Various fixes (#657)
Co-authored-by: Anthony Watherston <[email protected]>
anwather and Anthony Watherston authored Jun 6, 2024
1 parent 5bb617c commit 7867c8c
Showing 8 changed files with 298 additions and 159 deletions.
35 changes: 29 additions & 6 deletions Docs/operational-scripts-documenting-policy.md
@@ -136,22 +136,45 @@ Each file must contain one or both documentation topics. This example file in th

Markdown processors vary slightly. This shipt has settings to tune the output to match the Markdown processor you are using.

Azure DevOps Wikis (and maybe others) recognize `[[_TOC_]]` to insert a table of contents. Setting to `addMarkdownAdoWikiToc` to true enables generating the table of content.
### Azure DevOps Wiki Markdown

- Some Markdown processors (including Azure DevOps Wikis) recognize `[[_TOC_]]` to insert a table of contents. Setting to `markdownAddToc` to `true` enables generating the table of content.
- Azure DevOps Wikis do not need a heading (title) at level 1. It needs the subheadings at level 1 instead. Setting `markdownAdoWiki` to true enables formatting the headings for Azure DevOps Wiki and generating the table of content (implicitly sets `markdownAddToc` to `true`).

```jsonc
"markdownAddToc": true, // default is false, set to true to add a table of contents
```

```jsonc
"markdownAdoWiki": true, // default is false, set to true to format headings for Azure DevOps Wiki and generate a table of contents
```

### Embedded HTML in Markdown Tables

EPAC uses embedded HTML to format Markdown tables. Some Markdown processors, such as SharePoint, do not recognize embedded HTML. Setting `markdownNoEmbeddedHtml` to `true` emits commas `, ` instead of the HTML tag `<br/>`.

```jsonc
"markdownNoEmbeddedHtml": true, // default is false, set to true to remove embedded HTML in Markdown tables
```

### Improve Markdown Readability

Policy definition group names are not included in Markdown to reduce clutter. You can include a column by setting `markdownIncludeComplianceGroupNames` to `true`,

```jsonc
"addMarkdownAdoWikiToc": true, // default is false, set to true to add markdown ADO Wiki TOC
"markdownIncludeComplianceGroupNames": true, // default is false, set to true to include compliance group names
```

SharePoint (and maybe others) do not recognize embedded HTML, such as line braeks (`<br/>`) within a Markdown table. Setting `noMarkdownInTableLineBreaks` to true emits commas instead of the HTML tag.
In some markdown processors very long parameter name break the display. You can set `markdownSuppressParameterSection` to true to completely suppress the parameter section in the Markdown output.

```jsonc
"noMarkdownInTableLineBreaks": true, // default is false, set to true to remove markdown in table line breaks
"markdownSuppressParameterSection": true, // default is false, set to true to suppress the parameter section in the Markdown output
```

Policy definition group names are not included in Markdown to reduce clutter. You can include a column by setting `includeComplianceGroupNamesInMarkdown` to true,
Alternatively, you can set `markdownMaxParameterLength` to a maximum length. EPAC will truncate the name at that length and append an ellipsis. The default is 40 characters. The minimum is 16 characters.

```jsonc
"includeComplianceGroupNamesInMarkdown": true, // default is false, set to true to include compliance group names
"markdownMaxParameterLength": 42, // default is 42
```

## Assignment Documentation
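Review bot: The prose for `markdownMaxParameterLength` says the default is 40 characters while the jsonc comment two lines later says `// default is 42`; make them agree, and since the text promises a minimum of 16, say what happens to a smaller value (clamped or rejected). Smaller wording fixes in the same hunk: `Setting to \`markdownAddToc\`` should read `Setting \`markdownAddToc\``, `very long parameter name break the display` should be `names break`, and the sentences ending in `to \`true\`,` need a full stop rather than a comma. The unchanged context line above still says `shipt` for `script`; worth fixing while here.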
6 changes: 6 additions & 0 deletions Docs/policy-exemptions.md
@@ -361,3 +361,9 @@ Legacy column `policyAssignmentId` is still supported for backward compatibility
- Column `policyDefinitionReferenceIds` must be an ampersand separated list containing any of the following:
- Empty to exempt all Policies in the Policy Set
- One of the [options as detailed above](#specifying-policydefinitionreferenceids)

## Moving from Excluded Scopes to Exemptions

If you are moving from using excluded scopes to the use of exemptions the by default EPAC will not deploy new exemptions that are part of an assignment excluded scopes. As well as this - EPAC will delete any exemption if finds that is deployed to an excluded scope.

You can override this behavior by using the switch ```-SkipNotScopedExemptions``` when you call ```Build-DeploymentPlans```.
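Review bot: `the by default EPAC will not deploy` and `any exemption if finds` need fixing (`then by default`, `it finds`). More importantly, the name `-SkipNotScopedExemptions` reads as if it skips exemptions that fall outside scope, while the text says it makes EPAC deploy and keep them; state plainly that the switch disables both the skip and the delete, and tell the reader what an exemption sitting inside an assignment's excluded scope is expected to do once deployed, otherwise this migration aid reads like a way to exempt resources the assignment does not evaluate at all.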
33 changes: 30 additions & 3 deletions Schemas/policy-documentation-schema.json
@@ -80,14 +80,23 @@
"title": {
"type": "string"
},
"addMarkdownAdoWikiToc": {
"markdownAddToc": {
"type": "boolean"
},
"noMarkdownInTableLineBreaks": {
"markdownAdoWiki": {
"type": "boolean"
},
"includeComplianceGroupNamesInMarkdown": {
"markdownNoEmbeddedHtml": {
"type": "boolean"
},
"markdownIncludeComplianceGroupNames": {
"type": "boolean"
},
"markdownSuppressParameterSection": {
"type": "boolean"
},
"markdownMaxParameterLength": {
"type": "integer"
}
},
"required": [
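Review bot: `markdownMaxParameterLength` is declared only as `"type": "integer"`, but the documentation in this same commit says the minimum is 16; add `"minimum": 16` so the schema rejects what the script would otherwise have to clamp. Also the old keys `addMarkdownAdoWikiToc`, `noMarkdownInTableLineBreaks` and `includeComplianceGroupNamesInMarkdown` are removed rather than kept as deprecated aliases, so an existing documentation spec still using them will either fail validation or, if unknown properties are tolerated, silently lose those settings; call the rename out in release notes or accept both spellings for one release.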
@@ -149,6 +158,24 @@
"type": "string"
}
]
},
"markdownAddToc": {
"type": "boolean"
},
"markdownAdoWiki": {
"type": "boolean"
},
"markdownNoEmbeddedHtml": {
"type": "boolean"
},
"markdownIncludeComplianceGroupNames": {
"type": "boolean"
},
"markdownSuppressParameterSection": {
"type": "boolean"
},
"markdownMaxParameterLength": {
"type": "integer"
}
},
"required": [
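Review bot: This block is a verbatim copy of the six properties added in the hunk above; move them to a shared entry under `definitions` and reference it with `$ref` from both objects so the two lists cannot drift, and apply the same `"minimum": 16` to `markdownMaxParameterLength` here.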
42 changes: 30 additions & 12 deletions Scripts/Deploy/Build-DeploymentPlans.ps1
@@ -53,7 +53,9 @@ param (

[Parameter(HelpMessage = "If set, outputs variables consumable by conditions in a DevOps pipeline.")]
[ValidateSet("ado", "gitlab", "")]
[string] $DevOpsType = ""
[string] $DevOpsType = "",

[switch]$SkipNotScopedExemptions
)

$PSDefaultParameterValues = @{
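Review bot: Every other parameter in this block carries a `[Parameter(HelpMessage = ...)]` attribute; `[switch]$SkipNotScopedExemptions` has none, so `Get-Help` will not explain a switch that changes what gets deployed into excluded scopes. Add one (for example `HelpMessage = "If set, exemptions whose scope lies in an assignment's notScopes are deployed and retained instead of skipped and deleted."`) and match the spacing of `[string] $DevOpsType`.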
@@ -332,17 +334,33 @@ if ($buildSelections.buildAny) {

if ($buildSelections.buildPolicyExemptions) {
# Process Exemption JSON files
Build-ExemptionsPlan `
-ExemptionsRootFolder $policyExemptionsFolderForPacEnvironment `
-ExemptionsAreNotManagedMessage $exemptionsAreNotManagedMessage `
-PacEnvironment $pacEnvironment `
-ScopeTable $scopeTable `
-AllDefinitions $allDefinitions `
-AllAssignments $allAssignments `
-CombinedPolicyDetails $combinedPolicyDetails `
-Assignments $assignments `
-DeployedExemptions $deployedPolicyResources.policyExemptions `
-Exemptions $exemptions
if ($SkipNotScopedExemptions) {
Build-ExemptionsPlan `
-ExemptionsRootFolder $policyExemptionsFolderForPacEnvironment `
-ExemptionsAreNotManagedMessage $exemptionsAreNotManagedMessage `
-PacEnvironment $pacEnvironment `
-ScopeTable $scopeTable `
-AllDefinitions $allDefinitions `
-AllAssignments $allAssignments `
-CombinedPolicyDetails $combinedPolicyDetails `
-Assignments $assignments `
-DeployedExemptions $deployedPolicyResources.policyExemptions `
-Exemptions $exemptions `
-SkipNotScopedExemptions
}
else {
Build-ExemptionsPlan `
-ExemptionsRootFolder $policyExemptionsFolderForPacEnvironment `
-ExemptionsAreNotManagedMessage $exemptionsAreNotManagedMessage `
-PacEnvironment $pacEnvironment `
-ScopeTable $scopeTable `
-AllDefinitions $allDefinitions `
-AllAssignments $allAssignments `
-CombinedPolicyDetails $combinedPolicyDetails `
-Assignments $assignments `
-DeployedExemptions $deployedPolicyResources.policyExemptions `
-Exemptions $exemptions
}
}

Write-Information "==================================================================================================="
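Review bot: The `if`/`else` duplicates an eleven-argument call that differs by a single switch. PowerShell lets a switch be forwarded with its current value, so one call ending in `-SkipNotScopedExemptions:$SkipNotScopedExemptions` (or splatting a hashtable and adding the key conditionally) removes the duplicate and the risk of the two branches drifting apart the next time an argument is added.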
13 changes: 10 additions & 3 deletions Scripts/Helpers/Build-AssignmentDefinitionNode.ps1
@@ -344,11 +344,18 @@ function Build-AssignmentDefinitionNode {
$thisScopeGlobalNotScopeList = $thisScopeDetails.notScopesList
$thisScopeGlobalNotScopeTable = $thisScopeDetails.notScopesTable
foreach ($notScope in $definition.notScopesList) {
if (-not $thisScopeGlobalNotScopeTable.ContainsKey($notScope)) {
if ($thisScopeChildren.ContainsKey($notScope)) {
$individualResource = $false
$notScopeTrimmed = $notScope
$splits = $notScope -split "/"
if ($splits.Count -gt 5) {
$individualResource = $true
$notScopeTrimmed = $splits[0..4] -join "/"
}
if (-not $thisScopeGlobalNotScopeTable.ContainsKey($notScopeTrimmed)) {
if ($thisScopeChildren.ContainsKey($notScopeTrimmed)) {
$null = $thisNotScopeList.Add($notScope)
}
elseif ($notScope.Contains("*")) {
elseif (!$individualResource -and $notScope.Contains("*")) {
foreach ($scopeChildId in $thisScopeChildren.Keys) {
if ($scopeChildId -like $notScope) {
$null = $thisNotScopeList.Add($scopeChildId)
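Review bot: `$splits.Count -gt 5` and `$splits[0..4]` encode the fact that splitting `/subscriptions/{sub}/resourceGroups/{rg}` on `/` yields five elements (a leading empty one plus four); put that in a comment or a named constant, and note that a notScope written with a trailing slash also crosses the threshold and gets trimmed as if it were a resource. When `$notScopeTrimmed` matches neither a child nor a global notScope (for instance because the resource lives directly in the scope being processed rather than in a child scope) the resource-level notScope is dropped without any message; a warning there would surface a typo in a `notScopes` entry instead of silently leaving that resource inside the assignment.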
14 changes: 11 additions & 3 deletions Scripts/Helpers/Build-ExemptionsPlan.ps1
@@ -10,7 +10,8 @@ function Build-ExemptionsPlan {
$CombinedPolicyDetails,
$Assignments,
$DeployedExemptions,
$Exemptions
$Exemptions,
[switch]$SkipNotScopedExemptions
)

Write-Information "==================================================================================================="
@@ -618,8 +619,15 @@ function Build-ExemptionsPlan {
if ($includeAssignment) {
foreach ($notScope in $calculatedPolicyAssignment.notScopes) {
if ($trimmedScope -eq $notScope -or $parentTable.ContainsKey($notScope)) {
$includeAssignment = $false
break
if ($SkipNotScopedExemptions) {
$includeAssignment = $true
break
}
else {
$includeAssignment = $false
break
}

}
}
if ($includeAssignment) {
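Review bot: Inside `if ($includeAssignment)` the variable is already `$true`, so the new branch `$includeAssignment = $true; break` changes nothing except leaving the loop early; the intent reads more clearly as `if (-not $SkipNotScopedExemptions) { foreach ... }` around the original body, which also removes the stray blank line before the closing brace. Since the switch causes an exemption to be planned for a scope the assignment explicitly excludes, emit a `Write-Warning` at that point naming the exemption and the notScope, so the plan output shows which exemptions survive only because of the override.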