Merge pull request #51 from salesforce/fix/GH-45-resource-name-enforcement-mode

Terraform Resource names have suffixes; added Tests to validate Terraform output

Author: kmcquade

.actrc

@@ -0,0 +1 @@
+-P ubuntu-latest=nektos/act-environments-ubuntu:18.04

.github/workflows/ci.yml

@@ -19,6 +19,11 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
 
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_version: 0.12.28
+
       - name: Install dependencies
         run: |
           make setup-dev
@@ -28,6 +33,10 @@ jobs:
           make security-test
           make test
 
+      - name: Validate Terraform output
+        run: |
+          make terraform-validate
+
       - name: Install the package to make sure nothing is randomly broken
         run: |
           make install

Makefile

@@ -86,10 +86,15 @@ count-loc:
 	echo "Website: https://github.com/XAMPPRocky/tokei#installation'"
 	tokei ./* --exclude --exclude '**/*.html' --exclude '**/*.json' --exclude azure_guardrails/shared/data/ --exclude azure_guardrails/shared/azure-policy --exclude examples --exclude docs --exclude tmp --exclude venv
 
-.PHONY: terraform-demo
-terraform-demo: install
-	azure-guardrails --help
-	azure-guardrails generate-terraform --service all --subscription example --no-params > examples/terraform-demo/main.tf
+.PHONY: github-actions-test
+github-actions-test:
+	act -l
+	# Run the CI job
+	act -j ci
+
+.PHONY: terraform-validate
+terraform-validate: install
+	sh utils/terraform-demo.sh
 
 .PHONY: update-policy-table
 update-policy-table: install

azure_guardrails/shared/utils.py

@@ -108,15 +108,18 @@ def get_github_link(service_name: str, file_name: str) -> str:
 
 # shorten the name if it is over a certain length to avoid hitting limits
 
-def format_policy_name(name: str, parameter_requirement_str) -> str:
+def format_policy_name(name: str, parameter_requirement_str: str) -> str:
     """
     Shortens a name to 24 characters minimum to avoid hitting Policy Assignment limit.
 
     Azure Policy Assignment names require 24 characters or less
     """
-    # 21, because we want to append '-NP', '-OP', or '_RP'
-    if len(name) > 21:
-        name = name[0:21]
+    suffix_length = len(parameter_requirement_str)
+    # 24 is the policy assignment name limit
+    # If the suffix is '-NP', '-OP', or '-RP'. the name_length_limit will be 21
+    name_length_limit = 24 - suffix_length
+    if len(name) > name_length_limit:
+        name = name[0:name_length_limit-1]
     initiative_name = f"{name}-{parameter_requirement_str}"
     initiative_name = initiative_name.replace("-", "_")
     # initiative_name = initiative_name.lower()

azure_guardrails/terraform/terraform.py

@@ -17,6 +17,7 @@ def __init__(
             category: str = "Testing"
     ):
         self.label = "no_params"  # This is just used for naming Terraform resources and variables
+        self.enforce = enforcement_mode
         self.initiative_name = self._initiative_name(
             subscription_name=subscription_name, management_group=management_group
         )
@@ -29,13 +30,16 @@ def __init__(
             self.enforcement_string = "false"
         self.category = category
 
-    @staticmethod
-    def _initiative_name(subscription_name: str, management_group: str) -> str:
+    def _initiative_name(self, subscription_name: str, management_group: str) -> str:
         if subscription_name == "" and management_group == "":
             raise Exception(
                 "Please supply a value for the subscription name or the management group"
             )
         parameter_requirement_str = "NP"
+        if self.enforce:
+            parameter_requirement_str = "NP-Enforce"
+        else:
+            parameter_requirement_str = f"{parameter_requirement_str}-Audit"
         if subscription_name:
             initiative_name = utils.format_policy_name(subscription_name, parameter_requirement_str)
         else:
@@ -163,6 +167,7 @@ def __init__(
             enforcement_mode: bool = False,
             category: str = "Testing"
     ):
+        self.enforce = enforcement_mode
         self.name = self._initiative_name(
             subscription_name=subscription_name, management_group=management_group,
             parameter_requirement_str=parameter_requirement_str
@@ -177,13 +182,15 @@ def __init__(
         else:
             self.enforcement_string = "false"
 
-    @staticmethod
-    def _initiative_name(subscription_name: str, management_group: str, parameter_requirement_str: str) -> str:
+    def _initiative_name(self, subscription_name: str, management_group: str, parameter_requirement_str: str) -> str:
         if subscription_name == "" and management_group == "":
             raise Exception(
                 "Please supply a value for the subscription name or the management group"
             )
-
+        if self.enforce:
+            parameter_requirement_str = f"{parameter_requirement_str}-Enforce"
+        else:
+            parameter_requirement_str = f"{parameter_requirement_str}-Audit"
         if subscription_name:
             initiative_name = utils.format_policy_name(subscription_name, parameter_requirement_str)
         else: