Assigning Azure Policies: A Code-based Approach (please)

In this post, we will continue our discussion on Azure policies and dive into how you can easily assign policies in Azure via code.

As mentioned in the previous post, policies help ensure that your resources are configured consistently and in accordance with your organizational standards, industry regulations, and security best practices. By defining policies, you can set rules and constraints that prevent non-compliant resources from being created or modified.

Manually assigning policies can be time-consuming, error-prone, and difficult to scale. Luckily, Azure provides several ways to automate policy assignment, including PowerShell, Azure CLI, REST API, .NET core, Python and others.

In this post, we will focus on PowerShell.

Before we dive in, let's take a quick look at the basic structure of an Azure policy:
• Policy definition: A JSON file that defines the policy, including its name, description, and rules.
• Policy assignment: An instance of a policy definition that is applied to a specific scope, such as a subscription, resource group, or resource.
• Policy effect: The action that is taken when a resource violates the policy, such as denying the creation of the resource or auditing the violation.

To assign a policy via code, we need to perform the following steps:

1. Authenticate: Before you can do anything, you need to authenticate your application or user. You can use Azure Active Directory (AAD) to authenticate and obtain a token that is required for subsequent calls.
2. Create a policy definition: You can create a new policy definition or use an existing one.
3. Create a policy assignment: Once you have a policy definition, you can create a policy assignment that applies the policy to a specific scope.
4. Verify the policy assignment: After creating a policy assignment, you can verify that it was successfully applied by checking the status of the assignment.

Here's a sample code snippet in PowerShell that demonstrates how to assign a built-in policy definition to a subscription:

# Authenticate
Connect-AzAccount

# Define the policy definition
$definition = Get-AzPolicyDefinition -Id '/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b'

# Create the policy assignment
New-AzPolicyAssignment -Name 'MyPolicyAssignment' -DisplayName 'My Policy Assignment' -Scope '/subscriptions/<your_subscription_id_here>' -PolicyDefinition $definition

In this example, we first authenticate to Azure using the 'Connect-AzAccount' cmdlet. Then, we use the 'Get-AzPolicyDefinition' cmdlet to retrieve a built-in policy definition by its ID. Next, we use the 'New-AzPolicyAssignment' cmdlet to create a new policy assignment with a name, display name, scope, and policy definition.

You can modify this code to create policy assignments for other scopes, such as a resource group or a resource. You can also use custom policy definitions that you have defined yourself. In that case, you can define it in a JSON file and, in PowerShell, use the 'New-AzPolicyDefinition' cmdlet to create it.
Here we are referencing an existing policy (disables SQL Server public network access, follow this link for a list of built-in policy definitions for Azure SQL).

Conclusion

In conclusion, assigning policies via code can save you time, reduce errors, and enable you to scale policy management in your cloud environment. Azure provides several APIs and tools that make it easy to automate policy assignment, and you can use any programming language that supports HTTP requests to interact with the Azure Policy APIs.