## Policy as rules

PSRule for Azure allows you to export your current Azure Policy assignments as rules that enforce the same controls during development. This allows you to:

- Reuse controls — that have already been deployed as guardrails in your environment, for example the Azure Cloud Adoption Framework or regulatory compliance standards.
- Reduce deployment issues — by identifying, before a deployment is attempted, Azure Policy controls that could prevent it from succeeding.

This topic covers using policy as rules, which lets you use Azure Policy assignments as rules to test Infrastructure as Code.
Experimental

Policy as rules is a work in progress. As always, if you find bugs or errors, or if something just doesn't work as you expect it to, please let us know. You can log a bug on GitHub or provide feedback.

This feature does not support:

- Resource provider modes — these evaluate data plane information that is only exposed at runtime. Policies that target resource provider modes are automatically ignored.
- Disabled policies — Policy definitions with the effect
- Unassigned policies — Only policy definitions assigned to a scope are exported.
- Policies that check for assessment status — Some policies use additional detection tools to check for compliance. Policies that check for assessment status are ignored.
- Importing rules — Rules generated from policy assignments cannot be imported back into Azure Policy.
## Using policy as rules

Using policy as rules is a two-step process:

- Export assignment data from Azure.
- Convert assignments to rules.

### Export assignment data
Use `Export-AzPolicyAssignmentData` to export assignments from Azure to an assignment JSON file.

- Before running this command, connect to an Azure subscription by installing the Az PowerShell module and signing in with it.
- This command has no required parameters, and by default will export all assignments from your current Azure subscription. You can change the current Azure subscription context before running the command.
### Convert assignments to rules

Use `Export-AzPolicyAssignmentRuleData` to convert assignments to rules.

To run this command, specify the `-AssignmentFile` parameter with the path to the assignment JSON file generated in the previous step.

After the command completes, a new file matching `*.Rule.jsonc` should be generated containing the generated rules.
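The two steps above run end to end, as an added PowerShell example that is not part of the PSRule for Azure documentation or module. Only `Export-AzPolicyAssignmentData`, `Export-AzPolicyAssignmentRuleData`, `-AssignmentFile` and the `*.Rule.jsonc` output pattern come from the text; the `-OutputPath` parameter, the `out/` folder, the `*.assignment.json` file name pattern and the closing `Assert-PSRule` call are assumptions about how the generated rules are consumed.

```powershell
# Added example, not from the PSRule for Azure docs. Assumptions are marked inline.
# Requires the Az and PSRule.Rules.Azure modules, and an existing Azure sign-in.
$ErrorActionPreference = 'Stop'

# Assumed working folder for exported assignment data and generated rules.
$outDir = Join-Path $PWD 'out'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Step 1: export the policy assignments of the current subscription context.
# -OutputPath is assumed to be the parameter that selects the export folder.
Export-AzPolicyAssignmentData -OutputPath $outDir

# Assumed file name pattern for the exported assignment JSON.
$assignmentFiles = Get-ChildItem -Path $outDir -Filter '*.assignment.json'
if (-not $assignmentFiles) {
    throw "No assignment file was exported to $outDir. Check the subscription context."
}

# Step 2: convert each exported assignment file into rules.
foreach ($file in $assignmentFiles) {
    Export-AzPolicyAssignmentRuleData -AssignmentFile $file.FullName -OutputPath $outDir
}

# The text above says a *.Rule.jsonc file should now exist; fail loudly if it does not,
# because an empty rule set would silently test nothing.
$ruleFiles = Get-ChildItem -Path $outDir -Filter '*.Rule.jsonc'
if (-not $ruleFiles) {
    throw "Conversion produced no *.Rule.jsonc file in $outDir."
}
$ruleFiles | ForEach-Object { Write-Host "Generated rules: $($_.Name)" }

# Assumed usage: test IaC in the current folder with the generated rules.
# -Path points PSRule at the folder holding the generated rule files, and
# -Module loads PSRule for Azure so templates and Bicep files expand to resources.
Assert-PSRule -Path $outDir -Module PSRule.Rules.Azure -InputPath '.' -Format File
```

Remember that policies the feature ignores (resource provider modes, disabled or unassigned policies, assessment-status checks) produce no rule, so a passing run here covers only the subset of assignments that were converted, not the full assignment set in Azure.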