Azure Policy

Implementing governance of resources with Azure Policy. Several Policy samples can be found in the Azure/Community-Policy repository.

Create the baseline resources:

terraform init
terraform apply -auto-approve

The next sections build upon these baseline resources.

Simple tags policy

Create the tags policy:

You may optionally add policy parameters.

az policy definition create --name CostCenter --rules @policies/costcenter/rules.json

Replace the SUBSCRIPTION_ID placeholder and execute the following to create the initiative:

An initiative can have groups, initiative parameters, and policy parameters.

az policy set-definition create -n requireCostCenterTag \
    --definitions '[ { "policyDefinitionId": "/subscriptions/SUBSCRIPTION_ID/providers/Microsoft.Authorization/policyDefinitions/CostCenter" } ]'

Assign the initiative:

Assignments can have exclusions, an enforcement mode (enabled/disabled) and, most importantly, remediation.

In preview, there are also resource selectors and overrides.

az policy assignment create -n CostCenter --policy-set-definition requireCostCenterTag \
    --scope /subscriptions/SUBSCRIPTION_ID/resourceGroups/rg-bigfactory

Effects

Create the base resource group:

az group create -n rg-policy-sandbox -l brazilsouth

To force/refresh a policy scan:

az policy state trigger-scan --resource-group "rg-policy-sandbox"

Load the subscription ID into a variable for the following commands:

subscriptionId=$(az account show --query id -o tsv)

Get your public IP in case you need it to customise policy parameters:

curl ipinfo.io/ip

When creating a policy, set the correct Resource Provider mode:

The mode determines which resource types are evaluated for a policy definition. The supported modes are:

  • all: evaluate resource groups, subscriptions, and all resource types
  • indexed: only evaluate resource types that support tags and location
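As an added example (not a file from this repository), this is what a parameterised CostCenter tag policy can look like in the form the Resource Manager API uses. With the az CLI, the policyRule object is the content of the rules file and the parameters object is what you pass with --params; the tag name and the default values are assumptions chosen for illustration. The mode is Indexed because tags exist only on resources that support them, and the effect parameter is what lets one assignment switch the same definition between Audit, Deny and Disabled.

```json
{
  "properties": {
    "displayName": "Require a cost center tag on resources",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": { "displayName": "Tag name", "description": "Name of the required tag" },
        "defaultValue": "CostCenter"
      },
      "effect": {
        "type": "String",
        "metadata": { "displayName": "Effect", "description": "Effect applied when the tag is missing" },
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Changing the effect at assignment time (for example to Audit in a new subscription before switching to Deny) avoids redefining the policy for each rollout stage.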

Append

Create and assign the policy:

az policy definition create --name AppendSample \
    --rules @policies/effects/append-rules.json \
    --params @policies/effects/append-params.json

az policy assignment create -n AppendRuleToStorage --policy AppendSample \
    --scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
    --enforcement-mode Default

Create the storage account:

az storage account create \
    --name sandbox \
    --resource-group rg-policy-sandbox \
    --location brazilsouth \
    --sku Standard_LRS \
    --allow-blob-public-access false \
    --default-action Deny \
    --bypass AzureServices Logging Metrics \
    --tags PolicySandbox

Audit

Audit effect sample:

az policy definition create --name AuditSample \
    --rules @policies/effects/audit-rules.json

az policy assignment create -n AuditSample --policy AuditSample \
    --scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
    --enforcement-mode Default

AuditIfNotExists

Create a VM for the policy to evaluate:

az vm create \
  --resource-group rg-policy-sandbox \
  --location brazilsouth \
  --name vm-debian \
  --image Debian11 \
  --admin-username debianadmin \
  --generate-ssh-keys \
  --public-ip-sku Standard \
  --size Standard_B1s

Set the policy:

az policy definition create --name AuditIfNotExistsSample \
    --rules @policies/effects/auditIfNotExists-rules.json

az policy assignment create -n AuditIfNotExistsSample --policy AuditIfNotExistsSample \
    --scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
    --enforcement-mode Default

Deny

Set the Deny policy:

az policy definition create --name DenySample \
    --rules @policies/effects/deny-rules.json

az policy assignment create -n DenySample --policy DenySample \
    --scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
    --enforcement-mode Default

Try to create the storage. This command should be denied by the policy:

az storage account create \
    --name sandbox \
    --resource-group rg-policy-sandbox \
    --location brazilsouth \
    --sku Standard_LRS \
    --allow-blob-public-access false

DenyAction

Set the DenyAction policy:

az policy definition create --name DenyActionSample \
    --rules @policies/effects/denyAction-rules.json

az policy assignment create -n DenyActionSample --policy DenyActionSample \
    --scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
    --enforcement-mode Default

Create the storage account, or tag an existing one with an environment=prod tag:

az storage account create \
    --name sandbox \
    --resource-group rg-policy-sandbox \
    --location brazilsouth \
    --sku Standard_LRS \
    --allow-blob-public-access false \
    --tags environment=prod

DeployIfNotExists

Copied from the functionapp-enforce-https-only-dine sample.

az policy definition create --name DeployIfNotExistsSample \
    --rules @policies/effects/DeployIfNotExists-rules.json \
    --params @policies/effects/DeployIfNotExists-params.json

az policy assignment create -n DeployIfNotExistsSample --policy DeployIfNotExistsSample \
    --scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
    --enforcement-mode Default \
    --mi-system-assigned \
    --location brazilsouth

Create the function app and check that HTTPS Only is set to true once the deployment completes.

az functionapp create -n funcappdeploypolicy -g rg-policy-sandbox \
    --storage-account <some storage> \
    --consumption-plan-location brazilsouth \
    --runtime dotnet \
    --functions-version 4 \
    --https-only false

Disabled

Set the Disabled policy:

az policy definition create --name DisabledActionSample \
    --rules @policies/effects/disabled.rules.json \
    --params @policies/effects/disabled.params.json

az policy assignment create -n DisabledActionSample --policy DisabledActionSample \
    --scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
    --params "{ \"effect\": { \"value\": \"Disabled\" } }" \
    --enforcement-mode Default

Create the storage account, or tag an existing one with a TriggerDisabledEffect=true tag; because the assignment sets the effect to Disabled, the policy does not evaluate it:

az storage account create \
    --name sandbox \
    --resource-group rg-policy-sandbox \
    --location brazilsouth \
    --sku Standard_LRS \
    --tags TriggerDisabledEffect=true

Modify

Create and assign the policy:

az policy definition create --name ModifySample \
    --rules @policies/effects/modify.rules.json

az policy assignment create -n ModifySample --policy ModifySample \
    --scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
    --enforcement-mode Default \
    --mi-system-assigned \
    --location brazilsouth

Create a Storage resource to test the policy:

az storage account create \
    --name sandbox \
    --resource-group rg-policy-sandbox \
    --location brazilsouth \
    --sku Standard_LRS
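An added example of the kind of rule a modify rules file can hold (not the repository's own file): a Modify effect that adds a missing CostCenter tag to storage accounts, with the tag name and the placeholder value "unassigned" chosen as assumptions. The roleDefinitionIds entry is the built-in Tag Contributor role; the system-assigned identity created by --mi-system-assigned above must hold that role at the assignment scope, otherwise the remediation task fails.

```json
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "tags['CostCenter']", "exists": "false" }
    ]
  },
  "then": {
    "effect": "Modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f"
      ],
      "operations": [
        {
          "operation": "addOrReplace",
          "field": "tags['CostCenter']",
          "value": "unassigned"
        }
      ]
    }
  }
}
```

Listing only the narrow role the operation needs keeps the assignment's identity at least privilege; a Modify that only writes tags does not need Contributor.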
