

azurerm_policy_assignment - added support for enforcement_mode (#…
ccampo authored Jun 16, 2020
1 parent abcd96a commit f1b22dd
Showing 3 changed files with 106 additions and 1 deletion.
18 changes: 17 additions & 1 deletion azurerm/internal/services/policy/policy_assignment_resource.go
Expand Up @@ -113,6 +113,12 @@ func resourceArmPolicyAssignment() *schema.Resource {
DiffSuppressFunc: structure.SuppressJsonDiff,
},

"enforcement_mode": {
Type: schema.TypeBool,
Optional: true,
Default: true,
},

"not_scopes": {
Type: schema.TypeList,
Optional: true,
Expand All @@ -129,7 +135,7 @@ func resourceArmPolicyAssignmentCreateUpdate(d *schema.ResourceData, meta interf

name := d.Get("name").(string)
scope := d.Get("scope").(string)

enforcementMode := convertEnforcementMode(d.Get("enforcement_mode").(bool))
policyDefinitionId := d.Get("policy_definition_id").(string)
displayName := d.Get("display_name").(string)

Expand All @@ -151,6 +157,7 @@ func resourceArmPolicyAssignmentCreateUpdate(d *schema.ResourceData, meta interf
PolicyDefinitionID: utils.String(policyDefinitionId),
DisplayName: utils.String(displayName),
Scope: utils.String(scope),
EnforcementMode: enforcementMode,
},
}

Expand Down Expand Up @@ -251,6 +258,7 @@ func resourceArmPolicyAssignmentRead(d *schema.ResourceData, meta interface{}) e
d.Set("policy_definition_id", props.PolicyDefinitionID)
d.Set("description", props.Description)
d.Set("display_name", props.DisplayName)
d.Set("enforcement_mode", props.EnforcementMode == policy.Default)

if params := props.Parameters; params != nil {
json, err := flattenParameterValuesValueToString(params)
Expand Down Expand Up @@ -339,3 +347,11 @@ func expandAzureRmPolicyNotScopes(d *schema.ResourceData) *[]string {

return &notScopesRes
}

func convertEnforcementMode(mode bool) policy.EnforcementMode {
if mode {
return policy.Default
} else {
return policy.DoNotEnforce
}
}
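Review bot: In resourceArmPolicyAssignmentRead the new line `d.Set("enforcement_mode", props.EnforcementMode == policy.Default)` maps every value other than `Default` to `false`, so an assignment whose API response carried an empty EnforcementMode would be reported as not enforced and would then diff against the schema default of `true` on every plan; whether the service can return an empty value here is not visible in this commit and is worth confirming before relying on the comparison. A mapping that only reports `false` for an explicit opt-out is `d.Set("enforcement_mode", props.EnforcementMode != policy.DoNotEnforce)`. Separately, `convertEnforcementMode` at the end of the file closes its `if` with a return, so the `else` branch is redundant; drop it and `return policy.DoNotEnforce` unconditionally after the `if`, which is the form `golint` asks for. Both enclosing functions, `resourceArmPolicyAssignmentCreateUpdate` and `resourceArmPolicyAssignmentRead`, start and end outside the hunks shown.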
Expand Up @@ -138,6 +138,24 @@ func TestAccAzureRMPolicyAssignment_not_scopes(t *testing.T) {
})
}

func TestAccAzureRMPolicyAssignment_enforcement_mode(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_policy_assignment", "test")
resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { acceptance.PreCheck(t) },
Providers: acceptance.SupportedProviders,
CheckDestroy: testCheckAzureRMPolicyAssignmentDestroy,
Steps: []resource.TestStep{
{
Config: testAzureRMPolicyAssignment_enforcement_mode(data),
Check: resource.ComposeTestCheckFunc(
testCheckAzureRMPolicyAssignmentExists(data.ResourceName),
),
},
data.ImportStep(),
},
})
}

func testCheckAzureRMPolicyAssignmentExists(resourceName string) resource.TestCheckFunc {
return func(s *terraform.State) error {
client := acceptance.AzureProvider.Meta().(*clients.Client).Policy.AssignmentsClient
Expand Down Expand Up @@ -516,3 +534,73 @@ PARAMETERS
}
`, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.Locations.Primary)
}

func testAzureRMPolicyAssignment_enforcement_mode(data acceptance.TestData) string {
return fmt.Sprintf(`
provider "azurerm" {
features {}
}
data "azurerm_subscription" "current" {
}
resource "azurerm_policy_definition" "test" {
name = "acctestpol-%d"
policy_type = "Custom"
mode = "All"
display_name = "acctestpol-%d"
policy_rule = <<POLICY_RULE
{
"if": {
"not": {
"field": "location",
"in": "[parameters('allowedLocations')]"
}
},
"then": {
"effect": "audit"
}
}
POLICY_RULE
parameters = <<PARAMETERS
{
"allowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations",
"strongType": "location"
}
}
}
PARAMETERS
}
resource "azurerm_resource_group" "test" {
name = "acctestRG-%d"
location = "%s"
}
resource "azurerm_policy_assignment" "test" {
name = "acctestpa-%d"
scope = data.azurerm_subscription.current.id
policy_definition_id = azurerm_policy_definition.test.id
description = "Policy Assignment created via an Acceptance Test"
enforcement_mode = false
display_name = "Acceptance Test Run %d"
parameters = <<PARAMETERS
{
"allowedLocations": {
"value": [ "%s" ]
}
}
PARAMETERS
}
`, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.Locations.Primary)
}
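Review bot: The new acceptance test `TestAccAzureRMPolicyAssignment_enforcement_mode` asserts only that the assignment exists, so a regression in the read-side mapping of `enforcement_mode` would go unnoticed even though the config sets `enforcement_mode = false`; add `resource.TestCheckResourceAttr(data.ResourceName, "enforcement_mode", "false"),` after the exists check inside `ComposeTestCheckFunc`. Since the attribute defaults to `true`, a second step that omits the argument and checks `"true"` would also cover the default path, which no test in this commit exercises. The config helper `testAzureRMPolicyAssignment_enforcement_mode` repeats the full policy-definition and resource-group boilerplate of the existing configs; if the file already has a shared template, reusing it would keep this config in step with future changes, though that is a style preference.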
1 change: 1 addition & 0 deletions website/docs/r/policy_assignment.html.markdown
Expand Up @@ -96,6 +96,7 @@ The following arguments are supported:

* `not_scopes` - (Optional) A list of the Policy Assignment's excluded scopes. The list must contain Resource IDs (such as Subscriptions e.g. `/subscriptions/00000000-0000-0000-000000000000` or Resource Groups e.g.`/subscriptions/00000000-0000-0000-000000000000/resourceGroups/myResourceGroup`).

* `enforcement_mode`- (Optional) Can be set to 'true' or 'false' to control whether the assignment is enforced (true) or not (false). Default is 'true'.
---

An `identity` block supports the following:
