manage-azure-policy-mvp

Content

Share Azure Policies with the community.

Published in the blog post An Azure Policy journey.

The approach is to use built-in Azure policies whenever they exist; otherwise, custom policies are used and prefixed with the trigram "MVP".

These are the guidelines used for the remediation activities (effect "DeployIfNotExists"):

  • Use an ARM template whenever the remediation action creates a new resource.
  • Use deployment scripts in ARM templates whenever the remediation action needs to modify a resource that already exists.

I recommend these guidelines to prevent an ARM template deployment from pushing changes to parameters you don't want to touch. See the article ARM template deployment what-if operation for more information.

Reference

Pre-requisites

Policies

High Level View

  1. Policy definitions and policy initiative definitions are created in a management group called core
  2. Role assignments are done at the subscription level, one per policy initiative definition


[MVP] Monitoring Guidelines

[MVP] Security Guidelines

[MVP] Backup Guidelines

How to

Create or Update Azure Policies Definition and Azure Policies Initiative Definition

Method 1: with PowerShell

Prerequisites

  • Use an account that has the Resource Policy Contributor privilege on the management group that will host your policies.
  • If you are processing role assignments, use an account that has the User Access Administrator privilege on the target scope of your role assignment.

Action

Execute the script launch.ps1.

  • Note: this script also launches a compliance scan on each scope where you have assigned your policy.
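As an added example (not the repository's launch.ps1), the sequence Method 1 describes written with Az.Resources cmdlets: upsert the custom definitions in the management group, upsert the initiative, assign it at a subscription with a system-assigned identity, grant that identity the role its DeployIfNotExists remediation needs at subscription scope, and trigger a compliance scan. The management group name, file paths, subscription id, role name and location are assumed placeholders; the -IdentityType parameter assumes a recent Az.Resources module.

```powershell
# Added example, not the repository's launch.ps1. Needs Resource Policy Contributor on the
# management group and User Access Administrator on the target subscription (see Prerequisites).
param(
    [string] $ManagementGroupName = 'core',                                   # as in the High Level View
    [string] $SubscriptionId      = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string] $InitiativeName      = 'mvp-monitoring-guidelines',              # placeholder initiative file name
    [string] $RoleName            = 'Contributor',                            # role required by the remediation
    [string] $Location            = 'westeurope'                              # required when the assignment has an identity
)

Set-AzContext -Subscription $SubscriptionId | Out-Null
$scope = "/subscriptions/$SubscriptionId"

# 1. Create or update every custom policy definition under ./policies, prefixed with the MVP trigram
foreach ($file in Get-ChildItem -Path './policies' -Filter '*.json' -Recurse) {
    $name = "MVP-$($file.BaseName)"
    New-AzPolicyDefinition -Name $name -Policy $file.FullName `
        -ManagementGroupName $ManagementGroupName | Out-Null
    Write-Host "Definition upserted: $name"
}

# 2. Create or update the initiative (policy set) definition in the same management group
$initiative = New-AzPolicySetDefinition -Name $InitiativeName `
    -PolicyDefinition "./initiatives/$InitiativeName.json" `
    -ManagementGroupName $ManagementGroupName

# 3. Assign the initiative at subscription scope with a system-assigned identity;
#    DeployIfNotExists can only remediate when the assignment carries an identity.
$assignment = New-AzPolicyAssignment -Name $InitiativeName -Scope $scope `
    -PolicySetDefinition $initiative -IdentityType 'SystemAssigned' -Location $Location
$principalId = $assignment.Identity.PrincipalId

# 4. One role assignment per initiative at the subscription level; retry a few times because
#    the freshly created principal may take some seconds to become visible to RBAC.
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $scope
for ($i = 0; -not $existing -and $i -lt 6; $i++) {
    try {
        $existing = New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName `
            -Scope $scope -ErrorAction Stop
    } catch { Start-Sleep -Seconds 10 }
}
if (-not $existing) { throw "Could not grant '$RoleName' to $principalId on $scope" }

# 5. Launch a compliance scan on the subscription that received the assignment
Start-AzPolicyComplianceScan -AsJob | Out-Null
Write-Host "Compliance scan started for $scope"
```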

Method 2: with GitHub Action

  1. Set up secrets in the GitHub Actions workflow. Some details are explained here; in addition, assign the Resource Policy Contributor privilege to the service principal you have just created for the GitHub Action.

  2. Use the Azure GitHub Action azure/manage-azure-policy@v0, see the file ./.github/workflows/manage-azure-policy.yml

  • Sample step to create or update all policies:

    - name: Create or Update Azure Policies
      uses: azure/manage-azure-policy@v0
      with:
        paths: |
          policies/**
          initiatives/**

Important note: if you want to proceed with the assignment of policies that use make sure to fill in the App Registration details in the following brackets in the assign..json file:

"identity": {
  "principalId": "The Identity principalId",
  "tenantId": "Your Tenant Id",
  "type": "SystemAssigned"
}

Disclaimer

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.