The Policy Definitions GitHub Actions Workflow deploys all required custom policy definitions to the target Azure environments.
The workflow consists of the following jobs:
- Initiation
- Policy Tests
- Build Dev
- Build Prod
- Test Dev
- Test Prod
- Deploy Dev
- Deploy Prod
- After the `Initiation` job, the `Policy Tests` job performs a number of predefined Pester tests for each policy definition file that is to be deployed.
- The `Build Dev` and `Build Prod` jobs are kicked off concurrently upon the successful completion of the `Policy Tests` job. These jobs are responsible for building the policy definition Bicep template for the development and production environments respectively.
- The `Test Dev` and `Test Prod` jobs are responsible for performing additional tests in their respective environments. They are kicked off after the `Build Dev` and `Build Prod` jobs respectively.
- The `Deploy Dev` job is kicked off upon successful completion of the `Test Dev` job. It is responsible for deploying the policy definitions to the development environment.
- The `Deploy Prod` job will only be kicked off when all of the following conditions are met:
  - The `Deploy Dev` job has completed successfully.
  - The `Test Prod` job has completed successfully.
  - The workflow is triggered from the `main` branch or a git tag.
The Policy Definitions workflow is designed to be triggered manually. It is not configured to be triggered by code changes in the repository.
The `Initiation` job is the entry point of the workflow. It uses the custom action `initiation`, which simply displays the current UTC time and the environment variables on the agent for debugging purposes.
The `Policy Tests` job uses the custom action `test-policy-def` to run the Pester tests defined in the open-source PowerShell module AzPolicyTest.
The test results are summarized and written to the job summary using the custom action `parse-pester-results`.
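As an added example of the kind of per-file check the `Policy Tests` job runs (this is not the AzPolicyTest module's own test suite), the Pester v5 file below parses every policy definition JSON file under an assumed `policy-definitions` folder and checks the fields a definition must have before it is worth building into the Bicep template. The folder layout, the JSON shape (top-level `name` and `properties`) and the list of accepted modes are assumptions.

```powershell
# Added example (not the AzPolicyTest module's tests): Pester v5 checks that each
# policy definition JSON file is well formed. Folder layout and JSON shape are assumed.
$policyDefinitionRoot = Join-Path $PSScriptRoot 'policy-definitions'   # assumed layout

# One test data set per file; the hashtable keys become $Path and $Name in the tests
# and <Name> is expanded in the Describe title.
$policyFiles = Get-ChildItem -Path $policyDefinitionRoot -Filter '*.json' -Recurse -File |
    ForEach-Object { @{ Path = $_.FullName; Name = $_.Name } }

Describe 'Policy definition <Name>' -ForEach $policyFiles {
    BeforeAll {
        # A parsing failure surfaces here as one clear error for the file.
        $definition = Get-Content -Path $Path -Raw | ConvertFrom-Json -ErrorAction Stop
    }

    It 'has a name of at most 64 characters' {
        $definition.name | Should -Not -BeNullOrEmpty
        $definition.name.Length | Should -BeLessOrEqual 64
    }

    It 'declares a supported mode' {
        # Assumed subset of the modes Azure Policy accepts; extend for the data-plane modes you use.
        $definition.properties.mode | Should -BeIn @('All', 'Indexed', 'Microsoft.Kubernetes.Data', 'Microsoft.KeyVault.Data')
    }

    It 'has a display name and description' {
        $definition.properties.displayName | Should -Not -BeNullOrEmpty
        $definition.properties.description | Should -Not -BeNullOrEmpty
    }

    It 'contains a policy rule with if and then blocks' {
        $definition.properties.policyRule.if   | Should -Not -BeNullOrEmpty
        $definition.properties.policyRule.then | Should -Not -BeNullOrEmpty
    }

    It 'uses an effect that exists in Azure Policy' {
        $effect = $definition.properties.policyRule.then.effect
        # A parameterised effect ("[parameters('effect')]") is resolved from the parameter's default value.
        if ($effect -match "^\[parameters\('(?<p>[^']+)'\)\]$") {
            $effect = $definition.properties.parameters.($Matches.p).defaultValue
        }
        $effect | Should -BeIn @('Audit', 'AuditIfNotExists', 'Deny', 'DenyAction', 'DeployIfNotExists', 'Disabled', 'Modify', 'Append', 'Manual')
    }
}
```

Save it as a `*.Tests.ps1` file next to the folder and run `Invoke-Pester -Output Detailed`; a malformed file fails in `BeforeAll`, so every `It` for that file is reported as failed with the parser's message rather than as a cascade of null-property errors.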
The `Build Dev` and `Build Prod` jobs use the custom action `build-policy-def` to populate the paths of each policy definition JSON file and add them to the policy definition Bicep template file.
These JSON files are then loaded at compile time by the policy definition Bicep module using the `loadJsonContent()` Bicep function.
The updated Bicep template file is then stored as a build artifact.
The `Test Dev` and `Test Prod` jobs use the custom action `test-validate` to perform a set of tests on the Bicep templates generated in the `Build Dev` and `Build Prod` jobs respectively.
The tests include:
- Bicep support file tests (`BicepRequiredSupportFilesTests.ps1`)
- Bicep linter tests, by calling the `bicep build` command
- PSRule tests
- Template deployment validation tests
NOTE: At the time of writing this document, the PSRule for Azure module does not provide any tests for policy resources, and ARM What-If validation does not work with policy resources (this issue has been reported on What-If's issue tracker on GitHub).
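The three template checks listed above (linter via `bicep build`, PSRule, and deployment validation), as an added PowerShell 7 script that is not the repository's `test-validate` action. It assumes the Bicep CLI, the `PSRule.Rules.Azure` module and `Az.Resources` are installed, that the template is deployed at management group scope, and the template path, management group id and location given as parameter defaults.

```powershell
# Added example (not the repository's test-validate action): run the linter, PSRule
# and deployment validation against the built template. Paths, scope and location are assumed.
param(
    [string]$TemplateFile      = './policy-definitions.bicep',   # assumed path
    [string]$ManagementGroupId = 'mg-policy-dev',                # assumed target scope
    [string]$Location          = 'australiaeast'                 # assumed deployment metadata location
)
$ErrorActionPreference = 'Stop'

# 1. Bicep build: compiling runs the linter; a non-zero exit code fails the job.
$armFile = [System.IO.Path]::ChangeExtension($TemplateFile, '.json')
bicep build $TemplateFile --outfile $armFile
if ($LASTEXITCODE -ne 0) { throw "bicep build failed with exit code $LASTEXITCODE" }

# 2. PSRule for Azure against the compiled ARM template. There are currently no rules
#    for policy resources, so a clean run proves little for this template; the step is
#    kept so it starts adding value as soon as such rules exist.
$failures = Invoke-PSRule -InputPath $armFile -Module 'PSRule.Rules.Azure' -Outcome Fail
if ($failures) {
    $failures | Format-Table RuleName, TargetName, Outcome
    throw "PSRule reported $(@($failures).Count) failing rule(s)"
}

# 3. Deployment validation at the target scope. Test-Az*Deployment returns the
#    validation errors; an empty result means the template validated.
$validationErrors = Test-AzManagementGroupDeployment -ManagementGroupId $ManagementGroupId `
    -Location $Location -TemplateFile $armFile
if ($validationErrors) {
    $validationErrors | ForEach-Object { Write-Host "$($_.Code): $($_.Message)" }
    throw 'Template validation failed'
}
Write-Host 'All validation checks passed'
```

Each step throws on failure rather than only printing, so the job step running this script fails immediately and the dependent deployment job is never started. Validation is used instead of What-If because, as noted above, What-If does not currently work for policy resources.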
The `Deploy Dev` job uses the custom action `bicep-deployment` to deploy the policy definitions Bicep template generated by the `Build Dev` job upon successful completion of the `Test Dev` job.
The policy definitions Bicep template does not require any parameter files.
Although only a single deployment job is created to deploy all the policy definitions, the Bicep templates are designed to create them concurrently (with up to 15 concurrent resource deployments, as defined in the Bicep template).
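One script serves two of the points above: how the `Build Dev` / `Build Prod` jobs populate the Bicep template with `loadJsonContent()` references to every policy definition JSON file, and how the resulting template creates the definitions concurrently in batches of 15. It is an added PowerShell 7 example, not the repository's `build-policy-def` action or its Bicep module, and it assumes the folder layout, the JSON shape (top-level `name` and `properties`), the management group target scope and the `2021-06-01` API version.

```powershell
# Added example (not the repository's build-policy-def action): generate the policy
# definitions Bicep template from a folder of JSON files. Each file is referenced with
# loadJsonContent() so it is embedded at compile time, and the definitions are created
# 15 at a time with @batchSize. Folder layout, JSON shape and scope are assumptions.
param(
    [string]$PolicyDir = './policy-definitions',         # assumed input folder
    [string]$OutFile   = './policy-definitions.bicep',   # assumed output template
    [int]$BatchSize    = 15
)
$ErrorActionPreference = 'Stop'

$outFull  = [System.IO.Path]::GetFullPath($OutFile)
$bicepDir = Split-Path -Parent $outFull
$files = Get-ChildItem -Path $PolicyDir -Filter '*.json' -Recurse -File | Sort-Object FullName
if (-not $files) { throw "No policy definition files found under $PolicyDir" }

# loadJsonContent() takes a path relative to the Bicep file, written with forward slashes.
$loadLines = foreach ($f in $files) {
    $rel = [System.IO.Path]::GetRelativePath($bicepDir, $f.FullName) -replace '\\', '/'
    "  loadJsonContent('$rel')"
}

$template = @(
    "targetScope = 'managementGroup'"
    ''
    '// Definitions are embedded at compile time; nothing is read from disk at deployment time.'
    'var policyDefinitions = ['
    $loadLines
    ']'
    ''
    "@batchSize($BatchSize)"
    "resource definitions 'Microsoft.Authorization/policyDefinitions@2021-06-01' = [for def in policyDefinitions: {"
    '  name: def.name'
    '  properties: def.properties'
    '}]'
) -join "`n"

Set-Content -Path $outFull -Value $template -NoNewline
Write-Host "Wrote $($files.Count) policy definition reference(s) to $outFull"
```

Because the JSON files are resolved by `loadJsonContent()` at compile time, the build artifact must include both the generated `.bicep` file and the JSON files at the same relative paths, otherwise `bicep build` in the test and deploy jobs fails. The `@batchSize` decorator is what lets a single deployment job create the definitions in parallel while still bounding concurrency.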
Like the `Deploy Dev` job, the `Deploy Prod` job uses the custom action `bicep-deployment`.
It deploys the policy definitions Bicep template generated by the `Build Prod` job upon successful completion of the `Test Prod` and `Deploy Dev` jobs.
The condition on this job also requires that the workflow was triggered from the `main` branch for the job to start.
