Azure Policy Automation

Deploy Azure Policy with Bicep

Azure Policy Definitions and Initiatives with Bicep and Azure DevOps

Introduction

Azure Policy is a service in Azure that enables you to create, assign, and manage policies that enforce different rules and effects over your resources. These policies help ensure that your resources comply with your organisation’s standards and service level agreements. In this blog post, we will explore how to define and manage Azure Policy definitions and initiatives using Bicep and Azure DevOps, providing a streamlined and automated approach to governance.

Step-by-Step Implementation Guide

Step 1: Set Up Your Azure Environment

  1. Create a Resource Group:

    1
2
3
4

    resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: 'myResourceGroup'
  location: 'australiaeast'
}

Step 2: Define Azure Policy

  1. Create a Policy Definition:

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

    resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'myPolicyDefinition'
  properties: {
    policyType: 'Custom'
    mode: 'All'
    displayName: 'Allowed Storage Account SKUs'
    description: 'This policy allows only specified SKUs for storage accounts.'
    policyRule: {
      if: {
        field: 'type'
        equals: 'Microsoft.Storage/storageAccounts'
      }
      then: {
        effect: 'Deny'
        details: {
          allowedValues: [
            'Standard_LRS'
            'Standard_GRS'
          ]
        }
      }
    }
  }
}

Step 3: Create a Policy Initiative

  1. Create an Initiative Definition:

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

    resource initiativeDefinition 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = {
  name: 'myInitiativeDefinition'
  properties: {
    displayName: 'Storage Account Governance'
    description: 'Initiative to enforce storage account governance policies.'
    policyDefinitions: [
      {
        policyDefinitionId: policyDefinition.id
      }
    ]
  }
}

Step 4: Assign Policies and Initiatives

  1. Assign a Policy:

    1
2
3
4
5
6
7
8

    resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: 'myPolicyAssignment'
  properties: {
    displayName: 'Enforce Allowed Storage Account SKUs'
    policyDefinitionId: policyDefinition.id
    scope: rg.id
  }
}

  2. Assign an Initiative:

    1
2
3
4
5
6
7
8

    resource initiativeAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: 'myInitiativeAssignment'
  properties: {
    displayName: 'Enforce Storage Account Governance'
    policyDefinitionId: initiativeDefinition.id
    scope: rg.id
  }
}

Step 5: Automate Deployment with Azure DevOps

  1. Create a New Pipeline:

    • Navigate to your Azure DevOps project.
    • Click on “Pipelines” and then “Create Pipeline”.
    • Select your repository and choose “YAML” for the pipeline configuration.

  2. Define the Pipeline YAML:

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

    trigger:
- main

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureCLI@2
  inputs:
    azureSubscription: 'YOUR_AZURE_SUBSCRIPTION'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az deployment group create --resource-group myResourceGroup --template-file main.bicep

Conclusion

By following this guide, you can define and manage Azure Policy definitions and initiatives using Bicep and Azure DevOps, ensuring a secure and automated governance process. This approach simplifies the management of your policies and enhances the compliance of your resources.

Learn More