Merge pull request #145 from Azure/feature/v6.2
v6.2
techlake authored Feb 3, 2023
2 parents f506bc7 + 81b98d2 commit 1b3e5ac
Showing 49 changed files with 1,299 additions and 678 deletions.
7 changes: 5 additions & 2 deletions Docs/breaking-changes-v6.0.md
Expand Up @@ -116,15 +116,18 @@ The implementation was changed from Azure AD to MS Graph API impacting the roles
* [Setup DevOps Environment](operating-environment.md) .
* [Create a source repository and import the source code](clone-github.md) from this repository.
* [Select the desired state strategy](desired-state-strategy.md)
* Copy starter kit pipeline definition and definition folder to your folders.
* Copy starter kit pipeline definition.
* [Define your deployment environment](definitions-and-global-settings.md) in `global-settings.jsonc`.
* [Build your CI/CD pipeline](ci-cd-pipeline.md) using a starter kit.
* Optional: generate a starting point for the `Definitions` folders:
* [Extract existing Policy resources from an environment](extract-existing-policy-resources.md).
* [Import Policies from the Cloud Adoption Framework](cloud-adoption-framework.md).
* Copy the sample Policy resource definitions in the starter kit to your `Definitions` folders.
* [Add custom Policy definitions](policy-definitions.md).
* [Add custom Policy Set definitions](policy-set-definitions.md).
* [Create Policy Assignments](policy-assignments.md).
* Import Policies from the [Cloud Adoption Framework](cloud-adoption-framework.md).
* [Manage Policy Exemptions](policy-exemptions.md).
* [Document your deployments](documenting-assignments-and-policy-sets.md).
* [Execute operational tasks](operational-scripts.md).

**[Return to the main page](../README.md)**
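Review bot: the reading list now carries the Cloud Adoption Framework import twice: the new `[Import Policies from the Cloud Adoption Framework](cloud-adoption-framework.md)` under "Optional: generate a starting point" and the older `Import Policies from the [Cloud Adoption Framework](cloud-adoption-framework.md)` further down; drop one of them. This copy also keeps `Copy starter kit pipeline definition.` while the same list in Docs/ci-cd-pipeline.md and the other docs in this commit removes that item entirely, so the copies of the list diverge; pick one wording for all of them (or maintain the list in one place), and drop the stray ` .` after the Setup DevOps Environment link while touching these lines.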
15 changes: 8 additions & 7 deletions Docs/ci-cd-pipeline.md
Expand Up @@ -77,8 +77,8 @@ Create Service Principals and associated service connections in Azure DevOps or

| Connection | Stages | MG: epac-dev-mg | MG: Tenant Root |
| :--- | :--- | :--- | :--- |
| sc-pac-dev | devStage | Owner ||||
| sc-pac-plan | tenantPlanFeatureStage <br/> tenantPlanMainStage || EPAC Policy Reader<br/>MS Graph Permissions |
| sc-pac-dev | devStage | Owner <br/> [Graph Permissions](#ms-graph-permissions) ||||
| sc-pac-plan | tenantPlanFeatureStage <br/> tenantPlanMainStage || [EPAC Policy Reader](#custom-epac-resource-policy-reader-role) <br/> [Graph Permissions](#ms-graph-permissions) |
| sc-pac-prod | tenantDeployStage || Policy Contributor |
| sc-pac-roles | tenantRolesStage-1 || User Access Administrator |

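Review bot: both new rows link to `#custom-epac-resource-policy-reader-role` and `#ms-graph-permissions`, but neither heading appears in this diff; confirm those anchors exist on the page, because a dead fragment link renders without any error. The `sc-pac-dev` row also ends with `||||` against a four-column header, which renders but leaves stray empty cells; trim the row to the header's column count. Since `sc-pac-dev` now needs Graph permissions on top of Owner at `epac-dev-mg`, make sure the linked section lists exactly which Graph permissions the plan stages require so the dev service principal is not granted more than that.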
Expand All @@ -105,9 +105,9 @@ Create Service Principals and associated service connections in Azure DevOps or

| Connection | Stages | MG: epac-dev-mg | MG: Tenant 1 Root | MG: Tenant 2 Root |
| :--- | :--- | :--- | :--- | :--- |
| sc-pac-dev | devStage | Owner ||||
| sc-pac-plan-1 | tenantPlanFeatureStage-1 <br/> tenantPlanMainStage-1 || EPAC Policy Reader<br/>MS Graph Permissions ||
| sc-pac-plan-2 | tenantPlanFeatureStage-2 <br/> tenantPlanMainStage-2 ||| EPAC Policy Reader |
| sc-pac-dev | devStage | Owner <br/> [Graph Permissions](#ms-graph-permissions) ||||
| sc-pac-plan-1 | tenantPlanFeatureStage-1 <br/> tenantPlanMainStage-1 || [EPAC Policy Reader](#custom-epac-resource-policy-reader-role) <br/> [Graph Permissions](#ms-graph-permissions) ||
| sc-pac-plan-2 | tenantPlanFeatureStage-2 <br/> tenantPlanMainStage-2 ||| [EPAC Policy Reader](#custom-epac-resource-policy-reader-role) <br/> [Graph Permissions](#ms-graph-permissions) |
| sc-pac-prod-1 | tenantDeployStage-1 || Policy Contributor ||
| sc-pac-prod-2 | tenantDeployStage-2 ||| Policy Contributor |
| sc-pac-roles-1 | tenantRolesStage-1 || User Access Administrator ||
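Review bot: the `sc-pac-plan-2` row previously required only `EPAC Policy Reader` on the Tenant 2 root and now also requires Graph permissions; that is a new permission requirement for existing multi-tenant deployments and belongs in the v6.2 release notes or breaking-changes doc, not only in this table. The `sc-pac-dev` row has the same trailing `||||` cells as in the single-tenant table above; trim it to the five header columns.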
Expand Down Expand Up @@ -204,7 +204,6 @@ Create distinct ADO environment to configure approval gates. Refer to the follow
<br/>


![image.pmg](Images/epac-deployment-scripts.png)

<br/>
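Review bot: removing `![image.pmg](Images/epac-deployment-scripts.png)` leaves two `<br/>` tags separated only by blank lines; collapse them to one. If `Images/epac-deployment-scripts.png` is no longer referenced anywhere else under Docs, delete the file in the same commit so the repo does not keep an orphaned image.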
Expand Down Expand Up @@ -296,9 +295,11 @@ Detail view:
* [Setup DevOps Environment](operating-environment.md) .
* [Create a source repository and import the source code](clone-github.md) from this repository.
* [Select the desired state strategy](desired-state-strategy.md)
* Copy starter kit pipeline definition and definition folder to your folders.
* [Define your deployment environment](definitions-and-global-settings.md) in `global-settings.jsonc`.
* [Build your CI/CD pipeline](ci-cd-pipeline.md) using a starter kit.
* Optional: generate a starting point for the `Definitions` folders:
* [Extract existing Policy resources from an environment](extract-existing-policy-resources.md).
* [Import Policies from the Cloud Adoption Framework](cloud-adoption-framework.md).
* [Add custom Policy definitions](policy-definitions.md).
* [Add custom Policy Set definitions](policy-set-definitions.md).
* [Create Policy Assignments](policy-assignments.md).
5 changes: 3 additions & 2 deletions Docs/clone-github.md
Expand Up @@ -51,16 +51,17 @@ The repo contains a script to synchronize directories in both directions: `Sync-
| `sourceDirectory` | Required | Directory with the source (forked repo) |
| `destinationDirectory` | Required | Directory with the destination (your private repo) |
| `suppressDeleteFiles` | Optional | Switch parameter to suppress deleting files in `$destinationDirectory` tree |
| `omitDocFiles` | Optional | Switch parameter to exclude documentation files *.md, LICENSE, and this script from synchronization |

## Reading List

* [Setup DevOps Environment](operating-environment.md) .
* [Create a source repository and import the source code](clone-github.md) from this repository.
* [Select the desired state strategy](desired-state-strategy.md)
* Copy starter kit pipeline definition and definition folder to your folders.
* [Define your deployment environment](definitions-and-global-settings.md) in `global-settings.jsonc`.
* [Build your CI/CD pipeline](ci-cd-pipeline.md) using a starter kit.
* Optional: generate a starting point for the `Definitions` folders:
* [Extract existing Policy resources from an environment](extract-existing-policy-resources.md).
* [Import Policies from the Cloud Adoption Framework](cloud-adoption-framework.md).
* [Add custom Policy definitions](policy-definitions.md).
* [Add custom Policy Set definitions](policy-set-definitions.md).
* [Create Policy Assignments](policy-assignments.md).
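Review bot: in the new `omitDocFiles` row, "this script" should name the script the table documents (the `Sync-` script given in the section heading) rather than relying on context, and the bare `*.md` is a markdown emphasis marker; wrap it in backticks so it renders literally. Also, excluding LICENSE from the sync means the private repo will not pick up license changes from the fork; say so in the explanation so the reader makes that choice knowingly.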
4 changes: 3 additions & 1 deletion Docs/cloud-adoption-framework.md
Expand Up @@ -79,9 +79,11 @@ Several of the assignment files also have parameters which need to be in place.
* [Setup DevOps Environment](operating-environment.md) .
* [Create a source repository and import the source code](clone-github.md) from this repository.
* [Select the desired state strategy](desired-state-strategy.md)
* Copy starter kit pipeline definition and definition folder to your folders.
* [Define your deployment environment](definitions-and-global-settings.md) in `global-settings.jsonc`.
* [Build your CI/CD pipeline](ci-cd-pipeline.md) using a starter kit.
* Optional: generate a starting point for the `Definitions` folders:
* [Extract existing Policy resources from an environment](extract-existing-policy-resources.md).
* [Import Policies from the Cloud Adoption Framework](cloud-adoption-framework.md).
* [Add custom Policy definitions](policy-definitions.md).
* [Add custom Policy Set definitions](policy-set-definitions.md).
* [Create Policy Assignments](policy-assignments.md).
4 changes: 3 additions & 1 deletion Docs/definitions-and-global-settings.md
Expand Up @@ -137,9 +137,11 @@ The arrays can have the following entries:
- [Setup DevOps Environment](operating-environment.md) .
- [Create a source repository and import the source code](clone-github.md) from this repository.
- [Select the desired state strategy](desired-state-strategy.md)
- Copy starter kit pipeline definition and definition folder to your folders.
- [Define your deployment environment](definitions-and-global-settings.md) in `global-settings.jsonc`.
- [Build your CI/CD pipeline](ci-cd-pipeline.md) using a starter kit.
- Optional: generate a starting point for the `Definitions` folders:
- [Extract existing Policy resources from an environment](extract-existing-policy-resources.md).
- [Import Policies from the Cloud Adoption Framework](cloud-adoption-framework.md).
- [Add custom Policy definitions](policy-definitions.md).
- [Add custom Policy Set definitions](policy-set-definitions.md).
- [Create Policy Assignments](policy-assignments.md).
4 changes: 3 additions & 1 deletion Docs/desired-state-strategy.md
Expand Up @@ -109,9 +109,11 @@ By default, Policy Assignments at resource groups are not managed by EPAC. Prior
* [Setup DevOps Environment](operating-environment.md) .
* [Create a source repository and import the source code](clone-github.md) from this repository.
* [Select the desired state strategy](desired-state-strategy.md)
* Copy starter kit pipeline definition and definition folder to your folders.
* [Define your deployment environment](definitions-and-global-settings.md) in `global-settings.jsonc`.
* [Build your CI/CD pipeline](ci-cd-pipeline.md) using a starter kit.
* Optional: generate a starting point for the `Definitions` folders:
* [Extract existing Policy resources from an environment](extract-existing-policy-resources.md).
* [Import Policies from the Cloud Adoption Framework](cloud-adoption-framework.md).
* [Add custom Policy definitions](policy-definitions.md).
* [Add custom Policy Set definitions](policy-set-definitions.md).
* [Create Policy Assignments](policy-assignments.md).
4 changes: 3 additions & 1 deletion Docs/documenting-assignments-and-policy-sets.md
Expand Up @@ -222,9 +222,11 @@ Compares Policy and Initiative definitions to Initiative definitions for Policy
* [Setup DevOps Environment](operating-environment.md) .
* [Create a source repository and import the source code](clone-github.md) from this repository.
* [Select the desired state strategy](desired-state-strategy.md)
* Copy starter kit pipeline definition and definition folder to your folders.
* [Define your deployment environment](definitions-and-global-settings.md) in `global-settings.jsonc`.
* [Build your CI/CD pipeline](ci-cd-pipeline.md) using a starter kit.
* Optional: generate a starting point for the `Definitions` folders:
* [Extract existing Policy resources from an environment](extract-existing-policy-resources.md).
* [Import Policies from the Cloud Adoption Framework](cloud-adoption-framework.md).
* [Add custom Policy definitions](policy-definitions.md).
* [Add custom Policy Set definitions](policy-set-definitions.md).
* [Create Policy Assignments](policy-assignments.md).
84 changes: 84 additions & 0 deletions Docs/extract-existing-policy-resources.md
@@ -0,0 +1,84 @@
# Extract existing Policy Resources from an Environment

**On this page**

* [\[Preview\] Script `Build-DefinitionsFolder`](#preview-script-build-definitionsfolder)
* [Preview Caveats](#preview-caveats)
* [Reading List](#reading-list)

## [Preview] Script `Build-DefinitionsFolder`

> ---
> ---
>
> **WARNING:** <br/>
> This is a preview version which [may produce strange assignment files](#preview-caveats) in rare circumstances. If you see such a problem, please [raise a GitHub issue](https://github.com/Azure/enterprise-azure-policy-as-code/issues/new).
>
> ---
> ---
<br/>

Extracts existing Policy definitions, Policy Set definitions, and Policy Assignments and outputs them in EPAC format into subfolders in folder (`$outputFolders/Definitions`). The subfolders are `policyDefinitions`, `policySetDefinitions`, and `policyAssignments`. In a new EPAC instance these subfolders can be directly copied to the`Definitions` folder enabling an initial transition from a pre-EPAC to EPAC environment.

> ---
> ---
>
> **WARNING:** <br/>
> The script deletes the `$outputFolders/Definitions` folder before creating a new set of files. In interactive mode it will ask for confirmation before deleting the directory.
>
> ---
> ---
|Parameter | Required | Explanation |
|----------|----------|-------------|
| `PacEnvironmentSelector` | Optional | Defines which Policy as Code (PAC) environment we are using, if omitted, the script prompts for a value. The values are read from `$DefinitionsRootFolder/global-settings.jsonc`. |
| `definitionsRootFolder` | Optional | Definitions folder path. Defaults to environment variable `$env:PAC_DEFINITIONS_FOLDER` or `./Definitions`. It contains `global-settings.jsonc`.
| `outputFolder` | Optional | Output Folder. Defaults to environment variable `$env:PAC_OUTPUT_FOLDER` or `./Outputs`.
| `interactive` | Optional | Script is being run interactively and can request az login. It will also prompt for each file to process or skip. Defaults to $true. |
| `includeChildScopes` | Optional | Switch parameter to include Policy and Policy Set definitions in child scopes; child scopes are normally ignored for definitions. This does not impact Policy Assignments. |

<br/>

The scripts creates a `Definitions` folder in the `outputFolder` and subfolders for `policyDefinitions`, `policySetDefinitions` and `policyAssignments`. To use the genaerated files copy them to your `Definitions` folder.

* `policyDefinitions`, `policySetDefinitions` have a subfolder based on `metadata.category`. If the definition has no `category` `metadata` they are put ina subfolder labeled `Unknown Category`. Duplicates when including child scopes are sorted into the `Duplicates` folder. Creates one file per Policy and Policy Set.
* `policyAssignments` have a subfolder `policy` for assignments of a single Policy, or a subfolder `policySet` for assignment of a Policy Set (Initiative). Creates one file per unique assigned Policy or Policy Set spanning multiple Assignments.

## Preview Caveats

The extraction are subject to the following assumptions and caveats:

* Names of Policy and Policy Set (Initiative) definitions are unique across multiple scopes (switch `includeChildScopes` is used)
* Assignment names are the same if the parameters match across multiple assignments across scopes for the same `policyDefinitionId` to enable optimization of the JSON.
* Ignores Assignments auto-assigned by Security Center (Defender for Cloud) at subscription level.
* Does not collate across multiple tenants.
* Does not calculate any additionalRoleAssignments.
* Only optimizes the tree structure from the three levels in the following order:
* `policyDefinition` (name or id)
* `parameters` per parameter set for the `policyDefinition`
* Assignment name, **scopes**, and other attributes
* In some cases, ordering scope would yield a more compact tree structure:
* `policyDefinition` (name or id)
* Assignment name, **scopes**, and other attributes
* `parameters` per parameter set for the `policyDefinition`
* Doesn't (yet) collate multiple assignments in support of CSV files for parameters. Use `Build-PolicyDocumentation.ps1` to generate CSV files and edit the corresponding assignments to reference the CSV file
* Doesn't generate Exemptions; use `Get-AzExemptions.ps1` instead.

## Reading List

* [Setup DevOps Environment](operating-environment.md) .
* [Create a source repository and import the source code](clone-github.md) from this repository.
* [Select the desired state strategy](desired-state-strategy.md)
* [Define your deployment environment](definitions-and-global-settings.md) in `global-settings.jsonc`.
* [Build your CI/CD pipeline](ci-cd-pipeline.md) using a starter kit.
* Optional: generate a starting point for the `Definitions` folders:
* [Extract existing Policy resources from an environment](extract-existing-policy-resources.md).
* [Import Policies from the Cloud Adoption Framework](cloud-adoption-framework.md).
* [Add custom Policy definitions](policy-definitions.md).
* [Add custom Policy Set definitions](policy-set-definitions.md).
* [Create Policy Assignments](policy-assignments.md).
* Import Policies from the [Cloud Adoption Framework](cloud-adoption-framework.md).
* [Manage Policy Exemptions](policy-exemptions.md).
* [Document your deployments](documenting-assignments-and-policy-sets.md).
* [Execute operational tasks](operational-scripts.md).
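Review bot: the destructive step needs a guard and a consistent name. The warning says the script deletes `$outputFolders/Definitions`, but the parameter is `outputFolder` and the environment variable is `PAC_OUTPUT_FOLDER`; use one name. With `interactive` settable to `$false` the delete runs without confirmation, and nothing stops `outputFolder` from resolving to the same path as `definitionsRootFolder` (defaults `./Outputs` and `./Definitions` differ, but a user passing `.` gets `./Definitions` wiped); state the non-interactive behaviour in the `interactive` row and have the script refuse to run when the output `Definitions` folder would coincide with the live one. Smaller items in this hunk: the `definitionsRootFolder` and `outputFolder` table rows lack the closing `|`; typos "genaerated", "ina subfolder", "The scripts creates", "The extraction are subject"; and the reading list carries the Cloud Adoption Framework import twice (the new entry under "Optional" and the older `Import Policies from the [Cloud Adoption Framework]` line), so drop one.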
6 changes: 4 additions & 2 deletions Docs/operating-environment.md
Expand Up @@ -13,7 +13,7 @@

Your operating environment will include two repos, a runner, and at least one developer machine. The following software is required on the runners and any developer workstation.

* PowerShell 7.2 or later, 7.3.1 (latest) recommended
* PowerShell 7.3.1 or later, 7.3.2 (latest) recommended
* PowerShell Modules
* Az required 9.3.0 or later - **9.2.x has a bug which causes EPAC to fail**
* ImportExcel (required only if using Excel functionality)
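Review bot: raising the minimum PowerShell version from 7.2 to 7.3.1 is a new requirement for every existing runner and developer machine; record it in the v6.2 release notes or breaking-changes doc alongside the Az 9.3.0 minimum, and say which feature or fix in 7.3.1 EPAC depends on, otherwise readers still on 7.2 cannot judge whether the bump is mandatory for them. "7.3.2 (latest)" will go stale quickly; "or later" already covers it.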
Expand Down Expand Up @@ -67,9 +67,11 @@ Agents (also called runners) are often hosted in VMs within Azure itself. It is
* [Setup DevOps Environment](operating-environment.md) .
* [Create a source repository and import the source code](clone-github.md) from this repository.
* [Select the desired state strategy](desired-state-strategy.md)
* Copy starter kit pipeline definition and definition folder to your folders.
* [Define your deployment environment](definitions-and-global-settings.md) in `global-settings.jsonc`.
* [Build your CI/CD pipeline](ci-cd-pipeline.md) using a starter kit.
* Optional: generate a starting point for the `Definitions` folders:
* [Extract existing Policy resources from an environment](extract-existing-policy-resources.md).
* [Import Policies from the Cloud Adoption Framework](cloud-adoption-framework.md).
* [Add custom Policy definitions](policy-definitions.md).
* [Add custom Policy Set definitions](policy-set-definitions.md).
* [Create Policy Assignments](policy-assignments.md).
0 comments on commit 1b3e5ac