The 100 Foot View in a 5 min read

“Azure Policy helps you manage and prevent IT issues with policy definitions that enforce rules and effects for your resources.” Azure Policy evaluates resources and actions in Azure by comparing the properties of those resources to organizational business rules or guard rails. These guard rails are written as policy definitions in JSON; the policy rule inside a definition is the logic the evaluation uses to decide whether a resource is compliant. A rule can use functions, parameters, logical operators, conditions, and property aliases to match exactly the scenario you want, and it determines which resources within the scope of an assignment are evaluated.

Once a resource has been evaluated, one of several outcomes follows. Each policy definition carries a single effect in its policy rule, and that effect determines what happens when the rule matches. Effects behave differently depending on whether they apply to a new resource, an updated resource, or an existing resource.

The outcomes available are:

  • Deny the resource change (deny)
  • Log the change to the resource (audit, auditIfNotExists)
  • Alter the resource before the change (append, modify)
  • Alter the resource after the change
  • Deploy related compliant resources (deployIfNotExists)
  • Block actions on resources (denyAction)

The full list of effects is:

  • addToNetworkGroup (Azure Virtual Network Manager resources only)
  • append
  • audit
  • auditIfNotExists
  • deny
  • denyAction
  • deployIfNotExists
  • disabled
  • manual
  • modify
  • mutate (Kubernetes resources only)

Note: Azure Policy’s first evaluation is of requests to create or update a resource. Existing resources are evaluated afterwards by the compliance scan, which runs when an assignment is created and then on a recurring schedule.

The sequence of policy rule evaluation is as follows:

First, ‘Disabled’ is checked to ascertain whether the policy rule warrants evaluation at all.
Next, ‘Append’ and ‘Modify’ are assessed. As both can change the request, a modification may prevent an ‘Audit’ or ‘Deny’ effect from triggering. These effects are only available in Resource Manager modes.
‘Deny’ is then considered. Evaluating ‘Deny’ before ‘Audit’ avoids double logging of an unwanted resource.
‘Audit’ is evaluated next.
‘Manual’ is evaluated thereafter.
‘AuditIfNotExists’ is then reviewed.
Finally, ‘DenyAction’ is evaluated as the last step.

Once the resource provider has returned a success code for a Resource Manager-mode request, ‘AuditIfNotExists’ and ‘DeployIfNotExists’ are evaluated to determine whether additional compliance logging or a remediation deployment is required.

Azure Policy definitions and assignments can be created and managed with:

  • Azure portal
  • PowerShell (the Az.Resources module)
  • ARMClient
  • Azure CLI
  • Terraform
  • Azure Resource Manager templates and the REST API

The following example walks through a sample tagging exercise via Azure Policy. The policy adds a given tag and value to any resource that is created or updated without that tag (only resource types that support tags and location, because the mode is Indexed). Existing resources are not touched until a remediation task is run against the assignment.

Note: Creating policy definitions and assignments requires write access to Microsoft.Authorization/policyDefinitions and Microsoft.Authorization/policyAssignments, which the built-in Resource Policy Contributor role (or Owner) grants. The Contributor role does not: its NotActions exclude Microsoft.Authorization/*/Write. An assignment with a modify or deployIfNotExists effect additionally needs a managed identity that is granted the roles listed in roleDefinitionIds, so whoever creates that assignment also needs the right to create role assignments (Owner or User Access Administrator).

Sample Policy JSON:

  {
    "properties": {
      "displayName": "Add a tag to resources",
      "policyType": "Custom",
      "mode": "Indexed",
      "description": "Adds the specified tag and value when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Does not modify tags on resource groups.",
      "metadata": {
        "version": "1.0.0",
        "category": "Tags"
      },
      "version": "1.0.0",
      "parameters": {
        "tagName": {
          "type": "String",
          "metadata": {
            "displayName": "Tag Name",
            "description": "Name of the tag, such as 'environment'"
          }
        },
        "tagValue": {
          "type": "String",
          "metadata": {
            "displayName": "Tag Value",
            "description": "Value of the tag, such as 'production'"
          }
        }
      },
      "policyRule": {
        "if": {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "exists": "false"
        },
        "then": {
          "effect": "modify",
          "details": {
            "roleDefinitionIds": [
              "/providers/microsoft.authorization/roleDefinitions/8fdscfdb-30c1-320c-c63a-adsh30125d26"
            ],
            "operations": [
              {
                "operation": "add",
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "value": "[parameters('tagValue')]"
              }
            ]
          }
        }
      },
      "versions": [
        "1.0.0"
      ]
    },
    "id": "/providers/Microsoft.Authorization/policyDefinitions/8fdscfdb-30c1-320c-c63a-adsh30125d26",
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "TestResourceTag"
  }

Policy definition (JSON) explanation:
The display name and description identify the policy definition and provide context for when and where the definition is used. A definition you create yourself has policyType Custom; BuiltIn is reserved for Microsoft's own definitions.

The mode determines which resource types are evaluated. Indexed, used here, evaluates only resource types that support tags and location; All additionally evaluates resource groups, subscriptions, and every other resource type.

The policy rule pairs an if condition with a then effect. Here the condition matches any resource on which the tag named by tagName does not exist, and the modify effect adds that tag with tagValue; because the operation is add rather than addOrReplace, a tag that already exists with another value is left alone. A modify effect changes the request, so it runs under the assignment's managed identity, which must hold the roles listed in roleDefinitionIds. The GUID in the sample is a placeholder, not a real role definition; the role you reference must be able to write tags on the target resources (the built-in version of this policy uses Contributor).

The definition location must be a management group or a subscription. This location determines the scope to which the initiative or policy can be assigned.

Microsoft Azure provides many built-in, ready-to-use policy definitions.

After a definition is finalized, it can be assigned at various scopes. A scope defines the level within an Azure environment at which a policy, permission, or action is active. The primary scopes are management groups, subscriptions, resource groups, and individual resources; an assignment can also exclude sub-scopes (notScopes), and an assignment created with enforcement mode DoNotEnforce reports compliance without applying the effect.
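To make the evaluation order above concrete, here is an added example (illustration only, not Microsoft's implementation or the page's own code) that models how a create/update request is run through a set of assignments. It implements just the subset the sample definition uses: the `[concat('tags[', parameters('tagName'), ']')]` field expression, the `exists` condition, the `modify` effect with an `add` operation, the Indexed-mode check, and the documented effect order. The `REQUIRE_TAG_POLICY` deny rule, the storage-account request body and the `<role-id>` placeholder are constructed for the example. Running the same deny rule with and without the sample modify rule assigned alongside it shows the point made in the ordering section: `modify` runs before `deny`, adds the missing tag, and the deny never fires.

```python
"""Toy model of Azure Policy evaluating a create/update request.
Added illustration, not Microsoft code: it implements only what the sample
"Add a tag to resources" rule needs (the concat/parameters field expression,
the `exists` condition, modify with an `add` operation, and the effect order).
"""
import re
from copy import deepcopy

# Order in which effects are evaluated on a create/update request.
EFFECT_ORDER = ["disabled", "append", "modify", "deny", "audit", "manual",
                "auditifnotexists", "denyaction"]
MODELLED = {"modify", "deny", "audit"}  # other effects raise below

_CONCAT_TAG = re.compile(r"^\[concat\('tags\[', parameters\('(\w+)'\), '\]'\)\]$")
_PARAM = re.compile(r"^\[parameters\('(\w+)'\)\]$")
_TAG_FIELD = re.compile(r"^tags\[(.+)\]$")

def resolve(expr, params):
    """Resolve the two template expressions the sample definition uses."""
    m = _CONCAT_TAG.match(expr)
    if m:
        return "tags[" + params[m.group(1)] + "]"
    m = _PARAM.match(expr)
    return params[m.group(1)] if m else expr  # else a plain literal like "type"

def get_field(body, field):
    """Read 'tags[name]' or a top-level property from the request body."""
    m = _TAG_FIELD.match(field)
    return body.get("tags", {}).get(m.group(1)) if m else body.get(field)

def condition_matches(cond, body, params):
    """Only the 'exists' condition is modelled."""
    value = get_field(body, resolve(cond["field"], params))
    if "exists" not in cond:
        raise NotImplementedError(f"condition not modelled: {cond}")
    return (value is not None) == (str(cond["exists"]).lower() == "true")

def apply_modify(details, body, params):
    """Apply 'add' tag operations; add never overwrites an existing value."""
    new = deepcopy(body)
    for op in details["operations"]:
        m = _TAG_FIELD.match(resolve(op["field"], params))
        if not m or op["operation"] != "add":
            raise NotImplementedError("only 'add' on tags is modelled")
        new.setdefault("tags", {}).setdefault(m.group(1), resolve(op["value"], params))
    return new

def evaluate_request(resource, assignments):
    """Return (outcome, body forwarded to the resource provider, effects fired).
    assignments: [{"definition": <policy definition dict>, "parameters": {...}}]"""
    body, fired = deepcopy(resource), []
    for effect in EFFECT_ORDER:
        for a in assignments:
            props = a["definition"]["properties"]
            rule = props["policyRule"]
            if rule["then"]["effect"].lower() != effect or effect == "disabled":
                continue  # disabled is checked first: the rule is never evaluated
            if props.get("mode", "All") == "Indexed" and "location" not in body:
                continue  # Indexed mode skips types without tags and location
            if effect not in MODELLED:
                raise NotImplementedError(f"effect not modelled: {effect}")
            if not condition_matches(rule["if"], body, a["parameters"]):
                continue
            if effect == "modify":  # runs before deny, so it can defuse it
                body = apply_modify(rule["then"]["details"], body, a["parameters"])
                fired.append("modify")
            elif effect == "deny":
                fired.append("deny")
                return "denied", body, fired  # rejected; audit is never reached
            else:
                fired.append("audit")  # logged, the request continues
    return "allowed", body, fired

# policyRule of the sample definition above (other properties dropped; the
# role id is a placeholder the model never reads).
SAMPLE_TAG_POLICY = {"properties": {"mode": "Indexed", "policyRule": {
    "if": {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
    "then": {"effect": "modify", "details": {
        "roleDefinitionIds": ["/providers/Microsoft.Authorization/roleDefinitions/<role-id>"],
        "operations": [{"operation": "add",
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "value": "[parameters('tagValue')]"}]}}}}}

# Constructed for this example (not from the page): deny any resource that is
# still missing the tag when the deny effect is evaluated.
REQUIRE_TAG_POLICY = {"properties": {"mode": "Indexed", "policyRule": {
    "if": {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
    "then": {"effect": "deny"}}}}

TAG_PARAMS = {"tagName": "environment", "tagValue": "production"}
# Constructed request body: a new storage account sent without any tags.
UNTAGGED = {"type": "Microsoft.Storage/storageAccounts", "location": "westeurope", "tags": {}}

def demo():
    """The same deny rule assigned alone, then alongside the modify rule."""
    deny_only = [{"definition": REQUIRE_TAG_POLICY, "parameters": TAG_PARAMS}]
    with_modify = deny_only + [{"definition": SAMPLE_TAG_POLICY, "parameters": TAG_PARAMS}]
    return {"deny_only": evaluate_request(UNTAGGED, deny_only),
            "with_modify": evaluate_request(UNTAGGED, with_modify)}

if __name__ == "__main__":
    for name, (outcome, body, fired) in demo().items():
        print(f"{name}: {outcome}, fired={fired}, tags={body['tags']}")
```

With only the deny rule assigned the untagged request is rejected; with the modify rule assigned as well the tag is added first and the same request is allowed, which is exactly why the real service evaluates append and modify before deny and audit. A resource that already carries the tag with another value is left untouched (the `add` operation does not overwrite), and a body without a location, such as a route inside a route table, is skipped entirely under Indexed mode.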