Flexible policy deployment using PowerShell & GitHub Actions (Azure#300)

Author: SenthuranSivananthan

.github/workflows/0-everything.yml

@@ -121,22 +121,123 @@ jobs:
           -GitHubRepo ${env:GITHUB_REPOSITORY} `
           -GitHubRef ${env:GITHUB_REF}
 
-  Policy:
+  Custom_Policy_Definitions:
+    name: Custom policy definitions
+    needs: Logging
+
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure PowerShell modules
+      run: |
+        Install-Module Az -Force
+        Install-Module powershell-yaml -Force
+
+    - name: Deploy policy definitions
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeployCustomPolicyDefinitions `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}
+
+  Custom_Policy_Set_Definitions:
+    name: Define custom
+    needs: Custom_Policy_Definitions
+
+    strategy:
+      matrix:
+        policySetDefinitionName:
+          - AKS
+          - DefenderForCloud
+          - LogAnalytics
+          - Network
+          - DNSPrivateEndpoints
+          - Tags
+      fail-fast: false
+
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure PowerShell modules
+      run: |
+        Install-Module Az -Force
+        Install-Module powershell-yaml -Force
+
+    - name: Deploy policy set definition
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeployCustomPolicySetDefinitions `
+          -CustomPolicySetDefinitionNames '${{ matrix.policySetDefinitionName }}' `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}
+
+  Custom_Policy_Set_Assignments:
+    name: Assign custom
     needs:
-      - Logging
+      - Custom_Policy_Definitions
+      - Custom_Policy_Set_Definitions
 
-    name: Policy
+    strategy:
+      matrix:
+        policySetAssignmentName:
+          - AKS
+          - DefenderForCloud
+          - LogAnalytics
+          - Network
+          - Tags
+      fail-fast: false
 
     runs-on: ubuntu-latest
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure PowerShell modules
+      run: |
+        Install-Module Az -Force
+        Install-Module powershell-yaml -Force
+
+    - name: Deploy policy set assignment
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeployCustomPolicySetAssignments `
+          -CustomPolicySetAssignmentNames '${{ matrix.policySetAssignmentName }}' `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}
+
+  Builtin_Policy_Set_Assignments:
+    name: Assign built-in
+    needs: Logging
 
     strategy:
       matrix:
-        policyType:
-          - DeployBuiltInPolicy
-          - DeployCustomPolicy
+        policySetAssignmentName:
+          - asb
+          - nist80053r4
+          - nist80053r5
+          - pbmm
+          - cis-msft-130
+          - fedramp-moderate
+          - hitrust-hipaa
+          - location
       fail-fast: false
 
+    runs-on: ubuntu-latest
     steps:
+
     - name: Checkout
       uses: actions/checkout@v3
 
@@ -145,18 +246,20 @@ jobs:
         Install-Module Az -Force
         Install-Module powershell-yaml -Force
 
-    - name: Deploy Policy
+    - name: Deploy policy set assignment
       run: |
         ./RunWorkflows.ps1 `
-          -${{ matrix.policyType }} `
+          -DeployBuiltinPolicySetAssignments `
+          -BuiltinPolicySetAssignmentNames '${{ matrix.policySetAssignmentName }}' `
           -EnvironmentName '${{github.event.inputs.environmentName}}' `
           -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
           -GitHubRepo ${env:GITHUB_REPOSITORY} `
           -GitHubRef ${env:GITHUB_REF}
 
   HubNetworking:
     needs:
-      - Policy
+      - Custom_Policy_Set_Assignments
+      - Builtin_Policy_Set_Assignments
 
     name: Hub Networking (${{github.event.inputs.hubNetworkType}})
 

.github/workflows/4-policy.yml

@@ -23,14 +23,79 @@ defaults:
     working-directory: scripts/deployments
 
 jobs:
-  policy:
-    name: Policy
+  Custom_Policy_Definitions:
+    name: Custom policy definitions
+
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure PowerShell modules
+      run: |
+        Install-Module Az -Force
+        Install-Module powershell-yaml -Force
+
+    - name: Deploy policy definitions
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeployCustomPolicyDefinitions `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}
+
+  Custom_Policy_Set_Definitions:
+    name: Define custom
+    needs: Custom_Policy_Definitions
+
+    strategy:
+      matrix:
+        policySetDefinitionName:
+          - AKS
+          - DefenderForCloud
+          - LogAnalytics
+          - Network
+          - DNSPrivateEndpoints
+          - Tags
+      fail-fast: false
+
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure PowerShell modules
+      run: |
+        Install-Module Az -Force
+        Install-Module powershell-yaml -Force
+
+    - name: Deploy policy set definition
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeployCustomPolicySetDefinitions `
+          -CustomPolicySetDefinitionNames '${{ matrix.policySetDefinitionName }}' `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}
+
+  Custom_Policy_Set_Assignments:
+    name: Assign custom
+    needs:
+      - Custom_Policy_Definitions
+      - Custom_Policy_Set_Definitions
 
     strategy:
       matrix:
-        policyType:
-          - DeployBuiltInPolicy
-          - DeployCustomPolicy
+        policySetAssignmentName:
+          - AKS
+          - DefenderForCloud
+          - LogAnalytics
+          - Network
+          - Tags
       fail-fast: false
 
     runs-on: ubuntu-latest
@@ -44,11 +109,49 @@ jobs:
         Install-Module Az -Force
         Install-Module powershell-yaml -Force
 
-    - name: Deploy Policy
+    - name: Deploy policy set assignment
       run: |
         ./RunWorkflows.ps1 `
-          -${{ matrix.policyType }} `
+          -DeployCustomPolicySetAssignments `
+          -CustomPolicySetAssignmentNames '${{ matrix.policySetAssignmentName }}' `
           -EnvironmentName '${{github.event.inputs.environmentName}}' `
           -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
           -GitHubRepo ${env:GITHUB_REPOSITORY} `
           -GitHubRef ${env:GITHUB_REF}
+
+  Builtin_Policy_Set_Assignments:
+    name: Assign built-in
+
+    strategy:
+      matrix:
+        policySetAssignmentName:
+          - asb
+          - nist80053r4
+          - nist80053r5
+          - pbmm
+          - cis-msft-130
+          - fedramp-moderate
+          - hitrust-hipaa
+          - location
+      fail-fast: false
+
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure PowerShell modules
+      run: |
+        Install-Module Az -Force
+        Install-Module powershell-yaml -Force
+
+    - name: Deploy policy set assignment
+      run: |
+        ./RunWorkflows.ps1 `
+          -DeployBuiltinPolicySetAssignments `
+          -BuiltinPolicySetAssignmentNames '${{ matrix.policySetAssignmentName }}' `
+          -EnvironmentName '${{github.event.inputs.environmentName}}' `
+          -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
+          -GitHubRepo ${env:GITHUB_REPOSITORY} `
+          -GitHubRef ${env:GITHUB_REF}

scripts/deployments/Functions/Policy.ps1

@@ -69,7 +69,8 @@ function Set-PolicySet-Defintions {
     $PopulatedParametersFilePath = "$($PolicySetDefinitionsDirectory)/$($policySetDefinitionName)-populated.parameters.json"
     $ParametersContent | Set-Content -Path $PopulatedParametersFilePath
 
-    Write-Output "Policy Set: $policySetDefinitionName"
+    Write-Output "Policy set: $policySetDefinitionName"
+    Write-Output "   - Management Group Id: $ManagementGroupId"
     Write-Output "   - Definition: $PolicySetDefinitionFilePath"
     Write-Output "   - Parameters: $PolicySetDefinitionParametersFilePath"
     Write-Output "   - Populated (temp): $PopulatedParametersFilePath"
@@ -114,7 +115,7 @@ function Set-PolicySet-Assignments {
   )
 
   foreach ($policySetAssignmentName in $PolicySetAssignmentNames) {
-    Write-Output "Policy Set assignment Name: $($policySetAssignmentName)"
+    Write-Output "Policy set assignment name: $($policySetAssignmentName)"
 
     $PolicySetAssignmentFilePath = "$($PolicySetAssignmentsDirectory)/$($policySetAssignmentName).bicep"
 
@@ -144,6 +145,7 @@ function Set-PolicySet-Assignments {
     $ParametersContent | Set-Content -Path $PopulatedParametersFilePath
 
     Write-Output "Policy: $policy"
+    Write-Output "   - Management Group Id: $PolicySetAssignmentManagementGroupId"
     Write-Output "   - Definition: $PolicySetAssignmentFilePath"
     Write-Output "   - Parameters: $PolicySetParameterFilePath"
     Write-Output "   - Populated (temp): $PopulatedParametersFilePath"