Flexible policy deployment using PowerShell & GitHub Actions - Githubissues

Azure / CanadaPubSecALZ

This reference implementation is based on Cloud Adoption Framework for Azure and provides an opinionated implementation that enables ITSG-33 regulatory compliance by using NIST SP 800-53 Rev. 4 and Canada Federal PBMM Regulatory Compliance Policy Sets.

MIT License

124 stars 86 forks source link

Flexible policy deployment using PowerShell & GitHub Actions #300

Closed SenthuranSivananthan closed 2 years ago

SenthuranSivananthan commented 2 years ago

Overview/Summary

Externalize policy & policy set deployment from PowerShell scripts
Set defaults for simper PowerShell execution
Breakout policy deployments into separate jobs and use matrix to run them in parallel

Methods for deploying policy definitions & assignments

Deploy Built-In & Custom Policy Sets, including all default custom policy/policy set definitions.

.\RunWorkflows.ps1
 -EnvironmentName CanadaESLZ-main `
 -DeployCustomPolicyDefinitions `
 -DeployCustomPolicySetDefinitions `
 -DeployCustomPolicySetAssignments `
 -DeployBuiltinPolicySetAssignments

Deploy Custom Policy Definitions

.\RunWorkflows.ps1 `
 -EnvironmentName CanadaESLZ-main `
 -DeployCustomPolicyDefinitions

Deploy one Custom Policy Set Assignment at management group

.\RunWorkflows.ps1 `
     -EnvironmentName CanadaESLZ-main `
     -DeployCustomPolicySetAssignments `
     -CustomPolicySetAssignmentManagementGroupId pubsec `
     -CustomPolicySetAssignmentNames DefenderForCloud

Deploy Built In Policy Assignments

.\RunWorkflows.ps1 `
     -EnvironmentName CanadaESLZ-main `
     -DeployBuiltinPolicySetAssignments

Deploy one Built In Policy Assignment at management group

.\RunWorkflows.ps1 `
     -EnvironmentName CanadaESLZ-main `
     -DeployBuiltinPolicySetAssignments `
     -BuiltinPolicySetAssignmentManagementGroupId pubsec `
     -BuiltinPolicySetAssignmentNames asb

This PR fixes/adds/changes/removes

Fixes #301

Breaking Changes

None

Testing Evidence

Policy Workflow

Custom policy definitions in separate job
Custom policy set definitions in separate job and run in matrix
Custom policy set assignment in separate job and run in matrix
Built-in policy set assignment in separate job and run in matrix

Everything Workflow

Custom policy definitions in separate job
Custom policy set definitions in separate job and run in matrix
Custom policy set assignment in separate job and run in matrix
Built-in policy set assignment in separate job and run in matrix
Dependencies
- Depends on: Logging
- Dependents: Hub Networking

As part of this Pull Request I have

[x] Checked for duplicate Pull Requests
[x] Associated it with relevant GitHub Issues
[x] Ensured my code/branch is up-to-date with the latest changes in the main branch
[x] Performed testing and provided evidence.
[x] Updated relevant and associated documentation.