Remediation Tasks naming
pmalczuk opened this issue
Prerequisites
- I am running the latest version
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
Context
I have a question about the timestamp in the name for remediation tasks.
In what cases would they not be created? I can't understand it.
Now on every apply all remediation tasks are always recreated.
Hi @pmalczuk,
This is by design to ensure continuous on-demand compliance; for example if you wished to schedule this through a pipeline to run daily remediation.
Setting skip_remediation=true will prevent the task creation. You can also add this as a global variable to be accepted at runtime -var "skip_remediation=true".
Hope this helps
Hi @gettek
Thanks for the explanation. I think it should help in my pipeline.
I checked that the variable skip_remediation is only defined in module set_assignment but not used there. Maybe you missed it in this module?
Hi @pmalczuk,
Yes you're correct, I noticed it was missing also a few days ago and was wrongly removed in version 2.2.0 but will create a fix for the upcoming release in a few days.
@pmalczuk can you try with working branch 2.6.0 and let me know?
I just ran into this as well (skip_remediation not implemented). Will try the 2.6.0 version....
so it seems to work, although when NOT skipping remediation tasks, I think it's creating them for policies that don't have DINE/modify effects. For example, in my initiative I have a policy with a deny effect, and a remediation task is being created for it.
thanks @timwebster9 have added that fix to 2.6.0 now
@gettek I updated set_assignment/variables.tf with your latest changes, and it still creates remediation tasks for 'deny' policies...
Apologies, I will devote some time to this over the coming days, planning to also implement a parameter to change remediation_scope