feat: [DTOSS-8469] implement policy remediation

Author: nc-shahidazim

infrastructure/modules/policy/policy-assignments/variables.tf

@@ -49,7 +49,6 @@ variable "parameters" {
   description = "Parameters for the policy assignment."
 }
 
-
 variable "policy_assignment_scope" {
   type        = string
   description = "The scope at which this assignment is assigned"
@@ -87,5 +86,3 @@ variable "requires_identity" {
   description = "True if the policy requires a managed identity, false otherwise"
   default     = false
 }
-
-

infrastructure/modules/policy/policy-definition/variables.tf

@@ -52,7 +52,8 @@ variable "policy_rule" {
   type = object({
     if = any
     then = object({
-      effect = string
+      effect  = string
+      details = optional(any)
     })
   })
   validation {
@@ -70,6 +71,7 @@ Azure Policy Rule object. Must follow Microsoft schema:
   },
   "then": {
     "effect": "deny | audit | modify | denyAction | append | auditIfNotExists | deployIfNotExists | disabled"
+    "details": <policy details>
   }
 }
 EOT

infrastructure/modules/policy/policy-remediation/main.tf

@@ -1,2 +1,6 @@
-
-
+resource "azurerm_resource_policy_remediation" "remediation" {
+  name                    = var.remediation_name
+  policy_assignment_id    = var.policy_assignment_id
+  resource_discovery_mode = "ExistingNonCompliant"
+  resource_id             = var.resource_id
+}

infrastructure/modules/policy/policy-remediation/outputs.tf

@@ -1 +1,4 @@
-
+output "policy_remediation_id" {
+  value       = azurerm_resource_policy_remediation.remediation.id
+  description = "The ID of the created policy remediation."
+}

infrastructure/modules/policy/policy-remediation/variables.tf

@@ -1,10 +1,15 @@
+variable "remediation_name" {
+  type        = string
+  description = "The policy remediation name."
+}
 
-variable "policy_assignment_scope" {
+variable "policy_assignment_id" {
   type        = string
-  description = "The scope at which this assignment is assigned"
+  description = "The identifier of a specific policy assignment."
 }
 
-variable "policy_assignment_principal_id" {
+variable "resource_id" {
   type        = string
-  description = "The identifier of a specific service principal to use for the policy assignment"
+  description = "The identifier of a specific resource to apply this policy onto."
+  default     = null
 }

infrastructure/modules/shared-config/output.tf

@@ -93,6 +93,8 @@ locals {
     network-interface                   = upper("${var.env}-${var.location_map[var.location]}-${var.application}")
     network-security-group              = upper("NSG-${var.env}-${var.location_map[var.location]}-${var.application}")
     postgres-sql-server                 = lower("postgres-${var.application}-${var.env}-${var.location_map[var.location]}")
+    policy-definition                   = lower("policy-def-${var.application}-${var.env}-${var.location_map[var.location]}")
+    policy-assignment                   = lower("policy-assign-${var.application}-${var.env}-${var.location_map[var.location]}")
     private-ssh-key                     = lower("ssh-pri-${var.env}${var.location_map[var.location]}${var.application}")
     private-link-scope                  = lower("ampls-${var.env}${var.application}")
     private-link-scope-private-endpoint = lower("ampls-${var.env}${var.location_map[var.location]}${var.application}-private-endpoint")