Tutorial: Implement Azure Policy as Code with GitHub

An Azure Policy as Code workflow makes it possible to manage your policy definitions and assignments as code, control the lifecycle of updating those definitions, and automate the validation of compliance results. In this tutorial, you learn to use Azure Policy features with GitHub to build a lifecycle process. These tasks include:

  • Export policy definitions and assignments to GitHub
  • Push policy objects updated in GitHub to Azure
  • Trigger a compliance scan from the GitHub action

If you would like to assign a policy to identify the current compliance state of your existing resources, the quickstart articles explain how to do so.

Prerequisites

Export Azure Policy objects from the Azure portal

To export a policy definition from the Azure portal, follow these steps:

  1. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

  2. Select Definitions on the left side of the Azure Policy page.

  3. Use the Export definitions button, or select the ellipsis on the row of a policy definition and then select Export definition.

  4. Select the Sign in with GitHub button. If you haven't yet authenticated with GitHub to authorize Azure Policy to export the resource, review the access the GitHub Action needs in the new window that opens and select Authorize AzureGitHubActions to continue with the export process. Once complete, the new window closes itself.

  5. On the Basics tab, set the following options, then select the Policies tab or the Next : Policies button at the bottom of the page.

    • Repository filter: Set to My repositories to see only repositories you own, or All repositories to see all repositories you granted the GitHub Action access to.
    • Repository: Set to the repository that you want to export the Azure Policy resources to.
    • Branch: Set the branch in the repository. Using a branch other than the default is a good way to validate your updates before merging them further into your source code.
    • Directory: The root level folder to export the Azure Policy resources to. Subfolders under this directory are created based on what resources are exported.
  6. On the Policies tab, set the scope to search by selecting the ellipsis and picking a combination of management groups, subscriptions, or resource groups.

  7. Use the Add policy definition(s) button to search the scope for the objects to export. In the side window that opens, select each object to export. Filter the selection by the search box or the type. Once you've selected all objects to export, use the Add button at the bottom of the page.

  8. For each selected object, select the desired export options, such as Only Definition or Definition and Assignment(s) for a policy definition. Then select the Review + Export tab or the Next : Review + Export button at the bottom of the page.

    Note

    If the option Definition and Assignment(s) is chosen, only policy assignments within the scope set by the filter when the policy definition is added are exported.

  9. On the Review + Export tab, check that the details match and then use the Export button at the bottom of the page.

  10. Check your GitHub repository, branch, and root level folder to see that the selected resources are now exported to your source control.

The Azure Policy resources are exported into the following structure within the selected GitHub repository and root level folder:

|
|- <root level folder>/                  # Root level folder set by the Directory property
|  |- policies/                          # Subfolder for policy objects
|     |- <displayName>_<name>/           # Subfolder based on the policy displayName and name properties
|        |- policy.json                  # Policy definition
|        |- assign.<displayName>_<name>  # Each assignment (if selected), based on its displayName and name properties
|

Push policy objects updated in GitHub to Azure

  1. When policy objects are exported, a GitHub workflow file named .github/workflows/manage-azure-policy-<randomLetters>.yml is also created to get you started.

    Note

    The GitHub workflow file is created each time export is used. Each instance of the file is specific to the options chosen during that export action.

  2. This workflow file uses the Manage Azure Policy action to push changes made to the exported policy objects in the GitHub repository back to Azure Policy. By default, the action considers and syncs only those files that differ from the ones existing in Azure. You can also use the assignments parameter in the action to sync only changes made to specific assignment files. This parameter can be used to apply policy assignments only for a specific environment. For more information, see the Manage Azure Policy repository readme.

  3. By default, the workflow must be triggered manually. To do so, open the Actions tab in GitHub, select the manage-azure-policy-<randomLetters> workflow, select Run workflow, and then select Run workflow again.

    Screenshot of the Actions tab, the workflow, and the Run workflow button in the GitHub web interface.

    Note

    The workflow file must be in the default branch to be detected and run manually.

  4. The workflow syncs the changes made to policy objects with Azure and reports the status in the logs.

    Screenshot of the running workflow and the details recorded in the logs.

  5. The workflow also adds details to the properties.metadata of the Azure Policy objects so that you can track them.

    Screenshot of an Azure Policy definition in the Azure portal with metadata updated by the GitHub action.
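The folder layout above and the assignments parameter from step 2 lend themselves to a pre-merge check: walk the exported tree, flag anything a reviewer should see before the workflow pushes it to Azure, and collect the assignment files per environment. The script below is an added example, not part of this tutorial or of the Manage Azure Policy action; the sample files, names, and subscription IDs are constructed, and the JSON fields it reads (policyRule.then.effect, policyDefinitionId, scope, enforcementMode) are the standard Azure Policy resource fields rather than anything shown on this page.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample of the exported tree (hypothetical values, not real Azure data).
# Field names follow the Azure Policy resource JSON for definitions and assignments.
DEF_ID = "/subscriptions/<sub>/providers/Microsoft.Authorization/policyDefinitions/"
SAMPLE = {
    "policies/Require tag_req-tag-001/policy.json": {
        "name": "req-tag-001", "type": "Microsoft.Authorization/policyDefinitions",
        "properties": {"displayName": "Require tag", "mode": "Indexed", "policyRule": {
            "if": {"field": "tags['owner']", "exists": "false"}, "then": {"effect": "deny"}}}},
    "policies/Require tag_req-tag-001/assign.Require tag prod_prod-a1.json": {
        "name": "prod-a1", "type": "Microsoft.Authorization/policyAssignments",
        "properties": {"policyDefinitionId": DEF_ID + "req-tag-001", "enforcementMode": "Default",
                       "scope": "/subscriptions/<sub>/resourceGroups/prod-rg"}},
    "policies/Require tag_req-tag-001/assign.Require tag dev_dev-b2.json": {
        "name": "dev-b2", "type": "Microsoft.Authorization/policyAssignments",
        "properties": {"policyDefinitionId": DEF_ID + "other-def", "enforcementMode": "DoNotEnforce",
                       "scope": "/subscriptions/<sub>/resourceGroups/dev-rg"}},
}

def audit_export(root: Path) -> dict:
    """Walk <root>/policies/<displayName>_<name>/, report problems a reviewer should
    see before the workflow pushes the files, and group assignment files by the
    resource group in their scope (a list to feed the action's assignments input)."""
    findings, by_scope = [], {}
    for pdir in sorted((root / "policies").iterdir()):
        policy = json.loads((pdir / "policy.json").read_text())
        if policy["properties"]["policyRule"]["then"]["effect"].lower() == "disabled":
            findings.append(f"{pdir.name}: definition effect is disabled")
        for afile in sorted(pdir.glob("assign.*")):
            props = json.loads(afile.read_text())["properties"]
            if props["policyDefinitionId"].rsplit("/", 1)[-1] != policy["name"]:
                findings.append(f"{afile.name}: policyDefinitionId does not point at {policy['name']}")
            if props.get("enforcementMode", "Default") == "DoNotEnforce":
                findings.append(f"{afile.name}: enforcementMode is DoNotEnforce (audit only)")
            rg = props["scope"].rsplit("/", 1)[-1]
            by_scope.setdefault(rg, []).append(str(afile.relative_to(root)))
    return {"findings": findings, "assignments_by_scope": by_scope}

def run_sample() -> dict:
    """Write the constructed sample into a temporary directory and audit it."""
    root = Path(tempfile.mkdtemp())
    for rel, doc in SAMPLE.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(json.dumps(doc))
    return audit_export(root)
```

Running run_sample() on the constructed tree reports the mismatched definition ID and the audit-only assignment in the dev folder, and returns the assignment files grouped by resource group.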

Trigger compliance scans using the GitHub action

Using the Azure Policy Compliance Scan action, you can trigger an on-demand compliance evaluation scan from your GitHub workflow on one or multiple resources, resource groups, or subscriptions, and alter the workflow path based on the compliance state of those resources. You can also configure the workflow to run at a scheduled time to get the latest compliance status at a convenient time. Optionally, this GitHub action can also generate a report on the compliance state of the scanned resources for further analysis or for archiving.

The following example runs a compliance scan for a subscription.


on:
  schedule:
    - cron: '0 8 * * *'  # runs every morning at 8am (GitHub evaluates cron schedules in UTC)
jobs:
  assess-policy-compliance:
    runs-on: ubuntu-latest
    steps:
    - name: Login to Azure
      uses: azure/login@v1
      with:
        creds: ${{secrets.AZURE_CREDENTIALS}}  # service principal credentials stored as a repository secret

    - name: Check for resource compliance
      uses: azure/policy-compliance-scan@v0
      with:
        # one scope per line; resource group or resource IDs can be listed as well
        scopes: |
          /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Review

In this tutorial, you successfully accomplished the following tasks:

  • Exported policy definitions and assignments to GitHub
  • Pushed policy objects updated in GitHub to Azure
  • Triggered a compliance scan from the GitHub action

Next steps

To learn more about the structure of policy definitions, look at this article: