export-policies.ps1
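<#
.SYNOPSIS
Deploys the AMBA ALZ template to the "amba" management group, exports the
resulting policy resources into ./Definitions, then runs the AMBA cleanup
script against that management group.

.PARAMETER TenantId
Tenant id written into ./assets/mg-structure.json and into the temporary
./Definitions/global-settings.jsonc, and passed to
./assets/deploy-ManagementGroupStructure.ps1.

.PARAMETER Location
Location used for the management group deployments and as
"managedIdentityLocation" in the temporary global settings.

.PARAMETER AmbaRef
Branch, tag or commit of Azure/azure-monitor-baseline-alerts used both for
the ARM template and for the cleanup script that is executed at the end.
Defaults to 'main', which is what the script used before this parameter
existed. Because 'main' is mutable, pass a reviewed tag or commit id for
repeatable runs.

.NOTES
The script executes code fetched from a remote repository and then deletes
and replaces the policy folders under ./Definitions. It stops before the
destructive steps when the fetch, the deployment or the export did not
succeed.
#>
Param($TenantId, $Location, $AmbaRef = 'main')

# With an empty tenant id the replace below is a no-op and the generated
# settings are unusable, so stop before touching anything.
if ([string]::IsNullOrWhiteSpace($TenantId) -or [string]::IsNullOrWhiteSpace($Location)) {
    throw "Both -TenantId and -Location are required."
}

# The ref is placed into a git argument and into a URL; keep it to plain
# ref characters so it cannot be read as an option or alter the URL path.
if ($AmbaRef -notmatch '^[A-Za-z0-9][A-Za-z0-9._/-]*$') {
    throw "AmbaRef '$AmbaRef' is not a valid branch, tag or commit name."
}

# Replaces every empty JSON string ("") in mg-structure.json with the tenant
# id and rewrites the file in place.
(Get-Content ./assets/mg-structure.json) -replace '""', "`"$tenantId`"" | Set-Content ./assets/mg-structure.json
./assets/deploy-ManagementGroupStructure.ps1 -TenantId $TenantId -Location $Location

# Temporary settings file consumed by Export-AzPolicyResources; it is removed
# again once the export has been copied into ./Definitions.
$gs = @"
{
"pacOwnerId": "4f5222f0-6677-4987-8de6-6fbc97ab631f",
"pacEnvironments": [
{
"pacSelector": "amba",
"cloud": "AzureCloud",
"tenantId": "$tenantId",
"deploymentRootScope": "/providers/Microsoft.Management/managementGroups/amba",
"globalNotScopes":[],
"desiredState": {
"strategy": "full",
"keepDfcSecurityAssignments": false
},
"managedIdentityLocation": "$Location"
}
]
}
"@
$gs | Out-File ./Definitions/global-settings.jsonc -Verbose

# Fetch the cleanup script. git is a native command, so its failure is only
# visible through $LASTEXITCODE. A failed clone (for example because ./tmp
# already exists) must not fall through to copying and later executing
# whatever happens to be in ./tmp.
git clone https://github.com/Azure/azure-monitor-baseline-alerts.git tmp
if ($LASTEXITCODE -ne 0) {
    throw "git clone of azure-monitor-baseline-alerts into ./tmp failed (exit code $LASTEXITCODE)."
}
try {
    git -C tmp checkout --quiet $AmbaRef
    if ($LASTEXITCODE -ne 0) {
        throw "git checkout of '$AmbaRef' failed (exit code $LASTEXITCODE)."
    }
    Copy-Item "./tmp/patterns/alz/scripts/Old scripts/Start-AMBACleanup.ps1" ./assets/Start-AMBACleanup.ps1 -Verbose -ErrorAction Stop
}
finally {
    # The clone is only needed for the copy above; remove it on every path so
    # a failed run does not leave a stale ./tmp behind.
    Remove-Item -Path tmp -Recurse -Force
}

$pseudoRootManagementGroup = "amba"
# Deploy AMBA
# The template comes from the same ref as the cleanup script. A failed
# deployment stops the run so that a partial state is not exported over the
# existing definitions.
New-AzManagementGroupDeployment -ManagementGroupId $pseudoRootManagementGroup `
    -Location $location `
    -TemplateUri "https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/$($AmbaRef)/patterns/alz/alzArm.json" `
    -TemplateParameterFile ".\assets\alzArm.param.json" `
    -Verbose `
    -ErrorAction Stop
# Fixed wait between the deployment and the export.
Start-Sleep -Seconds 180

Export-AzPolicyResources -DefinitionsRootFolder ./Definitions -OutputFolder ./Output

# Do not delete the current definitions unless the export produced output.
if (-not (Test-Path -Path ./Output/export/Definitions -PathType Container)) {
    throw "Export output ./Output/export/Definitions was not created; existing ./Definitions left untouched."
}

# Remove the folders first:
Remove-Item -Path ./Definitions/policyDefinitions -Recurse -Force
Remove-Item -Path ./Definitions/policySetDefinitions -Recurse -Force
Remove-Item -Path ./Definitions/policyAssignments -Recurse -Force
# Copy new files:
Copy-Item ./Output/export/Definitions/policyDefinitions ./Definitions -Force -Recurse
Copy-Item ./Output/export/Definitions/policySetDefinitions ./Definitions -Force -Recurse
Copy-Item ./Output/export/Definitions/policyAssignments ./Definitions -Force -Recurse
Remove-Item -Path Output -Recurse -Force
Remove-Item -Path ./Definitions/global-settings.jsonc -Force
# Remove managed identity parts
# Fix missing displaynames in the policy set definitions

# Runs the cleanup script fetched above with confirmation prompts disabled.
# Its content is whatever the chosen AmbaRef contained at fetch time, so
# review that ref before running this against a tenant you care about.
./assets/Start-AMBACleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Confirm:$false
Remove-Item -Path ./assets/Start-AMBACleanup.ps1 -Force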