diff --git a/.github/workflows/build-policy-sets.yml b/.github/workflows/build-policy-sets.yml
new file mode 100644
index 0000000..b76d94f
--- /dev/null
+++ b/.github/workflows/build-policy-sets.yml
@@ -0,0 +1,143 @@
+name: Build Policy Sets
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch: # This allows the workflow to be triggered manually
+
+jobs:
+ cleanup-arm-templates:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Delete ARMTemplates folder if it exists
+ run: |
+ if [ -d "ARMTemplates" ]; then
+ rm -rf ARMTemplates
+ fi
+
+ - name: Commit changes
+ run: |
+ git config --global user.name "github-actions[bot]"
+ git config --global user.email "github-actions[bot]@users.noreply.github.com"
+ git add -A
+ git commit -m "Delete ARMTemplates folder" --allow-empty
+ git push --force
+
+ cleanup-readme-files:
+ needs: cleanup-arm-templates
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Sync with main branch
+ run: git pull
+
+ - name: Remove Deploy to Azure button from README.md files
+ run: |
+ find PolicyInitiatives -name "README.md" | while read file; do
+ sed -i '/\[!\[Deploy to Azure\](.*)\](.*)/d' "$file"
+ done
+
+ - name: Commit changes
+ run: |
+ git config --global user.name "github-actions[bot]"
+ git config --global user.email "github-actions[bot]@users.noreply.github.com"
+ git add -A
+ git commit -m "Remove Deploy to Azure button from README.md files" --allow-empty
+ git push --force
+
+ list-bicep-files:
+ needs: cleanup-readme-files
+ runs-on: ubuntu-latest
+ outputs:
+ files: ${{ steps.list.outputs.files }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: List Bicep files
+ id: list
+ run: |
+ files=$(find PolicyInitiatives -name "*.bicep" | jq -R -s -c 'split("\n")[:-1]')
+ echo "FILES=$files" >> "$GITHUB_OUTPUT"
+
+ build:
+ needs: list-bicep-files
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ file: ${{ fromJson(needs.list-bicep-files.outputs.FILES) }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Sync with main branch
+ run: git pull
+
+ - name: Extract branch name
+ id: extract_branch
+ run: echo "BRANCH_NAME=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"
+
+ - name: Make output directory
+ run: mkdir -p ARMTemplates
+
+ - name: Set output file path
+ id: set-output-path
+ run: echo "OUTPUT_FILE_PATH=ARMTemplates/$(basename ${{ matrix.file }} .bicep).json" >> "$GITHUB_OUTPUT"
+
+ - name: Set output file name
+ id: set-output-name
+ run: echo "OUTPUT_FILE_NAME=$(basename ${{ matrix.file }} .bicep).json" >> "$GITHUB_OUTPUT"
+
+ - name: Bicep Build
+ uses: Azure/bicep-build-action@v1.0.1
+ with:
+ bicepFilePath: ${{ matrix.file }}
+ outputFilePath: ${{ steps.set-output-path.outputs.OUTPUT_FILE_PATH }}
+
+ - name: Update README.md with Deploy to Azure button
+ run: |
+ urlencode() {
+ local length="${#1}"
+ for (( i = 0; i < length; i++ )); do
+ local c="${1:i:1}"
+ case $c in
+ [a-zA-Z0-9.~_-]) printf "$c" ;;
+ *) printf '%%%02X' "'$c" ;;
+ esac
+ done
+ }
+
+ dir=$(dirname ${{ matrix.file }})
+ readme="$dir/README.md"
+ if [ -f "$readme" ]; then
+ arm_template_url="https://raw.githubusercontent.com/${{ github.repository }}/${{ steps.extract_branch.outputs.BRANCH_NAME }}/ARMTemplates/${{ steps.set-output-name.outputs.OUTPUT_FILE_NAME }}"
+ encoded_url=$(urlencode "$arm_template_url")
+ button="[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/$encoded_url)"
+ first_line=$(head -n 1 $readme)
+ if [[ $first_line == *"[![Deploy to Azure]"* ]]; then
+ tail -n +2 $readme > $readme.tmp
+ echo -e "$button\n$(cat $readme.tmp)" > $readme
+ rm $readme.tmp
+ else
+ temp_file=$(mktemp)
+ echo -e "$button\n$(cat $readme)" > $temp_file
+ mv $temp_file $readme
+ fi
+ fi
+
+ - name: Set git user
+ run: git config --global user.name "GitHub Actions" && git config --global user.email "GitHub Actions"
+
+ - name: Commit changes
+ run: |
+ git pull
+ git add ${{ steps.set-output-path.outputs.OUTPUT_FILE_PATH }}
+ git add $(dirname ${{ matrix.file }})/README.md
+ git commit -m "Add generated ARM templates and update README.md" --allow-empty
+ git push --force
\ No newline at end of file
diff --git a/PolicyInitiatives/ACN/AcnPolicySetDefinitions.bicep b/PolicyInitiatives/ACN/AcnPolicySetDefinitions.bicep
new file mode 100644
index 0000000..cb720d5
--- /dev/null
+++ b/PolicyInitiatives/ACN/AcnPolicySetDefinitions.bicep
@@ -0,0 +1,26 @@
+targetScope = 'managementGroup'
+
+var a21 = loadJsonContent('Initiative A2_1_Ordinari.json')
+var a22 = loadJsonContent('Initiative A2_2_Critici.json')
+var b21 = loadJsonContent('Initiative B2_1_Ordinari.json')
+var b22 = loadJsonContent('Initiative B2_2_Critici.json')
+
+resource policySet1 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
+ name: a21.name
+ properties: a21.properties
+}
+
+resource policySet2 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
+ name: a22.name
+ properties: a22.properties
+}
+
+resource policySet3 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
+ name: b21.name
+ properties: b21.properties
+}
+
+resource policySet4 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
+ name: b22.name
+ properties: b22.properties
+}
diff --git a/PolicyInitiatives/CSA CCM v4/Cloud_Security_Alliance_Cloud_Controls_v4 Mapping.xlsx b/PolicyInitiatives/CCMv4/Cloud_Security_Alliance_Cloud_Controls_v4 Mapping.xlsx
similarity index 100%
rename from PolicyInitiatives/CSA CCM v4/Cloud_Security_Alliance_Cloud_Controls_v4 Mapping.xlsx
rename to PolicyInitiatives/CCMv4/Cloud_Security_Alliance_Cloud_Controls_v4 Mapping.xlsx
diff --git a/PolicyInitiatives/CSA CCM v4/Cloud_Security_Alliance_Cloud_Controls_v4.json b/PolicyInitiatives/CCMv4/Cloud_Security_Alliance_Cloud_Controls_v4.json
similarity index 99%
rename from PolicyInitiatives/CSA CCM v4/Cloud_Security_Alliance_Cloud_Controls_v4.json
rename to PolicyInitiatives/CCMv4/Cloud_Security_Alliance_Cloud_Controls_v4.json
index fd649e0..d4faf46 100644
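Review bot: Every `Commit changes` step ends with `git push --force` to `main`, and the `build` job runs one such push per matrix entry concurrently, so a matrix job whose `git pull` predates a sibling's push overwrites that sibling's commit and its generated template and README edit are silently lost; replace `git push --force` with `git pull --rebase && git push` (retrying on a rejected push) in all three steps, or collect the templates as artifacts and commit once in a final job. The workflow declares no `permissions:` block, so the write it needs comes from whatever default token scope the repository grants; add `permissions:` / `contents: write` at the top level so the grant is explicit and nothing broader is inherited. `${{ matrix.file }}` is interpolated directly into `run:` scripts and left unquoted in `dirname ${{ matrix.file }}` and `basename ${{ matrix.file }} .bicep`, so a path containing a space or shell metacharacter breaks or alters the command; pass it as `env: FILE: ${{ matrix.file }}` and reference `"$FILE"` instead. Separately, `echo -e "$button\n$(cat $readme)"` lets the shell reinterpret backslash sequences in the README body, so writing `printf '%s\n' "$button"; cat "$readme"` into the temp file preserves it, and `--allow-empty` leaves an empty commit on every run even when nothing changed. Minor: the `Set git user` step sets `user.email` to `"GitHub Actions"`, which is not an address; the `github-actions[bot]` identity the other two jobs use would be consistent.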
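Review bot: The four `resource policySetN` blocks differ only in which loaded variable they read, so the file reads better as one resource loop over the loaded initiatives; adding a fifth initiative then becomes a one-line change and the API version cannot drift between copies. `loadJsonContent()` still needs a literal path, so the array of loads stays explicit. This changes the symbolic names (`policySet1`..`policySet4`), which matters only if another file references them, and like the original it relies on the four JSON `name` values being distinct.
```bicep
targetScope = 'managementGroup'

// One load per initiative file; loadJsonContent() requires a literal path, so the list is explicit.
var initiatives = [
  loadJsonContent('Initiative A2_1_Ordinari.json')
  loadJsonContent('Initiative A2_2_Critici.json')
  loadJsonContent('Initiative B2_1_Ordinari.json')
  loadJsonContent('Initiative B2_2_Critici.json')
]

// Each initiative's own name/properties become one policy set definition.
resource policySets 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = [for initiative in initiatives: {
  name: initiative.name
  properties: initiative.properties
}]
```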
--- a/PolicyInitiatives/CSA CCM v4/Cloud_Security_Alliance_Cloud_Controls_v4.json
+++ b/PolicyInitiatives/CCMv4/Cloud_Security_Alliance_Cloud_Controls_v4.json
@@ -7,7 +7,6 @@
 "version": "1.0",
 "category": "Regulatory Compliance"
 },
- "version": "1.0",
 "policyDefinitionGroups": [
 {
 "name": "CSA_CCM_v4_AaA-01",
diff --git a/PolicyInitiatives/CCMv4/CsaPolicySetDefinition.bicep b/PolicyInitiatives/CCMv4/CsaPolicySetDefinition.bicep
new file mode 100644
index 0000000..fd8487c
--- /dev/null
+++ b/PolicyInitiatives/CCMv4/CsaPolicySetDefinition.bicep
@@ -0,0 +1,8 @@
+targetScope = 'managementGroup'
+
+var csa = loadJsonContent('Cloud_Security_Alliance_Cloud_Controls_v4.json')
+
+resource policySet1 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
+ name: csa.name
+ properties: csa.properties
+}
diff --git a/PolicyInitiatives/CSA CCM v4/README.md b/PolicyInitiatives/CCMv4/README.md
similarity index 100%
rename from PolicyInitiatives/CSA CCM v4/README.md
rename to PolicyInitiatives/CCMv4/README.md