New-PolicySets.ps1
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
<#
.SYNOPSIS
This is a standalone PowerShell script to deploy policy sets.
#>
using namespace System.Collections
# NOTE(review): nothing in the visible script references a System.Collections type, so this directive looks unused.
param (
    # NOTE(review): PowerShell ignores the default value of a mandatory parameter and uses its own
    # built-in prompt instead, so the Read-Host guidance text below is never shown. Either drop
    # `mandatory = $true` (the Read-Host default then supplies the value) or drop the default.
    [Parameter(Position = 0, mandatory = $true)]
    [string]
    $parFolderPath = $(Read-Host -prompt "Please choose the relative folder path where the policy initiative JSON files reside. For example, D:\Repository\MCFSPolicyPortfolio\PolicyPacks\BIO"),
    # Target management group for New-AzPolicySetDefinition; the value is not validated here.
    [Parameter(Position = 1, mandatory = $true)]
    [string]
    $parManagementGroupId = $(Read-Host -prompt "Please type the management group ID where the policies will be deployed. The root management group ID is the same as your AAD tenant ID. For example, SLZ")
)
#variables
# Retry budget used by New-InstallPolicySets for every policy file: total number of attempts
# and the pause between attempts in seconds. Read from the function via dynamic scoping.
$varMaxRetryAttemptTransientErrorRetry = 6
$varRetryWaitTimeTransientErrorRetry = 60
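<#
.Description
Installs the default policy sets for the root management group.
.PARAMETER parFolderPath
Folder whose top-level *.json files are each treated as one policy set definition (not recursive).
.PARAMETER parManagementGroupId
Management group in which the policy set definitions are created.
.OUTPUTS
The object returned by New-AzPolicySetDefinition for every deployed file.
.NOTES
Every failure for a file is retried up to $varMaxRetryAttemptTransientErrorRetry times with a
pause of $varRetryWaitTimeTransientErrorRetry seconds (script-scope variables). Non-transient
failures such as malformed JSON go through the same retry loop, so a permanent error costs the
whole retry budget before the script stops with a terminating error.
#>
function New-InstallPolicySets {
    param($parFolderPath, $parManagementGroupId)

    # Fail loudly instead of silently deploying nothing when the folder does not exist.
    if (-not (Test-Path -Path $parFolderPath -PathType Container)) {
        throw "Policy set folder not found: $parFolderPath"
    }

    $varPolicySetDefinitionFiles = Get-ChildItem $parFolderPath -Filter "*.json"
    ForEach ($varPolicySetDefinitionFile in $varPolicySetDefinitionFiles) {
        $varLoopCounter = 0
        $varRetry = $true
        while ($varRetry) {
            try {
                # Interpolate the name: `"text " + $x` as Write-Host arguments printed a literal "+".
                Write-Host "Importing policy file: $($varPolicySetDefinitionFile.Name)"
                $varPolicySetDefinitionJson = Get-Content -Raw -Path $varPolicySetDefinitionFile.FullName | ConvertFrom-Json
                # The version from metadata is baked into the name so that a new version is a new resource.
                $varVersion = $varPolicySetDefinitionJson.properties.metadata.version
                $varDisplayName = $varPolicySetDefinitionJson.properties.displayName + " v" + $varVersion
                $varName = $varPolicySetDefinitionJson.name + ".v" + $varVersion
                $varDescription = $varPolicySetDefinitionJson.properties.description + " v" + $varVersion
                $varPolicyDefinitions = ConvertTo-Json $varPolicySetDefinitionJson.properties.policyDefinitions -Depth 100
                $varPolicyMetadata = $varPolicySetDefinitionJson.properties.metadata | ConvertTo-Json -Depth 100
                $varPolicyParameters = $varPolicySetDefinitionJson.properties.parameters | ConvertTo-Json -Depth 100
                $varPolicyDefinitionGroups = ConvertTo-Json $varPolicySetDefinitionJson.properties.policyDefinitionGroups -Depth 100
                # Collapse "[[" to "[" — presumably the escape used in the source JSON for a literal
                # bracket that must not be sent doubled to the policy API; confirm against the files.
                $varPolicyDefinitions = $varPolicyDefinitions -Replace '\[\[', '['
                $varPolicyDefinitionGroups = $varPolicyDefinitionGroups -Replace '\[\[', '['

                if (Confirm-ValueIsNullOrEmpty($varPolicyDefinitions)) {
                    Write-Host "No policy definitions in the policy file: $($varPolicySetDefinitionFile.Name)"
                    # Leaves the retry loop and moves on to the next file.
                    break
                }

                # One splatted call; GroupDefinition is only passed when the file declares groups.
                $varPolicySetParams = @{
                    Name                = $varName
                    DisplayName         = $varDisplayName
                    Description         = $varDescription
                    PolicyDefinition    = $varPolicyDefinitions
                    Metadata            = $varPolicyMetadata
                    Parameter           = $varPolicyParameters
                    ManagementGroupName = $parManagementGroupId
                    ApiVersion          = "2023-04-01"
                }
                if (-Not (Confirm-ValueIsNullOrEmpty($varPolicyDefinitionGroups))) {
                    $varPolicySetParams['GroupDefinition'] = $varPolicyDefinitionGroups
                }
                $varResult = New-AzPolicySetDefinition @varPolicySetParams

                if ($null -eq $varResult) {
                    # Treated as a failure so the retry logic below applies.
                    throw "New-AzPolicySetDefinition returned no result for $($varPolicySetDefinitionFile.Name)"
                }
                Write-Output $varResult
                $varRetry = $false
            }
            catch {
                $varLoopCounter++
                if ($varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) {
                    # Report why the attempt failed; the final message refers to "the above error",
                    # which was never printed before.
                    Write-Warning ">>> Attempt $varLoopCounter failed for $($varPolicySetDefinitionFile.Name): $($_.Exception.Message)"
                    Write-Information ">>> Retrying policy deployment after waiting for $varRetryWaitTimeTransientErrorRetry secs" -InformationAction Continue
                    Start-Sleep -Seconds $varRetryWaitTimeTransientErrorRetry
                }
                else {
                    $varRetry = $false
                    # -ErrorAction Stop turns this into a terminating error, ending the whole script.
                    Write-Error ">>> Error occurred in install policy sets from file $($varPolicySetDefinitionFile.FullName): $($_.Exception.Message). Please try after addressing the above error." -ErrorAction Stop
                }
            }
        }
    }
}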
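<#
.Description
Confirm the value is null or empty. Besides $null, empty/blank strings and empty arrays, the
JSON literals "null", "[]" and "{}" count as empty, because callers pass the output of
ConvertTo-Json, which renders a missing property ($null input) as the literal null.
.PARAMETER parValue
The value to inspect; usually a JSON string, but arrays and $null are handled as well.
.OUTPUTS
$true when the value carries no content, otherwise $false.
#>
function Confirm-ValueIsNullOrEmpty {
    param($parValue)
    if (($null -eq $parValue) -or [string]::IsNullOrWhiteSpace($parValue)) {
        return $true
    }
    if ($parValue -is [array]) {
        return ($parValue.Length -eq 0)
    }
    # Empty JSON containers and the JSON null literal carry nothing to deploy.
    return (([string]$parValue).Trim() -in @('null', '[]', '{}'))
}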
# Entry point: deploy every policy set JSON in the chosen folder to the chosen management group.
New-InstallPolicySets -parFolderPath $parFolderPath -parManagementGroupId $parManagementGroupId