Using GitHub for Azure Policy as Code

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

As customers progress and mature in managing Azure Policy definitions and assignments, we have found it important to ease the management of these artifacts at scale. Azure Policy as code embodies this idea and focuses on managing the lifecycle of definitions and assignments in a repeatable and controlled manner. New integrations between GitHub and Azure Policy allow customers to better manage policy definitions and assignments using an "as code" approach.

More information on Azure Policy as Code workflows here.

 

Export Azure Policy Definitions and Assignments to GitHub directly from the Azure Portal

 

Screenshot of Azure Policy definition view blade from the Azure Portal with a red box highlighting the Export definitions buttonScreenshot of Azure Policy definition view blade from the Azure Portal with a red box highlighting the Export definitions button

 

The Azure Policy as Code and GitHub integration begins with the export function; the ability to export policy definitions and assignments from the Azure Portal to GitHub repositories. Now available in the definitions view, the export definition button will allow you to select your GitHub repository, branch, directory then instruct you to select the policy definitions and assignments you wish to export. After exporting, the selected artifacts will be exported to the GitHub. The files will be exported in the following recommended format:

 

 

 

|- <root level folder>/  ________________ # Root level folder set by Directory property | |- policies/  ________________________ # Subfolder for policy objects |  |- <displayName>_<name>____________ # Subfolder based on policy displayName and name properties |   |- policy.json _________________ # Policy definition |    |- assign.<displayName>_<name>__ # Each assignment (if selected) based on displayName and name properties

 

 

 

Naturally, GitHub keeps tracks of changes committed in files which will help in versioning of policy definitions and assignments as conditions and business requirements change. GitHub will also help organizing all Azure Policy artifacts in a central source control for easy management and scalability.

 

Leverage GitHub workflows to sync changes from GitHub to Azure

 

Screenshot of the Manage Azure Policy action within GitHubScreenshot of the Manage Azure Policy action within GitHub

 

An added feature of exporting is the creation of a GitHub workflow file in the repository. This workflow leverages the Manage Azure Policy action to aid in syncing changes from your source control repository to Azure. The workflow makes it quick and easy for customers to iterate on their policies and to deploy them to Azure. Since workflows are customizable, this workflow can be modified to control the deployment of those policies following safe deployment best practices.

Furthermore, the workflow will add in traceability URLs into the definition metadata for easy tracking of the GitHub workflow run that updated the policy.

More information on Manage Azure Policy GitHub Action here.

 

Trigger Azure Policy Compliance Scans in a GitHub workflow

 

Screenshot of the Azure Policy compliance scan on GitHub ActionsScreenshot of the Azure Policy compliance scan on GitHub Actions

 

We also rolled out the Azure Policy Compliance Scan that triggers an on-demand compliance evaluation scan. This can be triggered from a GitHub workflow to test and verify policy compliance during deployments. The workflow also allows for the compliance scan to be targeted at specific scopes and resources by leveraging the scopes and scopes-ignore inputs. Furthermore, the workflow is able to upload a CSV file with list of resources that are non-compliant after the scan is complete. This is great for rolling out new policies at scale and verifying the compliance of your environment is as expected.

More information on the Azure Policy Compliance Scan here.

 

These three integration points between GitHub and Azure Policy create a great foundation for leveraging policies in ‘as code’ approach. As always, we look forward to your valuable feedback and adding more capabilities.

 

Tutorial on Azure Policy and GitHub integrations

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.