Setting up for use with Azure DevOps pipelines: No documentations about epac-remediation-pipeline.yml #710
Unanswered. LarsVidingSE asked this question in Q&A. Replies: 2 comments, 1 reply.
-
Lars-
The SPN for the remediation pipeline requires the Azure RBAC "Role Based Access Control Administrator" role assignment, and the scope should be the root of the particular EPAC environment (e.g. whatever the intermediate root MG is for that environment).
This is documented at https://azure.github.io/enterprise-azure-policy-as-code/ci-cd-app-registrations/
Let us know if you still have questions.
Brian
Quoted from Lars Viding's original post (Tuesday, July 23, 2024 6:57 AM), subject: [Azure/enterprise-azure-policy-as-code] Setting up for use with Azure DevOps pipelines: No documentations about epac-remediation-pipeline.yml (Discussion #710):
Hi everyone,
I am following the EPAC documentation "Start the Enterprise Policy as Code (EPAC) Implementation":
https://github.com/Azure/enterprise-azure-policy-as-code/blob/main/Docs/start-implementing.md#create-the-definitions-folder
In step number 9, implement your CI/CD pipelines.
I have done everything and am using Workload Identity federation for all Service Connections.
https://github.com/Azure/enterprise-azure-policy-as-code/blob/main/Docs/ci-cd-overview.md
In the App Registration Setup documentation there are instructions about creating the SPNs.
https://github.com/Azure/enterprise-azure-policy-as-code/blob/main/Docs/ci-cd-app-registrations.md
[image attachment: https://github.com/user-attachments/assets/8e5d4804-309d-4c35-96d4-90ec328c3352]
At the end of the process, I run the command below to create the pipelines.
New-PipelinesFromStarterKit -StarterKitFolder .\StarterKit -PipelinesFolder .\pipelines -PipelineType AzureDevOps -BranchingFlow GitHub -ScriptType module
New-PipelinesFromStarterKit created three pipelines:
epac-dev-pipeline.yml
epac-remediation-pipeline.yml
epac-tenant-pipeline.yml
epac-dev-pipeline.yml and epac-tenant-pipeline.yml have corresponding service connections, which are described in the documentation.
But epac-remediation-pipeline.yml refers to sc-epac-tenant-remediation, which is not described in any documentation that I have found?
Can anyone give me some advice about the epac-tenant-remediation SPN and needed Azure Role Assignment and Assignment scope?
Thanks in advance.
Lars Viding
1 reply
-
Yes, the SPN spn-epac-tenant-roles is intended to be used for the remediation pipeline. As one of the "Tip" callouts on https://azure.github.io/enterprise-azure-policy-as-code/ci-cd-app-registrations/ says:
"For the EPAC Development Environment, a single service principal can be used for both the Policy Deployment & Role Deployment to simplify management. While it is recommended to separate these to maintain a separation of duties and enable additional security controls, the nature and isolation of the EPAC Development environment does not create the need for separation. Note: If you wish to use a single Service Principal for EPAC Development, both role assignments are still required."
Also on that page is probably the clearest delineation of the recommended SPNs, role assignments and scopes. We might want to include a column mapping the pipeline names/purpose as well.
"The following Service Principals & Role assignments would be created to support this structure:

| Service Principal      | Azure Role Assignment                                                  | Assignment Scope  |
|------------------------|------------------------------------------------------------------------|-------------------|
| spn-epac-plan          | Reader                                                                 | Tenant Root Group |
| spn-epac-dev           | Resource Policy Contributor, Role Based Access Control Administrator   | epac-contoso      |
| spn-epac-tenant-deploy | Resource Policy Contributor                                            | Contoso           |
| spn-epac-tenant-roles  | Role Based Access Control Administrator                                | Contoso           |
"
Quoted from Lars Viding's follow-up (Tuesday, July 23, 2024 7:27 AM), subject: Re: [Azure/enterprise-azure-policy-as-code] Setting up for use with Azure DevOps pipelines: No documentations about epac-remediation-pipeline.yml (Discussion #710):
Thanks for the super-fast reply :)
So, epac-remediation-pipeline.yml could use spn-epac-tenant-roles and the corresponding Service Connection, which has the Role Based Access Control Administrator assignment?
Have I understood correctly?
In my case that SPN has the condition [Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC.]
and not [Allow user to assign all roles].
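Both answers come down to one check: does the SPN behind sc-epac-tenant-remediation hold "Role Based Access Control Administrator" at the intermediate root management group of the EPAC environment, and is that assignment carrying an ABAC condition that narrows which roles it may assign. The script below is an added example for this thread; it is not part of the EPAC project and not code from either poster. It assumes the Az.Accounts and Az.Resources modules, a prior Connect-AzAccount with an identity that can read role assignments, and placeholder values for the SPN display name (spn-epac-tenant-roles, from the docs table) and the management group name (Contoso, from the same table) that you replace with your own.

```powershell
# Added example, not from the EPAC project: verify the remediation-pipeline SPN's
# "Role Based Access Control Administrator" assignment at the EPAC environment root MG
# and surface any ABAC condition attached to it (the condition Lars describes is one).
# Requires Az.Accounts and Az.Resources; run after Connect-AzAccount.
param(
    # Placeholder names taken from the docs table; replace with your own.
    [string]$SpnDisplayName      = 'spn-epac-tenant-roles',
    [string]$ManagementGroupName = 'Contoso',
    [string]$RoleName            = 'Role Based Access Control Administrator'
)

$scope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupName"

$spn = Get-AzADServicePrincipal -DisplayName $SpnDisplayName
if (-not $spn) {
    throw "Service principal '$SpnDisplayName' was not found in this tenant."
}

# Get-AzRoleAssignment -Scope returns assignments effective at that scope,
# including ones inherited from a parent management group.
$assignments = Get-AzRoleAssignment -ObjectId $spn.Id -Scope $scope -RoleDefinitionName $RoleName

if (-not $assignments) {
    Write-Warning "'$SpnDisplayName' does not hold '$RoleName' at or above $scope."
    Write-Warning "Grant it at the environment's intermediate root MG, not at Tenant Root Group."
    return
}

foreach ($a in $assignments) {
    # Distinguish a direct assignment from one inherited from a wider scope.
    $origin = if ($a.Scope -eq $scope) { 'direct' } else { "inherited from $($a.Scope)" }

    if ([string]::IsNullOrEmpty($a.Condition)) {
        Write-Output "$RoleName ($origin): no condition, the SPN may assign any role, including Owner and User Access Administrator."
    }
    else {
        Write-Output "$RoleName ($origin): condition (version $($a.ConditionVersion)):"
        Write-Output $a.Condition
        Write-Output "The condition limits which role definitions this SPN can assign; compare it with the roles your remediation flow actually needs to grant."
    }
}
```

If the warning fires, the assignment is added with New-AzRoleAssignment using the same -ObjectId, -RoleDefinitionName and -Scope values; its -Condition and -ConditionVersion parameters are how the "all roles except privileged administrator roles" restriction from the follow-up question is expressed outside the portal. Keeping the assignment at the intermediate root MG (per Brian's answer) rather than Tenant Root Group keeps the blast radius of that SPN to the one EPAC environment.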
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment