diff --git a/Scripts/Deploy/Build-DeploymentPlans.ps1 b/Scripts/Deploy/Build-DeploymentPlans.ps1 index fcfbdead..342e671a 100644 --- a/Scripts/Deploy/Build-DeploymentPlans.ps1 +++ b/Scripts/Deploy/Build-DeploymentPlans.ps1 @@ -317,6 +317,14 @@ if ($buildSelections.buildAny) { $allAssignments[$id] = $deployedPolicyAssignments.$id } + #region Process Deprecated + $deprecatedHash = @{} + foreach ($key in $combinedPolicyDetails.policies.keys) { + if ($combinedPolicyDetails.policies.$key.isDeprecated) { + $deprecatedHash[$combinedPolicyDetails.policies.$key.name] = $combinedPolicyDetails.policies.$key + } + } + if ($buildSelections.buildPolicyAssignments) { # Process Assignment JSON files Build-AssignmentPlan ` @@ -329,7 +337,8 @@ if ($buildSelections.buildAny) { -AllAssignments $allAssignments ` -ReplaceDefinitions $replaceDefinitions ` -PolicyRoleIds $policyRoleIds ` - -CombinedPolicyDetails $combinedPolicyDetails + -CombinedPolicyDetails $combinedPolicyDetails ` + -DeprecatedHash $deprecatedHash } if ($buildSelections.buildPolicyExemptions) { diff --git a/Scripts/Helpers/Build-AssignmentDefinitionNode.ps1 b/Scripts/Helpers/Build-AssignmentDefinitionNode.ps1 index 874960cd..795b4dd5 100644 --- a/Scripts/Helpers/Build-AssignmentDefinitionNode.ps1 +++ b/Scripts/Helpers/Build-AssignmentDefinitionNode.ps1 @@ -8,7 +8,8 @@ function Build-AssignmentDefinitionNode { [hashtable] $AssignmentDefinition, # Collected values in tree branch [hashtable] $CombinedPolicyDetails, [hashtable] $PolicyRoleIds, - [hashtable] $RoleDefinitions + [hashtable] $RoleDefinitions, + [hashtable] $DeprecatedHash # Returns a list os completed assignmentValues ) 
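Review bot: The new lookup is keyed by `.name` even though the loop walks the keys of `$combinedPolicyDetails.policies`, and the added `#region Process Deprecated` is never closed in the added lines. If two definitions can share a name (for example a custom definition at another scope), the later entry overwrites the earlier one, and a non-deprecated policy whose name collides with a deprecated one would match `ContainsKey` downstream and have its effect forced to `Disabled`. Add `#endregion Process Deprecated` after the loop and a comment such as `# keyed by policy name; assumes names are unique across all policy definitions`. The hash is also built when assignments are not selected, so the loop could move inside `if ($buildSelections.buildPolicyAssignments)`.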
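Review bot: `$DeprecatedHash` is added as an optional parameter, but the later hunks in this file call `$DeprecatedHash.ContainsKey(...)` unconditionally (the effect-parameter check and the CSV loop), so a caller that omits it fails with a null-method error in the middle of plan building. Because this table decides which assignments get their effect forced to `Disabled`, failing early is safer than defaulting to an empty table: `[Parameter(Mandatory = $true)] [hashtable] $DeprecatedHash`, or a `$null` check with `throw` at the top of the function if the param block should stay attribute-free. The same applies to the new parameter in Build-AssignmentPlan.ps1. The param block starts outside the hunk.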
@@ -153,14 +154,6 @@ function Build-AssignmentDefinitionNode { } #endregion definitionEntry or definitionEntryList (required exactly once per branch) - #region Process Deprecated - $deprecatedHash = @{} - foreach ($key in $CombinedPolicyDetails.policies.keys) { - if ($true -eq $CombinedPolicyDetails.policies.$key.isDeprecated) { - $deprecatedHash[$CombinedPolicyDetails.policies.$key.name] = $CombinedPolicyDetails.policies.$key - } - } - #region metadata if ($DefinitionNode.metadata) { # merge metadata @@ -191,7 +184,7 @@ function Build-AssignmentDefinitionNode { $rawParameterValue = $addedParameters.$parameterName $currentParameterHash = $parameterHash.$parameterName if ($null -ne $currentParameterHash.name) { - if ($deprecatedHash.ContainsKey($($currentParameterHash.name)) -and $currentParameterHash.parameters.$parameterName.isEffect) { + if ($DeprecatedHash.ContainsKey($($currentParameterHash.name)) -and $currentParameterHash.parameters.$parameterName.isEffect) { $null = $deprecatedInJSON.Add("Assignment: '$($assignment.name)' with Parameter: '$parameterName' ($($currentParameterHash))") if (!$PacEnvironment.desiredState.doNotDisableDeprecatedPolicies) { $rawParameterValue = "Disabled" @@ -228,7 +221,7 @@ function Build-AssignmentDefinitionNode { # Replace CSV effect with Disabled if Deprecated foreach ($entry in $csvParameterArray) { # If policy in csv is found to be deprecated - if ($deprecatedHash.ContainsKey($entry.name)) { + if ($DeprecatedHash.ContainsKey($entry.name)) { # For each child in the assignment foreach ($child in $DefinitionNode.children) { # If that child is using a parameterSelector with the CSV @@ -478,7 +471,8 @@ function Build-AssignmentDefinitionNode { -AssignmentDefinition $definition ` -CombinedPolicyDetails $CombinedPolicyDetails ` -PolicyRoleIds $PolicyRoleIds ` - -RoleDefinitions $RoleDefinitions + -RoleDefinitions $RoleDefinitions ` + -DeprecatedHash $DeprecatedHash if ($hasErrorsLocal) { $hasErrors = $true 
diff --git a/Scripts/Helpers/Build-AssignmentPlan.ps1 b/Scripts/Helpers/Build-AssignmentPlan.ps1 index 8ed2fb5a..d60b7517 100644 --- a/Scripts/Helpers/Build-AssignmentPlan.ps1 +++ b/Scripts/Helpers/Build-AssignmentPlan.ps1 @@ -10,7 +10,8 @@ function Build-AssignmentPlan { [hashtable] $AllAssignments, [hashtable] $ReplaceDefinitions, [hashtable] $PolicyRoleIds, - [hashtable] $CombinedPolicyDetails + [hashtable] $CombinedPolicyDetails, + [hashtable] $DeprecatedHash ) Write-Information "===================================================================================================" @@ -94,7 +95,8 @@ function Build-AssignmentPlan { -AssignmentDefinition $rootAssignmentDefinition ` -CombinedPolicyDetails $CombinedPolicyDetails ` -PolicyRoleIds $PolicyRoleIds ` - -RoleDefinitions $roleDefinitions + -RoleDefinitions $roleDefinitions ` + -DeprecatedHash $DeprecatedHash if ($hasErrors) { Write-Error "Assignment definitions content errors" -ErrorAction Stop diff --git a/Scripts/Helpers/Get-GlobalSettings.ps1 b/Scripts/Helpers/Get-GlobalSettings.ps1 index ca2e6d10..ff7cfeda 100644 --- a/Scripts/Helpers/Get-GlobalSettings.ps1 +++ b/Scripts/Helpers/Get-GlobalSettings.ps1 @@ -192,11 +192,6 @@ function Get-GlobalSettings { if ($skipResourceValidationForExemptionsRaw) { $skipResourceValidationForExemptions = $true } - $doNotDisableDeprecatedPolicies = $false - $doNotDisableDeprecatedPoliciesRaw = $pacEnvironment.doNotDisableDeprecatedPolicies - if ($doNotDisableDeprecatedPoliciesRaw) { - $doNotDisableDeprecatedPolicies = $true - } $desiredState = @{ strategy = "undefined" @@ -321,6 +316,9 @@ function Get-GlobalSettings { Add-ErrorMessage -ErrorInfo $errorInfo -ErrorString "Global settings error: pacEnvironment $pacSelector field desiredState.doNotDisableDeprecatedPolicies ($doNotDisableDeprecatedPolicies) must be a boolean value." } } + else { + $doNotDisableDeprecatedPolicies = $false + } } $pacEnvironmentDefinition = @{ 
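Review bot: With the unconditional default removed in the previous hunk, `$doNotDisableDeprecatedPolicies` is set to `$false` only in this new `else`, whose matching `if` lies outside the hunk. If this code runs once per pacEnvironment, as the `$pacSelector` in the error text suggests, any path that reaches neither the assignment nor this `else` would reuse the value left by the previous environment, and one environment's opt-out could keep deprecated policies enabled in another. Keeping `$doNotDisableDeprecatedPolicies = $false` ahead of the validation block makes the default independent of the branch structure. The removed lines also read the flag from the top level of `$pacEnvironment`; settings files that still set it there are now silently ignored, which is worth stating in the commit description.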
diff --git a/Scripts/Helpers/Out-DocumentationForPolicyAssignments.ps1 b/Scripts/Helpers/Out-DocumentationForPolicyAssignments.ps1 index 63ec30f2..c9caeefe 100644 --- a/Scripts/Helpers/Out-DocumentationForPolicyAssignments.ps1 +++ b/Scripts/Helpers/Out-DocumentationForPolicyAssignments.ps1 @@ -6,7 +6,7 @@ function Out-DocumentationForPolicyAssignments { $DocumentationSpecification, [hashtable] $AssignmentsByEnvironment, [switch] $IncludeManualPolicies, - [bool] $doNotDisableDeprecatedPolicies + [hashtable] $PacEnvironments ) [string] $fileNameStem = $DocumentationSpecification.fileNameStem @@ -153,9 +153,9 @@ function Out-DocumentationForPolicyAssignments { #region Process Deprecated $deprecatedHash = @{} - foreach ($key in $CombinedPolicyDetails.policies.keys) { - if ($true -eq $CombinedPolicyDetails.policies.$key.isDeprecated) { - $deprecatedHash[$CombinedPolicyDetails.policies.$key.name] = $CombinedPolicyDetails.policies.$key + foreach ($key in $policyResourceDetails.policies.keys) { + if ($true -eq $policyResourceDetails.policies.$key.isDeprecated) { + $deprecatedHash[$policyResourceDetails.policies.$key.name] = $policyResourceDetails.policies.$key } } #region Review Duplicates @@ -286,6 +286,9 @@ function Out-DocumentationForPolicyAssignments { if ($environmentList.ContainsKey($environmentCategory)) { $environmentCategoryValues = $environmentList.$environmentCategory $effectValue = $environmentCategoryValues.effectValue + if ($effectValue.StartsWith("[if(contains(parameters('resourceTypeList')")) { + $effectValue = "SetByParameter" + } $effectAllowedValues = $_.effectAllowedValues $text = Convert-EffectToMarkdownString ` -Effect $effectValue ` 
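Review bot: This loop still builds its own `$deprecatedHash`, duplicating the one this commit hoists into Build-DeploymentPlans.ps1, and the two copies already differ in form (`$true -eq ...isDeprecated` here, a plain truthiness test there). A shared helper, or at least a comment above the loop such as `# same rule as the deprecated lookup in Build-DeploymentPlans.ps1; keep in sync`, would keep documentation and deployment agreeing on what counts as deprecated. The `#region Process Deprecated` opened above the loop has no matching `#endregion` before `#region Review Duplicates`.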
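Review bot: `$effectValue.StartsWith(...)` is called without a null or type check, while the CSV section of this same function guards the value with `if ($null -ne $perEnvironment.effectValue)`, so an environment entry without an effect value would throw here. The test is also case-sensitive and tied to one exact expression prefix, so an effect expression with different casing or another parameter name would still be printed raw. Suggested: `if ($effectValue -is [string] -and $effectValue.StartsWith("[if(contains(parameters('resourceTypeList')", [System.StringComparison]::OrdinalIgnoreCase)) {`, with a comment saying which assignments produce this expression. The enclosing block starts and ends outside the hunk.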
@@ -451,52 +454,58 @@ function Out-DocumentationForPolicyAssignments { $flatPolicyListAcrossEnvironments.Values | Sort-Object -Property { $_.category }, { $_.displayName } | ForEach-Object -Process { # If statement to skip over duplicates and ensure not to include Deprecated Policies if ( $true -ne $_.isReferencePathMatch) { - if (!$deprecatedHash.ContainsKey($_.name) -or $doNotDisableDeprecatedPolicies) { - # Initialize row - with empty strings - $rowObj = [ordered]@{} - foreach ($key in $columnHeaders) { - $null = $rowObj.Add($key, "") - } + # Initialize row - with empty strings + $rowObj = [ordered]@{} + foreach ($key in $columnHeaders) { + $null = $rowObj.Add($key, "") + } - # Cache loop values - # $effectAllowedValues = $_.effectAllowedValues - # $groupNames = $_.groupNames - # $policySetEffectStrings = $_.policySetEffectStrings - $effectAllowedValues = $_.effectAllowedValues - $isEffectParameterized = $_.isEffectParameterized - $effectAllowedOverrides = $_.effectAllowedOverrides - $groupNames = $_.groupNames - $effectDefault = $_.effectDefault - $policySetEffectStrings = $_.policySetEffectStrings - - # Build common columns - $rowObj.name = $_.name - $rowObj.referencePath = $_.referencePath - $rowObj.policyType = $_.policyType - $rowObj.category = $_.category - $rowObj.displayName = $_.displayName - $rowObj.description = $_.description - $groupNames = $_.groupNames - if ($groupNames.Count -gt 0) { - $sortedGroupNameList = $groupNames | Sort-Object -Unique - $rowObj.groupNames = $sortedGroupNameList -join $inCellSeparator3 - } - if ($policySetEffectStrings.Count -gt 0) { - $rowObj.policySets = $policySetEffectStrings -join $inCellSeparator3 - } - $rowObj.allowedEffects = Convert-AllowedEffectsToCsvString ` - -DefaultEffect $effectDefault ` - -IsEffectParameterized $isEffectParameterized ` - -EffectAllowedValues $effectAllowedValues.Keys ` - -EffectAllowedOverrides $effectAllowedOverrides ` - -InCellSeparator1 $inCellSeparator1 ` - -InCellSeparator2 
$inCellSeparator2 + # Cache loop values + # $effectAllowedValues = $_.effectAllowedValues + # $groupNames = $_.groupNames + # $policySetEffectStrings = $_.policySetEffectStrings + $effectAllowedValues = $_.effectAllowedValues + $isEffectParameterized = $_.isEffectParameterized + $effectAllowedOverrides = $_.effectAllowedOverrides + $groupNames = $_.groupNames + $effectDefault = $_.effectDefault + $policySetEffectStrings = $_.policySetEffectStrings + + # Build common columns + $rowObj.name = $_.name + $rowObj.referencePath = $_.referencePath + $rowObj.policyType = $_.policyType + $rowObj.category = $_.category + $rowObj.displayName = $_.displayName + $rowObj.description = $_.description + $groupNames = $_.groupNames + if ($groupNames.Count -gt 0) { + $sortedGroupNameList = $groupNames | Sort-Object -Unique + $rowObj.groupNames = $sortedGroupNameList -join $inCellSeparator3 + } + if ($policySetEffectStrings.Count -gt 0) { + $rowObj.policySets = $policySetEffectStrings -join $inCellSeparator3 + } + $rowObj.allowedEffects = Convert-AllowedEffectsToCsvString ` + -DefaultEffect $effectDefault ` + -IsEffectParameterized $isEffectParameterized ` + -EffectAllowedValues $effectAllowedValues.Keys ` + -EffectAllowedOverrides $effectAllowedOverrides ` + -InCellSeparator1 $inCellSeparator1 ` + -InCellSeparator2 $inCellSeparator2 - $environmentList = $_.environmentList - # Build environmentCategory columns - foreach ($environmentCategory in $environmentCategories) { - if ($environmentList.ContainsKey($environmentCategory)) { - $perEnvironment = $environmentList.$environmentCategory + $environmentList = $_.environmentList + # Build environmentCategory columns + $doNotSkip = $false + foreach ($environmentCategory in $environmentCategories) { + if ($environmentList.ContainsKey($environmentCategory)) { + $perEnvironment = $environmentList.$environmentCategory + + # Valide doNotDisableDeprecatedPolicies for env + $envPacSelector = 
$AssignmentsByEnvironment."$($perEnvironment.environmentCategory)".pacEnvironmentSelector + $doNotDisableDeprecatedPolicies = $PacEnvironments.$envPacSelector.doNotDisableDeprecatedPolicies + + if (!$deprecatedHash.ContainsKey($_.name) -or $doNotDisableDeprecatedPolicies) { if ($null -ne $perEnvironment.effectValue) { $rowObj["$($environmentCategory)Effect"] = Convert-EffectToCsvString $perEnvironment.effectValue } @@ -506,10 +515,13 @@ function Out-DocumentationForPolicyAssignments { $text = Convert-ParametersToString -Parameters $perEnvironment.parameters -OutputType "csvValues" $rowObj["$($environmentCategory)Parameters"] = $text + $doNotSkip = $true } } + } - # Add row to spreadsheet + # Add row to spreadsheet + if ($doNotSkip) { $null = $allRows.Add($rowObj) } } diff --git a/Scripts/Operations/Build-PolicyDocumentation.ps1 b/Scripts/Operations/Build-PolicyDocumentation.ps1 index 7aabb2ec..a1065dde 100644 --- a/Scripts/Operations/Build-PolicyDocumentation.ps1 +++ b/Scripts/Operations/Build-PolicyDocumentation.ps1 @@ -299,9 +299,7 @@ foreach ($file in $files) { } ) } - # Build documents - $doNotDisableDeprecatedPolicies = $pacEnvironments[$($globalSettings.pacEnvironmentPrompt)].'doNotDisableDeprecatedPolicies' $documentationSpecifications = $documentAssignments.documentationSpecifications foreach ($documentationSpecification in $documentationSpecifications) { $documentationType = $documentationSpecification.type @@ -314,7 +312,7 @@ foreach ($file in $files) { -DocumentationSpecification $documentationSpecification ` -AssignmentsByEnvironment $assignmentsByEnvironment ` -IncludeManualPolicies:$IncludeManualPolicies ` - -doNotDisableDeprecatedPolicies:$doNotDisableDeprecatedPolicies + -PacEnvironments $pacEnvironments # Out-DocumentationForPolicyAssignments ` # -OutputPath $outputPath ` # -WindowsNewLineCells:$true `
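Review bot: The per-environment flag is read as `$PacEnvironments.$envPacSelector.doNotDisableDeprecatedPolicies`, whereas Build-AssignmentDefinitionNode.ps1 in this same diff reads it from `$PacEnvironment.desiredState.doNotDisableDeprecatedPolicies` and the Get-GlobalSettings error text names it `desiredState.doNotDisableDeprecatedPolicies`. If the value exists only under `desiredState`, this lookup yields `$null`, every deprecated policy is dropped from the CSV regardless of the setting, and the documentation no longer matches what is deployed. The same silent `$null` results when `pacEnvironmentSelector` is missing for a category, so a check such as `if ($null -eq $PacEnvironments.$envPacSelector) { Write-Error "Unknown pacEnvironmentSelector '$envPacSelector'" -ErrorAction Stop }` would surface it. The new comment should read `# Validate doNotDisableDeprecatedPolicies for env`, and the older comment at the top of the block still describes the deprecated check as part of the outer `if`. The function body continues outside the hunk.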