
Getting Started

EPAC scripts can be installed in the following ways:

EPAC Quick Start

In this quick start you can get set up with EPAC and use it to extract the policies and assignments in your own environment. From that point you can either choose to let EPAC manage the policies or look at some of the more advanced features allowing you to complete a gradual rollout.

For this example all you need is Reader permission on the management group you point the quick start at (the deploymentRootScope set in step 7): the export in step 8 only reads policy objects and writes nothing to Azure. Deploying plans later requires write permissions on the target scope. Follow the steps below.

  1. Install PowerShell 7.
  2. Install the Az PowerShell modules and connect to Azure.
        Install-Module Az -Scope CurrentUser
        Connect-AzAccount
    
  3. Install the Enterprise Policy as Code module.
        Install-Module EnterprisePolicyAsCode -Scope CurrentUser
    
  4. Many scripts take parameters for their input and output folders, and these default to the current directory. To avoid files being created in the wrong location, use one of the following instead of accepting the default:

    • Set the environment variables PAC_DEFINITIONS_FOLDER, PAC_OUTPUT_FOLDER, and PAC_INPUT_FOLDER.
    • Use the script parameters -DefinitionsRootFolder, -OutputFolder, and -InputFolder.
  5. Create a new EPAC definitions folder to hold policy objects.

        New-EPACDefinitionFolder -DefinitionsRootFolder Definitions
    

  6. This creates a folder called Definitions with a number of subfolders and a global-settings.jsonc file in which the environment is defined.
  7. Edit the global-settings.jsonc file by copying the sample below. Modify the commented sections as appropriate.
        {
            "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/global-settings-schema.json",
            "pacOwnerId": "f2ce1aea-944e-4517-94fb-edada00633ae", // Generate a guid using New-Guid and place it here
            "managedIdentityLocations": {
                "*": "australiaeast" // Update the default location for managed identities
            },
            "globalNotScopes": {
                "*": [
                    "/resourceGroupPatterns/excluded-rg*"
                ]
            },
            "pacEnvironments": [
                {
                    "pacSelector": "quick-start",
                    "cloud": "AzureCloud",
                    "tenantId": "bdb8ea1c-17da-4423-8895-6b79af002b4e", // Replace this with your tenant Id
                    "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/root" // Replace this with a management group that represents the functional root in your environment. 
                }
            ]
        }
    
  8. Extract all the existing policies and assignments at the scope indicated above by running the script below.
        Export-AzPolicyResources -DefinitionsRootFolder .\Definitions -OutputFolder Output
    
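Steps 2 to 8 above can be run as one script. The following is an added example, not code from the EPAC project or its documentation; it assumes the management group name (`root`), the managed-identity location and the `Definitions`/`Output` folder names are placeholders you change, that `New-EPACDefinitionFolder` and `Export-AzPolicyResources` are called with the parameters shown on this page, and that the `Get-AzManagementGroup -GroupName` pre-flight check (Az.Resources) is a reasonable way to confirm Reader on the root scope before the export starts. The global-settings.jsonc created in step 5 is overwritten with one built from the live Azure context.

```powershell
#Requires -Version 7.0
<#
  Added example (not EPAC's own code or docs): steps 2 to 8 of the quick start
  as one re-runnable script. Assumptions: the management group name, the
  managed-identity location and the folder names are placeholders; the
  global-settings.jsonc created by New-EPACDefinitionFolder is overwritten.
#>
param(
    # Management group that is the functional root of your environment (placeholder).
    [string] $RootManagementGroup = 'root',
    # Default location for managed identities of DeployIfNotExists/Modify assignments.
    [string] $ManagedIdentityLocation = 'australiaeast',
    [string] $Workspace = (Get-Location).Path
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Steps 2 and 3: install the modules once per user; CurrentUser scope needs no admin rights.
foreach ($module in 'Az', 'EnterprisePolicyAsCode') {
    if (-not (Get-Module -ListAvailable -Name $module)) {
        Install-Module -Name $module -Scope CurrentUser -Repository PSGallery
    }
}

# Connect-AzAccount prompts interactively; reuse an existing context when one is present.
if (-not (Get-AzContext)) {
    Connect-AzAccount | Out-Null
}
$context   = Get-AzContext
$tenantId  = $context.Tenant.Id
$rootScope = "/providers/Microsoft.Management/managementGroups/$RootManagementGroup"

# Pre-flight: Reader on the root management group is the only permission the export needs.
# Get-AzManagementGroup throws when the signed-in identity cannot read the group, which is
# cheaper to find out here than halfway through the export.
$null = Get-AzManagementGroup -GroupName $RootManagementGroup

# Step 4: pin every folder explicitly so nothing lands in an unexpected directory.
$definitionsFolder = Join-Path $Workspace 'Definitions'
$outputFolder      = Join-Path $Workspace 'Output'
$env:PAC_DEFINITIONS_FOLDER = $definitionsFolder
$env:PAC_OUTPUT_FOLDER      = $outputFolder
$env:PAC_INPUT_FOLDER       = $outputFolder

# Steps 5 and 6: create the Definitions folder tree (it includes a default global-settings.jsonc).
if (-not (Test-Path -Path $definitionsFolder)) {
    New-EPACDefinitionFolder -DefinitionsRootFolder $definitionsFolder
}

# Step 7: write global-settings.jsonc using the tenant from the live context and a fresh GUID.
# Keep the generated pacOwnerId: EPAC uses it to tell its own policy objects from everything else.
$globalSettings = [ordered]@{
    '$schema'                = 'https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/global-settings-schema.json'
    pacOwnerId               = (New-Guid).Guid
    managedIdentityLocations = @{ '*' = $ManagedIdentityLocation }
    globalNotScopes          = @{ '*' = @('/resourceGroupPatterns/excluded-rg*') }
    pacEnvironments          = @(
        [ordered]@{
            pacSelector         = 'quick-start'
            cloud               = $context.Environment.Name   # e.g. AzureCloud
            tenantId            = $tenantId
            deploymentRootScope = $rootScope
        }
    )
}
$settingsPath = Join-Path $definitionsFolder 'global-settings.jsonc'
$globalSettings | ConvertTo-Json -Depth 6 | Set-Content -Path $settingsPath -Encoding utf8

# Step 8: read-only export of the custom definitions and assignments under the root scope.
Export-AzPolicyResources -DefinitionsRootFolder $definitionsFolder -OutputFolder $outputFolder

# Summarise what was produced. Zero files usually means the root scope was wrong or the
# identity lacks Reader there, not that the tenant has no custom policy.
$exported = Get-ChildItem -Path $outputFolder -Recurse -File -Include '*.json', '*.jsonc'
Write-Host ("Exported {0} policy files to {1}" -f $exported.Count, $outputFolder)
```

Run it from the directory that should hold Definitions and Output, e.g. `.\Invoke-EpacQuickStart.ps1 -RootManagementGroup 'contoso-root'`. The file written in step 7 is plain JSON, which is valid JSONC; add the explanatory comments from the sample above by hand if you want them in the committed file.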

In the Output folder you should now find all the custom policy definitions and assignments deployed in your environment. From this point you can choose how best to use EPAC to manage Azure Policy in your environment, including:

  • Copy the Output files into the appropriate folders in your Definitions folder and use the Build-DeploymentPlans command to generate a plan for policy deployment. Once the plan is generated you can use the Deploy-PolicyPlan and Deploy-RolesPlan commands to start managing deployed policies with EPAC.
  • Read up on Desired State Strategy and plan a gradual rollout of policy using EPAC.
  • Use the artifacts in the Starter Kit for some in-depth examples and sample pipelines for CI/CD integration.
  • Review the rest of this documentation to examine some of the more complex EPAC features.

If there are any issues please raise them in the [GitHub Repository](https://github.com/Azure/enterprise-azure-policy-as-code/issues).

Create your environment

  • Set up a DevOps environment for your developers (on their workstations) and your CI/CD pipeline runners/agents (on a VM or set of VMs) to facilitate correct implementations.
    Operating Environment Prerequisites: The EPAC Deployment process is designed for DevOps CI/CD. It requires the installation of several tools to facilitate effective development, testing, and deployment during the course of a successful implementation.
  • Acquire the PowerShell scripts (options)
  • Import Azure PowerShell Module
  • Create a source repository and import the source code from this repository.

Define your deployment scenarios

Create the CI/CD (skip if using the semi-automated approach)

Build your definitions and assignments

Manage your Policy environment

Debug EPAC issues

Should you encounter issues with the expected behavior of EPAC, try the following: