Add instructions for customizing policy set assignments (Azure#215)
SenthuranSivananthan authored Mar 24, 2022
1 parent 0538d4d commit bf5e94b
Showing 1 changed file with 45 additions and 1 deletion.
46 changes: 45 additions & 1 deletion docs/onboarding/azure-devops-pipelines.md
Expand Up @@ -476,7 +476,51 @@ In order to configure audit stream for Azure Monitor, identify the following inf
7. Save the pipeline (don't run it yet)
8. Rename the pipeline to `policy-ci`

2. Run pipeline and wait for completion.
2. By default, the pipeline will configure built-in policy assignments (i.e. PBMM, NIST 800-53 Rev 4, NIST 800-53 Rev 5, HIPAA, etc.) and custom policy assignments (i.e. Log Analytics, Defender for Cloud, Networking, Tag Governance, etc.). The assignments are scoped to the top management group (i.e. `pubsec`). These policy sets are documented in [Azure Policy for Guardrails](../policy) and you may choose to customize them for your Azure environment. To customize:

1. Edit [/.pipelines/policy.yml](../../.pipelines/policy.yml)
2. Navigate to the `CustomPolicyJob` Job definition
3. Navigate to the `Define Policy Set` Step definition and remove the policy definition name from the `deployTemplates` array parameter

```yaml
- template: templates/steps/define-policyset.yml
parameters:
description: 'Define Policy Set'
deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, DNSPrivateEndpoints, Tags]
deployOperation: ${{ variables['deployOperation'] }}
workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policyset
```

4. Navigate to the `Assign Policy Set` Step definition and remove the policy assignment name from the `deployTemplates` array parameter

```yaml
- template: templates/steps/assign-policy.yml
parameters:
description: 'Assign Policy Set'
deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, Tags]
deployOperation: ${{ variables['deployOperation'] }}
policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
workingDir: $(System.DefaultWorkingDirectory)/policy/custom/assignments
```

5. Navigate to the `BuiltInPolicyJob` Job definition
6. Navigate to the `Assign Policy Set` Step definition
7. Remove the policy set assignment from the `deployTemplates` array parameter

```yaml
- template: templates/steps/assign-policy.yml
parameters:
description: 'Assign Policy Set'
deployTemplates: [asb, cis-msft-130, location, nist80053r4, nist80053r5, pbmm, hitrust-hipaa, fedramp-moderate]
deployOperation: ${{ variables['deployOperation'] }}
policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
workingDir: $(System.DefaultWorkingDirectory)/policy/builtin/assignments
```

3. Commit the changes to git repository.

4. Run pipeline and wait for completion.

---
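Review bot: the customization steps (substeps 3, 4 and 7) only drop a name from a `deployTemplates` array, which stops the pipeline from deploying or updating that definition or assignment on the next run; it does not remove an assignment that an earlier run of `policy-ci` already created at the `$(var-topLevelManagementGroupName)` scope, so a reader who follows these steps after the first run will still have the policy set enforced (or auditing) in the tenant. Add a sentence after substep 7 stating that existing assignments must be deleted separately, and consider mentioning the opposite case too: removing a definition name in the `Define Policy Set` step while leaving the matching name in the `Assign Policy Set` step will cause the assign step to reference a definition that is no longer deployed. Two smaller points: the `Define Policy Set` list contains `DNSPrivateEndpoints` while the `Assign Policy Set` list does not, so the text should say that the two arrays are not expected to match one-to-one; and "i.e." in the new step 2 introduces examples, so "e.g." is the intended abbreviation in both places.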

