Export Azure policy compliance report

Dileep Veldi
4 min read · Aug 31, 2022

As a Cloud Security Administrator, you might need to govern your cloud subscription to make sure all resources are compliant with your organization's security standards and policies. One of your action items might be to start assigning built-in or custom Azure policies on your Azure subscription.

Next, you need to generate a report from the policy assignment listing all non-compliant resources, so that the necessary remediation can be done.

So are you looking to automate “exporting Azure policy compliance report” with all non-compliant resources on a scheduled basis? Or are you planning to share this report with all cloud users so they can identify and fix their resources?

Then you are at the right place!!! This tutorial explains “how to export Azure policy compliance report?” using an Azure PowerShell script, with an automated workflow leveraging Azure Pipelines, a Storage Account and Logic Apps to run the script and post the report to a Microsoft Teams channel.

Prerequisites:
To complete this tutorial, you need the following:
1) Azure AD registered application with client secret (service principal)
2) Azure Storage Account and Logic App (with managed identity enabled)
3) Azure “Resource Policy Contributor” or “Security Admin” role
4) Microsoft Teams channel email and your team DL email
5) Azure build pipeline with Azure PowerShell and Azure File Copy tasks

Steps:
1) Create a service connection using the service principal (prerequisite 1) and grant your pipeline access to it

2) Create a storage account and grant the above service principal the “Storage Blob Data Contributor” and “Storage Account Contributor” roles on it

4) Create a pipeline with variables named ‘AzureDevOps.AzPolicyAssignmentName’ (with your AzPolicyAssignmentID as the value) and ‘AzureDevOps.AzSubscriptionID’ (with your Azure Subscription ID as the value)

5) Add an Azure PowerShell task to generate the report

and add this script as an inline script:

# Set array
$azPolicy = @()

# Get Subscription.
# If you want to run through all subscriptions that you have access to,
# then don't pass a subscription ID, as in the commented line below
# $azSubs = Get-AzSubscription
# $(AzureDevOps.AzSubscriptionID) is the pipeline variable created in step 4
$azSubs = Get-AzSubscription -SubscriptionId $(AzureDevOps.AzSubscriptionID)

# Loop through all Azure Subscriptions
foreach ($azSub in $azSubs) {
    Set-AzContext -Subscription $azSub.Id | Out-Null
    # Only the non-compliant policy states for the assignment created in step 4
    $nonCompliantResources = Get-AzPolicyState -PolicyAssignmentName $(AzureDevOps.AzPolicyAssignmentName) -Filter "ComplianceState eq 'NonCompliant'"
    $nonCompliantResources |
        Select-Object ResourceGroup, @{N='ResourceName'; E={ $_.ResourceId.Split('/')[-1] }}, ResourceType, ComplianceState, ResourceLocation |
        Export-Csv .\$(AzureDevOps.AzSubscriptionID).csv -NoTypeInformation
}
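The inline script above stops at the first subscription that cannot be queried and does not say which policy definition inside the assignment flagged a resource. The function below is an added example, not the article's own script: it produces the same per-subscription CSV but isolates failures per subscription, adds the PolicyDefinitionName and evaluation timestamp that Get-AzPolicyState already returns, and emits a summary object per subscription that the pipeline log can show. It needs Az.Accounts and Az.PolicyInsights and the signed-in context the Azure PowerShell task provides; the assignment name and output directory are placeholder values supplied by the caller.

```powershell
# Added example, not the article's own script: report generation as a function that
# keeps going when a subscription cannot be queried and records which policy definition
# flagged each resource. Needs Az.Accounts and Az.PolicyInsights and a signed-in context
# (the Azure PowerShell task provides one). Parameter values are placeholders.
function Export-PolicyComplianceReport {
    param(
        [Parameter(Mandatory)] [string] $AssignmentName,   # policy assignment name (a GUID for portal-created assignments)
        [string[]] $SubscriptionId,                        # omit to cover every subscription you can read
        [string] $OutputDirectory = '.'
    )

    $subs = if ($SubscriptionId) {
        $SubscriptionId | ForEach-Object { Get-AzSubscription -SubscriptionId $_ }
    } else {
        Get-AzSubscription
    }

    foreach ($sub in $subs) {
        try {
            Set-AzContext -Subscription $sub.Id | Out-Null
            # @() turns "no results" into an empty array rather than $null
            $states = @(Get-AzPolicyState -PolicyAssignmentName $AssignmentName `
                          -Filter "ComplianceState eq 'NonCompliant'")
            $rows = $states | Select-Object `
                @{N = 'SubscriptionName'; E = { $sub.Name }},
                ResourceGroup,
                @{N = 'ResourceName'; E = { $_.ResourceId.Split('/')[-1] }},
                ResourceType, ResourceLocation, ComplianceState,
                PolicyDefinitionName,
                @{N = 'EvaluatedOn'; E = { $_.Timestamp.ToString('u') }}
            $path = $null
            if ($states.Count -gt 0) {
                $path = Join-Path $OutputDirectory "$($sub.Id).csv"
                $rows | Export-Csv -Path $path -NoTypeInformation
            }
            # One summary object per subscription; the pipeline log shows the table.
            [pscustomobject]@{
                Subscription = $sub.Name; NonCompliant = $states.Count; Report = $path; Error = $null
            }
        } catch {
            # A failed subscription is reported in the summary, not fatal for the whole run.
            [pscustomobject]@{
                Subscription = $sub.Name; NonCompliant = $null; Report = $null; Error = $_.Exception.Message
            }
        }
    }
}

# Usage in the pipeline task. The $(...) macros are expanded textually by Azure Pipelines
# before the script runs, exactly as in the article's own inline script.
Export-PolicyComplianceReport -AssignmentName '$(AzureDevOps.AzPolicyAssignmentName)' `
    -SubscriptionId '$(AzureDevOps.AzSubscriptionID)' | Format-Table -AutoSize
```

Drop the -SubscriptionId argument to report on every subscription the service principal can read; a subscription where the assignment does not exist simply yields a zero count rather than an error.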

6) If your storage account's network access is restricted to selected virtual networks and IP addresses, you need to add your pipeline agent's IP address to the allowed list.

Don’t worry, this can also be done through this pipeline by adding another Azure PowerShell task (to allow the pipeline agent's IP on the storage account).

Add this inline script:

# Look up the agent's public IP over HTTPS, so the address written into the firewall rule cannot be altered in transit
$IP = Invoke-RestMethod https://ipinfo.io/json | Select-Object -ExpandProperty ip
Add-AzStorageAccountNetworkRule -ResourceGroupName "<storage account resource group name>" -AccountName "<storage Account Name>" -IPAddressOrRange "$IP"

7) Now copy the report generated in step 5 to the Azure storage container using the “Azure File Copy” task

8) Now add another Azure PowerShell task to remove the build agent's access once the file has been copied to the Blob container

Add this inline script:

# Same lookup as in step 6; the rule is removed for the address that was added
$IP = Invoke-RestMethod https://ipinfo.io/json | Select-Object -ExpandProperty ip
Remove-AzStorageAccountNetworkRule -ResourceGroupName "<storage account resource group name>" -AccountName "<storage Account Name>" -IPAddressOrRange "$IP"
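Steps 6 to 8 run as three separate pipeline tasks, so if the copy task in step 7 fails, the task in step 8 never runs and the firewall exception for the agent's IP stays on the storage account. The function below is an added example, not part of the original article: it performs the allow, upload and remove sequence inside one task with try/finally so the rule is always removed, checks that the value returned by the IP lookup really is a single IPv4 address before it goes into a network rule, and retries the upload while the new rule propagates. It uses Az.Storage cmdlets and the signed-in pipeline context; the resource group, account, container and report path are placeholders, and the usage call reuses the pipeline variable from step 4.

```powershell
# Added example, not the article's script: steps 6 to 8 as one function, so that the
# storage firewall exception for the build agent is removed even when the upload fails.
# Uses Az.Storage cmdlets and the signed-in pipeline context. All names are placeholders.
function Publish-ComplianceReport {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,  # storage account resource group
        [Parameter(Mandatory)] [string] $AccountName,        # storage account name
        [Parameter(Mandatory)] [string] $ContainerName,      # target blob container
        [Parameter(Mandatory)] [string] $ReportPath          # CSV produced by the report task
    )
    $ErrorActionPreference = 'Stop'

    # Resolve the agent's public IP over HTTPS and check that it is a single IPv4
    # address before it is written into a firewall rule. Anything unexpected fails
    # the task instead of becoming an allow rule.
    $ip = (Invoke-RestMethod -Uri 'https://ipinfo.io/json' -TimeoutSec 15).ip
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse([string]$ip, [ref]$parsed) -or
        $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Unexpected public IP value '$ip'; refusing to add a network rule."
    }

    Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName `
        -AccountName $AccountName -IPAddressOrRange $ip | Out-Null
    Write-Host "Temporarily allowed $ip on $AccountName"
    try {
        $ctx = New-AzStorageContext -StorageAccountName $AccountName -UseConnectedAccount
        # A date prefix keeps one report per run instead of overwriting the last one.
        $blobName = '{0:yyyy-MM-dd}/{1}' -f (Get-Date), (Split-Path $ReportPath -Leaf)
        $attempt = 0
        while ($true) {
            try {
                # The new rule can take a few seconds to apply, so retry with backoff.
                Set-AzStorageBlobContent -File $ReportPath -Container $ContainerName `
                    -Blob $blobName -Context $ctx -Force | Out-Null
                break
            } catch {
                if (++$attempt -ge 5) { throw }
                Start-Sleep -Seconds (5 * $attempt)
            }
        }
        Write-Host "Uploaded $ReportPath to $ContainerName/$blobName"
        return $blobName
    } finally {
        # Runs on success and on failure alike: close the exception again.
        Remove-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName `
            -AccountName $AccountName -IPAddressOrRange $ip | Out-Null
        Write-Host "Removed network rule for $ip"
    }
}

# Usage in the pipeline task; $(AzureDevOps.AzSubscriptionID) is the pipeline variable
# from step 4 and is expanded by Azure Pipelines before the script runs.
Publish-ComplianceReport -ResourceGroupName '<storage account resource group name>' `
    -AccountName '<storage account name>' -ContainerName '<container name>' `
    -ReportPath ".\$(AzureDevOps.AzSubscriptionID).csv"
```

Because the upload uses the service principal's own identity (-UseConnectedAccount), the “Storage Blob Data Contributor” role granted in step 2 is what authorizes it; no storage account key is needed in the pipeline.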

9) Now, under the pipeline's triggers section, configure a schedule to generate the report (for example once a week), then “Save and Queue” the pipeline to check for errors. Once the build has completed successfully, you should see the report in your storage account container.

10) Now create an Azure Logic App on the “Consumption” tier (to save cost) and enable its managed identity. Then grant it access to read files from the storage account container.

The following flow triggers when the pipeline adds a report to the storage account container and posts it to the Teams channel / email list that you configure.

Here is the detailed configuration for each step

Save the logic app

11) Now manually trigger your pipeline to see how the complete flow works.
