terraform-azurerm-caf-enterprise-scale
feat: add policy exemption to overwrites
Overview/Summary
Add policy exemptions to the CAF using the `archetype_config_overrides`, as discussed in #277. It is possible to exempt a scope (either a subscription, a resource group or an individual resource) from a policy/initiative, or from one policy within an initiative. The exemption must be defined at the scope the policy is assigned.
```hcl
locals {
  archetype_config_overrides = {
    escorp = {
      # exempt a resource from a policy/initiative completely
      policy_exemption = {
        Deploy-MDFC-Config = [
          "/subscriptions/00000000-0000-0000-0000-000000000000",                                                                                     # to exempt a complete subscription
          "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Default-ActivityLogAlerts",                                            # to exempt a resource group
          "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-stephi",                                                          # to exempt a resource group
          "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-stephi/providers/Microsoft.Network/virtualNetworks/aks-network", # to exempt a specific resource
        ]
        Deploy-VM-Monitoring = [
          "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-stephi", # to exempt a resource group
        ]
      }
      # to exempt from specific policies within an initiative
      initiative_exemption = {
        Deploy-VMSS-Monitoring = { # initiative name
          LogAnalyticsExtension_Linux_VMSS_Deploy = [ # policy name
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-stephi",               # to exempt a resource group
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Default-ActivityLogAlerts", # to exempt a resource group
          ]
          DependencyAgentExtension_Windows_VMSS_Deploy = [
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-stephi", # to exempt a resource group
          ]
        }
      }
    }
  }
}
```
For every entry in the configuration above, one exemption is created.
There are several limitations to discuss:
- Policy exemptions have a couple of parameters. It is possible to set them to "mitigated" or "waiver", the exemption can be temporary, and a description can be added. I did not want to make the overwrite config too complex, so I always set it to mitigated, with no expiration date and no description. I set the names for the exemptions to "caf-mitigated-{ID}-{assignmentName}".
- It is possible to write resourceSelectors to identify the resources which should be exempted. Those are more flexible than what is currently possible in the overwrite config where every subscription/resourcegroup/resource needs to be defined.
- In the portal, it is possible to create one exemption with multiple resources. This could be particularly interesting for the initiatives, e.g. by grouping all exemptions from one policy within the initiative in one exemption. I am not sure if this would make it easier to understand or not.
- The naming in the `archetype_config_overrides` is confusing, as the `policy_exemption` parameter actually works for both policies and initiatives (it makes a complete exemption), while the `initiative_exemption` parameter gives the possibility to select policies within the initiative to exempt from.
- I am happy to write a documentation page again.
Breaking Changes
No breaking changes, as this is an optional configuration.
Testing Evidence
The exemptions are visible in the portal as expected.
As part of this Pull Request I have
- [x] Checked for duplicate Pull Requests
- [x] Associated it with relevant issues, for tracking and closure.
- [x] Ensured my code/branch is up-to-date with the latest changes in the `main` branch
- [x] Performed testing and provided evidence.
- [ ] Updated relevant and associated documentation.
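The following is an added worked example, not code from this PR or from the terraform-azurerm-caf-enterprise-scale module. It models the override structure shown above in Python: it validates each scope id (subscription, resource group or resource), flattens the config into the one-exemption-per-entry list the PR describes with the hardcoded "Mitigated" category, no expiry and no description, and also shows the alternative layout discussed in the limitations, where all policy reference ids for one initiative on one scope are merged into a single exemption. The `{ID}` part of the exemption name is assumed here to be a per-assignment counter; the PR does not say how it is derived, and how the module maps these records to provider resources is not shown on the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Optional

# Constructed override config mirroring the PR's example (subscription id is a placeholder).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ARCHETYPE_CONFIG_OVERRIDES = {
    "escorp": {
        "policy_exemption": {
            "Deploy-MDFC-Config": [
                SUB,
                f"{SUB}/resourceGroups/Default-ActivityLogAlerts",
                f"{SUB}/resourceGroups/demo-stephi/providers/Microsoft.Network/virtualNetworks/aks-network",
            ],
            "Deploy-VM-Monitoring": [f"{SUB}/resourceGroups/demo-stephi"],
        },
        "initiative_exemption": {
            "Deploy-VMSS-Monitoring": {
                "LogAnalyticsExtension_Linux_VMSS_Deploy": [
                    f"{SUB}/resourceGroups/demo-stephi",
                    f"{SUB}/resourceGroups/Default-ActivityLogAlerts",
                ],
                "DependencyAgentExtension_Windows_VMSS_Deploy": [f"{SUB}/resourceGroups/demo-stephi"],
            }
        },
    }
}

# Scope ids the override accepts: a subscription, a resource group, or a resource inside one.
SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-fA-F-]{36})"
    r"(?:/resourceGroups/(?P<rg>[^/]+)"
    r"(?:/providers/(?P<res>[^/]+/[^/]+/[^/]+(?:/.+)?))?)?$"
)


@dataclass(frozen=True)
class Exemption:
    name: str
    archetype: str
    assignment: str                                # policy or initiative assignment name
    scope: str
    scope_type: str                                # "subscription" | "resourceGroup" | "resource"
    policy_definition_reference_ids: tuple = ()    # empty tuple = whole assignment exempted
    exemption_category: str = "Mitigated"          # the PR hardcodes Mitigated
    expires_on: Optional[str] = None               # the PR sets no expiry
    description: str = ""                          # the PR sets no description


def classify_scope(scope: str) -> str:
    """Return the scope type of a scope id; raise ValueError for anything else (e.g. a management group)."""
    m = SCOPE_RE.match(scope)
    if not m:
        raise ValueError(f"unsupported exemption scope: {scope!r}")
    if m.group("res"):
        return "resource"
    if m.group("rg"):
        return "resourceGroup"
    return "subscription"


def flatten_exemptions(overrides: dict) -> list:
    """One exemption per listed scope, as the PR describes. Names follow
    caf-mitigated-{ID}-{assignmentName}; ID is assumed to be a per-assignment counter."""
    result = []
    for archetype, cfg in overrides.items():
        counters = defaultdict(int)

        def emit(assignment, scope, ref_ids=()):
            idx = counters[assignment]
            counters[assignment] += 1
            result.append(Exemption(
                name=f"caf-mitigated-{idx}-{assignment}",
                archetype=archetype, assignment=assignment, scope=scope,
                scope_type=classify_scope(scope),
                policy_definition_reference_ids=tuple(ref_ids)))

        for assignment, scopes in cfg.get("policy_exemption", {}).items():
            for scope in scopes:
                emit(assignment, scope)
        for assignment, policies in cfg.get("initiative_exemption", {}).items():
            for policy_ref, scopes in policies.items():
                for scope in scopes:
                    emit(assignment, scope, (policy_ref,))
    return result


def merge_initiative_exemptions(exemptions: list) -> list:
    """Alternative layout discussed in the PR: one exemption per (assignment, scope) that
    carries every exempted policy reference id. Whole-assignment exemptions pass through."""
    merged, order = {}, []
    for ex in exemptions:
        key = (ex.archetype, ex.assignment, ex.scope, bool(ex.policy_definition_reference_ids))
        if key not in merged:
            merged[key] = ex
            order.append(key)
        else:
            prev = merged[key]
            merged[key] = replace(prev, policy_definition_reference_ids=(
                prev.policy_definition_reference_ids + ex.policy_definition_reference_ids))
    return [merged[k] for k in order]


if __name__ == "__main__":
    for ex in flatten_exemptions(ARCHETYPE_CONFIG_OVERRIDES):
        print(ex.name, ex.scope_type, ex.policy_definition_reference_ids or "(whole assignment)")
```

Running the module prints seven exemptions for the sample config (four whole-assignment ones and three scoped to a single policy inside `Deploy-VMSS-Monitoring`); the merged layout collapses the two `demo-stephi` entries of that initiative into one record with both reference ids, which is the grouping the limitations section weighs up.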