Merge pull request #32 from salesforce/fix/GH-13-terraform-output-names

Fixes issue with Terraform output names (#13)

azure_guardrails/command/generate_terraform.py

@@ -144,13 +144,13 @@ def generate_terraform(
     else:
         subscription = ""
 
-    summary_file_prefix = ""
+    parameter_requirement_str = ""
     if no_params:
-        summary_file_prefix = "no-params"
+        parameter_requirement_str = "no-params"
     elif params_required:
-        summary_file_prefix = "params-required"
+        parameter_requirement_str = "params-required"
     elif params_optional:
-        summary_file_prefix = "params-optional"
+        parameter_requirement_str = "params-optional"
 
     if service == "all":
         services = Services(config=config)
@@ -171,6 +171,7 @@ def generate_terraform(
         )
 
         terraform_template = TerraformTemplateWithParams(
+            parameter_requirement_str=parameter_requirement_str,
             parameters=display_names,
             subscription_name=subscription,
             management_group=management_group,
@@ -193,14 +194,14 @@ def markdown_summary(file_prefix: str) -> str:
                 f.write(markdown_table)
             return markdown_file_name
 
-        summary_file_prefix = f"{summary_file_prefix}-{service}-table"
+        parameter_requirement_str = f"{parameter_requirement_str}-{service}-table"
 
         # Write Markdown summary
-        markdown_file = markdown_summary(file_prefix=summary_file_prefix)
+        markdown_file = markdown_summary(file_prefix=parameter_requirement_str)
 
         if verbosity >= 1:
             utils.print_grey(f"Markdown file written to: {markdown_file}")
 
         # Write CSV summary
-        csv_file = f"{summary_file_prefix}.csv"
+        csv_file = f"{parameter_requirement_str}.csv"
         services.csv_summary(csv_file, verbosity=verbosity, no_params=no_params, params_optional=params_optional, params_required=params_required)

azure_guardrails/terraform/parameters/policy-set-with-parameters.tf

@@ -1,14 +1,9 @@
-variable "name" { default = "{{ t.name }}" }
-variable "subscription_name" { default = "{{ t.subscription_name }}" }
-variable "management_group" { default = "{{ t.management_group }}" }
-variable "enforcement_mode" { default = {{ t.enforcement_mode }} }
-
-variable "category" {
-  type    = string
-  default = "Testing"
-}
-
 locals {
+  name_{{ t.name }} = "{{ t.name }}"
+  subscription_name_{{ t.name }} = "{{ t.subscription_name }}"
+  management_group_{{ t.name }} = "{{ t.management_group }}"
+  category_{{ t.name }} = "{{ t.category }}"
+  enforcement_mode_{{ t.name }} = {{ t.enforcement_mode }}
   policy_names = [{% for service_name, policies_with_params in t.policies_sorted_by_service.items() %}
     # -----------------------------------------------------------------------------------------------------------------
     # {{ service_name }}
@@ -25,18 +20,18 @@ locals {
 # Conditional data lookups: If the user supplies management group, look up the ID of the management group
 # ---------------------------------------------------------------------------------------------------------------------
 data "azurerm_management_group" "{{ t.name }}" {
-  count = var.management_group != "" ? 1 : 0
-  name  = var.management_group
+  count = local.management_group_{{ t.name }} != "" ? 1 : 0
+  display_name  = local.management_group_{{ t.name }}
 }
 
 ### If the user supplies subscription, look up the ID of the subscription
 data "azurerm_subscriptions" "{{ t.name }}" {
-  count                 = var.subscription_name != "" ? 1 : 0
-  display_name_contains = var.subscription_name
+  count                 = local.subscription_name_{{ t.name }} != "" ? 1 : 0
+  display_name_contains = local.subscription_name_{{ t.name }}
 }
 
 locals {
-  scope = var.management_group != "" ? data.azurerm_management_group.{{ t.name }}[0].id : element(data.azurerm_subscriptions.{{ t.name }}[0].subscriptions.*.id, 0)
+  scope = local.management_group_{{ t.name }} != "" ? data.azurerm_management_group.{{ t.name }}[0].id : element(data.azurerm_subscriptions.{{ t.name }}[0].subscriptions.*.id, 0)
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
@@ -52,14 +47,14 @@ data "azurerm_policy_definition" "{{ t.name }}_definition_lookups" {
 # Azure Policy Initiative Definition
 # ---------------------------------------------------------------------------------------------------------------------
 
-resource "azurerm_policy_set_definition" "{{ t.name }}_guardrails" {
-  name                  = var.name
+resource "azurerm_policy_set_definition" "{{ t.name }}" {
+  name                  = local.name_{{ t.name }}
   policy_type           = "Custom"
-  display_name          = var.name
-  description           = var.name
-  management_group_name = var.management_group == "" ? null : var.management_group
+  display_name          = local.name_{{ t.name }}
+  description           = local.name_{{ t.name }}
+  management_group_name = local.management_group_{{ t.name }} == "" ? null : local.management_group_{{ t.name }}
   metadata = tostring(jsonencode({
-    category = var.category
+    category = local.category_{{ t.name }}
   }))
 
   {% for service_name, service_policy_details in t.policy_definition_reference_parameters.items() %}
@@ -82,11 +77,11 @@ PARAMETERS
 # Azure Policy Assignments
 # Apply the Policy Initiative to the specified scope
 # ---------------------------------------------------------------------------------------------------------------------
-resource "azurerm_policy_assignment" "{{ t.name }}_guardrails" {
-  name                 = var.name
-  policy_definition_id = azurerm_policy_set_definition.{{ t.name }}_guardrails.id
+resource "azurerm_policy_assignment" "{{ t.name }}" {
+  name                 = local.name_{{ t.name }}
+  policy_definition_id = azurerm_policy_set_definition.{{ t.name }}.id
   scope                = local.scope
-  enforcement_mode     = var.enforcement_mode
+  enforcement_mode     = local.enforcement_mode_{{ t.name }}
   parameters = jsonencode({
     {{ t.policy_assignment_parameters }}
 })
@@ -96,17 +91,17 @@ resource "azurerm_policy_assignment" "{{ t.name }}_guardrails" {
 # ---------------------------------------------------------------------------------------------------------------------
 # Outputs
 # ---------------------------------------------------------------------------------------------------------------------
-output "policy_assignment_ids" {
-  value       = azurerm_policy_assignment.{{ t.name }}_guardrails.*.id
+output "{{ t.name }}_policy_assignment_ids" {
+  value       = azurerm_policy_assignment.{{ t.name }}.*.id
   description = "The IDs of the Policy Assignments."
 }
 
-output "scope" {
+output "{{ t.name }}_scope" {
   value       = local.scope
   description = "The target scope - either the management group or subscription, depending on which parameters were supplied"
 }
 
-output "policy_set_definition_id" {
-  value       = azurerm_policy_set_definition.{{ t.name }}_guardrails.id
+output "{{ t.name }}_policy_set_definition_id" {
+  value       = azurerm_policy_set_definition.{{ t.name }}.id
   description = "The ID of the Policy Set Definition."
 }

azure_guardrails/terraform/terraform.py

@@ -29,6 +29,7 @@ def __init__(
             self.enforcement_string = "true"
         else:
             self.enforcement_string = "false"
+        self.category = "Testing"
 
     @staticmethod
     def _initiative_name(subscription_name: str, management_group: str) -> str:
@@ -57,6 +58,7 @@ def rendered(self) -> str:
             subscription_name=self.subscription_name,
             management_group=self.management_group,
             enforcement_mode=self.enforcement_string,
+            category=self.category
         )
         template_path = os.path.join(os.path.dirname(__file__), "no-parameters")
         env = Environment(loader=FileSystemLoader(template_path))  # nosec
@@ -136,37 +138,41 @@ class TerraformTemplateWithParams:
     def __init__(
         self,
         parameters: dict,
+        parameter_requirement_str: str,
         subscription_name: str = "",
         management_group: str = "",
         enforcement_mode: bool = False,
     ):
         self.name = self._initiative_name(
-            subscription_name=subscription_name, management_group=management_group
+            subscription_name=subscription_name, management_group=management_group,
+            parameter_requirement_str=parameter_requirement_str
         )
         self.service_parameters = self._parameters(parameters)
         self.subscription_name = subscription_name
         self.management_group = management_group
+        self.category = "Testing"
         if enforcement_mode:
             self.enforcement_string = "true"
         else:
             self.enforcement_string = "false"
 
     @staticmethod
-    def _initiative_name(subscription_name: str, management_group: str) -> str:
+    def _initiative_name(subscription_name: str, management_group: str, parameter_requirement_str: str) -> str:
         if subscription_name == "" and management_group == "":
             raise Exception(
                 "Please supply a value for the subscription name or the management group"
             )
-        # TODO: Differentiate between ParamsRequired and ParamsOptional
         if subscription_name:
             # shorten the name if it is over a certain length to avoid hitting limits
-            if len(subscription_name) > 55:
-                subscription_name = subscription_name[0:54]
-            initiative_name = f"{subscription_name}-params"
+            if len(subscription_name) > 50:
+                subscription_name = subscription_name[0:50]
+            initiative_name = f"{subscription_name}-{parameter_requirement_str}"
         else:
-            if len(management_group) > 55:
-                management_group = management_group[0:54]
-            initiative_name = f"{management_group}-params"
+            if len(management_group) > 50:
+                management_group = management_group[0:50]
+            initiative_name = f"{management_group}-{parameter_requirement_str}"
+        initiative_name = initiative_name.replace("-", "_")
+        initiative_name = initiative_name.lower()
         return initiative_name
 
     @staticmethod
@@ -241,7 +247,8 @@ def rendered(self) -> str:
             initiative_parameters=initiative_parameters,
             policies_sorted_by_service=self.policies_sorted_by_service,
             policy_definition_reference_parameters=self.service_parameters,
-            policy_assignment_parameters=self.policy_assignment_parameters
+            policy_assignment_parameters=self.policy_assignment_parameters,
+            category=self.category
         )
         template_path = os.path.join(os.path.dirname(__file__), "parameters")
         env = Environment(loader=FileSystemLoader(template_path))  # nosec