Azure Policy… 📜
Azure Policy is a service in Azure that you can use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. For example, you can have a policy to allow only a certain SKU size of virtual machines in your environment. Once this policy is implemented, new and existing resources are evaluated for compliance. With the right type of policy, existing resources can be brought into compliance.
(Thank you GitHub Copilot for this definition, the rest I’ll write myself… ;-))
… as Code 🤖
When your organization grows, you will probably have more and more policies to manage. For a while you can manage it through the portal, but you quickly understand the complexity and you realize you need something more sustainable. This is where Enterprise Policy as Code (EPAC) comes into play.
What did I checked out before landing on EPAC? 🔎
During our journey to EPAC we checked out a few other options. I will list them here and explain why we didn’t choose them.
|We were trying to make something work but we quickly abandoned it. It would be too much work to maintain it.
|Azure Policy GitHub Action
|The Github Action was a bit fidly to implement, but we got something working. During a review of the Github Action we found out it is not actively maintained. This was a no-go for us.
|As the project I was working on had a Microsoft first (or native) approach, we didn’t want to introduce Terraform for this. So we did not explore this option.
Why use EPAC? 🤔
The main reasons we choose to go with EPAC are:
- It is actively maintained by Microsoft
- It is relatively easy to implement. You only need to import some Powershell modules in your pipeline and you are good to go.
- It integrates with Azure Landing Zones and Azadvertizer.net.
- You can manage your whole tenant or parts of it (on Management Group level).
- It makes Policy Assignments easier to read and understand.
It also creates a great runway if you want to introduce the concept of Azure Landing Zones in your organization at a later stage. 🚀
How to get started? 🚀
- Before you start with EPAC, make sure you have a good understanding of Azure Policy. If you don’t, you will probably get lost in the complexity of it all. The Microsoft Learn modules are a good starting point. But experimenting with it is the best way to learn. Start easy with some location restrictions for example.
- Start reading the complete EPAC documentation. Again, it can be complex and have a big impact on your environment. 📖
- Install the Powershell modules and begin with an export of your current policies, everything what you need to know is in the Getting Started guide! This will give you a good idea of how the policies and assignments are structured and applied. 💻
- Really use time to understand the solution and engineer a good setup for your organization. Make sure you put in some controls in your pipelines to make sure changes are handled correctly.
Some notes… 📝
Some notes I made during our journey:
- Policy Initiatives are called Policy Sets in EPAC. 💡
- Make sure you use the least amount of privileges to test things, policies can have a big impact on your environment. 💥
- EPAC Environments. Get your head around this. In our case we used one for dev/test (a playground management group) and one for production. But this config depends on the size of your tenant and the way your organization is structured. 🏗️
- There is a possibility to create documentation of your policies in EPAC. We did not use this because it lacked some information we needed. So together with GitHub Copilot we created our own scripts that generate documentation for us. It used all json files in the repository and creates a markdown file with all the information we need. 👩✈️
- Great blogpost from the Rabobank about their journey with EPAC.