Minor typos and bug fixes. (#453)

Azure · Jan 19, 2024 · 0a851ef · 0a851ef
1 parent 5e25af1
commit 0a851ef
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 43 deletions.
diff --git a/Docs/definitions-and-global-settings.md b/Docs/definitions-and-global-settings.md
@@ -56,7 +56,9 @@ EPAC has a concept of an environment identified by a string (unique per reposito
 - `rootDefinitionScope` - the deployment scope for the Policies and Policy Sets to be used in assignments later.
   - Policy Assignments can only defined at this scope and child scopes (recursive).
   - Operational tasks, such as `Create-AzRemediationTasks.ps1`, must use the same `rootDefinitionScope` or they will fail.
-- Optional: define `desiredState` strategy. This element is documented [here](desired-state-strategy.md).
+- Optional: define `desiredState` strategy. This element is documented in two places:
+  - [Desired State Strategy](desired-state-strategy.md). and 
+  - [Managing Defender for Cloud Assignments](dfc-assignments.md).
 
 Like any other software or IaC solution, EPAC needs areas for developing and testing new Policies, Policy Sets and Policy Assignments before any deployment to EPAC prod environments. In most cases you will need one management group hierarchy to simulate EPAC production management groups for development and testing of Policies. EPAC's prod environment will govern all other IaC environments (e.g., sandbox, development, integration, test/qa, pre-prod, prod, ...) and tenants. This can be confusing. We will use EPAC environment(s) and IaC environments to disambiguate the environments.
 

diff --git a/Docs/desired-state-strategy.md b/Docs/desired-state-strategy.md
@@ -1,4 +1,4 @@
-# Desired state strategy
+# Desired State Strategy
 
 Desired State strategy enables shared responsibility scenarios. the following documents the archetypical use cases. For complex scenarios it is possible to combine multiple use cases.
 

diff --git a/Docs/dfc-assignments.md b/Docs/dfc-assignments.md
@@ -13,10 +13,10 @@ Prior to v9.0.0 of EPAC, Defender for Cloud Assignments were removed by EPAC. Th
 
 ## Revised behavior of EPAC Starting with v9.0.0:
 
-* EPAC **no longer manages** Defender for Cloud Assignments required for Defender Plans. 
+* EPAC **no longer manages (removes)** `Defender for Cloud`'s Policy Assignments required for enabled Defender Plans. 
 * EPAC behavior for Security Policy **is controlled by** the `keepDfcSecurityAssignments` in `desiredState` setting per `pacEnvironment` in `global-settings.jsonc`.
-    * If set to `true`, EPAC will **not** remove Security Policy Set Assignments created by Defender for Cloud.
-    * If **omitted** or **set to `false`**, EPAC will remove Security Policy Set Assignments created by Defender for Cloud.
+    * If set to `true` or `strategy` is `ownedOnly`, EPAC will **not** remove Security Policy assignments created by Defender for Cloud.
+    * If **omitted** or **set to `false`** and `strategy` is `full`, EPAC will remove Security Policy Set Assignments created by Defender for Cloud.
 
     ```json
     "desiredState": {
@@ -25,7 +25,7 @@ Prior to v9.0.0 of EPAC, Defender for Cloud Assignments were removed by EPAC. Th
     }
     ```
 
-**Security Policies should be manged by EPAC at the Management Group level.**; This is the recommended approach for managing Security Policies instead of relying on the auto-assignments.
+**Security Policies should be manged by EPAC at the Management Group level**; this is the recommended approach for managing Security Policies instead of relying on the auto-assignments.
 
 ## Defender for Cloud Settings
 

diff --git a/Docs/index.md b/Docs/index.md
@@ -39,10 +39,10 @@ You have the right and means to **opt-out**; see [Usage Tracking](usage-tracking
 
 ## EPAC and Defender for Cloud Assignments
 
-Defender for Cloud uses Azure Policy Assignments to enable and configure the various capabilities. Prior to v9.0.0 of EPAC removed these subscription-level assignments.
+Defender for Cloud uses Azure Policy Assignments to enable and configure the various capabilities. Prior to v9.0.0 EPAC removed these subscription-level assignments.
 
 * Policy Assignments required for Defender plans (e.g., SQL, App Service, ...). These is no longer managed (removed) by EPAC v9.0.0 and later.
-* Policy Assignments required for Security policies (e.g., Microsoft Cloud Security Benchmark, NIST 800-53 Rev 5, NIST 800-171, ...). The defult `desiredState` behavior is to manage (remove) these assignments. Setting `keepDfcSecurityAssignments` to `true` disables the management (removal) by EPAC.
+* Policy Assignments required for Security policies (e.g., Microsoft Cloud Security Benchmark, NIST 800-53 Rev 5, NIST 800-171, ...). The default `desiredState` behavior is to manage (remove) these assignments. Setting `keepDfcSecurityAssignments` to `true` disables the management (removal) by EPAC.
 
 Carefully review [Managing Defender for Cloud Assignments](dfc-assignments.md) .
 

diff --git a/Scripts/Helpers/Build-AssignmentPlan.ps1 b/Scripts/Helpers/Build-AssignmentPlan.ps1
@@ -116,12 +116,12 @@ function Build-AssignmentPlan {
                 # Remove-NullFields $assignment
                 $id = $assignment.id
                 $AllAssignments[$id] = $assignment
-                $DisplayName = $assignment.displayName
+                $displayName = $assignment.displayName
                 $description = $assignment.description
                 $metadata = $assignment.metadata
                 $parameters = $assignment.parameters
                 $policyDefinitionId = $assignment.policyDefinitionId
-                $Scope = $assignment.scope
+                $scope = $assignment.scope
                 $notScopes = $assignment.notScopes
                 $enforcementMode = $assignment.enforcementMode
                 $nonComplianceMessages = $assignment.nonComplianceMessages
@@ -135,7 +135,7 @@ function Build-AssignmentPlan {
 
                     $replacedDefinition = $ReplaceDefinitions.ContainsKey($policyDefinitionId)
                     $changedPolicyDefinitionId = $policyDefinitionId -ne $deployedPolicyAssignmentProperties.policyDefinitionId
-                    $displayNameMatches = $DisplayName -eq $deployedPolicyAssignmentProperties.displayName
+                    $displayNameMatches = $displayName -eq $deployedPolicyAssignmentProperties.displayName
                     $descriptionMatches = $description -eq $deployedPolicyAssignmentProperties.description
                     $notScopesMatch = Confirm-ObjectValueEqualityDeep `
                         $deployedPolicyAssignmentProperties.notScopes `
@@ -185,10 +185,10 @@ function Build-AssignmentPlan {
                         $Assignments.numberUnchanged++
                         if ($identityStatus.requiresRoleChanges) {
                             # role assignments for Managed Identity changed - caused by a mangedIdentityLocation changed or a previously failed role assignment failure
-                            Write-AssignmentDetails -DisplayName $DisplayName -Scope $Scope -Prefix "Update($($identityStatus.changedIdentityStrings -join ','))" -IdentityStatus $identityStatus
+                            Write-AssignmentDetails -DisplayName $displayName -Scope $scope -Prefix "Update($($identityStatus.changedIdentityStrings -join ','))" -IdentityStatus $identityStatus
                         }
                         else {
-                            # Write-AssignmentDetails -DisplayName $DisplayName -Scope $Scope -Prefix "Unchanged" -IdentityStatus $identityStatus
+                            # Write-AssignmentDetails -DisplayName $displayName -Scope $scope -Prefix "Unchanged" -IdentityStatus $identityStatus
                         }
                     }
                     else {
@@ -239,11 +239,11 @@ function Build-AssignmentPlan {
                         if ($identityStatus.replaced) {
                             # Assignment must be deleted and recreated (new)
                             $null = $Assignments.replace.Add($id, $assignment)
-                            Write-AssignmentDetails -DisplayName $DisplayName -Scope $Scope -Prefix "Replace($changesString)" -IdentityStatus $identityStatus
+                            Write-AssignmentDetails -DisplayName $displayName -Scope $scope -Prefix "Replace($changesString)" -IdentityStatus $identityStatus
                         }
                         else {
                             $null = $Assignments.update.Add($id, $assignment)
-                            Write-AssignmentDetails -DisplayName $DisplayName -Scope $Scope -Prefix "Update($changesString)" -IdentityStatus $identityStatus
+                            Write-AssignmentDetails -DisplayName $displayName -Scope $scope -Prefix "Update($changesString)" -IdentityStatus $identityStatus
                         }
                         $Assignments.numberOfChanges++
                     }
@@ -264,7 +264,7 @@ function Build-AssignmentPlan {
                     if ($identityStatus.isUserAssigned) {
                         $isUserAssignedAny = $true
                     }
-                    Write-AssignmentDetails -DisplayName $DisplayName -Scope $Scope -Prefix "New" -IdentityStatus $identityStatus
+                    Write-AssignmentDetails -DisplayName $displayName -Scope $scope -Prefix "New" -IdentityStatus $identityStatus
                 }
             }
         }
@@ -276,8 +276,8 @@ function Build-AssignmentPlan {
                 $deleteCandidate = $deleteCandidates.$id
                 $deleteCandidateProperties = Get-PolicyResourceProperties $deleteCandidate
                 $name = $deleteCandidate.name
-                $DisplayName = $deleteCandidateProperties.displayName
-                $Scope = $deleteCandidateProperties.scope
+                $displayName = $deleteCandidateProperties.displayName
+                $scope = $deleteCandidateProperties.scope
                 $pacOwner = $deleteCandidate.pacOwner
                 $shallDelete = Confirm-DeleteForStrategy -PacOwner $pacOwner -Strategy $strategy -KeepDfcSecurityAssignments $keepDfcSecurityAssignments
                 if ($shallDelete) {
@@ -296,12 +296,12 @@ function Build-AssignmentPlan {
                     if ($identityStatus.isUserAssigned) {
                         $isUserAssignedAny = $true
                     }
-                    Write-AssignmentDetails -DisplayName $DisplayName -Scope $Scope -Prefix "Delete" -IdentityStatus $identityStatus
+                    Write-AssignmentDetails -DisplayName $displayName -Scope $scope -Prefix "Delete" -IdentityStatus $identityStatus
                     $splat = @{
                         id          = $id
                         name        = $name
-                        scopeId     = $Scope
-                        displayName = $DisplayName
+                        scopeId     = $scope
+                        displayName = $displayName
                     }
 
                     $AllAssignments.Remove($id)
@@ -319,27 +319,28 @@ function Build-AssignmentPlan {
                         replaced               = $false
                         isUserAssigned         = $false
                     }
-                    $shortScope = $Scope -replace "/providers/Microsoft.Management", ""
+                    $shortScope = $scope -replace "/providers/Microsoft.Management", ""
                     switch ($pacOwner) {
                         thisPaC { 
-                            Write-Error "Policy Assignment '$DisplayName' at $shortScope owned by this Policy as Code solution should have been deleted." -ErrorAction Stop
+                            Write-Error "Policy Assignment '$displayName' at $shortScope owned by this Policy as Code solution should have been deleted." -ErrorAction Stop
                         }
                         otherPaC {
                             if ($VerbosePreference -eq "Continue") {
-                                Write-AssignmentDetails -DisplayName $name -Scope $Scope -Prefix "Skipping delete (owened by other PaC):" -IdentityStatus $identityStatus
+                                Write-AssignmentDetails -DisplayName $displayName -Scope $shortScope -Prefix "Skipping delete (owened by other PaC):" -IdentityStatus $identityStatus
                             }
                         }
                         unknownOwner {
-                            Write-AssignmentDetails -DisplayName $name -Scope $Scope -Prefix "Skipping delete (strategy $strategy):" -IdentityStatus $identityStatus
+                            if ($VerbosePreference -eq "Continue") {
+                                Write-AssignmentDetails -DisplayName $displayName -Scope $shortScope -Prefix "Skipping delete (strategy $strategy):" -IdentityStatus $identityStatus
+                            }
                         }
                         managedByDfcSecurityPolicies {
-                            Write-AssignmentDetails -DisplayName $name -Scope $Scope -Prefix "Skipping delete (DfC Security Policies):" -IdentityStatus $identityStatus
+                            Write-AssignmentDetails -DisplayName $displayName -Scope $shortScope -Prefix "Skipping delete (DfC Security Policies):" -IdentityStatus $identityStatus
                         }
                         managedByDfcDefenderPlans {
-                            Write-AssignmentDetails -DisplayName $name -Scope $Scope -Prefix "Skipping delete (DfC Defender Plans):" -IdentityStatus $identityStatus
+                            Write-AssignmentDetails -DisplayName $displayName -Scope $shortScope -Prefix "Skipping delete (DfC Defender Plans):" -IdentityStatus $identityStatus
                         }
                     }
-
                 } 
             }
         }

diff --git a/Scripts/Helpers/Convert-EffectToOrdinal.ps1 b/Scripts/Helpers/Convert-EffectToOrdinal.ps1
@@ -3,21 +3,16 @@ function Convert-EffectToOrdinal {
         [string] $Effect
     )
 
-    $effect2sortOrdinal = @{
-        Modify            = 0
-        Append            = 0
-        DeployIfNotExists = 0
-        Deny              = 1
-        Audit             = 2
-        Manual            = 2
-        AuditIfNotExists  = 3
-        Disabled          = 4
-    }
-
-
-    $ordinal = -1 # should not be possible
-    if ($effect2sortOrdinal.ContainsKey($Effect)) {
-        $ordinal = $effect2sortOrdinal.$Effect
+    $ordinal = switch ($Effect) {
+        "Modify" { $ordinal = 0 }
+        "Append" { $ordinal = 0 }
+        "DeployIfNotExists" { $ordinal = 0 }
+        "Deny" { $ordinal = 1 }
+        "Audit" { $ordinal = 2 }
+        "Manual" { $ordinal = 2 }
+        "AuditIfNotExists" { $ordinal = 2 }
+        "Disabled" { $ordinal = 9 }
+        default { $ordinal = 9 }
     }
     return $ordinal
 }