Cloud technologies like Azure can appear deceptively simple, but not setting up a governance system in the initial stages can result in operational roadblocks further down the line.
While roles and groups enable flexible permissions for users, policies in Azure enable you to apply rules for resources in your organization to govern compliance, cost limits, consistency, and security.
In this article, we’ll briefly explain the basics of policies, and then show how you can assign them to a scope of resources using the Azure CLI.
Understanding Policies in Azure
Azure policies are sets of rules that dictate what is allowed in either a specific resource group or across the account. For example, policies can be instituted to prevent over-provisioning and unexpected resource costs.
In practice, these policy definitions are written in JSON and then assigned to a particular scope of resources. A set of related policies grouped together is referred to as a policy initiative.
If a resource is created or updated in a way that violates a policy you have configured, then, depending on how you configured it, Azure can deny the change, log the issue, or apply additional remediation.
You can either use built-in policy options or fully customize them. For more details on creating policy definitions, see the Azure documentation on policy definitions.
Here’s what a policy definition looks like in practice:
Assigning a Policy to a Scope
Once you have a policy definition you want to enforce, you assign it with the az policy assignment create command:
The command accepts many parameters for customizing the assignment, including enforcement options. These are the different types of scope you can use when assigning a policy:
- Management group: a container that manages policies across multiple subscriptions
- Subscription: a separately billed Azure account or plan
- Resource group: a container that holds related resources
- Resource: any entity managed by Azure (virtual machines, virtual networks, storage accounts, etc.)
Here’s an example using a management group as a scope.
Once the assignment is in place, compliance is evaluated whenever a resource in the scope is created or updated, whenever policies in the scope are added or updated, and once every 24 hours.
Updating an Existing Policy Assignment
If you need to change an existing policy assignment, run the az policy assignment update command:
This update example changes the description of an existing policy:
Instead of updating a description, you might want to update these parameters:
- --enforcement-mode -e: change the enforcement mode for the policy
- --not-scopes: create exceptions within the scope where this policy doesn’t apply
- --params -p: change the JSON-formatted string, or the path to a file, where the policy definition exists
Now that we’ve covered creating and updating policies, let’s look at deleting policies that are no longer relevant.
Deleting a Policy Assignment
To delete a policy assignment, you can use the az policy assignment delete command:
You can delete the assignment by passing just the name parameter.
Alternatively, you can delete the assignment within a particular scope by additionally passing a scope or resource-group parameter.
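The create, update and delete steps above, combined into one script as an added example (not code from the original article): it writes a deny-effect policy rule that allows only listed VM SKUs, registers it as a definition at management-group scope, assigns it there, relaxes the assignment to audit-only with an exempted sandbox subscription, and finally removes it. The management group name, policy names, SKU list and subscription ID are placeholders; the AZ variable exists only so the commands can be dry-run (AZ=echo) without touching a real tenant.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes you have run az login
# and replaces corp-prod / the subscription ID / the SKU list with your own.
# AZ lets you dry-run the calls, e.g. AZ=echo ./assign-policy.sh run
set -eu

mg_scope() {                  # full resource ID of a management group
    printf '/providers/Microsoft.Management/managementGroups/%s' "$1"
}
mg_definition_id() {          # $1 = mg name, $2 = definition name
    printf '%s/providers/Microsoft.Authorization/policyDefinitions/%s' "$(mg_scope "$1")" "$2"
}

# policyRule JSON: deny VM creation unless the SKU is on the allowlist
# (one way to stop over-provisioning); parameter values come from the assignment.
write_policy_rule() {         # $1 = output file
    cat > "$1" <<'EOF'
{ "if": { "allOf": [
    { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
    { "not": { "field": "Microsoft.Compute/virtualMachines/sku.name",
               "in": "[parameters('allowedSkus')]" } } ] },
  "then": { "effect": "deny" } }
EOF
}

create_definition() {         # $1 = mg name, $2 = definition name, $3 = rules file
    "${AZ:-az}" policy definition create --name "$2" --rules "$3" --mode All \
        --management-group "$1" --params '{"allowedSkus":{"type":"Array"}}' \
        --display-name "Allowed VM SKUs (constructed example)"
}
assign_policy() {             # $1 = assignment name, $2 = mg name, $3 = definition name
    "${AZ:-az}" policy assignment create --name "$1" --scope "$(mg_scope "$2")" \
        --policy "$(mg_definition_id "$2" "$3")" --enforcement-mode Default \
        --params '{"allowedSkus":{"value":["Standard_B2s","Standard_D2s_v5"]}}'
}
relax_assignment() {          # $1 = assignment name, $2 = mg name, $3 = sandbox subscription ID
    "${AZ:-az}" policy assignment update --name "$1" --scope "$(mg_scope "$2")" \
        --enforcement-mode DoNotEnforce --not-scopes "/subscriptions/$3"
}
remove_assignment() {         # $1 = assignment name, $2 = mg name
    "${AZ:-az}" policy assignment delete --name "$1" --scope "$(mg_scope "$2")"
}

if [ "${1:-}" = "run" ]; then # placeholders: corp-prod and the all-zero subscription ID
    write_policy_rule /tmp/allowed-skus.json
    create_definition corp-prod allowed-vm-skus /tmp/allowed-skus.json
    assign_policy deny-large-vms corp-prod allowed-vm-skus
    relax_assignment deny-large-vms corp-prod 00000000-0000-0000-0000-000000000000
    remove_assignment deny-large-vms corp-prod
fi
```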
Simplify Policy Updates with Blink
Instead of having to look up the specific command for each of these actions, tools like Blink let you keep your policies up to date easily through a low-code/no-code UI.
Get started and create your free Blink account today.