
Azure Policy Support for Definitions and Assignments #550

Closed
Pbolkun opened this issue Aug 7, 2024 · 6 comments · Fixed by #552 or #565
Labels
enhancement New feature or request

Comments

@Pbolkun

Pbolkun commented Aug 7, 2024

It would be great if we could export Azure Policy Definition and Policy Assignments. When you use the az definition show and az assignment show commands with appropriate queries you can export the definitions, but to get those into HCL can be tedious. It especially becomes a problem when you attempt to export an entire initiative definition set.

Look forward to seeing if there's any support here!

@magodo
Collaborator

magodo commented Aug 8, 2024

There is an option: --include-role-assignment that allows you to export role assignments directly assigned to the resources being exported.

@magodo magodo added the question Further information is requested label Aug 8, 2024
@Pbolkun
Author

Pbolkun commented Aug 8, 2024

That's fantastic to hear that role assignments are supported! When I mention Azure Policy assignments, I'm referring to a global resource that helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment. https://learn.microsoft.com/en-us/azure/governance/policy/overview

@magodo magodo added enhancement New feature or request question Further information is requested and removed question Further information is requested enhancement New feature or request labels Aug 9, 2024
@magodo
Collaborator

magodo commented Aug 9, 2024

@Pbolkun I'm sorry to mix up role vs policy.

The policy assignment/definition can be exported by the aztfexport res command, by providing the resource id.

You can get the list of those ids via az, e.g. for assignments:

```
az policy assignment list | jq -r '.[].id'
```

In order to export a bunch of assignments and definitions, you can construct a resource map file, then feed it to the aztfexport map command.

Ideally, it helps if the aztfexport res subcommand can take a list of resource ids, so that you can just list all the resource ids of the assignments and definitions. Is that something you are seeking?
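An added example (not from the issue or the aztfexport project) of the map-file route described above: it takes the policy definition and assignment IDs as produced by the az/jq listing, picks the azurerm resource type from the scope encoded in each ID, and writes a mapping file for aztfexport map. The mapping-file layout (JSON keyed by Azure resource ID with resource_id, resource_type and resource_name) and the sample IDs are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example; the aztfexport mapping-file layout used here is assumed.
set -eu

# Choose the azurerm resource type from the shape of the resource ID.
# Assignments get a scope-specific type; definitions share one type.
# Case patterns are ordered most-specific first because '*' spans slashes.
tf_type_for_id() {
  local id lower
  id=$1
  lower=$(printf '%s' "$id" | tr '[:upper:]' '[:lower:]')
  case "$lower" in
    */providers/microsoft.authorization/policydefinitions/*)
      echo azurerm_policy_definition ;;
    /providers/microsoft.management/managementgroups/*/providers/microsoft.authorization/policyassignments/*)
      echo azurerm_management_group_policy_assignment ;;
    /subscriptions/*/resourcegroups/*/providers/*/providers/microsoft.authorization/policyassignments/*)
      echo azurerm_resource_policy_assignment ;;
    /subscriptions/*/resourcegroups/*/providers/microsoft.authorization/policyassignments/*)
      echo azurerm_resource_group_policy_assignment ;;
    /subscriptions/*/providers/microsoft.authorization/policyassignments/*)
      echo azurerm_subscription_policy_assignment ;;
    *) return 1 ;;   # not a policy resource this example knows how to map
  esac
}

# Read one resource ID per line on stdin (as from `az ... | jq -r '.[].id'`)
# and print the mapping JSON on stdout; unknown IDs are reported and skipped.
build_map() {
  local n=0 sep="" id type
  printf '{'
  while IFS= read -r id; do
    [ -n "$id" ] || continue
    type=$(tf_type_for_id "$id") || { echo "skip unsupported id: $id" >&2; continue; }
    printf '%s\n  "%s": {"resource_id": "%s", "resource_type": "%s", "resource_name": "res-%d"}' \
      "$sep" "$id" "$id" "$type" "$n"
    sep=","
    n=$((n + 1))
  done
  printf '\n}\n'
}

# Constructed sample IDs standing in for real az output (placeholder subscription).
SAMPLE_IDS='/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/example-def
/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/example-assign'

printf '%s\n' "$SAMPLE_IDS" | build_map > aztfexport-map.json
```

The resulting file is then passed to `aztfexport map aztfexport-map.json`; IDs containing characters that need JSON escaping are not handled here.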

@jefutte

jefutte commented Sep 25, 2024

@magodo while a list of resources like #552 helped me, it would also be great to have aztfexport query understand ARG queries fully. Tried using
```
policyresources | where type == 'microsoft.authorization/policydefinitions' | where properties.policyType == 'Custom'
```

but it fails with the below error:

```
--------------------------------------------------------------------------------
RESPONSE 400: 400 Bad Request
ERROR CODE: BadRequest

{
  "error": {
    "code": "BadRequest",
    "message": "Please provide below info when asking for support: timestamp = 2024-09-25T12:10:37.6190263Z, correlationId = 582a865b-380f-4e46-80e3-5414a725ea65.",
    "details": [
      {
        "code": "InvalidQuery",
        "message": "Query is invalid. Please refer to the documentation for the Azure Resource Graph service and fix the error before retrying."
      },
      {
        "code": "Operator_FailedToResolveEntity",
        "message": "'where' operator: Failed to resolve scalar expression named 'policyresources'"
      },
      {
        "code": "Default",
        "message": "Filter expression should be Boolean"
      }
    ]
  }
}
--------------------------------------------------------------------------------
```

@stemaMSFT
Member

@magodo what's the complexity of supporting copy-paste of preexisting ARG queries? I know that in this scenario we could just use the and operator repeatedly, but thought it's worth asking.

@magodo
Collaborator

magodo commented Sep 26, 2024

@stemaMSFT The reason to restrict the KQL is to avoid too flexible usage that might change the returned data format, which can break the assumptions of the program.

While I revisited the ARG tables, it looks like the (default) Resources doesn't contain all the available resource types. So probably we should allow users to specify the table name.

Especially the Azure Policy resources asked about in this thread need more thought:

The AuthorizationScopeFilter parameter enables you to list Azure Policy assignments and Azure role-based access control (Azure RBAC) role assignments in the AuthorizationResources table that are inherited from upper scopes. The AuthorizationScopeFilter parameter accepts the following values for the PolicyResources and AuthorizationResources tables:

AtScopeAndBelow (default if not specified): Returns assignments for the given scope and all child scopes.
AtScopeAndAbove: Returns assignments for the given scope and all parent scopes, but not child scopes.
AtScopeAboveAndBelow: Returns assignments for the given scope, all parent scopes, and all child scopes.
AtScopeExact: Returns assignments only for the given scope; no parent or child scopes are included.
