Security as a Code - Azure Policy

I have been going deep to understand how #AzurePolicy works and can be configured/customized and utilized along Infrastructure as Code (IaC), mainly Terraform.

Here are some of good resources, for any Azure Policy enthusiast who wants to build strong guardrails around Azure Landscape.

• Understanding Basics of Definition Structure. Policy Definition is JSON. Unless you understand elements, you cannot write or operate it correctly or move ahead. https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure
• Single Source of Truth where Azure Policy Engineering maintain `Built-In` policies https://github.com/Azure/azure-policy Star this repo
• `AzPolicyAdvertizer` and `AzInitiativeAdvertizer`?is excellent community project which gives portal type experience to search policies, initiatives with respect to name, id, description etc. Kudos to @julianhayward for putting this together

Now comes to #AzurePolicy @ Infrastructure as a Code (IaC)

• What is Archetype Definition, when operating on IaC? There is great Wiki part under Azure Terraform Landing Zone. Build-Test-Master it https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BUser-Guide%5D-Archetype-Definitions
• What come as Base Archetype as part of Azure Landing Zone? There are area standard built-in policies automatically get configure if you deploy Landing Zone, as part of Module. Knowing them upfront help so that they can you exclude or expand (watch out how to "extension/exclusion") certain definition/initiative/assignment https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Expand-Built-in-Archetype-Definitions#example-root-module
• All good, but how to write Custom Policy Set and Perform Assignment at IaC level. [Examples] Create Custom Policies Policy Sets and Assignments · Azure/terraform-azurerm-caf-enterprise-scale Wiki (github.com)
• Use Visual Studio Code to write and check policy format and use Azure Policy extension for Visual Studio Code to check correctness of its prior pushing to your environment.

So, by now, hop you have built some understanding around Azure Policy and most importantly how we use it as Scale using IaC.

For day 2 operation, you should regularly review Policy Compliance Status Dashboard. There is another amazing utility that can be deployed `AzGovViz - Azure Governance Visualizer`. This creates html view of your landscape and by few click you can quickly visualize which policy/initiative is being assigned at which level of management group hierarchy and scope.

In coming 13-Oct-2022, I shall be covering some of these elements in upcoming session "Security as a Code: Enabling Flexibility on platform with Control (Register here for this session)" as part of #AzureDevFest (Register here for Azure DevFest session, we shall cover some of those topics mentioned above and demonstrate some real-world scenario. Till then, happy learning.