
globalbao / azure-policy-as-code

170.0 19.0 81.0 1.64 MB

Bicep and Terraform code examples for policy-as-code workflows. Azure governance guardrails and automation - by @JesseLoudon

Home Page: https://globalbao.github.io/azure-policy-as-code

License: MIT License

Languages: Bicep 31.96%, HCL 66.55%, PowerShell 1.49%

Topics: azure-policy, policy-as-code, bicep, cicd, terraform, azurerm, armtemplates, azurepolicy, azuredevops, terraform-azurerm

azure-policy-as-code's People

Contributors

jesseloudon, jloudonunswc, rodmhgl, rogerm-chen


azure-policy-as-code's Issues

Deprecated Resource: azurerm_policy_assignment

azurerm_policy_assignment is being deprecated and needs to be replaced by new AzureRM resources

Warning: Deprecated Resource

  on modules/policy-assignments/main.tf line 1, in resource "azurerm_policy_assignment" "monitoring_governance":
   1: resource "azurerm_policy_assignment" "monitoring_governance" {

The `azurerm_policy_assignment` resource is deprecated in favour of the:

- `azurerm_management_group_policy_assignment`
- `azurerm_resource_policy_assignment`
- `azurerm_resource_group_policy_assignment`
- `azurerm_subscription_policy_assignment`

resources and will be removed in version 3.0 of the Azure Provider.

(and 5 more similar warnings elsewhere)

BUG: Bicep-CD-Tests MG failure

Describe the bug

ERROR: "status":"Failed","error":"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":["code":"Conflict","message":"\r\n "status": "Failed",\r\n "error": ***\r\n "code": "ResourceDeploymentFailure",\r\n "message": "The resource operation completed with terminal provisioning state 'Failed'.",\r\n "details": [\r\n ***\r\n "code": "DeploymentFailed",\r\n "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",\r\n "details": [\r\n \r\n "code": "Conflict",\r\n "message": "\r\n \"status\": \"Failed\",\r\n \"error\": ***\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n ***\r\n \"code\": \"DeploymentFailed\",\r\n \"message\": \"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.\",\r\n \"details\": [\r\n \r\n \"code\": \"BadRequest\",\r\n \"message\": \"\\r\\n \\\"error\\\": ***\\r\\n \\\"code\\\": \\\"InvalidCreatePolicySetDefinitionRequest\\\",\\r\\n \\\"message\\\": \\\"The policy set definition 'tagging_initiative' request is invalid. Referenced policy definitions must be of type 'Microsoft.Authorization/policyDefinitions'.\\\"\\r\\n \\r\\n\"\r\n ***\r\n ]\r\n ***\r\n ]\r\n \r\n"\r\n ***,\r\n \r\n "code": "Conflict",\r\n "message": "\r\n \"status\": \"Failed\",\r\n \"error\": ***\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n ***\r\n \"code\": \"DeploymentFailed\",\r\n \"message\": \"At least one resource deployment operation failed. 
Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.\",\r\n \"details\": [\r\n \r\n \"code\": \"BadRequest\",\r\n \"message\": \"\\r\\n \\\"error\\\": ***\\r\\n \\\"code\\\": \\\"InvalidCreatePolicySetDefinitionRequest\\\",\\r\\n \\\"message\\\": \\\"The policy set definition 'iam_initiative' request is invalid. Referenced policy definitions must be of type 'Microsoft.Authorization/policyDefinitions'.\\\"\\r\\n \\r\\n\"\r\n ***\r\n ]\r\n ***\r\n ]\r\n \r\n"\r\n \r\n ]\r\n \r\n ]\r\n \r\n"]

To Reproduce
Steps to reproduce the behavior:
Run Bicep-CD-Tests on MG deployment step

Community contribution guide for custom policies

Is your feature request related to a problem? Please describe.
Community members may like to contribute a custom policy to this repo but don't know how.

Describe the solution you'd like
Add a community contribution guide with steps defining:

  • Branch process
  • Language selection
  • Folder selection
  • Custom Policy creation
  • Custom Policy testing
  • Language Linting/Validation checks
  • PR process

BUG: could not find policy 'Audit usage of custom RBAC rules'

Describe the bug
Terraform plan fails when run with the default configuration:

Error: reading Policy Definition (Display Name "Audit usage of custom RBAC rules"): loading Policy
Definition List: could not find policy 'Audit usage of custom RBAC rules' with
module.policyset_definitions.data.azurerm_policy_definition.builtin_policies_iam_governance[0], on
modules/policyset-definitions/variables.tf line 100, in data "azurerm_policy_definition"
"builtin_policies_iam_governance": 100: data "azurerm_policy_definition" "builtin_policies_iam_governance {

To Reproduce
Steps to reproduce the behavior:

  1. Clone Repo
  2. Configure Backend
  3. Run terraform plan
  4. See error

Expected behavior
terraform plan would complete and display the plan as usual.

Additional context
It appears the policy has been renamed to "Audit usage of custom RBAC roles"
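The two Terraform problems reported above, the deprecated `azurerm_policy_assignment` resource and the `data "azurerm_policy_definition"` lookup that breaks when Microsoft renames a built-in policy, can be illustrated in one place. The following snippet is an added example written for this page, not code from the repository's modules: it assumes a placeholder management group ID, assumes the built-in "Audit usage of custom RBAC roles" definition exposes an `effect` parameter with the allowed values `Audit` and `Disabled`, and uses made-up initiative and assignment names.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Placeholder management group; replace with the ID of the management group
# that should carry the assignment.
variable "management_group_id" {
  type    = string
  default = "/providers/Microsoft.Management/managementGroups/example-mg"
}

# Look up a built-in policy by its current display name. This lookup fails
# with "could not find policy" the moment Microsoft renames the definition,
# so keep display names aligned with the portal (the issue above reports the
# rename from "... RBAC rules" to "... RBAC roles").
data "azurerm_policy_definition" "custom_rbac_roles" {
  display_name = "Audit usage of custom RBAC roles"
}

# Custom initiative wrapping the built-in definition. policy_definition_id
# must point at a Microsoft.Authorization/policyDefinitions resource; pointing
# it at another initiative is rejected with the
# InvalidCreatePolicySetDefinitionRequest error quoted earlier on this page.
resource "azurerm_policy_set_definition" "iam_governance" {
  name                = "iam_governance"
  policy_type         = "Custom"
  display_name        = "IAM Governance (example)"
  management_group_id = var.management_group_id

  # Assumed parameter shape for the referenced built-in policy.
  parameters = jsonencode({
    effect = {
      type          = "String"
      allowedValues = ["Audit", "Disabled"]
      defaultValue  = "Audit"
    }
  })

  policy_definition_reference {
    policy_definition_id = data.azurerm_policy_definition.custom_rbac_roles.id
    reference_id         = "auditCustomRbacRoles"
    parameter_values = jsonencode({
      effect = { value = "[parameters('effect')]" }
    })
  }
}

# Before: the deprecated resource from the warning above, which accepted any
# scope through a single "scope" argument. Kept commented out for comparison.
#
# resource "azurerm_policy_assignment" "iam_governance" {
#   name                 = "iam_governance"
#   scope                = var.management_group_id
#   policy_definition_id = azurerm_policy_set_definition.iam_governance.id
# }

# After: one resource per scope type. At management-group scope use
# azurerm_management_group_policy_assignment; the subscription, resource group
# and resource variants listed in the warning take subscription_id,
# resource_group_id or resource_id in place of management_group_id.
resource "azurerm_management_group_policy_assignment" "iam_governance" {
  name                 = "iam_governance"
  display_name         = "IAM Governance"
  management_group_id  = var.management_group_id
  policy_definition_id = azurerm_policy_set_definition.iam_governance.id
  enforce              = true

  parameters = jsonencode({
    effect = { value = "Audit" }
  })
}
```

Looking definitions up by display name keeps the module readable, but it ties `terraform plan` to a string Microsoft may change at any time; pinning the built-in policy's resource ID instead trades readability for a lookup that survives renames.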

How to add an object inside policySetDefinitions parameters

Is your feature request related to a problem? Please describe.
Let's assume a policy has more than one parameter. We want to be able to set those parameters when deploying the policy (in Bicep). Is it possible to have all the parameters of a policy in one object defined in the parameters property of policySetDefinitions? If it's possible, how do we later set this object parameter in policyDefinitions?

Example:
This policy definition seems to have more than one parameter:
https://github.com/globalbao/azure-policy-as-code/blob/main/Bicep/demos/security-governance/deploy-sub-dev.bicep#L75

Currently, the parameters are hard-coded. How can we set those parameters when deploying (for example using parameter files)? Please note that there might be several policies with parameters which have similar names. "Effect" is a common parameter name. That is the reason I am looking for an object per policy.

2x deprecated policies

Describe the errors

Error: reading Policy Definition (Display Name "RDP access from the Internet should be blocked"): loading Policy Definition List: could not find policy 'RDP access from the Internet should be blocked'

with module.policyset_definitions.data.azurerm_policy_definition.builtin_policies_security_governance[6],
on modules/policyset-definitions/variables.tf line 109, in data "azurerm_policy_definition" "builtin_policies_security_governance":
109: data "azurerm_policy_definition" "builtin_policies_security_governance" {

Error: reading Policy Definition (Display Name "SSH access from the Internet should be blocked"): loading Policy Definition List: could not find policy 'SSH access from the Internet should be blocked'

with module.policyset_definitions.data.azurerm_policy_definition.builtin_policies_security_governance[7],
on modules/policyset-definitions/variables.tf line 109, in data "azurerm_policy_definition" "builtin_policies_security_governance":
109: data "azurerm_policy_definition" "builtin_policies_security_governance" {

Bicep CD job - AzureCLI SP failure

Describe the bug
GitHub Action azure/CLI@v1 fails with

ERROR: Could not retrieve credential from local cache for service principal xyz. Run az login for this service principal.

Issue tracking: Azure/login#162

Workaround:
Change azcliversion in azure/CLI@v1 to 2.29.2 which is compatible with azure/login@v1:

- name: Azure CLI script
  uses: azure/CLI@v1
  with:
    azcliversion: 2.29.2

Add SPN creation steps for Bicep usage to readme

Is your feature request related to a problem? Please describe.
Bicep users may like some guidance on creating and using an SPN for managing policy as code workflows

Describe the solution you'd like
SPN creation steps should cover:

  • Azure CLI e.g. az ad sp create-for-rbac
  • Suitable built-in RBAC roles
  • Onboarding credentials to GitHub secrets for use with GitHub Actions

Bicep CI validation step failure

Describe the bug

Bicep CI validation step failure for PR #9

To Reproduce

Run Bicep CI on a PR

Expected behavior

Bicep CI is successful on PR

Logs

https://github.com/globalbao/azure-policy-as-code/actions/runs/1369747466

You are not currently on a branch.
Please specify which branch you want to merge with.
See git-pull(1) for details.

    git pull <remote> <branch>

fatal: Invalid symmetric difference expression main...901b6845f8521b31aaea46bf06723925c6461dae
2021-10-21 22:27:39 [WARN]   No files were found in the GITHUB_WORKSPACE:[/github/workspace] to lint!
2021-10-21 22:27:39 [ERROR]   Failed to switch back to branch!
2021-10-21 22:27:39 [FATAL]   [fatal: reference is not a tree: 901b6845f8521b31aaea46bf06723925c6461dae]

Add Decorators to Bicep parameters

Bicep parameters are used extensively throughout Subscription/Management Group modules

Need to add Decorators where appropriate to assist usage and provide further context for module users

For example:

  • Secure parameters
  • Allowed values
  • Length constraints
  • Integer constraints
  • Description
