# Policy as rules
PSRule for Azure allows you to export your current Azure Policy assignments out as rules to enforce controls during development. This allows you to:
- Reuse controls — that have already been deployed as guardrails in your environment. For example: Azure Cloud Adoption Framework or regulatory compliance standards.
- Reduce deployment issues — by identifying Azure Policy controls that could prevent a deployment from succeeding.
Abstract
This topic covers policy as rules, which allows you to use Azure Policy assignments as rules to test Infrastructure as Code.
Experimental - Learn more
Policy as rules is a work in progress. As always, if you find bugs or errors, or if something just doesn't work as you expect it to, please let us know. You can log a bug on GitHub or provide feedback here.
## Limitations
This feature does not support:
- Resource provider modes — evaluate data plane information exposed at runtime. Policies that target resource provider modes are automatically ignored.
- Disabled policies — Policy definitions with the effect `Disabled` are ignored.
- Unassigned policies — Only policy definitions assigned to a scope are exported.
- Policies that check for assessment status — Some policies use additional detection tools to check for compliance. Policies that check for assessment status are ignored.
- Importing rules — Rules generated from policy assignments cannot be imported back into Azure Policy.
## Using policy as rules

Using policy as rules is a two-step process:

1. Export assignment data from Azure.
2. Convert assignments to rules.

## Export assignment data

Run `Export-AzPolicyAssignmentData` to export assignments from Azure to an `*.assignment.json` file.
Key points:
- Before running this command, connect to an Azure subscription by installing the `Az` PowerShell module and using `Connect-AzAccount`.
- This command has no required parameters, and by default will export all assignments from your current Azure subscription. You can change the current Azure subscription by using `Set-AzContext`.
## Convert assignments to rules

Run `Export-AzPolicyAssignmentRuleData` to convert assignments to rules.
To run this command, specify the `-AssignmentFile` parameter with the path to the assignment JSON file generated in the previous step.
After the command completes, a new `*.Rule.jsonc` file should be generated containing the generated rules.
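The two-step workflow above, end to end, as an added example that is not part of the PSRule for Azure docs. It assumes the `Az` and `PSRule.Rules.Azure` modules are installed, that the subscription id and the Infrastructure as Code path are placeholders you replace, and that `Assert-PSRule` is used to run the generated baseline against your files.

```powershell
# Added example, not from the PSRule for Azure documentation.
# Assumptions: Az and PSRule.Rules.Azure are installed; '<subscription-id>' and
# '<path-to-iac>' are placeholders; the Assert-PSRule call is an assumed usage.

# 1. Sign in and select the subscription whose assignments you want to export.
Connect-AzAccount
Set-AzContext -Subscription '<subscription-id>'   # placeholder

# 2. Export policy assignments. No parameters are required; by default every
#    assignment in the current subscription is written to a *.assignment.json file.
Export-AzPolicyAssignmentData

# 3. Find the exported assignment file(s) and convert each one to rules.
$assignmentFiles = Get-ChildItem -Path . -Filter '*.assignment.json'
if (-not $assignmentFiles) {
    throw 'No *.assignment.json file was exported; check Connect-AzAccount and Set-AzContext.'
}
foreach ($file in $assignmentFiles) {
    # -RulePrefix is optional; 'MyOrg' is a constructed value. Omit it to keep the
    # default 'Azure' prefix, which names the baseline Azure.PolicyBaseline.All.
    Export-AzPolicyAssignmentRuleData -AssignmentFile $file.FullName -RulePrefix 'MyOrg'
}

# 4. Confirm the generated rule file exists before relying on it.
$ruleFiles = Get-ChildItem -Path . -Filter '*.Rule.jsonc'
if (-not $ruleFiles) {
    throw 'No *.Rule.jsonc file was generated; check the assignment export.'
}

# 5. Test Infrastructure as Code against the generated baseline. With the MyOrg
#    prefix the baseline is MyOrg.PolicyBaseline.All; -Path points at the directory
#    that holds the generated *.Rule.jsonc so PSRule can discover the baseline.
Assert-PSRule -Module 'PSRule.Rules.Azure' -Path '.' `
    -Baseline 'MyOrg.PolicyBaseline.All' `
    -InputPath '<path-to-iac>/' -Format File   # placeholder input path
```

A failing `Assert-PSRule` run surfaces, before deployment, the same policy controls that would otherwise block or flag the deployment in Azure.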
## Customizing the generated rules

PSRule for Azure allows you to:

- Set a name prefix — to help identify generated rules. By default, generated rules and baselines are prefixed with `Azure`. To change the prefix:
  - Use the `-RulePrefix` parameter when running `Export-AzPolicyAssignmentRuleData`. OR
  - Set the `AZURE_POLICY_RULE_PREFIX` configuration option in `ps-rule.yaml`.
- Exclude specific policies — by setting the `AZURE_POLICY_IGNORE_LIST` configuration option in `ps-rule.yaml`. This option allows you to prevent specific policies from being exported as rules.

For example:

```yaml
configuration:
  AZURE_POLICY_RULE_PREFIX: MyOrg
  AZURE_POLICY_IGNORE_LIST:
    - /providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9
    - /providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0
```
## Generated baseline

When exporting policies, PSRule for Azure will automatically generate a baseline including any generated rules.
By default, this baseline is called `Azure.PolicyBaseline.All`.
If you change the prefix of generated rules, the baseline will be named `<Prefix>.PolicyBaseline.All`.
See Using baselines for examples on how to use a baseline in a run.
## Duplicate policies

When exporting policies, you may encounter definitions that are duplicates of existing rules shipped with PSRule for Azure. By default, built-in Azure policies that are duplicates of existing rules are ignored. Additionally, PSRule for Azure will automatically substitute the existing rules into the generated baseline.

Note

This only applies to built-in Azure policies that are duplicates of existing rules. Custom policies are not affected.

The list of built-in policies that are duplicates can be viewed here. If you believe a policy is missing from this list, please open an issue.

This allows you to:

- Focus on policies that are unique to your environment and not already covered by PSRule for Azure.
- Benefit from the additional references and examples provided by PSRule for Azure.
- Reduce noise from reporting the same issue multiple times.

To override this behavior, use the `-KeepDuplicates` switch parameter when running `Export-AzPolicyAssignmentRuleData`.