DEVOPS-63 initial commit automation-to-remove-policies-using-python

Author: githubofkrishnadhas

.github/dependabot.yml

@@ -0,0 +1,31 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: /
+    schedule:
+      interval: "weekly"
+      day: wednesday
+      time: "11:30"
+      timezone: Asia/Kolkata
+    # Assignees to set on pull requests
+    assignees:
+      - "githubofkrishnadhas"
+    # prefix specifies a prefix for all commit messages. When you specify a prefix for commit messages,
+    # GitHub will automatically add a colon between the defined prefix and the commit message provided the
+    # defined prefix ends with a letter, number, closing parenthesis, or closing bracket.
+    commit-message:
+      prefix: "dependabot python package"
+    # Use reviewers to specify individual reviewers or teams of reviewers for all pull requests raised for a package manager.
+    reviewers:
+      - "devwithkrishna/admin"
+    # Raise pull requests for version updates to pip against the `main` branch
+    target-branch: "main"
+    # Labels on pull requests for version updates only
+    labels:
+      - "pip dependencies"
+    # Increase the version requirements for Composer only when required
+    versioning-strategy: increase-if-necessary
+    # Dependabot opens a maximum of five pull requests for version updates. Once there are five open pull requests from Dependabot,
+    # Dependabot will not open any new requests until some of those open requests are merged or closed.
+    # Use open-pull-requests-limit to change this limit.
+    open-pull-requests-limit: 10

.github/workflows/policy_removal_worlflow.yaml

@@ -0,0 +1,38 @@
+name: automation-to-remove-policy-from-azure
+on:
+  workflow_dispatch:
+    inputs:
+      subscription_name:
+        description: 'Azure subscription name'
+        required: true
+        type: string
+        default: 'TECH-CLOUDCOE-NONPROD'
+      policy_name:
+        description: 'Azure policy name - the policy to be removed from above subscription'
+        default: 'tagging policy'
+        type: string
+        required: true
+jobs:
+  automation-to-remove-policy-from-azure:
+    runs-on: ubuntu-latest
+    steps:
+      - name: git checkout
+        uses: actions/checkout@v4
+      - name: set up python 3.10
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
+      - name: package installations
+        run: |
+          pip install pipenv
+          pipenv install
+      - name: execute python program
+        env:
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+        run: |
+          pipenv run python3 remove_azure_policy.py --subscription_name ${{ inputs.subscription_name }} --policy_name ${{ inputs.policy_name }}
+      - name: Completed
+        run: |
+          echo "program completed successfully"

.gitignore

@@ -157,4 +157,5 @@ cython_debug/
 #  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
+.idea/
+*.json

Pipfile

@@ -0,0 +1,18 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+argparse = "=1.4.0"
+pytz = "=2024.1"
+python-dotenv = "=1.0.1"
+azure-mgmt-policyinsights = "=1.0.0"
+azure-identity = "=1.16.0"
+azure-mgmt-resource = "=23.0.1"
+azure-mgmt-resourcegraph = "=8.0.0"
+azure-core = "=1.30.1"
+typing = "*"
+
+[requires]
+python_version = "3"

Pipfile.lock

@@ -1,2 +1,58 @@
 # azure-automation-to-remove-policies-using-python
 automation to remove policy from a subscription by name - especially tagging policies with subscription name and policy name as input
+
+# References
+* https://learn.microsoft.com/en-us/python/api/azure-core/azure.core.exceptions.httpresponseerror?view=azure-python#azure-core-exceptions-httpresponseerror-message :heavy_check_mark:
+* https://learn.microsoft.com/en-us/python/api/azure-mgmt-resource/azure.mgmt.resource.policy.v2022_06_01.operations.policyassignmentsoperations?view=azure-python#azure-mgmt-resource-policy-v2022-06-01-operations-policyassignmentsoperations-delete :heavy_check_mark:
+* https://learn.microsoft.com/en-us/python/api/azure-mgmt-policyinsights/azure.mgmt.policyinsights.operations.operations?view=azure-python :heavy_check_mark:
+* https://learn.microsoft.com/en-us/python/api/azure-mgmt-resource/azure.mgmt.resource.policy.v2022_06_01.policyclient?view=azure-python :heavy_check_mark: 
+
+# What is azure policy
+
+```
+Azure Policy helps to enforce organizational standards and to assess compliance at-scale. 
+Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment,
+with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.
+```
+Read more here: [Azure Governance - Policy](https://learn.microsoft.com/en-us/azure/governance/policy/overview)
+
+# What the code does
+
+```
+As the name suggests, this is an automation to remove policy from a subscription by name especially tagging policies with subscription name and policy name as input
+```
+
+# Athentication 
+
+```markdown
+AZURE_CLIENT_ID= "xxxxxxxxxxx"
+AZURE_CLIENT_SECRET = "xxxxxxxxxxx"
+AZURE_SUBSCRIPTION_ID = "xxxxxxxxxxx"
+AZURE_TENANT_ID = "xxxxxxxxxxx"
+```
+* Replace ` "xxxxxxxxxxx" ` with proper values
+
+**Rest is taken care by `DefaultAzureCredential` from `azure-identity` module** 
+
+# How code works
+
+| file name | funtions |
+|-----------|----------|
+| azure_resource_graph_query.py | this file takes an argument, your subscription name and returns subscription id |
+| remove_azure_policy.py | this is the main py file. takes subscription id and policy name as inputs and removes policy if present |
+
+
+How to run the program manually from cmd line:
+
+`python3 remove_azure_policy.py --subscription_name "<Subscription name>" --policy_name "<Policy name>"`
+
+- replace the subscription name and policy names and provide correct values.
+
+# parameters 
+
+`Python-dotenv reads key-value pairs from a .env file and can set them as environment variables`
+
+| input name      | type | description                                                 | required |
+|-----------------|------|-------------------------------------------------------------|----------|
+| subscription_name  | string | Azure subscription name. Default - `TECH-ARCHITECTS-NONPROD` | :heavy_check_mark: |
+| policy_name    | string | Azure policy to be removed.  | :heavy_check_mark: |

README.md

@@ -0,0 +1,48 @@
+from azure.identity import DefaultAzureCredential
+import azure.mgmt.resourcegraph as arg
+import logging
+import os
+from dotenv import load_dotenv
+
+def run_azure_rg_query(subscription_name: str):
+    """
+    Run a resource graph query to get the subscription id of a subscription back
+    :return: subscription_id str
+    """
+    credential = DefaultAzureCredential()
+    # Create Azure Resource Graph client and set options
+    arg_client = arg.ResourceGraphClient(credential)
+
+    query = f"""
+             resourcecontainers 
+             | where type == 'microsoft.resources/subscriptions' and name == '{subscription_name}' 
+             | project subscriptionId 
+            """
+
+    print(f"query is {query}")
+
+    # Create query
+    arg_query = arg.models.QueryRequest( query=query)
+
+    # Run query
+    arg_result = arg_client.resources(arg_query)
+
+    # Show Python object
+    # print(arg_result)
+    subscription_id = arg_result.data[0]['subscriptionId']
+    # print(f"Subscription ID is : {subscription_id}")
+    return subscription_id
+
+def main():
+    """
+    To test the script
+    :return:
+    """
+    load_dotenv()
+    logging.info("ARG query being prepared......")
+    run_azure_rg_query(subscription_name="TECH-ARCHITECTS-NONPROD")
+    logging.info("ARG query Completed......")
+
+
+if __name__ == "__main__":
+    main()

azure_resource_graph_query.py

@@ -0,0 +1,105 @@
+import argparse
+import os
+import json
+from dotenv import load_dotenv
+from azure.identity import DefaultAzureCredential
+from azure.mgmt.policyinsights import PolicyInsightsClient
+from azure.core.exceptions import HttpResponseError
+from azure.mgmt.resource import PolicyClient
+from typing import List, Dict, Any
+from azure_resource_graph_query import run_azure_rg_query
+
+
+def list_azure_policy_in_a_subscription_scope(subscription_id:str):
+    """
+    subscription name --> scope
+    :return:
+    """
+    try:
+        credential = DefaultAzureCredential()
+        policy_insights_client = PolicyInsightsClient(credential, subscription_id={subscription_id})
+        policy_assignments = policy_insights_client.policy_states.list_query_results_for_subscription(policy_states_resource='latest',subscription_id=subscription_id)
+        policy_assignments_list = []
+        for assignment in policy_assignments:
+            print(f"Policy Assignment ID: {assignment.policy_assignment_id}")
+            print(f"Policy Assignment Name: {assignment.policy_assignment_name}")
+            print(f"Policy Assignment Scope: {assignment.policy_assignment_scope}")
+            print(f"Policy Definition ID: {assignment.policy_definition_id}")
+            print(f"Policy Definition Name: {assignment.policy_definition_name}")
+            print(f"Policy Assignment Created On: {assignment.timestamp.strftime('%Y-%m-%d %H:%M:%S')}")
+            print("------------------------------")
+            assignment_dict = {
+                "policy_assignment_id": assignment.policy_assignment_id,
+                "policy_assignment_name": assignment.policy_assignment_name,
+                "policy_assignment_scope": assignment.policy_assignment_scope,
+                "policy_definition_id": assignment.policy_definition_id,
+                "policy_definition_name": assignment.policy_definition_name,
+                "policy_assignment_created_on": assignment.timestamp.strftime('%Y-%m-%d %H:%M:%S')
+            }
+            policy_assignments_list.append(assignment_dict)
+            file_name = f'azure_policy_assignment_{subscription_id}.json'
+            print(file_name)
+            # Assuming policy_assignments_list is the list of dictionaries
+            with open(file_name, 'w') as json_file:
+                json.dump(policy_assignments_list, json_file, indent=4)
+            print(f"Policy assignments successfully retrieved and saved to {file_name} .")
+
+        return policy_assignments_list
+    except HttpResponseError as ex:
+        print(f"Failed to retrieve policy assignments. Error message: {ex.message}")
+
+    except Exception as ex:
+        print(f"An error occurred: {ex}")
+
+def validation_of_policy_name(policy_name: str,policy_assignments_list: list[dict[str, Any]]):
+    """
+    This function is used to validate the provided policy is there in current subscription scoped aassignment
+    :param policy_name:
+    :return:
+    """
+    for policy_assignment in policy_assignments_list:
+        if policy_name in policy_assignment['policy_assignment_name']:
+            print(f"Policy '{policy_name}' found in assignments")
+            return policy_name, policy_assignment['policy_assignment_scope']
+    raise Exception(f"Policy '{policy_name}' not found in assignments")
+
+
+def remove_azure_policy_from_subscription(credential,subscription_id: str, policy_name: str, scope:str):
+    """
+    Remove the policy specified from the subscription level
+    :param subscription_id:
+    :param policy_name:
+    :return:
+    """
+    try:
+        policy_client = PolicyClient(credential, subscription_id)
+        policy_client.policy_assignments.delete(scope=scope, policy_assignment_name=policy_name)
+        print(f"Policy '{policy_name}' removed from '{scope}' successfully.")
+    except HttpResponseError as ex:
+        print(f"Failed to delete policy assignment: {ex}")
+
+def main():
+    """ To test the code"""
+    parser = argparse.ArgumentParser("Remove azure policies")
+    parser.add_argument("--subscription_name", help="subscription name in azure", required=True, type=str)
+    parser.add_argument("--policy_name", help="policy name in azure", required=True, type=str)
+
+    args = parser.parse_args()
+    subscription_name = args.subscription_name
+    policy_name = args.policy_name
+    print(f"Process to remove azure policy - {policy_name} begining......")
+    load_dotenv()
+    credential = DefaultAzureCredential()
+    subscription_id = run_azure_rg_query(subscription_name=subscription_name)
+    print(f'Subscription id of {subscription_name} is : {subscription_id}')
+    os.environ['subscription_id'] = subscription_id
+    policy_assignments_list = list_azure_policy_in_a_subscription_scope(subscription_id=subscription_id)
+    policy_name, policy_assignment_scope = validation_of_policy_name(policy_name=policy_name, policy_assignments_list=policy_assignments_list)
+    if policy_name is not None:
+        print(f'Removing policy {policy_name} on the scope {policy_assignment_scope}')
+        remove_azure_policy_from_subscription(credential=credential,subscription_id=subscription_id, policy_name=policy_name, scope=policy_assignment_scope)
+
+
+
+if __name__ == "__main__":
+    main()