policy-as-rules.md

File metadata and controls

164 lines (114 loc) · 6.9 KB
---
description: This topic covers using policy as rules which allows you to use Azure Policy as rules to test Infrastructure as Code.
author: BernieWhite
---

# Policy as rules

PSRule for Azure allows you to export your current Azure Policy assignments out as rules to enforce controls during development. This allows you to:

  • Reuse controls — that have already been deployed as guardrails in your environment. For example: Azure Cloud Adoption Framework or regulatory compliance standards.
  • Reduce deployment issues — by identifying Azure Policy controls that could prevent a deployment from succeeding.

!!! Abstract
    This topic covers using policy as rules which allows you to use Azure Policy as rules to test Infrastructure as Code.

!!! Experimental "Experimental - Learn more"
    Policy as rules are a work in progress.
    As always, if you find bugs/errors or if something just doesn't work as you expect it to, please let us know.
    You can log a bug on GitHub or provide feedback here.

## Limitations

This feature does not support:

  • Resource provider modes — evaluate data plane information exposed at runtime. Policies that target resource provider modes are automatically ignored.
  • Disabled policies — Policy definitions with the effect Disabled are ignored.
  • Unassigned policies — Only policy definitions assigned to a scope are exported.
  • Policies that check for assessment status — Some policies use additional detection tools to check for compliance. Policies that check for assessment status are ignored.
  • Importing rules — Rules generated from policy assignments cannot be imported back into Azure Policy.

## Using policy as rules

Using policy as rules is a two step process:

  1. Export assignment data from Azure.
  2. Convert assignments to rules.

### Export assignment data

Run Export-AzPolicyAssignmentData to export assignments from Azure to an *.assignment.json file.

Key points:

  • Before running this command, connect to an Azure subscription by installing the Az PowerShell module and using Connect-AzAccount.
  • This command has no required parameters, and by default will export all assignments from your current Azure subscription. You can change the current Azure subscription by using Set-AzContext.

!!! Bug
    Currently a known incompatibility exists with 7.x of Az.Resources, which introduced a breaking change.
    Please use Az.Resources >= v6.7.0 and < v7.0.0.
    For more information, see Issues with Az.Resources.

For example:

```powershell
# Install and import required modules.
Install-Module Az.Resources -RequiredVersion '6.7.0' -Force -Scope CurrentUser
Import-Module Az.Resources -RequiredVersion '6.7.0'
Import-Module PSRule.Rules.Azure

# Connect to Azure
Connect-AzAccount
Set-AzContext -Subscription '<subscriptionId>'

# Export assignments
Export-AzPolicyAssignmentData
```

### Convert assignments to rules

Run Export-AzPolicyAssignmentRuleData to convert assignments to rules. To run this command, specify the -AssignmentFile parameter with the path to the assignment JSON file generated in the previous step.

After the command completes, a new *.Rule.jsonc file containing the generated rules should be created.

For example:

```powershell
Export-AzPolicyAssignmentRuleData -AssignmentFile '.\<subscriptionId>.assignment.json'
```

## Running policy rules

Rules and an initial baseline are generated in a file ending in .Rule.jsonc. This file extension and format are automatically detected by PSRule when it is run from an included source path. To start using the policy rules, copy the file to the default include sub-directory (.ps-rule/) in the root of your repository.

Additionally, the following setup is required to scan Infrastructure as Code (IaC):

  1. Set a binding configuration.
  2. Configure expansion for processing Bicep or ARM templates.
  3. Include the PSRule.Rules.Azure module.
  4. Optionally specify a baseline to limit the rules evaluated to policy rules.
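The setup above as one added example (not code from the PSRule for Azure docs). It assumes the generated file is named `<subscriptionId>.Rule.jsonc` (placeholder) in the current directory, that the repository root is the current directory, and that PSRule and PSRule.Rules.Azure are installed.

```powershell
# Added example: wire generated policy rules into a repository and run only those rules.
# Assumes '<subscriptionId>.Rule.jsonc' (placeholder name) was generated in the current directory.
$repoRoot = Get-Location
$includePath = Join-Path $repoRoot '.ps-rule'

# Step 0: the default include sub-directory where PSRule picks up *.Rule.jsonc files.
New-Item -ItemType Directory -Path $includePath -Force | Out-Null
Copy-Item -Path '.\<subscriptionId>.Rule.jsonc' -Destination $includePath

# Steps 1-3: binding, expansion for Bicep/ARM, and the PSRule.Rules.Azure module include,
# written to ps-rule.yaml in the repository root so every run picks them up.
@'
binding:
  preferTargetInfo: true
  targetType:
  - resourceType
  - type

configuration:
  AZURE_BICEP_FILE_EXPANSION: true
  AZURE_PARAMETER_FILE_EXPANSION: true

include:
  module:
  - PSRule.Rules.Azure
'@ | Set-Content -Path (Join-Path $repoRoot 'ps-rule.yaml')

# Step 4: limit evaluation to the generated policy rules via the generated baseline
# (rename the baseline to '<Prefix>.PolicyBaseline.All' if a custom prefix was used).
Assert-PSRule -InputPath '.' -Format File -Baseline 'Azure.PolicyBaseline.All'
```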

### Generated baseline

When exporting policies, PSRule for Azure will automatically generate a baseline including any generated rules. By default, this baseline is called Azure.PolicyBaseline.All. If you change the prefix of generated rules the baseline will be named <Prefix>.PolicyBaseline.All.

See Using baselines for examples on how to use a baseline in a run.

## Customizing the generated rules

PSRule for Azure allows you to:

  • Set a name prefix — to help identify generated rules. By default, generated rules and baselines are prefixed with Azure. To change the prefix:
    • Use the -RulePrefix parameter when running Export-AzPolicyAssignmentRuleData. OR
    • Set the AZURE_POLICY_RULE_PREFIX configuration option in ps-rule.yaml.
  • Exclude specific policies — by setting the AZURE_POLICY_IGNORE_LIST configuration option in ps-rule.yaml. This option allows you to prevent specific policies from being exported as rules.

For example:

```yaml
configuration:
  AZURE_POLICY_RULE_PREFIX: MyOrg
  AZURE_POLICY_IGNORE_LIST:
  - /providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9
  - /providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0
```

## Duplicate policies

When exporting policies, you may encounter definitions that are duplicates of existing rules shipped with PSRule for Azure. By default, built-in Azure policies that are duplicates of existing rules are ignored. Additionally, PSRule for Azure will automatically substitute the existing rules into the generated baseline.

!!! Note
    This only applies to built-in Azure policies that are duplicates of existing rules.
    Custom policies are not affected.

The list of built-in policies that are duplicates can be viewed [here][3].
If you believe a policy is missing from this list, please [open an issue][4].

[3]: https://github.com/Azure/PSRule.Rules.Azure/blob/main/data/policy-ignore.json
[4]: https://github.com/Azure/PSRule.Rules.Azure/issues/new/choose

This allows you to:

  • Focus on policies that are unique to your environment and not already covered by PSRule for Azure.
  • Benefit from the additional references and examples provided by PSRule for Azure.
  • Reduce noise reporting the same issue multiple times.

To override this behavior use the -KeepDuplicates parameter switch when running Export-AzPolicyAssignmentRuleData.
