Adding the policy definition version to the reconstructed policy definition object and check for the version element in 4 places. (#891)

* add version to splatted $definition object

* comment update

* compare policy set with policy set
JerJon authored Mar 7, 2025
1 parent 5e7cf57 commit f4bf1fb
Showing 3 changed files with 17 additions and 22 deletions.
6 changes: 4 additions & 2 deletions Scripts/Helpers/Build-PolicyPlan.ps1
@@ -49,12 +49,13 @@ function Build-PolicyPlan {

$definitionProperties = Get-PolicyResourceProperties -PolicyResource $definitionObject
$name = $definitionObject.name

$id = "$deploymentRootScope/providers/Microsoft.Authorization/policyDefinitions/$name"
$displayName = $definitionProperties.displayName
$description = $definitionProperties.description
$metadata = Get-DeepCloneAsOrderedHashtable $definitionProperties.metadata
$mode = $definitionProperties.mode
$version = $definitionProperties.version
$parameters = $definitionProperties.parameters
$policyRule = $definitionProperties.policyRule
if ($null -ne $metadata) {
@@ -114,6 +115,7 @@ function Build-PolicyPlan {
displayName = $displayName
description = $description
mode = $mode
version = $version
metadata = $metadata
parameters = $parameters
policyRule = $policyRule
@@ -193,7 +195,7 @@ function Build-PolicyPlan {
Write-Information "New '$($displayName)'"
}
}


$strategy = $PacEnvironment.desiredState.strategy
foreach ($id in $deleteCandidates.Keys) {
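Review bot: `$version = $definitionProperties.version` and the new `version = $version` entry in the splatted object are unconditional, so a definition file that declares no version yields a `version` key holding `$null` in the reconstructed object instead of an absent key; if consumers outside this hunk (presumably the plan comparison against the deployed definition) treat a null property differently from a missing one, every such definition would show up as changed. If that distinction matters, add the key only when a version is present, e.g. `if ($null -ne $version) { $definition.version = $version }`, or put a comment on the `$version` line stating that a null version is intentionally passed through. The same unconditional pattern appears in the Build-PolicySetPlan.ps1 hunks below. Build-PolicyPlan starts before this hunk and continues after it.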
2 changes: 2 additions & 0 deletions Scripts/Helpers/Build-PolicySetPlan.ps1
@@ -49,6 +49,7 @@ function Build-PolicySetPlan {
$displayName = $definitionProperties.displayName
$description = $definitionProperties.description
$metadata = Get-DeepCloneAsOrderedHashtable $definitionProperties.metadata
$version = $definitionProperties.version
$parameters = $definitionProperties.parameters
$policyDefinitions = $definitionProperties.policyDefinitions
$policyDefinitionGroups = $definitionProperties.policyDefinitionGroups
@@ -182,6 +183,7 @@ function Build-PolicySetPlan {
displayName = $displayName
description = $description
metadata = $metadata
version = $version
parameters = $parameters
policyDefinitions = $policyDefinitionsFinal
policyDefinitionGroups = $policyDefinitionGroupsFinal
31 changes: 11 additions & 20 deletions Scripts/Helpers/Confirm-PolicyDefinitionsInPolicySetMatch.ps1
@@ -28,8 +28,8 @@ function Confirm-PolicyDefinitionsInPolicySetMatch {
return $false
}
for ($i = 0; $i -le $Object1.Count; $i++) {
$item1 = $Object1[$i]
$item2 = $Object2[$i]
$item1 = $Object1[$i] # this is the Azure Policy definition set
$item2 = $Object2[$i] # this is the local policy definition set
if ($item1 -ne $item2) {
$policyDefinitionReferenceIdMatches = $item1.policyDefinitionReferenceId -eq $item2.policyDefinitionReferenceId
if (!$policyDefinitionReferenceIdMatches) {
@@ -39,24 +39,15 @@ function Confirm-PolicyDefinitionsInPolicySetMatch {
if (!$policyDefinitionIdMatches) {
return $false
}
if ($null -ne $item2.definitionVersion) {
# ignore auto-generated definitionVersion, only compare if Policy definition entry has a definitionVersion
$deployedPolicyDefinitionVersion = $Definitions[$item1.policyDefinitionId].properties.version
if ($null -eq $deployedPolicyDefinitionVersion) {
# Custom policy definition - version is in a different place
$deployedPolicyDefinitionVersion = $Definitions[$item1.policyDefinitionId].metadata.version
}
# $definitionVersionMatches = $item1.definitionVersion -eq $item2.definitionVersion
# if (!$definitionVersionMatches) {
# return $false
# }
$definitionVersionMatches = Compare-SemanticVersion -Version1 $deployedPolicyDefinitionVersion -Version2 $item2.definitionVersion
if ($definitionVersionMatches -ne 0) {
Write-Verbose "Definition Id: $($item1.policyDefinitionId)"
Write-Verbose "DefinitionVersion does not match: Azure: $deployedPolicyDefinitionVersion, Local: $($item2.definitionVersion)"
return $false
}

# Validate the Azure definitionVersion with the local definitionVersion, if the local definitionVersion doesn't exist and the Azure definitionVersion is not equal to latest policy version then return false
$definitionVersionMatches = Compare-SemanticVersion -Version1 $($item1.definitionVersion ?? $Definitions[$item1.policyDefinitionId].properties.version ?? '1.*.*') -Version2 $($item2.definitionVersion ?? $Definitions[$item1.policyDefinitionId].properties.version ?? '1.*.*')
if ($definitionVersionMatches -ne 0) {
Write-Verbose "Definition Id: $($item1.policyDefinitionId)"
Write-Verbose "DefinitionVersion does not match: Azure: $($item1.definitionVersion), Local: $($item2.definitionVersion)"
return $false
}

$groupNames1 = $item1.groupNames
$groupNames2 = $item2.groupNames
if ($null -eq $groupNames1 -and $null -eq $groupNames2 -and $i -eq $Object1.Count) {
@@ -79,7 +70,7 @@ function Confirm-PolicyDefinitionsInPolicySetMatch {
return $false
}
}

$parametersUsageMatches = Confirm-ParametersUsageMatches `
-ExistingParametersObj $item1.parameters `
-DefinedParametersObj $item2.parameters `
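Review bot: The new `Write-Verbose "DefinitionVersion does not match: Azure: $($item1.definitionVersion), Local: $($item2.definitionVersion)"` line prints the raw `definitionVersion` properties rather than the coalesced values the preceding `Compare-SemanticVersion` call actually compared, so whenever the `??` fallback to `$Definitions[$item1.policyDefinitionId].properties.version` or `'1.*.*'` was taken the log shows an empty side and cannot explain the mismatch. Computing the two coalesced values into locals once, comparing those, and logging the same locals fixes the message and also drops the duplicated `$Definitions[...]` lookup. Separately, `??` is only available in PowerShell 7 or later; if this module is still meant to load under Windows PowerShell 5.1 the line will fail to parse, which is worth checking against the project's declared minimum version. The enclosing for loop and function begin and end outside the hunk.
```powershell
# Validate the Azure definitionVersion with the local definitionVersion; fall back to the
# deployed definition's version, then to the wildcard default, when either side is missing.
$deployedDefinitionVersion = $Definitions[$item1.policyDefinitionId].properties.version
$azureDefinitionVersion = $item1.definitionVersion ?? $deployedDefinitionVersion ?? '1.*.*'
$localDefinitionVersion = $item2.definitionVersion ?? $deployedDefinitionVersion ?? '1.*.*'
$definitionVersionMatches = Compare-SemanticVersion -Version1 $azureDefinitionVersion -Version2 $localDefinitionVersion
if ($definitionVersionMatches -ne 0) {
    Write-Verbose "Definition Id: $($item1.policyDefinitionId)"
    Write-Verbose "DefinitionVersion does not match: Azure: $azureDefinitionVersion, Local: $localDefinitionVersion"
    return $false
}
# ... unchanged: groupNames comparison ...
```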
