### Install Hydration Kit Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/start-hydration-kit.md Use the `Install-HydrationEpac` cmdlet to start the Hydration Kit Installer. Specify the `TenantIntermediateRoot` for the installation. ```PowerShell $tenantIntermediateRoot = "contoso" # Replace with your Management Group ID Install-HydrationEpac -TenantIntermediateRoot $tenantIntermediateRoot ``` -------------------------------- ### Example Global Settings Configuration Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/settings-global-setting-file.md This example demonstrates the required elements for the `global-settings.jsonc` file, including `pacOwnerId` and `pacEnvironments` definitions. ```json { "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/global-settings-schema.json", "pacOwnerId": "00000000-0000-0000-0000-000000000000", "pacEnvironments": [ { "pacSelector": "epac-dev", "cloud": "AzureCloud", "tenantId": "00000000-0000-0000-0000-000000000000", "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/mg-Epac-Dev", "desiredState": { "strategy": "full", "keepDfcSecurityAssignments": false, "doNotDisableDeprecatedPolicies": false }, "skipResourceValidationForExemptions": false, "managedIdentityLocation": "eastus2" }, { "pacSelector": "tenant", "cloud": "AzureCloud", "tenantId": "00000000-0000-0000-0000-000000000000", "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/mg-Enterprise", "desiredState": { "strategy": "full", "keepDfcSecurityAssignments": false, "doNotDisableDeprecatedPolicies": false }, "skipResourceValidationForExemptions": false, "managedIdentityLocation": "eastus2", "globalNotScopes": [ "/providers/Microsoft.Management/managementGroups/mg-Epac-Dev" ] } ] } ``` -------------------------------- ### High Contrast Theme Output Example Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Scripts/Helpers/THEME-README.md This example shows the output with the 'high-contrast' theme, using text-based indicators and distinct background colors for accessibility. ```text +------------------------+ | Building Policy Plan | +------------------------+ >> Processing Policies ====================== [OK] 5 policies processed successfully (white text on green background) [WARN] 2 warnings found (black text on yellow background) [ERROR] 1 error occurred (white text on red background) ``` -------------------------------- ### Screen Reader Theme Output Example Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Scripts/Helpers/THEME-README.md This example demonstrates the output for the 'screen-reader' theme, which uses plain text labels and no decorative characters for optimal screen reader compatibility. ```text Building Policy Plan SECTION: Processing Policies SUCCESS: 5 policies processed successfully WARNING: 2 warnings found ``` -------------------------------- ### EPAC Default Theme Configuration Example Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/settings-output-themes.md An example of a complete EPAC theme configuration, including definitions for header, section, and status characters and colors. This can be copied and customized. ```json { "themeName": "default", "themes": { "default": { "name": "Default Modern Theme", "description": "Standard colorful theme with Unicode characters", "characters": { "header": { "topLeft": "┏", "topRight": "┓", "bottomLeft": "┗", "bottomRight": "┛", "horizontal": "━", "vertical": "┃" }, "section": { "arrow": "▶", "underline": "━" }, "status": { "success": "✓", "warning": "⚠", "error": "✗", "info": "•", "skip": "⊘", "update": "⭮", "processing": "🔄" } }, "colors": { "header": { "primary": "Cyan", "secondary": "DarkCyan" }, "section": "Blue", "status": { "success": "Green", "warning": "Yellow", "error": "Red", "info": "White", "skip": "DarkGray", "update": "Cyan", "processing": "Yellow" } } } } } ``` -------------------------------- ### EPAC Target Subscription Configuration Example Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/guidance-lighthouse.md Example configuration for a target subscription within EPAC. Ensure 'tenantId' points to your tenant, and 'deploymentRootScope' and 'managedTenantId' are set for the customer's subscription and tenant. ```json { "pacSelector": "epac-ManagedCustomerSubscription1", "cloud": "AzureCloud", "tenantId": "00000000-1111-2222-3333-444444444444", <----My Tenant "deploymentRootScope": "/subscriptions/999999-8888-7777-6666-555555555555", <----Customer subscription "managedTenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", <----Customer tenant ID "desiredState": { ``` -------------------------------- ### Screen Reader Theme Output Example Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/settings-output-themes.md Example of the output generated when the 'screen-reader' theme is active. This output is designed for clarity and compatibility with text-to-speech software. ```text Building Policy Plan SECTION: Processing Policies SUCCESS: 5 policies processed successfully WARNING: 2 warnings found ERROR: 1 error occurred ``` -------------------------------- ### PAC Configuration Example Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/guidance-lighthouse.md This snippet shows a configuration for a Policy as Code deployment, specifying the strategy and deployment details. Ensure 'full' strategy is used for comprehensive policy application. ```json { "strategy": "full", "keepDfcSecurityAssignments": false }, "deployedBy": "My Org Admins" } ``` -------------------------------- ### Lighthouse Managed Tenant Configuration Example Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/settings-global-setting-file.md This JSON configuration demonstrates how to set up policy assignments for a Lighthouse Managed Tenant, including specifying tenant IDs, deployment scopes, desired states, and global exclusions. ```json { "pacOwnerId": "00000000-0000-0000-0000-000000000000", "pacEnvironments": [ { "pacSelector": "epac-dev", "cloud": "AzureCloud", "tenantId": "11000000-0000-0000-0000-000000000000", "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/PAC-Heinrich-Dev", "desiredState": { "strategy": "full", "keepDfcSecurityAssignments": false, "doNotDisableDeprecatedPolicies": false }, "skipResourceValidationForExemptions": false, "mangedIdentityLocation": "eastus2" }, { "pacSelector": "tenant", "cloud": "AzureCloud", "tenantId": "11000000-0000-0000-0000-000000000000", "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/Contoso-Root", "desiredState": { "strategy": "full", "keepDfcSecurityAssignments": false, "doNotDisableDeprecatedPolicies": false }, "globalNotScopes": [ "/providers/Microsoft.Management/managementGroups/PAC-Heinrich-Dev" ], "skipResourceValidationForExemptions": false, "managedIdentityLocation": "eastus2" }, { "pacSelector": "lightHouseTenant", "cloud": "AzureCloud", "tenantId": "11000000-0000-0000-0000-000000000000", "managedTenantId": "22000000-0000-0000-0000-000000000000", "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/Contoso-Root", "desiredState": { "strategy": "full", "keepDfcSecurityAssignments": false, "doNotDisableDeprecatedPolicies": false }, "skipResourceValidationForExemptions": false, "managedIdentityLocation": "eastus2" } ] } ``` -------------------------------- ### Default Theme Output Example Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Scripts/Helpers/THEME-README.md This is an example of the output generated using the default EPAC theme, which includes colorful Unicode characters and box drawing for headers. ```text ┏━━━━━━━━━━━━━━━━━━━━━━━━┓ ┃ Building Policy Plan ┃ ┗━━━━━━━━━━━━━━━━━━━━━━━━┛ ▶ Processing Policies ━━━━━━━━━━━━━━━━━━━━━ ✓ 5 policies processed successfully ⚠ 2 warnings found ``` -------------------------------- ### Switching to High Contrast Theme Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/settings-output-themes.md Modify the `themeName` in your `.epac/theme.json` file to switch to the 'high-contrast' theme. This example shows the structure for defining multiple themes. ```json { "themeName": "high-contrast", "themes": { "default": { /* ... */ }, "high-contrast": { /* ... */ }, "screen-reader": { /* ... */ } } } ``` -------------------------------- ### Create Global Settings with New-EpacGlobalSettings Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/operational-scripts-reference.md Creates a global-settings.jsonc file with a new GUID, managed identity location, and tenant information. Requires specifying the managed identity location, tenant ID, definitions root folder, and deployment scope. ```powershell New-EpacGlobalSettings [-ManagedIdentityLocation] [-TenantId] [-DefinitionsRootFolder] [-DeploymentRootScope] [] ``` -------------------------------- ### New-EpacGlobalSettings Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/operational-scripts-reference.md Creates a global-settings.jsonc file with a new GUID, managed identity location, and tenant information. It requires specifying the managed identity location, tenant ID, definitions root folder, and deployment root scope. ```APIDOC ## New-EpacGlobalSettings ### Description Creates a global-settings.jsonc file with a new GUID, managed identity location and tenant information ### Method POST (Conceptual - this is a script, not a direct API endpoint) ### Endpoint N/A (PowerShell Script) ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Parameters #### `-ManagedIdentityLocation` Managed Identity Location #### `-TenantId` Tenant ID #### `-DefinitionsRootFolder` Definitions folder path. #### `-DeploymentRootScope` Deployment root scope. ``` -------------------------------- ### Azure DevOps Pipeline for Policy Documentation Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/operational-scripts-documenting-policy.md An example Azure DevOps pipeline step to execute the policy documentation script using a Service Principal. This requires a Service Connection configured with the Service Principal. ```yaml steps: - task: AzurePowerShell@5 displayName: Build policy documentation → ADO Wiki via SPN inputs: azureSubscription: $(ServiceConnectionName) # SPN-based service connection ScriptPath: Scripts/Operations/Build-PolicyDocumentation.ps1 ScriptArguments: -PacSelector -WikiSPN azurePowerShellVersion: LatestVersion ``` -------------------------------- ### Simple Policy Assignment Example (Allowed Locations) Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/policy-assignments.md This JSON defines a simple policy assignment for 'Allowed Locations'. It includes details for the policy definition, assignment properties, parameters, and deployment scope. Ensure assignments have a `displayName` when managing Azure Virtual Network Manager policies. ```json { "nodeName": "/root", "definitionEntry": { "displayName": "Allowed Locations Initiative", "policySetName": "general-allowed-locations-policy-set" }, "assignment": { "name": "allowed-locations", "displayName": "Allowed Locations", "description": "Sets the allowed locations" }, "metadata": {}, "enforcementMode": "Default", "parameters": { "AllowedLocations": [ "centralus", "eastus", "eastus2", "southcentralus" ] }, "scope": { "epac-dev": [ "/providers/Microsoft.Management/managementGroups/Epac-Mg-1" ], "tenant": [ "/providers/Microsoft.Management/managementGroups/c" ] } } ``` -------------------------------- ### New-PipelineFromStarterKit Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/operational-scripts-reference.md Copies pipelines and templates from the starter kit to a new folder, assembling them based on specified criteria. ```APIDOC ## New-PipelineFromStarterKit ### Description This script copies pipelines and templates from the starter kit to a new folder. The script assembles the pipelines/workflows based on the type of pipeline to create, the branching flow to implement, and the type of script to use. ### Method POST ### Endpoint /api/pipelines/starterkit ### Parameters #### Query Parameters - **StarterKitFolder** (String) - Optional - Starter kit folder - **PipelinesFolder** (String) - Optional - New pipeline folder - **PipelineType** (String) - Optional - Type of DevOps pipeline to create AzureDevOps or GitHubActions? - **BranchingFlow** (String) - Optional - Implementing branching flow Release or GitHub - **ScriptType** (String) - Optional - Using Powershell module or script? ### Request Example ```json { "StarterKitFolder": "C:\\StarterKit", "PipelinesFolder": "C:\\NewPipelines", "PipelineType": "AzureDevOps", "BranchingFlow": "Release", "ScriptType": "Powershell" } ``` ### Response #### Success Response (200) - **Status** (String) - Indicates the success of the operation. #### Response Example ```json { "Status": "Pipelines created successfully from starter kit." } ``` ``` -------------------------------- ### Example Expiration Date Update Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/guidance-exemptions.md An example of how to update the 'expiresOn' field with a new timestamp in the required format. ```text "2025-01-01T01:00:00Z" ``` -------------------------------- ### CSV Policy Exemption Example Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/policy-exemptions.md Provides an example of policy exemptions in CSV format. CSV files are still supported. ```csv name,displayName,description,exemptionCategory,expiresOn,scope,policyAssignmentId,policyDefinitionReferenceIds,metadata,assignmentScopeValidation Exemption_00000000000001,My display Name,Mitigated,,,,,,, ``` -------------------------------- ### Build Deployment Plans using Module Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/ci-cd-overview.md Use the `Build-DeploymentPlans` cmdlet from the EnterprisePolicyAsCode module to analyze policy changes and create deployment plans. This is the recommended method for building plans. ```powershell Build-DeploymentPlans ``` -------------------------------- ### Create GitHub Workflows from Starter Kit Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/ci-cd-overview.md Use these commands to generate GitHub Workflows from the starter kit. Specify the starter kit folder, pipelines folder, pipeline type, branching flow, and script type. ```powershell New-PipelinesFromStarterKit -StarterKitFolder .\StarterKit -PipelinesFolder .\.github/workflows -PipelineType GitHubActions -BranchingFlow GitHub -ScriptType script ``` ```powershell New-PipelinesFromStarterKit -StarterKitFolder .\StarterKit -PipelinesFolder .\.github/workflows -PipelineType GitHubActions -BranchingFlow Release -ScriptType script ``` ```powershell New-PipelinesFromStarterKit -StarterKitFolder .\StarterKit -PipelinesFolder .\.github/workflows -PipelineType GitHubActions -BranchingFlow GitHub -ScriptType module ``` ```powershell New-PipelinesFromStarterKit -StarterKitFolder .\StarterKit -PipelinesFolder .\.github/workflows -PipelineType GitHubActions -BranchingFlow Release -ScriptType module ``` -------------------------------- ### Example Policy Assignment ID Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/guidance-exemptions.md This is an example of a full policy assignment path used to identify specific policies for exemption. ```json "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/[ManagementGroupName]/providers/Microsoft.Authorization/policyAssignments/[PolicyAssignmentName]" ``` -------------------------------- ### Download EPAC StarterKit for Local Script Execution Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/start-hydration-kit.md This is an optional step required only if using local scripts for deployment instead of the EnterprisePolicyAsCode module. It downloads the EPAC StarterKit from GitHub. ```powershell $null = New-Item -ItemType Directory -Path ./temp git clone https://github.com/Azure/enterprise-azure-policy-as-code.git ./temp Copy-Item ./temp/Scripts ./ -Recurse -Force Remove-Item ./temp -Recurse -Force ``` -------------------------------- ### Create Pipeline from Starter Kit Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/operational-scripts-reference.md Copies pipelines and templates from a starter kit to a new folder. This script allows customization based on pipeline type, branching flow, and script type. ```powershell New-PipelineFromStarterKit [[-StarterKitFolder] ] [[-PipelinesFolder] ] [[-PipelineType] ] [[-BranchingFlow] ] [[-ScriptType] ] [] ``` -------------------------------- ### Deploy Policies using Module Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/ci-cd-overview.md Use the `Deploy-PolicyPlan` cmdlet from the EnterprisePolicyAsCode module to deploy policies, policy sets, assignments, and exemptions based on the generated plan. This is the recommended deployment method. ```powershell Deploy-PolicyPlan ``` -------------------------------- ### Get Missing Tags with Get-AzMissingTags Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/operational-scripts-reference.md Gets all resources that are missing tags in the current subscription. Customize the PAC environment, definition folder, and output file name. Set to non-interactive if needed. ```powershell Get-AzMissingTags [[-PacEnvironmentSelector] ] [-DefinitionsRootFolder ] [-OutputFileName ] [-Interactive ] [] ``` -------------------------------- ### Create Azure DevOps Pipelines from Starter Kit Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/ci-cd-overview.md Use these commands to generate Azure DevOps Pipelines from the starter kit. Specify the starter kit folder, pipelines folder, pipeline type, branching flow, and script type. ```powershell New-PipelinesFromStarterKit -StarterKitFolder .\StarterKit -PipelinesFolder .\pipelines -PipelineType AzureDevOps -BranchingFlow GitHub -ScriptType script ``` ```powershell New-PipelinesFromStarterKit -StarterKitFolder .\StarterKit -PipelinesFolder .\pipelines -PipelineType AzureDevOps -BranchingFlow Release -ScriptType script ``` ```powershell New-PipelinesFromStarterKit -StarterKitFolder .\StarterKit -PipelinesFolder .\pipelines -PipelineType AzureDevOps -BranchingFlow GitHub -ScriptType module ``` ```powershell New-PipelinesFromStarterKit -StarterKitFolder .\StarterKit -PipelinesFolder .\pipelines -PipelineType AzureDevOps -BranchingFlow Release -ScriptType module ``` -------------------------------- ### Get-AzPolicyAliasOutputCSV Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/operational-scripts-reference.md Gets all policy aliases and outputs them to a CSV file. This script takes no parameters other than common parameters. ```APIDOC ## Get-AzPolicyAliasOutputCSV ### Description Gets all aliases and outputs them to a CSV file. ### Method GET (Conceptual - this is a script, not a direct API endpoint) ### Endpoint N/A (PowerShell Script) ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ``` -------------------------------- ### Initiate Remediation with Start-AzPolicyRemediation Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/guidance-remediation.md Use the Start-AzPolicyRemediation cmdlet to incrementally update the environment to reach the desired security posture. Review and update Effect parameters as needed. ```powershell Start-AzPolicyRemediation ``` -------------------------------- ### Example Expiration Timestamp Format Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/guidance-exemptions.md Specifies the required format for the 'expiresOn' field when setting an expiration date for a policy exemption. ```text "YYYY-MM-DDTmm:hh:ssZ" ``` -------------------------------- ### Output Policy Aliases to CSV with Get-AzPolicyAliasOutputCSV Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/operational-scripts-reference.md Gets all aliases and outputs them to a CSV file. This script accepts common parameters for execution. ```powershell Get-AzPolicyAliasOutputCSV [] ``` -------------------------------- ### Build Deployment Plans using Script Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/ci-cd-overview.md Execute the `Build-DeploymentPlans.ps1` script directly to build deployment plans. This is an alternative to using the PowerShell module. ```powershell Build-DeploymentPlans.ps1 ``` -------------------------------- ### Modify Default Enforcement Mode Source: https://github.com/azure/enterprise-azure-policy-as-code/blob/main/Docs/integrating-with-alz-library.md Example of how to modify the default enforcement mode within the generated policy structure file. Options are 'Default' or 'DoNotEnforce'. ```json "enforcementMode": "Default" // Can be Default or DoNotEnforce ```