Updated nzism deployment cloud shell instructions #432

Merged: 1 commit, Apr 3, 2024
88 changes: 77 additions & 11 deletions policySetDefinitions/regulatorycompliance-nzism/README.md
Expand Up @@ -11,6 +11,12 @@ Before deploying this initiative in a Production subscription or management grou

To move to a more scalable and audited pattern for managing Azure Policy, utilise a CI/CD pipeline to deploy the policy initiative and manage it as code. For more details about policy management as code, please see the Enterprise Policy As Code documentation and code repo https://aka.ms/epac

## Deployment and Assignment

There are two methods documented here for manual deployment either through powershell on your local PC, or via the Azure Cloud Shell. This allows you to deploy to either a specific Subscription or Management Group for targeted assignment of a resource within that scope. This is useful for testing or tightly scoped deployments in small environments.

In larger environments, it would be recommended to wrap this initiative into an automated solution from your own git repo via a pipeline to ensure quality control and audit capabilities.

## Prerequisites
To install the NZISM Restricted Policy Initiative, you will need:

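Review bot: the sentence "This allows you to deploy to either a specific Subscription or Management Group for targeted assignment of a resource within that scope" in the new "Deployment and Assignment" section is misleading: what gets assigned at the chosen scope is the initiative, not "a resource"; suggest "so that the initiative can then be assigned at that scope". The section also refers to "two methods documented here" but is placed before "Prerequisites", ahead of either method; moving it after the prerequisites, or naming the two sections it refers to, would help the reader. Minor: "powershell" should be "PowerShell", and "it would be recommended to wrap" reads better as "we recommend wrapping".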
Expand All @@ -24,14 +30,14 @@ In this GitHub repo, select the deployment subfolder and download all of the fil
## Files in this package

Included in this package should be the following files:
1. azurepolicyset.definitions.json - definitions file
1. nzism3.6.definitions.json - definitions file
>The definitions file contains all of the policies and their linked groups and parameters for the NZISM initiative. The definitions file is used to create the initiative in your subscription or management group. The definitions file is also used to create the policy assignments for the initiative.
2. azurepolicyset.groups.json - groups file
2. nzism3.6.groups.json - groups file
>The groups file contains the details of each control from the NZISM, including links to the initiative published on the NCSC website.
3. azurepolicyset.parameters.json
3. nzism3.6.parameters.json
>The parameters file contains any configurable parameter for each policy in the initiative and the appropriate values for each parameter where it is not covered by the default value. All of these are set to Audit or have a specific value that mateches the NZISM control requirement. e.g. Minimum RSA Key size is 3072
4. README.md
>This document
4. nzism_deployment.md
>This document you are reading.
5. deploy-initiative.ps1
>Sample PowerShell script to deploy the initiative to your subscription or management group

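Review bot: the renamed file list does not match the commands added later in this same diff. The list now names nzism3.6.definitions.json, nzism3.6.parameters.json and nzism3.6.groups.json, while the az policy set-definition create commands in the new cloud shell section still pass --definitions 'azurepolicyset.definitions.json' --params 'azurepolicyset.parameters.json' --definition-groups 'azurepolicyset.groups.json'; one side must be updated or the cloud shell steps will fail on missing files. Item 4 also now says nzism_deployment.md is "This document you are reading", but the file being edited is policySetDefinitions/regulatorycompliance-nzism/README.md; either rename the file in the same PR or keep README.md here. While in this list, "mateches" in the parameters description is a typo for "matches".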
Expand All @@ -49,13 +55,8 @@ Once complete with no errors, you will see the initiative in the Azure portal un

FYI - if you want to output the policy file that gets created as part of this deployment, you can append the command above with the following
```powershell
.\deploy-initiative.ps1 -subscriptionId <subscriptionId> -managementGroupId <managementGroupId> | Out-File -FilePath .\azurepolicyset.json
.\deploy-initiative.ps1 -subscriptionId <subscriptionId> -managementGroupId <managementGroupId> | Out-File -FilePath .\nzism3.6.policy.json
```

## Deploy initiative using Azure shell

TBC

## Create an assignment in the Policy portal

Once the initiative is deployed, you can create an assignment to apply the initiative to a subscription or management group. Remember that you cannot assign a policy to a different level to which it is deployed so ensure your deployment matches the intended scope of the assignment.
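Review bot: the renamed Out-File target nzism3.6.policy.json is consistent with the new file naming, but the example invocation passes both -subscriptionId and -managementGroupId at once, while the surrounding text says the initiative is deployed to either a subscription or a management group; consider showing one parameter at a time, or state what the script does when both are supplied. Dropping the "TBC" placeholder section here is fine since the same heading is re-added with content further down in this diff.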
Expand All @@ -81,6 +82,70 @@ az policy state trigger-scan

This defaults to the selected subscription, but you can specify a Resource Group to return a faster response on a smaller scope.

## Deploy initiative using Azure shell

As an alternative to running the script locally on your PC, you can take advantage of the cloud shell. This is far more reliable as the cmdlets are always up to date and authentication is already established within the shell

1. Log into the Azure portal and open the cloud shell
>Git is preinstalled in the cloud shell so no need to install it
2. You should be in the clouddrive folder by default, but if not, change directory so you are in the clouddrive folder
```bash
cd /home/<username>/clouddrive
```
3. Create a folder for your repos you use in your clouid shell. For this example I will use 'repos'. Once created, CD into the new dir
```bash
mkdir repos
cd repos
```
4. Clone the Azure Community repo to your cloud shell
```bash
git clone https://github.com/Azure/Community-Policy
```
5. Change directory to the NZISM Policy Definition folder
```bash
cd Community-Policy/policySetDefinitions/regulatorycompliance-nzism
```
6. Run one of the following 2 commands to deploy to either a Management Group or a Subscription

### To deploy to a Management Group use this command and replace *MANAGEMENT GROUP ID* with your Management Group GUID
```bash
az policy set-definition create --name nzism-3.6-policyset --display-name "New Zealand ISM Restricted v3.6" --metadata "category=Regulatory Compliance","version=1.1" --description "This initiative includes policies that address a subset of New Zealand Information Security Manual v3.6 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nzism-initiative." --definitions 'azurepolicyset.definitions.json' --params 'azurepolicyset.parameters.json' --definition-groups 'azurepolicyset.groups.json' --management-group <MANGEMENT GROUP ID>
```

### To deploy to a Subscription use this command and replace *SUBSCRIPTION ID* with your Subscription GUID
```bash
az policy set-definition create --name nzism-3.6-policyset --display-name "New Zealand ISM Restricted v3.6" --metadata "category=Regulatory Compliance","version=1.1" --description "This initiative includes policies that address a subset of New Zealand Information Security Manual v3.6 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/nzism-initiative." --definitions 'azurepolicyset.definitions.json' --params 'azurepolicyset.parameters.json' --definition-groups 'azurepolicyset.groups.json' --subscription <SUBSCRIPTION ID>
```

7. After about 30 seconds the initiative will appear in the Policies console, ready to be assigned.

## Assignment via the Cloud Shell

Once the Policy is deployed to the Management Group or Subscription, you can run the following command to assign the policy.

Valid scopes are management group, subscription, resource group, and resource, for example:

| Scope | Parameter Format|
|-------|-----------------|
| Management Group | /providers/Microsoft.Management/managementGroups/MyManagementGroup |
| Subscription | /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333 |
| Resource Group | /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup |
| Resource | /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM |

This example expects the policy initiative to have been deployed to the subscription, and creates an assignment on the subscription. If you have deployed it to the Management Group, change the --policy parameter to match your Management Group scope as per the format above.

```bash
az policy assignment create --name 'New Zealand ISM Restricted v3.6' --policy '/subscriptions/<SUBSCRIPTION ID>/providers/Microsoft.Authorization/policySetDefinitions/nzism-3.6-policyset' --enforcement-mode 'DoNotEnforce' --scope "/subscriptions/<SUBSCRIPTION ID>"
```

Once applied, you will see the initiative in the list of assignments for the subscription or management group. You can click on the assignment to see the compliance state of the assignment. Compliance is run once per day by default, but if you want to run this on demand, you can type the following command at the powershell or Azure shell prompt.

```bash
az policy state trigger-scan
```

This defaults to the selected subscription, but you can specify a Resource Group to return a faster response on a smaller scope.

## Feedback

Your use and feedback on this initiative is appreciated. Please send any feedback to the email addresses mentioned at the top of this document.
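Review bot: in step 6 both az policy set-definition create commands pass --metadata "category=Regulatory Compliance","version=1.1"; in bash the two quoted strings joined by a comma collapse into one argument, category=Regulatory Compliance,version=1.1, and the CLI expects --metadata as space-separated key=value pairs, so the version ends up inside the category value. Write it as --metadata "category=Regulatory Compliance" "version=1.1". Other points in this hunk: the placeholder <MANGEMENT GROUP ID> is misspelled and does not match the *MANAGEMENT GROUP ID* the heading tells the reader to replace; "clouid shell" in step 3; the assignment text says to change --policy "as per the format above" for a management group deployment, but the table lists assignment scopes rather than definition ids, so spell out the full id (/providers/Microsoft.Management/managementGroups/<MANAGEMENT GROUP ID>/providers/Microsoft.Authorization/policySetDefinitions/nzism-3.6-policyset). The trigger-scan command and the "This defaults to the selected subscription" sentence duplicate the text already present in the portal assignment section above; a cross-reference would avoid the two drifting apart. Finally, --enforcement-mode 'DoNotEnforce' deserves one sentence explaining that the assignment then only evaluates and reports compliance without enforcing the policy effects, so readers understand why the mode is set and when to change it.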
Expand All @@ -91,3 +156,4 @@ Your use and feedback on this initiative is appreciated. Please send any feedba
* [Enterprise Policy As Code](https://aka.ms/epac)
* [Azure safe deployment practices for Policy](https://learn.microsoft.com/en-us/azure/governance/policy/how-to/policy-safe-deployment-practices)
* [Azure Policy Compliance](https://learn.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data)
* [Az policy command reference](https://learn.microsoft.com/en-us/cli/azure/policy?view=azure-cli-latest)
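Review bot: style only: the new entry "Az policy command reference" is capitalised differently from the other links in this list; suggest "Azure CLI policy command reference" so the list reads consistently.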