Fixes #10 - better command line options for generate-terraform command
kmcquade committed Mar 12, 2021
1 parent 6790bee commit 313a5bb
Showing 2 changed files with 56 additions and 33 deletions.
65 changes: 44 additions & 21 deletions azure_guardrails/command/generate_terraform.py
Expand Up @@ -44,7 +44,7 @@
default=False,
help="Deny bad actions instead of auditing them.",
)
@optgroup.group("Config Section", help="")
@optgroup.group("Configuration", help="")
@optgroup.option(
"--config-file",
"-c",
Expand All @@ -53,17 +53,39 @@
required=False,
help="The config file",
)
@optgroup.group("Parameter Options", help="")
@optgroup.group(
"Parameter Options",
cls=RequiredMutuallyExclusiveOptionGroup,
help="",
)
@optgroup.option(
"--parameter-options",
"-o",
type=click.Choice(["defaults", "empty"], case_sensitive=True),
multiple=True,
required=False,
default=None,
help="Include Policies with Parameters that have default values (defaults) and/or Policies that have empty defaults that you must fill in (empty).",
# callback=validate.click_validate_supported_azure_service, # TODO: Write this validation
"--no-params",
is_flag=True,
default=False,
help="Only generate policies that do NOT require parameters",
)
@optgroup.option(
"--params-optional",
is_flag=True,
default=False,
help="Only generate policies where parameters are OPTIONAL",
)
@optgroup.option(
"--params-required",
is_flag=True,
default=False,
help="Only generate policies where parameters are REQUIRED",
)
# @optgroup.option(
# "--parameter-options",
# "-o",
# type=click.Choice(["defaults", "empty"], case_sensitive=True),
# multiple=True,
# required=False,
# default=None,
# help="Include Policies with Parameters that have default values (defaults) and/or Policies that have empty defaults that you must fill in (empty).",
# # callback=validate.click_validate_supported_azure_service, # TODO: Write this validation
# )
# Mutually exclusive option groups
# https://github.com/click-contrib/click-option-group
# https://stackoverflow.com/questions/37310718/mutually-exclusive-option-groups-in-python-click
Expand Down Expand Up @@ -102,11 +124,13 @@
def generate_terraform(
service: str,
exclude_services: list,
config_file: str,
no_params: bool,
params_optional: bool,
params_required: bool,
subscription: str,
management_group: str,
enforcement_mode: bool,
parameter_options: list,
config_file: str,
no_summary: bool,
verbosity: int
):
Expand All @@ -115,9 +139,6 @@ def generate_terraform(
"""
set_log_level(verbosity)

# TODO: Remove initiative
initiative = "example"

if not config_file:
logger.info(
"You did not supply an config file. Consider creating one to exclude different policies. We will use the default one.")
Expand All @@ -143,12 +164,14 @@ def generate_terraform(
# else:
with_parameters = False
include_empty_defaults = False
parameter_options = list(parameter_options)
if parameter_options:
if "defaults" in parameter_options:
with_parameters = True
if "empty" in parameter_options:
include_empty_defaults = True

if no_params:
include_empty_defaults = False
with_parameters = False
elif params_required:
include_empty_defaults = True
elif params_optional:
with_parameters = True

if service == "all":
services = Services(config=config)
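Review bot: The `if no_params:` branch at the bottom of the last hunk only re-assigns the values `with_parameters` and `include_empty_defaults` were already initialised to a few lines earlier, so it is dead code, and the three new flags now drive at most one of the two booleans, whereas the removed `-o defaults -o empty` form could set both. If that narrowing is intended, a comment such as `# Exactly one flag is set (RequiredMutuallyExclusiveOptionGroup); --no-params leaves both False` above the chain would make it explicit; if it is not, `--params-required` probably needs `with_parameters = True` as well. Because exclusivity is delegated to click-option-group, it is worth confirming that flags carrying `default=False` are treated as not-given by the group's check, otherwise `--no-params --params-required` would silently take the first branch instead of being rejected. The old `--parameter-options` block is kept as a commented-out option in the second hunk; since it is superseded, it should be deleted rather than left in place. generate_terraform's body continues past the end of the hunk.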
24 changes: 12 additions & 12 deletions examples/terraform-demo-with-parameters/main.tf
@@ -1,4 +1,4 @@
variable "name" { default = "GrdRlz-example-params" }
variable "name" { default = "example-params" }
variable "subscription_name" { default = "example" }
variable "management_group" { default = "" }
variable "enforcement_mode" { default = false }
Expand Down Expand Up @@ -97,34 +97,34 @@ locals {
"Resource logs in Azure Stream Analytics should be enabled",
]
policy_definition_map = zipmap(
data.azurerm_policy_definition.GrdRlz_example_params_definition_lookups.*.display_name,
data.azurerm_policy_definition.GrdRlz_example_params_definition_lookups.*.id
data.azurerm_policy_definition.example_params_definition_lookups.*.display_name,
data.azurerm_policy_definition.example_params_definition_lookups.*.id
)
}

# ---------------------------------------------------------------------------------------------------------------------
# Conditional data lookups: If the user supplies management group, look up the ID of the management group
# ---------------------------------------------------------------------------------------------------------------------
data "azurerm_management_group" "GrdRlz_example_params" {
data "azurerm_management_group" "example_params" {
count = var.management_group != "" ? 1 : 0
name = var.management_group
}

### If the user supplies subscription, look up the ID of the subscription
data "azurerm_subscriptions" "GrdRlz_example_params" {
data "azurerm_subscriptions" "example_params" {
count = var.subscription_name != "" ? 1 : 0
display_name_contains = var.subscription_name
}

locals {
scope = var.management_group != "" ? data.azurerm_management_group.GrdRlz_example_params[0].id : element(data.azurerm_subscriptions.GrdRlz_example_params[0].subscriptions.*.id, 0)
scope = var.management_group != "" ? data.azurerm_management_group.example_params[0].id : element(data.azurerm_subscriptions.example_params[0].subscriptions.*.id, 0)
}

# ---------------------------------------------------------------------------------------------------------------------
# Azure Policy Definition Lookups
# ---------------------------------------------------------------------------------------------------------------------

data "azurerm_policy_definition" "GrdRlz_example_params_definition_lookups" {
data "azurerm_policy_definition" "example_params_definition_lookups" {
count = length(local.policy_names)
display_name = local.policy_names[count.index]
}
Expand All @@ -133,7 +133,7 @@ data "azurerm_policy_definition" "GrdRlz_example_params_definition_lookups" {
# Azure Policy Initiative Definition
# ---------------------------------------------------------------------------------------------------------------------

resource "azurerm_policy_set_definition" "GrdRlz_example_params_guardrails" {
resource "azurerm_policy_set_definition" "example_params_guardrails" {
name = var.name
policy_type = "Custom"
display_name = var.name
Expand Down Expand Up @@ -577,9 +577,9 @@ PARAMETERS
# Azure Policy Assignments
# Apply the Policy Initiative to the specified scope
# ---------------------------------------------------------------------------------------------------------------------
//resource "azurerm_policy_assignment" "GrdRlz_example_params_guardrails" {
//resource "azurerm_policy_assignment" "example_params_guardrails" {
// name = var.name
// policy_definition_id = azurerm_policy_set_definition.GrdRlz_example_params_guardrails.id
// policy_definition_id = azurerm_policy_set_definition.example_params_guardrails.id
// scope = local.scope
// enforcement_mode = var.enforcement_mode
//}
Expand All @@ -589,7 +589,7 @@ PARAMETERS
# Outputs
# ---------------------------------------------------------------------------------------------------------------------
//output "policy_assignment_ids" {
// value = azurerm_policy_assignment.GrdRlz_example_params_guardrails.*.id
// value = azurerm_policy_assignment.example_params_guardrails.*.id
// description = "The IDs of the Policy Assignments."
//}
//
Expand All @@ -599,7 +599,7 @@ PARAMETERS
//}
//
//output "policy_set_definition_id" {
// value = azurerm_policy_set_definition.GrdRlz_example_params_guardrails.id
// value = azurerm_policy_set_definition.example_params_guardrails.id
// description = "The ID of the Policy Set Definition."
//}

0 comments on commit 313a5bb

Please sign in to comment.