Github Actions

The starter kit contains a sample pipeline to use GitHub Actions to deploy Enterprise Policy as Code. It features a review process and is driven by pull requests and approvals.

We have revised our approach to GitHub Actions simplifying the process and make it easier to understand. The new approach is documented below and is included in the starter kit with v8.5 and later.

The previous version is still available in the starter kit in folder Legacy and the documentation is retained at the end of this page.

Setup in GitHub

Create GitHub Deployment Environments

You will need one GitHub deployment environment for the epac-dev workflow and three environments each for your epac-prod or tenant workflows. This documentation assumes the include starter kit pipelines.

Environment	Purpose	App Registration (SPN)
EPAC-DEV	Plan and deploy to `epac-dev`	ci-cd-epac-dev-owner
TENANT-PLAN	Build deployment plan for `tenant`	ci-cd-root-policy-reader
TENANT-DEPLOY-POLICY	Deploy Policy resources for `tenant`	ci-cd-root-policy-contributor
TENANT-DEPLOY-ROLES	Deploy Roles for `tenant`	ci-cd-root-user-assignments

For each environment, add to the environment secrets for the tenant id, client id and client secret for the SPN. The secrets must be named TENANT_ID, CLIENT_ID and CLIENT_SECRET respectively.

Hardening each Environment

Global setting for the repo: protect the main branch with branch protection rules.
Configure required reviewers for TENANT-DEPLOY-POLICY and TENANT-DEPLOY-ROLES environments.
Restrict branch to main branch for TENANT-DEPLOY-POLICY and TENANT-DEPLOY-ROLES environments.
Do not allow administrators to bypass configured protection rules for TENANT-DEPLOY-POLICY and TENANT-DEPLOY-ROLES environments.

Legacy GitHub CI/CD Workflows

This section is retained from the previous documentation to enable you to continue using the previous approach. It is recommended that you migrate to the new approach as soon as possible.

Action Flow -- Legacy

Changes are made to files in the Definitions folder (e.g. new policy definition/assignment, removing files) and pushed to GitHub
The Build Deployment Plan action is triggered. This runs the Build-DeploymentPlans function against the environment specified in the pacEnvironment variable in global-settings.jsonc
If there are changes detected the plan is committed to a new branch and a pull request is created. A label of PolicyDeployment is attached and a reviewer is added.
At this stage you can browse the plan created by the action before approving. It is important to not merge this branch as it will remove the .gitignore file from the base branch and will cause the Output folder to be permanently committed to the project.
If the changes are ready to be deployed - the pull request must be approved.
The approval action will start the Deploy Policy Plan and Roles workflow.
The policy plan will be deployed using Deploy-RolesPlan. When this is complete one of two things can happen.
- If there are no role changes to be processed the PR is closed (not merged) and the branch containing the plan is deleted. (End of process)
- If there are role changes a label of RoleDeployment is added - and the reviewer is removed and re-added. This triggers another review on the pipeline which must be approved before role changes are deployed.
For role changes when the PR is approved again the same action runs - this time using the Deploy-RolesPlan for deployment.
When complete the PR is closed and the branch containing the plan is deleted.

Setup in GitHub -- Legacy

There are some steps to be performed in GitHub to ensure the action runs correctly.

Create two labels in the project called PolicyDeployment and RoleDeployment. Instructions to create new labels are here.
Create secrets representing an SPN in GitHub for the repository as below - these are used to authenticate to Azure

Secret Name Value

CLIENT_ID Application ID for SPN

CLIENT_SECRET Client secret

TENANT_ID Azure AD Tenant

SUBSCRIPTION_ID Any subscription ID. Used to login but not in the process

In the .github\workflows\build.yaml and .github\workflows\deploy.yaml file updated the env: section as below.

Environment Variable Name	Value	Notes
REVIEWER	Add a GitHub user to review the PR
definitionsRootFolder	The folder containing `global-settings.jsonc` and definitions
pacEnvironment	The policy as code environment specified in `global-settings.jsonc`
planFolder	A folder that plans will be saved to and deployed from	Must be the same folder in `deploy.yaml`

In the .github\workflows\build.yaml and .github\workflows\deploy.yaml file updated the trigger's path setting to ensure it is triggered when a file change is made.

Skipping a Workflow Run -- Legacy

To skip the workflow run add a file called NO_ACTIONS in the definitions folder. An action will be started on push however the build will not occur.

Generating Build Results Only -- Legacy

If you want to run just the Build-DeploymentPlans but not save the output - add a file called NO_DEPLOY. This will run the build step and then cancel the action. You can review the summary output by checking the logs in the cancelled action.

Secret Name	Value
CLIENT_ID	Application ID for SPN
CLIENT_SECRET	Client secret
TENANT_ID	Azure AD Tenant
SUBSCRIPTION_ID	Any subscription ID. Used to login but not in the process