From e38aa0098d67f35478b89b602997a688b7f35d09 Mon Sep 17 00:00:00 2001
From: Heinrich Gantenbein <6719941+techlake@users.noreply.github.com>
Date: Wed, 9 Aug 2023 16:31:07 -0500
Subject: [PATCH] Minor cleanup (#307)
---
Docs/export-non-compliance.md | 41 +++++++++++--------
Scripts/Helpers/Build-AssignmentPlan.ps1 | 10 ++---
.../Helpers/Convert-PolicySetsToFlatList.ps1 | 16 +++++++-
.../Helpers/Find-AzNonCompliantResources.ps1 | 12 +++---
.../Out-PolicySetsDocumentationToFile.ps1 | 16 +++++---
Scripts/Helpers/Switch-PacEnvironment.ps1 | 2 +-
Scripts/Helpers/Write-AssignmentDetails.ps1 | 4 +-
.../Operations/Create-AzRemediationTasks.ps1 | 2 +-
.../Export-NonComplianceReports.ps1 | 14 +++----
.../policyAssignments/tag-assignments.jsonc | 10 ++---
10 files changed, 75 insertions(+), 52 deletions(-)
diff --git a/Docs/export-non-compliance.md b/Docs/export-non-compliance.md
index 56e3a68a..5acaa590 100644
--- a/Docs/export-non-compliance.md
+++ b/Docs/export-non-compliance.md
@@ -1,9 +1,13 @@ # Exporting Non-Compliance Reports -The script `Export-AzPolicyNonCompliance` exports non-compliance reports for EPAC environments in the `global-settings.jsonc` file. It outputs the reports in the `$outputFolders/non-compliance-reports` folder in two files: +The script `Export-AzPolicyNonCompliance` exports non-compliance reports for EPAC environments in the `global-settings.jsonc` file. It outputs the reports in the `$outputFolders/non-compliance-reports` folder: -- `summary.csv` contains the summary of the non-compliant resources including the non-compliant resource count -- `details.csv` contains the details of the non-compliant resources including the non-compliant resource ids +- `summary-by-policy.csv` contains the summary of the non-compliant resources by Policy definition. The columns contain the resource counts. +- `summary-by-resource.csv` contains the summary of the non-compliant resources. The columns contain the number of Policies causing the non-compliance. +- `details-by-policy.csv` contains the details of the non-compliant resources by Policy definition including the non-compliant resource ids. Assignments are combined by Policy definition. +- `details-by-resource.csv` contains the details of the non-compliant resources sorted by Resource id. Assignments are combined by Resource id. +- `full-details-by-assignment.csv` contains the details of the non-compliant resources sorted by Policy Assignment id. +- `full-details-by-resource.csv` contains the details of the non-compliant resources sorted by Resource id including the Policy Assignment details. ## Script parameters 
@@ -15,9 +19,11 @@ The script `Export-AzPolicyNonCompliance` exports non-compliance reports for EPA | `WindowsNewLineCells` | Formats CSV multi-object cells to use new lines and saves it as UTF-8 with BOM - works only fro Excel in Windows. Default uses commas to separate array elements within a cell | | `Interactive` | Set to false if used non-interactive | | `OnlyCheckManagedAssignments` | Include non-compliance data only for Policy assignments owned by this Policy as Code repo | +| `PolicyDefinitionFilter` | Filter by Policy definition names (array) or ids (array). | | `PolicySetDefinitionFilter` | Filter by Policy Set definition names (array) or ids (array). Can only be used when PolicyAssignmentFilter is not used. | | `PolicyAssignmentFilter` | Filter by Policy Assignment names (array) or ids (array). Can only be used when PolicySetDefinitionFilter is not used. | | `PolicyEffectFilter` | Filter by Policy effect (array). | +| `RemediationOnly` | Filter by Policy Effect "deployifnotexists" and "modify" and compliance status "NonCompliant" ## Examples 
@@ -45,21 +51,22 @@ Export-NonComplianceReports -PolicySetDefinitionFilter "org-sec-initiative", "/p Export-NonComplianceReports -PolicyAssignmentFilter "/providers/microsoft.management/managementgroups/11111111-1111-1111-1111-111111111111/providers/microsoft.authorization/policyassignments/taginh-env", "prod-asb" ``` -## Example output +## Sample Output -### `summary.csv` +### `summary-by-policy.csv` -|Category|Policy|Policy Id|Non-Compliant|Unknown|Exempt|Conflicting|Not-Started|Error| -|-|-|-|-|-|-|-|-|-| -API Management|API Management APIs should use only encrypted protocols|/providers/microsoft.authorization/policydefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4|1|0|0|0|0|0 -API Management|API Management services should use a virtual network|/providers/microsoft.authorization/policydefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b|1|0|0|0|0|0 -App Configuration|App Configuration should use private link|/providers/microsoft.authorization/policydefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7|1|0|0|0|0|0 -App Service|App Service apps should have resource logs enabled|/providers/microsoft.authorization/policydefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510|1|0|0|0|0|0 -App Service|App Service apps should only be accessible over HTTPS|/providers/microsoft.authorization/policydefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d|4|0|0|0|0|0 +| Category | Policy Name | Policy Id | Non Compliant | Unknown | Not Started | Exempt | Conflicting | Error | Assignment Ids | Group Names | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | +| General | Audit usage of custom RBAC roles | /providers/microsoft.authorization/policydefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 | 9 | 0 | 0 | 0 | 0 | 0 | 
/providers/microsoft.management/managementgroups/pac-heinrich-dev-dev/providers/microsoft.authorization/policyassignments/dev-nist-800-53-r5,/providers/microsoft.management/managementgroups/pac-heinrich-dev-dev/providers/microsoft.authorization/policyassignments/dev-asb | azure_security_benchmark_v3.0_pa-7,nist_sp_800-53_r5_ac-6(7),nist_sp_800-53_r5_ac-2(7),nist_sp_800-53_r5_ac-6,nist_sp_800-53_r5_ac-2 | +| Regulatory Compliance | Control use of portable storage devices | /providers/microsoft.authorization/policydefinitions/0a8a1a7d-16d3-4d8e-9f2c-6b8d9e1c7c1d | 0 | 0 | 0 | 0 | 0 | 0 | /providers/microsoft.management/managementgroups/pac-heinrich-dev-dev/providers/microsoft.authorization/policyassignments/dev-nist-800-53-r5,/providers/microsoft.management/managementgroups/pac-heinrich-dev-dev/providers/microsoft.authorization/policyassignments/dev-asb | azure_security_benchmark_v3.0_pa-7,nist_sp_800-53_r5_ac-6(7),nist_sp_800-53_r5_ac-2(7),nist_sp_800-53_r5_ac-6,nist_sp_800-53_r5_ac-2 | +| Regulatory Compliance | Deploy Azure Policy to audit Windows VMs that do not use managed disks | /providers/microsoft.authorization/policydefinitions/0b2b84f2-eb8a-4f0a-8a1c-0c0d6e4cdeea | 0 | 0 | 0 | 0 | 0 | 0 | /providers/microsoft.management/managementgroups/pac-heinrich-dev-dev/providers/microsoft.authorization/policyassignments/dev-nist-800-53-r5,/providers/microsoft.management/managementgroups/pac-heinrich-dev-dev/providers/microsoft.authorization/policyassignments/dev-asb | azure_security_benchmark_v3.0_pa-7,nist_sp_800-53_r5_ac-6(7),nist_sp_800-53_r5_ac-2(7),nist_sp_800-53_r5_ac-6,nist_sp_800-53_r5_ac-2 | +| Regulatory Compliance | Deploy Azure Policy to audit Windows VMs that do not use managed disks | /providers/microsoft.authorization/policydefinitions/0b2b84f2-eb8a-4f0a-8a1c-0c0d6e4cdeea | 0 | 0 | 0 | 0 | 0 | 0 | 
/providers/microsoft.management/managementgroups/pac-heinrich-dev-dev/providers/microsoft.authorization/policyassignments/dev-nist-800-53-r5,/providers/microsoft.management/managementgroups/pac-heinrich-dev-dev/providers/microsoft.authorization/policyassignments/dev-asb | azure_security_benchmark_v3.0_pa-7,nist_sp_800-53_r5_ac-6(7),nist_sp_800-53_r5_ac-2(7),nist_sp_800-53_r5_ac-6,nist_sp_800-53_r5_ac-2 | -### `details.csv` +### `summary-by-resource.csv` -|Category|Policy|Effect|State|Resource Id|Policy Id|Group Names|Assignments| -|-|-|-|-|-|-|-|-| -|API Management|API Management APIs should use only encrypted protocols|audit|NonCompliant|/subscriptions/11111111-1111-1111-1111-111111111111/resourcegroups/rg001/providers/microsoft.apimanagement/service/*****|/providers/microsoft.authorization/policydefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4|azure_security_benchmark_v3.0_dp-3|/providers/microsoft.management/managementgroups/mg-1/providers/microsoft.authorization/policyassignments/prod-asb| -|API Management|API Management calls to API backends should be authenticated|audit|NonCompliant|/subscriptions/11111111-1111-1111-1111-111111111111/resourcegroups/rg001/providers/microsoft.apimanagement/service/*****|/providers/microsoft.authorization/policydefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54|azure_security_benchmark_v3.0_im-4|/providers/microsoft.management/managementgroups/mg-1/providers/microsoft.authorization/policyassignments/prod-asb| +| Resource Id | Subscription Id | Subscription Name | Resource Group | Resource Type | Resource Name | Resource Qualifier | Non Compliant | Unknown | Not Started | Exempt | Conflicting | Error | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | +| /subscriptions/******************************** | ******************************** | PAC-DEV-001 | | subscriptions | | | 25 | 481 | 0 | 0 | 0 | 0 | +| 
/subscriptions/********************************/providers/microsoft.authorization/roledefinitions/0b00bc79-2207-410c-b9d5-d5d182ad514f | ******************************** | PAC-DEV-001 | | microsoft.authorization/roledefinitions | 0b00bc79-2207-410c-b9d5-d5d182ad514f | | 0 | 0 | 0 | 0 | 0 | 0 | +| /subscriptions/********************************/providers/microsoft.authorization/roledefinitions/0b00bc79-2207-410c-b9d5-d5d182ad514f | ******************************** | PAC-DEV-001 | | microsoft.authorization/roledefinitions | 0b00bc79-2207-410c-b9d5-d5d182ad514f | | 0 | 0 | 0 | 0 | 0 | 0 | +| /subscriptions/********************************/providers/microsoft.authorization/roledefinitions/0b00bc79-2207-410c-b9d5-d5d182ad514f | ******************************** | PAC-DEV-001 | | microsoft.authorization/roledefinitions | 0b00bc79-2207-410c-b9d5-d5d182ad514f | | 0 | 0 | 0 | 0 | 0 | 0 | diff --git a/Scripts/Helpers/Build-AssignmentPlan.ps1 b/Scripts/Helpers/Build-AssignmentPlan.ps1 index b76b8ad1..45b1ba46 100644 --- a/Scripts/Helpers/Build-AssignmentPlan.ps1 +++ b/Scripts/Helpers/Build-AssignmentPlan.ps1 @@ -61,9 +61,9 @@ function Build-AssignmentPlan { # Process each assignment file foreach ($assignmentFile in $assignmentFiles) { $Json = Get-Content -Path $assignmentFile.FullName -Raw -ErrorAction Stop - Write-Information "" + # Write-Information "" if ((Test-Json $Json)) { - Write-Information "Processing file '$($assignmentFile.FullName)'" + # Write-Information "Processing file '$($assignmentFile.FullName)'" } else { Write-Error "Assignment JSON file '$($assignmentFile.FullName)' is not valid." -ErrorAction Stop 
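Review bot: The two `Write-Information` calls in the `foreach ($assignmentFile in $assignmentFiles)` loop are commented out rather than removed or demoted, which leaves an `if ((Test-Json $Json))` branch whose body is only a comment and drops the record of which assignment files fed the plan. Because this plan decides which Policy Assignments are created, updated or deleted, I would keep that trace available on demand with `Write-Verbose "Processing file '$($assignmentFile.FullName)'"` and delete the commented-out lines. The same pattern appears in the hunk at line 182, where the `else` branch now holds only the commented-out `Write-AssignmentDetails ... -Prefix "Unchanged"` call. The loop body continues outside this hunk.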
@@ -182,7 +182,7 @@ function Build-AssignmentPlan { Write-AssignmentDetails -DisplayName $DisplayName -Scope $Scope -Prefix "Update($($IdentityStatus.changedIdentityStrings))" -IdentityStatus $IdentityStatus } else { - Write-AssignmentDetails -DisplayName $DisplayName -Scope $Scope -Prefix "Unchanged" -IdentityStatus $IdentityStatus + # Write-AssignmentDetails -DisplayName $DisplayName -Scope $Scope -Prefix "Unchanged" -IdentityStatus $IdentityStatus } } else { @@ -265,7 +265,6 @@ function Build-AssignmentPlan { $strategy = $PacEnvironment.desiredState.strategy if ($deleteCandidates.psbase.Count -gt 0) { - Write-Information "Cleanup removed Policy Assignments (delete)" foreach ($id in $deleteCandidates.Keys) { $deleteCandidate = $deleteCandidates.$id $deleteCandidateProperties = Get-PolicyResourceProperties $deleteCandidate @@ -290,7 +289,7 @@ function Build-AssignmentPlan { if ($IdentityStatus.isUserAssigned) { $isUserAssignedAny = $true } - Write-AssignmentDetails -DisplayName $DisplayName -Scope $Scope -Prefix "" -IdentityStatus $IdentityStatus + Write-AssignmentDetails -DisplayName $DisplayName -Scope $Scope -Prefix "Delete" -IdentityStatus $IdentityStatus $splat = @{ id = $id name = $name @@ -309,7 +308,6 @@ function Build-AssignmentPlan { } } - Write-Information "" if ($isUserAssignedAny) { Write-Warning "EPAC does not manage role assignments for Policy Assignments with user-assigned Managed Identities." } diff --git a/Scripts/Helpers/Convert-PolicySetsToFlatList.ps1 b/Scripts/Helpers/Convert-PolicySetsToFlatList.ps1 index 63d50e03..0093d545 100644 --- a/Scripts/Helpers/Convert-PolicySetsToFlatList.ps1 +++ b/Scripts/Helpers/Convert-PolicySetsToFlatList.ps1 
@@ -214,7 +214,21 @@ function Convert-PolicySetsToFlatList { $flatPolicyEntry.effectValue = $effectDefault $flatPolicyEntry.effectDefault = $effectDefault } - $effectString = "$($effectDefault) ($($effectReason))" + $effectString = switch ($effectReason) { + "PolicySet Default" { + "$($effectDefault) (default: $($effectParameterName))" + break + } + "PolicySet No Default" { + # Very unnusul to have a policy set effect parameter with no default + "$($effectReason) ($($effectParameterName))" + break + } + default { + "$($effectDefault) ($($effectReason))" + break + } + } } $perPolicySet.effectString = $effectString diff --git a/Scripts/Helpers/Find-AzNonCompliantResources.ps1 b/Scripts/Helpers/Find-AzNonCompliantResources.ps1 index 7bf9d701..fb547ace 100644 --- a/Scripts/Helpers/Find-AzNonCompliantResources.ps1 +++ b/Scripts/Helpers/Find-AzNonCompliantResources.ps1 @@ -1,7 +1,7 @@ function Find-AzNonCompliantResources { [CmdletBinding()] param ( - [switch] $RemmediationOnly, + [switch] $RemediationOnly, $PacEnvironment, [switch] $OnlyCheckManagedAssignments, [string[]] $PolicyDefinitionFilter, @@ -19,8 +19,8 @@ function Find-AzNonCompliantResources { if ($PolicyEffectFilter -and $ExcludeManualPolicyEffect) { Write-Error "Parameter PolicyEffectFilter cannot be used with parameter ExcludeManualPolicyEffect" -ErrorAction Stop } - elseif ($ExcludeManualPolicyEffect -and $RemmediationOnly) { - Write-Error "Parameter ExcludeManualPolicyEffect cannot be used with parameter RemmediationOnly" -ErrorAction Stop + elseif ($ExcludeManualPolicyEffect -and $RemediationOnly) { + Write-Error "Parameter ExcludeManualPolicyEffect cannot be used with parameter RemediationOnly" -ErrorAction Stop } elseif ($ExcludeManualPolicyEffect) { $effectFilter = " and properties.policyDefinitionAction <> `"manual`"" 
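Review bot: The new `switch ($effectReason)` matches on the literal strings `"PolicySet Default"` and `"PolicySet No Default"`, which are presumably assigned earlier in Convert-PolicySetsToFlatList outside this hunk; if either spelling changes there, the value silently falls through to `default` and the report shows the old format. A one-line comment above the switch naming where those reason strings are set would help, and the existing comment has a typo that should read `# Very unusual to have a policy set effect parameter with no default`. Assuming `$effectReason` is a single string, the `break` in each arm is harmless but not needed, since the arms are mutually exclusive.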
@@ -29,7 +29,7 @@ function Find-AzNonCompliantResources { if ($PolicyEffectFilter -and $PolicyEffectFilter.Count -ne 0) { $effectFilter = " and (" foreach ($filterValue in $PolicyEffectFilter) { - if ($RemmediationOnly) { + if ($RemediationOnly) { if ($filterValue -in @("deployifnotexists", "modify")) { $effectFilter += "properties.policyDefinitionAction == `"$filterValue`" or " } @@ -48,12 +48,12 @@ function Find-AzNonCompliantResources { } $effectFilter = $effectFilter.Substring(0, $effectFilter.Length - 4) + ")" } - elseif ($RemmediationOnly) { + elseif ($RemediationOnly) { $effectFilter = " and (properties.policyDefinitionAction == `"deployifnotexists`" or properties.policyDefinitionAction == `"modify`")" } } $query = "" - if ($RemmediationOnly) { + if ($RemediationOnly) { $query = "policyresources | where type == `"microsoft.policyinsights/policystates`" and properties.complianceState == `"NonCompliant`"$($effectFilter)" } else { diff --git a/Scripts/Helpers/Out-PolicySetsDocumentationToFile.ps1 b/Scripts/Helpers/Out-PolicySetsDocumentationToFile.ps1 index 79c1d527..11125035 100644 --- a/Scripts/Helpers/Out-PolicySetsDocumentationToFile.ps1 +++ b/Scripts/Helpers/Out-PolicySetsDocumentationToFile.ps1 @@ -112,9 +112,13 @@ function Out-PolicySetsDocumentationToFile { } # deal with multi value cells - $inCellSeparator = "," + $inCellSeparator1 = ": " + $inCellSeparator2 = "," + $inCellSeparator3 = "," if ($WindowsNewLineCells) { - $inCellSeparator = ",`n" + $inCellSeparator1 = ":`n " + $inCellSeparator2 = ",`n " + $inCellSeparator3 = ",`n" } $allRows.Clear() 
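Review bot: The names `$inCellSeparator1`, `$inCellSeparator2` and `$inCellSeparator3` in Out-PolicySetsDocumentationToFile do not say which separator goes where, and in the default case 2 and 3 are both `","`. Judging by the following hunk, 1 follows the `parameter`/`override` label, 2 joins the effect values after that label, and 3 joins the top-level items of a cell. Names along the lines of `$labelSeparator`, `$labeledListSeparator` and `$cellItemSeparator`, or a one-line comment per variable, would make the `-join` calls in the next hunk readable without tracing back to these assignments.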
@@ -143,16 +147,16 @@ function Out-PolicySetsDocumentationToFile { $rowObj.displayName = $_.displayName $rowObj.description = $_.description if ($groupNamesList.Count -gt 0) { - $rowObj.groupNames = $groupNamesList -join $inCellSeparator + $rowObj.groupNames = $groupNamesList -join $inCellSeparator3 } if ($policySetEffectStrings.Count -gt 0) { - $rowObj.policySets = $policySetEffectStrings -join $inCellSeparator + $rowObj.policySets = $policySetEffectStrings -join $inCellSeparator3 } if ($isEffectParameterized -and $effectAllowedValues.Count -gt 1) { - $rowObj.allowedEffects = $effectAllowedValues.Keys -join $inCellSeparator + $rowObj.allowedEffects = "parameter$inCellSeparator1$($effectAllowedValues.Keys -join $inCellSeparator2)" } elseif ($effectAllowedOverrides.Count -gt 0) { - $rowObj.allowedEffects = $effectAllowedOverrides -join $inCellSeparator + $rowObj.allowedEffects = "override$inCellSeparator1$($effectAllowedOverrides -join $inCellSeparator2)" } # Per environment columns diff --git a/Scripts/Helpers/Switch-PacEnvironment.ps1 b/Scripts/Helpers/Switch-PacEnvironment.ps1 index 0f70565c..3471e6ce 100644 --- a/Scripts/Helpers/Switch-PacEnvironment.ps1 +++ b/Scripts/Helpers/Switch-PacEnvironment.ps1 @@ -16,7 +16,7 @@ function Switch-PacEnvironment { else { Write-Error " pacEnvironment '$PacEnvironmentSelector' in definition on lines $DefinitionStartingLine - $DefinitionEndingLine does not exist" -ErrorAction Stop } - Set-AzCloudTenantSubscription ` + $null = Set-AzCloudTenantSubscription ` -Cloud $pacEnvironment.cloud ` -TenantId $pacEnvironment.tenantId ` -Interactive $Interactive diff --git a/Scripts/Helpers/Write-AssignmentDetails.ps1 b/Scripts/Helpers/Write-AssignmentDetails.ps1 index e0dd8226..3c3944fa 100644 --- a/Scripts/Helpers/Write-AssignmentDetails.ps1 +++ b/Scripts/Helpers/Write-AssignmentDetails.ps1 
@@ -9,10 +9,10 @@ function Write-AssignmentDetails { $shortScope = $Scope -replace "/providers/Microsoft.Management", "" if ($Prefix -ne "") { - Write-Information " $($Prefix) '$($DisplayName)' at $($shortScope)" + Write-Information "$($Prefix) '$($DisplayName)' at $($shortScope)" } else { - Write-Information " '$($DisplayName)' at $($shortScope)" + Write-Information "'$($DisplayName)' at $($shortScope)" } if ($IdentityStatus.requiresRoleChanges) { foreach ($role in $IdentityStatus.added) { diff --git a/Scripts/Operations/Create-AzRemediationTasks.ps1 b/Scripts/Operations/Create-AzRemediationTasks.ps1 index 5bcdcbbb..257d5f87 100644 --- a/Scripts/Operations/Create-AzRemediationTasks.ps1 +++ b/Scripts/Operations/Create-AzRemediationTasks.ps1 @@ -94,7 +94,7 @@ $pacEnvironment = Select-PacEnvironment $PacEnvironmentSelector -DefinitionsRoot $null = Set-AzCloudTenantSubscription -Cloud $pacEnvironment.cloud -TenantId $pacEnvironment.tenantId -Interactive $pacEnvironment.interactive $rawNonCompliantList, $deployedPolicyResources, $scopeTable = Find-AzNonCompliantResources ` - -RemmediationOnly ` + -RemediationOnly ` -PacEnvironment $pacEnvironment ` -OnlyCheckManagedAssignments:$onlyCheckManagedAssignments ` -PolicyDefinitionFilter:$policyDefinitionFilter ` diff --git a/Scripts/Operations/Export-NonComplianceReports.ps1 b/Scripts/Operations/Export-NonComplianceReports.ps1 index 8f5dd0bd..479e08d2 100644 --- a/Scripts/Operations/Export-NonComplianceReports.ps1 +++ b/Scripts/Operations/Export-NonComplianceReports.ps1 @@ -33,9 +33,9 @@ Filter by Policy Assignment names (array) or ids (array). Filter by Policy Effect (array). .PARAMETER ExcludeManualPolicyEffect -Switch parmeter to filter out Policy Effect Manual +Switch parameter to filter out Policy Effect Manual -.PARAMETER RemmediationOnly +.PARAMETER RemediationOnly Filter by Policy Effect "deployifnotexists" and "modify" and compliance status "NonCompliant" .EXAMPLE 
@@ -103,7 +103,7 @@ param( [switch] $ExcludeManualPolicyEffect, [Parameter(Mandatory = $false, HelpMessage = "Filter by Policy Effect `"deployifnotexists`" and `"modify`" and compliance status `"NonCompliant`"")] - [switch] $RemmediationOnly + [switch] $RemediationOnly ) # Dot Source Helper Scripts @@ -116,7 +116,7 @@ $policySetDefinitionFilter = $PolicySetDefinitionFilter $policyAssignmentFilter = $PolicyAssignmentFilter $policyEffectFilter = $PolicyEffectFilter $excludeManualPolicyEffect = $ExcludeManualPolicyEffect.IsPresent -$remmediationOnly = $RemmediationOnly.IsPresent +$remediationOnly = $RemediationOnly.IsPresent # Setting the local copies of parameters to simplify debugging # $windowsNewLineCells = $true @@ -125,7 +125,7 @@ $remmediationOnly = $RemmediationOnly.IsPresent # $policyAssignmentFilter = @( "/providers/microsoft.management/managementgroups/11111111-1111-1111-1111-111111111111/providers/microsoft.authorization/policyassignments/taginh-env", "prod-asb" ) # $policyEffectFilter = @( "auditifnotexists", "deny" ) # $excludeManualPolicyEffect = $true -# $remmediationOnly = $true +# $remediationOnly = $true $InformationPreference = "Continue" $pacEnvironment = Select-PacEnvironment $PacEnvironmentSelector -DefinitionsRootFolder $DefinitionsRootFolder -OutputFolder $OutputFolder -Interactive $Interactive @@ -142,7 +142,7 @@ $rawNonCompliantList, $deployedPolicyResources, $scopeTable = Find-AzNonComplian -PolicyAssignmentFilter:$policyAssignmentFilter ` -PolicyEffectFilter $policyEffectFilter ` -ExcludeManualPolicyEffect:$excludeManualPolicyEffect ` - -RemmediationOnly:$remmediationOnly + -RemediationOnly:$remediationOnly Write-Information "===================================================================================================" Write-Information "Collating non-compliant resources into simplified lists" 
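Review bot: Renaming the script parameter `-RemmediationOnly` to `-RemediationOnly` in the `param(...)` block fixes the spelling but breaks any existing pipeline or scheduled job that still passes the old name; such a call now fails at parameter binding instead of producing the report. Adding `[Alias("RemmediationOnly")]` above `[switch] $RemediationOnly` would keep old invocations working while the documented name is the corrected one. The same rename is applied to `Find-AzNonCompliantResources`, whose two callers visible in this patch are both updated, so only the script-level parameter appears to need the alias.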
@@ -670,7 +670,7 @@ else { #endregion simplified details by Policy CSV #region simplified details by Resource Id CSV - $detailsCsvPath = Join-Path $pacEnvironment.outputFolder "non-compliance-report" "details-by-resource-id.csv" + $detailsCsvPath = Join-Path $pacEnvironment.outputFolder "non-compliance-report" "details-by-resource.csv" Write-Information "Writing simplfied details by Resource Id to $detailsCsvPath" $sortedDetailsList = $detailsListByResource | Sort-Object { $_.resourceId }, { $_.category }, { $_.policyName } | ForEach-Object { $normalizedDetails = [ordered]@{ diff --git a/StarterKit/Definitions/policyAssignments/tag-assignments.jsonc b/StarterKit/Definitions/policyAssignments/tag-assignments.jsonc index 4ae3eabf..a8b6b07e 100644 --- a/StarterKit/Definitions/policyAssignments/tag-assignments.jsonc +++ b/StarterKit/Definitions/policyAssignments/tag-assignments.jsonc @@ -48,14 +48,14 @@ ], "children": [ { - "nodeName": "AppName", + "nodeName": "Project", "assignment": { - "name": "AppName", - "displayName": "AppName", - "description": "AppName" + "name": "Project", + "displayName": "Project", + "description": "Project" }, "parameters": { - "tagName": "AppName" + "tagName": "Project" } }, {