From 972a454a19c3e9272f489e8ab7784e5d06351cf8 Mon Sep 17 00:00:00 2001
From: Christian Campo
Date: Mon, 15 Jun 2020 21:22:08 +0200
Subject: [PATCH 1/3] added parameter enforcement_mode to resource azurerm_policy_assignment
---
 .../policy/policy_assignment_resource.go | 13 ++-
 .../tests/policy_assignment_resource_test.go | 88 +++++++++++++++++++
 .../docs/r/policy_assignment.html.markdown | 1 +
 3 files changed, 101 insertions(+), 1 deletion(-)
diff --git a/azurerm/internal/services/policy/policy_assignment_resource.go b/azurerm/internal/services/policy/policy_assignment_resource.go
index 843b3b5fa6b8..9f6acaf8276e 100644
--- a/azurerm/internal/services/policy/policy_assignment_resource.go
+++ b/azurerm/internal/services/policy/policy_assignment_resource.go
@@ -113,6 +113,16 @@ func resourceArmPolicyAssignment() *schema.Resource {
 DiffSuppressFunc: structure.SuppressJsonDiff,
 },
+ "enforcement_mode": {
+ Type: schema.TypeString,
+ Optional: true,
+ ForceNew: true,
+ ValidateFunc: validation.StringInSlice([]string{
+ string(policy.Default),
+ string(policy.DoNotEnforce),
+ }, false),
+ },
+
 "not_scopes": {
 Type: schema.TypeList,
 Optional: true,
@@ -129,7 +139,7 @@ func resourceArmPolicyAssignmentCreateUpdate(d *schema.ResourceData, meta interf
 name := d.Get("name").(string)
 scope := d.Get("scope").(string)
-
+ enforcementMode := policy.EnforcementMode(d.Get("enforcement_mode").(string))
 policyDefinitionId := d.Get("policy_definition_id").(string)
 displayName := d.Get("display_name").(string)
@@ -151,6 +161,7 @@ func resourceArmPolicyAssignmentCreateUpdate(d *schema.ResourceData, meta interf
 PolicyDefinitionID: utils.String(policyDefinitionId),
 DisplayName: utils.String(displayName),
 Scope: utils.String(scope),
+ EnforcementMode: enforcementMode,
 },
 }
diff --git a/azurerm/internal/services/policy/tests/policy_assignment_resource_test.go b/azurerm/internal/services/policy/tests/policy_assignment_resource_test.go
index d00e4568b366..fb24eb8feb27 100644
--- a/azurerm/internal/services/policy/tests/policy_assignment_resource_test.go
+++ b/azurerm/internal/services/policy/tests/policy_assignment_resource_test.go
@@ -138,6 +138,24 @@ func TestAccAzureRMPolicyAssignment_not_scopes(t *testing.T) {
 })
 }
+func TestAccAzureRMPolicyAssignment_enforcement_mode(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_policy_assignment", "test")
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { acceptance.PreCheck(t) },
+ Providers: acceptance.SupportedProviders,
+ CheckDestroy: testCheckAzureRMPolicyAssignmentDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAzureRMPolicyAssignment_enforcement_mode(data),
+ Check: resource.ComposeTestCheckFunc(
+ testCheckAzureRMPolicyAssignmentExists(data.ResourceName),
+ ),
+ },
+ data.ImportStep(),
+ },
+ })
+}
+
 func testCheckAzureRMPolicyAssignmentExists(resourceName string) resource.TestCheckFunc {
 return func(s *terraform.State) error {
 client := acceptance.AzureProvider.Meta().(*clients.Client).Policy.AssignmentsClient
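Review bot: The only check in `TestAccAzureRMPolicyAssignment_enforcement_mode` is `testCheckAzureRMPolicyAssignmentExists`, so the test would still pass if `enforcement_mode` were never sent to the API or read back from it. Adding `resource.TestCheckResourceAttr(data.ResourceName, "enforcement_mode", "DoNotEnforce"),` inside `ComposeTestCheckFunc`, with the expected value following whatever the test configuration sets, would pin the non-default value. Because a non-enforcing assignment is a weakened guardrail, a second step that switches the value back and asserts the attribute again would also cover the path that re-enables enforcement.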
@@ -516,3 +534,73 @@ PARAMETERS } `, data.RandomInteger, data.RandomInteger, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.Locations.Primary) } + +func testAzureRMPolicyAssignment_enforcement_mode(data acceptance.TestData) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +data "azurerm_subscription" "current" { +} + +resource "azurerm_policy_definition" "test" { + name = "acctestpol-%d" + policy_type = "Custom" + mode = "All" + display_name = "acctestpol-%d" + + policy_rule = < Date: Tue, 16 Jun 2020 09:20:41 +0200 Subject: [PATCH 2/3] update enforcement_mode, remove ForceNew, changed it into a boolean parameter and added a Default and adressed the other comments (read property) --- .../policy/policy_assignment_resource.go | 19 ++++++++++++------- .../tests/policy_assignment_resource_test.go | 2 +- .../docs/r/policy_assignment.html.markdown | 2 +- 3 files changed, 14 insertions(+), 9 deletions(-) diff --git a/azurerm/internal/services/policy/policy_assignment_resource.go b/azurerm/internal/services/policy/policy_assignment_resource.go index 9f6acaf8276e..2e439f59c05d 100644 --- a/azurerm/internal/services/policy/policy_assignment_resource.go +++ b/azurerm/internal/services/policy/policy_assignment_resource.go @@ -114,13 +114,9 @@ func resourceArmPolicyAssignment() *schema.Resource { }, "enforcement_mode": { - Type: schema.TypeString, + Type: schema.TypeBool, Optional: true, - ForceNew: true, - ValidateFunc: validation.StringInSlice([]string{ - string(policy.Default), - string(policy.DoNotEnforce), - }, false), + Default: true, }, "not_scopes": { 
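Review bot: In the `enforcement_mode` schema entry changed by PATCH 2/3, a `schema.TypeBool` under a name that reads like an enum does not say which value turns enforcement off. A comment above the entry, for example `// true sends policy.Default (policy effect enforced); false sends policy.DoNotEnforce`, would make the mapping visible where the default is declared. The same comment should note that `Default: true` keeps assignments that omit the attribute enforcing, so the default is not flipped later without that effect being noticed.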
@@ -139,7 +135,7 @@ func resourceArmPolicyAssignmentCreateUpdate(d *schema.ResourceData, meta interf
 name := d.Get("name").(string)
 scope := d.Get("scope").(string)
- enforcementMode := policy.EnforcementMode(d.Get("enforcement_mode").(string))
+ enforcementMode := convertEnforcementMode(utils.Bool(d.Get("enforcement_mode").(bool)))
 policyDefinitionId := d.Get("policy_definition_id").(string)
 displayName := d.Get("display_name").(string)
@@ -262,6 +258,7 @@ func resourceArmPolicyAssignmentRead(d *schema.ResourceData, meta interface{}) e
 d.Set("policy_definition_id", props.PolicyDefinitionID)
 d.Set("description", props.Description)
 d.Set("display_name", props.DisplayName)
+ d.Set("enforcement_mode", props.EnforcementMode)
 if params := props.Parameters; params != nil {
 json, err := flattenParameterValuesValueToString(params)
@@ -350,3 +347,11 @@ func expandAzureRmPolicyNotScopes(d *schema.ResourceData) *[]string {
 return ¬ScopesRes
 }
+
+func convertEnforcementMode(mode *bool) policy.EnforcementMode {
+ if *mode {
+ return policy.Default
+ } else {
+ return policy.DoNotEnforce
+ }
+}
diff --git a/azurerm/internal/services/policy/tests/policy_assignment_resource_test.go b/azurerm/internal/services/policy/tests/policy_assignment_resource_test.go
index fb24eb8feb27..414713850161 100644
--- a/azurerm/internal/services/policy/tests/policy_assignment_resource_test.go
+++ b/azurerm/internal/services/policy/tests/policy_assignment_resource_test.go
@@ -590,7 +590,7 @@ resource "azurerm_policy_assignment" "test" { scope = data.azurerm_subscription.current.id policy_definition_id = azurerm_policy_definition.test.id description = "Policy Assignment created via an Acceptance Test" - enforcement_mode = "DoNotEnforce" + enforcement_mode = false display_name = "Acceptance Test Run %d" parameters = < Date: Tue, 16 Jun 2020 22:11:54 +0200 Subject: [PATCH 3/3] added suggested changes, simplify code --- .../services/policy/policy_assignment_resource.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/azurerm/internal/services/policy/policy_assignment_resource.go b/azurerm/internal/services/policy/policy_assignment_resource.go index 2e439f59c05d..cecf045e59ed 100644 --- a/azurerm/internal/services/policy/policy_assignment_resource.go +++ b/azurerm/internal/services/policy/policy_assignment_resource.go @@ -135,7 +135,7 @@ func resourceArmPolicyAssignmentCreateUpdate(d *schema.ResourceData, meta interf name := d.Get("name").(string) scope := d.Get("scope").(string) - enforcementMode := convertEnforcementMode(utils.Bool(d.Get("enforcement_mode").(bool))) + enforcementMode := convertEnforcementMode(d.Get("enforcement_mode").(bool)) policyDefinitionId := d.Get("policy_definition_id").(string) displayName := d.Get("display_name").(string) @@ -258,7 +258,7 @@ func resourceArmPolicyAssignmentRead(d *schema.ResourceData, meta interface{}) e d.Set("policy_definition_id", props.PolicyDefinitionID) d.Set("description", props.Description) d.Set("display_name", props.DisplayName) - d.Set("enforcement_mode", props.EnforcementMode) + d.Set("enforcement_mode", props.EnforcementMode == policy.Default) if params := props.Parameters; params != nil { json, err := flattenParameterValuesValueToString(params) 
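Review bot: In the `resourceArmPolicyAssignmentRead` hunk of PATCH 3/3, `props.EnforcementMode == policy.Default` records `false` for every value that is not exactly `Default`, which would include an empty or differently-cased string if the service ever returns one (not verifiable from this diff). State would then show an enforced assignment as not enforced and produce a permanent diff against the `true` default. Comparing against the non-enforcing value instead, `d.Set("enforcement_mode", props.EnforcementMode != policy.DoNotEnforce)`, makes only an explicit opt-out read back as `false`. The function body starts and ends outside the hunk.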
@@ -348,8 +348,8 @@ func expandAzureRmPolicyNotScopes(d *schema.ResourceData) *[]string {
 return ¬ScopesRes
 }
-func convertEnforcementMode(mode *bool) policy.EnforcementMode {
- if *mode {
+func convertEnforcementMode(mode bool) policy.EnforcementMode {
+ if mode {
 return policy.Default
 } else {
 return policy.DoNotEnforce
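Review bot: `convertEnforcementMode` keeps an `else` after `return policy.Default`; Go style drops the `else` when the `if` branch returns, leaving `if mode { return policy.Default }` followed by a plain `return policy.DoNotEnforce`. The helper also has no comment, and `// convertEnforcementMode maps the enforcement_mode attribute to the API enum: true is policy.Default, false is policy.DoNotEnforce.` would state the mapping at the one place that defines it. The closing braces of the function lie outside the hunk.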