
Export Azure Policy assignments and linked definitions to a file #1266

Closed
ArmaanMcleod opened this issue Feb 17, 2022 · 8 comments · Fixed by #1337
Labels: enhancement (New feature or request)

Comments

ArmaanMcleod (Contributor) commented Feb 17, 2022

Related to #181, we should provide a way to export Azure Policy assignments and linked definitions to a file.

Default to subscription scope, and exclude definitions that are not assigned.

@ArmaanMcleod ArmaanMcleod added the enhancement New feature or request label Feb 17, 2022
@ArmaanMcleod ArmaanMcleod self-assigned this Feb 17, 2022
ArmaanMcleod (Contributor, Author) commented Feb 19, 2022

@BernieWhite

Do you think these are appropriate Cmdlet parameters:

function Export-AzPolicyAssignmentData {
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $False)]
        [String]$Name,

        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
        [String]$AssignmentFile,

        [Parameter(Mandatory = $False)]
        [String]$Scope,

        [Parameter(Mandatory = $False)]
        [String]$OutputPath = $PWD,

        [Parameter(Mandatory = $False)]
        [Switch]$PassThru = $False
    )
}

Where Scope would be defaulted to the current /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx scope.

Might be worth bringing in an Id parameter as well in another parameter set.

BernieWhite (Collaborator) commented Feb 20, 2022

@ArmaanMcleod I'm not super clear on how the additional parameters would be used. Scope I get, which is currently how Get-AzPolicyAssignment works.

Also, how does AssignmentFile work? Is it for input or output?

Originally, I thought that we would point to a scope and enumerate all assignments at that scope or higher, then find all the policy/initiative definitions for those assignments. But if we have a different line of thinking then that is fine.

ArmaanMcleod (Contributor, Author) commented Feb 20, 2022

@BernieWhite Yeah, that was my thinking as well; I was trying to line up this cmdlet with Get-AzPolicyAssignment as much as possible. I will just stick with similar parameters to that cmdlet to keep this simple.

I'll review the other parameters as I'm doing this to see if they need to be added. AssignmentFile is probably not needed since I don't think we need to export assignment data from input. Export-AzPolicyAssignmentData would probably just export in-flight data from policy assignments, similar to Export-AzRuleData.

I think two parameter sets like this would be useful:

Export-AzPolicyAssignmentData -Name <string> [-Scope <string>] [-OutputPath <string>] [-PassThru] [<CommonParameters>]

Export-AzPolicyAssignmentData -Id <string> [-OutputPath <string>] [-PassThru] [<CommonParameters>]

Gives the ability to pass in name & scope together (subscription default scope if not supplied), or a fully qualified resource ID.

BernieWhite (Collaborator) commented

@ArmaanMcleod Ok sounds good. A tweak to that would be to make the Name parameter optional.

ArmaanMcleod (Contributor, Author) commented Feb 21, 2022

@BernieWhite Thanks, will add that in 👍.

Also wondering how we should handle contexts for this cmdlet. Should it just run from the default context, or should we give the ability to set contexts with -Subscription and -Tenant parameters, similar to Export-AzRuleData?

Export-AzPolicyAssignmentData [-Name <string>] [-Scope <string>] [-Subscription <string>] [-Tenant <string>] [-OutputPath <string>] [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]

Export-AzPolicyAssignmentData -Id <string> [-Subscription <string>] [-Tenant <string>] [-OutputPath <string>] [-PassThru] [-WhatIf] [-Confirm] [<CommonParameters>]

Might be easier just to expect these parameters to be provided.

BernieWhite (Collaborator) commented

@ArmaanMcleod It is a good point.

Using one of no parameter, -Scope or -Id is going to tell us at a minimum the subscription and management groups, unless the scope is higher at an MG, which again will fill this blank.

I think adding -tenant is a good idea. We can't really work that out easily.

If -subscription is an array then it might be helpful for bulk exports, but maybe let's not over-complicate in the first iteration; we can always add it later.

ArmaanMcleod (Contributor, Author) commented Feb 26, 2022

@BernieWhite Should this cmdlet enforce a naming standard on output files? Like *.assignment.json?

I assume this will be needed for #1278 to visit the exported assignment files.

BernieWhite (Collaborator) commented

@ArmaanMcleod Fine with that. It might make finding these files slightly faster.
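As an added illustration of the design agreed in this thread (two parameter sets, Name optional, scope defaulting to the current subscription, only assigned definitions exported, and the `*.assignment.json` file naming), here is a sketch written for this page; it is not the cmdlet PSRule for Azure shipped in #1337. It assumes the Az.Accounts and Az.Resources modules are loaded and that Get-AzPolicyAssignment objects expose `.Properties.PolicyDefinitionId`, the shape current when this issue was filed.

```powershell
# Added sketch, not PSRule's code. Assumes Az.Accounts and Az.Resources are loaded
# and that Get-AzPolicyAssignment exposes .Properties.PolicyDefinitionId.
function Export-AzPolicyAssignmentData {
    [CmdletBinding(SupportsShouldProcess = $True, DefaultParameterSetName = 'Default')]
    param (
        [Parameter(ParameterSetName = 'Default', Position = 0)]
        [String]$Name,

        [Parameter(ParameterSetName = 'Default')]
        [String]$Scope,

        [Parameter(ParameterSetName = 'Id', Mandatory = $True)]
        [String]$Id,

        [String]$OutputPath = $PWD,

        [Switch]$PassThru
    )

    process {
        $subscriptionId = (Get-AzContext).Subscription.Id;
        if ($PSCmdlet.ParameterSetName -eq 'Id') {
            $assignments = @(Get-AzPolicyAssignment -Id $Id);
        }
        else {
            # No -Scope given: default to the subscription of the current Az context.
            if (-not $Scope) { $Scope = "/subscriptions/$subscriptionId"; }
            $params = @{ Scope = $Scope };
            if ($Name) { $params['Name'] = $Name; }
            $assignments = @(Get-AzPolicyAssignment @params);
        }

        # Export only definitions that are actually assigned, de-duplicated by Id.
        $definitionIds = @($assignments | ForEach-Object { $_.Properties.PolicyDefinitionId } | Sort-Object -Unique);
        $definitions = @(foreach ($definitionId in $definitionIds) {
            if ($definitionId -like '*/policySetDefinitions/*') { Get-AzPolicySetDefinition -Id $definitionId }
            else { Get-AzPolicyDefinition -Id $definitionId }
        });

        # File name follows the *.assignment.json convention so later tooling can find it.
        $file = Join-Path -Path $OutputPath -ChildPath "$subscriptionId.assignment.json";
        $data = [PSCustomObject]@{ assignments = $assignments; definitions = $definitions };
        if ($PSCmdlet.ShouldProcess($file, 'Export policy assignment data')) {
            $data | ConvertTo-Json -Depth 100 | Set-Content -Path $file -Encoding UTF8;
            if ($PassThru) { $data } else { Get-Item -Path $file }
        }
    }
}
```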
