diff --git a/docs/onboarding/azure-devops-pipelines.md b/docs/onboarding/azure-devops-pipelines.md index 6afe8ba0..3561b5da 100644 --- a/docs/onboarding/azure-devops-pipelines.md +++ b/docs/onboarding/azure-devops-pipelines.md 
@@ -476,7 +476,51 @@ In order to configure audit stream for Azure Monitor, identify the following inf 7. Save the pipeline (don't run it yet) 8. Rename the pipeline to `policy-ci` -2. Run pipeline and wait for completion. +2. By default, the pipeline will configure built-in policy assignments (i.e. PBMM, NIST 800-53 Rev 4, NIST 800-53 Rev 5, HIPAA, etc.) and custom policy assignments (i.e. Log Analytics, Defender for Cloud, Networking, Tag Governance, etc.). The assignments are scoped to the top management group (i.e. `pubsec`). These policy sets are documented in [Azure Policy for Guardrails](../policy) and you may choose to customize them for your Azure environment. To customize: + + 1. Edit [/.pipelines/policy.yml](../../.pipelines/policy.yml) + 2. Navigate to the `CustomPolicyJob` Job definition + 3. Navigate to the `Define Policy Set` Step definition and remove the policy definition name from the `deployTemplates` array parameter + + ```yaml + - template: templates/steps/define-policyset.yml + parameters: + description: 'Define Policy Set' + deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, DNSPrivateEndpoints, Tags] + deployOperation: ${{ variables['deployOperation'] }} + workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policyset + + ``` + + 4. Navigate to the `Assign Policy Set` Step definition and remove the policy assignment name from the `deployTemplates` array parameter + + ```yaml + - template: templates/steps/assign-policy.yml + parameters: + description: 'Assign Policy Set' + deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, Tags] + deployOperation: ${{ variables['deployOperation'] }} + policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName) + workingDir: $(System.DefaultWorkingDirectory)/policy/custom/assignments + ``` + + 5. Navigate to the `BuiltInPolicyJob` Job definition + 6. Navigate to the `Assign Policy Set` Step definition + 7. 
Remove the policy set assignment from the `deployTemplates` array parameter + + ```yaml + - template: templates/steps/assign-policy.yml + parameters: + description: 'Assign Policy Set' + deployTemplates: [asb, cis-msft-130, location, nist80053r4, nist80053r5, pbmm, hitrust-hipaa, fedramp-moderate] + deployOperation: ${{ variables['deployOperation'] }} + policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName) + workingDir: $(System.DefaultWorkingDirectory)/policy/builtin/assignments + ``` + +3. Commit the changes to git repository. + +4. Run pipeline and wait for completion. ---
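Review bot: in the new step 2, the `Define Policy Set` array (`[AKS, DefenderForCloud, LogAnalytics, Network, DNSPrivateEndpoints, Tags]`) and the custom `Assign Policy Set` array (`[AKS, DefenderForCloud, LogAnalytics, Network, Tags]`) differ by `DNSPrivateEndpoints`, so the paired "remove from define, then remove from assign" instructions in sub-steps 3 and 4 do not line up for that entry; either state that DNSPrivateEndpoints is defined but intentionally not assigned at the top-level management group, or make the two arrays match. The text should also say explicitly that a name removed from the define array in sub-step 3 must be removed from the assign array in sub-step 4 as well, since an assignment cannot reference a policy set the pipeline no longer defines. Minor wording: the lists after "built-in policy assignments" and "custom policy assignments" are examples, so "e.g." rather than "i.e." (the scope note "i.e. `pubsec`" is fine as is).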