137 строки
5.0 KiB
YAML
137 строки
5.0 KiB
YAML
# ----------------------------------------------------------------------------------
|
|
# Copyright (c) Microsoft Corporation.
|
|
# Licensed under the MIT license.
|
|
#
|
|
# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
|
|
# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
|
|
# OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
|
|
# ----------------------------------------------------------------------------------
|
|
|
|
trigger:
|
|
batch: true
|
|
branches:
|
|
include:
|
|
- main
|
|
paths:
|
|
include:
|
|
- policy
|
|
- .pipelines/policy.yml
|
|
- .pipelines/templates/steps/deploy-policy.yml
|
|
|
|
pr: none
|
|
|
|
resources:
|
|
pipelines:
|
|
# Trigger this pipeline when platform-logging-ci pipeline completes
|
|
- pipeline: PlatformLogging
|
|
source: platform-logging-ci
|
|
trigger:
|
|
branches:
|
|
include:
|
|
- refs/heads/main
|
|
|
|
variables:
|
|
- name: devops-org-name
|
|
value: ${{ replace(replace(variables['System.CollectionUri'], 'https://dev.azure.com/' , ''), '/', '') }}
|
|
- name: logging-config-directory
|
|
value: $(System.DefaultWorkingDirectory)/$(loggingPathFromRoot)/${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}
|
|
- name: variable-template-file
|
|
value: ${{ variables['devops-org-name'] }}-${{ variables['Build.SourceBranchName'] }}.yml
|
|
- template: ../config/variables/common.yml
|
|
- template: ../config/variables/${{ variables['variable-template-file'] }}
|
|
|
|
pool:
|
|
vmImage: $[ variables.vmImage ]
|
|
|
|
stages:
|
|
|
|
- stage: DeployPolicyStage
|
|
displayName: Deploy Policy Stage
|
|
|
|
# Policy deployment is divided into 2 jobs, one for Built-In and
|
|
# one for Custom policy definitions and assignments. Jobs are
|
|
# implicitly parallel, so these jobs may run concurrently if
|
|
# you have enough parallel job capacity.
|
|
# Added one more job (total 3) that runs before the two existing
|
|
# jobs to run Environment Approvals and Checks. The two policy
|
|
# jobs (built-in and custom) only run once any/all environment
|
|
# approvals and checks are satisfied.
|
|
|
|
jobs:
|
|
|
|
- deployment: EnvironmentApprovalsAndChecks
|
|
displayName: Environment Approvals and Checks
|
|
environment: ${{ variables['Build.SourceBranchName'] }}
|
|
strategy:
|
|
runOnce:
|
|
deploy:
|
|
steps:
|
|
- script: |
|
|
echo "Environment Approvals and Checks completed for environment: ${{ variables['Build.SourceBranchName'] }}"
|
|
|
|
- job: CustomPolicyJob
|
|
displayName: Custom Policy Job
|
|
dependsOn:
|
|
- EnvironmentApprovalsAndChecks
|
|
condition: succeeded('EnvironmentApprovalsAndChecks')
|
|
|
|
steps:
|
|
|
|
- template: templates/steps/load-variables.yml
|
|
|
|
- template: templates/steps/load-log-analytics-vars.yml
|
|
parameters:
|
|
logAnalyticsSubscriptionId: $(var-logging-subscriptionId)
|
|
logAnalyticsConfigurationFile: ${{ variables['logging-config-directory'] }}/$(var-logging-configurationFileName)
|
|
|
|
- template: templates/steps/show-variables.yml
|
|
parameters:
|
|
json: ${{ convertToJson(variables) }}
|
|
|
|
- template: templates/steps/define-policy.yml
|
|
parameters:
|
|
description: 'Define Policies'
|
|
workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policy
|
|
|
|
- template: templates/steps/define-policyset.yml
|
|
parameters:
|
|
description: 'Define Policy Set'
|
|
deployTemplates: [AKS, DefenderForCloud, DNSPrivateEndpoints, LogAnalytics, Network, Tags]
|
|
deployOperation: ${{ variables['deployOperation'] }}
|
|
workingDir: $(System.DefaultWorkingDirectory)/policy/custom/definitions/policyset
|
|
|
|
- template: templates/steps/assign-policy.yml
|
|
parameters:
|
|
description: 'Assign Policy Set'
|
|
deployTemplates: [AKS, DefenderForCloud, LogAnalytics, Network, Tags]
|
|
deployOperation: ${{ variables['deployOperation'] }}
|
|
policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
|
|
workingDir: $(System.DefaultWorkingDirectory)/policy/custom/assignments
|
|
|
|
- job: BuiltInPolicyJob
|
|
displayName: Built In Policy Job
|
|
dependsOn:
|
|
- EnvironmentApprovalsAndChecks
|
|
condition: succeeded('EnvironmentApprovalsAndChecks')
|
|
|
|
steps:
|
|
|
|
- template: templates/steps/load-variables.yml
|
|
|
|
- template: templates/steps/load-log-analytics-vars.yml
|
|
parameters:
|
|
logAnalyticsSubscriptionId: $(var-logging-subscriptionId)
|
|
logAnalyticsConfigurationFile: ${{ variables['logging-config-directory'] }}/$(var-logging-configurationFileName)
|
|
|
|
- template: templates/steps/show-variables.yml
|
|
parameters:
|
|
json: ${{ convertToJson(variables) }}
|
|
|
|
- template: templates/steps/assign-policy.yml
|
|
parameters:
|
|
description: 'Assign Policy Set'
|
|
deployTemplates: [asb, cis-msft-130, location, nist80053r4, nist80053r5, pbmm, hitrust-hipaa, fedramp-moderate]
|
|
deployOperation: ${{ variables['deployOperation'] }}
|
|
policyAssignmentManagementGroupScope: $(var-topLevelManagementGroupName)
|
|
workingDir: $(System.DefaultWorkingDirectory)/policy/builtin/assignments
|