Manage your policy definitions and assignments as code, control the lifecycle of modifying those definitions, and automate the validation of compliance results with an Azure Policy as Code workflow.
GitHub is a great place to store policy definitions and assignments. You can trigger a compliance scan from the GitHub activity by pushing policy objects modified in GitHub to Azure.
Exporting Azure policies
Sign in to GitHub.
Once you have signed in, you can see all of your repositories.
For demonstration purposes, let's choose two policies.
You can export both definitions and assignments, or only one of them.
Then choose Export.
When you browse to your repository, you will see the exported files.
The policy files state that they were exported from Azure Policy.
Open a JSON file and press "." while the file is open: you get a web-based Visual Studio Code editor right there in the browser.
Below you can see the editing being done inside GitHub.
You will find the workflow file under Workflows. The GitHub workflow file is created each time export is used. Each instance of the file is specific to the options during that export action.
This workflow file uses the Manage Azure Policy action to push changes made to the exported policy objects in the GitHub repository back to Azure Policy. By default, the action considers and syncs only those files that are different from the ones existing in Azure. You can also use the assignments parameter in the action to only sync changes done to specific assignment files. This parameter can be used to apply policy assignments only for a specific environment. For more information, see the Manage Azure Policy repository readme.
By default, the workflow must be triggered manually. To do so, use the Actions tab in GitHub, select the manage-azure-policy-<randomLetters> workflow, select Run workflow, and then Run workflow again.
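As an added example (not the workflow file that the export generates), this is a trimmed-down workflow of the kind described above: manually triggered, running on the self-hosted runner, signing in with the runner VM's system-assigned managed identity through azure/login, and syncing only assignment files that match an environment pattern. The assignment file pattern, the policies/ path, and the repository variable names are assumptions.

```yaml
# Added example of a manually triggered Manage Azure Policy workflow.
# Assumptions (not from the exported file): the job runs on a self-hosted
# runner, signs in with the runner VM's system-assigned managed identity via
# azure/login v2, exported objects live under policies/, and production
# assignment files follow the constructed pattern assign.*_prod_*.json.
name: manage-azure-policy-example

on:
  workflow_dispatch:          # manual trigger, as the exported workflow is by default

permissions:
  contents: read              # the job only needs to read the repository

jobs:
  apply-azure-policy:
    runs-on: self-hosted      # the Azure VM described in the self-hosted runner section

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Login with the VM's system-assigned managed identity; no client secret
      # has to be stored in GitHub. Tenant and subscription come from repository variables.
      - name: Login to Azure
        uses: azure/login@v2
        with:
          auth-type: IDENTITY
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      # paths: every exported policy object under policies/ is considered.
      # assignments: only assignment files matching the pattern are synced,
      # so this run touches the prod environment only.
      # mode: incremental (the default) pushes only files that differ from Azure.
      - name: Create or update Azure Policy definitions and assignments
        uses: azure/manage-azure-policy@v0
        with:
          paths: |
            policies/**
          assignments: |
            assign.*_prod_*.json
          mode: incremental
```

Because the managed identity is what the action authenticates with, the Azure RBAC role granted to that identity (for example Resource Policy Contributor on the target scope) bounds what the workflow can change.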
GitHub self-hosted runner
In this setup, the self-hosted runner is an Azure VM to which you assign a system-assigned managed identity and on which you run the GitHub runner application.
A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 30 days.
The runner application is supported on the following operating systems:
- Red Hat Enterprise Linux 7 or later
- CentOS 7 or later
- Oracle Linux 7
- Fedora 29 or later
- Debian 9 or later
- Ubuntu 16.04 or later
- Linux Mint 18 or later
- openSUSE 15 or later
- SUSE Enterprise Linux (SLES) 12 SP2 or later
- Windows 7 64-bit
- Windows 8.1 64-bit
- Windows 10 64-bit
- Windows Server 2012 R2 64-bit
- Windows Server 2016 64-bit
- Windows Server 2019 64-bit
- macOS 10.13 (High Sierra) or later
What does it do?
The self-hosted runner checks GitHub for application updates and to see if there are any jobs waiting to be processed. The self-hosted runner uses an HTTPS long poll that opens a connection to GitHub for 50 seconds, then times out and begins a new long poll if no answer is received. To accept and run GitHub Actions jobs, the application must be running on the system.
You don't need to allow inbound connections from GitHub to your self-hosted runner, because the runner itself opens the outbound connection to GitHub.