# ----------------------------------------------------------------------------------
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT license.
#
# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
# ----------------------------------------------------------------------------------
# Azure Pipelines definition for deploying Azure Policy (custom and built-in
# definitions, policy sets and assignments). Template steps referenced below
# live under .pipelines/templates/steps and are not part of this file.

# CI trigger: batched runs on main, restricted to policy content and this
# pipeline's own files.
# NOTE(review): the path filter lists deploy-policy.yml, which this file does
# not reference, while the step templates it does use (define-policy.yml,
# define-policyset.yml, assign-policy.yml, load-log-analytics-vars.yml,
# show-variables.yml) and the ../config/variables templates are not listed —
# edits to those will not start this pipeline; confirm that is intended.
trigger:
  batch: true
  branches:
    include:
      - main
  paths:
    include:
      - policy
      - .pipelines/policy.yml
      - .pipelines/templates/steps/deploy-policy.yml

# No pull-request validation builds for this pipeline.
pr: none

# Pipeline-completion trigger: a successful platform-logging-ci run on main
# also starts this pipeline.
resources:
  pipelines:
    - pipeline: PlatformLogging
      source: platform-logging-ci
      trigger:
        branches:
          include:
            - refs/heads/main

variables:
  # Organisation name derived from the collection URI, e.g.
  # https://dev.azure.com/<org>/ -> <org> (constructed example).
  - name: devops-org-name
    value: ${{ replace(replace(variables['System.CollectionUri'], 'https://dev.azure.com/' , ''), '/', '') }}
  # Per-environment variable file selected by <org>-<branch>.yml, so the
  # source branch name decides which configuration is deployed.
  - name: variable-template-file
    value: ${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}.yml
  - template: ../config/variables/common.yml
  - template: ../config/variables/${{ variables['variable-template-file'] }}

pool:
  # vmImage is supplied by the variable templates above.
  vmImage: $[ variables.vmImage ]

stages:
  - stage: DeployPolicyStage
    displayName: Deploy Policy Stage
    # Three jobs: a deployment job that exists only to pass through the
    # environment's approvals and checks, followed by two independent policy
    # jobs (custom, built-in). The policy jobs depend on the gate job, so
    # they start only after every approval and check on the environment is
    # satisfied; between themselves they are independent and may run in
    # parallel when enough parallel-job capacity is available.
    jobs:
      # Gate job. The approvals and checks themselves are configured on the
      # Azure DevOps environment named after the source branch, not in this
      # file — the gate is only as strong as that environment's settings.
      # NOTE(review): an environment that does not exist yet may be created
      # on first use with no checks attached; confirm each deployable branch
      # has a pre-provisioned environment with the expected approvals.
      - deployment: EnvionmentApprovalsAndChecks
        displayName: Environment Approvals and Checks
        environment: ${{ variables['Build.SourceBranchName'] }}
        strategy:
          runOnce:
            deploy:
              steps:
                - script: |
                    echo "Environment Approvals and Checks completed for environment: ${{ variables['Build.SourceBranchName'] }}"

      # Custom policy definitions, policy sets and assignments.
      - job: CustomPolicyJob
        displayName: Custom Policy Job
        dependsOn:
          - EnvionmentApprovalsAndChecks
        condition: succeeded('EnvionmentApprovalsAndChecks')
        steps:
          - template: templates/steps/load-log-analytics-vars.yml
          # Writes every compile-time variable (including those loaded from
          # the config/variables templates) to the job log as JSON. Keep
          # anything sensitive out of those templates; this is a diagnostic
          # step, not a place for credentials.
          - template: templates/steps/show-variables.yml
            parameters:
              json: ${{ convertToJson(variables) }}
          - template: templates/steps/define-policy.yml
            parameters:
              description: 'Define Policies'
              workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policy
          - template: templates/steps/define-policyset.yml
            parameters:
              description: 'Define Policy Set'
              deployTemplates:
                - AKS
                - DefenderForCloud
                - LogAnalytics
                - Network
                - DNSPrivateEndpoints
                - Tags
              deployOperation: ${{ variables['deployOperation'] }}
              workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policyset
          # DNSPrivateEndpoints is defined above but not assigned here;
          # presumably it is assigned elsewhere — confirm before relying on it.
          - template: templates/steps/assign-policy.yml
            parameters:
              description: 'Assign Policy Set'
              deployTemplates:
                - AKS
                - DefenderForCloud
                - LogAnalytics
                - Network
                - Tags
              deployOperation: ${{ variables['deployOperation'] }}
              workingDir: $(System.DefaultWorkingDirectory)/policy/custom/assignments

      # Built-in policy set assignments (no definitions needed).
      - job: BuiltInPolicyJob
        displayName: Built In Policy Job
        dependsOn:
          - EnvionmentApprovalsAndChecks
        condition: succeeded('EnvionmentApprovalsAndChecks')
        steps:
          - template: templates/steps/load-log-analytics-vars.yml
          # Same variable dump as in CustomPolicyJob; same caveat about
          # sensitive values in the variable templates applies.
          - template: templates/steps/show-variables.yml
            parameters:
              json: ${{ convertToJson(variables) }}
          - template: templates/steps/assign-policy.yml
            parameters:
              description: 'Assign Policy Set'
              deployTemplates:
                - asb
                - cis-msft-130
                - location
                - nist80053r4
                - nist80053r5
                - pbmm
                - hitrust-hipaa
                - fedramp-moderate
              deployOperation: ${{ variables['deployOperation'] }}
              workingDir: $(System.DefaultWorkingDirectory)/policy/builtin/assignments