
feat: add policy exemption to overwrites #696

Open
wants to merge 3 commits into
base: main

Conversation

@steph409 (Contributor) commented May 2, 2023

Overview/Summary


This PR fixes/adds/changes/removes

Add policy exemptions to the CAF using the archetype_config_overrides as discussed in #277. It is possible to exempt a scope (either subscription, resource group or individual resources) from a policy/initiative or from one policy within an initiative. The exemption must be defined at the scope the policy is assigned.

```hcl
locals {
  archetype_config_overrides = {
    escorp = {
      # exempt a resource from a policy/initiative completely
      policy_exemption = {
        Deploy-MDFC-Config = [
          "/subscriptions/00000000-0000-0000-0000-000000000000",                                                                                   # to exempt a complete subscription
          "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Default-ActivityLogAlerts",                                          # to exempt a resource group
          "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-stephi",                                                       # to exempt a resource group
          "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-stephi/providers/Microsoft.Network/virtualNetworks/aks-network", # to exempt a specific resource
        ]
        Deploy-VM-Monitoring = [
          "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-stephi", # to exempt a resource group
        ]
      }
      # to exempt from specific policies within an initiative
      initiative_exemption = {
        Deploy-VMSS-Monitoring = { # initiative name
          LogAnalyticsExtension_Linux_VMSS_Deploy = [ # policy name
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-stephi",               # to exempt a resource group
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Default-ActivityLogAlerts", # to exempt a resource group
          ]
          DependencyAgentExtension_Windows_VMSS_Deploy = [
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-stephi", # to exempt a resource group
          ]
        }
      }
    }
  } # closes archetype_config_overrides (brace missing in the original snippet)
}   # closes locals (brace missing in the original snippet)
```

For every entry in the configuration above, one exemption is created.

There are several limitations to discuss:

  1. Policy exemptions have a couple of parameters. It is possible to set them to "mitigated" or "waiver", the exemption can be temporary, and a description can be added. I did not want to make the overwrite config too complex, so I always set it to mitigated, no expiration date, no description. I set the names for the exemptions to "caf-mitigated-{ID}-{assignmentName}".
  2. It is possible to write resourceSelectors to identify the resources which should be exempted. Those are more flexible than what is currently possible in the overwrite config, where every subscription/resource group/resource needs to be defined.
  3. In the portal, it is possible to create one exemption with multiple resources. This could be particularly interesting for the initiatives, e.g. by grouping all exemptions from one policy within the initiative in one exemption. I am not sure if this would make it easier to understand or not.
  4. The naming in the archetype_config_overrides is confusing, as the policy_exemption parameter actually works for both policies and initiatives (it makes a complete exemption), while the initiative_exemption parameter gives the possibility to select policies within the initiative to exempt from.
  5. I am happy to write a documentation page again.

Breaking Changes

No breaking changes, as this is an optional configuration.

Testing Evidence

The exemptions are visible in the portal as expected.

As part of this Pull Request I have

  • Checked for duplicate Pull Requests
  • Associated it with relevant issues, for tracking and closure.
  • Ensured my code/branch is up-to-date with the latest changes in the main branch
  • Performed testing and provided evidence.
  • Updated relevant and associated documentation.
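The flattening the description refers to ("for every entry in the configuration above, one exemption is created"), as an added illustration in Python that is not the PR's Terraform code: it turns the `policy_exemption` / `initiative_exemption` maps into one record per scope entry, classifies each scope (subscription, resource group or resource), and applies the fixed Mitigated category and the `caf-mitigated-{ID}-{assignmentName}` name pattern from limitation 1. How `{ID}` is derived is not stated in the PR, so the hash used here is an assumption, and the sample input is constructed with a placeholder subscription id.

```python
import hashlib
import re
from dataclasses import dataclass

_SUB = re.compile(r"^/subscriptions/[0-9a-f-]{36}$", re.I)
_RG = re.compile(r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+$", re.I)
_RES = re.compile(r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+/providers/[^/]+/[^/]+/.+$", re.I)

@dataclass(frozen=True)
class Exemption:
    name: str
    scope: str
    scope_type: str              # "subscription" | "resource_group" | "resource"
    assignment: str              # policy or initiative assignment name
    policy_reference_ids: tuple  # () exempts the whole assignment
    category: str = "Mitigated"  # the PR always uses Mitigated, no expiry, no description

def classify_scope(scope: str) -> str:
    for kind, pattern in (("subscription", _SUB), ("resource_group", _RG), ("resource", _RES)):
        if pattern.match(scope):
            return kind
    raise ValueError(f"unsupported exemption scope: {scope}")

def exemption_name(scope: str, assignment: str, policy_ref: str = "") -> str:
    # PR pattern "caf-mitigated-{ID}-{assignmentName}"; ASSUMPTION: {ID} is a short hash of scope and
    # policy reference, so one scope exempted from two policies of one initiative gets distinct names.
    digest = hashlib.sha256(f"{scope.lower()}|{policy_ref}".encode()).hexdigest()[:8]
    return f"caf-mitigated-{digest}-{assignment}"

def flatten_exemptions(overrides: dict) -> list:
    """One Exemption per scope entry, across all archetypes and both exemption maps."""
    out = []
    for archetype in overrides.values():
        for assignment, scopes in archetype.get("policy_exemption", {}).items():
            out += [Exemption(exemption_name(s, assignment), s, classify_scope(s), assignment, ())
                    for s in scopes]
        for assignment, policies in archetype.get("initiative_exemption", {}).items():
            for ref, scopes in policies.items():
                out += [Exemption(exemption_name(s, assignment, ref), s, classify_scope(s),
                                  assignment, (ref,)) for s in scopes]
    if len({(e.scope, e.name) for e in out}) != len(out):  # exemption names must be unique per scope
        raise ValueError("a scope is listed twice for the same policy: exemption names would collide")
    return out

_SUB_ID = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder id
_RG_ID = _SUB_ID + "/resourceGroups/demo-stephi"
SAMPLE = {"escorp": {  # constructed sample in the shape of the PR description
    "policy_exemption": {"Deploy-MDFC-Config": [_SUB_ID, _RG_ID, _RG_ID + "/providers/Microsoft.Network/virtualNetworks/aks-network"]},
    "initiative_exemption": {"Deploy-VMSS-Monitoring": {"LogAnalyticsExtension_Linux_VMSS_Deploy": [_RG_ID],
                                                         "DependencyAgentExtension_Windows_VMSS_Deploy": [_RG_ID]}}}}
```

Running `flatten_exemptions(SAMPLE)` yields five records; the subscription-wide one is the broadest and the first a reviewer should question.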

@matt-FFFFFF (Member)

Hi @steph409 thanks for your PR!

We will consider this, as it's a balance of being opinionated about the exemptions, vs. more complex inputs adding more features.

@matt-FFFFFF (Member)

I think we need to modify the schema for the variable:

https://github.com/Azure/terraform-azurerm-caf-enterprise-scale?tab=readme-ov-file#input_archetype_config_overrides

Otherwise this seems workable.
