From 88dc6f2d309529de8759497807b6c0c694a61dbf Mon Sep 17 00:00:00 2001
From: Anthony Watherston
Date: Fri, 4 Nov 2022 12:03:22 +1100
Subject: [PATCH] Added export scripts
---
.../New-EPACPolicyAssignmentDefinition.ps1 | 69 +++++++++++++++++++
.../Operations/New-EPACPolicyDefinition.ps1 | 52 ++++++++++++++
Scripts/Operations/README.md | 24 +++++++
3 files changed, 145 insertions(+)
create mode 100644 Scripts/Operations/New-EPACPolicyAssignmentDefinition.ps1
create mode 100644 Scripts/Operations/New-EPACPolicyDefinition.ps1
diff --git a/Scripts/Operations/New-EPACPolicyAssignmentDefinition.ps1 b/Scripts/Operations/New-EPACPolicyAssignmentDefinition.ps1
new file mode 100644
index 00000000..69b28b88
--- /dev/null
+++ b/Scripts/Operations/New-EPACPolicyAssignmentDefinition.ps1
@@ -0,0 +1,69 @@
+<#
+.SYNOPSIS
+ Exports a policy assignment from Azure to a local file in the EPAC format
+.DESCRIPTION
+ Exports a policy assignment from Azure to a local file in the EPAC format
+.EXAMPLE
+ New-EPACPolicyAssignmentDefinition.ps1 -PolicyDefinitionId "/providers/Microsoft.Management/managementGroups/epac/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete" -OutputFolder .\
+
+ Export the policy definition to the current folder.
+#>
+
+[CmdletBinding()]
+
+Param(
+ [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+ [string]$PolicyAssignmentId,
+ [string]$OutputFolder
+)
+
+. "$PSScriptRoot/../Helpers/ConvertTo-HashTable.ps1"
+
+$PolicyAssignment = Get-AzPolicyAssignment -Id $PolicyAssignmentId
+if ($PolicyAssignment) {
+ if ($PolicyAssignment.Properties.PolicyDefinitionId -match "Microsoft.Authorization/policyDefinitions") {
+ $baseTemplate = @{
+ assignment = @{
+ name = $PolicyAssignment.Name
+ displayName = $PolicyAssignment.Properties.DisplayName
+ description = $PolicyAssignment.Properties.Description
+ }
+ definitionEntry = @{
+ policyName = $PolicyAssignment.Properties.PolicyDefinitionId.Split("/")[-1]
+ }
+ parameters = @{} | ConvertTo-HashTable
+ }
+ ($PolicyAssignment.Properties.Parameters | ConvertTo-HashTable).GetEnumerator() | ForEach-Object {
+ $baseTemplate.parameters.Add($_.Name, $_.Value.Value)
+ }
+ if ($OutputFolder) {
+ $baseTemplate | ConvertTo-Json -Depth 50 | Out-File "$OutputFolder\$($policyAssignment.Name).json"
+ }
+ else {
+ $baseTemplate | ConvertTo-Json -Depth 50
+ }
+ }
+ if ($PolicyAssignment.Properties.PolicyDefinitionId -match "Microsoft.Authorization/policySetDefinitions") {
+ $baseTemplate = @{
+ assignment = @{
+ name = $PolicyAssignment.Name
+ displayName = $PolicyAssignment.Properties.DisplayName
+ description = $PolicyAssignment.Properties.Description
+ }
+ definitionEntry = @{
+ initiativeName = $PolicyAssignment.Properties.PolicyDefinitionId.Split("/")[-1]
+ }
+ parameters = @{}
| ConvertTo-HashTable
+ }
+ ($PolicyAssignment.Properties.Parameters | ConvertTo-HashTable).GetEnumerator() | ForEach-Object {
+ $baseTemplate.parameters.Add($_.Name, $_.Value.Value)
+ }
+ if ($OutputFolder) {
+ $baseTemplate | ConvertTo-Json -Depth 50 | Out-File "$OutputFolder\$($policyAssignment.Name).json"
+ }
+ else {
+ $baseTemplate | ConvertTo-Json -Depth 50
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/Scripts/Operations/New-EPACPolicyDefinition.ps1 b/Scripts/Operations/New-EPACPolicyDefinition.ps1
new file mode 100644
index 00000000..887efd35
--- /dev/null
+++ b/Scripts/Operations/New-EPACPolicyDefinition.ps1
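Review bot: `[Parameter(ValueFromPipeline = $true)]` on `$PolicyAssignmentId` does not do what the README promises, because the script body has no `process { … }` block and therefore runs once at end-of-pipeline with only the last piped ID bound; wrapping everything after the dot-source in `process { … }` makes multi-item piping export every assignment (New-EPACPolicyDefinition.ps1 in this patch has the same gap). The `.EXAMPLE` was copied from the definition script: it passes `-PolicyDefinitionId` and a policyDefinitions resource ID, neither of which this script accepts, so it should read `New-EPACPolicyAssignmentDefinition.ps1 -PolicyAssignmentId "<policy assignment resource ID>" -OutputFolder .\`. The output path `"$OutputFolder\$($policyAssignment.Name).json"` hard-codes a backslash separator; `Out-File (Join-Path $OutputFolder "$($PolicyAssignment.Name).json")` works on Windows and on PowerShell 7 on Linux/macOS alike (same call in the other script). The two `if` branches differ only in the `policyName`/`initiativeName` key, so the template build and output could be written once with the key chosen from the `-match` result.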
@@ -0,0 +1,52 @@
+<#
+.SYNOPSIS
+ Exports a policy definition from Azure to a local file in the EPAC format
+.DESCRIPTION
+ Exports a policy definition from Azure to a local file in the EPAC format
+.EXAMPLE
+ New-EPACPolicyDefinition.ps1 -PolicyDefinitionId "/providers/Microsoft.Management/managementGroups/epac/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete" -OutputFolder .\
+
+ Export the policy definition to the current folder.
+#>
+
+[CmdletBinding()]
+
+Param(
+ [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
+ [string]$PolicyDefinitionId,
+ [string]$OutputFolder
+)
+
+. "$PSScriptRoot/../Helpers/ConvertTo-HashTable.ps1"
+
+if ($PolicyDefinitionId -match "Microsoft.Authorization/policyDefinitions") {
+ $policyDefinition = Get-AzPolicyDefinition -Id $PolicyDefinitionId
+ $baseTemplate = @{
+ name = $PolicyDefinition.name
+ properties = $policyDefinition.Properties | Select-Object Description, DisplayName, Mode, Parameters, PolicyRule, @{n = "Metadata"; e = { $_.Metadata | Select-Object Version, Category } }
+ }
+ if ($OutputFolder) {
+ $baseTemplate | ConvertTo-Json -Depth 50 | Out-File "$OutputFolder\$($policyDefinition.Name).json"
+ }
+ else {
+ $baseTemplate | ConvertTo-Json -Depth 50
+ }
+}
+
+if ($PolicyDefinitionId -match "Microsoft.Authorization/policySetDefinitions") {
+ $policyDefinition = Get-AzPolicySetDefinition -Id $PolicyDefinitionId
+ $baseTemplate = @{
+ name = $PolicyDefinition.Name
+ properties = $policyDefinition.Properties | Select-Object Description, DisplayName, Mode, PolicyDefinitionGroups, Parameters, PolicyDefinitions, @{n = "Metadata"; e = { $_.Metadata | Select-Object Version, Category } }
+ }
+ $baseTemplate.properties.PolicyDefinitions | Foreach-Object {
+ $_ | Add-Member -Type NoteProperty -Name policyDefinitionName -Value $_.policyDefinitionId.Split("/")[-1]
+ $_.psObject.Properties.Remove('policyDefinitionId')
+ }
+ if ($OutputFolder) {
+ $baseTemplate | ConvertTo-Json -Depth 50 | Out-File
"$OutputFolder\$($policyDefinition.Name).json" + } + else { + $baseTemplate | ConvertTo-Json -Depth 50 + } +} \ No newline at end of file diff --git a/Scripts/Operations/README.md b/Scripts/Operations/README.md index e615afc0..e7b2a191 100644 --- a/Scripts/Operations/README.md +++ b/Scripts/Operations/README.md @@ -13,6 +13,8 @@ Many scripts use a configuration value called `RootScope`. It denotes the locati - [Get-AzResourceTags.ps1](#get-azresourcetagsps1) - [Get-AzStorageNetworkConfig.ps1](#get-azstoragenetworkconfigps1) - [Get-AzUserRoleAssignments.ps1](#get-azuserroleassignmentsps1) +- [New-EPACPolicyDefinition.ps1](#new-epacpolicydefinitionps1) +- [New-EPACPolicyAssignmentDefinition.ps1](#new-epacpolicyassignmentdefinitionps1) - [Reading List](#reading-list)
@@ -128,6 +130,28 @@ Pull all policy aliases into a CSV file. This is helpful for Azure Policy develo
 | `ResourceTypeMatch` | Optional | Resource type match can also be used to filter out unnecessary aliases. More documentation here: https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azpolicyalias?view=azps-8.3.0
+
+
+## New-EPACPolicyDefinition.ps1
+
+Exports a policy definition from Azure to a local file in the EPAC format. Works for both policy definitions and set definitions (initiatives)
+
+|Parameter | Required | Explanation |
+|----------|----------|-------------|
+| `PolicyDefinitionId`| Required | Resource ID in Azure for the policy you want to export - can take input from a pipeline |
+| `OutputFolder` | Optional | Output folder for the exported policy definition - default is JSON output to console |
+
+
+## New-EPACPolicyAssignmentDefinition.ps1
+
+Exports a policy assignment from Azure to a local file in the EPAC format. Provides a base template only - you may have to manipulate the file to fit in to your current assignment structure
+
+|Parameter | Required | Explanation |
+|----------|----------|-------------|
+| `PolicyAssignmentId`| Required | Resource ID in Azure for the policy assignment you want to export|
+| `OutputFolder` | Optional | Output folder for the exported policy assignment - - default is JSON output to console |
+
## Reading List