Add support to automatically generate ARM templates and Deploy to Azu…
…… (#8)

* Add support to automatically generate ARM templates and Deploy to Azure buttons

* Allow manual triggering of the workflow

* Update URL with branch name of workflow
KevinRabun authored Aug 7, 2024
1 parent e72866e commit 34a37b2
Showing 6 changed files with 177 additions and 1 deletion.
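--- /dev/null
+++ b/.github/workflows/build-policy-sets.yml
@@ -0,0 +1,143 @@
+name: Build Policy Sets
+
+on:
+push:
+branches:
+- main
+workflow_dispatch: # This allows the workflow to be triggered manually
+
+jobs:
+cleanup-arm-templates:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+
+- name: Delete ARMTemplates folder if it exists
+run: |
+if [ -d "ARMTemplates" ]; then
+rm -rf ARMTemplates
+fi
+- name: Commit changes
+run: |
+git config --global user.name "github-actions[bot]"
+git config --global user.email "github-actions[bot]@users.noreply.github.com"
+git add -A
+git commit -m "Delete ARMTemplates folder" --allow-empty
+git push --force
+cleanup-readme-files:
+needs: cleanup-arm-templates
+runs-on: ubuntu-latest
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+
+- name: Sync with main branch
+run: git pull
+
+- name: Remove Deploy to Azure button from README.md files
+run: |
+find PolicyInitiatives -name "README.md" | while read file; do
+sed -i '/\[!\[Deploy to Azure\](.*)\](.*)/d' "$file"
+done
+- name: Commit changes
+run: |
+git config --global user.name "github-actions[bot]"
+git config --global user.email "github-actions[bot]@users.noreply.github.com"
+git add -A
+git commit -m "Remove Deploy to Azure button from README.md files" --allow-empty
+git push --force
+list-bicep-files:
+needs: cleanup-readme-files
+runs-on: ubuntu-latest
+outputs:
+files: ${{ steps.list.outputs.files }}
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+
+- name: List Bicep files
+id: list
+run: |
+files=$(find PolicyInitiatives -name "*.bicep" | jq -R -s -c 'split("\n")[:-1]')
+echo "FILES=$files" >> "$GITHUB_OUTPUT"
+build:
+needs: list-bicep-files
+runs-on: ubuntu-latest
+strategy:
+matrix:
+file: ${{ fromJson(needs.list-bicep-files.outputs.FILES) }}
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+
+- name: Sync with main branch
+run: git pull
+
+- name: Extract branch name
+id: extract_branch
+run: echo "BRANCH_NAME=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"
+
+- name: Make output directory
+run: mkdir -p ARMTemplates
+
+- name: Set output file path
+id: set-output-path
+run: echo "OUTPUT_FILE_PATH=ARMTemplates/$(basename ${{ matrix.file }} .bicep).json" >> "$GITHUB_OUTPUT"
+
+- name: Set output file name
+id: set-output-name
+run: echo "OUTPUT_FILE_NAME=$(basename ${{ matrix.file }} .bicep).json" >> "$GITHUB_OUTPUT"
+
+- name: Bicep Build
+uses: Azure/[email protected]
+with:
+bicepFilePath: ${{ matrix.file }}
+outputFilePath: ${{ steps.set-output-path.outputs.OUTPUT_FILE_PATH }}
+
+- name: Update README.md with Deploy to Azure button
+run: |
+urlencode() {
+local length="${#1}"
+for (( i = 0; i < length; i++ )); do
+local c="${1:i:1}"
+case $c in
+[a-zA-Z0-9.~_-]) printf "$c" ;;
+*) printf '%%%02X' "'$c" ;;
+esac
+done
+}
+dir=$(dirname ${{ matrix.file }})
+readme="$dir/README.md"
+if [ -f "$readme" ]; then
+arm_template_url="https://raw.githubusercontent.com/${{ github.repository }}/${{ steps.extract_branch.outputs.BRANCH_NAME }}/ARMTemplates/${{ steps.set-output-name.outputs.OUTPUT_FILE_NAME }}"
+encoded_url=$(urlencode "$arm_template_url")
+button="[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/$encoded_url)"
+first_line=$(head -n 1 $readme)
+if [[ $first_line == *"[![Deploy to Azure]"* ]]; then
+tail -n +2 $readme > $readme.tmp
+echo -e "$button\n$(cat $readme.tmp)" > $readme
+rm $readme.tmp
+else
+temp_file=$(mktemp)
+echo -e "$button\n$(cat $readme)" > $temp_file
+mv $temp_file $readme
+fi
+fi
+- name: Set git user
+run: git config --global user.name "GitHub Actions" && git config --global user.email "GitHub Actions"
+
+- name: Commit changes
+run: |
+git pull
+git add ${{ steps.set-output-path.outputs.OUTPUT_FILE_PATH }}
+git add $(dirname ${{ matrix.file }})/README.md
+git commit -m "Add generated ARM templates and update README.md" --allow-empty
+git push --force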
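Review bot: In the `build` job, `${{ matrix.file }}` is substituted by the runner into the `run:` script text before the shell sees it, and it is used unquoted (`basename ${{ matrix.file }} .bicep`, `dir=$(dirname ${{ matrix.file }})`, `git add $(dirname ${{ matrix.file }})/README.md`), so a path under `PolicyInitiatives` containing a space breaks the step and one carrying shell metacharacters, committed by anyone able to push to a built branch, can run as a command — the same applies to `OUTPUT_FILE_PATH` fed back into `git add` and to the unquoted `$readme` in the `head`/`tail`/`cat` calls; route the value through the environment instead, `env:` with `FILE: ${{ matrix.file }}` on the job and `"$FILE"` (and `"$readme"`) in the scripts. The matrix jobs run concurrently and each does `git pull` then `git push --force`, so a later job's force-push can silently discard a sibling's already-pushed template and README change; set `strategy.max-parallel: 1` and drop `--force`, or upload each output as an artifact and commit once in a final job. No `permissions:` block is declared, so pushing relies on the repository's default `GITHUB_TOKEN` scope; declare `permissions: contents: write` at the top so the grant is explicit and nothing broader is handed to the third-party action. `Azure/[email protected]` and `actions/checkout@v4` are referenced by mutable tags; pinning both to a full commit SHA keeps a moved tag from changing what ends up in the published deployment templates. The `Set git user` step also sets `user.email` to the non-address `"GitHub Actions"` while the other two jobs use `github-actions[bot]@users.noreply.github.com`; use the same identity in all three.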
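--- /dev/null
+++ b/PolicyInitiatives/ACN/AcnPolicySetDefinitions.bicep
@@ -0,0 +1,26 @@
+targetScope = 'managementGroup'
+
+var a21 = loadJsonContent('Initiative A2_1_Ordinari.json')
+var a22 = loadJsonContent('Initiative A2_2_Critici.json')
+var b21 = loadJsonContent('Initiative B2_1_Ordinari.json')
+var b22 = loadJsonContent('Initiative B2_2_Critici.json')
+
+resource policySet1 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
+name: a21.name
+properties: a21.properties
+}
+
+resource policySet2 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
+name: a22.name
+properties: a22.properties
+}
+
+resource policySet3 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
+name: b21.name
+properties: b21.properties
+}
+
+resource policySet4 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
+name: b22.name
+properties: b22.properties
+}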
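Review bot: The four `policySet1`..`policySet4` resources differ only in which loaded JSON they read, so the file is better expressed as one array of `loadJsonContent` calls and a single resource loop; `loadJsonContent` only accepts literal paths, so the list itself still has to be written out, but adding an initiative becomes a one-line change and the API version and property mapping are stated once. The numbered symbolic names carry no meaning; if the loop is not adopted, naming them after the initiative (`policySetA21`, …) would at least let what-if and error output identify which set failed.
```bicep
targetScope = 'managementGroup'

// loadJsonContent needs literal paths, so each initiative file is listed here once
var initiatives = [
  loadJsonContent('Initiative A2_1_Ordinari.json')
  loadJsonContent('Initiative A2_2_Critici.json')
  loadJsonContent('Initiative B2_1_Ordinari.json')
  loadJsonContent('Initiative B2_2_Critici.json')
]

// one policy set per loaded initiative; name and properties come straight from the JSON
resource policySets 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = [for initiative in initiatives: {
  name: initiative.name
  properties: initiative.properties
}]
```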
Expand Up @@ -7,7 +7,6 @@
"version": "1.0",
"category": "Regulatory Compliance"
},
"version": "1.0",
"policyDefinitionGroups": [
{
"name": "CSA_CCM_v4_AaA-01",
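--- /dev/null
+++ b/PolicyInitiatives/CCMv4/CsaPolicySetDefinition.bicep
@@ -0,0 +1,8 @@
+targetScope = 'managementGroup'
+
+var csa = loadJsonContent('Cloud_Security_Alliance_Cloud_Controls_v4.json')
+
+resource policySet1 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
+name: csa.name
+properties: csa.properties
+}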
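Review bot: The workflow added in this commit names the generated ARM template and the Deploy-to-Azure link after this file's basename, so the basename becomes the public artifact name under `ARMTemplates/`; this file is singular (`CsaPolicySetDefinition.bicep`) while the ACN one is plural (`AcnPolicySetDefinitions.bicep`), and settling on one form now avoids a later rename that would also break the README link. The symbolic name `policySet1` is numbered although the file declares a single resource; `csaPolicySet` reads better and matches the `csa` variable it consumes.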
File renamed without changes.
