Private/Azure/Resolve-PolicyEffect.ps1
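function Resolve-PolicyEffect {
    <#
    .SYNOPSIS
        Resolve effective policy effect from assignment and definition.
    .DESCRIPTION
        Determines the actual policy effect by checking in priority order:
        1. Assignment-level parameter override - the "effect" parameter, or the
           parameter that the policy rule's effect actually references
           (e.g. "[parameters('policyEffect')]")
        2. Policy definition's "effect" parameter default value
        3. Policy rule's hardcoded or parameterized effect (resolved via the
           referenced parameter's default value)

        An assignment override must win over any definition default: otherwise
        an assignment that sets the effect to "Disabled" or "Audit" is reported
        with the definition's stricter default, misrepresenting the enforced
        posture.
    .PARAMETER Ref
        Policy reference object from assignment (contains parameter overrides).
        Expected shape: $Ref.parameters.<name>.value
    .PARAMETER PolicyDefinition
        Policy definition object containing rules and parameters.
        Expected shape: $PolicyDefinition.Parameter.<name>.defaultValue and
        $PolicyDefinition.PolicyRule.then.effect
    .PARAMETER PolicyDisplayName
        Display name of the policy (for logging).
    .PARAMETER PolicyDefinitionId
        Resource ID of the policy (for logging).
    .EXAMPLE
        $effect = Resolve-PolicyEffect -Ref $ref -PolicyDefinition $policyDef
    .OUTPUTS
        String - Policy effect (e.g., "Audit", "Deny", "DeployIfNotExists"),
        "Parameterized" if the rule references a parameter that has no
        override and no default, or "N/A" if unresolvable.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $false)]
        $Ref,

        [Parameter(Mandatory = $true)]
        $PolicyDefinition,

        [Parameter(Mandatory = $false)]
        [string]$PolicyDisplayName,

        [Parameter(Mandatory = $false)]
        [string]$PolicyDefinitionId
    )

    # Inspect the rule up front so the assignment-override check can look at
    # the parameter the rule really uses, not only one literally named "effect".
    $rawEffect = $null
    $ruleParamName = $null
    if ($PolicyDefinition.PolicyRule -and $PolicyDefinition.PolicyRule.then -and $PolicyDefinition.PolicyRule.then.effect) {
        $rawEffect = $PolicyDefinition.PolicyRule.then.effect
        if ($rawEffect -match "\[parameters\('(\w+)'\)\]") {
            $ruleParamName = $Matches[1]
        }
    }

    # Priority 1: Assignment override. "effect" is checked first (original
    # behaviour); the rule's referenced parameter is checked second.
    $overrideNames = @('effect')
    if ($ruleParamName -and $ruleParamName -ne 'effect') {
        $overrideNames += $ruleParamName
    }
    foreach ($name in $overrideNames) {
        if ($Ref -and $Ref.parameters -and $Ref.parameters.$name -and $Ref.parameters.$name.value) {
            $effectValue = $Ref.parameters.$name.value
            Write-Debug "Effect resolved from assignment override: $effectValue"
            return $effectValue
        }
    }

    # Priority 2: Parameter default value of the "effect" parameter
    if ($PolicyDefinition.Parameter -and $PolicyDefinition.Parameter.effect -and $PolicyDefinition.Parameter.effect.defaultValue) {
        $effectValue = $PolicyDefinition.Parameter.effect.defaultValue
        Write-Debug "Effect resolved from parameter default: $effectValue"
        return $effectValue
    }

    # Priority 3: Policy rule effect
    if ($rawEffect) {
        if ($ruleParamName) {
            # Parameterized: fall back to the referenced parameter's default.
            # $PolicyDefinition.Parameter is checked explicitly so a definition
            # without any parameters does not depend on null-propagation.
            if ($PolicyDefinition.Parameter -and $PolicyDefinition.Parameter.$ruleParamName -and $PolicyDefinition.Parameter.$ruleParamName.defaultValue) {
                $effectValue = $PolicyDefinition.Parameter.$ruleParamName.defaultValue
                Write-Debug "Effect resolved from parameterized rule (param: $ruleParamName): $effectValue"
                return $effectValue
            }
            Write-Debug "Effect is parameterized but cannot resolve: $rawEffect"
            return "Parameterized"
        }

        # Hardcoded effect
        $effectValue = $rawEffect
        Write-Debug "Effect resolved from hardcoded rule: $effectValue"
        return $effectValue
    }

    # Could not resolve
    Write-Debug "Effect could not be resolved for policy: $PolicyDisplayName"
    return "N/A"
}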