Flexible policy assignment scope #147

Merged
merged 12 commits into from
Jan 22, 2022
Merged
3 changes: 3 additions & 0 deletions .pipelines/policy.yml
@@ -98,6 +98,7 @@ stages:
description: 'Assign Policy Set'
deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, Tags]
deployOperation: ${{ variables['deployOperation'] }}
policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
workingDir: $(System.DefaultWorkingDirectory)/policy/custom/assignments

- job: BuiltInPolicyJob
@@ -119,4 +120,6 @@ stages:
description: 'Assign Policy Set'
deployTemplates: [asb, cis-msft-130, location, nist80053r4, nist80053r5, pbmm, hitrust-hipaa, fedramp-moderate]
deployOperation: ${{ variables['deployOperation'] }}
policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
workingDir: $(System.DefaultWorkingDirectory)/policy/builtin/assignments
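Review bot: Both added `policyAssignmentManagementGroupScope:` lines still pass `$(var-topLevelManagementGroupName)`, so the scope is only nominally flexible here and nothing in the pipeline tells an operator what narrowing it implies. I would comment each added line, e.g. `# MG the policy set is assigned to; must be the top-level MG or a descendant of it, and anything outside that subtree is left unenforced — run with deployOperation=what-if first`. Custom and built-in sets share one variable, so if they are meant to be scoped independently a per-job variable would make that explicit. The readme snippet in this PR also adds this parameter to the 'Define Policy Set' job, which this pipeline does not appear to do; worth confirming the definitions step template actually declares it, since I believe Azure DevOps rejects parameters a template does not declare.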

27 changes: 17 additions & 10 deletions .pipelines/templates/steps/assign-policy.yml
@@ -18,6 +18,8 @@ parameters:
values:
- create
- what-if
- name: policyAssignmentManagementGroupScope
type: string
- name: workingDir
type: string

@@ -34,24 +36,29 @@ steps:
$(var-bashPreInjectScript)

echo "Populating templated parameters in ${{ policy }}.parameters.json"
sed -i 's~{{var-topLevelManagementGroupName}}~$(var-topLevelManagementGroupName)~g' ${{ policy }}.parameters.json

sed -i 's~{{var-logging-logAnalyticsWorkspaceResourceId}}~$(var-logging-logAnalyticsWorkspaceResourceId)~g' ${{ policy }}.parameters.json
sed -i 's~{{var-logging-logAnalyticsWorkspaceId}}~$(var-logging-logAnalyticsWorkspaceId)~g' ${{ policy }}.parameters.json
sed -i 's~{{var-logging-logAnalyticsResourceGroupName}}~$(var-logging-logAnalyticsResourceGroupName)~g' ${{ policy }}.parameters.json
sed -i 's~{{var-logging-logAnalyticsRetentionInDays}}~$(var-logging-logAnalyticsRetentionInDays)~g' ${{ policy }}.parameters.json
cp ${{ policy }}.parameters.json ${{ policy }}.populated.parameters.json

sed -i 's~{{var-topLevelManagementGroupName}}~$(var-topLevelManagementGroupName)~g' ${{ policy }}.populated.parameters.json

sed -i 's~{{var-logging-logAnalyticsWorkspaceResourceId}}~$(var-logging-logAnalyticsWorkspaceResourceId)~g' ${{ policy }}.populated.parameters.json
sed -i 's~{{var-logging-logAnalyticsWorkspaceId}}~$(var-logging-logAnalyticsWorkspaceId)~g' ${{ policy }}.populated.parameters.json
sed -i 's~{{var-logging-logAnalyticsResourceGroupName}}~$(var-logging-logAnalyticsResourceGroupName)~g' ${{ policy }}.populated.parameters.json
sed -i 's~{{var-logging-logAnalyticsRetentionInDays}}~$(var-logging-logAnalyticsRetentionInDays)~g' ${{ policy }}.populated.parameters.json

sed -i 's~{{var-logging-diagnosticSettingsforNetworkSecurityGroupsStoragePrefix}}~$(var-logging-diagnosticSettingsforNetworkSecurityGroupsStoragePrefix)~g' ${{ policy }}.parameters.json
sed -i 's~{{var-logging-diagnosticSettingsforNetworkSecurityGroupsStoragePrefix}}~$(var-logging-diagnosticSettingsforNetworkSecurityGroupsStoragePrefix)~g' ${{ policy }}.populated.parameters.json

sed -i 's~{{var-policyAssignmentManagementGroupId}}~${{ parameters.policyAssignmentManagementGroupScope }}~g' ${{ policy }}.populated.parameters.json

cat ${{ policy }}.parameters.json ; echo
cat ${{ policy }}.populated.parameters.json ; echo

echo "Deploying ${{ policy }}.bicep using ${{ parameters.deployOperation}} operation..."
echo "Deploying ${{ policy }}.bicep using ${{ parameters.deployOperation}} operation at ${{ parameters.policyAssignmentManagementGroupScope }} scope ..."

az deployment mg ${{ parameters.deployOperation }} \
--location $(deploymentRegion) \
--management-group-id $(var-topLevelManagementGroupName) \
--management-group-id ${{ parameters.policyAssignmentManagementGroupScope }} \
--template-file ${{ policy }}.bicep \
--parameters ${{ policy }}.parameters.json
--parameters ${{ policy }}.populated.parameters.json

$(var-bashPostInjectScript)
workingDirectory: ${{ parameters.workingDir }}
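Review bot: The new scope value is spliced by template expression into the single-quoted sed replacement for `{{var-policyAssignmentManagementGroupId}}`, into the `echo`, and into the unquoted `--management-group-id` argument with no validation; because `${{ }}` is expanded before bash parses the script, a value containing `'`, `~`, `&` or whitespace would break the script's quoting, sed's `~`-delimited replacement, or the CLI argument instead of failing cleanly. A guard right after the pre-inject hook catches this (the character class is the management group id charset as far as I recall, so confirm it): `case "${{ parameters.policyAssignmentManagementGroupScope }}" in ''|*[!A-Za-z0-9_.()-]*) echo "invalid management group id"; exit 1 ;; esac`. The parameter declaration in the first hunk also deserves a comment, `# MG the assignment is deployed to; must be the MG holding the definitions or a descendant of it`, since the custom parameter files in this PR still point policyDefinitionManagementGroupId at the top-level MG and the deploying identity presumably needs assignment rights at whatever scope is passed. Two smaller things: the `.populated.parameters.json` copy is left in the checkout after the step (cleaning it up in a trap or listing it in .gitignore keeps it out of later commits), and `cat` of the populated file still writes the environment's workspace ids into the build log, which is pre-existing but now easy to drop. The script block starts before this hunk.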
8 changes: 4 additions & 4 deletions docs/policy/authoring-guide.md
@@ -284,7 +284,7 @@ The built-in policy sets are used as-is to ensure future improvements from Azure
"contentVersion": "1.0.0.0",
"parameters": {
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
@@ -307,7 +307,7 @@ The built-in policy sets are used as-is to ensure future improvements from Azure
"contentVersion": "1.0.0.0",
"parameters": {
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
@@ -827,7 +827,7 @@ When there are deployment errors:
"value": "{{var-topLevelManagementGroupName}}"
},
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
@@ -853,7 +853,7 @@ When there are deployment errors:
"value": "{{var-topLevelManagementGroupName}}"
},
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
4 changes: 4 additions & 0 deletions docs/policy/readme.md
@@ -41,6 +41,7 @@ Azure DevOps Pipeline ([.pipelines/policy.yml](../../.pipelines/policy.yml)) is
description: 'Assign Policy Set'
deployTemplates: [asb, cis-msft-130, location, nist80053r4, nist80053r5, pbmm, hitrust-hipaa, fedramp-moderate]
deployOperation: ${{ variables['deployOperation'] }}
policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
workingDir: $(System.DefaultWorkingDirectory)/policy/builtin/assignments
```

@@ -101,6 +102,7 @@ Azure DevOps Pipeline ([.pipelines/policy.yml](../../.pipelines/policy.yml)) is
description: 'Define Policy Set'
deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, DNSPrivateEndpoints, Tags]
deployOperation: ${{ variables['deployOperation'] }}
policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policyset
```

@@ -130,6 +132,7 @@ Azure DevOps Pipeline ([.pipelines/policy.yml](../../.pipelines/policy.yml)) is
description: 'Assign Policy Set'
deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, Tags]
deployOperation: ${{ variables['deployOperation'] }}
policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
workingDir: $(System.DefaultWorkingDirectory)/policy/custom/assignments
```

@@ -157,6 +160,7 @@ Parameters can be templated using the syntax `{{PARAMETER_NAME}}`. Following pa
| {{var-logging-logAnalyticsResourceGroupName}} | Environment configuration file such as [config/variables/CanadaESLZ-main.yml](../../config/variables/CanadaESLZ-main.yml) | `pubsec-central-logging-rg`
| {{var-logging-logAnalyticsRetentionInDays}} | Environment configuration file such as [config/variables/CanadaESLZ-main.yml](../../config/variables/CanadaESLZ-main.yml) | `730`
| {{var-logging-diagnosticSettingsforNetworkSecurityGroupsStoragePrefix}} | Environment configuration file such as [config/variables/CanadaESLZ-main.yml](../../config/variables/CanadaESLZ-main.yml) | `pubsecnsg`
| {{var-policyAssignmentManagementGroupId}} | The management group scope for policy assignment. | `pubsec`

---

2 changes: 1 addition & 1 deletion policy/builtin/assignments/asb.parameters.json
@@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
2 changes: 1 addition & 1 deletion policy/builtin/assignments/cis-msft-130.parameters.json
@@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
@@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
2 changes: 1 addition & 1 deletion policy/builtin/assignments/hitrust-hipaa.parameters.json
@@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
2 changes: 1 addition & 1 deletion policy/builtin/assignments/location.parameters.json
@@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
2 changes: 1 addition & 1 deletion policy/builtin/assignments/nist80053r4.parameters.json
@@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
2 changes: 1 addition & 1 deletion policy/builtin/assignments/nist80053r5.parameters.json
@@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
2 changes: 1 addition & 1 deletion policy/builtin/assignments/pbmm.parameters.json
@@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
2 changes: 1 addition & 1 deletion policy/custom/assignments/AKS.parameters.json
@@ -6,7 +6,7 @@
"value": "{{var-topLevelManagementGroupName}}"
},
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
2 changes: 1 addition & 1 deletion policy/custom/assignments/DDoS.parameters.json
@@ -6,7 +6,7 @@
"value": "{{var-topLevelManagementGroupName}}"
},
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
@@ -6,7 +6,7 @@
"value": "{{var-topLevelManagementGroupName}}"
},
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
@@ -6,7 +6,7 @@
"value": "{{var-topLevelManagementGroupName}}"
},
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
2 changes: 1 addition & 1 deletion policy/custom/assignments/LogAnalytics.parameters.json
@@ -6,7 +6,7 @@
"value": "{{var-topLevelManagementGroupName}}"
},
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
2 changes: 1 addition & 1 deletion policy/custom/assignments/Network.parameters.json
@@ -6,7 +6,7 @@
"value": "{{var-topLevelManagementGroupName}}"
},
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"
2 changes: 1 addition & 1 deletion policy/custom/assignments/Tags.parameters.json
@@ -6,7 +6,7 @@
"value": "{{var-topLevelManagementGroupName}}"
},
"policyAssignmentManagementGroupId": {
"value": "{{var-topLevelManagementGroupName}}"
"value": "{{var-policyAssignmentManagementGroupId}}"
},
"enforcementMode": {
"value": "Default"