Azure Policy is a service within Azure that is currently in Preview. It has been designed to help you to enforce different rules and actions over your resources, which enables your resources to stay compliant with your corporate standards. It comes with a lot of "out of the box" or "built in" policy templates that you can start using but this week I've been looking at using Azure Policy, both the built in examples and creating custom ones. I thought it would be good to write an article explaining some of the basics of the product.
- Mode - this defines the resource types to be considered by the policy. There are two types of modes, all, or indexed. If you specify all, which is the recommended mode then your policy will apply to allow resource types. If you specify indexed then the policy will only apply to those resources that support tags and locations;
- Parameters - if you are familiar with any programming language you will be familiar with parameters. A parameter is special kind of variable which refers to a piece of data, it's there to also help reduce code;
- Display Name & Description - this is just to help identify the policy and add some meaning;
- Policy Rule - this is the core of the policy. It is where it describes what the policy is doing using logical operators, conditions and effect. Policies can be set to deny, audit, append, audit if not exists or deploy if not exists.
Within Azure Policy you are allowed to group policies together to help make it similar when applying policies. When you group policies together it is called an Initiative. An example of this would be to create an initiative called "Security" and include all your security policies in it.
It's worth mentioning again that Azure Policy is currently a preview feature. A preview feature is one that Microsoft have released to you for evaluation purposes. Preview features within Azure are subject to reduced or different pricing plans and service terms.
Using Azure Policy
You can apply policies via the Azure Portal (https://portal.azure.com) graphical interface, via PowerShell commands, CLI (Command Line Interface) commands or via an API (application programming interface). As I mentioned at the start of this article there are a number of built in policies that can help you get started on your Azure Policy journey. However, the Azure team have set up a GitHub repository that has extra examples both from them and from the community. You can find the repository at https://www.github.com/Azure/azure-policy It is definitely worth following the repository and contributing to it to correct any errors or share your examples with.
If you are a contributor to an Azure subscription you won't have the right access rights to define or assign policies or define or assign initiatives. To carry out these actions you need the following permissions via role-based access control (RBAC):
- Microsoft.Authorization/policydefinitions/write permission to define a policy;
- Microsoft.Authorization/policyassignments/write permission to assign a policy;
- Microsoft.Authorization/policySetDefinitions/write_ permission to_ define an initiative;
- Microsoft.Authorization/policyassignments/write permission to assign an initiative.
If you want to grant someone access to define and assigns policies and definitions within your environment you should look at assigning them the "Resource Policy Contributor (Preview)" role.
At the moment as Azure Policy is a preview feature state there is no pricing available however there are two tiers available when assigning policies. Free and Standard. Standard gives you compliance evaluation where as Free does not. As always if you've you got any questions or would like to discuss what I've talked about in this article please reach out to me on Twitter @Techielass