First release candidate of EntraOps

Cloud-Architekt · Jun 21, 2024 · e6ce5ed · e6ce5ed
1 parent f4a3cea
commit e6ce5ed
Show file tree

Hide file tree

Showing 59 changed files with 10,365 additions and 1 deletion.
diff --git a/.github/actions/Git-Initialize/action.yml b/.github/actions/Git-Initialize/action.yml
@@ -0,0 +1,18 @@
+name: "Git - Initialize"
+
+on:
+  workflow_call:
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Configure GitUser"
+      shell: bash
+      run: |
+        git config --global user.email "EntraOpsGHActions@ghActions.com"
+        git config --global user.name "$GITHUB_ACTOR"
+
+    - name: "Checkout"
+      shell: bash
+      run: |
+        git checkout -b ${{ env.branch }} main
diff --git a/.github/actions/Git-PullRequest/action.yml b/.github/actions/Git-PullRequest/action.yml
@@ -0,0 +1,53 @@
+name: "Git - Commit and Pull Request"
+
+on:
+  workflow_call:
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Configure GitUser"
+      shell: bash
+      run: |
+        git config --global user.email "EntraOpsGHActions@ghActions.com"
+        git config --global user.name "$GITHUB_ACTOR"
+
+    - name: Git - Status for changed files
+      id: status
+      shell: bash
+      run: |
+        STATUS=$(git status --short)
+        echo $STATUS
+        if [ -z "$STATUS" ]
+        then
+          echo "state=stop" >> $GITHUB_OUTPUT
+        else
+          echo "state=continue" >> $GITHUB_OUTPUT
+          fi
+
+    - name: Git - Add file content to index
+      if: steps.status.outputs.state == 'continue'
+      run: |
+        git add "./${{ env.folder }}"
+      shell: bash
+
+    - name: Git - Commit changes to the repository
+      if: steps.status.outputs.state == 'continue'
+      shell: bash
+      run: |
+        git commit -m "${{ env.commit_message }}"
+
+    - name: Git - Push Update remote refs along with associated objects
+      if: steps.status.outputs.state == 'continue'
+      shell: bash
+      run: |
+        git push origin ${{ env.branch }} -f
+
+    - name: Git Merge - Automatically merge the head branch into base
+      if: steps.status.outputs.state == 'continue'
+      shell: bash
+      run: |
+        gh pr create --title "${{ env.pull_request }}" --body "-" --base 'main' --head ${{ env.branch }}
+        gh pr merge "${{ env.branch }}" --squash --delete-branch
+      env:
+        GITHUB_TOKEN: ${{ env.TOKEN }}
diff --git a/.github/actions/Git-Push/action.yml b/.github/actions/Git-Push/action.yml
@@ -0,0 +1,20 @@
+name: "Git - Push"
+
+on:
+  workflow_call:
+
+runs:
+  using: "composite"
+  steps:
+    - name: Push output to repository
+      shell: bash
+      run: |
+        git config --global user.email "EntraOpsGHActions@ghActions.com"
+        git config --global user.name "$GITHUB_ACTOR"      
+        git config pull.rebase false
+        git add --all
+        git add -A
+        git diff-index --quiet HEAD || git commit -m "$GITHUB_WORKFLOW $GITHUB_JOB"
+        git push
+      env:
+        GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
diff --git a/.github/workflows/Pull-EntraOpsPrivilegedEAM.yaml b/.github/workflows/Pull-EntraOpsPrivilegedEAM.yaml
@@ -0,0 +1,63 @@
+name: Pull-EntraOpsPrivilegedEAM
+env:
+  ClientId: YourClientId
+  TenantId: YourTenantId
+  TenantName: YourTenantName
+  ConfigFile: ./EntraOpsConfig.json
+  ApplyAutomatedClassificationUpdate: false
+  ApplyAutomatedControlPlaneScopeUpdate: false
+on:
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+  # Allows you to run this workflow automatically on a schedule
+  schedule:
+    - cron: YourCronSchedule
+permissions:
+  id-token: write
+  contents: write
+jobs:
+  Pull-EntraOpsPrivilegedEAM:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Connect Azure OIDC
+        uses: azure/login@v2
+        with:
+          client-id: ${{env.ClientId}}
+          tenant-id: ${{env.TenantId}}
+          allow-no-subscriptions: true
+          enable-AzPSSession: true
+      - name: Get updated definition files for classification
+        if: env.ApplyAutomatedClassificationUpdate == 'true'
+        uses: azure/powershell@v2
+        with:
+          inlineScript: |
+            Import-Module ./EntraOps
+            Connect-EntraOps -AuthenticationType FederatedCredentials -TenantName ${env:TenantName} -ConfigFile ${env:ConfigFile}
+            $ClassificationUpdateParams = $EntraOpsConfig.AutomatedClassificationUpdate
+            Update-EntraOpsClassificationFiles @ClassificationUpdateParams
+          azPSVersion: latest
+      - name: Get updated scope for definition of Control Plane in Entra ID
+        if: env.ApplyAutomatedControlPlaneScopeUpdate == 'true'
+        uses: azure/powershell@v2
+        with:
+          inlineScript: |
+            Import-Module ./EntraOps
+            Connect-EntraOps -AuthenticationType FederatedCredentials -TenantName ${env:TenantName} -ConfigFile ${env:ConfigFile}
+            $CpUpdateParams = $EntraOpsConfig.AutomatedControlPlaneScopeUpdate
+            Update-EntraOpsClassificationControlPlaneScope @CpUpdateParams
+          azPSVersion: latest
+      - name: Run Save-EntraOpsPrivilegedEAMJson
+        uses: azure/powershell@v2
+        with:
+          inlineScript: |
+            Import-Module ./EntraOps
+            Connect-EntraOps -AuthenticationType FederatedCredentials -TenantName ${env:TenantName} -ConfigFile ${env:ConfigFile}
+            Save-EntraOpsPrivilegedEAMJson -RbacSystems $($EntraOpsConfig.RbacSystems)
+            Disconnect-EntraOps
+          azPSVersion: latest
+      - name: Git - Commit and Push to repository
+        uses: ./.github/actions/Git-Push
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/Push-EntraOpsPrivilegedEAM.yaml b/.github/workflows/Push-EntraOpsPrivilegedEAM.yaml
@@ -0,0 +1,65 @@
+name: Push-EntraOpsPrivilegedEAM
+
+env:
+  ClientId: YourClientId
+  TenantId: YourTenantId
+  TenantName: YourTenantName
+  ConfigFile: ./EntraOpsConfig.json
+  IngestToWatchLists: false
+  IngestToLogAnalytics: false
+
+on:
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+  # Allows to run this workflow automatically after the completion of pull pipeline
+  workflow_run:
+    workflows: [Pull-EntraOpsPrivilegedEAM]
+    types:
+      - completed
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  Push-EntraOpsPrivilegedEAM:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Connect Azure OIDC
+        uses: azure/login@v2
+        with:
+          client-id: ${{env.ClientId}}
+          tenant-id: ${{env.TenantId}}
+          allow-no-subscriptions: true
+          enable-AzPSSession: true
+
+      - name: Upload Data to Log Analytics via Logs ingestion API
+        if: env.IngestToLogAnalytics == 'true'
+        uses: azure/powershell@v2
+        with:
+          inlineScript: |
+            Import-Module ./EntraOps
+            Connect-EntraOps -AuthenticationType FederatedCredentials -TenantName ${env:TenantName} -ConfigFile ${env:ConfigFile}
+            $LogAnalyticsParam = $EntraOpsConfig.LogAnalytics
+            Save-EntraOpsPrivilegedEAMInsightsCustomTable @LogAnalyticsParam
+          azPSVersion: latest
+
+      - name: Upload Data to WatchList
+        if: env.IngestToWatchLists == 'true'
+        uses: azure/powershell@v2
+        with:
+          inlineScript: |
+            Import-Module ./EntraOps
+            Connect-EntraOps -AuthenticationType FederatedCredentials -TenantName ${env:TenantName} -ConfigFile ${env:ConfigFile}
+            $SentinelWatchListsParams = $EntraOpsConfig.SentinelWatchLists
+            Save-EntraOpsPrivilegedEAMWatchLists @SentinelWatchListsParams
+          azPSVersion: "latest"
+      - name: Disconnect EntraOps
+        uses: azure/powershell@v2
+        with:
+          inlineScript: |
+            Import-Module ./EntraOps
+            Disconnect-EntraOps
+          azPSVersion: latest
diff --git a/.github/workflows/Update-EntraOps.yaml b/.github/workflows/Update-EntraOps.yaml
@@ -0,0 +1,42 @@
+name: Update-EntraOps
+env:
+  ClientId: YourClientId
+  TenantId: YourTenantId
+  TenantName: YourTenantName
+  ConfigFile: ./EntraOpsConfig.json
+  ApplyAutomatedEntraOpsUpdate: true
+on:
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+  # Allows you to run this workflow automatically on a schedule
+  schedule:
+    - cron: YourCronSchedule
+permissions:
+  id-token: write
+  contents: write
+jobs:
+  Update-EntraOps:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Connect Azure OIDC
+        uses: azure/login@v2
+        with:
+          client-id: ${{env.ClientId}}
+          tenant-id: ${{env.TenantId}}
+          allow-no-subscriptions: true
+          enable-AzPSSession: true
+      - name: Update EntraOps module and workflows
+        if: env.ApplyAutomatedEntraOpsUpdate == 'true'
+        uses: azure/powershell@v2
+        with:
+          inlineScript: |
+            Import-Module ./EntraOps
+            Update-EntraOps -ConfigFile ${env:ConfigFile} -TargetUpdateFolders @("./EntraOps","./Queries","./Parsers","./Samples","./Workbooks")
+            Disconnect-EntraOps
+          azPSVersion: latest
+      - name: Git - Commit and Push to repository
+        uses: ./.github/actions/Git-Push
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/Classification/Global.json b/Classification/Global.json
@@ -0,0 +1,5 @@
+[
+    {
+    "ExcludedPrincipalId": []
+    }
+]