Azure Policy Automation using Azure DevOps CI/CD Pipleline


Without policies keeping control of Azure environment can be challenging. Azure Policy is a fundamental part of Azure Governance to maintain control of your environment. By using Azure Policy, you can enforce different rules over your resources. In this way, you can make it sure that resources are compliant with your corporate standards and service level agreements.  

Examples:

- Allow only desire Azure regions and block the rest of them.

- Allow only specific virtual machine types and sizes. 

By defining and assigning polices in Azure environment, you can still give access to different teams to Azure subscription but always stay in control.

Basic Understanding

Defining Azure policy is quite straight-forward but the understanding of key components is very important, which I have mentioned below

Policy Definition 

Azure provides built-in policies definition that covers most of the common cases but you can also create custom policies according to your own requirements.  You can find list of built-in policies definition here.

Initiative Definition  

Initiative definition is a collection of policy definition. It simplify managing and assigning policy definitions by grouping them. Similar to Policy definition, Azure also has built-in initiative definition. The SDK such as Azure CLI and Azure PowerShell, use properties and parameters name PolicySet to refer to initiatives. You can read more about initiate here.

Policy and Initiative Assignments

A policy assignment is a policy definition that has been assigned to take place within a specific scope. This can be a management group, subscription, resource group, or even a particular resource.  Similarly, initiative assignment is an initiative definition assigned to a specific scope. You can read more about assignments here.

Policy Definition Creation and Assignment

As now we have basic understanding about Azure Policy, we can move forward and see how we can create policy, assign policy and automate the whole process. 

Note: Policy creation and assignments can be configured using Azure Portal UI but in this blog, we will be using PowerShell as our ultimate goal is to automate the whole process using Azure DevOps pipeline. 

Create Custom Policy:

If built-in policies provided by Azure are not fulfilling your requirements, you can create your own custom policy according to your own requirements

Example

Azure SQL Data Warehouse is an expensive service so I want to restrict people so that they should not be able to create Azure SQL Data Warehouse in Sandbox subscription. There is no built-in policy definition that I can use for this purpose so I defined my custom rule in JSON format in a file "disable-datawarehouse.json" which is mentioned below.

{
  "if": {
    "field""Microsoft.Sql/servers/databases/edition",
    "equals""DataWarehouse"
  },
  "then": {
    "effect""deny"
  }
}

The next step is to deploy custom policy definition.

New-AzPolicyDefinition -Name "Sandbox_Disable_datawarehouse" `
-DisplayName "Sandbox - Disable datawarehouse" `
-description "This policy restricts the creation of SQL Datawarehouse." `
-Policy "$($rootPath)/policy-definitions\disable-datawarehouse.json" `
-Mode All -SubscriptionId $Subscription.Id

Now we have custom policy definition available in Azure sandbox subscription.

Policy Assignment

Once the custom policy definition is available in Azure Policy Definitions, we can do the assignments. 

$def = Get-AzPolicyDefinition -Name "Sandbox_Disable_datawarehouse" ´
-SubscriptionId $Subscription.Id
New-AzPolicyAssignment -Name "Sandbox_restrict_datawarehouse" `
-DisplayName "Sandbox - Restrict Datawarehouse creation" `
-Scope "/subscriptions/$($Subscription.Id)" -PolicyDefinition $def 

Now "Sandbox - Restrict Datawarehouse creation" assignment will not allow users in create Azure Data Warehouse service in Sandbox subscription. 

Initiative Definition Creation and Assignment

Similar to Policy definition, you can also create custom initiative definitions. As mentioned earlier, initiative definition is a collection of custom/built-in policy definitions. 

Example

Tags let you organize and categorize Azure resources according to whichever patterns make sense for your organization's needs. So I want to enforce people to add specified tags when they create Resource Group in Azure subscription. My second wish is to automatically appends the specified tag and value from the resource group  when any resource which is missing this tag is created or updated. As you can see, I have multiple requirements, one way of achieving this functionality is by assigning two built-in policy definition separately

 i) Add a tag on resource group
ii) Append a tag and its value from resource group.

But here I will take the benefit of Initiative definition and create a custom PolicySet to achieve my desire functionality.In this way, I will have to manage only one initiate/policySet that contains multiple policy definitions.

Create Custom Initiative Definition:

Let's create custom initiative definition. I created a new file Require-tags.json and added all the required policy definitions and their parameters. 

[
    {
        "policyDefinitionId""/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025",
        "parameters": {
            "tagName": {
                "value""billTo"
            }
        }
    },
    {
        "policyDefinitionId""/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025",
        "parameters": {
            "tagName": {
                "value""costcenter"
            }
        }
    },
    {
        "policyDefinitionId""/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025",
        "parameters": {
            "tagName": {
                "value""owner"
            }
        }
    },
    {
        "policyDefinitionId""/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025",
        "parameters": {
            "tagName": {
                "value""budget"
            }
        }
    },
    {
        "policyDefinitionId""/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d",
        "parameters": {
            "tagName": {
                "value""billTo"
            }
        }
    },
    {
        "policyDefinitionId""/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d",
        "parameters": {
            "tagName": {
                "value""costcenter"
            }
        }
    },
    {
        "policyDefinitionId""/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d",
        "parameters": {
            "tagName": {
                "value""owner"
            }
        }
    }
]        

The next step is to deploy custom initiative definition in Azure.

New-AzPolicySetDefinition -Name 'RequireTags' ´
-SubscriptionId $Subscription.Id ´
-Metadata '{"category":"Azure Governance"}' ´
-PolicyDefinition  "$($rootPath)/initiative-definitions\require-tags.json"

Now custom initiative definition is available in Azure sandbox subscription.  

Initiative Assignments

Once the initiative is available in Azure, we can configure assignments and define the scope. 

$def = Get-AzPolicySetDefinition -Name "RequireTags" ´
-SubscriptionId $Subscription.Id
New-AzPolicyAssignment -Name "Sandbox_Require_tags" ´
-DisplayName "Sandbox - Require tags" ´
-Scope "/subscriptions/$($Subscription.Id)" -PolicySetDefinition $def 

 After the successful assignment, specified tags are required when you create Azure Resource Group and when you create any resource with-in resource group it will copy the specified tags and its value from resource group. 

Automation using Azure DevOps

As now we have good understanding of Azure policy, we will move one step further and try to automate the whole process. As we are using PowerShell  for the deployment and assignments of Policy and Initiative definitions so it is quite easy to make it as a part of CI/CD pipeline.

Source Control   

For source control, we will use Azure DevOps Repos (Git).

Build Pipeline  

During the build pipeline, you can add some validation and unit tasks. For validating PowerShell script,  I am using Validate Powershell Syntax task as shown below.

 

Release Pipeline

During the release stage, policies can be deploy into multiple environments but here I am only deploying into one sandbox environment. In Sandbox stage, there is one task "Azure Powershell" in which I have provided path to the PowerShell script and subscription name as a parameter. 


Conclusion

Without automation, it can be quite challenging to deploy and define assignments for custom/built-in policies when you have large number of policies. I had hard time to find a way to deploy Azure policies, initiative and assignments using CI/CD pipelines as there is no straight-forward way to  achieve the desire functionality. By defining everything in PowerShell did the trick and make it easy for me to make it as a part of CI/CD pipelines.

I hope this gives you a good overview of Azure Policy and how they can be useful. 


















 


Location: Helsinki, Finland

Comments

Post a Comment

Popular posts from this blog

Customer Association Using DPOR/CPOR/PAL

Image
Recently, I spent a lot of my time reading Microsoft docs and talking to Microsoft Partners about the best way to get recognized for the work they do with customers and how they can best earn incentives for that work. I’m absolutely terrible at remembering all the details so this blog post is as much a reference for me as it is for you! First, I will explain the old way of doing the association and then I will explain how it should be done according to the new ways.  DPOR - Digital Partner of Record (The old way) Digital Partner of Record associates servicing partners to a Microsoft cloud subscription. It is an online capability to attach a partner to a customer’s Microsoft online subscription. DPOR benefits the customer, the partner, and Microsoft. Partners can qualify for competencies and incentives by being the DPOR and enable them to help customers optimize their usage for desired business outcomes.  DPOR can be configured for the following below services  Microsoft Office 365  CRM
Read more

AZURE DEVOPS PIPELINES WITH AZURE AUTOMATION

Image
Writing is fun especially when you have free time and you want to spend it productively. This week, I was configuring governance for Azure subscription. One of the requirement was to implement policy that shutdown VMs in sandbox subscription everyday at 7 o'clock. It can be done in several ways but I planned to implement using Azure Automation as I like to work with PowerShell script. Azure automation is a robust, cross platform and powerful automation engine for script based process automation so why not Azure Automation. I don't only wanted to implement runbooks in Azure Automation but I also wanted to implement automation pipeline. So in future, I don't have to do manual steps to deploy changes in Automation Account. During the implementation, I came across some nice features and limitations of Azure Automation Account which I though would be good to share with others. As you know, Sharing is caring :) In this blog, I am going to discuss following below topics. Azure Dev
Read more