From 6504e142e5df2927490199adcdbf5cb6abb50ae0 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Thu, 7 Dec 2023 09:53:46 -0800
Subject: [PATCH] test20
---
.../workflows/4-00-policy-Root optimized.yml | 152 ++++++++++
.github/workflows/@001test.yml | 10 +-
.github/workflows/@4-00-policy-Root copy.yml | 273 ------------------
3 files changed, 154 insertions(+), 281 deletions(-)
create mode 100644 .github/workflows/4-00-policy-Root optimized.yml
delete mode 100644 .github/workflows/@4-00-policy-Root copy.yml
diff --git a/.github/workflows/4-00-policy-Root optimized.yml b/.github/workflows/4-00-policy-Root optimized.yml
new file mode 100644
index 00000000..1f2508c4
--- /dev/null
+++ b/.github/workflows/4-00-policy-Root optimized.yml
@@ -0,0 +1,152 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+#
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# ----------------------------------------------------------------------------------
+
+name: 4-00 - Policy Root
+
+on:
+ workflow_dispatch:
+
+defaults:
+ run:
+ shell: pwsh
+ working-directory: scripts/deployments
+
+jobs:
+
+ Custom_Policy_Definitions:
+ name: Custom policy definitions
+ environment: ${{ github.ref == 'refs/heads/main' && 'Prod' || 'Lab' }}
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Configure PowerShell modules
+ run: |
+ Install-Module Az -Force
+ Install-Module powershell-yaml -Force
+
+ - name: Deploy policy definitions
+ run: |
+ ./RunWorkflows.ps1 `
+ -DeployCustomPolicyDefinitions `
+ -EnvironmentName '${{vars.ENVIRONMENTNAME}}' `
+ -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_SPN_CREDENTIALS}}' -AsPlainText -Force) `
+ -GitHubRepo ${env:GITHUB_REPOSITORY} `
+ -GitHubRef ${env:GITHUB_REF}
+
+ Custom_Policy_Set_Definitions:
+ name: Define custom Policysets
+ environment: ${{ github.ref == 'refs/heads/main' && 'Prod' || 'Lab' }}
+ needs: Custom_Policy_Definitions
+
+ strategy:
+ matrix:
+ policySetDefinitionName:
+ - LogAnalytics
+ - Network
+ - Tags
+ fail-fast: false
+
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Configure PowerShell modules
+ run: |
+ Install-Module Az -Force
+ Install-Module powershell-yaml -Force
+
+ - name: Deploy policy set definition
+ run: |
+ ./RunWorkflows.ps1 `
+ -DeployCustomPolicySetDefinitions `
+ -CustomPolicySetDefinitionNames '${{ matrix.policySetDefinitionName }}' `
+ -EnvironmentName '${{vars.ENVIRONMENTNAME}}' `
+ -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_SPN_CREDENTIALS}}' -AsPlainText -Force) `
+ -GitHubRepo ${env:GITHUB_REPOSITORY} `
+ -GitHubRef ${env:GITHUB_REF}
+
+ Custom_Policy_Set_Assignments:
+ name: Assign custom policyset
+ environment: ${{ github.ref == 'refs/heads/main' && 'Prod' || 'Lab' }}
+ needs:
+ - Custom_Policy_Definitions
+ - Custom_Policy_Set_Definitions
+
+ strategy:
+ matrix:
+ policySetAssignmentName:
+ - ${{ vars.PolicyPrefix }}-network-root-audit
+ - ${{ vars.PolicyPrefix }}-tags-root-audit
+ fail-fast: false
+
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Configure PowerShell modules
+ run: |
+ Install-Module Az -Force
+ Install-Module powershell-yaml -Force
+
+ - name: Deploy policy set assignment in Lab Environment
+ run: |
+ ./RunWorkflows.ps1 `
+ -DeployCustomPolicySetAssignments `
+ -CustomPolicySetAssignmentNames '${{ matrix.policySetAssignmentName }}' `
+ -EnvironmentName '${{vars.ENVIRONMENTNAME}}' `
+ -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_SPN_CREDENTIALS}}' -AsPlainText -Force) `
+ -GitHubRepo ${env:GITHUB_REPOSITORY} `
+ -GitHubRef ${env:GITHUB_REF} `
+ -CustomPolicySetAssignmentManagementGroupId '${{ vars.RootManagementGroupID }}'
+
+ Builtin_Policy_Set_Assignments:
+ name: Assign built-in policyset
+ environment: ${{ github.ref == 'refs/heads/main' && 'Prod' || 'Lab' }}
+
+ strategy:
+ matrix:
+ policySetAssignmentName:
+ - ${{ vars.PolicyPrefix }}-asb-root-audit
+ - ${{ vars.PolicyPrefix }}-pbmm-root-audit
+ - ${{ vars.PolicyPrefix }}-cis-msft-130-root-audit
+ - ${{ vars.PolicyPrefix }}-location-root-audit
+ - ${{ vars.PolicyPrefix }}-nist80053r5-root-audit
+ fail-fast: false
+
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Configure PowerShell modules
+ run: |
+ Install-Module Az -Force
+ Install-Module powershell-yaml -Force
+
+ - name: Deploy policy set assignment
+ run: |
+ ./RunWorkflows.ps1 `
+ -DeployBuiltinPolicySetAssignments `
+ -BuiltinPolicySetAssignmentNames '${{ matrix.policySetAssignmentName }}' `
+ -EnvironmentName '${{vars.ENVIRONMENTNAME}}' `
+ -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_SPN_CREDENTIALS}}' -AsPlainText -Force) `
+ -GitHubRepo ${env:GITHUB_REPOSITORY} `
+ -GitHubRef ${env:GITHUB_REF} `
+ -BuiltinPolicySetAssignmentManagementGroupId '${{ vars.RootManagementGroupID }}'
\ No newline at end of file
diff --git a/.github/workflows/@001test.yml b/.github/workflows/@001test.yml
index f137f0c6..2a66ac60 100644
--- a/.github/workflows/@001test.yml
+++ b/.github/workflows/@001test.yml
@@ -13,13 +13,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - - name: Display Variable for Lab - if: vars.ENVIRONMENTNAME == 'bchealth-cloud-azure-alz-lab' + - name: Display Variable run: - echo ${{ vars.ENVIRONMENTNAME }}-network-bchealth - - - name: Display Variable for Prod - if: vars.ENVIRONMENTNAME == 'bchealth-cloud-azure-alz-main' - run: - echo ${{ vars.ENVIRONMENTNAME }}-network-bchealth + echo ${{ vars.ENVIRONMENTNAME }}
diff --git a/.github/workflows/@4-00-policy-Root copy.yml b/.github/workflows/@4-00-policy-Root copy.yml
deleted file mode 100644
index 1f48c49a..00000000
--- a/.github/workflows/@4-00-policy-Root copy.yml
+++ /dev/null
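Review bot: All four `Deploy …` steps in the new workflow expand the service-principal secret straight into the script text with `-String '${{secrets.ALZ_SPN_CREDENTIALS}}'`, so the JSON credential is substituted into the pwsh source before it runs, and any single quote in that JSON would terminate the string literal. Pass it through the step environment instead — `env: { ALZ_SPN_CREDENTIALS: ${{ secrets.ALZ_SPN_CREDENTIALS }} }` on the step and `-LoginServicePrincipalJson (ConvertTo-SecureString -String $env:ALZ_SPN_CREDENTIALS -AsPlainText -Force)` in the script — which is the pattern GitHub documents for secrets in `run:` blocks and keeps interpolation out of the script body; if `RunWorkflows.ps1` can take an OIDC login, a federated credential with `id-token: write` would remove the stored SPN secret altogether. Because these jobs assign policy at `${{ vars.RootManagementGroupID }}` with that credential, the file should also declare `permissions: { contents: read }` at the top level, pin `actions/checkout` to a commit SHA rather than `@v3`, and give `Install-Module Az` / `Install-Module powershell-yaml` a `-RequiredVersion`, since an unpinned PSGallery module otherwise executes with root-scope rights. The step in `Custom_Policy_Set_Assignments` is still named `Deploy policy set assignment in Lab Environment` although the job runs for `Prod` as well; rename it to `Deploy policy set assignment` like the sibling jobs.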
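Review bot: The consolidated step's `echo ${{ vars.ENVIRONMENTNAME }}` still interpolates a repository/environment variable directly into the shell command, so anyone able to set that variable can run arbitrary shell in this job; the removed lines had the same shape, so the commit does not make it worse, but it is worth correcting while the step is being rewritten. Expose the value through the environment and quote it — `env: { ENVIRONMENTNAME: ${{ vars.ENVIRONMENTNAME }} }` on the step with `run: echo "$ENVIRONMENTNAME"` — which also replaces the bare multi-line plain scalar under `run:` with a single-line command. The enclosing job's header is outside the hunk, so whether a `permissions:` block is set cannot be seen from here.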
@@ -1,273 +0,0 @@ -# ---------------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT license. -# -# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, -# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. -# ---------------------------------------------------------------------------------- - -name: 4-00 - Policy Root - -on: - workflow_dispatch: - -defaults: - run: - shell: pwsh - working-directory: scripts/deployments - -jobs: - - Custom_Policy_Definitions: - name: Custom policy definitions - runs-on: ubuntu-latest - environment: ${{ github.ref == 'refs/heads/main' && 'Prod' || 'Lab' }} - - steps: - - - name: Checkout - uses: actions/checkout@v3 - - - name: Configure PowerShell modules - run: | - Install-Module Az -Force - Install-Module powershell-yaml -Force - - - name: Deploy policy definitions in Lab Environment - if: github.event.inputs.environmentName == 'bchealth-cloud-azure-alz-lab' - run: | - ./RunWorkflows.ps1 ` - -DeployCustomPolicyDefinitions ` - -EnvironmentName '${{env.ENVIRONMENTNAME}}' ` - -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_SPN_CREDENTIALS}}' -AsPlainText -Force) ` - -GitHubRepo ${env:GITHUB_REPOSITORY} ` - -GitHubRef ${env:GITHUB_REF} - - - name: Deploy policy definitions in Prod Environment - if: github.event.inputs.environmentName == 'bchealth-cloud-azure-alz-main' - run: | - ./RunWorkflows.ps1 ` - -DeployCustomPolicyDefinitions ` - -EnvironmentName '${{env.ENVIRONMENTNAME}}' ` - -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_SPN_CREDENTIALS}}' -AsPlainText -Force) ` - -GitHubRepo ${env:GITHUB_REPOSITORY} ` - -GitHubRef ${env:GITHUB_REF} - - Custom_Policy_Set_Definitions_Lab: - if: github.event.inputs.environmentName == 'bchealth-cloud-azure-alz-lab' - name: Define custom 
Policysets_Lab - needs: Custom_Policy_Definitions - - strategy: - matrix: - policySetDefinitionName: - - LogAnalytics - - Network - - Tags - fail-fast: false - - runs-on: ubuntu-latest - environment: ${{ github.ref == 'refs/heads/main' && 'Prod' || 'Lab' }} - steps: - - - name: Checkout - uses: actions/checkout@v3 - - - name: Configure PowerShell modules - run: | - Install-Module Az -Force - Install-Module powershell-yaml -Force - - - name: Deploy policy set definition in Lab Environment - run: | - ./RunWorkflows.ps1 ` - -DeployCustomPolicySetDefinitions ` - -CustomPolicySetDefinitionNames '${{ matrix.policySetDefinitionName }}' ` - -EnvironmentName '${{env.ENVIRONMENTNAME}}' ` - -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_SPN_CREDENTIALS}}' -AsPlainText -Force) ` - -GitHubRepo ${env:GITHUB_REPOSITORY} ` - -GitHubRef ${env:GITHUB_REF} - - Custom_Policy_Set_Definitions_Prod: - if: github.event.inputs.environmentName == 'bchealth-cloud-azure-alz-main' - name: Define custom Policysets_Prod - needs: Custom_Policy_Definitions - - strategy: - matrix: - policySetDefinitionName: - - LogAnalytics - - Network - - Tags - fail-fast: false - - runs-on: ubuntu-latest - environment: ${{ github.ref == 'refs/heads/main' && 'Prod' || 'Lab' }} - steps: - - - name: Checkout - uses: actions/checkout@v3 - - - name: Configure PowerShell modules - run: | - Install-Module Az -Force - Install-Module powershell-yaml -Force - - - name: Deploy policy set definition in Prod Environment - run: | - ./RunWorkflows.ps1 ` - -DeployCustomPolicySetDefinitions ` - -CustomPolicySetDefinitionNames '${{ matrix.policySetDefinitionName }}' ` - -EnvironmentName '${{env.ENVIRONMENTNAME}}' ` - -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_SPN_CREDENTIALS}}' -AsPlainText -Force) ` - -GitHubRepo ${env:GITHUB_REPOSITORY} ` - -GitHubRef ${env:GITHUB_REF} - - Custom_Policy_Set_Assignments_Lab: - name: Assign custom policyset_Lab - if: 
github.event.inputs.environmentName == 'bchealth-cloud-azure-alz-lab' - needs: - - Custom_Policy_Definitions - - Custom_Policy_Set_Definitions_Lab - - strategy: - matrix: - policySetAssignmentName: - - lab-network-root-audit - - lab-tags-root-audit - fail-fast: false - - runs-on: ubuntu-latest - environment: ${{ github.ref == 'refs/heads/main' && 'Prod' || 'Lab' }} - steps: - - - name: Checkout - uses: actions/checkout@v3 - - - name: Configure PowerShell modules - run: | - Install-Module Az -Force - Install-Module powershell-yaml -Force - - - name: Deploy policy set assignment in Lab Environment - run: | - ./RunWorkflows.ps1 ` - -DeployCustomPolicySetAssignments ` - -CustomPolicySetAssignmentNames '${{ matrix.policySetAssignmentName }}' ` - -EnvironmentName '${{env.ENVIRONMENTNAME}}' ` - -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_SPN_CREDENTIALS}}' -AsPlainText -Force) ` - -GitHubRepo ${env:GITHUB_REPOSITORY} ` - -GitHubRef ${env:GITHUB_REF} ` - -CustomPolicySetAssignmentManagementGroupId '1c0dd63b-ccb3-4433-a6e0-f9a0a2890e14' - - Custom_Policy_Set_Assignments_Prod: - name: Assign custom policyset_Prod - if: github.event.inputs.environmentName == 'bchealth-cloud-azure-alz-main' - needs: - - Custom_Policy_Definitions - - Custom_Policy_Set_Definitions_Prod - - strategy: - matrix: - policySetAssignmentName: - - prod-network-root-audit - - prod-tags-root-audit - fail-fast: false - - runs-on: ubuntu-latest - environment: ${{ github.ref == 'refs/heads/main' && 'Prod' || 'Lab' }} - steps: - - - name: Checkout - uses: actions/checkout@v3 - - - name: Configure PowerShell modules - run: | - Install-Module Az -Force - Install-Module powershell-yaml -Force - - - name: Deploy policy set assignment in Prod Environment - run: | - ./RunWorkflows.ps1 ` - -DeployCustomPolicySetAssignments ` - -CustomPolicySetAssignmentNames '${{ matrix.policySetAssignmentName }}' ` - -EnvironmentName '${{env.ENVIRONMENTNAME}}' ` - -LoginServicePrincipalJson 
(ConvertTo-SecureString -String '${{secrets.ALZ_SPN_CREDENTIALS}}' -AsPlainText -Force) ` - -GitHubRepo ${env:GITHUB_REPOSITORY} ` - -GitHubRef ${env:GITHUB_REF} ` - -CustomPolicySetAssignmentManagementGroupId '31f660a5-192a-4db3-92ba-ca424f1b259e' - - Builtin_Policy_Set_Assignments_Lab: - name: Assign built-in policyset in Lab Environment - if: github.event.inputs.environmentName == 'bchealth-cloud-azure-alz-lab' - - strategy: - matrix: - policySetAssignmentName: - - lab-asb-root-audit - - lab-pbmm-root-audit - - lab-cis-msft-130-root-audit - - lab-location-root-audit - - lab-nist80053r5-root-audit - fail-fast: false - - runs-on: ubuntu-latest - environment: ${{ github.ref == 'refs/heads/main' && 'Prod' || 'Lab' }} - steps: - - - name: Checkout - uses: actions/checkout@v3 - - - name: Configure PowerShell modules - run: | - Install-Module Az -Force - Install-Module powershell-yaml -Force - - - name: Deploy policy set assignment in Lab Environment - run: | - ./RunWorkflows.ps1 ` - -DeployBuiltinPolicySetAssignments ` - -BuiltinPolicySetAssignmentNames '${{ matrix.policySetAssignmentName }}' ` - -EnvironmentName '${{env.ENVIRONMENTNAME}}' ` - -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_SPN_CREDENTIALS}}' -AsPlainText -Force) ` - -GitHubRepo ${env:GITHUB_REPOSITORY} ` - -GitHubRef ${env:GITHUB_REF} ` - -BuiltinPolicySetAssignmentManagementGroupId '1c0dd63b-ccb3-4433-a6e0-f9a0a2890e14' - - Builtin_Policy_Set_Assignments_Prod: - name: Assign built-in policyset in Prod Environment - if: github.event.inputs.environmentName == 'bchealth-cloud-azure-alz-main' - - strategy: - matrix: - policySetAssignmentName: - - prod-asb-root-audit - - prod-pbmm-root-audit - - prod-cis-msft-130-root-audit - - prod-location-root-audit - - prod-nist80053r5-root-audit - fail-fast: false - - runs-on: ubuntu-latest - environment: ${{ github.ref == 'refs/heads/main' && 'Prod' || 'Lab' }} - steps: - - - name: Checkout - uses: actions/checkout@v3 - - - name: 
Configure PowerShell modules - run: | - Install-Module Az -Force - Install-Module powershell-yaml -Force - - - name: Deploy policy set assignment in Prod Environment - run: | - ./RunWorkflows.ps1 ` - -DeployBuiltinPolicySetAssignments ` - -BuiltinPolicySetAssignmentNames '${{ matrix.policySetAssignmentName }}' ` - -EnvironmentName '${{env.ENVIRONMENTNAME}}' ` - -LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_SPN_CREDENTIALS}}' -AsPlainText -Force) ` - -GitHubRepo ${env:GITHUB_REPOSITORY} ` - -GitHubRef ${env:GITHUB_REF} ` - -BuiltinPolicySetAssignmentManagementGroupId '31f660a5-192a-4db3-92ba-ca424f1b259e' \ No newline at end of file