Merge pull request #86 from Azure/feature/export

Added export scripts
Azure · Nov 4, 2022 · 719d46b · 719d46b
2 parents 60e2266 + 88dc6f2
commit 719d46b
Show file tree

Hide file tree

Showing 3 changed files with 145 additions and 0 deletions.
diff --git a/Scripts/Operations/New-EPACPolicyAssignmentDefinition.ps1 b/Scripts/Operations/New-EPACPolicyAssignmentDefinition.ps1
@@ -0,0 +1,69 @@
+<#
+.SYNOPSIS
+    Exports a policy assignment from Azure to a local file in the EPAC format
+.DESCRIPTION
+    Exports a policy assignment from Azure to a local file in the EPAC format
+.EXAMPLE
+    New-EPACPolicyAssignmentDefinition.ps1 -PolicyDefinitionId "/providers/Microsoft.Management/managementGroups/epac/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete" -OutputFolder .\
+
+    Export the policy definition to the current folder. 
+#>
+
+[CmdletBinding()]
+
+Param(
+    [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+    [string]$PolicyAssignmentId,
+    [string]$OutputFolder
+)
+
+. "$PSScriptRoot/../Helpers/ConvertTo-HashTable.ps1"
+
+$PolicyAssignment = Get-AzPolicyAssignment -Id $PolicyAssignmentId
+if ($PolicyAssignment) {
+    if ($PolicyAssignment.Properties.PolicyDefinitionId -match "Microsoft.Authorization/policyDefinitions") {
+        $baseTemplate = @{
+            assignment      = @{
+                name        = $PolicyAssignment.Name
+                displayName = $PolicyAssignment.Properties.DisplayName
+                description = $PolicyAssignment.Properties.Description
+            }
+            definitionEntry = @{
+                policyName = $PolicyAssignment.Properties.PolicyDefinitionId.Split("/")[-1]
+            }
+            parameters      = @{} | ConvertTo-HashTable
+        }
+        ($PolicyAssignment.Properties.Parameters | ConvertTo-HashTable).GetEnumerator() | ForEach-Object {
+            $baseTemplate.parameters.Add($_.Name, $_.Value.Value)
+        }
+        if ($OutputFolder) {
+            $baseTemplate | ConvertTo-Json -Depth 50 | Out-File "$OutputFolder\$($policyAssignment.Name).json"
+        }
+        else {
+            $baseTemplate | ConvertTo-Json -Depth 50
+        }
+    }
+    if ($PolicyAssignment.Properties.PolicyDefinitionId -match "Microsoft.Authorization/policySetDefinitions") {
+        $baseTemplate = @{
+            assignment      = @{
+                name        = $PolicyAssignment.Name
+                displayName = $PolicyAssignment.Properties.DisplayName
+                description = $PolicyAssignment.Properties.Description
+            }
+            definitionEntry = @{
+                initiativeName = $PolicyAssignment.Properties.PolicyDefinitionId.Split("/")[-1]
+            }
+            parameters      = @{} | ConvertTo-HashTable
+        }
+        ($PolicyAssignment.Properties.Parameters | ConvertTo-HashTable).GetEnumerator() | ForEach-Object {
+            $baseTemplate.parameters.Add($_.Name, $_.Value.Value)
+        }
+        if ($OutputFolder) {
+            $baseTemplate | ConvertTo-Json -Depth 50 | Out-File "$OutputFolder\$($policyAssignment.Name).json"
+        }
+        else {
+            $baseTemplate | ConvertTo-Json -Depth 50
+        }
+    }
+
+}
diff --git a/Scripts/Operations/New-EPACPolicyDefinition.ps1 b/Scripts/Operations/New-EPACPolicyDefinition.ps1
@@ -0,0 +1,52 @@
+<#
+.SYNOPSIS
+    Exports a policy definition from Azure to a local file in the EPAC format
+.DESCRIPTION
+    Exports a policy definition from Azure to a local file in the EPAC format
+.EXAMPLE
+    New-EPACPolicyDefinition.ps1 -PolicyDefinitionId "/providers/Microsoft.Management/managementGroups/epac/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete" -OutputFolder .\
+
+    Export the policy definition to the current folder. 
+#>
+
+[CmdletBinding()]
+
+Param(
+    [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+    [string]$PolicyDefinitionId,
+    [string]$OutputFolder
+)
+
+. "$PSScriptRoot/../Helpers/ConvertTo-HashTable.ps1"
+
+if ($PolicyDefinitionId -match "Microsoft.Authorization/policyDefinitions") {
+    $policyDefinition = Get-AzPolicyDefinition -Id $PolicyDefinitionId
+    $baseTemplate = @{
+        name       = $PolicyDefinition.name
+        properties = $policyDefinition.Properties | Select-Object Description, DisplayName, Mode, Parameters, PolicyRule, @{n = "Metadata"; e = { $_.Metadata | Select-Object Version, Category } }
+    }
+    if ($OutputFolder) {
+        $baseTemplate | ConvertTo-Json -Depth 50 | Out-File "$OutputFolder\$($policyDefinition.Name).json"
+    }
+    else {
+        $baseTemplate | ConvertTo-Json -Depth 50
+    }
+}
+
+if ($PolicyDefinitionId -match "Microsoft.Authorization/policySetDefinitions") {
+    $policyDefinition = Get-AzPolicySetDefinition -Id $PolicyDefinitionId
+    $baseTemplate = @{
+        name       = $PolicyDefinition.Name
+        properties = $policyDefinition.Properties | Select-Object Description, DisplayName, Mode, PolicyDefinitionGroups, Parameters, PolicyDefinitions, @{n = "Metadata"; e = { $_.Metadata | Select-Object Version, Category } }
+    }
+    $baseTemplate.properties.PolicyDefinitions | Foreach-Object {
+        $_ | Add-Member -Type NoteProperty -Name policyDefinitionName -Value $_.policyDefinitionId.Split("/")[-1]
+        $_.psObject.Properties.Remove('policyDefinitionId')
+    }
+    if ($OutputFolder) {
+        $baseTemplate | ConvertTo-Json -Depth 50 | Out-File "$OutputFolder\$($policyDefinition.Name).json"
+    }
+    else {
+        $baseTemplate | ConvertTo-Json -Depth 50
+    }
+}
diff --git a/Scripts/Operations/README.md b/Scripts/Operations/README.md
@@ -13,6 +13,8 @@ Many scripts use a configuration value called `RootScope`. It denotes the locati
 - [Get-AzResourceTags.ps1](#get-azresourcetagsps1)
 - [Get-AzStorageNetworkConfig.ps1](#get-azstoragenetworkconfigps1)
 - [Get-AzUserRoleAssignments.ps1](#get-azuserroleassignmentsps1)
+- [New-EPACPolicyDefinition.ps1](#new-epacpolicydefinitionps1)
+- [New-EPACPolicyAssignmentDefinition.ps1](#new-epacpolicyassignmentdefinitionps1)
 - [Reading List](#reading-list)
 
 <br/>
@@ -128,6 +130,28 @@ Pull all policy aliases into a CSV file. This is helpful for Azure Policy develo
 | `ResourceTypeMatch` | Optional | Resource type match can also be used to filter out unnecessary aliases. More documentation here: https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azpolicyalias?view=azps-8.3.0
 
 
+<br/>
+
+## New-EPACPolicyDefinition.ps1
+
+Exports a policy definition from Azure to a local file in the EPAC format. Works for both policy definitions and set definitions (initiatives)
+
+|Parameter | Required | Explanation |
+|----------|----------|-------------|
+| `PolicyDefinitionId`| Required | Resource ID in Azure for the policy you want to export - can take input from a pipeline |
+| `OutputFolder` | Optional | Output folder for the exported policy definition - default is JSON output to console |
+
+<br/>
+
+## New-EPACPolicyAssignmentDefinition.ps1
+
+Exports a policy assignment from Azure to a local file in the EPAC format. Provides a base template only - you may have to manipulate the file to fit in to your current assignment structure
+
+|Parameter | Required | Explanation |
+|----------|----------|-------------|
+| `PolicyAssignmentId`| Required | Resource ID in Azure for the policy assignment you want to export|
+| `OutputFolder` | Optional | Output folder for the exported policy assignment - - default is JSON output to console |
+
 <br/>
 
 ## Reading List