1.2.0 (#2)

* inconsistent plan fix, readme and policy updates
* restrict to TF <= 0.13.6 (see [issue 11327](hashicorp/terraform-provider-azurerm#11327))

README.md

@@ -25,6 +25,9 @@
 - [Definition and Assignment Scopes](#definition-and-assignment-scopes)
 - [Limitations](#limitations)
 - [Useful Resources](#useful-resources)
+- [Known Issues](#known-issues)
+  - [Parameter Values are nulled with TF >= 14](#parameter-values-are-nulled-with-tf--14)
+  - [Error: Invalid for_each argument](#error-invalid-for_each-argument)
 
 ## Repo Folder Structure
 
@@ -68,7 +71,7 @@
 ```hcl
 module whitelist_regions {
   source                = "gettek/policy-as-code/azurerm//modules/definition"
-  version               = "1.1.0"
+  version               = "1.2.0"
   policy_name           = "whitelist_regions"
   display_name          = "Allow resources only in whitelisted regions"
   policy_category       = "General"
@@ -91,7 +94,7 @@ Policy Initiatives are used to combine sets of definitions in order to simplify
 ```hcl
 module platform_baseline_initiative {
   source                  = "gettek/policy-as-code/azurerm//modules/initiative"
-  version                 = "1.1.0"
+  version                 = "1.2.0"
   initiative_name         = "platform_baseline_initiative"
   initiative_display_name = "[Platform]: Baseline Policy Set"
   initiative_description  = "Collection of policies representing the baseline platform requirements"
@@ -114,7 +117,7 @@ module platform_baseline_initiative {
 ```hcl
 module org_mg_whitelist_regions {
   source                = "gettek/policy-as-code/azurerm//modules/def_assignment"
-  version               = "1.1.0"
+  version               = "1.2.0"
   definition            = module.whitelist_regions.definition
   assignment_scope      = local.default_assignment_scope
   assignment_effect     = "Deny"
@@ -140,9 +143,9 @@ Azure Policy supports the following types of effect:
 
 ### Automate Remediation Tasks
 
-The `def_assignment` and `set_assignment` modules will automatically create [remediation tasks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_remediation) for policies with effects of `DeployIfNotExists` and `Modify`. The task name is suffixed with a timestamp to ensure a new task gets created on each `terraform apply`. This can be prevented with `-TF_VAR_skip_remediation=true`.
+The `def_assignment` and `set_assignment` modules will automatically create [remediation tasks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_remediation) for policies with effects of `DeployIfNotExists` and `Modify`. The task name is suffixed with a timestamp to ensure a new task gets created on each `terraform apply`. This can be prevented with `-var "skip_remediation=true"`.
 
-> :bulb: **Note:** To fully automate remediation tasks without manual intervention via the portal, it may be necessary in some instances to create custom role defenitions. This is a disadvantage by design as identified [in this GitHub issue](https://github.com/Azure/azure-powershell/issues/10196). However an example custom role definition [as seen here](policies/Monitoring/deploy_subscription_diagnostic_setting/README.md#cross-subscription-role-assignment) can be used by the system assigned managed identity, created by the policy assignment, to remediate cross-subscription activity log forwarders.
+> :bulb: **Note:** To fully automate remediation tasks without manual intervention via the portal, it may be necessary in some instances to create custom role definitions. This is a disadvantage by design as identified [in this GitHub issue](https://github.com/Azure/azure-powershell/issues/10196). However a Custom or [Built-In](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) Role definition reference can be assigned to the managed identity created by the policy assignment [as seen here](examples/assignments_org.tf#L60).
 
 ## Creating Custom Versions of Built-In Policies
 
@@ -252,3 +255,13 @@ module from_mono_repo_with_tags {
 - [Terraform Provider: azurerm_policy_set_definition](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_set_definition)
 - [Terraform Provider: azurerm_policy_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_assignment)
 - [Terraform Provider: azurerm_policy_remediation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_remediation)
+
+## Known Issues
+
+### Parameter Values are nulled with TF >= 14
+
+When using Terraform 14 and above it appears all `parameter_values` within a policy set definition are nulled, these are then recreated and removed on each consecutive plan/apply. **[Issue 11327 raised here](https://github.com/terraform-providers/terraform-provider-azurerm/issues/11327)**
+
+### Error: Invalid for_each argument
+
+You may sometimes experience plan/apply issues when running an initial deployment of the `set_assignment` module. To prevent this, set the flag `-var "skip_remediation=true"` and omit for consecutive builds.

examples/TEMPLATE.md

@@ -1,18 +1,3 @@
 # Azure Policy Deployments
 
-This examples folder demonstrates an effective deployment of Azure Policy Definitions and Assignments. The order of execution is generally from `definitions.tf` -> `initiatives.tf` -> `assignments_<scope>.tf`
-
-### Resources
-
-* azurerm_policy_definition.def
-* azurerm_policy_set_definition.set
-* azurerm_policy_set_definition.cis_benchmark
-* azurerm_policy_assignment.def
-* azurerm_policy_assignment.set
-* azurerm_policy_remediation.rem
-* random_uuid.org_mg_remediate_platform_diagnostics_initiative
-* random_uuid.org_mg_add_replace_resource_group_tag_key_modify
-* data.azurerm_role_definition.security_admin
-* azurerm_role_assignment.org_mg_configure_asc_initiative
-* azurerm_role_definition.org_mg_remediate_platform_diagnostics_initiative
-* azurerm_role_assignment.org_mg_add_replace_resource_group_tag_key_modify
+This examples folder demonstrates an effective deployment of Azure Policy Definitions and Assignments. The order of execution is generally from `definitions.tf` -> `initiatives.tf` -> `assignments_<scope>.tf`

examples/assignments_org.tf

@@ -60,7 +60,7 @@ module org_mg_configure_asc_initiative {
 resource azurerm_role_assignment org_mg_configure_asc_initiative {
   count              = var.skip_remediation ? 0 : 1
   scope              = azurerm_management_group.org.id
-  role_definition_id = data.azurerm_role_definition.security_admin.id
+  role_definition_id = data.azurerm_role_definition.contributor.id
   principal_id       = module.org_mg_configure_asc_initiative.identity_id
 }
 
@@ -98,41 +98,6 @@ module org_mg_network_deny_nat_rules_firewall {
 ##################
 # Monitoring
 ##################
-resource random_uuid org_mg_remediate_platform_diagnostics_initiative {}
-
-resource azurerm_role_definition org_mg_remediate_platform_diagnostic_settings {
-  name               = "policy_remediates_platform_diagnostic_settings"
-  role_definition_id = random_uuid.org_mg_remediate_platform_diagnostics_initiative.result
-  scope              = azurerm_management_group.org.id
-  description        = "Enables the managed identity created by policy assignment permissions to remediate non compliant resources"
-
-  permissions {
-    actions = [
-      "Microsoft.Authorization/*/read",
-      "Microsoft.Automation/automationAccounts/*",
-      "Microsoft.Compute/virtualMachines/extensions/write",
-      "Microsoft.Compute/virtualMachines/extensions/read",
-      "Microsoft.EventHub/namespaces/authorizationrules/listkeys/action",
-      "Microsoft.Insights/alertRules/*",
-      "Microsoft.Insights/components/*/read",
-      "Microsoft.Insights/alertRules/*",
-      "Microsoft.Insights/diagnosticSettings/*",
-      "Microsoft.OperationalInsights/*",
-      "Microsoft.OperationsManagement/*",
-      "Microsoft.Resources/deployments/*",
-      "Microsoft.Resources/subscriptions/resourceGroups/read",
-      "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
-      "Microsoft.Support/*",
-      "Microsoft.Storage/storageAccounts/listKeys/action",
-      "Microsoft.Storage/storageAccounts/read",
-    ]
-  }
-
-  assignable_scopes = [
-    azurerm_management_group.org.id
-  ]
-}
-
 module org_mg_platform_diagnostics_initiative {
   source            = "..//modules/set_assignment"
   initiative        = module.platform_diagnostics_initiative.initiative
@@ -157,35 +122,6 @@ module org_mg_platform_diagnostics_initiative {
 resource azurerm_role_assignment org_mg_remediate_platform_diagnostic_settings {
   count              = var.skip_remediation ? 0 : 1
   scope              = azurerm_management_group.org.id
-  role_definition_id = azurerm_role_definition.org_mg_remediate_platform_diagnostic_settings.role_definition_resource_id
+  role_definition_id = data.azurerm_role_definition.contributor.id
   principal_id       = module.org_mg_platform_diagnostics_initiative.identity_id
 }
-
-
-##################
-# Tags
-##################
-
-resource random_uuid org_mg_add_replace_resource_group_tag_key_modify {}
-
-resource azurerm_role_definition org_mg_add_replace_resource_group_tag_key_modify {
-  name               = "policy_remediates_add_replace_resource_group_tags"
-  role_definition_id = random_uuid.org_mg_add_replace_resource_group_tag_key_modify.result
-  scope              = azurerm_management_group.org.id
-  description        = "Enables the managed identity created by policy assignment permissions to remediate non resource group tags"
-  permissions {
-    actions = [
-      "Microsoft.Authorization/*/read",
-      "Microsoft.Automation/automationAccounts/*",
-      "Microsoft.Resources/deployments/*",
-      "Microsoft.Resources/subscriptions/resourceGroups/read",
-      "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
-      "Microsoft.Resources/tags/read",
-      "Microsoft.Resources/tags/write",
-      "Microsoft.Support/*"
-    ]
-  }
-  assignable_scopes = [
-    azurerm_management_group.org.id
-  ]
-}

examples/assignments_team_a.tf

@@ -40,7 +40,7 @@ module customer_mg_add_replace_resource_group_tag_key_modify {
 resource azurerm_role_assignment customer_mg_add_replace_resource_group_tag_key_modify {
   count              = var.skip_remediation ? 0 : 1
   scope              = azurerm_management_group.team_a.id
-  role_definition_id = azurerm_role_definition.org_mg_add_replace_resource_group_tag_key_modify.role_definition_resource_id
+  role_definition_id = data.azurerm_role_definition.tag_contributor.id
   principal_id       = module.customer_mg_add_replace_resource_group_tag_key_modify.identity_id
 }
 

examples/backend.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.13"
+  required_version = "<= 0.13.6"
 
   required_providers {
     azurerm = {

examples/data.tf

@@ -8,7 +8,11 @@ locals {
   }
 }
 
-# Security Admin Built-In Role Definition
-data azurerm_role_definition security_admin {
-  name = "Security Admin"
+# Built-in Roles
+data "azurerm_role_definition" "contributor" {
+  name = "Contributor"
 }
+
+data "azurerm_role_definition" "tag_contributor" {
+  name = "Tag Contributor"
+}

modules/cis_benchmark/README.md

@@ -16,6 +16,8 @@ We do not want to assign the set defined by Azure as it is:
 ## Built-In Reference
 
 Modified from: [Built-In: CISv1_1_0_audit](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/CISv1_1_0_audit.json)
+
+
 ## Requirements
 
 No requirements.
@@ -24,26 +26,36 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| azurerm | n/a |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_policy_set_definition.cis_benchmark](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_set_definition) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| audit\_log\_analytics\_workspace\_retention\_id | The audit\_log\_analytics\_workspace\_retention custom policy Id to replace CISv110x5x1x2 | `any` | n/a | yes |
-| benchmark\_version | Usually the git tag version for this benchmark | `string` | `"1.0.0"` | no |
-| description | Benchmark description | `string` | n/a | yes |
-| display\_name | Benchmark display name | `string` | n/a | yes |
-| management\_group\_name | The scope at which the benchmark will be defined. Currently this must be the group\_id of a management group. Changing this forces a new resource to be created | `string` | n/a | yes |
-| name | Benchmark name. Changing this forces a new resource to be created | `string` | n/a | yes |
+| <a name="input_audit_log_analytics_workspace_retention_id"></a> [audit\_log\_analytics\_workspace\_retention\_id](#input\_audit\_log\_analytics\_workspace\_retention\_id) | The audit\_log\_analytics\_workspace\_retention custom policy Id to replace CISv110x5x1x2 | `any` | n/a | yes |
+| <a name="input_benchmark_version"></a> [benchmark\_version](#input\_benchmark\_version) | Usually the git tag version for this benchmark | `string` | `"1.0.0"` | no |
+| <a name="input_description"></a> [description](#input\_description) | Benchmark description | `string` | n/a | yes |
+| <a name="input_display_name"></a> [display\_name](#input\_display\_name) | Benchmark display name | `string` | n/a | yes |
+| <a name="input_management_group_name"></a> [management\_group\_name](#input\_management\_group\_name) | The scope at which the benchmark will be defined. Currently this must be the group\_id of a management group. Changing this forces a new resource to be created | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | Benchmark name. Changing this forces a new resource to be created | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| id | The Id of the Benchmark Definition |
-| initiative | The complete CIS Benchmark Initiative resource node |
-| metadata | The metadata of the Benchmark Definition |
-| name | The name of the Benchmark Definition |
-| parameters | The combined parameters of the Benchmark Definition |
-
+| <a name="output_id"></a> [id](#output\_id) | The Id of the Benchmark Definition |
+| <a name="output_initiative"></a> [initiative](#output\_initiative) | The complete CIS Benchmark Initiative resource node |
+| <a name="output_metadata"></a> [metadata](#output\_metadata) | The metadata of the Benchmark Definition |
+| <a name="output_name"></a> [name](#output\_name) | The name of the Benchmark Definition |
+| <a name="output_parameters"></a> [parameters](#output\_parameters) | The combined parameters of the Benchmark Definition |

modules/cis_benchmark/data.tf

@@ -0,0 +1 @@
+data azurerm_client_config current {}