Enforce Governance with Azure Policy via CLI
Introduction
Azure Policy is a powerful governance tool that allows organizations to enforce compliance with internal standards and regulatory requirements across their Azure resources. By utilizing Azure Policy, you can define and assign policies that automatically assess and manage the compliance state of your resources. This is particularly important in cloud environments where resources can be provisioned rapidly, making it easy for non-compliant resources to proliferate.
The primary command for managing Azure policies via the Azure CLI is az policy assignment create. This command enables you to create policy assignments that apply specific policies to defined scopes, such as subscriptions, resource groups, or individual resources. The use cases for Azure Policy include enforcing tag compliance, ensuring resource configurations meet security standards, and managing resource lifecycle policies.
In this tutorial, we will explore the az policy assignment create command in detail, covering how to create policy assignments, manage non-compliance, and perform remediation tasks. We will also provide practical examples and best practices for effectively leveraging Azure Policy in your governance strategy.
Prerequisites
Before you begin, ensure you have the following:
- Azure CLI installed (version 2.0 or later).
- An active Azure subscription.
- Appropriate permissions to create policy assignments (e.g., the Resource Policy Contributor or Owner role at the target scope; assignments that carry a managed identity for remediation additionally need the right to create role assignments, such as Owner or User Access Administrator).
- Authentication to your Azure account using az login.
Fundamental Concepts
Key Terminology
- Policy Definition: A JSON document whose policy rule pairs a condition (which resources and which properties are evaluated) with an effect such as Audit, Deny, DeployIfNotExists or Modify that is applied when the condition matches. Built-in definitions have a GUID as their name and a human-readable display name.
- Policy Assignment: The act of applying a policy definition (or an initiative) to a specific scope (management group, subscription, resource group or single resource), optionally with parameter values and excluded sub-scopes.
- Initiative: A collection of policy definitions (a policy set definition) that share a common goal, so they can be assigned and tracked as one unit.
- Non-compliance: A state indicating that a resource does not meet the requirements of the assigned policy. Audit assignments only record this state; Deny assignments additionally block new writes that would violate the rule.
- Remediation: The process of bringing existing non-compliant resources into compliance. A remediation task only applies to assignments whose effect is DeployIfNotExists or Modify and which carry a managed identity holding the roles the definition requires; Audit and Deny assignments cannot be remediated.
When to Use Azure Policy
Azure Policy is used when you need to:
- Enforce compliance across a large number of resources.
- Ensure resources comply with organizational standards.
- Automatically remediate non-compliant resources.
- Monitor compliance over time.
Command Syntax
The syntax for the az policy assignment create command is as follows:
az policy assignment create --name <name> --policy <policy_definition> --scope <scope> [--display-name <display_name>] [--description <description>] [--params <parameters>] [--enforcement-mode <mode>] [--not-scopes <scopes>] [--location <location>] [--mi-system-assigned] [--identity-scope <scope>] [--role <role>]
Parameters Table
| Parameter | Description |
|---|---|
| --name | Name of the policy assignment; must be unique within the scope. |
| --policy | Name or resource ID of the policy definition to assign. Built-in definitions are named by GUID, so the display name is not accepted; resolve it first with az policy definition list --query "[?displayName=='<display name>'].id" -o tsv. Use --policy-set-definition to assign an initiative instead. |
| --scope | Scope of the assignment: a management group, subscription, resource group or single resource ID. |
| --not-scopes | Space-separated scopes inside --scope that are excluded from evaluation (optional). |
| --display-name | Friendly name shown in the portal (optional). |
| --description | Description of the assignment (optional). |
| --params | JSON (inline or @file) with values for the definition's parameters; required whenever a parameter has no default value, optional otherwise. |
| --enforcement-mode | Default (effects are enforced) or DoNotEnforce (compliance is evaluated and reported, but Deny does not block and DeployIfNotExists/Modify do not act). Defaults to Default (optional). |
| --location | Region for the assignment's managed identity; required when --mi-system-assigned or --mi-user-assigned is used, otherwise optional. |
| --mi-system-assigned, --identity-scope, --role | Create a system-assigned managed identity for the assignment and grant it a role at a scope. Needed for DeployIfNotExists and Modify effects and therefore for remediation tasks (optional). |
Practical Examples
Example 1: Create a Basic Policy Assignment
policyId=$(az policy definition list \
  --query "[?displayName=='Audit VMs that do not use managed disks'].id" -o tsv)
az policy assignment create --name 'audit-vm-managed-disks' \
  --policy "$policyId" \
  --scope '/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>' \
  --display-name 'Audit VM Managed Disks'
This creates a policy assignment that audits VMs without managed disks within the specified resource group. The first command resolves the built-in definition's resource ID from its display name, because --policy accepts only the definition name (a GUID for built-ins) or its ID; passing the display name directly fails.
Example 2: Create a Policy Assignment with Parameters
policyId=$(az policy definition list \
  --query "[?displayName=='Require a tag on resource groups'].id" -o tsv)
az policy assignment create --name 'enforce-tags' \
  --policy "$policyId" \
  --scope '/subscriptions/<subscription_id>' \
  --params '{ "tagName": { "value": "Environment" } }' \
  --display-name 'Require Environment Tag'
This built-in uses the Deny effect, so any resource group created or updated in the subscription without an "Environment" tag is rejected. Resource groups that already exist are reported as non-compliant but are not changed. The --params JSON supplies the definition's tagName parameter, which has no default and is therefore required.
Example 3: View Policy Assignment Details
az policy assignment show --name 'audit-vm-managed-disks' --scope '/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>'
This command retrieves details about the specified policy assignment.
Example 4: List Non-Compliant Resources
az policy state list --resource-group '<resource_group_name>' \
  --policy-assignment 'audit-vm-managed-disks' \
  --filter "complianceState eq 'NonCompliant'" \
  --query "[].resourceId" -o tsv
This lists the resources the assignment currently reports as non-compliant. az policy state list has no --scope parameter: the scope comes from --resource-group (or --management-group, or the current subscription by default), and without --filter the command returns compliant records as well. Compliance is evaluated on a schedule (a full evaluation roughly every 24 hours) and after resource writes; run az policy state trigger-scan --resource-group '<resource_group_name>' to evaluate immediately before listing.
Example 5: Remediate Non-Compliant Resources
az policy remediation create --name 'remediate-missing-tags' \
  --policy-assignment '<assignment_name>' \
  --resource-group '<resource_group_name>'
This creates a remediation task for the resources that are non-compliant with the named assignment. Two constraints apply. First, remediation only works for assignments whose effect is DeployIfNotExists or Modify; an Audit assignment such as audit-vm-managed-disks only reports, so there is nothing for a task to change. Second, the assignment must carry a managed identity that holds the roles listed in the definition's roleDefinitionIds. Note that az policy remediation create takes --resource-group or --management-group rather than --scope. Track the task with az policy remediation show --name 'remediate-missing-tags' --resource-group '<resource_group_name>'.
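Example 5 covers the remediation command on its own. The script below is an added example (not code from the original page) that shows the full sequence a remediation actually depends on: an assignment whose effect can change resources, a managed identity for it, the role grant, the task, and the status check. It assumes a built-in Modify definition with the display name "Add a tag to resources" that takes tagName and tagValue parameters, an assumed region eastus, placeholder subscription and resource group names, and that the caller may create role assignments at the scope; with DRY_RUN=1 (the default) it prints the az commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original page: assign a Modify policy with
# a system-assigned managed identity and remediate resources that already
# exist. Assumptions: the built-in Modify definition displayed as
# "Add a tag to resources" (parameters tagName, tagValue) is available, and
# the caller can create role assignments at the target scope (Owner or User
# Access Administrator). With DRY_RUN=1, the default, az commands are printed
# rather than executed.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-<subscription_id>}"
RESOURCE_GROUP="${RESOURCE_GROUP:-<resource_group_name>}"
LOCATION="${LOCATION:-eastus}"   # assumed region; required once the assignment has an identity
DRY_RUN="${DRY_RUN:-1}"

# Resource-group scope string.
rg_scope() {
    printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# --params JSON for a Modify definition that writes a single tag.
tag_params() {
    printf '{"tagName":{"value":"%s"},"tagValue":{"value":"%s"}}' "$1" "$2"
}

# Print the command (dry run) or execute it.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi; }

# --policy needs the definition name or ID, never its display name; in a dry
# run a placeholder ID stands in for the lookup.
definition_id() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '/providers/Microsoft.Authorization/policyDefinitions/<definition_guid>'
    else
        az policy definition list --query "[?displayName=='$1'].id" -o tsv
    fi
}

scope=$(rg_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")
def_id=$(definition_id 'Add a tag to resources')
[ -n "$def_id" ] || { echo 'policy definition not found' >&2; exit 1; }

# 1. Assign with an identity. --mi-system-assigned creates it, --role and
#    --identity-scope grant it what the definition's roleDefinitionIds demand
#    (Contributor is assumed here); --location is mandatory with an identity.
run az policy assignment create --name 'add-env-tag' \
    --policy "$def_id" --scope "$scope" --location "$LOCATION" \
    --params "$(tag_params Environment prod)" \
    --mi-system-assigned --identity-scope "$scope" --role Contributor

# 2. Modify only fires on create/update, so pre-existing resources need a
#    remediation task. The command takes --resource-group, not --scope.
run az policy remediation create --name 'add-env-tag-remediation' \
    --policy-assignment 'add-env-tag' --resource-group "$RESOURCE_GROUP"

# 3. Watch provisioningState/deploymentStatus until the task completes.
run az policy remediation show --name 'add-env-tag-remediation' \
    --resource-group "$RESOURCE_GROUP"
```

Run it with DRY_RUN=0 once the placeholders are replaced. The role granted through --role should match the definition's roleDefinitionIds exactly (check them with az policy definition show); granting more than the definition lists leaves a standing identity with unnecessary write rights on every resource in the scope.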
Example 6: Create a Policy Assignment with Enforcement Mode
policyId=$(az policy definition list \
  --query "[?displayName=='Deny public access to storage accounts'].id" -o tsv)
az policy assignment create --name 'deny-public-access' \
  --policy "$policyId" \
  --scope '/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>' \
  --enforcement-mode 'Default'
This assigns a Deny policy for storage account public access to the resource group in enforcement mode Default, which is also the value used when the flag is omitted: the Deny effect rejects non-compliant writes. Setting --enforcement-mode 'DoNotEnforce' instead makes the same assignment evaluate and report compliance without blocking anything, which is the usual way to preview what a Deny would reject before enforcing it; the mode can be switched later with az policy assignment update --name 'deny-public-access' --scope '<same scope>' --enforcement-mode 'Default'.
Example 7: Create a Policy Assignment with Description
policyId=$(az policy definition list \
  --query "[?displayName=='Require a tag on resource groups'].id" -o tsv)
az policy assignment create --name 'enforce-tag-on-rg' \
  --policy "$policyId" \
  --scope '/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>' \
  --params '{ "tagName": { "value": "Environment" } }' \
  --description 'Ensure all resource groups have the required tags.'
This assigns the tag policy with an accompanying description that is shown alongside the assignment in the portal and in az policy assignment show. The definition's tagName parameter has no default, so --params is required; without it the assignment fails validation.
Example 8: Exclude Specific Scopes from Policy Assignment
policyId=$(az policy definition list \
  --query "[?displayName=='Audit VMs that do not use managed disks'].id" -o tsv)
az policy assignment create --name 'audit-vm-managed-disks-sub' \
  --policy "$policyId" \
  --scope '/subscriptions/<subscription_id>' \
  --not-scopes '/subscriptions/<subscription_id>/resourceGroups/<excluded_resource_group>'
This assigns the policy to the whole subscription while excluding one resource group from evaluation. Every --not-scopes entry must lie inside --scope, so the assignment is made at subscription scope here; an assignment scoped to a single resource group cannot exclude a different one. A distinct assignment name is used because names must be unique within a scope and audit-vm-managed-disks was already used in Example 1.
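Examples 4 and 6 describe, separately, listing non-compliant resources and choosing an enforcement mode. The following added example (not from the original page) combines them into a staged rollout of a Deny policy: the assignment is created in DoNotEnforce, an on-demand scan shows what Default mode would reject, and the mode is flipped in place only when PROMOTE=1. It assumes the built-in definition displayed as "Require a tag on resource groups" (tagName parameter), a POLICY_ID resolved beforehand with az policy definition list, the assignment name require-env-tag and a placeholder subscription; with DRY_RUN=1 (the default) the az commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not code from the original page: staged rollout of a Deny
# policy. The assignment starts in DoNotEnforce, so it reports what it would
# block without blocking; a scan then lists the would-be denials, and the mode
# is switched to Default only when PROMOTE=1. Assumes the built-in definition
# displayed as "Require a tag on resource groups" (tagName parameter) and a
# POLICY_ID resolved beforehand with
#   az policy definition list --query "[?displayName=='...'].id" -o tsv
# With DRY_RUN=1, the default, az commands are printed rather than executed.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-<subscription_id>}"
POLICY_ID="${POLICY_ID:-/providers/Microsoft.Authorization/policyDefinitions/<definition_guid>}"
ASSIGNMENT="${ASSIGNMENT:-require-env-tag}"
DRY_RUN="${DRY_RUN:-1}"
PROMOTE="${PROMOTE:-0}"

# Subscription scope string.
sub_scope() {
    printf '/subscriptions/%s' "$1"
}

# Print the command (dry run) or execute it.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi; }

# Stage: the Deny effect is present, but DoNotEnforce means nothing is
# rejected yet; compliance is still evaluated and recorded.
stage() {
    run az policy assignment create --name "$ASSIGNMENT" \
        --policy "$POLICY_ID" --scope "$(sub_scope "$SUBSCRIPTION_ID")" \
        --params '{"tagName":{"value":"Environment"}}' \
        --display-name 'Require Environment tag (staged)' \
        --enforcement-mode DoNotEnforce
}

# Preview: force an evaluation instead of waiting for the scheduled cycle,
# then list exactly what Default mode would have denied.
preview() {
    run az policy state trigger-scan
    run az policy state list --policy-assignment "$ASSIGNMENT" \
        --filter "complianceState eq 'NonCompliant'" \
        --query '[].resourceId' -o tsv
}

# Enforce: update the existing assignment rather than deleting and
# recreating it, which would discard its compliance history.
enforce() {
    run az policy assignment update --name "$ASSIGNMENT" \
        --scope "$(sub_scope "$SUBSCRIPTION_ID")" --enforcement-mode Default
}

stage
preview
if [ "$PROMOTE" = "1" ]; then
    enforce
else
    echo "Review the list above, then rerun with PROMOTE=1 to enforce." >&2
fi
```

A subscription-wide trigger-scan can take several minutes because it waits for the evaluation to finish; add --no-wait and poll az policy state list later if the script runs in a pipeline with a step timeout.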
Real-World Use Cases
Scenario 1: Enforcing Compliance for Regulatory Standards
An organization in the financial sector must comply with strict regulations that dictate how data must be stored and accessed. By using Azure Policy, the organization can enforce compliance through policies that restrict the types of resources that can be deployed and require specific tags for data classification.
Scenario 2: Automating Resource Management
A company uses Azure for its development and production environments. They assign policies to ensure that all production resources have specific security configurations and tags. When a resource drifts, assignments that use the DeployIfNotExists or Modify effect bring it back into compliance automatically (on write, or through a remediation task for resources that already existed); Audit assignments surface the drift in compliance reports and Deny assignments block further non-compliant changes.
Scenario 3: Monitoring and Reporting Compliance
A large enterprise wants to maintain visibility over its Azure resources' compliance state. By using Azure Policy assignments, the company can regularly evaluate compliance across all subscriptions and resource groups, generating reports that highlight non-compliant resources and the necessary actions to take.
Best Practices
- Use Built-in Policies: Leverage Azure's built-in policies to save time and ensure best practices are followed.
- Combine Policies into Initiatives: Group related policies into initiatives for easier management and compliance tracking.
- Regularly Review and Update Policies: Periodically review your policies to ensure they reflect current organizational standards and compliance requirements.
- Monitor Compliance States: Use Azure Policy compliance reports to track non-compliant resources and take remedial actions.
- Implement Remediation Tasks: Set up remediation tasks for assignments that use DeployIfNotExists or Modify, so that resources created before the assignment are corrected as well; Audit and Deny assignments cannot be remediated.
- Stage Deny Policies: Assign a new Deny policy with --enforcement-mode DoNotEnforce first, review the non-compliance it reports, and switch to Default once the impact is understood.
Common Errors
Error: Policy Assignment Creation Failed
- Cause: The value passed to --policy is not a definition name or resource ID (built-in definitions are named by GUID, so passing a display name such as 'Audit VMs that do not use managed disks' fails), the definition does not exist, or a required parameter was not supplied through --params.
- Solution: Resolve the definition with az policy definition list --query "[?displayName=='<display name>'].id" -o tsv and pass that value; check which parameters it requires with az policy definition show.
Error: Insufficient Permissions
- Cause: The user does not have the required permissions to create policy assignments.
- Solution: Ensure the user has the Resource Policy Contributor role (or Owner) at the target scope. Contributor alone is not sufficient, because it excludes Microsoft.Authorization write operations. Creating an assignment with a managed identity and --role additionally requires the right to create role assignments, such as Owner or User Access Administrator.
Error: Non-Compliant Resource
- Cause: Resources in scope do not satisfy the policy rule. This is an evaluation result, not a command failure.
- Solution: Inspect the records with az policy state list --filter "complianceState eq 'NonCompliant'" and compare the flagged properties with the policy rule. Audit assignments only report; Deny assignments block further non-compliant writes; only DeployIfNotExists or Modify assignments can be corrected with a remediation task.
Error: Invalid Scope
- Cause: The specified scope is incorrectly formatted or does not exist.
- Solution: Validate the scope format and ensure the resource group or subscription exists.
Related Commands
| Command | Description |
|---|---|
| az policy definition list | List built-in and custom policy definitions; use --query to resolve a display name to a definition ID. |
| az policy definition create | Create a new custom policy definition. |
| az policy assignment list | List all policy assignments in a given scope. |
| az policy assignment update | Change an existing assignment, for example its enforcement mode, parameters or excluded scopes. |
| az policy state trigger-scan | Start an on-demand compliance evaluation instead of waiting for the scheduled cycle. |
| az policy state summarize | Get a summary of the compliance state for policy assignments. |
| az policy remediation list | List remediation tasks at a scope. |
Automation Script
Here is a simple automation script that creates a policy assignment auditing VMs without managed disks, forces an evaluation, and reports the non-compliant VMs. No remediation task is created: Audit policies only report, and remediation tasks apply to DeployIfNotExists and Modify assignments only.
#!/bin/bash
set -euo pipefail
# Variables
resourceGroupName="<your_resource_group>"
subscriptionId="<your_subscription_id>"
policyName="audit-vm-managed-disks"
scope="/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"
# Login to Azure (interactive; in pipelines use a service principal or managed identity instead)
az login
az account set --subscription "$subscriptionId"
# Resolve the built-in definition: --policy takes its name or ID, not the display name
policyId=$(az policy definition list \
  --query "[?displayName=='Audit VMs that do not use managed disks'].id" -o tsv)
[ -n "$policyId" ] || { echo "Policy definition not found" >&2; exit 1; }
# Create policy assignment
az policy assignment create --name "$policyName" \
  --policy "$policyId" \
  --scope "$scope" \
  --display-name "Audit VM Managed Disks"
# Evaluate now rather than waiting for the next scheduled cycle
az policy state trigger-scan --resource-group "$resourceGroupName"
# Report the VMs the audit flagged
az policy state list --resource-group "$resourceGroupName" \
  --policy-assignment "$policyName" \
  --filter "complianceState eq 'NonCompliant'" \
  --query "[].resourceId" -o tsv
echo "Policy assignment created; non-compliant VMs are listed above."
Conclusion
In this tutorial, we explored how to enforce governance in Azure using Azure Policy via the CLI. We covered the essential command az policy assignment create, its syntax, and various practical examples. By leveraging Azure Policy, organizations can automate compliance checks, manage non-compliant resources, and ensure that their Azure environments adhere to established governance standards.
As a next step, consider exploring more about Azure Policy initiatives and how they can help manage multiple policies in a single assignment. For further reading, check the official documentation.
