Unfamiliar with Azure Policies?
Azure Policies start off with you defining a policy within Azure which could be something as simple as implementing a naming convention for lets say a Virtual Machine.
The following policy definition states that when creating an Azure VM it must match the naming convention we specify
An example of how to do this would be as below (in JSON):-
So what we are saying here is that if any user tries to create a Virtual Machine within a Resource Group within Azure then it must be named something like VM-P-ABC-GS01.
To get started with trying this out within the Azure Portal search for Policy at the top of the Azure Portal and you’ll see a screen something like the below: –
Here I have loaded the Policy area of the portal for an existing project and you can see the level of detail and see that I have on overall compliance of 95% on my resources and listed are the Non-compliant state Resources (if I were to expand).
By clicking on any of the non-compliant areas I will be shown all of the non-conforming resources which is awesome.
With Azure policies in place we can enforce naming conventions for a Resource Group, if we want to go further we could use Azure Management Groups – which I will cover in a separate blog post.
But what if I already have resources in place and I want to start using naming conventions with Azure policies?
In that case we need to talk about the contents of a policy definition which you can read up on.
Lets review another Azure policy (in JSON)
In the screen shot above the import part here is the EFFECT part.
Policy supports the following types of effect:
- Deny: generates an event in the activity log and fails the request
- Audit: generates a warning event in activity log but doesn’t fail the request
- Append: adds the defined set of fields to the request
- AuditIfNotExists: enables auditing if a resource doesn’t exist
- DeployIfNotExists: deploys a resource if it doesn’t already exist
- Disabled: doesn’t evaluate resources for compliance to the policy rule
So if we have resource which we might want to change the name of going forward and we are able to then perhaps use Audit to start off with and then change them to Deny.
Note if you make use of Azure policies and use Azure Devops to create Infrastructure as Code (IaC) then the easiest place to find issues with failing releases is in the build summary log.
In summary, there is a lot more to Azure policies, here I just wanted to give you some idea of what you can use Azure policies for.