diff --git a/Docs/Images/azdoServiceConnectionMGConf.png b/Docs/Images/azdoServiceConnectionMGConf.png new file mode 100644 index 00000000..fcac14df Binary files /dev/null and b/Docs/Images/azdoServiceConnectionMGConf.png differ diff --git a/Docs/Images/azdoServiceConnectionSubConf.png b/Docs/Images/azdoServiceConnectionSubConf.png new file mode 100644 index 00000000..4cf0deaa Binary files /dev/null and b/Docs/Images/azdoServiceConnectionSubConf.png differ diff --git a/README.md b/README.md index c5e06a57..ee96a126 100644 --- a/README.md +++ b/README.md @@ -103,6 +103,7 @@ The solution has a starter kit (folder `StarterKit`). Copy the contents of the ` ### EPAC Policy Reader role (custom) Create a custom role to be used by the planing stages' service connections **EPAC Policy Reader role**. Script `./Scripts/Operations/New-AzPolicyReaderRole.ps1` will create the role at the scope defined in `global-settings.json`. It will contain: + - `Microsoft.Management/register/action` - `Microsoft.Authorization/policyassignments/read` - `Microsoft.Authorization/policydefinitions/read` - `Microsoft.Authorization/policyexemptions/read` 
@@ -139,6 +140,13 @@ Create Service Principals for the pipeline execution and setup your DevOps envir - Security Reader and Policy Contributor for deploying Policies, Initiatives and Assignments in the EPAC prod environment - User Administrator for assigning roles to the Assignments' Managed Identities (for remediation tasks) in the EPAC prod environment +> **Note:** +> When creating a Service Connection in Azure DevOps you can set up the service connections on Subscription or a Management Group scope level, when configuring the service connection for the EPAC Developer and Test subscriptions the service connections scope level is **Subscription**, however when creating a Service Connections for EPAC Prod Plan, EPAC Prod Deployment and EPAC Role Assignment the service connection scope level is **Management Group**. + +Subscription scope level | Management Group scope level +:-----------:|:----------------: +![image](./Docs/Images/azdoServiceConnectionSubConf.png) | ![image](./Docs/Images/azdoServiceConnectionMGConf.png) + ### EPAC environments setup Like any other software or X as Code solution, EPAC needs areas for developing and testing new Policies, Initiatives and Assignments before any deployment to EPAC prod environments. In most cases you will need one subscription each for development and testing. EPAC's prod environment will govern all other IaC environments (e.g., sandbox, development, integration, test/qa, pre-prod, prod, ...). This can be slightly confusing. diff --git a/Scripts/Operations/New-AzPolicyReaderRole.ps1 b/Scripts/Operations/New-AzPolicyReaderRole.ps1 index 28f24359..f33bd32c 100644 --- a/Scripts/Operations/New-AzPolicyReaderRole.ps1 +++ b/Scripts/Operations/New-AzPolicyReaderRole.ps1 
@@ -32,6 +32,7 @@ $role.Description = 'Read access to Azure Policy.' $role.IsCustom = $true $perms = @( "*/read", + "Microsoft.Management/register/action", "Microsoft.Authorization/policyassignments/read", "Microsoft.Authorization/policydefinitions/read", "Microsoft.Authorization/policyexemptions/read", diff --git a/Scripts/Operations/README.md b/Scripts/Operations/README.md index 41858117..e615afc0 100644 --- a/Scripts/Operations/README.md +++ b/Scripts/Operations/README.md @@ -19,11 +19,15 @@ Many scripts use a configuration value called `RootScope`. It denotes the locati ## New-AzPolicyReaderRole.ps1 -Creates a custom role `Policy Contributor` at the scope selected with `PacEnvironmentSelector`: - -- `Microsoft.Authorization/policyAssignments/read` -- `Microsoft.Authorization/policyDefinitions/read` -- `Microsoft.Authorization/policySetDefinitions/read` +Creates a custom role `Policy Reader` at the scope selected with `PacEnvironmentSelector`: + +- `Microsoft.Management/register/action` +- `Microsoft.Authorization/policyassignments/read` +- `Microsoft.Authorization/policydefinitions/read` +- `Microsoft.Authorization/policyexemptions/read` +- `Microsoft.Authorization/policysetdefinitions/read` +- `Microsoft.PolicyInsights/*` +- `Microsoft.Support/*` |Parameter | Required | Explanation | |----------|----------|-------------|
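Review bot: in the first README.md hunk (`@@ -103,6 +103,7 @@`), the added bullet `Microsoft.Management/register/action` is the only non-read entry in the documented list, yet the list still omits rights the script actually grants: `*/read` (visible as the first element of `$perms` in the New-AzPolicyReaderRole.ps1 hunk) and the `Microsoft.PolicyInsights/*` and `Microsoft.Support/*` wildcards documented in Scripts/Operations/README.md. Either list the full permission set here or link to Scripts/Operations/README.md, so that anyone reviewing what the planning service connections can do sees the real scope of the custom role rather than a subset.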
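Review bot: in the second README.md hunk (`@@ -139,6 +140,13 @@`), the added `> **Note:**` is a single run-on sentence; split it into two so the scoping rule is unambiguous, e.g. "Service connections for the EPAC Developer and Test subscriptions are created at **Subscription** scope." followed by "Service connections for EPAC Prod Plan, EPAC Prod Deployment and EPAC Role Assignment are created at **Management Group** scope." A one-line reason for the Management Group scope (the prod connections operate on the scope defined in `global-settings.json`, per the section above) would also help readers who are deciding how narrowly to scope each connection.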
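Review bot: in the New-AzPolicyReaderRole.ps1 hunk, `"Microsoft.Management/register/action"` is an action permission added to a role whose context lines declare `$role.Description = 'Read access to Azure Policy.'`; since `$perms` already begins with `"*/read"`, the individual `.../read` entries are redundant and this new line is the one entry that actually widens the role beyond read-only. Add a comment on that line stating why the planning stages need it, and update `$role.Description` to mention it, so that a reviewer auditing the custom role definition does not take the name and description at face value.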
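Review bot: in the Scripts/Operations/README.md hunk, the new bullet list documents seven permissions but leaves out `*/read`, which is the first element of `$perms` in the script (visible in the New-AzPolicyReaderRole.ps1 hunk), so the documentation understates what the `Policy Reader` role grants; add `*/read` as the first bullet. The removed lines used `policyAssignments`/`policyDefinitions`/`policySetDefinitions` while the added ones are lower-cased; match the casing used in the script's `$perms` array verbatim so the two lists can be compared at a glance.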