Comments (4)
Are you deploying the plan using the command below: specifically adding the pacEnvironment
parameter?
Deploy-PolicyPlan -definitionsRootFolder $env:definitionsRootFolder -inputFolder $env:planFolder -pacEnvironment $env:pacEnvironment
There is an example workflow in the StarterKit which you can copy - it should work...
from enterprise-azure-policy-as-code.
Are you deploying the plan using the command below: specifically adding the
pacEnvironment
parameter?Deploy-PolicyPlan -definitionsRootFolder $env:definitionsRootFolder -inputFolder $env:planFolder -pacEnvironment $env:pacEnvironment
There is an example workflow in the StarterKit which you can copy - it should work...
Thank for the quick reply. I figured out my problem this morning. I guess there is just some thing I didn't understand with the deployment process when using the github action workflow. And I still don't completely understand this workflow and the intention. I guess this workflow is a simplified workflow only meant to run a plan against 1 environment and then deploy against the same environment. This is where it went wrong for me. I thought the intention was to test against dev/test management group and then deploy against prod. When I read the documentation I understood it as a test deployment against dev/test management group, then a prod deployment against prod, and I see that is probably what is solved with the azure devops single tenant workflow. We might not actually need this complexity as of now, but for the arguments sake. How could we solve this in github action workflow? I have now managed to deploy to the dev/test management group, but if I was to now deploy the same policies and policy set to a prod management group in the same tenant, if I duplicated the same workflows, pointed them to prod and then ran it, would it understand that the policies and policy sets should be moved to prod?
My next question would be what happens when you then add more policies and definitions for testing and run the test build, wouldn't it then move everything back the t\dev/test management group? Or is there something keeping track of what's been deployed to test, and then to prod so it isn't moved back?
I realize that this is maybe outside the scope of your support, and we probably can live just fine with deploy directly to prod.
Some feedback:
- Have you looked into OIDC authentication against github? I needed to modify the workflow in order to leverage OIDC instead. Let me know if you want that setup as well and maybe i can contribute?
- Also, not sure if there has been som changes on the type of permissions you have in a github repo, or if it's because we are on a free version, but i needed to grant specific permission for the jobs in order to have enough permission for the github_token to create pull requests and clean up etc. I ended up with giving write-all under jobs on both the build and deploy workflow. It didn't work giving permission in the github GUI for the repo to have read/write and to create PR.
- I think also the .gitignore created some issues, as it then does not create the Output folder when creating it locally and pushing to remote repo. I ended up removing the remove item from .gitignore in the workflow as well. Maybe I need it for something, but I couldn't figure out for what. To me it seemed like it actually made the build workflow omit the plan file from the pull request, so only the body.txt was sent.
from enterprise-azure-policy-as-code.
Yes I've looked into OIDC - just haven't had a chance to implement. I am missing the instructions for setting up the GitHub permissions. It is only designed for a simple workflow - the background is that we have done a lot in Azure DevOps around the pipeline so this was the first foray into GitHub actions. I need to have a good think about what this would look like in dev/test workflow - just haven't had time.
from enterprise-azure-policy-as-code.
Ok. Thanks for your feedback. You can close this issue, and I will change the workflow to deploy against prod instead. Great work with this solution though. Looking forward to testing it more!
from enterprise-azure-policy-as-code.
Related Issues (20)
- Improve regression tests
- Assignment always replaced when using userAssignedIdentity HOT 1
- Remediation Task could not be created HOT 3
- Non EPAC exemptions are not being removed. HOT 1
- Outdated Policy-Exemption Schema HOT 2
- EPAC service principal does not have authorization to perform action 'Microsoft.Management/register/action' over scopes HOT 3
- Sudden issues with 'Code bug: Our root is not in this tree' HOT 5
- Build-DeploymentPlans fails in workflow because az.login is using an earlier version of Az.Accounts HOT 9
- Exemption counting does not support paging and fails above 1000 resources
- Not possible to have an exemption against an assignment where the scope is included in the assignment excluded scopes HOT 2
- Exporting policies resources for PSRule throwing exception HOT 4
- BUG - Github workflows fails to evaluate plan path
- Export-AzPolicyResources not producing ampersand in active-exemptions.csv
- Sync-ALZPolicies outdated Assignment files HOT 2
- Check groupNames against policyDefinitionGroups during plan
- Role Assignments that fail due to a read-only resource lock do not throw an error HOT 1
- groupNames missing when exporting existing initiatives HOT 2
- Build-ExemptionsPlan MethodInvocationException HOT 8
- Support for Snowflakev2 policy parameter using builtin assignment ADF_allowed_linked_service_resource_types HOT 2
- Getting the following error when pulling existing exemptions in the plan
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from enterprise-azure-policy-as-code.