From 439aa90b2a60036f9a5f439fe0d5b869b1841067 Mon Sep 17 00:00:00 2001 From: JBakstPaloAlto Date: Tue, 3 Dec 2024 10:28:15 +0200 Subject: [PATCH 1/8] Initial commit --- .../custom-build-policies/code-editor.adoc | 26 +++++++++-- .../custom-build-policies.adoc | 16 +++++-- .../custom-build-policy-examples.adoc | 45 +++++++++++++++++++ .../custom-build-policies/visual-editor.adoc | 2 +- 4 files changed, 80 insertions(+), 9 deletions(-) diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc index 8ad9a199e7..1a693a8436 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc @@ -3,7 +3,8 @@ [.task] == Code Editor -Prisma Cloud supports Code Editor capability where you can create a policy rule for custom Configuration policies during Build-time checks. Code Editor is the default view for Build policy rule and as an example a YAML policy template is always available on the Prisma Cloud console. +Prisma Cloud's Code Editor allows you to define advanced custom policies for build-time checks. Users can leverage YAML templates, logic operators, and framework support to create complex policies tailored to specific compliance or security requirements. + The Code Editor is a suitable option when you want to create complex custom policies that include both Attribute and Connection-State with a support of AND/OR logic. However, for custom secrets Code Editor supports only an OR logic. === How to Create Custom Policies 
@@ -14,9 +15,18 @@ The Code Editor is a suitable option when you want to create complex custom poli //+ //image::governance/code-editor.png + -The Code Editor is as a default view with an example of a YAML template. -+ -In this example, you see the YAML template with custom secrets where `secrets` is a `category`. +The Code Editor provides a default view with an example of a YAML template. + +THe Yaml file includes the following arguments: + +* *guidelines*: Sets general rules for policy creation +* *category*: Specifies the type of policy +* *frameworks*: Identifies the applicable framework. If no framework is specified, the policy applies to all frameworks. If a framework is specified, the policy applies only to the selected framework. +* *scope*: Defines the level of applicability for the policy +* *provider*: Specifies the cloud provider or source for the resources +* *definition*: Contains the logic and conditions for the policy, including attributes, operators, and resource connections +//+ +//In this example, you see the YAML template with custom secrets where `secrets` is a `category`. //+ //image::governance/code-editor-7.png @@ -425,3 +435,11 @@ definition: - "my-super-secret-password-regex" +=== ARM capabilities in the Code editor + +* ARM is an Azure-specific framework +* You can define a policy that either applies to both ARM and Bicep with shared arguments and syntax, or you can limit the policy to either ARM or Bicep +* The ARM framework supports explicit and implicit dependencies. This does not include embedded child and loop dependencies +* ARM amd Bicep share the same resource types. By default, an ARM policy applies to both ARM and Bicep unless unless explicitly restricted to ARM +* If you select ARM as the framework, the definitions are automatically updated to align with ARM's requirements +* ARM supports periodic scans, PR scans, IDEscans and CLI scans \ No newline at end of file 
diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc index 8924be69df..f72438beb6 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc 
@@ -5,10 +5,18 @@ Prisma Cloud includes out-of-the-box policies that enable you to detect misconfi You can create custom build policies for the following frameworks: -* *Terraform* - Policies written using Terraform attributes will apply for Terraform (.tf and plan files). -* *Bicep*: Policies defined using Bicep resources and attributes will apply for tailored Azure Bicep resource governance. -* *CloudFormation* - Policies written using CloudFormation attributes will apply for CloudFormation, AWS Serverless Application Model (SAM), and Cloud Development Kit (CDK). -* *Kubernetes* - Policies written using Kubernetes attributes will apply for Kubernetes, Helm, and Kustomize. +* *Terraform* - Policies written using Terraform attributes will apply for Terraform (.tf and plan files) +* *Bicep*: Policies defined using Bicep resources and attributes will apply for tailored Azure Bicep resource governance +* *ARM* + +* ARM is an Azure-specific framework +* You can define a policy that either applies to both ARM and Bicep with shared arguments and syntax, or you can limit the policy to either ARM or Bicep +* The ARM framework supports explicit and implicit dependencies. This does not include embedded child and loop dependencies +* ARM amd Bicep share the same resource types. By default, an ARM policy applies to both ARM and Bicep unless unless explicitly restricted to ARM +* If you select ARM as the framework, the definitions are automatically updated to align with ARM's requirements +* ARM supports periodic scans, PR scans, IDEscans and CLI scans +* *CloudFormation* - Policies written using CloudFormation attributes will apply for CloudFormation, AWS Serverless Application Model (SAM), and Cloud Development Kit (CDK) +* *Kubernetes* - Policies written using Kubernetes attributes will apply for Kubernetes, Helm, and Kustomize An *AI & Machine Learning* category enables granular control over build configurations for machine learning and artificial intelligence workloads. 
This category can be leveraged in relevant dashboards through the IaC Category filter, facilitating streamlined policy management for AI resources. diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc index e29b6dc628..520be265ca 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc @@ -4,6 +4,7 @@ To create code-based policies for your infrastructure, use these examples as gui * <> * <> +* << ARM Example,[#arm-example]>> * <> * <> * <> @@ -56,6 +57,50 @@ definition: value: Enabled ---- +[#arm-example] +=== ARM Example + +[source,json] +---- +metadata: + name: "Ensure Azure Synapse Workspace has extended audit logs" + guidelines: "..." + category: "logging" +definition: + and: + - cond_type: filter + attribute: resource_type + value: + - Microsoft.Synapse/workspaces + operator: within + - cond_type: connection + resource_types: + - Microsoft.Synapse/workspaces + connected_resource_types: + - Microsoft.Synapse/workspaces/extendedAuditingPolicies + operator: exists + - or: + - and: + - cond_type: attribute + resource_types: + - Microsoft.Synapse/workspaces/extendedAuditingPolicies + attribute: properties.state + operator: exists + + - cond_type: attribute + resource_types: + - Microsoft.Synapse/workspaces/extendedAuditingPolicies + attribute: properties.state + operator: equals + value: Enabled + - cond_type: attribute + resource_types: + - Microsoft.Synapse/workspaces/extendedAuditingPolicies + attribute: properties.state + operator: not_exists + +---- + [#terraform-examples] === Terraform Examples 
diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/visual-editor.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/visual-editor.adoc index 0a8c0c27fb..50ba2df2d9 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/visual-editor.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/visual-editor.adoc @@ -57,7 +57,7 @@ Policies are categorized by type. Options include Elasticsearch, General, IAM, K . Select the target *Framework*. + -NOTE: Framework options include: Terraform, Kubernetes, CloudFormation and Bicep. +NOTE: Supported frameworks include Terraform, Kubernetes, CloudFormation, Bicep, and ARM. You can assign multiple frameworks to a single policy; for example, a policy can be configured to support both Bicep and ARM. . Select a *Cloud Provider*. From 51e0402bfdf4f0cdd57e22773b5e9a1062651dd0 Mon Sep 17 00:00:00 2001 From: JBakstPaloAlto Date: Tue, 3 Dec 2024 10:42:36 +0200 Subject: [PATCH 2/8] Revise yaml example --- .../custom-build-policies/code-editor.adoc | 8 -------- .../custom-build-policies.adoc | 13 ++++++------- .../custom-build-policy-examples.adoc | 6 ++---- 3 files changed, 8 insertions(+), 19 deletions(-) diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc index 1a693a8436..12417be066 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc 
@@ -435,11 +435,3 @@ definition: - "my-super-secret-password-regex" -=== ARM capabilities in the Code editor - -* ARM is an Azure-specific framework -* You can define a policy that either applies to both ARM and Bicep with shared arguments and syntax, or you can limit the policy to either ARM or Bicep -* The ARM framework supports explicit and implicit dependencies. This does not include embedded child and loop dependencies -* ARM amd Bicep share the same resource types. By default, an ARM policy applies to both ARM and Bicep unless unless explicitly restricted to ARM -* If you select ARM as the framework, the definitions are automatically updated to align with ARM's requirements -* ARM supports periodic scans, PR scans, IDEscans and CLI scans \ No newline at end of file diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc index f72438beb6..003b339090 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc 
@@ -8,13 +8,12 @@ You can create custom build policies for the following frameworks: * *Terraform* - Policies written using Terraform attributes will apply for Terraform (.tf and plan files) * *Bicep*: Policies defined using Bicep resources and attributes will apply for tailored Azure Bicep resource governance * *ARM* - -* ARM is an Azure-specific framework -* You can define a policy that either applies to both ARM and Bicep with shared arguments and syntax, or you can limit the policy to either ARM or Bicep -* The ARM framework supports explicit and implicit dependencies. This does not include embedded child and loop dependencies -* ARM amd Bicep share the same resource types. By default, an ARM policy applies to both ARM and Bicep unless unless explicitly restricted to ARM -* If you select ARM as the framework, the definitions are automatically updated to align with ARM's requirements -* ARM supports periodic scans, PR scans, IDEscans and CLI scans +** ARM is an Azure-specific framework +** You can define a policy that either applies to both ARM and Bicep with shared arguments and syntax, or you can limit the policy to either ARM or Bicep +** The ARM framework supports explicit and implicit dependencies. This does not include embedded child and loop dependencies +** ARM amd Bicep share the same resource types. By default, an ARM policy applies to both ARM and Bicep unless unless explicitly restricted to ARM +** If you select ARM as the framework, the definitions are automatically updated to align with ARM's requirements +** ARM supports periodic scans, PR scans, IDEscans and CLI scans * *CloudFormation* - Policies written using CloudFormation attributes will apply for CloudFormation, AWS Serverless Application Model (SAM), and Cloud Development Kit (CDK) * *Kubernetes* - Policies written using Kubernetes attributes will apply for Kubernetes, Helm, and Kustomize 
diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc index 520be265ca..2146fe2a50 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc @@ -60,7 +60,7 @@ definition: [#arm-example] === ARM Example -[source,json] +[source,yaml] ---- metadata: name: "Ensure Azure Synapse Workspace has extended audit logs" @@ -86,19 +86,17 @@ definition: - Microsoft.Synapse/workspaces/extendedAuditingPolicies attribute: properties.state operator: exists - - cond_type: attribute resource_types: - Microsoft.Synapse/workspaces/extendedAuditingPolicies attribute: properties.state operator: equals value: Enabled - - cond_type: attribute + - cond_type: attribute # This line is correctly indented resource_types: - Microsoft.Synapse/workspaces/extendedAuditingPolicies attribute: properties.state operator: not_exists - ---- [#terraform-examples] From cfbd21ef218d268c79e587e281f6d553b75d19be Mon Sep 17 00:00:00 2001 From: JBakstPaloAlto Date: Tue, 3 Dec 2024 11:14:24 +0200 Subject: [PATCH 3/8] removed yaml definitions from procedure --- .../custom-build-policies/code-editor.adoc | 33 +++++++++++-------- .../custom-build-policy-examples.adoc | 2 +- .../custom-build-policies/visual-editor.adoc | 2 +- 3 files changed, 21 insertions(+), 16 deletions(-) diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc index 12417be066..cdd649eb2c 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc 
+++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc @@ -11,32 +11,24 @@ The Code Editor is a suitable option when you want to create complex custom poli [.procedure] -.. Select *Policies > Add Policy > Config > Add Policy Details* and then select *Next*. +. Select *Policies > Add Policy > Config > Add Policy Details* and then select *Next*. //+ //image::governance/code-editor.png + -The Code Editor provides a default view with an example of a YAML template. +The Code Editor provides a default view with an example of a YAML template. See <<#yml_attr,YAML Policy Attribute>> below for details of the YAML file attributes. -THe Yaml file includes the following arguments: - -* *guidelines*: Sets general rules for policy creation -* *category*: Specifies the type of policy -* *frameworks*: Identifies the applicable framework. If no framework is specified, the policy applies to all frameworks. If a framework is specified, the policy applies only to the selected framework. -* *scope*: Defines the level of applicability for the policy -* *provider*: Specifies the cloud provider or source for the resources -* *definition*: Contains the logic and conditions for the policy, including attributes, operators, and resource connections //+ //In this example, you see the YAML template with custom secrets where `secrets` is a `category`. //+ //image::governance/code-editor-7.png -.. Select *More Options* and then select *Clear Editor* to remove the YAML template example. +. Select *More Options* and then select *Clear Editor* to remove the YAML template example. //+ //image::governance/code-editor-1.png -.. Add your custom YAML code. +. Add your custom YAML code. -.. Select *Test* to test your custom code. +. Select *Test* to test your custom code. //+ //image::governance/code-editor-2.png + 
@@ -56,12 +48,25 @@ If there are errors in your custom code during a test, the console displays a so //+ //image::governance/code-editor-5.png -.. Select *Validate and Next* to access *Compliance Standards* to complete the custom Build-time check policy. +. Select *Validate and Next* to access *Compliance Standards* to complete the custom Build-time check policy. //+ //image::governance/code-editor-6.png + NOTE: You are in *Step 2* of Create Custom Policies for Build-Time Checks. You are required to complete the rest of the steps to see your new custom Build-time check policy on the Prisma Cloud console. +[#yml_attr] +=== YAML Policy Attributes + +The Yaml file includes the following arguments: + +* *guidelines*: Sets general rules for policy creation +* *category*: Specifies the type of policy +* *frameworks*: Identifies the applicable framework. If no framework is specified, the policy applies to all frameworks. If a framework is specified, the policy applies only to the selected framework. +* *scope*: Defines the level of applicability for the policy +* *provider*: Specifies the cloud provider or source for the resources +* *definition*: Contains the logic and conditions for the policy, including attributes, operators, and resource connections + + === Limitation Nesting connection condition types within a 'NOT' block is not currently supported. diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc index 2146fe2a50..de3b3696a2 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc 
@@ -4,7 +4,7 @@ To create code-based policies for your infrastructure, use these examples as gui * <> * <> -* << ARM Example,[#arm-example]>> +* << ARM Example,#arm-example>> * <> * <> * <> diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/visual-editor.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/visual-editor.adoc index 50ba2df2d9..a223633253 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/visual-editor.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/visual-editor.adoc @@ -57,7 +57,7 @@ Policies are categorized by type. Options include Elasticsearch, General, IAM, K . Select the target *Framework*. + -NOTE: Supported frameworks include Terraform, Kubernetes, CloudFormation, Bicep, and ARM. You can assign multiple frameworks to a single policy; for example, a policy can be configured to support both Bicep and ARM. +NOTE: Supported frameworks include Terraform, Kubernetes, CloudFormation, Bicep, and ARM. You can assign multiple frameworks to a single policy. For example, a policy can be configured to support both Bicep and ARM. . Select a *Cloud Provider*. From d184378e9d9ad168d5f9f1d06922dd011f72e7ee Mon Sep 17 00:00:00 2001 From: JBakstPaloAlto Date: Tue, 3 Dec 2024 11:29:09 +0200 Subject: [PATCH 4/8] fix steps --- .../custom-build-policies/code-editor.adoc | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc index cdd649eb2c..0060264f9e 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc 
@@ -12,19 +12,10 @@ The Code Editor is a suitable option when you want to create complex custom poli [.procedure] . Select *Policies > Add Policy > Config > Add Policy Details* and then select *Next*. -//+ -//image::governance/code-editor.png + The Code Editor provides a default view with an example of a YAML template. See <<#yml_attr,YAML Policy Attribute>> below for details of the YAML file attributes. -//+ -//In this example, you see the YAML template with custom secrets where `secrets` is a `category`. -//+ -//image::governance/code-editor-7.png - . Select *More Options* and then select *Clear Editor* to remove the YAML template example. -//+ -//image::governance/code-editor-1.png . Add your custom YAML code. 
@@ -32,21 +23,8 @@ The Code Editor provides a default view with an example of a YAML template. See //+ //image::governance/code-editor-2.png + -For every test, the console displays up to 30 results. Each time you test your code, Prisma Cloud scans all integrated repositories to give you a list of up to 30 resources that match this custom code policy. -//+ -//image::governance/code-editor-3.png -+ -You can also review the results for more details on the impacted resource and misconfiguration. -//+ -//In this example you see the contextualized information about an impacted resource from your custom code. -//+ -//image::governance/code-editor-4.png -+ -If there are errors in your custom code during a test, the console displays a solution. -//+ -//In this example, you see solution for the errors from your code. -//+ -//image::governance/code-editor-5.png +Each test displays up to 30 results. Prisma Cloud scans all integrated repositories to identify resources that match your custom policy, providing a maximum of 30 results per test. You can review these results for detailed information about impacted resources and misconfigurations. If your custom code contains errors, the console will display suggested solutions. + . Select *Validate and Next* to access *Compliance Standards* to complete the custom Build-time check policy. //+ 
@@ -61,7 +39,7 @@ The Yaml file includes the following arguments: * *guidelines*: Sets general rules for policy creation * *category*: Specifies the type of policy -* *frameworks*: Identifies the applicable framework. If no framework is specified, the policy applies to all frameworks. If a framework is specified, the policy applies only to the selected framework. +* *frameworks*: Identifies the applicable framework. If no framework is specified, the policy applies to all frameworks. If a framework is specified, the policy applies only to the selected framework * *scope*: Defines the level of applicability for the policy * *provider*: Specifies the cloud provider or source for the resources * *definition*: Contains the logic and conditions for the policy, including attributes, operators, and resource connections @@ -440,3 +418,25 @@ definition: - "my-super-secret-password-regex" +//+ +//image::governance/code-editor.png +//+ +//In this example, you see the YAML template with custom secrets where `secrets` is a `category`. +//+ +//image::governance/code-editor-7.png +//+ +//image::governance/code-editor-1.png +//+ +//image::governance/code-editor-3.png +//+ +//You can also review the results for more details on the impacted resource and misconfiguration. +//+ +//In this example you see the contextualized information about an impacted resource from your custom code. +//+ +//image::governance/code-editor-4.png +//+ +//If there are errors in your custom code during a test, the console displays a solution. +//+ +//In this example, you see solution for the errors from your code. +//+ +//image::governance/code-editor-5.png From 72deda69c542255dfbbe0bdeb1d10970c3a76227 Mon Sep 17 00:00:00 2001 From: JBakstPaloAlto Date: Tue, 3 Dec 2024 11:34:02 +0200 Subject: [PATCH 5/8] fix link --- .../custom-build-policies/custom-build-policy-examples.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc index de3b3696a2..6eb87846cf 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc @@ -4,7 +4,7 @@ To create code-based policies for your infrastructure, use these examples as gui * <> * <> -* << ARM Example,#arm-example>> +* << arm-example,ARM Example>> * <> * <> * <> From d6242bca4b39e99cb38d4f1eda40cd8756a8a962 Mon Sep 17 00:00:00 2001 From: JBakstPaloAlto Date: Tue, 3 Dec 2024 11:37:18 +0200 Subject: [PATCH 6/8] fix link2 --- .../custom-build-policies/custom-build-policy-examples.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc index 6eb87846cf..a5ee2b0b77 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policy-examples.adoc @@ -4,7 +4,7 @@ To create code-based policies for your infrastructure, use these examples as gui * <> * <> -* << arm-example,ARM Example>> +* <> * <> * <> * <> From 6fee1fc15b753af17889e817c0a4728379e409a4 Mon Sep 17 00:00:00 2001 
From: JBakstPaloAlto <106007740+JBakstPaloAlto@users.noreply.github.com> Date: Tue, 3 Dec 2024 12:18:50 +0200 Subject: [PATCH 7/8] Apply suggestions from code review Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> --- .../governance/custom-build-policies/code-editor.adoc | 8 ++++---- .../custom-build-policies/custom-build-policies.adoc | 9 ++------- 2 files changed, 6 insertions(+), 11 deletions(-) diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc index 0060264f9e..84ec940d70 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc @@ -11,7 +11,7 @@ The Code Editor is a suitable option when you want to create complex custom poli [.procedure] -. Select *Policies > Add Policy > Config > Add Policy Details* and then select *Next*. +. Select *Governance > Add Policy > Config > Add Details* and then select *Next*. + The Code Editor provides a default view with an example of a YAML template. See <<#yml_attr,YAML Policy Attribute>> below for details of the YAML file attributes. @@ -19,7 +19,7 @@ The Code Editor provides a default view with an example of a YAML template. See . Add your custom YAML code. -. Select *Test* to test your custom code. +. Select *Scan* to test your custom code. //+ //image::governance/code-editor-2.png + 
@@ -37,10 +37,10 @@ NOTE: You are in *Step 2* of Create Custom Policies for Build-Time Checks. You a The Yaml file includes the following arguments: -* *guidelines*: Sets general rules for policy creation +* *guidelines*: Provides guidance for developers who violate the policy * *category*: Specifies the type of policy * *frameworks*: Identifies the applicable framework. If no framework is specified, the policy applies to all frameworks. If a framework is specified, the policy applies only to the selected framework -* *scope*: Defines the level of applicability for the policy +* *scope*: Defines the cloud provider for the policy * *provider*: Specifies the cloud provider or source for the resources * *definition*: Contains the logic and conditions for the policy, including attributes, operators, and resource connections diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc index 003b339090..5b1566e9c6 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc 
@@ -7,13 +7,8 @@ You can create custom build policies for the following frameworks: * *Terraform* - Policies written using Terraform attributes will apply for Terraform (.tf and plan files) * *Bicep*: Policies defined using Bicep resources and attributes will apply for tailored Azure Bicep resource governance -* *ARM* -** ARM is an Azure-specific framework -** You can define a policy that either applies to both ARM and Bicep with shared arguments and syntax, or you can limit the policy to either ARM or Bicep -** The ARM framework supports explicit and implicit dependencies. This does not include embedded child and loop dependencies -** ARM amd Bicep share the same resource types. By default, an ARM policy applies to both ARM and Bicep unless unless explicitly restricted to ARM -** If you select ARM as the framework, the definitions are automatically updated to align with ARM's requirements -** ARM supports periodic scans, PR scans, IDEscans and CLI scans +* *ARM*: Policies defined using ARM resources and attributes will apply for Azure ARM resource governance +** ARM and Bicep use the same policy syntax and can apply to both frameworks with a single attribute clause * *CloudFormation* - Policies written using CloudFormation attributes will apply for CloudFormation, AWS Serverless Application Model (SAM), and Cloud Development Kit (CDK) * *Kubernetes* - Policies written using Kubernetes attributes will apply for Kubernetes, Helm, and Kustomize From 36a1a0a20f460279958e69263c9c7b7e9c62af49 Mon Sep 17 00:00:00 2001 From: JBakstPaloAlto Date: Tue, 3 Dec 2024 12:25:54 +0200 Subject: [PATCH 8/8] replaced bullet with note --- .../governance/custom-build-policies/code-editor.adoc | 8 ++++---- .../custom-build-policies/custom-build-policies.adoc | 4 +++- 2 files changed, 7 insertions(+), 5 deletions(-) 
diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc index 84ec940d70..119ff523ba 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc @@ -11,7 +11,7 @@ The Code Editor is a suitable option when you want to create complex custom poli [.procedure] -. Select *Governance > Add Policy > Config > Add Details* and then select *Next*. +. Select *Governance* > Add Policy > Config > Add Policy Details* and then select *Next*. + The Code Editor provides a default view with an example of a YAML template. See <<#yml_attr,YAML Policy Attribute>> below for details of the YAML file attributes. @@ -19,7 +19,7 @@ The Code Editor provides a default view with an example of a YAML template. See . Add your custom YAML code. -. Select *Scan* to test your custom code. +. Select *Test* to test your custom code. //+ //image::governance/code-editor-2.png + @@ -37,10 +37,10 @@ NOTE: You are in *Step 2* of Create Custom Policies for Build-Time Checks. You a The Yaml file includes the following arguments: -* *guidelines*: Provides guidance for developers who violate the policy +* *guidelines*: Sets general rules for policy creation * *category*: Specifies the type of policy * *frameworks*: Identifies the applicable framework. If no framework is specified, the policy applies to all frameworks. If a framework is specified, the policy applies only to the selected framework -* *scope*: Defines the cloud provider for the policy +* *scope*: Defines the level of applicability for the policy * *provider*: Specifies the cloud provider or source for the resources * *definition*: Contains the logic and conditions for the policy, including attributes, operators, and resource connections 
diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc index 5b1566e9c6..848c34854d 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/custom-build-policies.adoc @@ -8,7 +8,9 @@ You can create custom build policies for the following frameworks: * *Terraform* - Policies written using Terraform attributes will apply for Terraform (.tf and plan files) * *Bicep*: Policies defined using Bicep resources and attributes will apply for tailored Azure Bicep resource governance * *ARM*: Policies defined using ARM resources and attributes will apply for Azure ARM resource governance -** ARM and Bicep use the same policy syntax and can apply to both frameworks with a single attribute clause ++ +NOTE: ARM and Bicep use the same policy syntax and can apply to both frameworks with a single attribute clause + * *CloudFormation* - Policies written using CloudFormation attributes will apply for CloudFormation, AWS Serverless Application Model (SAM), and Cloud Development Kit (CDK) * *Kubernetes* - Policies written using Kubernetes attributes will apply for Kubernetes, Helm, and Kustomize
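Review bot: in patch 1/8, code-editor.adoc hunk `@@ -14,9 +15,18`, the `*` bullet list describing the YAML arguments is placed inside a `[.procedure]` step without a `+` list-continuation marker; AsciiDoc closes the numbered step at the first bullet, so the list and the steps after it fall out of the procedure (patch 3/8 moves the list into its own section, which resolves this). Also correct `THe Yaml file` to `The YAML file`.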
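Review bot: patch 1/8, code-editor.adoc hunk `@@ -425,3 +435,11`, adds the `=== ARM capabilities in the Code editor` section with several typos: `ARM amd Bicep` (and), `unless unless` (duplicated word), `IDEscans` (IDE scans), and `Code editor` where the page title uses `Code Editor`; the file is also left without a trailing newline (`\ No newline at end of file`). The same list is pasted into custom-build-policies.adoc in this patch, so the fixes apply in both places.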
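Review bot: patch 1/8, custom-build-policies.adoc hunk `@@ -5,10 +5,18`, adds the ARM details as top-level `*` bullets after a blank line, so they render as siblings of the framework entries and `* *ARM*` becomes an empty item; use `**` for the sub-points and remove the blank line (patch 2/8 makes that change). The separators are also mixed: `*Terraform* -` and `*CloudFormation* -` use a dash while `*Bicep*:` uses a colon; pick one for the whole list.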
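Review bot: patch 1/8, custom-build-policy-examples.adoc hunk `@@ -4,6 +4,7`, adds `* << ARM Example,[#arm-example]>>`, which is not a valid AsciiDoc cross reference: the anchor id comes first without `#` or brackets, then the link text, with no space after `<<`, i.e. `<<arm-example,ARM Example>>` for the `[#arm-example]` anchor declared later in the same patch. Patches 3/8 and 5/8 each retry this link with a different wrong form; applying the correct form once would shorten the series.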
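Review bot: in the ARM example added by patch 1/8 in custom-build-policy-examples.adoc (hunk `@@ -56,6 +57,50`), the second branch of the `or` block (`attribute: properties.state` with `operator: not_exists`) makes an `extendedAuditingPolicies` resource with no `properties.state` satisfy a policy named "Ensure Azure Synapse Workspace has extended audit logs"; confirm that an absent state is meant to count as enabled, and if not, drop that branch. Within the first branch, the `exists` condition directly followed by `equals: Enabled` on the same attribute is redundant, since a value that equals `Enabled` necessarily exists. The block is labelled `[source,json]` although the content is YAML (patch 2/8 relabels it), `guidelines: "..."` should carry real remediation text or be left out if it is a placeholder, and nothing in `metadata` restricts the framework, so state in the surrounding text whether the example is meant to match both ARM and Bicep, as the code-editor.adoc text in this patch says unrestricted ARM policies do.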
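Review bot: patch 2/8, custom-build-policies.adoc hunk `@@ -8,13 +8,12`, fixes the nesting with `**` but rewrites the lines with the typos intact: `ARM amd Bicep`, `unless unless` and `IDEscans` remain. Since these lines are rewritten anyway, correct them here.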
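Review bot: patch 2/8, custom-build-policy-examples.adoc hunk `@@ -86,19 +86,17`, adds an author note inside the YAML: `- cond_type: attribute # This line is correctly indented`. This is an editing remark, not documentation, and no later patch in the series removes it, so it would ship to readers; drop the comment.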
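Review bot: patch 3/8, code-editor.adoc hunk `@@ -11,32 +11,24`, introduces `<<#yml_attr,YAML Policy Attribute>>`; the anchor is declared as `[#yml_attr]` and is referenced without the `#`, so write `<<yml_attr,YAML Policy Attributes>>`, which also matches the plural of the section heading added in the same patch.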
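Review bot: patch 3/8, code-editor.adoc hunk `@@ -56,12 +48,25`, adds the `=== YAML Policy Attributes` section whose first line reads `The Yaml file includes the following arguments:`; use `YAML` and `attributes` so the intro agrees with the heading and the xref text. The two blank lines before `=== Limitation` can be reduced to one.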
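Review bot: the replacement paragraph in patch 4/8, code-editor.adoc hunk `@@ -32,21 +23,8`, states the 30-result limit twice (`Each test displays up to 30 results.` and `providing a maximum of 30 results per test`); keep one. The hunk also leaves a bare `+` continuation line followed by a blank line before the next step, which AsciiDoc treats as an empty attached block; drop the trailing `+`.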
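Review bot: patch 4/8, code-editor.adoc hunk `@@ -440,3 +418,25`, moves the commented-out `//image::` lines and their `//In this example ...` captions from the procedure to the end of the file, after the secrets example. Detached from the steps they illustrated, these comments cannot be restored correctly later; either delete them or keep them next to the steps they belong to.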
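Review bot: patch 7/8, code-editor.adoc hunk `@@ -37,10 +37,10`, changes `scope` to `Defines the cloud provider for the policy`, which makes it indistinguishable from the next line, `provider: Specifies the cloud provider or source for the resources`; if both attributes are kept, their descriptions should say how they differ. Patch 8/8 reverts this line, so the final text is unaffected, but the question of what `scope` actually controls remains open.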
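Review bot: in patch 8/8, the step `. Select *Governance* > Add Policy > Config > Add Policy Details* and then select *Next*.` in code-editor.adoc (hunk `@@ -11,7 +11,7`) has unbalanced bold markup: three `*` delimiters, so AsciiDoc will render a stray asterisk or bold the wrong span. Use either `*Governance > Add Policy > Config > Add Policy Details*` as in patch 7/8 or bold each menu item separately. The same patch also reverts three changes that patch 7/8 applied from code review (`Scan` back to `Test`, and the `guidelines` and `scope` descriptions back to their earlier wording) while its message only says a bullet was replaced with a note; if the reverts are intentional, say so in the message, and settle whether the menu item is `Add Details` (patch 7/8) or `Add Policy Details` (patch 8/8).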