# ----------------------------------------------------------------------------------
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT license.
#
# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
# ----------------------------------------------------------------------------------
# Azure Pipelines definition that deploys the Azure Policy content under
# `policy/` (custom definitions, policy sets and assignments, plus built-in
# assignments) after the target environment's approvals and checks have passed.

# CI trigger: batched pushes to main that touch the policy content, this
# pipeline file, or the deploy-policy step template.
trigger:
  batch: true
  branches:
    include:
      - main
  paths:
    include:
      - policy
      - .pipelines/policy.yml
      - .pipelines/templates/steps/deploy-policy.yml
      # NOTE(review): the step templates used by the jobs below
      # (load-variables, define-policy, define-policyset, assign-policy, ...)
      # are not in this list, so edits to them do not start this pipeline —
      # confirm that is intended.

# Pull requests never run this pipeline.
pr: none

resources:
  pipelines:
    # Also run this pipeline whenever platform-logging-ci completes on main.
    - pipeline: PlatformLogging
      source: platform-logging-ci
      trigger:
        branches:
          include:
            - refs/heads/main

variables:
  # Organisation name taken from System.CollectionUri by removing the
  # https://dev.azure.com/ prefix and the remaining slash.
  - name: devops-org-name
    value: ${{ replace(replace(variables['System.CollectionUri'], 'https://dev.azure.com/' , ''), '/', '') }}
  # Folder holding the per-organisation, per-branch logging configuration.
  # $(loggingPathFromRoot) is resolved at runtime; presumably it is declared
  # in the variable templates below — verify.
  - name: logging-config-directory
    value: $(System.DefaultWorkingDirectory)/$(loggingPathFromRoot)/${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}
  # File name of the per-organisation, per-branch variable template
  # (<org>-<branch>.yml).
  - name: variable-template-file
    value: ${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}.yml
  # Shared variables first, then the organisation/branch-specific ones.
  - template: ../config/variables/common.yml
  - template: ../config/variables/${{ variables['variable-template-file'] }}

pool:
  # Runtime expression; vmImage is presumably set by the variable templates.
  vmImage: $[ variables.vmImage ]

stages:
  - stage: DeployPolicyStage
    displayName: Deploy Policy Stage
    # Three jobs: EnvironmentApprovalsAndChecks runs first; CustomPolicyJob
    # and BuiltInPolicyJob both depend on it and are otherwise independent,
    # so they run concurrently when enough parallel-job capacity exists.
    jobs:
      # Deployment job targeting the environment named after the source
      # branch, so that the environment's approvals and checks gate the two
      # policy jobs that depend on it. Its only step is an echo.
      - deployment: EnvironmentApprovalsAndChecks
        displayName: Environment Approvals and Checks
        environment: ${{ variables['Build.SourceBranchName'] }}
        strategy:
          runOnce:
            deploy:
              steps:
                - script: |
                    echo "Environment Approvals and Checks completed for environment: ${{ variables['Build.SourceBranchName'] }}"

      # Custom policy definitions, policy sets and their assignments.
      - job: CustomPolicyJob
        displayName: Custom Policy Job
        dependsOn:
          - EnvironmentApprovalsAndChecks
        condition: succeeded('EnvironmentApprovalsAndChecks')
        steps:
          - template: templates/steps/load-variables.yml
          - template: templates/steps/load-log-analytics-vars.yml
            parameters:
              logAnalyticsSubscriptionId: $(var-logging-subscriptionId)
              logAnalyticsConfigurationFile: ${{ variables['logging-config-directory'] }}/$(var-logging-configurationFileName)
          # Hands a JSON dump of every compile-time variable to the
          # show-variables template (presumably for logging).
          # NOTE(review): anything sensitive carried in the variable templates
          # would surface in the job log here — keep secrets out of them.
          - template: templates/steps/show-variables.yml
            parameters:
              json: ${{ convertToJson(variables) }}
          - template: templates/steps/define-policy.yml
            parameters:
              description: 'Define Policies'
              workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policy
          # deployOperation is presumably provided by the variable templates.
          - template: templates/steps/define-policyset.yml
            parameters:
              description: 'Define Policy Set'
              deployTemplates:
                - AKS
                - DefenderForCloud
                - DNSPrivateEndpoints
                - LogAnalytics
                - Network
                - Tags
              deployOperation: ${{ variables['deployOperation'] }}
              workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policyset
          - template: templates/steps/assign-policy.yml
            parameters:
              description: 'Assign Policy Set'
              deployTemplates:
                - AKS
                - DefenderForCloud
                - LogAnalytics
                - Network
                - Tags
              deployOperation: ${{ variables['deployOperation'] }}
              policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
              workingDir: $(System.DefaultWorkingDirectory)/policy/custom/assignments

      # Assignments of built-in policy sets; no definitions are created here.
      - job: BuiltInPolicyJob
        displayName: Built In Policy Job
        dependsOn:
          - EnvironmentApprovalsAndChecks
        condition: succeeded('EnvironmentApprovalsAndChecks')
        steps:
          - template: templates/steps/load-variables.yml
          - template: templates/steps/load-log-analytics-vars.yml
            parameters:
              logAnalyticsSubscriptionId: $(var-logging-subscriptionId)
              logAnalyticsConfigurationFile: ${{ variables['logging-config-directory'] }}/$(var-logging-configurationFileName)
          # Same variable dump as in CustomPolicyJob; same caveat about
          # sensitive values in the variable templates applies.
          - template: templates/steps/show-variables.yml
            parameters:
              json: ${{ convertToJson(variables) }}
          - template: templates/steps/assign-policy.yml
            parameters:
              description: 'Assign Policy Set'
              deployTemplates:
                - asb
                - cis-msft-130
                - location
                - nist80053r4
                - nist80053r5
                - pbmm
                - hitrust-hipaa
                - fedramp-moderate
              deployOperation: ${{ variables['deployOperation'] }}
              policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
              workingDir: $(System.DefaultWorkingDirectory)/policy/builtin/assignments