignedIdentityId: '' + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "apasubmax001" + }, + // Non-required parameters + "description": { + "value": "[Description] Policy Assignment at the subscription scope" + }, + "displayName": { + "value": "[Display Name] Policy Assignment at the subscription scope" + }, + "enforcementMode": { + "value": "DoNotEnforce" + }, + "identity": { + "value": "UserAssigned" + }, + "location": { + "value": "" + }, + "metadata": { + "value": { + "assignedBy": "Bicep", + "category": "Security", + "version": "1.0" + } + }, + "nonComplianceMessages": { + "value": [ + { + "message": "Violated Policy Assignment - This is a Non Compliance Message" + } + ] + }, + "notScopes": { + "value": [ + "/subscriptions//resourceGroups/validation-rg" + ] + }, + "overrides": { + "value": [ + { + "kind": "policyEffect", + "selectors": [ + { + "in": [ + "ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent", + "ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent" + ], + "kind": "policyDefinitionReferenceId" + } + ], + "value": "Disabled" + } + ] + }, + "parameters": { + "value": { + "effect": { + "value": "Disabled" + }, + "enableCollectionOfSqlQueriesForSecurityResearch": { + "value": false + } + } + }, + "policyDefinitionId": { + "value": "/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611" + }, + "resourceSelectors": { + "value": [ + { + "name": "resourceSelector-test", + "selectors": [ + { + "in": [ + "Microsoft.Compute/virtualMachines" + ], + "kind": "resourceType" + }, + { + "in": [ + "westeurope" + ], + "kind": "resourceLocation" + } + ] + } + ] + }, + "roleDefinitionIds": { + "value": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ] + }, + "subscriptionId": { + "value": "" 
+ }, + "userAssignedIdentityId": { + "value": "" + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/ptn/authorization/policy-exemption:' + +// Required parameters +// Non-required parameters +param name = 'apasubmax001' +param description = '[Description] Policy Assignment at the subscription scope' +param displayName = '[Display Name] Policy Assignment at the subscription scope' +param enforcementMode = 'DoNotEnforce' +param identity = 'UserAssigned' +param location = '' +param metadata = { + assignedBy: 'Bicep' + category: 'Security' + version: '1.0' +} +param nonComplianceMessages = [ + { + message: 'Violated Policy Assignment - This is a Non Compliance Message' + } +] +param notScopes = [ + '/subscriptions//resourceGroups/validation-rg' +] +param overrides = [ + { + kind: 'policyEffect' + selectors: [ + { + in: [ + 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' + 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' + ] + kind: 'policyDefinitionReferenceId' + } + ] + value: 'Disabled' + } +] +param parameters = { + effect: { + value: 'Disabled' + } + enableCollectionOfSqlQueriesForSecurityResearch: { + value: false + } +} +param policyDefinitionId = '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' +param resourceSelectors = [ + { + name: 'resourceSelector-test' + selectors: [ + { + in: [ + 'Microsoft.Compute/virtualMachines' + ] + kind: 'resourceType' + } + { + in: [ + 'westeurope' + ] + kind: 'resourceLocation' + } + ] + } +] +param roleDefinitionIds = [ + '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' +] +param subscriptionId = '' +param userAssignedIdentityId = '' ```
diff --git a/avm/ptn/authorization/policy-exemption/main.bicep b/avm/ptn/authorization/policy-exemption/main.bicep index a62bf4a7dc..b1b2bf747b 100644 --- a/avm/ptn/authorization/policy-exemption/main.bicep +++ b/avm/ptn/authorization/policy-exemption/main.bicep @@ -13,7 +13,7 @@ param name string 'DoNotValidate' 'Default' ]) -param assignmentScopeValidation string +param assignmentScopeValidation string = 'Default' @sys.description('Optional. This message will be part of response in case of policy violation.') param description string = '' @@ -30,9 +30,9 @@ param displayName string = '' param exemptionCategory string @sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption.') -@maxLength(32) -@minLength(32) -param expiresOn string +@maxLength(20) +@minLength(20) +param expiresOn string? @sys.description('Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.') param metadata object = {} @@ -92,7 +92,7 @@ module policyExemption_mg 'modules/management-group.bicep' = if (empty(subscript displayName: !empty(displayName) ? displayName : null assignmentScopeValidation: assignmentScopeValidation exemptionCategory: exemptionCategory - expiresOn: !empty(expiresOn) ? expiresOn : '' + expiresOn: expiresOn metadata: !empty(metadata) ? metadata : null policyAssignmentId: policyAssignmentId policyDefinitionReferenceIds: !empty(policyDefinitionReferenceIds) ? policyDefinitionReferenceIds : null 
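Review bot: In the `@@ -30,9 +30,9 @@` hunk the new `@minLength(20)`/`@maxLength(20)` pair on `expiresOn` still rejects well-formed values: the property is a date-time, so a timestamp with fractional seconds (constructed example `2024-10-10T15:23:33.000Z`, 24 characters) or an explicit offset is valid for the resource provider but fails template validation, and a length check does not verify the format anyway. I would drop both decorators and keep `param expiresOn string?`, leaving format validation to the resource provider, or state in the description exactly which 20-character shape is accepted. Since `expiresOn` is now nullable with no default, an exemption created without it — including a `Waiver` — never expires; the description should say so, e.g. `'Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. If omitted, the exemption does not expire.'`, so callers consciously decide on permanent exemptions. The same decorator change is repeated in the management-group, resource-group and subscription module hunks on the following lines; the `policyExemption_mg`/`_sub`/`_rg` module bodies that receive `expiresOn: expiresOn` start outside their hunks.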
@@ -109,7 +109,7 @@ module policyExemption_sub 'modules/subscription.bicep' = if (!empty(subscriptio displayName: !empty(displayName) ? displayName : null assignmentScopeValidation: assignmentScopeValidation exemptionCategory: exemptionCategory - expiresOn: !empty(expiresOn) ? expiresOn : '' + expiresOn: expiresOn metadata: !empty(metadata) ? metadata : null policyAssignmentId: policyAssignmentId policyDefinitionReferenceIds: !empty(policyDefinitionReferenceIds) ? policyDefinitionReferenceIds : null @@ -126,7 +126,7 @@ module policyExemption_rg 'modules/resource-group.bicep' = if (!empty(resourceGr displayName: !empty(displayName) ? displayName : null assignmentScopeValidation: assignmentScopeValidation exemptionCategory: exemptionCategory - expiresOn: !empty(expiresOn) ? expiresOn : '' + expiresOn: expiresOn metadata: !empty(metadata) ? metadata : null policyAssignmentId: policyAssignmentId policyDefinitionReferenceIds: !empty(policyDefinitionReferenceIds) ? policyDefinitionReferenceIds : null diff --git a/avm/ptn/authorization/policy-exemption/modules/management-group.bicep b/avm/ptn/authorization/policy-exemption/modules/management-group.bicep index eb5d13b81b..acb1bc7544 100644 --- a/avm/ptn/authorization/policy-exemption/modules/management-group.bicep +++ b/avm/ptn/authorization/policy-exemption/modules/management-group.bicep @@ -13,7 +13,7 @@ param name string 'DoNotValidate' 'Default' ]) -param assignmentScopeValidation string +param assignmentScopeValidation string = 'Default' @sys.description('Optional. This message will be part of response in case of policy violation.') param description string = '' 
@@ -30,9 +30,9 @@ param displayName string = ''
 param exemptionCategory string
 
 @sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption.')
-@maxLength(32)
-@minLength(32)
-param expiresOn string
+@maxLength(20)
+@minLength(20)
+param expiresOn string?
 
 @sys.description('Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
 param metadata object = {}
diff --git a/avm/ptn/authorization/policy-exemption/modules/resource-group.bicep b/avm/ptn/authorization/policy-exemption/modules/resource-group.bicep
index 43b720e473..e5878900e0 100644
--- a/avm/ptn/authorization/policy-exemption/modules/resource-group.bicep
+++ b/avm/ptn/authorization/policy-exemption/modules/resource-group.bicep
@@ -13,7 +13,7 @@ param name string
 'DoNotValidate'
 'Default'
 ])
-param assignmentScopeValidation string
+param assignmentScopeValidation string = 'Default'
 
 @sys.description('Optional. This message will be part of response in case of policy violation.')
 param description string = ''
@@ -30,9 +30,9 @@ param displayName string = ''
 param exemptionCategory string
 
 @sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption.')
-@maxLength(32)
-@minLength(32)
-param expiresOn string
+@maxLength(20)
+@minLength(20)
+param expiresOn string?
 
 @sys.description('Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
 param metadata object = {}
diff --git a/avm/ptn/authorization/policy-exemption/modules/subscription.bicep b/avm/ptn/authorization/policy-exemption/modules/subscription.bicep
index 7e74aa426d..01bd3ea9b1 100644
--- a/avm/ptn/authorization/policy-exemption/modules/subscription.bicep
+++ b/avm/ptn/authorization/policy-exemption/modules/subscription.bicep
@@ -13,7 +13,7 @@ param name string
 'DoNotValidate'
 'Default'
 ])
-param assignmentScopeValidation string
+param assignmentScopeValidation string = 'Default'
 
 @sys.description('Optional. This message will be part of response in case of policy violation.')
 param description string = ''
@@ -30,9 +30,9 @@ param displayName string = ''
 param exemptionCategory string
 
 @sys.description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption.')
-@maxLength(32)
-@minLength(32)
-param expiresOn string
+@maxLength(20)
+@minLength(20)
+param expiresOn string?
 
 @sys.description('Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
 param metadata object = {}
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/defaults/main.test.bicep
deleted file mode 100644
index 56af9ab567..0000000000
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/defaults/main.test.bicep
+++ /dev/null
@@ -1,48 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-// e.g., for a module 'network/private-endpoint' you could use 'dep-dev-network.privateendpoints-${serviceShort}-rg'
-param resourceGroupName string = 'dep-${namePrefix}---${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-// e.g., for a module 'network/private-endpoint' you could use 'npe' as a prefix and then 'waf' as a suffix for the waf-aligned test
-param serviceShort string = 'apedef'
-
-@description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.')
-param namePrefix string = '#_namePrefix_#'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: resourceLocation
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [
- for iteration in ['init', 'idem']: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
- params: {
- // You parameters go here
- name: '${namePrefix}${serviceShort}001'
- location: resourceLocation
- }
- }
-]
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep
new file mode 100644
index 0000000000..1e178ac60a
--- /dev/null
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep
@@ -0,0 +1,54 @@
+targetScope = 'managementGroup'
+metadata name = 'Policy Exemptions (Management Group scope)'
+metadata description = 'This module deploys a Policy Exemption at a Management Group scope using minimal parameters.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Required. The name of the policy assignment to deploy.')
+param policyAssignmentName string = 'audit-vm-managed-disks'
+
+@description('Required. The policy definition ID to assign the policy to.')
+param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
+
+@description('Optional. The display name of the policy.')
+param policyDisplayName string = 'Audit VM managed disks'
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'apemgmin'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+// ============== //
+// Test Execution //
+// ============== //
+
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = {
+ name: policyAssignmentName
+ scope: managementGroup()
+ properties: {
+ policyDefinitionId: policyDefinitionID
+ description: 'Policy assignment to resource group scope created with Bicep file'
+ displayName: policyDisplayName
+ enforcementMode: 'DoNotEnforce'
+ nonComplianceMessages: [
+ {
+ message: 'Virtual machines should use managed disks'
+ }
+ ]
+ }
+}
+
+module testDeployment '../../../main.bicep' = {
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}'
+ params: {
+ name: '${namePrefix}${serviceShort}001'
+ exemptionCategory: 'Mitigated'
+ policyAssignmentId: policyAssignment.id
+ }
+}
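Review bot: `policyAssignmentName` and `policyDefinitionID` are described as `Required.` although both carry defaults, so the generated README will list them under the wrong heading; the other parameters in this file follow the AVM convention of `Optional.` for anything with a default, e.g. `@description('Optional. The name of the policy assignment to deploy.')` and `@description('Optional. The policy definition ID to assign the policy to.')`. The assignment's `description` property reads `Policy assignment to resource group scope created with Bicep file` in a management-group-scoped test, which looks like a copy-paste leftover. The removed defaults test deployed the module twice (`init`/`idem`) under `@batchSize(1)` to check idempotency; this replacement deploys once, so if the repository's CI relies on that second pass the loop should come back.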
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep
new file mode 100644
index 0000000000..fe84f51e4a
--- /dev/null
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep
@@ -0,0 +1,54 @@
+targetScope = 'managementGroup'
+metadata name = 'Policy Assignments (Management Group scope)'
+metadata description = 'This module deploys a Policy Assignment at a Management Group scope using common parameters.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the management group to deploy for testing purposes.')
+param policyAssignmentName string = 'audit-vm-managed-disks'
+
+@description('Optional. The policy definition ID to assign the policy to.')
+param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
+
+@description('Optional. The display name of the policy.')
+param policyDisplayName string = 'Audit VM managed disks'
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'apemgmax'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+// ============== //
+// Test Execution //
+// ============== //
+
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = {
+ name: policyAssignmentName
+ scope: managementGroup()
+ properties: {
+ policyDefinitionId: policyDefinitionID
+ description: 'Policy assignment to resource group scope created with Bicep file'
+ displayName: policyDisplayName
+ enforcementMode: 'DoNotEnforce'
+ nonComplianceMessages: [
+ {
+ message: 'Virtual machines should use managed disks'
+ }
+ ]
+ }
+}
+
+module testDeployment '../../../main.bicep' = {
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}'
+ params: {
+ name: '${namePrefix}${serviceShort}001'
+ exemptionCategory: 'Mitigated'
+ policyAssignmentId: policyAssignment.id
+ }
+}
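Review bot: The `testDeployment` module in this mg.max test passes only `name`, `exemptionCategory` and `policyAssignmentId`, the same three parameters as the mg.defaults test, so the "common parameters" promised in `metadata description` are never exercised and the `expiresOn` length constraint introduced in main.bicep has no deployment test at all. `metadata name` also reads `Policy Assignments (Management Group scope)` for a module that deploys an exemption, and because the generated README takes its example headings from this value, something like `Policy Exemptions (Management Group scope, common parameters)` would keep the headings distinct. The `policyAssignmentName` description, `The name of the management group to deploy for testing purposes.`, describes a different parameter. The rg.max and sub.max tests below repeat the same three-parameter call and the same naming. A max test that actually covers the optional parameters visible in the main.bicep module calls could look like the following, with the `expiresOn` value being a constructed sample.
```bicep
module testDeployment '../../../main.bicep' = {
  name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}'
  params: {
    name: '${namePrefix}${serviceShort}001'
    exemptionCategory: 'Mitigated'
    policyAssignmentId: policyAssignment.id
    assignmentScopeValidation: 'Default'
    description: '[Description] Policy Exemption at the management group scope'
    displayName: '[Display Name] Policy Exemption at the management group scope'
    expiresOn: '2030-01-01T00:00:00Z' // sample value: a future timestamp in yyyy-MM-ddTHH:mm:ssZ form
    metadata: {
      assignedBy: 'Bicep'
    }
  }
}
```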
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep
new file mode 100644
index 0000000000..310bd7b10e
--- /dev/null
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep
@@ -0,0 +1,54 @@
+targetScope = 'managementGroup'
+metadata name = 'Policy Assignments (Resource Group)'
+metadata description = 'This module deploys a Policy Assignment at a Resource Group scope using minimal parameters.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the management group to deploy for testing purposes.')
+param policyAssignmentName string = 'audit-vm-managed-disks'
+
+@description('Optional. The policy definition ID to assign the policy to.')
+param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
+
+@description('Optional. The display name of the policy.')
+param policyDisplayName string = 'Audit VM managed disks'
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'apergmin'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+// ============== //
+// Test Execution //
+// ============== //
+
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = {
+ name: policyAssignmentName
+ scope: managementGroup()
+ properties: {
+ policyDefinitionId: policyDefinitionID
+ description: 'Policy assignment to resource group scope created with Bicep file'
+ displayName: policyDisplayName
+ enforcementMode: 'DoNotEnforce'
+ nonComplianceMessages: [
+ {
+ message: 'Virtual machines should use managed disks'
+ }
+ ]
+ }
+}
+
+module testDeployment '../../../main.bicep' = {
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}'
+ params: {
+ name: '${namePrefix}${serviceShort}001'
+ exemptionCategory: 'Mitigated'
+ policyAssignmentId: policyAssignment.id
+ }
+}
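Review bot: This rg.defaults test, and likewise rg.max, sub.defaults and sub.max below, sets `targetScope = 'managementGroup'`, creates the assignment with `scope: managementGroup()` and passes nothing but `name`, `exemptionCategory` and `policyAssignmentId` to `testDeployment`, so under the `if (empty(subscript…` / `if (!empty(subscriptio…` / `if (!empty(resourceGr…` conditions visible in the main.bicep hunk headers all four appear to take the management-group branch, and `modules/resource-group.bicep` and `modules/subscription.bicep` are exercised by no test despite the titles. A resource-group test needs the subscription and resource-group selector parameters of main.bicep (their names are truncated in the hunk headers) set to a real target, and an assignment scoped to match, before it can claim to cover that path; the same holds for the subscription tests with the subscription selector. The `metadata name` values should then also name the scope they cover, e.g. `Policy Exemptions (Resource Group scope)` here, so the README example headings stop duplicating each other.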
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep
new file mode 100644
index 0000000000..c7131004a2
--- /dev/null
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep
@@ -0,0 +1,54 @@
+targetScope = 'managementGroup'
+metadata name = 'Policy Assignments (Resource Group)'
+metadata description = 'This module deploys a Policy Assignment at a Resource Group scope using common parameters.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the management group to deploy for testing purposes.')
+param policyAssignmentName string = 'audit-vm-managed-disks'
+
+@description('Optional. The policy definition ID to assign the policy to.')
+param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
+
+@description('Optional. The display name of the policy.')
+param policyDisplayName string = 'Audit VM managed disks'
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'apergmax'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+// ============== //
+// Test Execution //
+// ============== //
+
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = {
+ name: policyAssignmentName
+ scope: managementGroup()
+ properties: {
+ policyDefinitionId: policyDefinitionID
+ description: 'Policy assignment to resource group scope created with Bicep file'
+ displayName: policyDisplayName
+ enforcementMode: 'DoNotEnforce'
+ nonComplianceMessages: [
+ {
+ message: 'Virtual machines should use managed disks'
+ }
+ ]
+ }
+}
+
+module testDeployment '../../../main.bicep' = {
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}'
+ params: {
+ name: '${namePrefix}${serviceShort}001'
+ exemptionCategory: 'Mitigated'
+ policyAssignmentId: policyAssignment.id
+ }
+}
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep
new file mode 100644
index 0000000000..b82d665094
--- /dev/null
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep
@@ -0,0 +1,54 @@
+targetScope = 'managementGroup'
+metadata name = 'Policy Assignments (Subscription)'
+metadata description = 'This module deploys a Policy Assignment at a Subscription scope using common parameters.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the management group to deploy for testing purposes.')
+param policyAssignmentName string = 'audit-vm-managed-disks'
+
+@description('Optional. The policy definition ID to assign the policy to.')
+param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
+
+@description('Optional. The display name of the policy.')
+param policyDisplayName string = 'Audit VM managed disks'
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'apesubmin'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+// ============== //
+// Test Execution //
+// ============== //
+
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = {
+ name: policyAssignmentName
+ scope: managementGroup()
+ properties: {
+ policyDefinitionId: policyDefinitionID
+ description: 'Policy assignment to resource group scope created with Bicep file'
+ displayName: policyDisplayName
+ enforcementMode: 'DoNotEnforce'
+ nonComplianceMessages: [
+ {
+ message: 'Virtual machines should use managed disks'
+ }
+ ]
+ }
+}
+
+module testDeployment '../../../main.bicep' = {
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}'
+ params: {
+ name: '${namePrefix}${serviceShort}001'
+ exemptionCategory: 'Mitigated'
+ policyAssignmentId: policyAssignment.id
+ }
+}
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep
new file mode 100644
index 0000000000..57581c355a
--- /dev/null
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep
@@ -0,0 +1,54 @@
+targetScope = 'managementGroup'
+metadata name = 'Policy Assignments (Subscription)'
+metadata description = 'This module deploys a Policy Assignment at a Subscription scope using common parameters.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the management group to deploy for testing purposes.')
+param policyAssignmentName string = 'audit-vm-managed-disks'
+
+@description('Optional. The policy definition ID to assign the policy to.')
+param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
+
+@description('Optional. The display name of the policy.')
+param policyDisplayName string = 'Audit VM managed disks'
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'apesubmax'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+// ============== //
+// Test Execution //
+// ============== //
+
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = {
+ name: policyAssignmentName
+ scope: managementGroup()
+ properties: {
+ policyDefinitionId: policyDefinitionID
+ description: 'Policy assignment to resource group scope created with Bicep file'
+ displayName: policyDisplayName
+ enforcementMode: 'DoNotEnforce'
+ nonComplianceMessages: [
+ {
+ message: 'Virtual machines should use managed disks'
+ }
+ ]
+ }
+}
+
+module testDeployment '../../../main.bicep' = {
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}'
+ params: {
+ name: '${namePrefix}${serviceShort}001'
+ exemptionCategory: 'Mitigated'
+ policyAssignmentId: policyAssignment.id
+ }
+}
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep
deleted file mode 100644
index 295de7aabe..0000000000
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep
+++ /dev/null
@@ -1,48 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-// e.g., for a module 'network/private-endpoint' you could use 'dep-dev-network.privateendpoints-${serviceShort}-rg'
-param resourceGroupName string = 'dep-${namePrefix}---${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param resourceLocation string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-// e.g., for a module 'network/private-endpoint' you could use 'npe' as a prefix and then 'waf' as a suffix for the waf-aligned test
-param serviceShort string = 'apewaf'
-
-@description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.')
-param namePrefix string = '#_namePrefix_#'
-
-// ============ //
-// Dependencies //
-// ============ //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: resourceLocation
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-@batchSize(1)
-module testDeployment '../../../main.bicep' = [
- for iteration in ['init', 'idem']: {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
- params: {
- // You parameters go here
- name: '${namePrefix}${serviceShort}001'
- location: resourceLocation
- }
- }
-]
From af7a95585e4c0a8c694fefdf53b794203873e85b Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Tue, 15 Oct 2024 14:52:27 -0500 Subject: [PATCH 03/18] Fix issues with tests --- .github/CODEOWNERS | 1 + .../authorization/policy-exemption/README.md | 937 +++--------------- .../authorization/policy-exemption/main.json | 82 +- 3 files changed, 199 insertions(+), 821 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index da1572ec12..3b416d9ba3 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -6,6 +6,7 @@ /avm/ptn/aca-lza/hosting-environment/ @Azure/avm-ptn-acalza-hostingenvironment-module-owners-bicep @Azure/avm-module-reviewers-bicep /avm/ptn/ai-platform/baseline/ @Azure/avm-ptn-aiplatform-baseline-module-owners-bicep @Azure/avm-module-reviewers-bicep /avm/ptn/authorization/policy-assignment/ @Azure/avm-ptn-authorization-policyassignment-module-owners-bicep @Azure/avm-module-reviewers-bicep +/avm/ptn/authorization/policy-exemption/ @Azure/avm-ptn-authorization-policyexemption-module-owners-bicep @Azure/avm-module-reviewers-bicep /avm/ptn/authorization/resource-role-assignment/ @Azure/avm-ptn-authorization-resourceroleassignment-module-owners-bicep @Azure/avm-module-reviewers-bicep /avm/ptn/authorization/role-assignment/ @Azure/avm-ptn-authorization-roleassignment-module-owners-bicep @Azure/avm-module-reviewers-bicep #/avm/ptn/avd-lza/insights/ @Azure/avm-ptn-avd-lza-insights-module-owners-bicep @Azure/avm-module-reviewers-bicep diff --git a/avm/ptn/authorization/policy-exemption/README.md b/avm/ptn/authorization/policy-exemption/README.md index a5230818c4..95b1356c5b 100644 --- a/avm/ptn/authorization/policy-exemption/README.md +++ b/avm/ptn/authorization/policy-exemption/README.md 
@@ -24,14 +24,18 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/authorization/policy-exemption:`. -- [Mg.Defaults](#example-1-mgdefaults) -- [Mg.Max](#example-2-mgmax) -- [Rg.Defaults](#example-3-rgdefaults) -- [Rg.Max](#example-4-rgmax) -- [Sub.Defaults](#example-5-subdefaults) -- [Sub.Max](#example-6-submax) +- [Policy Exemptions (Management Group scope)](#example-1-policy-exemptions-management-group-scope) +- [Policy Assignments (Management Group scope)](#example-2-policy-assignments-management-group-scope) +- [Policy Assignments (Resource Group)](#example-3-policy-assignments-resource-group) +- [Policy Assignments (Resource Group)](#example-4-policy-assignments-resource-group) +- [Policy Assignments (Subscription)](#example-5-policy-assignments-subscription) +- [Policy Assignments (Subscription)](#example-6-policy-assignments-subscription) +- [Waf-Aligned](#example-7-waf-aligned) + +### Example 1: _Policy Exemptions (Management Group scope)_ + +This module deploys a Policy Exemption at a Management Group scope using minimal parameters. -### Example 1: _Mg.Defaults_
@@ -42,11 +46,9 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' } } ``` @@ -64,20 +66,14 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" } } } @@ -94,17 +90,18 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' // Required parameters -param assignmentScopeValidation = 'Default' param exemptionCategory = 'Mitigated' -param expiresOn = '2023-10-05T14:48:00Z' param name = 'apemgmin001' -param policyAssignmentId = 'test' +param policyAssignmentId = '' ```

-### Example 2: _Mg.Max_ +### Example 2: _Policy Assignments (Management Group scope)_ + +This module deploys a Policy Assignment at a Management Group scope using common parameters. +

@@ -115,73 +112,9 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' - managementGroupId: '' - metadata: { - assignedBy: 'Bicep' - category: 'Security' - version: '1.0' - } - nonComplianceMessages: [ - { - message: 'Violated Policy Assignment - This is a Non Compliance Message' - } - ] - notScopes: [ - '/subscriptions//resourceGroups/validation-rg' - ] - overrides: [ - { - kind: 'policyEffect' - selectors: [ - { - in: [ - 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' - 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' - ] - kind: 'policyDefinitionReferenceId' - } - ] - value: 'Disabled' - } - ] - parameters: { - effect: { - value: 'Disabled' - } - enableCollectionOfSqlQueriesForSecurityResearch: { - value: false - } - } - policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' - resourceSelectors: [ - { - name: 'resourceSelector-test' - selectors: [ - { - in: [ - 'Microsoft.Compute/virtualMachines' - ] - kind: 'resourceType' - } - { - in: [ - 'westeurope' - ] - kind: 'resourceLocation' - } - ] - } - ] - roleDefinitionIds: [ - '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' - ] + exemptionCategory: 'Mitigated' + name: 'apemgmax001' + policyAssignmentId: '' } } ``` 
@@ -199,102 +132,14 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" - }, - "managementGroupId": { - "value": "" - }, - "metadata": { - "value": { - "assignedBy": "Bicep", - "category": "Security", - "version": "1.0" - } - }, - "nonComplianceMessages": { - "value": [ - { - "message": "Violated Policy Assignment - This is a Non Compliance Message" - } - ] - }, - "notScopes": { - "value": [ - "/subscriptions//resourceGroups/validation-rg" - ] - }, - "overrides": { - "value": [ - { - "kind": "policyEffect", - "selectors": [ - { - "in": [ - "ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent", - "ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent" - ], - "kind": "policyDefinitionReferenceId" - } - ], - "value": "Disabled" - } - ] - }, - "parameters": { - "value": { - "effect": { - "value": "Disabled" - }, - "enableCollectionOfSqlQueriesForSecurityResearch": { - "value": false - } - } - }, - "policyDefinitionId": { - "value": "/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611" + "exemptionCategory": { + "value": "Mitigated" }, - "resourceSelectors": { - "value": [ - { - "name": "resourceSelector-test", - "selectors": [ - { - "in": [ - "Microsoft.Compute/virtualMachines" - ], - "kind": "resourceType" - }, - { - "in": [ - "westeurope" - ], - "kind": "resourceLocation" - } - ] - } - ] + "name": { + "value": "apemgmax001" }, - "roleDefinitionIds": { - "value": [ - "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" - ] + "policyAssignmentId": { + "value": "" } } } 
@@ -311,79 +156,18 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' // Required parameters -// Non-required parameters -param name = 'apamgmax001' -param description = '[Description] Policy Assignment at the management group scope' -param displayName = '[Display Name] Policy Assignment at the management group scope' -param enforcementMode = 'DoNotEnforce' -param identity = 'SystemAssigned' -param location = '' -param managementGroupId = '' -param metadata = { - assignedBy: 'Bicep' - category: 'Security' - version: '1.0' -} -param nonComplianceMessages = [ - { - message: 'Violated Policy Assignment - This is a Non Compliance Message' - } -] -param notScopes = [ - '/subscriptions//resourceGroups/validation-rg' -] -param overrides = [ - { - kind: 'policyEffect' - selectors: [ - { - in: [ - 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' - 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' - ] - kind: 'policyDefinitionReferenceId' - } - ] - value: 'Disabled' - } -] -param parameters = { - effect: { - value: 'Disabled' - } - enableCollectionOfSqlQueriesForSecurityResearch: { - value: false - } -} -param policyDefinitionId = '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' -param resourceSelectors = [ - { - name: 'resourceSelector-test' - selectors: [ - { - in: [ - 'Microsoft.Compute/virtualMachines' - ] - kind: 'resourceType' - } - { - in: [ - 'westeurope' - ] - kind: 'resourceLocation' - } - ] - } -] -param roleDefinitionIds = [ - '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' -] +param exemptionCategory = 'Mitigated' +param name = 'apemgmax001' +param policyAssignmentId = '' ```

-### Example 3: _Rg.Defaults_ +### Example 3: _Policy Assignments (Resource Group)_ + +This module deploys a Policy Assignment at a Resource Group scope using minimal parameters. +

@@ -394,15 +178,9 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' - metadata: { - assignedBy: 'Bicep' - } - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' - resourceGroupName: '' - subscriptionId: '' + exemptionCategory: 'Mitigated' + name: 'apergmin001' + policyAssignmentId: '' } } ``` @@ -420,26 +198,14 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" - }, - "metadata": { - "value": { - "assignedBy": "Bicep" - } - }, - "policyDefinitionId": { - "value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d" + "exemptionCategory": { + "value": "Mitigated" }, - "resourceGroupName": { - "value": "" + "name": { + "value": "apergmin001" }, - "subscriptionId": { - "value": "" + "policyAssignmentId": { + "value": "" } } } @@ -456,21 +222,18 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' // Required parameters -// Non-required parameters -param name = 'apargmin001' -param location = '' -param metadata = { - assignedBy: 'Bicep' -} -param policyDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' -param resourceGroupName = '' -param subscriptionId = '' +param exemptionCategory = 'Mitigated' +param name = 'apergmin001' +param policyAssignmentId = '' ```

-### Example 4: _Rg.Max_ +### Example 4: _Policy Assignments (Resource Group)_ + +This module deploys a Policy Assignment at a Resource Group scope using common parameters. +

@@ -481,75 +244,9 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' - metadata: { - assignedBy: 'Bicep' - category: 'Security' - version: '1.0' - } - nonComplianceMessages: [ - { - message: 'Violated Policy Assignment - This is a Non Compliance Message' - } - ] - notScopes: [ - '' - ] - overrides: [ - { - kind: 'policyEffect' - selectors: [ - { - in: [ - 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' - 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' - ] - kind: 'policyDefinitionReferenceId' - } - ] - value: 'Disabled' - } - ] - parameters: { - effect: { - value: 'Disabled' - } - enableCollectionOfSqlQueriesForSecurityResearch: { - value: false - } - } - policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' - resourceGroupName: '' - resourceSelectors: [ - { - name: 'resourceSelector-test' - selectors: [ - { - in: [ - 'Microsoft.Compute/virtualMachines' - ] - kind: 'resourceType' - } - { - in: [ - 'westeurope' - ] - kind: 'resourceLocation' - } - ] - } - ] - roleDefinitionIds: [ - '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' - ] - subscriptionId: '' - userAssignedIdentityId: '' + exemptionCategory: 'Mitigated' + name: 'apergmax001' + policyAssignmentId: '' } } ``` 
@@ -567,108 +264,14 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" - }, - "metadata": { - "value": { - "assignedBy": "Bicep", - "category": "Security", - "version": "1.0" - } - }, - "nonComplianceMessages": { - "value": [ - { - "message": "Violated Policy Assignment - This is a Non Compliance Message" - } - ] - }, - "notScopes": { - "value": [ - "" - ] - }, - "overrides": { - "value": [ - { - "kind": "policyEffect", - "selectors": [ - { - "in": [ - "ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent", - "ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent" - ], - "kind": "policyDefinitionReferenceId" - } - ], - "value": "Disabled" - } - ] - }, - "parameters": { - "value": { - "effect": { - "value": "Disabled" - }, - "enableCollectionOfSqlQueriesForSecurityResearch": { - "value": false - } - } - }, - "policyDefinitionId": { - "value": "/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611" - }, - "resourceGroupName": { - "value": "" - }, - "resourceSelectors": { - "value": [ - { - "name": "resourceSelector-test", - "selectors": [ - { - "in": [ - "Microsoft.Compute/virtualMachines" - ], - "kind": "resourceType" - }, - { - "in": [ - "westeurope" - ], - "kind": "resourceLocation" - } - ] - } - ] - }, - "roleDefinitionIds": { - "value": [ - "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" - ] + "exemptionCategory": { + "value": "Mitigated" }, - "subscriptionId": { - "value": "" + "name": { + "value": "apergmax001" }, - "userAssignedIdentityId": { - "value": "" + "policyAssignmentId": { + "value": "" } } } 
@@ -685,81 +288,84 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' // Required parameters -// Non-required parameters -param name = 'apargmax001' -param description = '[Description] Policy Assignment at the resource group scope' -param displayName = '[Display Name] Policy Assignment at the resource group scope' -param enforcementMode = 'DoNotEnforce' -param identity = 'UserAssigned' -param location = '' -param metadata = { - assignedBy: 'Bicep' - category: 'Security' - version: '1.0' -} -param nonComplianceMessages = [ - { - message: 'Violated Policy Assignment - This is a Non Compliance Message' - } -] -param notScopes = [ - '' -] -param overrides = [ - { - kind: 'policyEffect' - selectors: [ - { - in: [ - 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' - 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' - ] - kind: 'policyDefinitionReferenceId' - } - ] - value: 'Disabled' - } -] -param parameters = { - effect: { - value: 'Disabled' - } - enableCollectionOfSqlQueriesForSecurityResearch: { - value: false +param exemptionCategory = 'Mitigated' +param name = 'apergmax001' +param policyAssignmentId = '' +``` + +
+

+ +### Example 5: _Policy Assignments (Subscription)_ + +This module deploys a Policy Assignment at a Subscription scope using common parameters. + + +

+ +via Bicep module + +```bicep +module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' = { + name: 'policyExemptionDeployment' + params: { + // Required parameters + exemptionCategory: 'Mitigated' + name: 'apesubmin001' + policyAssignmentId: '' } } -param policyDefinitionId = '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' -param resourceGroupName = '' -param resourceSelectors = [ - { - name: 'resourceSelector-test' - selectors: [ - { - in: [ - 'Microsoft.Compute/virtualMachines' - ] - kind: 'resourceType' - } - { - in: [ - 'westeurope' - ] - kind: 'resourceLocation' - } - ] +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "exemptionCategory": { + "value": "Mitigated" + }, + "name": { + "value": "apesubmin001" + }, + "policyAssignmentId": { + "value": "" + } } -] -param roleDefinitionIds = [ - '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' -] -param subscriptionId = '' -param userAssignedIdentityId = '' +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/ptn/authorization/policy-exemption:' + +// Required parameters +param exemptionCategory = 'Mitigated' +param name = 'apesubmin001' +param policyAssignmentId = '' ```

-### Example 5: _Sub.Defaults_
+### Example 6: _Policy Assignments (Subscription)_
+This module deploys a Policy Assignment at a Subscription scope using common parameters.
+

@@ -770,15 +376,9 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' - metadata: { - assignedBy: 'Bicep' - category: 'Security' - version: '1.0' - } - policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' - subscriptionId: '' + exemptionCategory: 'Mitigated' + name: 'apesubmax001' + policyAssignmentId: '' } } ``` @@ -796,24 +396,14 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" - }, - "metadata": { - "value": { - "assignedBy": "Bicep", - "category": "Security", - "version": "1.0" - } + "exemptionCategory": { + "value": "Mitigated" }, - "policyDefinitionId": { - "value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d" + "name": { + "value": "apesubmax001" }, - "subscriptionId": { - "value": "" + "policyAssignmentId": { + "value": "" } } } @@ -830,21 +420,15 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' // Required parameters -param name = 'apasubmin001' -param location = '' -param metadata = { - assignedBy: 'Bicep' - category: 'Security' - version: '1.0' -} -param policyDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' -param subscriptionId = '' +param exemptionCategory = 'Mitigated' +param name = 'apesubmax001' +param policyAssignmentId = '' ```

-### Example 6: _Sub.Max_
+### Example 7: _Waf-Aligned_

@@ -855,74 +439,8 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' - metadata: { - assignedBy: 'Bicep' - category: 'Security' - version: '1.0' - } - nonComplianceMessages: [ - { - message: 'Violated Policy Assignment - This is a Non Compliance Message' - } - ] - notScopes: [ - '/subscriptions//resourceGroups/validation-rg' - ] - overrides: [ - { - kind: 'policyEffect' - selectors: [ - { - in: [ - 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' - 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' - ] - kind: 'policyDefinitionReferenceId' - } - ] - value: 'Disabled' - } - ] - parameters: { - effect: { - value: 'Disabled' - } - enableCollectionOfSqlQueriesForSecurityResearch: { - value: false - } - } - policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' - resourceSelectors: [ - { - name: 'resourceSelector-test' - selectors: [ - { - in: [ - 'Microsoft.Compute/virtualMachines' - ] - kind: 'resourceType' - } - { - in: [ - 'westeurope' - ] - kind: 'resourceLocation' - } - ] - } - ] - roleDefinitionIds: [ - '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' - ] - subscriptionId: '' - userAssignedIdentityId: '' } } ``` 
@@ -941,104 +459,10 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" - }, - "metadata": { - "value": { - "assignedBy": "Bicep", - "category": "Security", - "version": "1.0" - } - }, - "nonComplianceMessages": { - "value": [ - { - "message": "Violated Policy Assignment - This is a Non Compliance Message" - } - ] - }, - "notScopes": { - "value": [ - "/subscriptions//resourceGroups/validation-rg" - ] - }, - "overrides": { - "value": [ - { - "kind": "policyEffect", - "selectors": [ - { - "in": [ - "ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent", - "ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent" - ], - "kind": "policyDefinitionReferenceId" - } - ], - "value": "Disabled" - } - ] - }, - "parameters": { - "value": { - "effect": { - "value": "Disabled" - }, - "enableCollectionOfSqlQueriesForSecurityResearch": { - "value": false - } - } - }, - "policyDefinitionId": { - "value": "/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611" - }, - "resourceSelectors": { - "value": [ - { - "name": "resourceSelector-test", - "selectors": [ - { - "in": [ - "Microsoft.Compute/virtualMachines" - ], - "kind": "resourceType" - }, - { - "in": [ - "westeurope" - ], - "kind": "resourceLocation" - } - ] - } - ] - }, - "roleDefinitionIds": { - "value": [ - "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" - ] - }, - "subscriptionId": { - "value": "" - }, - "userAssignedIdentityId": { - "value": "" } } } 
@@ -1055,74 +479,8 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' // Required parameters -// Non-required parameters -param name = 'apasubmax001' -param description = '[Description] Policy Assignment at the subscription scope' -param displayName = '[Display Name] Policy Assignment at the subscription scope' -param enforcementMode = 'DoNotEnforce' -param identity = 'UserAssigned' +param name = 'apewaf001' param location = '' -param metadata = { - assignedBy: 'Bicep' - category: 'Security' - version: '1.0' -} -param nonComplianceMessages = [ - { - message: 'Violated Policy Assignment - This is a Non Compliance Message' - } -] -param notScopes = [ - '/subscriptions//resourceGroups/validation-rg' -] -param overrides = [ - { - kind: 'policyEffect' - selectors: [ - { - in: [ - 'ASC_DeployAzureDefenderForSqlAdvancedThreatProtectionWindowsAgent' - 'ASC_DeployAzureDefenderForSqlVulnerabilityAssessmentWindowsAgent' - ] - kind: 'policyDefinitionReferenceId' - } - ] - value: 'Disabled' - } -] -param parameters = { - effect: { - value: 'Disabled' - } - enableCollectionOfSqlQueriesForSecurityResearch: { - value: false - } -} -param policyDefinitionId = '/providers/Microsoft.Authorization/policySetDefinitions/39a366e6-fdde-4f41-bbf8-3757f46d1611' -param resourceSelectors = [ - { - name: 'resourceSelector-test' - selectors: [ - { - in: [ - 'Microsoft.Compute/virtualMachines' - ] - kind: 'resourceType' - } - { - in: [ - 'westeurope' - ] - kind: 'resourceLocation' - } - ] - } -] -param roleDefinitionIds = [ - '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' -] -param subscriptionId = '' -param userAssignedIdentityId = '' ```
@@ -1187,8 +545,9 @@ Specifies the ID of the policy assignment that is being exempted.
 The option to validate whether the exemption is at or under the assignment scope.
-- Required: Yes
+- Required: No
 - Type: string
+- Default: `'Default'`
 - Allowed:
 ```Bicep
 [
@@ -1225,7 +584,7 @@ Enable/Disable usage telemetry for module.
 The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption.
-- Required: Yes
+- Required: No
 - Type: string
 ### Parameter: `location`
diff --git a/avm/ptn/authorization/policy-exemption/main.json b/avm/ptn/authorization/policy-exemption/main.json
index 03ddf3caa4..c0685a2711 100644
--- a/avm/ptn/authorization/policy-exemption/main.json
+++ b/avm/ptn/authorization/policy-exemption/main.json
@@ -1,11 +1,12 @@
 { "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.30.23.60470", - "templateHash": "16386010349106137044" + "templateHash": "15106257799829448772" }, "name": "Policy Exemptions (All scopes)", "description": "This module deploys a Policy Exemption at a Management Group, Subscription or Resource Group scope.",
@@ -21,6 +22,7 @@
 }, "assignmentScopeValidation": { "type": "string", + "defaultValue": "Default", "allowedValues": [ "DoNotValidate", "Default"
@@ -56,8 +58,9 @@
 }, "expiresOn": { "type": "string", - "minLength": 32, - "maxLength": 32, + "nullable": true, + "minLength": 20, + "maxLength": 20, "metadata": { "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption." }
@@ -125,8 +128,8 @@
 } } }, - "resources": [ - { + "resources": { + "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2024-03-01",
@@ -147,7 +150,7 @@ } } }, - { + "policyExemption_mg": { "condition": "[and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -171,7 +174,9 @@ "exemptionCategory": { "value": "[parameters('exemptionCategory')]" }, - "expiresOn": "[if(not(empty(parameters('expiresOn'))), createObject('value', parameters('expiresOn')), createObject('value', ''))]", + "expiresOn": { + "value": "[parameters('expiresOn')]" + }, "metadata": "[if(not(empty(parameters('metadata'))), createObject('value', parameters('metadata')), createObject('value', null()))]", "policyAssignmentId": { "value": "[parameters('policyAssignmentId')]" @@ -181,12 +186,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.30.23.60470", - "templateHash": "10692808437895827112" + "templateHash": "8945677207858981388" }, "name": "Policy Exemptions (Management Group scope)", "description": "This module deploys a policy exemption at a Management Group scope.", @@ -202,6 +208,7 @@ }, "assignmentScopeValidation": { "type": "string", + "defaultValue": "Default", "allowedValues": [ "DoNotValidate", "Default" @@ -237,8 +244,9 @@ }, "expiresOn": { "type": "string", - "minLength": 32, - "maxLength": 32, + "nullable": true, + "minLength": 20, + "maxLength": 20, "metadata": { "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption." } @@ -271,8 +279,8 @@ } } }, - "resources": [ - { + "resources": { + "policyExemption": { "type": "Microsoft.Authorization/policyExemptions", "apiVersion": "2022-07-01-preview", "name": "[parameters('name')]", 
@@ -288,7 +296,7 @@ "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), parameters('resourceSelectors'), null())]" } } - ], + }, "outputs": { "name": { "type": "string", @@ -308,7 +316,7 @@ } } }, - { + "policyExemption_sub": { "condition": "[and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -332,7 +340,9 @@ "exemptionCategory": { "value": "[parameters('exemptionCategory')]" }, - "expiresOn": "[if(not(empty(parameters('expiresOn'))), createObject('value', parameters('expiresOn')), createObject('value', ''))]", + "expiresOn": { + "value": "[parameters('expiresOn')]" + }, "metadata": "[if(not(empty(parameters('metadata'))), createObject('value', parameters('metadata')), createObject('value', null()))]", "policyAssignmentId": { "value": "[parameters('policyAssignmentId')]" @@ -342,12 +352,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.30.23.60470", - "templateHash": "6471026360194122026" + "templateHash": "15824117815009455792" }, "name": "Policy Exemptions (Subscription scope)", "description": "This module deploys a policy exemption at a Subscription scope.", @@ -363,6 +374,7 @@ }, "assignmentScopeValidation": { "type": "string", + "defaultValue": "Default", "allowedValues": [ "DoNotValidate", "Default" @@ -398,8 +410,9 @@ }, "expiresOn": { "type": "string", - "minLength": 32, - "maxLength": 32, + "nullable": true, + "minLength": 20, + "maxLength": 20, "metadata": { "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption." } 
@@ -432,8 +445,8 @@ } } }, - "resources": [ - { + "resources": { + "policyExemption": { "type": "Microsoft.Authorization/policyExemptions", "apiVersion": "2022-07-01-preview", "name": "[parameters('name')]", @@ -449,7 +462,7 @@ "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), parameters('resourceSelectors'), null())]" } } - ], + }, "outputs": { "name": { "type": "string", @@ -469,7 +482,7 @@ } } }, - { + "policyExemption_rg": { "condition": "[and(not(empty(parameters('resourceGroupName'))), not(empty(parameters('subscriptionId'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", @@ -493,7 +506,9 @@ "exemptionCategory": { "value": "[parameters('exemptionCategory')]" }, - "expiresOn": "[if(not(empty(parameters('expiresOn'))), createObject('value', parameters('expiresOn')), createObject('value', ''))]", + "expiresOn": { + "value": "[parameters('expiresOn')]" + }, "metadata": "[if(not(empty(parameters('metadata'))), createObject('value', parameters('metadata')), createObject('value', null()))]", "policyAssignmentId": { "value": "[parameters('policyAssignmentId')]" @@ -503,12 +518,13 @@ }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.30.23.60470", - "templateHash": "6225706394162525731" + "templateHash": "15838967744771621484" }, "name": "Policy Exemptions (Resource Group scope)", "description": "This module deploys a policy exemption at a Resource Group scope.", @@ -524,6 +540,7 @@ }, "assignmentScopeValidation": { "type": "string", + "defaultValue": "Default", "allowedValues": [ "DoNotValidate", "Default" 
@@ -559,8 +576,9 @@ }, "expiresOn": { "type": "string", - "minLength": 32, - "maxLength": 32, + "nullable": true, + "minLength": 20, + "maxLength": 20, "metadata": { "description": "Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption." } @@ -593,8 +611,8 @@ } } }, - "resources": [ - { + "resources": { + "policyExemption": { "type": "Microsoft.Authorization/policyExemptions", "apiVersion": "2022-07-01-preview", "name": "[parameters('name')]", @@ -610,7 +628,7 @@ "resourceSelectors": "[if(not(empty(parameters('resourceSelectors'))), parameters('resourceSelectors'), null())]" } } - ], + }, "outputs": { "name": { "type": "string", 
@@ -630,21 +648,21 @@ } } } - ], + }, "outputs": { "name": { "type": "string", "metadata": { "description": "Policy Exemption Name." }, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value))]" + "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference('policyExemption_mg').outputs.name.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference('policyExemption_sub').outputs.name.value, reference('policyExemption_rg').outputs.name.value))]" }, "resourceId": { "type": "string", "metadata": { "description": "Policy Exemption resource ID." 
}, - "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference(extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', parameters('managementGroupId')), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-MG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference(subscriptionResourceId(parameters('subscriptionId'), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-Sub-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value, reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('subscriptionId'), parameters('resourceGroupName')), 'Microsoft.Resources/deployments', format('{0}-PolicyExemption-RG-Module', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value))]" + "value": "[if(and(empty(parameters('subscriptionId')), empty(parameters('resourceGroupName'))), reference('policyExemption_mg').outputs.resourceId.value, if(and(not(empty(parameters('subscriptionId'))), empty(parameters('resourceGroupName'))), reference('policyExemption_sub').outputs.resourceId.value, reference('policyExemption_rg').outputs.resourceId.value))]" } } } \ No newline at end of file From ee27eaa9342653637c3a37482157e71e0afe61fc Mon Sep 17 00:00:00 2001 
From: Zach Trocinski
Date: Tue, 15 Oct 2024 21:03:49 -0500
Subject: [PATCH 04/18] Added applicable tests
---
 .../authorization/policy-exemption/README.md | 456 +++++++++++++++---
 .../authorization/policy-exemption/main.bicep | 1 +
 .../tests/e2e/mg.defaults/main.test.bicep | 14 +-
 .../tests/e2e/mg.max/main.test.bicep | 54 ++-
 .../tests/e2e/rg.defaults/main.test.bicep | 44 +-
 .../tests/e2e/rg.max/main.test.bicep | 70 ++-
 .../tests/e2e/sub.defaults/main.test.bicep | 28 +-
 .../tests/e2e/sub.max/main.test.bicep | 57 ++-
 8 files changed, 561 insertions(+), 163 deletions(-)
diff --git a/avm/ptn/authorization/policy-exemption/README.md b/avm/ptn/authorization/policy-exemption/README.md
index 95b1356c5b..f2050e568b 100644
--- a/avm/ptn/authorization/policy-exemption/README.md
+++ b/avm/ptn/authorization/policy-exemption/README.md
@@ -25,12 +25,11 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/authorization/policy-exemption:`.
 - [Policy Exemptions (Management Group scope)](#example-1-policy-exemptions-management-group-scope)
-- [Policy Assignments (Management Group scope)](#example-2-policy-assignments-management-group-scope)
-- [Policy Assignments (Resource Group)](#example-3-policy-assignments-resource-group)
-- [Policy Assignments (Resource Group)](#example-4-policy-assignments-resource-group)
-- [Policy Assignments (Subscription)](#example-5-policy-assignments-subscription)
-- [Policy Assignments (Subscription)](#example-6-policy-assignments-subscription)
-- [Waf-Aligned](#example-7-waf-aligned)
+- [Policy Exemptions (Management Group scope)](#example-2-policy-exemptions-management-group-scope)
+- [Policy Exemption (Resource Group)](#example-3-policy-exemption-resource-group)
+- [Policy Exemption (Resource Group)](#example-4-policy-exemption-resource-group)
+- [Policy Exemption (Subscription)](#example-5-policy-exemption-subscription)
+- [Policy Exemption (Subscription)](#example-6-policy-exemption-subscription)
 ### Example 1: _Policy Exemptions (Management Group scope)_
@@ -98,9 +97,9 @@ param policyAssignmentId = ''

-### Example 2: _Policy Assignments (Management Group scope)_
+### Example 2: _Policy Exemptions (Management Group scope)_
-This module deploys a Policy Assignment at a Management Group scope using common parameters.
+This module deploys a Policy Exemption at a Management Group scope using common parameters.

@@ -115,6 +114,37 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' + // Non-required parameters + assignmentScopeValidation: 'Default' + description: '[Description] Policy Exemption at the management group scope' + displayName: '[DisplayName] Policy Exemption at the management group scope' + enableTelemetry: true + expiresOn: '2024-11-14T20:46:13Z' + location: '' + managementGroupId: 'alz-landingzones' + metadata: { + assignedBy: 'Bicep' + category: 'Security' + } + resourceSelectors: [ + { + name: 'resourceSelector-test' + selectors: [ + { + in: [ + 'Microsoft.Compute/virtualMachines' + ] + kind: 'resourceType' + } + { + in: [ + 'westeurope' + ] + kind: 'resourceLocation' + } + ] + } + ] } } ``` @@ -140,6 +170,55 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" + }, + // Non-required parameters + "assignmentScopeValidation": { + "value": "Default" + }, + "description": { + "value": "[Description] Policy Exemption at the management group scope" + }, + "displayName": { + "value": "[DisplayName] Policy Exemption at the management group scope" + }, + "enableTelemetry": { + "value": true + }, + "expiresOn": { + "value": "2024-11-14T20:46:13Z" + }, + "location": { + "value": "" + }, + "managementGroupId": { + "value": "alz-landingzones" + }, + "metadata": { + "value": { + "assignedBy": "Bicep", + "category": "Security" + } + }, + "resourceSelectors": { + "value": [ + { + "name": "resourceSelector-test", + "selectors": [ + { + "in": [ + "Microsoft.Compute/virtualMachines" + ], + "kind": "resourceType" + }, + { + "in": [ + "westeurope" + ], + "kind": "resourceLocation" + } + ] + } + ] } } } 
@@ -159,14 +238,45 @@ using 'br/public:avm/ptn/authorization/policy-exemption:' param exemptionCategory = 'Mitigated' param name = 'apemgmax001' param policyAssignmentId = '' +// Non-required parameters +param assignmentScopeValidation = 'Default' +param description = '[Description] Policy Exemption at the management group scope' +param displayName = '[DisplayName] Policy Exemption at the management group scope' +param enableTelemetry = true +param expiresOn = '2024-11-14T20:46:13Z' +param location = '' +param managementGroupId = 'alz-landingzones' +param metadata = { + assignedBy: 'Bicep' + category: 'Security' +} +param resourceSelectors = [ + { + name: 'resourceSelector-test' + selectors: [ + { + in: [ + 'Microsoft.Compute/virtualMachines' + ] + kind: 'resourceType' + } + { + in: [ + 'westeurope' + ] + kind: 'resourceLocation' + } + ] + } +] ```

-### Example 3: _Policy Assignments (Resource Group)_
+### Example 3: _Policy Exemption (Resource Group)_
-This module deploys a Policy Assignment at a Resource Group scope using minimal parameters.
+This module deploys a Policy Exemption at a Resource Group scope using minimal parameters.

@@ -179,8 +289,11 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' + // Non-required parameters + resourceGroupName: '' + subscriptionId: '' } } ``` @@ -202,10 +315,17 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" + }, + // Non-required parameters + "resourceGroupName": { + "value": "" + }, + "subscriptionId": { + "value": "" } } } @@ -223,16 +343,19 @@ using 'br/public:avm/ptn/authorization/policy-exemption:' // Required parameters param exemptionCategory = 'Mitigated' -param name = 'apergmin001' +param name = 'apesubmin001' param policyAssignmentId = '' +// Non-required parameters +param resourceGroupName = '' +param subscriptionId = '' ```

-### Example 4: _Policy Assignments (Resource Group)_
+### Example 4: _Policy Exemption (Resource Group)_
-This module deploys a Policy Assignment at a Resource Group scope using common parameters.
+This module deploys a Policy Exemption at a Resource Group scope using common parameters.

@@ -245,8 +368,40 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' + // Non-required parameters + assignmentScopeValidation: 'Default' + description: '[Description] Policy Exemption at the management group scope' + displayName: '[DisplayName] Policy Exemption at the management group scope' + enableTelemetry: true + expiresOn: '2024-11-14T20:46:13Z' + location: '' + metadata: { + assignedBy: 'Bicep' + category: 'Security' + } + resourceGroupName: '' + resourceSelectors: [ + { + name: 'resourceSelector-test' + selectors: [ + { + in: [ + 'Microsoft.Compute/virtualMachines' + ] + kind: 'resourceType' + } + { + in: [ + 'westeurope' + ] + kind: 'resourceLocation' + } + ] + } + ] + subscriptionId: '' } } ``` @@ -268,10 +423,62 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" + }, + // Non-required parameters + "assignmentScopeValidation": { + "value": "Default" + }, + "description": { + "value": "[Description] Policy Exemption at the management group scope" + }, + "displayName": { + "value": "[DisplayName] Policy Exemption at the management group scope" + }, + "enableTelemetry": { + "value": true + }, + "expiresOn": { + "value": "2024-11-14T20:46:13Z" + }, + "location": { + "value": "" + }, + "metadata": { + "value": { + "assignedBy": "Bicep", + "category": "Security" + } + }, + "resourceGroupName": { + "value": "" + }, + "resourceSelectors": { + "value": [ + { + "name": "resourceSelector-test", + "selectors": [ + { + "in": [ + "Microsoft.Compute/virtualMachines" + ], + "kind": "resourceType" + }, + { + "in": [ + "westeurope" + ], + "kind": "resourceLocation" + } + ] + } + ] + }, + "subscriptionId": { + "value": "" } } } 
@@ -289,16 +496,48 @@ using 'br/public:avm/ptn/authorization/policy-exemption:' // Required parameters param exemptionCategory = 'Mitigated' -param name = 'apergmax001' +param name = 'apesubmin001' param policyAssignmentId = '' +// Non-required parameters +param assignmentScopeValidation = 'Default' +param description = '[Description] Policy Exemption at the management group scope' +param displayName = '[DisplayName] Policy Exemption at the management group scope' +param enableTelemetry = true +param expiresOn = '2024-11-14T20:46:13Z' +param location = '' +param metadata = { + assignedBy: 'Bicep' + category: 'Security' +} +param resourceGroupName = '' +param resourceSelectors = [ + { + name: 'resourceSelector-test' + selectors: [ + { + in: [ + 'Microsoft.Compute/virtualMachines' + ] + kind: 'resourceType' + } + { + in: [ + 'westeurope' + ] + kind: 'resourceLocation' + } + ] + } +] +param subscriptionId = '' ```

-### Example 5: _Policy Assignments (Subscription)_
+### Example 5: _Policy Exemption (Subscription)_
-This module deploys a Policy Assignment at a Subscription scope using common parameters.
+This module deploys a Policy Exemption at a Subscription scope using minimal parameters.

@@ -313,6 +552,8 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' + // Non-required parameters + subscriptionId: '' } } ``` @@ -338,6 +579,10 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" + }, + // Non-required parameters + "subscriptionId": { + "value": "" } } } @@ -357,14 +602,16 @@ using 'br/public:avm/ptn/authorization/policy-exemption:' param exemptionCategory = 'Mitigated' param name = 'apesubmin001' param policyAssignmentId = '' +// Non-required parameters +param subscriptionId = '' ```

-### Example 6: _Policy Assignments (Subscription)_
+### Example 6: _Policy Exemption (Subscription)_
-This module deploys a Policy Assignment at a Subscription scope using common parameters.
+This module deploys a Policy Exemption at a Subscription scope using common parameters.

@@ -379,6 +626,37 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' + // Non-required parameters + assignmentScopeValidation: 'Default' + description: '[Description] Policy Exemption at the management group scope' + displayName: '[DisplayName] Policy Exemption at the management group scope' + enableTelemetry: true + expiresOn: '2024-11-14T20:46:13Z' + location: '' + metadata: { + assignedBy: 'Bicep' + category: 'Security' + } + resourceSelectors: [ + { + name: 'resourceSelector-test' + selectors: [ + { + in: [ + 'Microsoft.Compute/virtualMachines' + ] + kind: 'resourceType' + } + { + in: [ + 'westeurope' + ] + kind: 'resourceLocation' + } + ] + } + ] + subscriptionId: '' } } ``` @@ -404,6 +682,55 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" + }, + // Non-required parameters + "assignmentScopeValidation": { + "value": "Default" + }, + "description": { + "value": "[Description] Policy Exemption at the management group scope" + }, + "displayName": { + "value": "[DisplayName] Policy Exemption at the management group scope" + }, + "enableTelemetry": { + "value": true + }, + "expiresOn": { + "value": "2024-11-14T20:46:13Z" + }, + "location": { + "value": "" + }, + "metadata": { + "value": { + "assignedBy": "Bicep", + "category": "Security" + } + }, + "resourceSelectors": { + "value": [ + { + "name": "resourceSelector-test", + "selectors": [ + { + "in": [ + "Microsoft.Compute/virtualMachines" + ], + "kind": "resourceType" + }, + { + "in": [ + "westeurope" + ], + "kind": "resourceLocation" + } + ] + } + ] + }, + "subscriptionId": { + "value": "" } } } @@ -423,64 +750,37 @@ using 'br/public:avm/ptn/authorization/policy-exemption:' param exemptionCategory = 'Mitigated' param name = 'apesubmax001' param policyAssignmentId = '' -``` - -
-

- -### Example 7: _Waf-Aligned_ - -

- -via Bicep module - -```bicep -module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' = { - name: 'policyExemptionDeployment' - params: { - // Required parameters - name: 'apewaf001' - location: '' - } +// Non-required parameters +param assignmentScopeValidation = 'Default' +param description = '[Description] Policy Exemption at the management group scope' +param displayName = '[DisplayName] Policy Exemption at the management group scope' +param enableTelemetry = true +param expiresOn = '2024-11-14T20:46:13Z' +param location = '' +param metadata = { + assignedBy: 'Bicep' + category: 'Security' } -``` - -
-

- -

- -via JSON parameters file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - // Required parameters - "name": { - "value": "apewaf001" - }, - "location": { - "value": "" - } +param resourceSelectors = [ + { + name: 'resourceSelector-test' + selectors: [ + { + in: [ + 'Microsoft.Compute/virtualMachines' + ] + kind: 'resourceType' + } + { + in: [ + 'westeurope' + ] + kind: 'resourceLocation' + } + ] } -} -``` - -
-

- -

- -via Bicep parameters file - -```bicep-params -using 'br/public:avm/ptn/authorization/policy-exemption:' - -// Required parameters -param name = 'apewaf001' -param location = '' +] +param subscriptionId = '' ```
diff --git a/avm/ptn/authorization/policy-exemption/main.bicep b/avm/ptn/authorization/policy-exemption/main.bicep index b1b2bf747b..9cd6cc4100 100644 --- a/avm/ptn/authorization/policy-exemption/main.bicep +++ b/avm/ptn/authorization/policy-exemption/main.bicep @@ -57,6 +57,7 @@ param resourceGroupName string = '' @sys.description('Optional. Location for all Resources.') param location string = deployment().location + @sys.description('Optional. Enable/Disable usage telemetry for module.') param enableTelemetry bool = true diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep index 1e178ac60a..cb4cd23374 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep @@ -6,15 +6,9 @@ metadata description = 'This module deploys a Policy Exemption at a Management G // Parameters // // ========== // -@description('Required. The name of the policy assignment to deploy.') -param policyAssignmentName string = 'audit-vm-managed-disks' - @description('Required. The policy definition ID to assign the policy to.') param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' -@description('Optional. The display name of the policy.') -param policyDisplayName string = 'Audit VM managed disks' - @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'apemgmin' 
@@ -28,13 +22,13 @@ param resourceLocation string = deployment().location // Test Execution // // ============== // -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = { - name: policyAssignmentName +resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-05-01' = { + name: 'audit-vm-managed-disks' scope: managementGroup() properties: { policyDefinitionId: policyDefinitionID - description: 'Policy assignment to resource group scope created with Bicep file' - displayName: policyDisplayName + description: ' This policy audits VMs that do not use managed disks' + displayName: 'Audit VMs that do not use managed disks' enforcementMode: 'DoNotEnforce' nonComplianceMessages: [ { diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep index fe84f51e4a..c3d5f22918 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep 
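Review bot: The assignment name is now the fixed literal `name: 'audit-vm-managed-disks'` at `scope: managementGroup()`, and the same literal is written into every other test file of this patch at the same scope, so test cases that run concurrently against one management group will create, overwrite and remove a single shared assignment; the previous `policyAssignmentName` parameter at least allowed the pipeline to vary it. Deriving the name from the test identity, e.g. `name: '${namePrefix}${serviceShort}-audit-vm-managed-disks'`, keeps the six deployments from racing on one resource. The new `description: ' This policy audits VMs that do not use managed disks'` also carries a leading space that ends up on the deployed assignment. The `resource policyAssignment` declaration continues past the end of this hunk.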
@@ -1,26 +1,20 @@ targetScope = 'managementGroup' -metadata name = 'Policy Assignments (Management Group scope)' -metadata description = 'This module deploys a Policy Assignment at a Management Group scope using common parameters.' +metadata name = 'Policy Exemptions (Management Group scope)' +metadata description = 'This module deploys a Policy Exemption at a Management Group scope using common parameters.' // ========== // // Parameters // // ========== // -@description('Optional. The name of the management group to deploy for testing purposes.') -param policyAssignmentName string = 'audit-vm-managed-disks' - -@description('Optional. The policy definition ID to assign the policy to.') -param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' - -@description('Optional. The display name of the policy.') -param policyDisplayName string = 'Audit VM managed disks' - @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'apemgmax' @description('Optional. A token to inject into the name of each resource.') param namePrefix string = '#_namePrefix_#' +@description('Required. The policy definition ID to assign the policy to.') +param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' + @description('Optional. The location to deploy resources to.') param resourceLocation string = deployment().location 
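Review bot: The re-added parameter is documented as `@description('Required. The policy definition ID to assign the policy to.')` yet is given a default value, which contradicts the annotation and the sibling test files in this patch, which describe the same parameter as `Optional.`. Either drop the default or change the annotation to `@description('Optional. The policy definition ID to assign the policy to.')` so the generated parameter table stays consistent across the six tests. Note that the file's metadata now describes a "Policy Exemption" test while the parameter still talks about assigning a policy; a short comment such as `// Policy assignment the exemption under test is bound to` above the declaration would remove the ambiguity.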
@@ -28,13 +22,13 @@ param resourceLocation string = deployment().location // Test Execution // // ============== // -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = { - name: policyAssignmentName +resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-05-01' = { + name: 'audit-vm-managed-disks' scope: managementGroup() properties: { policyDefinitionId: policyDefinitionID - description: 'Policy assignment to resource group scope created with Bicep file' - displayName: policyDisplayName + description: ' This policy audits VMs that do not use managed disks' + displayName: 'Audit VMs that do not use managed disks' enforcementMode: 'DoNotEnforce' nonComplianceMessages: [ { @@ -50,5 +44,35 @@ module testDeployment '../../../main.bicep' = { name: '${namePrefix}${serviceShort}001' exemptionCategory: 'Mitigated' policyAssignmentId: policyAssignment.id + assignmentScopeValidation: 'Default' + description: '[Description] Policy Exemption at the management group scope' + displayName: '[DisplayName] Policy Exemption at the management group scope' + enableTelemetry: true + expiresOn: '2024-11-14T20:46:13Z' + location: resourceLocation + managementGroupId: 'alz-landingzones' + metadata: { + category: 'Security' + assignedBy: 'Bicep' + } + resourceSelectors: [ + { + name: 'resourceSelector-test' + selectors: [ + { + kind: 'resourceType' + in: [ + 'Microsoft.Compute/virtualMachines' + ] + } + { + kind: 'resourceLocation' + in: [ + 'westeurope' + ] + } + ] + } + ] } } diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep index 310bd7b10e..cc7c13fc9e 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep 
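Review bot: `managementGroupId: 'alz-landingzones'` hard-codes the exemption's target to a management group that this test never creates and that is unrelated to the `managementGroup()` the assignment is deployed into, so the deployment either fails in any tenant without that group or places the exemption — an object that switches enforcement off — somewhere other than where the assignment lives, while the subscription and resource-group tests take their target from a tokenised parameter. Pass the deployment's own scope, `managementGroupId: managementGroup().name`, or tokenise it like `subscriptionId`. `expiresOn: '2024-11-14T20:46:13Z'` is a fixed timestamp that is already in the past for the later commits of this series (the CODEOWNERS fix is dated 12 Dec 2024); whether or not the service accepts a past date, the test then no longer validates a live exemption, so derive it instead, e.g. `param baseTime string = utcNow('u')` and `expiresOn: dateTimeAdd(baseTime, 'P30D')`. The `module testDeployment` declaration starts before this hunk.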
@@ -1,25 +1,26 @@ targetScope = 'managementGroup' -metadata name = 'Policy Assignments (Resource Group)' -metadata description = 'This module deploys a Policy Assignment at a Resource Group scope using minimal parameters.' +metadata name = 'Policy Exemption (Resource Group)' +metadata description = 'This module deploys a Policy Exemption at a Resource Group scope using minimal parameters.' // ========== // // Parameters // // ========== // -@description('Optional. The name of the management group to deploy for testing purposes.') -param policyAssignmentName string = 'audit-vm-managed-disks' +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'apesubmin' + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '#_namePrefix_#' @description('Optional. The policy definition ID to assign the policy to.') param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' -@description('Optional. The display name of the policy.') -param policyDisplayName string = 'Audit VM managed disks' +@description('Optional. The target scope for the policy exemption. If not provided, will use the current scope for deployment.') +param subscriptionId string = '#_subscriptionId_#' -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'apergmin' - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '#_namePrefix_#' +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-authorization.policyassignments-${serviceShort}-rg' @description('Optional. 
The location to deploy resources to.') param resourceLocation string = deployment().location @@ -28,13 +29,23 @@ param resourceLocation string = deployment().location // Test Execution // // ============== // -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = { - name: policyAssignmentName +module resourceGroup 'br/public:avm/res/resources/resource-group:0.2.3' = { + scope: subscription('${subscriptionId}') + name: '${uniqueString(deployment().name, resourceLocation)}-resourceGroup' + params: { + name: resourceGroupName + location: resourceLocation + } +} + + +resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-05-01' = { + name: 'audit-vm-managed-disks' scope: managementGroup() properties: { policyDefinitionId: policyDefinitionID - description: 'Policy assignment to resource group scope created with Bicep file' - displayName: policyDisplayName + description: ' This policy audits VMs that do not use managed disks' + displayName: 'Audit VMs that do not use managed disks' enforcementMode: 'DoNotEnforce' nonComplianceMessages: [ { @@ -49,6 +60,9 @@ module testDeployment '../../../main.bicep' = { params: { name: '${namePrefix}${serviceShort}001' exemptionCategory: 'Mitigated' + subscriptionId: subscriptionId + resourceGroupName: resourceGroup.outputs.name policyAssignmentId: policyAssignment.id } } + diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep index c7131004a2..e3e57b297b 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep 
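Review bot: The dependency resource group default `'dep-${namePrefix}-authorization.policyassignments-${serviceShort}-rg'` still carries the name of the policy-assignment module it was copied from, which makes the leftover groups of this module's tests indistinguishable from that module's when cleaning up a shared test subscription; `'dep-${namePrefix}-authorization.policyexemptions-${serviceShort}-rg'` attributes them correctly. In the new `module resourceGroup`, `scope: subscription('${subscriptionId}')` wraps a plain string in an interpolation for no effect and reads as if a composite value were expected; `scope: subscription(subscriptionId)` is the equivalent. The `subscriptionId` description says the current scope is used "if not provided", but the default is the pipeline token `'#_subscriptionId_#'`, so that fallback never happens in this test — the description should say the value is injected by the pipeline.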
@@ -1,25 +1,26 @@ targetScope = 'managementGroup' -metadata name = 'Policy Assignments (Resource Group)' -metadata description = 'This module deploys a Policy Assignment at a Resource Group scope using common parameters.' +metadata name = 'Policy Exemption (Resource Group)' +metadata description = 'This module deploys a Policy Exemption at a Resource Group scope using common parameters.' // ========== // // Parameters // // ========== // -@description('Optional. The name of the management group to deploy for testing purposes.') -param policyAssignmentName string = 'audit-vm-managed-disks' +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'apesubmin' + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '#_namePrefix_#' @description('Optional. The policy definition ID to assign the policy to.') param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' -@description('Optional. The display name of the policy.') -param policyDisplayName string = 'Audit VM managed disks' +@description('Optional. The target scope for the policy exemption. If not provided, will use the current scope for deployment.') +param subscriptionId string = '#_subscriptionId_#' -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'apergmax' - -@description('Optional. A token to inject into the name of each resource.') -param namePrefix string = '#_namePrefix_#' +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-authorization.policyassignments-${serviceShort}-rg' @description('Optional. 
The location to deploy resources to.') param resourceLocation string = deployment().location @@ -27,14 +28,22 @@ param resourceLocation string = deployment().location // ============== // // Test Execution // // ============== // +module resourceGroup 'br/public:avm/res/resources/resource-group:0.2.3' = { + scope: subscription('${subscriptionId}') + name: '${uniqueString(deployment().name, resourceLocation)}-resourceGroup' + params: { + name: resourceGroupName + location: resourceLocation + } +} -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = { - name: policyAssignmentName +resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-05-01' = { + name: 'audit-vm-managed-disks' scope: managementGroup() properties: { policyDefinitionId: policyDefinitionID - description: 'Policy assignment to resource group scope created with Bicep file' - displayName: policyDisplayName + description: ' This policy audits VMs that do not use managed disks' + displayName: 'Audit VMs that do not use managed disks' enforcementMode: 'DoNotEnforce' nonComplianceMessages: [ { @@ -50,5 +59,36 @@ module testDeployment '../../../main.bicep' = { name: '${namePrefix}${serviceShort}001' exemptionCategory: 'Mitigated' policyAssignmentId: policyAssignment.id + assignmentScopeValidation: 'Default' + description: '[Description] Policy Exemption at the management group scope' + displayName: '[DisplayName] Policy Exemption at the management group scope' + enableTelemetry: true + expiresOn: '2024-11-14T20:46:13Z' + location: resourceLocation + subscriptionId: subscriptionId + resourceGroupName: resourceGroup.outputs.name + metadata: { + category: 'Security' + assignedBy: 'Bicep' + } + resourceSelectors: [ + { + name: 'resourceSelector-test' + selectors: [ + { + kind: 'resourceType' + in: [ + 'Microsoft.Compute/virtualMachines' + ] + } + { + kind: 'resourceLocation' + in: [ + 'westeurope' + ] + } + ] + } + ] } } 
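Review bot: `description: '[Description] Policy Exemption at the management group scope'` and the matching `displayName` were copied from the management-group test into this resource-group test, and they are the values written onto the deployed exemption and reproduced in the README examples, so anyone auditing exemptions in the portal would read the wrong scope for this object. Change both to `'... Policy Exemption at the resource group scope'`. As in the other max tests, `expiresOn: '2024-11-14T20:46:13Z'` is a fixed date that has already passed by the later commits in this series, so the exemption under test is created expired; computing it from `utcNow('u')` in a parameter default keeps the test meaningful. The `module testDeployment` declaration starts before this hunk.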
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep index b82d665094..b46c006869 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep 
@@ -1,26 +1,23 @@ targetScope = 'managementGroup' -metadata name = 'Policy Assignments (Subscription)' -metadata description = 'This module deploys a Policy Assignment at a Subscription scope using common parameters.' +metadata name = 'Policy Exemption (Subscription)' +metadata description = 'This module deploys a Policy Exemption at a Subscription scope using minimal parameters.' // ========== // // Parameters // // ========== // -@description('Optional. The name of the management group to deploy for testing purposes.') -param policyAssignmentName string = 'audit-vm-managed-disks' - -@description('Optional. The policy definition ID to assign the policy to.') -param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' - -@description('Optional. The display name of the policy.') -param policyDisplayName string = 'Audit VM managed disks' - @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'apesubmin' @description('Optional. A token to inject into the name of each resource.') param namePrefix string = '#_namePrefix_#' +@description('Optional. The policy definition ID to assign the policy to.') +param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' + +@description('Optional. The target Scope for the policy exemption. If not provided, will use the current scope for deployment.') +param subscriptionId string = '#_subscriptionId_#' + @description('Optional. The location to deploy resources to.') param resourceLocation string = deployment().location 
@@ -28,13 +25,13 @@ param resourceLocation string = deployment().location // Test Execution // // ============== // -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = { - name: policyAssignmentName +resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-05-01' = { + name: 'audit-vm-managed-disks' scope: managementGroup() properties: { policyDefinitionId: policyDefinitionID - description: 'Policy assignment to resource group scope created with Bicep file' - displayName: policyDisplayName + description: ' This policy audits VMs that do not use managed disks' + displayName: 'Audit VMs that do not use managed disks' enforcementMode: 'DoNotEnforce' nonComplianceMessages: [ { @@ -49,6 +46,7 @@ module testDeployment '../../../main.bicep' = { params: { name: '${namePrefix}${serviceShort}001' exemptionCategory: 'Mitigated' + subscriptionId: subscriptionId policyAssignmentId: policyAssignment.id } } diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep index 57581c355a..9072ddcd2b 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep 
@@ -1,26 +1,23 @@ targetScope = 'managementGroup' -metadata name = 'Policy Assignments (Subscription)' -metadata description = 'This module deploys a Policy Assignment at a Subscription scope using common parameters.' +metadata name = 'Policy Exemption (Subscription)' +metadata description = 'This module deploys a Policy Exemption at a Subscription scope using common parameters.' // ========== // // Parameters // // ========== // -@description('Optional. The name of the management group to deploy for testing purposes.') -param policyAssignmentName string = 'audit-vm-managed-disks' - -@description('Optional. The policy definition ID to assign the policy to.') -param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' - -@description('Optional. The display name of the policy.') -param policyDisplayName string = 'Audit VM managed disks' - @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'apesubmax' @description('Optional. A token to inject into the name of each resource.') param namePrefix string = '#_namePrefix_#' +@description('Optional. The policy definition ID to assign the policy to.') +param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' + +@description('Optional. The target Scope for the policy exemption. If not provided, will use the current scope for deployment.') +param subscriptionId string = '#_subscriptionId_#' + @description('Optional. The location to deploy resources to.') param resourceLocation string = deployment().location 
@@ -28,13 +25,13 @@ param resourceLocation string = deployment().location // Test Execution // // ============== // -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = { - name: policyAssignmentName +resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-05-01' = { + name: 'audit-vm-managed-disks' scope: managementGroup() properties: { policyDefinitionId: policyDefinitionID - description: 'Policy assignment to resource group scope created with Bicep file' - displayName: policyDisplayName + description: ' This policy audits VMs that do not use managed disks' + displayName: 'Audit VMs that do not use managed disks' enforcementMode: 'DoNotEnforce' nonComplianceMessages: [ { @@ -49,6 +46,36 @@ module testDeployment '../../../main.bicep' = { params: { name: '${namePrefix}${serviceShort}001' exemptionCategory: 'Mitigated' + subscriptionId: subscriptionId policyAssignmentId: policyAssignment.id + assignmentScopeValidation: 'Default' + description: '[Description] Policy Exemption at the management group scope' + displayName: '[DisplayName] Policy Exemption at the management group scope' + enableTelemetry: true + expiresOn: '2024-11-14T20:46:13Z' + location: resourceLocation + metadata: { + category: 'Security' + assignedBy: 'Bicep' + } + resourceSelectors: [ + { + name: 'resourceSelector-test' + selectors: [ + { + kind: 'resourceType' + in: [ + 'Microsoft.Compute/virtualMachines' + ] + } + { + kind: 'resourceLocation' + in: [ + 'westeurope' + ] + } + ] + } + ] } } From fac0f3cac1f03fa0c4039c841f6be0ed7abeff99 Mon Sep 17 00:00:00 2001 
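Review bot: The subscription-scope test sets `description: '[Description] Policy Exemption at the management group scope'` and the same `displayName`, copied from the management-group test, so the exemption it deploys — and the README example generated from it — describe the wrong scope. Change both to `'... Policy Exemption at the subscription scope'`. The selector `in: [ 'westeurope' ]` under `kind: 'resourceLocation'` is independent of `resourceLocation`, which is fine for exercising the parameter shape, but a one-line comment such as `// Selector values are illustrative; they need not match resourceLocation` would stop a reader from assuming they are tied. The `module testDeployment` declaration starts before this hunk.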
From: Zach Trocinski Date: Tue, 15 Oct 2024 21:09:56 -0500 Subject: [PATCH 05/18] Revert to older api version for policy assignments --- .../policy-exemption/tests/e2e/mg.defaults/main.test.bicep | 2 +- .../policy-exemption/tests/e2e/mg.max/main.test.bicep | 2 +- .../policy-exemption/tests/e2e/rg.defaults/main.test.bicep | 2 +- .../policy-exemption/tests/e2e/rg.max/main.test.bicep | 2 +- .../policy-exemption/tests/e2e/sub.defaults/main.test.bicep | 2 +- .../policy-exemption/tests/e2e/sub.max/main.test.bicep | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep index cb4cd23374..12173f151e 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep @@ -22,7 +22,7 @@ param resourceLocation string = deployment().location // Test Execution // // ============== // -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-05-01' = { +resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: 'audit-vm-managed-disks' scope: managementGroup() properties: { diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep index c3d5f22918..cba82825b6 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep 
@@ -22,7 +22,7 @@ param resourceLocation string = deployment().location // Test Execution // // ============== // -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-05-01' = { +resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: 'audit-vm-managed-disks' scope: managementGroup() properties: { diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep index cc7c13fc9e..3a771509fc 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep @@ -39,7 +39,7 @@ module resourceGroup 'br/public:avm/res/resources/resource-group:0.2.3' = { } -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-05-01' = { +resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: 'audit-vm-managed-disks' scope: managementGroup() properties: { diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep index e3e57b297b..7fef0b8541 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep @@ -37,7 +37,7 @@ module resourceGroup 'br/public:avm/res/resources/resource-group:0.2.3' = { } } -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-05-01' = { +resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: 'audit-vm-managed-disks' scope: managementGroup() properties: { diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep index b46c006869..a933d3c242 100644 
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep @@ -25,7 +25,7 @@ param resourceLocation string = deployment().location // Test Execution // // ============== // -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-05-01' = { +resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: 'audit-vm-managed-disks' scope: managementGroup() properties: { diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep index 9072ddcd2b..911c58c4de 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep @@ -25,7 +25,7 @@ param resourceLocation string = deployment().location // Test Execution // // ============== // -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-05-01' = { +resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: 'audit-vm-managed-disks' scope: managementGroup() properties: { From fcff334a3eec6ffc08957a936346e36297d9ad99 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Tue, 15 Oct 2024 21:15:07 -0500 Subject: [PATCH 06/18] Fix serviceshort names --- avm/ptn/authorization/policy-exemption/README.md | 12 ++++++------ .../tests/e2e/rg.defaults/main.test.bicep | 2 +- .../tests/e2e/rg.max/main.test.bicep | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/avm/ptn/authorization/policy-exemption/README.md b/avm/ptn/authorization/policy-exemption/README.md index f2050e568b..2afbde766f 100644 --- a/avm/ptn/authorization/policy-exemption/README.md +++ b/avm/ptn/authorization/policy-exemption/README.md 
@@ -289,7 +289,7 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' // Non-required parameters resourceGroupName: '' @@ -315,7 +315,7 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" @@ -343,7 +343,7 @@ using 'br/public:avm/ptn/authorization/policy-exemption:' // Required parameters param exemptionCategory = 'Mitigated' -param name = 'apesubmin001' +param name = 'apergmin001' param policyAssignmentId = '' // Non-required parameters param resourceGroupName = '' @@ -368,7 +368,7 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' // Non-required parameters assignmentScopeValidation: 'Default' @@ -423,7 +423,7 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" @@ -496,7 +496,7 @@ using 'br/public:avm/ptn/authorization/policy-exemption:' // Required parameters param exemptionCategory = 'Mitigated' -param name = 'apesubmin001' +param name = 'apergmax001' param policyAssignmentId = '' // Non-required parameters param assignmentScopeValidation = 'Default' diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep index 3a771509fc..20b5eb8a03 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep @@ -7,7 +7,7 @@ metadata description = 'This module deploys a Policy Exemption at a Resource Gro // ========== // @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'apesubmin' +param serviceShort string = 'apergmin' @description('Optional. A token to inject into the name of each resource.') param namePrefix string = '#_namePrefix_#' 
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep index 7fef0b8541..97e73398ea 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep @@ -7,7 +7,7 @@ metadata description = 'This module deploys a Policy Exemption at a Resource Gro // ========== // @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'apesubmin' +param serviceShort string = 'apergmax' @description('Optional. A token to inject into the name of each resource.') param namePrefix string = '#_namePrefix_#' From 23c76817322d0ff66b18417256c932777b2426fe Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Tue, 15 Oct 2024 21:43:28 -0500 Subject: [PATCH 07/18] Add dash for codeowners --- .github/CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 3b416d9ba3..3b19aa72c8 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -6,7 +6,7 @@
 /avm/ptn/aca-lza/hosting-environment/ @Azure/avm-ptn-acalza-hostingenvironment-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/ptn/ai-platform/baseline/ @Azure/avm-ptn-aiplatform-baseline-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/ptn/authorization/policy-assignment/ @Azure/avm-ptn-authorization-policyassignment-module-owners-bicep @Azure/avm-module-reviewers-bicep
-/avm/ptn/authorization/policy-exemption/ @Azure/avm-ptn-authorization-policyexemption-module-owners-bicep @Azure/avm-module-reviewers-bicep
+/avm/ptn/authorization/policy-exemption/ @Azure/avm-ptn-authorization-policy-exemption-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/ptn/authorization/resource-role-assignment/ @Azure/avm-ptn-authorization-resourceroleassignment-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/ptn/authorization/role-assignment/ @Azure/avm-ptn-authorization-roleassignment-module-owners-bicep @Azure/avm-module-reviewers-bicep
 #/avm/ptn/avd-lza/insights/ @Azure/avm-ptn-avd-lza-insights-module-owners-bicep @Azure/avm-module-reviewers-bicep
From 6c08b1a9f99c04f644eecbb770f4f8f11c87765d Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Fri, 8 Nov 2024 11:41:03 -0600
Subject: [PATCH 08/18] sync main.json
---
 avm/ptn/authorization/policy-exemption/main.json | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/avm/ptn/authorization/policy-exemption/main.json b/avm/ptn/authorization/policy-exemption/main.json
index c0685a2711..7254f4ba5a 100644
--- a/avm/ptn/authorization/policy-exemption/main.json
+++ b/avm/ptn/authorization/policy-exemption/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "15106257799829448772" + "version": "0.31.34.60546", + "templateHash": "9698601063362201765" }, "name": "Policy Exemptions (All scopes)", "description": "This module deploys a Policy Exemption at a Management Group, Subscription or Resource Group scope.", @@ -191,8 +191,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "8945677207858981388" + "version": "0.31.34.60546", + "templateHash": "7442089928163511887" }, "name": "Policy Exemptions (Management Group scope)", "description": "This module deploys a policy exemption at a Management Group scope.", @@ -357,8 +357,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "15824117815009455792" + "version": "0.31.34.60546", + "templateHash": "12808389810477037615" }, "name": "Policy Exemptions (Subscription scope)", "description": "This module deploys a policy exemption at a Subscription scope.", @@ -523,8 +523,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "15838967744771621484" + "version": "0.31.34.60546", + "templateHash": "17123408262609854269" }, "name": "Policy Exemptions (Resource Group scope)", "description": "This module deploys a policy exemption at a Resource Group scope.", From 4b9359be024cf038f4b37ab057496201e19eb960 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Thu, 12 Dec 2024 11:48:34 -0600 Subject: [PATCH 09/18] Fix team name --- .github/CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index b90e5f2bc6..fbd8f957a5 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -6,7 +6,7 @@
 /avm/ptn/aca-lza/hosting-environment/ @Azure/avm-ptn-acalza-hostingenvironment-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/ptn/ai-platform/baseline/ @Azure/avm-ptn-aiplatform-baseline-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/ptn/authorization/policy-assignment/ @Azure/avm-ptn-authorization-policyassignment-module-owners-bicep @Azure/avm-module-reviewers-bicep
-/avm/ptn/authorization/policy-exemption/ @Azure/avm-ptn-authorization-policy-exemption-module-owners-bicep @Azure/avm-module-reviewers-bicep
+/avm/ptn/authorization/policy-exemption/ @Azure/avm-ptn-authorization-policyexemption-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/ptn/authorization/resource-role-assignment/ @Azure/avm-ptn-authorization-resourceroleassignment-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/ptn/authorization/role-assignment/ @Azure/avm-ptn-authorization-roleassignment-module-owners-bicep @Azure/avm-module-reviewers-bicep
 #/avm/ptn/avd-lza/insights/ @Azure/avm-ptn-avd-lza-insights-module-owners-bicep @Azure/avm-module-reviewers-bicep
From 09a0886474804fec561102e0acfe3acf53d66219 Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Thu, 12 Dec 2024 11:53:26 -0600
Subject: [PATCH 10/18] Update tests to add metadata for policy assignment
---
 .../tests/e2e/mg.defaults/main.test.bicep | 3 ++
 .../tests/e2e/mg.max/main.test.bicep | 3 ++
 .../tests/e2e/rg.defaults/main.test.bicep | 3 ++
 .../tests/e2e/rg.max/main.test.bicep | 3 ++
 .../tests/e2e/sub.defaults/main.test.bicep | 3 ++
 .../tests/e2e/sub.max/main.test.bicep | 3 ++
 .../tests/e2e/waf-aligned/main.test.bicep | 48 +++++++++++++++++++
 7 files changed, 66 insertions(+)
 create mode 100644 avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep
index 12173f151e..3e76cc2478 100644
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep
@@ -26,6 +26,9 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01'
 name: 'audit-vm-managed-disks'
 scope: managementGroup()
 properties: {
+ metadata: {
+ assignedBy: 'Bicep'
+ }
 policyDefinitionId: policyDefinitionID
 description: ' This policy audits VMs that do not use managed disks'
 displayName: 'Audit VMs that do not use managed disks'
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep
index cba82825b6..93ddc8c175 100644
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep
@@ -26,6 +26,9 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01'
 name: 'audit-vm-managed-disks'
 scope: managementGroup()
 properties: {
+ metadata: {
+ assignedBy: 'Bicep'
+ }
 policyDefinitionId: policyDefinitionID
 description: ' This policy audits VMs that do not use managed disks'
 displayName: 'Audit VMs that do not use managed disks'
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep
index 20b5eb8a03..1b6a7447e7 100644
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep
@@ -43,6 +43,9 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01'
 name: 'audit-vm-managed-disks'
 scope: managementGroup()
 properties: {
+ metadata: {
+ assignedBy: 'Bicep'
+ }
 policyDefinitionId: policyDefinitionID
 description: ' This policy audits VMs that do not use managed disks'
 displayName: 'Audit VMs that do not use managed disks'
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep
index 97e73398ea..647665c4a3 100644
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep
@@ -41,6 +41,9 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01'
 name: 'audit-vm-managed-disks'
 scope: managementGroup()
 properties: {
+ metadata: {
+ assignedBy: 'Bicep'
+ }
 policyDefinitionId: policyDefinitionID
 description: ' This policy audits VMs that do not use managed disks'
 displayName: 'Audit VMs that do not use managed disks'
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep
index a933d3c242..53619a3732 100644
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep
@@ -29,6 +29,9 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01'
 name: 'audit-vm-managed-disks'
 scope: managementGroup()
 properties: {
+ metadata: {
+ assignedBy: 'Bicep'
+ }
 policyDefinitionId: policyDefinitionID
 description: ' This policy audits VMs that do not use managed disks'
 displayName: 'Audit VMs that do not use managed disks'
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep
index 911c58c4de..0df3365a2d 100644
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep
@@ -29,6 +29,9 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01'
 name: 'audit-vm-managed-disks'
 scope: managementGroup()
 properties: {
+ metadata: {
+ assignedBy: 'Bicep'
+ }
 policyDefinitionId: policyDefinitionID
 description: ' This policy audits VMs that do not use managed disks'
 displayName: 'Audit VMs that do not use managed disks'
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..295de7aabe
--- /dev/null
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep
@@ -0,0 +1,48 @@ +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +// e.g., for a module 'network/private-endpoint' you could use 'dep-dev-network.privateendpoints-${serviceShort}-rg' +param resourceGroupName string = 'dep-${namePrefix}---${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param resourceLocation string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +// e.g., for a module 'network/private-endpoint' you could use 'npe' as a prefix and then 'waf' as a suffix for the waf-aligned test +param serviceShort string = 'apewaf' + +@description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.') +param namePrefix string = '#_namePrefix_#' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: resourceLocation +} + +// ============== // +// Test Execution // +// ============== // + +@batchSize(1) +module testDeployment '../../../main.bicep' = [ + for iteration in ['init', 'idem']: { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' + params: { + // You parameters go here + name: '${namePrefix}${serviceShort}001' + location: resourceLocation + } + } +] From e868b618b067e918212c8f639b24bcd3aac8b3f6 Mon Sep 17 00:00:00 2001 
From: Zach Trocinski Date: Thu, 12 Dec 2024 11:55:42 -0600 Subject: [PATCH 11/18] Update readme --- avm/ptn/authorization/policy-exemption/README.md | 14 ++++++++++++++ avm/ptn/authorization/policy-exemption/main.json | 16 ++++++++-------- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/avm/ptn/authorization/policy-exemption/README.md b/avm/ptn/authorization/policy-exemption/README.md index 2afbde766f..d36a7fcddf 100644 --- a/avm/ptn/authorization/policy-exemption/README.md +++ b/avm/ptn/authorization/policy-exemption/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Policy Exemption (Resource Group)](#example-4-policy-exemption-resource-group) - [Policy Exemption (Subscription)](#example-5-policy-exemption-subscription) - [Policy Exemption (Subscription)](#example-6-policy-exemption-subscription) +- [Waf-Aligned](#example-7-waf-aligned) ### Example 1: _Policy Exemptions (Management Group scope)_ @@ -786,6 +787,19 @@ param subscriptionId = ''

+### Example 7: _Waf-Aligned_ + +

+ +via Bicep module + +```bicep + +``` + +
+

+ ## Parameters **Required parameters** diff --git a/avm/ptn/authorization/policy-exemption/main.json b/avm/ptn/authorization/policy-exemption/main.json index 7254f4ba5a..d53ff99c23 100644 --- a/avm/ptn/authorization/policy-exemption/main.json +++ b/avm/ptn/authorization/policy-exemption/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.34.60546", - "templateHash": "9698601063362201765" + "version": "0.32.4.45862", + "templateHash": "3002958387544113459" }, "name": "Policy Exemptions (All scopes)", "description": "This module deploys a Policy Exemption at a Management Group, Subscription or Resource Group scope.", @@ -191,8 +191,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.34.60546", - "templateHash": "7442089928163511887" + "version": "0.32.4.45862", + "templateHash": "14565994321429024704" }, "name": "Policy Exemptions (Management Group scope)", "description": "This module deploys a policy exemption at a Management Group scope.", @@ -357,8 +357,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.34.60546", - "templateHash": "12808389810477037615" + "version": "0.32.4.45862", + "templateHash": "10491130027469268041" }, "name": "Policy Exemptions (Subscription scope)", "description": "This module deploys a policy exemption at a Subscription scope.", @@ -523,8 +523,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.34.60546", - "templateHash": "17123408262609854269" + "version": "0.32.4.45862", + "templateHash": "1123885024493785932" }, "name": "Policy Exemptions (Resource Group scope)", "description": "This module deploys a policy exemption at a Resource Group scope.", From cae0edc9a029ac2f5562ed2865c158cefe7d2fc0 Mon Sep 17 00:00:00 2001 
From: Zach Trocinski Date: Thu, 12 Dec 2024 12:10:02 -0600 Subject: [PATCH 12/18] Update readme --- .../tests/e2e/waf-aligned/main.test.bicep | 48 ------------------- 1 file changed, 48 deletions(-) delete mode 100644 avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep deleted file mode 100644 index 295de7aabe..0000000000 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/waf-aligned/main.test.bicep +++ /dev/null 
@@ -1,48 +0,0 @@ -targetScope = 'subscription' - -// ========== // -// Parameters // -// ========== // - -@description('Optional. The name of the resource group to deploy for testing purposes.') -@maxLength(90) -// e.g., for a module 'network/private-endpoint' you could use 'dep-dev-network.privateendpoints-${serviceShort}-rg' -param resourceGroupName string = 'dep-${namePrefix}---${serviceShort}-rg' - -@description('Optional. The location to deploy resources to.') -param resourceLocation string = deployment().location - -@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -// e.g., for a module 'network/private-endpoint' you could use 'npe' as a prefix and then 'waf' as a suffix for the waf-aligned test -param serviceShort string = 'apewaf' - -@description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.') -param namePrefix string = '#_namePrefix_#' - -// ============ // -// Dependencies // -// ============ // - -// General resources -// ================= -resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { - name: resourceGroupName - location: resourceLocation -} - -// ============== // -// Test Execution // -// ============== // - -@batchSize(1) -module testDeployment '../../../main.bicep' = [ - for iteration in ['init', 'idem']: { - scope: resourceGroup - name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' - params: { - // You parameters go here - name: '${namePrefix}${serviceShort}001' - location: resourceLocation - } - } -] From 15e0e9f8d94143adf082fc09d11cc650191966a1 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Thu, 12 Dec 2024 12:15:01 -0600 Subject: [PATCH 13/18] Update readme --- avm/ptn/authorization/policy-exemption/README.md | 14 -------------- 1 file changed, 14 deletions(-) 
diff --git a/avm/ptn/authorization/policy-exemption/README.md b/avm/ptn/authorization/policy-exemption/README.md index d36a7fcddf..2afbde766f 100644 --- a/avm/ptn/authorization/policy-exemption/README.md +++ b/avm/ptn/authorization/policy-exemption/README.md @@ -30,7 +30,6 @@ The following section provides usage examples for the module, which were used to - [Policy Exemption (Resource Group)](#example-4-policy-exemption-resource-group) - [Policy Exemption (Subscription)](#example-5-policy-exemption-subscription) - [Policy Exemption (Subscription)](#example-6-policy-exemption-subscription) -- [Waf-Aligned](#example-7-waf-aligned) ### Example 1: _Policy Exemptions (Management Group scope)_ @@ -787,19 +786,6 @@ param subscriptionId = ''

-### Example 7: _Waf-Aligned_ - -

- -via Bicep module - -```bicep - -``` - -
-

- ## Parameters **Required parameters** From 5b8494a6bcffdfc5ea837db568dff039b157b5ab Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Thu, 12 Dec 2024 16:00:49 -0600 Subject: [PATCH 14/18] Update issue template --- .github/ISSUE_TEMPLATE/avm_module_issue.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/ISSUE_TEMPLATE/avm_module_issue.yml b/.github/ISSUE_TEMPLATE/avm_module_issue.yml index 8ac2ed9e6b..7983ad7d18 100644 --- a/.github/ISSUE_TEMPLATE/avm_module_issue.yml +++ b/.github/ISSUE_TEMPLATE/avm_module_issue.yml @@ -43,6 +43,7 @@ body: - "avm/ptn/authorization/policy-assignment" - "avm/ptn/authorization/resource-role-assignment" - "avm/ptn/authorization/role-assignment" + - "avm/ptn/authorization/policy-exemption" # - "avm/ptn/avd-lza/insights" # - "avm/ptn/avd-lza/management-plane" # - "avm/ptn/avd-lza/networking" From 7ea0ecf22a314a36ff3b1b18885a502207988136 Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Thu, 12 Dec 2024 16:08:50 -0600 Subject: [PATCH 15/18] Fix ordering --- .github/ISSUE_TEMPLATE/avm_module_issue.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/avm_module_issue.yml b/.github/ISSUE_TEMPLATE/avm_module_issue.yml index 7983ad7d18..5c9ff454e1 100644 --- a/.github/ISSUE_TEMPLATE/avm_module_issue.yml +++ b/.github/ISSUE_TEMPLATE/avm_module_issue.yml @@ -41,9 +41,9 @@ body: - "avm/ptn/aca-lza/hosting-environment" - "avm/ptn/ai-platform/baseline" - "avm/ptn/authorization/policy-assignment" + - "avm/ptn/authorization/policy-exemption" - "avm/ptn/authorization/resource-role-assignment" - "avm/ptn/authorization/role-assignment" - - "avm/ptn/authorization/policy-exemption" # - "avm/ptn/avd-lza/insights" # - "avm/ptn/avd-lza/management-plane" # - "avm/ptn/avd-lza/networking" From 6247253c1151d05d46eaed4eb0058b1f308a0d08 Mon Sep 17 00:00:00 2001 
From: Zach Trocinski
Date: Thu, 12 Dec 2024 20:11:03 -0600
Subject: [PATCH 16/18] Remvoe expires property
---
 .../policy-exemption/tests/e2e/mg.max/main.test.bicep | 1 -
 .../policy-exemption/tests/e2e/rg.max/main.test.bicep | 1 -
 .../policy-exemption/tests/e2e/sub.max/main.test.bicep | 1 -
 3 files changed, 3 deletions(-)
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep
index 93ddc8c175..8e8153485f 100644
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep
@@ -51,7 +51,6 @@ module testDeployment '../../../main.bicep' = {
 description: '[Description] Policy Exemption at the management group scope'
 displayName: '[DisplayName] Policy Exemption at the management group scope'
 enableTelemetry: true
- expiresOn: '2024-11-14T20:46:13Z'
 location: resourceLocation
 managementGroupId: 'alz-landingzones'
 metadata: {
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep
index 647665c4a3..0c2a437fb7 100644
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep
@@ -66,7 +66,6 @@ module testDeployment '../../../main.bicep' = {
 description: '[Description] Policy Exemption at the management group scope'
 displayName: '[DisplayName] Policy Exemption at the management group scope'
 enableTelemetry: true
- expiresOn: '2024-11-14T20:46:13Z'
 location: resourceLocation
 subscriptionId: subscriptionId
 resourceGroupName: resourceGroup.outputs.name
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep
index 0df3365a2d..75af475381 100644
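Review bot: Deleting `expiresOn` from the mg.max params (and likewise in the rg.max hunk on this line and the sub.max hunk that follows) leaves no e2e test that exercises a time-bound exemption, although the max tests exist to cover the module's full parameter surface; the removal looks motivated by the hard-coded `2024-11-14T20:46:13Z` having already passed by the commit date rather than by the property being wrong. An exemption without an expiry is the weaker governance posture, so keeping that path under test is worth more than dropping it. Derive a date that is always in the future instead: add `param baseTime string = utcNow('u')` alongside the other parameters (utcNow is only permitted in a parameter default) and set `expiresOn: dateTimeAdd(baseTime, 'P1Y')` in the module params. The enclosing `module testDeployment` block starts and ends outside the hunk.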
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep @@ -55,7 +55,6 @@ module testDeployment '../../../main.bicep' = { description: '[Description] Policy Exemption at the management group scope' displayName: '[DisplayName] Policy Exemption at the management group scope' enableTelemetry: true - expiresOn: '2024-11-14T20:46:13Z' location: resourceLocation metadata: { category: 'Security' From 9bc3151e0dc8f4b153eebb9215319737918eb84a Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Thu, 12 Dec 2024 20:13:06 -0600 Subject: [PATCH 17/18] update json --- avm/ptn/authorization/policy-exemption/README.md | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/avm/ptn/authorization/policy-exemption/README.md b/avm/ptn/authorization/policy-exemption/README.md index 2afbde766f..d7b42d200b 100644 --- a/avm/ptn/authorization/policy-exemption/README.md +++ b/avm/ptn/authorization/policy-exemption/README.md @@ -119,7 +119,6 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' managementGroupId: 'alz-landingzones' metadata: { @@ -184,9 +183,6 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" }, @@ -243,7 +239,6 @@ param assignmentScopeValidation = 'Default' param description = '[Description] Policy Exemption at the management group scope' param displayName = '[DisplayName] Policy Exemption at the management group scope' param enableTelemetry = true -param expiresOn = '2024-11-14T20:46:13Z' param location = '' param managementGroupId = 'alz-landingzones' param metadata = { @@ -375,7 +370,6 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' metadata: { assignedBy: 'Bicep' @@ -441,9 +435,6 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" }, 
@@ -503,7 +494,6 @@ param assignmentScopeValidation = 'Default' param description = '[Description] Policy Exemption at the management group scope' param displayName = '[DisplayName] Policy Exemption at the management group scope' param enableTelemetry = true -param expiresOn = '2024-11-14T20:46:13Z' param location = '' param metadata = { assignedBy: 'Bicep' @@ -631,7 +621,6 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:' metadata: { assignedBy: 'Bicep' @@ -696,9 +685,6 @@ module policyExemption 'br/public:avm/ptn/authorization/policy-exemption:" }, @@ -755,7 +741,6 @@ param assignmentScopeValidation = 'Default' param description = '[Description] Policy Exemption at the management group scope' param displayName = '[DisplayName] Policy Exemption at the management group scope' param enableTelemetry = true -param expiresOn = '2024-11-14T20:46:13Z' param location = '' param metadata = { assignedBy: 'Bicep' From 6bbf552dcbced3202cba36db5ae8bb53d0b2e2db Mon Sep 17 00:00:00 2001 From: Zach Trocinski Date: Wed, 18 Dec 2024 16:11:27 -0600 Subject: [PATCH 18/18] Fix lint error --- .../tests/e2e/mg.defaults/main.test.bicep | 10 ++++++---- .../policy-exemption/tests/e2e/mg.max/main.test.bicep | 10 ++++++---- .../tests/e2e/rg.defaults/main.test.bicep | 9 +++++---- .../policy-exemption/tests/e2e/rg.max/main.test.bicep | 10 ++++++---- .../tests/e2e/sub.defaults/main.test.bicep | 10 ++++++---- .../policy-exemption/tests/e2e/sub.max/main.test.bicep | 10 ++++++---- 6 files changed, 35 insertions(+), 24 deletions(-) diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep index 3e76cc2478..5d332a51d6 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.defaults/main.test.bicep 
@@ -6,9 +6,6 @@ metadata description = 'This module deploys a Policy Exemption at a Management G
 // Parameters //
 // ========== //
-@description('Required. The policy definition ID to assign the policy to.')
-param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
-
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'apemgmin'
@@ -22,6 +19,11 @@ param resourceLocation string = deployment().location
 // Test Execution //
 // ============== //
+resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2025-01-01' existing = {
+ name: '06a78e20-9358-41c9-923c-fb736d382a4d'
+ scope: tenant()
+}
+
 resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = {
 name: 'audit-vm-managed-disks'
 scope: managementGroup()
@@ -29,7 +31,7 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01'
 metadata: {
 assignedBy: 'Bicep'
 }
- policyDefinitionId: policyDefinitionID
+ policyDefinitionId: policyDefinition.id
 description: ' This policy audits VMs that do not use managed disks'
 displayName: 'Audit VMs that do not use managed disks'
 enforcementMode: 'DoNotEnforce'
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep
index 8e8153485f..c499c654f7 100644
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/mg.max/main.test.bicep
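Review bot: The new `existing` resource in mg.defaults identifies the definition only by the bare GUID in `name: '06a78e20-9358-41c9-923c-fb736d382a4d'`; the removed parameter at least carried a `@description`, so the file now has no human-readable hint of which built-in this is, and a reviewer has to look it up to check the test still targets the intended policy. Add a comment above the resource, e.g. `// Built-in policy definition 'Audit VMs that do not use managed disks', referenced at tenant scope`, which matches the `displayName` the assignment below already uses. The same bare GUID is introduced in the mg.max, rg.defaults, rg.max, sub.defaults and sub.max hunks that follow and deserves the same comment there. Presumably `policyDefinition.id` resolves to the same `/providers/Microsoft.Authorization/policyDefinitions/<guid>` string the deleted default carried, so the assignment itself should be unchanged; the `resource policyAssignment` body continues outside the hunk.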
@@ -12,9 +12,6 @@ param serviceShort string = 'apemgmax'
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
-@description('Required. The policy definition ID to assign the policy to.')
-param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
-
 @description('Optional. The location to deploy resources to.')
 param resourceLocation string = deployment().location
@@ -22,6 +19,11 @@ param resourceLocation string = deployment().location
 // Test Execution //
 // ============== //
+resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2025-01-01' existing = {
+ name: '06a78e20-9358-41c9-923c-fb736d382a4d'
+ scope: tenant()
+}
+
 resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = {
 name: 'audit-vm-managed-disks'
 scope: managementGroup()
@@ -29,7 +31,7 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01'
 metadata: {
 assignedBy: 'Bicep'
 }
- policyDefinitionId: policyDefinitionID
+ policyDefinitionId: policyDefinition.id
 description: ' This policy audits VMs that do not use managed disks'
 displayName: 'Audit VMs that do not use managed disks'
 enforcementMode: 'DoNotEnforce'
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep
index 1b6a7447e7..1e680c9123 100644
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.defaults/main.test.bicep
@@ -12,9 +12,6 @@ param serviceShort string = 'apergmin'
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
-@description('Optional. The policy definition ID to assign the policy to.')
-param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
-
 @description('Optional. The target scope for the policy exemption. If not provided, will use the current scope for deployment.')
 param subscriptionId string = '#_subscriptionId_#'
@@ -38,6 +35,10 @@ module resourceGroup 'br/public:avm/res/resources/resource-group:0.2.3' = {
 }
 }
+resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2025-01-01' existing = {
+ name: '06a78e20-9358-41c9-923c-fb736d382a4d'
+ scope: tenant()
+}
 resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = {
 name: 'audit-vm-managed-disks'
@@ -46,7 +47,7 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01'
 metadata: {
 assignedBy: 'Bicep'
 }
- policyDefinitionId: policyDefinitionID
+ policyDefinitionId: policyDefinition.id
 description: ' This policy audits VMs that do not use managed disks'
 displayName: 'Audit VMs that do not use managed disks'
 enforcementMode: 'DoNotEnforce'
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep
index 0c2a437fb7..832dd7bb85 100644
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/rg.max/main.test.bicep
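Review bot: In the rg.defaults hunk the added `existing` block's closing `}` runs straight into `resource policyAssignment` with no separating blank line, whereas the same insertion in the other five test files adds one (this hunk grows by four lines, `+35,10`, the others by five, `+19,11` / `+34,11`). Insert an empty line after `+}` so the six fixtures stay formatted alike and the next linter pass does not flag only this file. The parameter section and the `resource policyAssignment` body extend outside the hunk.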
@@ -12,9 +12,6 @@ param serviceShort string = 'apergmax'
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
-@description('Optional. The policy definition ID to assign the policy to.')
-param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
-
 @description('Optional. The target scope for the policy exemption. If not provided, will use the current scope for deployment.')
 param subscriptionId string = '#_subscriptionId_#'
@@ -37,6 +34,11 @@ module resourceGroup 'br/public:avm/res/resources/resource-group:0.2.3' = {
 }
 }
+resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2025-01-01' existing = {
+ name: '06a78e20-9358-41c9-923c-fb736d382a4d'
+ scope: tenant()
+}
+
 resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = {
 name: 'audit-vm-managed-disks'
 scope: managementGroup()
@@ -44,7 +46,7 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01'
 metadata: {
 assignedBy: 'Bicep'
 }
- policyDefinitionId: policyDefinitionID
+ policyDefinitionId: policyDefinition.id
 description: ' This policy audits VMs that do not use managed disks'
 displayName: 'Audit VMs that do not use managed disks'
 enforcementMode: 'DoNotEnforce'
diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep
index 53619a3732..1864acb75d 100644
--- a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep
+++ b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.defaults/main.test.bicep
@@ -12,9 +12,6 @@ param serviceShort string = 'apesubmin' @description('Optional. A token to inject into the name of each resource.') param namePrefix string = '#_namePrefix_#' -@description('Optional. The policy definition ID to assign the policy to.') -param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' - @description('Optional. The target Scope for the policy exemption. If not provided, will use the current scope for deployment.') param subscriptionId string = '#_subscriptionId_#' @@ -25,6 +22,11 @@ param resourceLocation string = deployment().location // Test Execution // // ============== // +resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2025-01-01' existing = { + name: '06a78e20-9358-41c9-923c-fb736d382a4d' + scope: tenant() +} + resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: 'audit-vm-managed-disks' scope: managementGroup() @@ -32,7 +34,7 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' metadata: { assignedBy: 'Bicep' } - policyDefinitionId: policyDefinitionID + policyDefinitionId: policyDefinition.id description: ' This policy audits VMs that do not use managed disks' displayName: 'Audit VMs that do not use managed disks' enforcementMode: 'DoNotEnforce' diff --git a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep index 75af475381..ba00f5e210 100644 --- a/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep +++ b/avm/ptn/authorization/policy-exemption/tests/e2e/sub.max/main.test.bicep 
@@ -12,9 +12,6 @@ param serviceShort string = 'apesubmax' @description('Optional. A token to inject into the name of each resource.') param namePrefix string = '#_namePrefix_#' -@description('Optional. The policy definition ID to assign the policy to.') -param policyDefinitionID string = '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d' - @description('Optional. The target Scope for the policy exemption. If not provided, will use the current scope for deployment.') param subscriptionId string = '#_subscriptionId_#' @@ -25,6 +22,11 @@ param resourceLocation string = deployment().location // Test Execution // // ============== // +resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2025-01-01' existing = { + name: '06a78e20-9358-41c9-923c-fb736d382a4d' + scope: tenant() +} + resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = { name: 'audit-vm-managed-disks' scope: managementGroup() @@ -32,7 +34,7 @@ resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' metadata: { assignedBy: 'Bicep' } - policyDefinitionId: policyDefinitionID + policyDefinitionId: policyDefinition.id description: ' This policy audits VMs that do not use managed disks' displayName: 'Audit VMs that do not use managed disks' enforcementMode: 'DoNotEnforce'
