Skip to content

Policy as rules#

PSRule for Azure allows you to export your current Azure Policy assignments out as rules to enforce controls during development. This allows you to:

  • Reuse controls — that have already deployed with implementation of guardrails in your environment. For example: Azure Cloud Adoption Framework or regulatory compliance standards.
  • Reduce deployment issues — by identifying Azure Policy controls that could prevent a deployment from succeeding.

Abstract

This topic covers using policy as rules which allows you to use Azure Policy as rules to test Infrastructure as Code.

Experimental - Learn more

Policy as rules are a work in progress. As always if you find bugs/ errors or if something just doesn't work as your expect it to, please let us know. You can log a bug on GitHub or provide feedback here.

Limitations#

This feature does not support:

  • Resource provider modes — evaluate data plane information exposed at runtime. Policies that target resource provider modes are automatically ignored.
  • Disabled policies — Policy definitions with the effect Disabled are ignored.
  • Unassigned policies — Only policy definitions assigned to a scope are exported.
  • Policies that check for assessment status — Some policies use additional detection tools to check for compliance. Policies that check for assessment status are ignored.
  • Importing rules — Rules generated from policy assignments cannot be imported back into Azure Policy.

Using policy as rules#

Using policy as rules is a two step process:

  1. Export assignment data from Azure.
  2. Convert assignments to rules.

Export assignment data#

Run Export-AzPolicyAssignmentData to export assignments from Azure to an *.assignment.json file.

Key points:

  • Before running this command, connect to an Azure subscription by installing the Az PowerShell module and using Connect-AzAccount.
  • This command has no required parameters, and by default will export all assignments from you current Azure subscription. You can change the current Azure subscription by using Set-AzContext.

Bug

Currently a known incompatibility exists with 7.x of Az.Resources which introduced a breaking change. Please use Az.Resources >= v6.7.0 and < v7.0.0. For more information see Issues with Az.Resources

For example:

PowerShell
# Install and import required modules.
Install-Module Az.Resources -RequiredVersion '6.7.0' -Force -Scope CurrentUser
Import-Module Az.Resources -RequiredVersion '6.7.0'
Import-Module PSRule.Rules.Azure

# Connect to Azure
Connect-AzAccount
Set-AzContext -Subscription '<subscriptionId>'

# Export assignments
Export-AzPolicyAssignmentData

Convert assignments to rules#

Run Export-AzPolicyAssignmentRuleData to convert assignments to rules. To run this command an -AssignmentFile parameter with the path to the assignment JSON file generated in the previous step.

After the command completes a new file *.Rule.jsonc should be generated containing generated rules.

For example:

PowerShell
Export-AzPolicyAssignmentRuleData -AssignmentFile '.\<subscriptionId>.assignment.json'

Running policy rules#

Rules and an initial baseline are generated in a file ending in .Rule.jsonc. This file extension and format are automatically detected by PSRule when it is run from an included source path. To start using the policy rules, copy the file to the default include sub-directory (.ps-rule/) in the root of your repository.

Additionally, the following setup is required to scan Infrastructure as Code (IaC):

  1. Set a binding configuration.
  2. Configure expansion for processing Bicep or ARM templates.
  3. Include the PSRule.Rules.Azure module.
  4. Optionally specify a baseline to limit the rules evaluated to policy rules.

Generated baseline#

v1.33.0

When exporting policies, PSRule for Azure will automatically generate a baseline including any generated rules. By default, this baseline is called Azure.PolicyBaseline.All. If you change the prefix of generated rules the baseline will be named <Prefix>.PolicyBaseline.All.

See Using baselines for examples on how to use a baseline in a run.

Customizing the generated rules#

PSRule for Azure allows you to:

  • Set a name prefix — to help identify generated rules. By default, generated rules and baselines are prefixed with Azure. To change the prefix:
    • Use the -RulePrefix parameter when running Export-AzPolicyAssignmentRuleData. OR
    • Set the AZURE_POLICY_RULE_PREFIX configuration option in ps-rule.yaml.
  • Exclude specific policies — by setting the AZURE_POLICY_IGNORE_LIST configuration option in ps-rule.yaml. This option allows you to prevent specific policies from being exported as rules.

For example:

ps-rule.yaml
configuration:
  AZURE_POLICY_RULE_PREFIX: MyOrg
  AZURE_POLICY_IGNORE_LIST:
  - /providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9
  - /providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0

Duplicate policies#

v1.33.0

When exporting policies, you may encounter definitions that are duplicates of existing rules shipped with PSRule for Azure. By default, built-in Azure policies that are duplicates of existing rules are ignored. Additionally, PSRule for Azure will automatically switch in existing rules into the generated baseline.

Note

This only applies to built-in Azure policies that are duplicates of existing rules. Custom policies are not effected.

The list of built-in policies that are duplicates can be viewed here. If you believe a policy is missing from this list, please open an issue.

This allows you to:

  • Focus on policies that are unique to your environment and not already covered by PSRule for Azure.
  • Benefit from the additional references and examples provided by PSRule for Azure.
  • Reduce noise reporting the same issue multiple times.

To override this behavior use the -KeepDuplicates parameter switch when running Export-AzPolicyAssignmentRuleData.

Recommended content#

Comments