Introduction
Before creating Azure custom policies, I want to give a bit of background on what they are. Azure Policy is an integral part of Azure governance, so the first question is what governance actually means. Azure governance follows the same principle as the governance applied by governments and by every organization that defines its own policies in order to stay compliant. GDPR is a well-known example: a globally imposed set of rules for personal data protection, so any organization that handles personal data of any kind must comply with it.
That is enough about governance, let's come back to Azure policies. These are policies that an organization applies at the subscription or management group level to secure its environment: through Azure Policy we control how resources are provisioned in Azure. A resource with an undesired configuration can be denied by the policy, or an additional resource or service can be deployed or audited by it. Typical use cases for Azure Policy include enforcing resource consistency, regulatory compliance, security, cost control, and management.
For example, suppose organization XYZ operates only in Asia Pacific and does not want resources provisioned in the US region. An Azure policy can restrict exactly this.
Types of policies
Basically, there are two types of policies available in Azure:
- Built-in
These are pre-built policies provided by Microsoft. They can be used as they are, according to the requirement, but cannot be altered.
- Custom
These policies are created by us as per our own requirements and customized accordingly. Here I will explain how to create a custom policy.
Type of Effects
As the name suggests, a policy is basically a rule that has some effect once that rule is enforced. In the same way, an Azure policy contains a Rule and the Effect that rule has once the policy is assigned.
These are the common effects that can be used when creating a custom policy in Azure.
Deny
Denies resource creation if the checked condition is true.
Audit
Resource creation won't be denied, but an alert will show the resource as non-compliant.
AuditIfNotExists
If the existence condition is true, the resource is compliant; if not, the resource is non-compliant. Resource creation won't be blocked.
DeployIfNotExists
If the existence condition is true, there is no effect and no deployment; if the existence condition is false, the effect is activated and the correct configuration or a sub-resource is deployed.
Effects Categorization
- Detection effects: Audit, AuditIfNotExists
- Prevention effects: Deny
- Remediation effects: DeployIfNotExists
A policy is implemented and deployed in two parts:
- Create the policy definition
- Assign the definition to a subscription/management group.
Let's see how a custom policy can be created using the Azure portal.
Steps
- Go to the portal and search for "Policy" in the marketplace, then click on the highlighted service.
- Click on “Definitions”.
- Click on “+ Policy definition”.
- Choose the “definition location” (your subscription or management group), enter the definition name, description and policy rule, then click on “Save”. The rule used here denies the creation of any resource group that does not carry the tag named by the tagName parameter:
```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "exists": "false"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag, such as 'environment'"
      }
    }
  }
}
```
- After saving, go to the “definitions” section again and filter the policies by selecting “custom” from the Type dropdown.
- You will be able to view all your custom policies here.
- Click on the created policy; it redirects to the policy assignment page. Here you can review, edit or delete the policy definition if you want, and if everything looks fine, go ahead with the assignment.
- When you click on “Assign”, the screen below appears with all the default values filled in. If you have multiple subscriptions and want to assign this policy to a different subscription than the selected one, change the scope by clicking the "…" launcher button. If everything looks fine, click Next.
- Since our policy requires a parameter, enter the TagName that will be mandatory for every resource group creation, then click Next.
- We don’t have any remediation tasks as of now, so go ahead with the defaults.
- Here you can optionally provide a user-friendly message for a non-compliant resource. Click Next.
- Click on “Create”.
- The policy deployment succeeds, but it takes around 30 minutes to take effect, so we will verify our custom policy after 30 minutes.
- You can go to the “Assignment” section and view our policy assignment in the list of assigned policies.
- After waiting almost 30 minutes, let’s verify the policy effect by creating a resource group.
- Enter the name of the resource group and click Next.
- Do not enter a tag under the “Tags” tab; click on the Next button.
- We can see that validation passes, but as soon as we click on “Create”, the resource creation fails.
- Now go back to the “Tags” tab and enter a tag name and its value so that the resource group can be created. Click on the Next button.
- Click on “Create”. We can see that the deployment is successful.
- Go to Resource groups to confirm: the new resource group “mytagspolicy_rg” has been created and the correct tag has been applied.
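To see why the walkthrough behaves as it does (denied without the tag, successful with it), here is a small local dry-run of the rule. It is an added example, not part of the original post and not Azure's own policy engine: it re-implements only the pieces of the rule language this definition uses (allOf, field/equals, field/exists with the concat/parameters tag alias) and assumes that Azure matches tag names and equals values case-insensitively.

```python
import re

# Policy rule copied from the custom definition above; parameters are resolved at evaluation time.
POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
        {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
    ]},
    "then": {"effect": "deny"},
}
# Assignment parameter value as entered on the Parameters tab (constructed sample).
PARAMETERS = {"tagName": "environment"}

# Recognises the tags[<parameter>] field alias built with concat()/parameters().
_TAG_FIELD = re.compile(r"^\[concat\('tags\[', parameters\('(\w+)'\), '\]'\)\]$")

def resolve_field(field, resource, params):
    """Return (value, exists) for a policy field against a resource request payload."""
    m = _TAG_FIELD.match(field)
    if m:
        # Assumption mirrored here: Azure tag names are case-insensitive, so compare lower-cased keys.
        wanted = params[m.group(1)].lower()
        tags = {k.lower(): v for k, v in (resource.get("tags") or {}).items()}
        return tags.get(wanted), wanted in tags
    return resource.get(field), field in resource

def condition_holds(cond, resource, params):
    """Evaluate an 'if' condition; allOf, field/exists and field/equals are supported."""
    if "allOf" in cond:
        return all(condition_holds(c, resource, params) for c in cond["allOf"])
    value, exists = resolve_field(cond["field"], resource, params)
    if "exists" in cond:
        # "exists": "false" is satisfied exactly when the field is absent from the request.
        return exists == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return str(value).lower() == str(cond["equals"]).lower()  # equals is case-insensitive
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource, params):
    """Return the effect that fires ('deny' here) or 'allow' when the rule does not match."""
    return policy["then"]["effect"] if condition_holds(policy["if"], resource, params) else "allow"

# Constructed sample requests mirroring the portal walkthrough.
RG_UNTAGGED = {"type": "Microsoft.Resources/subscriptions/resourceGroups", "name": "mytagspolicy_rg", "tags": {}}
RG_TAGGED = {**RG_UNTAGGED, "tags": {"Environment": "dev"}}  # tag name differs only in case
STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "st01"}  # not a resource group: out of scope

if __name__ == "__main__":
    for r in (RG_UNTAGGED, RG_TAGGED, STORAGE):
        print(r["name"], "->", evaluate(POLICY, r, PARAMETERS))
```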
Conclusion
We have successfully created a custom policy in Azure with the Deny effect and validated that effect in action. It is easy to create these policies and secure the environment against the creation of resources with undesired configurations. This works well in big organizations that have many subscriptions in which resources and governance must be managed.