Closed VeraBE closed 1 year ago
@VeraBE So I understand it correctly we want to honor existing `indexed` and `all` to limit rules generated from policies to the types they were originally intended for. Is this correct?

- `all`: evaluate resource groups, subscriptions, and all resource types
- `indexed`: only evaluate resource types that support tags and location

If so I think we can limit `indexed` to the `Azure.Resource.SupportsTags` selector unless we have an internal list of which resources fall into indexed vs all.
Yes, that sounds good to me!
Regarding the resource provider modes, do you think we need to account for those in any way when generating the PSRule rules? I think we don't but I'm not sure if I understand those properly
I don't think we need to handle resource provider modes (at least the current resource provider modes) because they don't relate to the management plane.
@VeraBE This should be improved with PSRule for Azure: v1.23.0-B0072
Policy definitions can have different modes (https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#mode) and the logic to translate policy assignments to rules doesn't account for those.
For example, some ASB assignments are `indexed` and some are `all`.
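
The scoping agreed in this thread, sketched as an added example (not PSRule for Azure's own conversion code): a definition with mode `indexed` gets the `Azure.Resource.SupportsTags` selector, while `all` and resource provider modes get none. The sample definitions, the `Example.Policy.` name prefix and the function names are assumptions, and the policy condition itself is not translated.

```python
import json

API_VERSION = "github.com/microsoft/PSRule/v1"
SUPPORTS_TAGS = "Azure.Resource.SupportsTags"  # selector named in the thread
NAME_PREFIX = "Example.Policy."  # hypothetical rule name prefix


def resource_types(condition):
    """Collect resource types from `field: type` leaves of policyRule.if.

    Descends allOf/anyOf only; types under `not` are exclusions and are skipped.
    """
    found = []
    if str(condition.get("field", "")).lower() == "type":
        if "equals" in condition:
            found.append(condition["equals"])
        found.extend(condition.get("in", []))
    for key in ("allOf", "anyOf"):
        for child in condition.get(key, []):
            found.extend(resource_types(child))
    return found


def rule_skeleton(definition):
    """Build a rule skeleton whose scope follows the policy definition mode."""
    props = definition["properties"]
    mode = str(props.get("mode") or "").lower()
    types = sorted(set(resource_types(props["policyRule"]["if"])))
    spec = {"type": types} if types else {}
    if mode == "indexed":
        # Only resource types that support tags and location.
        spec["with"] = [SUPPORTS_TAGS]
    elif mode != "all" and "." not in mode:
        # "all" and resource provider modes (dotted names) get no selector;
        # anything else, including a missing mode, is flagged for review.
        raise ValueError(f"unrecognised policy mode: {props.get('mode')!r}")
    return {"apiVersion": API_VERSION, "kind": "Rule",
            "metadata": {"name": NAME_PREFIX + definition["name"]}, "spec": spec}


def sample(name, mode, rtype):
    """Constructed policy definition (not real ASB content)."""
    rule = {"if": {"allOf": [{"field": "type", "equals": rtype},
                             {"field": "tags['env']", "exists": "false"}]},
            "then": {"effect": "audit"}}
    return {"name": name, "properties": {"mode": mode, "policyRule": rule}}


if __name__ == "__main__":
    for d in (sample("storage-tag", "Indexed", "Microsoft.Storage/storageAccounts"),
              sample("rg-tag", "All", "Microsoft.Resources/subscriptions/resourceGroups")):
        print(json.dumps(rule_skeleton(d), indent=2))
```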