policy-exemptions #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: policy-exemptions | |
| on: | |
| workflow_dispatch: # allows a manual run from the UI | |
| inputs: | |
| debug: | |
| description: "Enable debug logging" | |
| type: boolean | |
| default: false | |
| workflow_run: | |
| workflows: ["policy-assignments"] # name of the triggering workflow | |
| types: [completed] | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| env: | |
| ACTIONS_STEP_DEBUG: ${{ inputs.debug }} | |
| variablesPath: "settings.yml" | |
| templateName: "PolicyExemption" | |
| templateFileDirectory: "bicep/templates/policyExemptions" | |
| devConfigFileDirectory: "policyExemptions/dev" | |
| prodConfigFileDirectory: "policyExemptions/prod" | |
| configurationSchemaFilePath: "policyExemptions/policyExemption.schema.json" | |
| templateFileName: "main.bicep" | |
| outputFileArtifactSuffix: "Output" | |
| bicepVariableName: "policyExemptions" | |
| configSyntaxTestScriptPath: "tests/policyExemption/configuration-syntax/exemptionConfigurationsSyntaxTest.ps1" | |
| jobs: | |
| job_call_initiation: | |
| name: Initiation | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }} | |
| steps: | |
| - name: "Checkout" | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: "Initiation" | |
| uses: ./.github/actions/templates/initiation | |
| with: | |
| variablesPath: "${{ env.variablesPath }}" | |
| job_build_dev: | |
| name: Build Dev | |
| runs-on: ubuntu-latest | |
| needs: job_call_initiation | |
| env: | |
| AZURE_CREDENTIALS: ${{ secrets.POLICY_DEV_MG_OWNER }} | |
| steps: | |
| - name: "Checkout" | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Import Variables | |
| shell: pwsh # PowerShell Core | |
| env: | |
| variablesPath: "settings.yml" | |
| run: | | |
| echo '::group::Import Variables from ${{ env.variablesPath }}' | |
| ./scripts/pipelines/github-set-variables.ps1 -configFilePath ${{ env.variablesPath }} | |
| echo '::endgroup::' | |
| - name: "Update Files" | |
| uses: ./.github/actions/templates/build-policy-assignment-and-exemption | |
| with: | |
| resource-type: "exemption" | |
| config-files-path: "${{ env.devConfigFileDirectory }}" | |
| template-file-directory: "${{ env.templateFileDirectory }}" | |
| bicep-file-path: "${{ env.templateFileDirectory }}/${{ env.templateFileName }}" | |
| bicep-variable-name: "${{ env.bicepVariableName }}" | |
| output-dir: "${{ env.devConfigFileDirectory }}" | |
| policy-location-resource-id: "/providers/Microsoft.Management/managementGroups/${{ env.devManagementGroup }}" | |
| bicep-template-build-artifact-name: "policy_exemption_bicep_${{ env.devEnv }}" | |
| job_build_prod: | |
| name: Build Prod | |
| runs-on: ubuntu-latest | |
| needs: job_call_initiation | |
| env: | |
| AZURE_CREDENTIALS: ${{ secrets.POLICY_PROD_MG_OWNER }} | |
| steps: | |
| - name: "Checkout" | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Import Variables | |
| shell: pwsh # PowerShell Core | |
| env: | |
| variablesPath: "settings.yml" | |
| run: | | |
| echo '::group::Import Variables from ${{ env.variablesPath }}' | |
| ./scripts/pipelines/github-set-variables.ps1 -configFilePath ${{ env.variablesPath }} | |
| echo '::endgroup::' | |
| - name: "Update Files" | |
| uses: ./.github/actions/templates/build-policy-assignment-and-exemption | |
| with: | |
| resource-type: "exemption" | |
| config-files-path: "${{ env.prodConfigFileDirectory }}" | |
| template-file-directory: "${{ env.templateFileDirectory }}" | |
| bicep-file-path: "${{ env.templateFileDirectory }}/${{ env.templateFileName }}" | |
| bicep-variable-name: "${{ env.bicepVariableName }}" | |
| output-dir: "${{ env.prodConfigFileDirectory }}" | |
| policy-location-resource-id: "/providers/Microsoft.Management/managementGroups/${{ env.prodManagementGroup }}" | |
| bicep-template-build-artifact-name: "policy_exemption_bicep_${{ env.prodEnv }}" | |
| job_test_dev: | |
| name: Test Dev | |
| runs-on: ubuntu-latest | |
| needs: job_build_dev | |
| env: | |
| AZURE_CREDENTIALS: ${{ secrets.POLICY_DEV_MG_OWNER }} | |
| steps: | |
| - name: "Checkout" | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: "Install PowerShell-Yaml Module" | |
| shell: pwsh | |
| run: | | |
| echo '::group::Install PowerShell-Yaml Module if not present' | |
| if (-not (Get-Module -ListAvailable -Name powershell-yaml)) { | |
| Write-Output "Installing powershell-yaml module..." | |
| Install-Module -Name powershell-yaml -Force -Scope CurrentUser | |
| } | |
| echo '::endgroup::' | |
| - name: Import Variables | |
| shell: pwsh # PowerShell Core | |
| env: | |
| variablesPath: "settings.yml" | |
| run: | | |
| echo '::group::Import Variables from ${{ env.variablesPath }}' | |
| ./scripts/pipelines/github-set-variables.ps1 -configFilePath ${{ env.variablesPath }} | |
| echo '::endgroup::' | |
| - name: "Validate Configuration Files Syntax" | |
| uses: ./.github/actions/templates/validate-policy-assignment-and-exemption-config-syntax | |
| with: | |
| config-file-directory: "${{ env.devConfigFileDirectory }}" | |
| config-schema-file-path: "${{ env.configurationSchemaFilePath }}" | |
| test-script-path: "${{ env.configSyntaxTestScriptPath }}" | |
| output-file-prefix: "TEST-ExemptionConfigSyntax-${{ env.devEnv }}" | |
| test-run-title: "DevExemptionConfigSyntaxTest" | |
| skip-passed-tests-report: true | |
| - name: "Test and Validate Bicep Template" | |
| uses: ./.github/actions/templates/test-validate | |
| with: | |
| template-name: "${{ env.templateName }}" | |
| template-file-directory: "${{ env.templateFileDirectory }}" | |
| template-file-artifact-name: "policy_exemption_bicep_${{ env.devEnv }}" | |
| template-file-name: "${{ env.templateFileName }}" | |
| psrule-baseline-name: "Azure.Default" | |
| psrule-test-title: "PSRule Validation Summary - Dev" | |
| run-bicep-support-files-tests: true | |
| run-psrule-tests: true | |
| run-template-validation: true | |
| run-whatif-in-template-validation: false | |
| run-bicep-linter: true | |
| whatif-max-retry: 3 | |
| template-scope: "managementGroup" | |
| target-name: ${{ env.devManagementGroup }} | |
| azure-location: ${{ env.default-region }} | |
| skip-passed-tests-report: false | |
| job_test_prod: | |
| name: Test Prod | |
| runs-on: ubuntu-latest | |
| needs: job_build_prod | |
| env: | |
| AZURE_CREDENTIALS: ${{ secrets.POLICY_PROD_MG_OWNER }} | |
| steps: | |
| - name: "Checkout" | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: "Install PowerShell-Yaml Module" | |
| shell: pwsh | |
| run: | | |
| echo '::group::Install PowerShell-Yaml Module if not present' | |
| if (-not (Get-Module -ListAvailable -Name powershell-yaml)) { | |
| Write-Output "Installing powershell-yaml module..." | |
| Install-Module -Name powershell-yaml -Force -Scope CurrentUser | |
| } | |
| echo '::endgroup::' | |
| - name: Import Variables | |
| shell: pwsh # PowerShell Core | |
| env: | |
| variablesPath: "settings.yml" | |
| run: | | |
| echo '::group::Import Variables from ${{ env.variablesPath }}' | |
| ./scripts/pipelines/github-set-variables.ps1 -configFilePath ${{ env.variablesPath }} | |
| echo '::endgroup::' | |
| - name: "Validate Configuration Files Syntax" | |
| uses: ./.github/actions/templates/validate-policy-assignment-and-exemption-config-syntax | |
| with: | |
| config-file-directory: "${{ env.prodConfigFileDirectory }}" | |
| config-schema-file-path: "${{ env.configurationSchemaFilePath }}" | |
| test-script-path: "${{ env.configSyntaxTestScriptPath }}" | |
| output-file-prefix: "TEST-ExemptionConfigSyntax-${{ env.prodEnv }}" | |
| test-run-title: "ProdExemptionConfigSyntaxTest" | |
| skip-passed-tests-report: true | |
| - name: "Test and Validate Bicep Template" | |
| uses: ./.github/actions/templates/test-validate | |
| with: | |
| template-name: "${{ env.templateName }}" | |
| template-file-directory: "${{ env.templateFileDirectory }}" | |
| template-file-artifact-name: "policy_exemption_bicep_${{ env.prodEnv }}" | |
| template-file-name: "${{ env.templateFileName }}" | |
| psrule-baseline-name: "Azure.Default" | |
| psrule-test-title: "PSRule Validation Summary - Prod" | |
| run-bicep-support-files-tests: true | |
| run-psrule-tests: true | |
| run-template-validation: true | |
| run-whatif-in-template-validation: false | |
| run-bicep-linter: true | |
| whatif-max-retry: 3 | |
| template-scope: "managementGroup" | |
| target-name: ${{ env.prodManagementGroup }} | |
| azure-location: ${{ env.default-region }} | |
| skip-passed-tests-report: false | |
| job_deploy_dev: | |
| name: "Deploy Dev" | |
| runs-on: ubuntu-latest | |
| needs: | |
| - job_test_dev | |
| env: | |
| AZURE_CREDENTIALS: ${{ secrets.POLICY_DEV_MG_OWNER }} | |
| steps: | |
| - name: "Checkout" | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: "Install PowerShell-Yaml Module" | |
| shell: pwsh | |
| run: | | |
| echo '::group::Install PowerShell-Yaml Module if not present' | |
| if (-not (Get-Module -ListAvailable -Name powershell-yaml)) { | |
| Write-Output "Installing powershell-yaml module..." | |
| Install-Module -Name powershell-yaml -Force -Scope CurrentUser | |
| } | |
| echo '::endgroup::' | |
| - name: Import Variables | |
| shell: pwsh # PowerShell Core | |
| env: | |
| variablesPath: "settings.yml" | |
| run: | | |
| echo '::group::Import Variables from ${{ env.variablesPath }}' | |
| ./scripts/pipelines/github-set-variables.ps1 -configFilePath ${{ env.variablesPath }} | |
| echo '::endgroup::' | |
| - name: Deploy Template | |
| uses: ./.github/actions/templates/bicep-deployments | |
| with: | |
| template-name: "${{env.templateName}}" | |
| template-file-directory: "${{ env.templateFileDirectory }}" | |
| template-file-name: "${{ env.templateFileName }}" | |
| template-file-artifact-name: "policy_exemption_bicep_${{ env.devEnv }}" | |
| template-scope: "managementGroup" | |
| target-name: ${{ env.devManagementGroup }} | |
| azure-location: ${{ env.default-region }} | |
| publish-deployment-outputs: true | |
| retry-failed-deployment: true | |
| deployment-output-variable-prefix: "${{ env.devEnv }}" | |
| max-wait-minutes: 60 | |
| http-timeout-seconds: 1000 | |
| job_deploy_prod: | |
| name: "Deploy Prod" | |
| if: github.ref == 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| needs: | |
| - job_test_prod | |
| - job_deploy_dev | |
| env: | |
| AZURE_CREDENTIALS: ${{ secrets.POLICY_PROD_MG_OWNER }} | |
| steps: | |
| - name: "Checkout" | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: "Install PowerShell-Yaml Module" | |
| shell: pwsh | |
| run: | | |
| echo '::group::Install PowerShell-Yaml Module if not present' | |
| if (-not (Get-Module -ListAvailable -Name powershell-yaml)) { | |
| Write-Output "Installing powershell-yaml module..." | |
| Install-Module -Name powershell-yaml -Force -Scope CurrentUser | |
| } | |
| echo '::endgroup::' | |
| - name: Import Variables | |
| shell: pwsh # PowerShell Core | |
| env: | |
| variablesPath: "settings.yml" | |
| run: | | |
| echo '::group::Import Variables from ${{ env.variablesPath }}' | |
| ./scripts/pipelines/github-set-variables.ps1 -configFilePath ${{ env.variablesPath }} | |
| echo '::endgroup::' | |
| - name: Deploy Template | |
| uses: ./.github/actions/templates/bicep-deployments | |
| with: | |
| template-name: "${{env.templateName}}" | |
| template-file-directory: "${{ env.templateFileDirectory }}" | |
| template-file-name: "${{ env.templateFileName }}" | |
| template-file-artifact-name: "policy_exemption_bicep_${{ env.prodEnv }}" | |
| template-scope: "managementGroup" | |
| target-name: ${{ env.prodManagementGroup }} | |
| azure-location: ${{ env.default-region }} | |
| publish-deployment-outputs: true | |
| retry-failed-deployment: true | |
| deployment-output-variable-prefix: "${{ env.prodEnv }}" | |
| max-wait-minutes: 60 | |
| http-timeout-seconds: 1000 |