feat: [DTOSS-8469] implement policy remediation

Author: nc-shahidazim

infrastructure/modules/policy/policy-assignments/main.tf

@@ -1,6 +1,6 @@
 # Configure a policy assignment for a specific resource
 resource "azurerm_resource_policy_assignment" "res_assignment" {
-  count = var.resource_id != "" && local.resource_id_type == "resource" ? 1 : 0
+  count = var.resource_id != null && local.resource_id_type == "resource" ? 1 : 0
 
   name                 = var.assignment_name
   resource_id          = var.resource_id
@@ -19,7 +19,7 @@ resource "azurerm_resource_policy_assignment" "res_assignment" {
 
 # Configure a policy assignment for a specific resource group
 resource "azurerm_resource_group_policy_assignment" "rg_assignment" {
-  count = var.resource_id != "" && local.resource_id_type == "resource-group" ? 1 : 0
+  count = var.resource_id != null && local.resource_id_type == "resource-group" ? 1 : 0
 
   name                 = var.assignment_name
   resource_group_id    = var.resource_id
@@ -38,7 +38,7 @@ resource "azurerm_resource_group_policy_assignment" "rg_assignment" {
 
 # Configure a policy assignment for a specific resource group
 resource "azurerm_subscription_policy_assignment" "sub_assignment" {
-  count = var.resource_id != "" && local.resource_id_type == "subscription" ? 1 : 0
+  count = var.resource_id != null && local.resource_id_type == "subscription" ? 1 : 0
 
   name                 = var.assignment_name
   subscription_id      = var.resource_id
@@ -59,7 +59,7 @@ resource "azurerm_role_assignment" "role" {
   count = var.create_remediator_role ? 1 : 0
 
   scope                = var.policy_assignment_scope
-  principal_id         = var.policy_assignment_principal_id
+  principal_id         = var.policy_assignment_principal_id != null ? var.policy_assignment_principal_id : local.principal_id
   role_definition_name = "Resource Policy Contributor"
 
   condition         = <<EOT

infrastructure/modules/policy/policy-assignments/variables.tf

@@ -49,7 +49,6 @@ variable "parameters" {
   description = "Parameters for the policy assignment."
 }
 
-
 variable "policy_assignment_scope" {
   type        = string
   description = "The scope at which this assignment is assigned"
@@ -58,6 +57,7 @@ variable "policy_assignment_scope" {
 variable "policy_assignment_principal_id" {
   type        = string
   description = "The identifier of a specific service principal to use for the policy assignment"
+  default     = null
 }
 
 variable "policy_identities" {
@@ -87,5 +87,3 @@ variable "requires_identity" {
   description = "True if the policy requires a managed identity, false otherwise"
   default     = false
 }
-
-

infrastructure/modules/policy/policy-definition/main.tf

@@ -1,4 +1,4 @@
-resource "azurerm_policy_definition" "item" {
+resource "azurerm_policy_definition" "definition" {
   name         = var.name
   policy_type  = coalesce(var.policy_type, "custom")
   mode         = coalesce(var.mode, "all")
@@ -17,4 +17,3 @@ resource "azurerm_policy_definition" "item" {
 locals {
   requires_identity = contains(["deployIfNotExists", "modify", "append"], var.policy_rule.then.effect)
 }
-

infrastructure/modules/policy/policy-definition/outputs.tf

@@ -1,5 +1,5 @@
 output "policy_definition_id" {
-  value       = azurerm_policy_definition.item.id
+  value       = azurerm_policy_definition.definition.id
   description = "The ID of the created policy definition."
 }
 

infrastructure/modules/policy/policy-definition/variables.tf

@@ -1,4 +1,3 @@
-
 variable "name" {
   type        = string
   description = "Policy definition name."
@@ -52,7 +51,8 @@ variable "policy_rule" {
   type = object({
     if = any
     then = object({
-      effect = string
+      effect  = string
+      details = optional(any)
     })
   })
   validation {
@@ -70,6 +70,7 @@ Azure Policy Rule object. Must follow Microsoft schema:
   },
   "then": {
     "effect": "deny | audit | modify | denyAction | append | auditIfNotExists | deployIfNotExists | disabled"
+    "details": <policy details>
   }
 }
 EOT

infrastructure/modules/policy/policy-remediation/main.tf

@@ -1,2 +1,6 @@
-
-
+resource "azurerm_resource_policy_remediation" "remediation" {
+  name                    = var.remediation_name
+  policy_assignment_id    = var.policy_assignment_id
+  resource_discovery_mode = "ExistingNonCompliant"
+  resource_id             = var.resource_id
+}

infrastructure/modules/policy/policy-remediation/outputs.tf

@@ -1 +1,4 @@
-
+output "policy_remediation_id" {
+  value       = azurerm_resource_policy_remediation.remediation.id
+  description = "The ID of the created policy remediation."
+}

infrastructure/modules/policy/policy-remediation/variables.tf

@@ -1,10 +1,15 @@
+variable "remediation_name" {
+  type        = string
+  description = "The policy remediation name."
+}
 
-variable "policy_assignment_scope" {
+variable "policy_assignment_id" {
   type        = string
-  description = "The scope at which this assignment is assigned"
+  description = "The identifier of a specific policy assignment."
 }
 
-variable "policy_assignment_principal_id" {
+variable "resource_id" {
   type        = string
-  description = "The identifier of a specific service principal to use for the policy assignment"
+  description = "The identifier of a specific resource to apply this policy onto."
+  default     = null
 }

infrastructure/modules/shared-config/output.tf

@@ -93,6 +93,8 @@ locals {
     network-interface                   = upper("${var.env}-${var.location_map[var.location]}-${var.application}")
     network-security-group              = upper("NSG-${var.env}-${var.location_map[var.location]}-${var.application}")
     postgres-sql-server                 = lower("postgres-${var.application}-${var.env}-${var.location_map[var.location]}")
+    policy-definition                   = lower("policy-def-${var.application}-${var.env}-${var.location_map[var.location]}")
+    policy-assignment                   = lower("policy-assign-${var.application}-${var.env}-${var.location_map[var.location]}")
     private-ssh-key                     = lower("ssh-pri-${var.env}${var.location_map[var.location]}${var.application}")
     private-link-scope                  = lower("ampls-${var.env}${var.application}")
     private-link-scope-private-endpoint = lower("ampls-${var.env}${var.location_map[var.location]}${var.application}-private-endpoint")