Azure Policy As Code – Accelerate governance in cloud

The cloud, in the context of technology, has many definitions and types—ranging from
its simplest form of using shared resources, to a fully automated environment with
extreme standardization. Various departments in your organization would be creating, updating and terminating resources in cloud. What does this really mean in practice, and how is it relevant to your organization?
The answer is simple: technology exists to enable a business to deliver on its vision,
mission, and goals. So, very much like using a tool to create an artifact, technology
enables businesses of all sizes to generate value in order to deliver on why it exists.
Governance maps to the standards of your organization, and typically, the rules of the
industry of your business.

The focus of this blog post is automating cloud governance on Microsoft Azure and explains why it matters and how to go from planning to implementation.

Traditional Approach

Traditional approaches allowed cloud custodians to perform gated checks and ensured compliance and control but sacrificed speed of delivery. Cloud native approaches using policy and configuration enabled both speed and control with flexibility to changes during BAU scenarios.

Cloud Native Approach

This brings me to Azure Policy which is a native tool that allows you to apply governance decisions by specifying policy effects such as:

  • Append
  • Audit
  • AuditIfNotExists
  • Deny
  • DeployIfNotExists
  • Disabled
  • Modify

It’s also a tool which appears to grow in value, almost in lockstep, with your monthly Azure invoices. How cool is that?

Today, there’s nearly 300 built-in policy definitions across 32 categories for you to start using. That’s not a small number and demonstrates a significant effort by Microsoft to cover a wide range of use cases for Azure Policy.

Cloud Governance at Scale

When managing multiple Azure tenants and subscriptions there’s an increasing need for governance at scale because you often need to do more (governance) with less (people).

Azure Policy provides that governance at scale by giving you the ability to:

  • Define your governance rules and effects through policy definitions (.JSON format) which are either built-in or custom.
  • Create your custom policy definitions at the management group scope.
  • Assign your policies to management groups, subscriptions, and resource groups and, if you wish, exclude certain resources and resource groups.
  • Specify your policy assignments.
  • Evaluate compliance of your policies and kick-off remediation tasks for non-compliant resources.
  • Access Azure Policy via the Azure Portal, CLI, PowerShell, REST, SDKs, and ARM templates.
  • Having multiple access points into Azure Policy gives you more choice on deployment tooling when executing a policy as code workflow.

How to Deploy Azure Policies as Code?

  1. Prerequisites:
    1. Terraform
    2. Git
    3. Visual Studio code
    4. Azure CLI
    5. Powershell
  2. Azure Resources are assumed to be located in South East Asia (single region) for the scope of this automation script.
  3. Git clone https://github.com/suneelsunkara/terraform-azurerm-policy.git
  4. Create “workspaces” folder under the root folder.
  5. Copy the tenant_id, subscription_id, client_id and client_secret from the Step 8 below(az ad sp create-for-rbac) into the “.\workspaces\subscriptionName1\subscriptionName1.tfvars” file
  6. Sample subscriptionName1.tfvars file for reference
tenant_id       = "51764065-92df-4cf7-8553-704d807f96a1"
subscription_id = "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx"
client_id       = "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx"
client_secret   = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

7. In the Azure Portal Create Azure Action group as “AlertOperationsGroup” and Resource group for action group as “AzMonitorAlertGroups”

Execute the below steps for the deployment of Policy Initiatives, definitions, assignment

terraform fmt -recursive
terraform validate
terraform providers
terraform init 

az login
az account list
az account set --subscription="xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"

az ad sp create-for-rbac --name "Terraform-AzureRM-Policy" --role "Resource Policy Contributor" --scopes "/subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"

terraform plan -var-file=".\workspaces\subscriptionName1\subscriptionName1.tfvars"
terraform apply -var-file=".\workspaces\subscriptionName1\subscriptionName1.tfvars"
  • Once you execute the above steps and login to Azure portal — > Policy service, the custom policy initiatives, definitions, assignments gets deployed automatically for
    • Identity management Governance
    • Tag Governance
    • Security Governance
    • Data Protection Governance
    • Monitoring Governance
  • The benefit of this approach is to have the policy based compliance enabled by default for all the services customized in the terraform modules in IaC code
  • Ability to customize existing policies and add new custom policies to easily and push policy based governance without manual intervention
Policy Dashboard in Azure Portal

Remediation process: Non-compliant resources and resource groups can be remediated by automated process using either “deploIfNotExists” or “modify” based policy effects depending the policy created for the respective resource.

Login-AzAccount

# in case you have multiple subscriptions...
select-azsubscription -SubscriptionName "Pay-As-You-Go"

# get all non-compliant policies that can be remediated
$nonCompliantPolicies = Get-AzPolicyState | Where-Object { $_.ComplianceState -eq "NonCompliant" } -and $_.PolicyDefinitionAction -eq "deployIfNotExists" }

# loop through ans start individual tasks per policy 
foreach ($policy in $nonCompliantPolicies) {

    $remediationName = "rem." + $policy.PolicyDefinitionName
    #Write-Host $remediationName
    Start-AzPolicyRemediation -Name $remediationName -PolicyAssignmentId $policy.PolicyAssignmentId -PolicyDefinitionReferenceId $policy.PolicyDefinitionReferenceId
}

You can choose to delete custom policies and respective dependencies using the below script

terraform destroy -var-file=".\workspaces\subscriptionName1\subscriptionName1.tfvars"

References:

Happy Learning!!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s