The Policy Exemptions GitHub Actions Workflow deploys all required policy exemptions to the target Azure environments.
The workflow consists of the following jobs:
- Initiation
- Build Dev
- Build Prod
- Test Dev
- Test Prod
- Deploy Dev
- Deploy Prod
- After the `Initiation` job, the `Build Dev` and `Build Prod` jobs are kicked off concurrently. These jobs are responsible for building the policy exemption Bicep template for the development and production environments respectively.
- The `Test Dev` and `Test Prod` jobs are responsible for performing additional tests in their respective environments. They are kicked off after the `Build Dev` and `Build Prod` jobs respectively.
- The `Deploy Dev` job is kicked off upon successful completion of the `Test Dev` job. It is responsible for deploying the policy exemptions to the development environment.
- The `Deploy Prod` job will only be kicked off when all of the following conditions are met:
  - The `Deploy Dev` job has completed successfully.
  - The `Test Prod` job has completed successfully.
  - The workflow is triggered from the `main` branch or a git tag.
The Policy Exemptions workflow is designed to be triggered by the following methods:
- Manually
- Upon the successful completion of the Policy Assignments workflow, when the `Deploy Prod` job is completed and the workflow is triggered from the `main` branch.
The `Initiation` job is the entry point of the workflow. It uses the custom action `initiation`. It simply displays the current UTC time and the environment variables on the agent, for debugging purposes.
The `Build Dev` and `Build Prod` jobs use the custom action `build-policy-assignment-and-exemption` to collect the path of each policy exemption configuration file and add it to the policy exemption Bicep template file.
The workflow evaluates each policy exemption configuration file and filters out the ones that have already expired, because there is no point in deploying expired exemptions.
The remaining JSON files are then loaded at compile time by the Policy Exemptions Bicep module using the `loadJsonContent()` Bicep function.
The updated Bicep template file is then stored as a build artifact.
The `Test Dev` and `Test Prod` jobs use the following custom actions to perform a set of tests on the Bicep templates generated in the `Build Dev` and `Build Prod` jobs respectively:
The tests include:
- Policy Exemption Configuration Syntax tests (`exemptionConfigurationsSyntaxTest.ps1`)
- Bicep Support File tests (`BicepRequiredSupportFilesTests.ps1`)
- Bicep Linter tests, by calling the `bicep build` command
- PSRule tests
- Template deployment validation tests
The test results are then published in the workflow run.
The test results are summarized and written to the job summary using the custom action `parse-pester-results`.
NOTE: At the time of writing this document, the PSRule for Azure module does not provide any tests for policy resources. Also, the ARM What-If validation does not work with policy resources (this issue has been reported on the What-If issue tracker on GitHub).
The `Deploy Dev` job uses the custom action `bicep-deployments`.
It deploys the policy exemptions Bicep template generated by the `Build Dev` job upon successful completion of the `Test Dev` job.
The policy exemptions Bicep template does not require any parameter files.
Although only a single deployment job is created to deploy all the policy exemptions, the Bicep templates are designed to create them concurrently (with up to 15 concurrent resource deployments defined in Bicep).
Like the `Deploy Dev` job, the `Deploy Prod` job uses the custom action `bicep-deployments`.
It deploys the policy exemptions Bicep template generated by the `Build Prod` job upon successful completion of the `Test Prod` and `Deploy Dev` jobs.
The condition on this job also requires that the workflow be triggered from the `main` branch for this job to start.
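Pulling the trigger conditions, the job dependencies and the build-time expiry filtering described on this page together, the following is an added illustration of what such a workflow looks like as a GitHub Actions file. It is not the repository's own workflow: the job ids, the paths of the custom actions, their input names, the artifact names, the file locations and the `expiresOn` field in the exemption configuration are all assumptions. The expiry filter is written out as an explicit `pwsh` step on the dev leg only; on this page that logic belongs to the `build-policy-assignment-and-exemption` action.

```yaml
# Added illustration of the job graph this page describes. It is not the
# repository's own workflow file: job ids, action paths, action inputs,
# artifact names and file locations are assumptions.
name: Policy Exemptions

on:
  workflow_dispatch:              # manual trigger
  workflow_run:                   # chained after the Policy Assignments workflow
    workflows: ["Policy Assignments"]
    types: [completed]

jobs:
  initiation:
    runs-on: ubuntu-latest
    # Manual run, or the upstream workflow finished successfully on main.
    if: >-
      github.event_name == 'workflow_dispatch' ||
      (github.event.workflow_run.conclusion == 'success' &&
       github.event.workflow_run.head_branch == 'main')
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/initiation

  build-dev:
    needs: initiation
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Expired exemptions are dropped before the template is built. The
      # `expiresOn` field mirrors the Azure policy exemption property (assumed).
      - name: Drop expired exemption configurations
        shell: pwsh
        run: |
          $now = [DateTime]::UtcNow
          Get-ChildItem -Path ./exemptions/dev -Filter *.json -Recurse | ForEach-Object {
            $cfg = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
            if ($cfg.expiresOn -and [DateTimeOffset]::Parse($cfg.expiresOn).UtcDateTime -lt $now) {
              Write-Host "Skipping expired exemption: $($_.FullName)"
              Remove-Item -Path $_.FullName
            }
          }
      - uses: ./.github/actions/build-policy-assignment-and-exemption
        with: { environment: dev }
      - uses: actions/upload-artifact@v4
        with: { name: exemptions-dev, path: ./build/dev }

  build-prod:
    needs: initiation              # runs concurrently with build-dev
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # The same expiry-filter step as in build-dev applies here (omitted for brevity).
      - uses: ./.github/actions/build-policy-assignment-and-exemption
        with: { environment: prod }
      - uses: actions/upload-artifact@v4
        with: { name: exemptions-prod, path: ./build/prod }

  test-dev:
    needs: build-dev
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with: { name: exemptions-dev, path: ./build/dev }
      - run: az bicep build --file ./build/dev/policyExemptions.bicep   # linter pass

  test-prod:
    needs: build-prod
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with: { name: exemptions-prod, path: ./build/prod }
      - run: az bicep build --file ./build/prod/policyExemptions.bicep

  deploy-dev:
    needs: test-dev
    runs-on: ubuntu-latest
    environment: dev
    steps:
      - uses: actions/download-artifact@v4
        with: { name: exemptions-dev, path: ./build/dev }
      - uses: ./.github/actions/bicep-deployments
        with: { template: ./build/dev/policyExemptions.bicep }

  deploy-prod:
    needs: [test-prod, deploy-dev]
    # Both prerequisites succeeded AND the run is for main or a git tag.
    if: >-
      success() &&
      (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/'))
    runs-on: ubuntu-latest
    environment: prod
    steps:
      - uses: actions/download-artifact@v4
        with: { name: exemptions-prod, path: ./build/prod }
      - uses: ./.github/actions/bicep-deployments
        with: { template: ./build/prod/policyExemptions.bicep }
```

`success()` is written out explicitly in `deploy-prod` so the branch-or-tag check cannot be misread as overriding the requirement that both jobs in `needs` completed successfully. The `initiation` job carries the `workflow_run` check for the Policy Assignments workflow; because every other job chains back to it through `needs`, a failed or off-branch upstream run skips the whole graph.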
