Add instructions for customizing policy set assignments (Azure#215)

16Rookie16 · Mar 24, 2022 · bf5e94b · bf5e94b
1 parent 0538d4d
commit bf5e94b
Showing 1 changed file with 45 additions and 1 deletion.
diff --git a/docs/onboarding/azure-devops-pipelines.md b/docs/onboarding/azure-devops-pipelines.md
@@ -476,7 +476,51 @@ In order to configure audit stream for Azure Monitor, identify the following inf
     7. Save the pipeline (don't run it yet)
     8. Rename the pipeline to `policy-ci`
 
-2. Run pipeline and wait for completion.
+2. By default, the pipeline will configure built-in policy assignments (i.e. PBMM, NIST 800-53 Rev 4, NIST 800-53 Rev 5, HIPAA, etc.) and custom policy assignments (i.e. Log Analytics, Defender for Cloud, Networking, Tag Governance, etc.).  The assignments are scoped to the top management group (i.e. `pubsec`).  These policy sets are documented in [Azure Policy for Guardrails](../policy) and you may choose to customize them for your Azure environment.  To customize:
+
+    1. Edit [/.pipelines/policy.yml](../../.pipelines/policy.yml)
+    2. Navigate to the `CustomPolicyJob` Job definition
+    3. Navigate to the `Define Policy Set` Step definition and remove the policy definition name from the `deployTemplates` array parameter
+
+          ```yaml
+              - template: templates/steps/define-policyset.yml
+                parameters:
+                  description: 'Define Policy Set'
+                  deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, DNSPrivateEndpoints, Tags]
+                  deployOperation: ${{ variables['deployOperation'] }}
+                  workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policyset
+                
+          ```
+
+    4. Navigate to the `Assign Policy Set` Step definition and remove the policy assignment name from the `deployTemplates` array parameter
+
+        ```yaml
+            - template: templates/steps/assign-policy.yml
+              parameters:
+                description: 'Assign Policy Set'
+                deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, Tags]
+                deployOperation: ${{ variables['deployOperation'] }}
+                policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
+                workingDir: $(System.DefaultWorkingDirectory)/policy/custom/assignments
+        ```
+
+    5. Navigate to the `BuiltInPolicyJob` Job definition
+    6. Navigate to the `Assign Policy Set` Step definition
+    7. Remove the policy set assignment from the `deployTemplates` array parameter
+
+        ```yaml
+            - template: templates/steps/assign-policy.yml
+              parameters:
+                description: 'Assign Policy Set'
+                deployTemplates: [asb, cis-msft-130, location, nist80053r4, nist80053r5, pbmm, hitrust-hipaa, fedramp-moderate]
+                deployOperation: ${{ variables['deployOperation'] }}
+                policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
+                workingDir: $(System.DefaultWorkingDirectory)/policy/builtin/assignments
+        ```
+
+3. Commit the changes to git repository.
+
+4. Run pipeline and wait for completion.
 
 ---