stefangordon / azure-policy-samples
Azure Policy samples I put together which may be useful to others.
License: MIT License
Require the HSM/Premium SKU. If it makes sense, parameterize the required SKU with a fixed list of options.
Format as simple executable python3 script for now, e.g. #!/usr/bin/env python3
Deploy full form custom policy JSON (like the ones in this repo) to a specified scope (subscription or management group).
I'd just assume service principal auth for env variables for everything for now, e.g.

    import os
    from msrestazure.azure_active_directory import ServicePrincipalCredentials
    import constants  # module holding the env variable names listed below

    credentials = ServicePrincipalCredentials(
        client_id=os.environ[constants.ENV_CLIENT_ID],
        secret=os.environ[constants.ENV_CLIENT_SECRET],
        tenant=os.environ[constants.ENV_TENANT_ID],
        resource='https://management.core.windows.net/')

where (in constants.py)

    ENV_TENANT_ID = 'AZURE_TENANT_ID'
    ENV_CLIENT_ID = 'AZURE_CLIENT_ID'
    ENV_CLIENT_SECRET = 'AZURE_CLIENT_SECRET'
This isn't thought out all the way yet!
We need to have some concept of querying the list of definitions/assignments from the API and comparing that to our list in source control. (Presumably a pre-req is a bit of code to generate a list of definitions and assignments from a folder which is used here, along with looped over for deployments, tests, etc).
For instance, we could just blindly create or update everything, but what if something was deleted from source control? How would we know to go delete it from the subscription?
Also, just as an engineer, being able to print out or report on the delta seems like an important thing.
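One way to compute that delta, as an added example that is not the repo's own code: it reads full-form definitions from a folder, compares them by name against whatever the API returned, and reports what would be created, updated or deleted. The folder layout, the shape of the remote list and the constructed sample definitions are assumptions.

```python
#!/usr/bin/env python3
"""Delta between policy definitions in source control and those deployed at a
scope. Added example, not code from the repo; the folder layout, the shape of
the remote list and the sample definitions below are assumptions."""
import json
from pathlib import Path

# Fields the service adds on read (id, type, systemData, timestamps) are not in
# source control, so equality is decided on the authored fields only.
COMPARED_FIELDS = ("policyRule", "parameters", "mode", "displayName")

def load_local_definitions(folder):
    """name -> definition for every full-form *.json file in the folder."""
    defs = {}
    for path in sorted(Path(folder).glob("*.json")):
        doc = json.loads(path.read_text())
        defs[doc["name"]] = doc
    return defs

def normalize(definition):
    props = definition.get("properties", {})
    return {k: props.get(k) for k in COMPARED_FIELDS}

def plan_delta(local, remote):
    """local/remote: name -> definition. Returns the create/update/delete lists
    a deploy step would act on, or a dry run would report."""
    local_names, remote_names = set(local), set(remote)
    return {
        "create": sorted(local_names - remote_names),
        "update": sorted(n for n in local_names & remote_names
                         if normalize(local[n]) != normalize(remote[n])),
        "delete": sorted(remote_names - local_names),
    }

def example_delta():
    """Constructed sample: one definition changed remotely, one new, one orphaned."""
    rule = {"if": {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            "then": {"effect": "deny"}}
    local = {n: {"name": n, "properties": {"mode": "All", "policyRule": rule}}
             for n in ("deny-unrestricted-access", "require-premium-sku")}
    remote = {
        "deny-unrestricted-access": {"name": "deny-unrestricted-access", "id": "<set by service>",
            "properties": {"mode": "All", "policyRule": {**rule, "then": {"effect": "audit"}}}},
        "old-definition": {"name": "old-definition", "id": "<set by service>",
            "properties": {"mode": "All"}},
    }
    return plan_delta(local, remote)
```

Running `example_delta()` reports `require-premium-sku` to create, `deny-unrestricted-access` to update (its effect drifted to audit) and `old-definition` to delete; feeding `load_local_definitions(folder)` and the API's list into `plan_delta` gives the same report for a real scope.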
It must have a service endpoint and not be public
Let's make an ARM template which meets our storage policy of
https://github.com/stefangordon/azure-policy-samples/blob/master/Microsoft.Storage/deny-unrestricted-access.json
And let's make one that does not meet that policy.
This will allow us to experiment with python code to run a functional test of the custom policy.
Format as simple executable python3 script for now, e.g. #!/usr/bin/env python3
Should allow assigning a policy to a scope. Could be a CUSTOM or a BUILTIN policy definition assigned to scope of subscription, management group, or resource group.
Depends on #3
I'd just assume service principal auth for env variables for everything for now, e.g.

    import os
    from msrestazure.azure_active_directory import ServicePrincipalCredentials
    import constants  # module holding the env variable names listed below

    credentials = ServicePrincipalCredentials(
        client_id=os.environ[constants.ENV_CLIENT_ID],
        secret=os.environ[constants.ENV_CLIENT_SECRET],
        tenant=os.environ[constants.ENV_TENANT_ID],
        resource='https://management.core.windows.net/')

where (in constants.py)

    ENV_TENANT_ID = 'AZURE_TENANT_ID'
    ENV_CLIENT_ID = 'AZURE_CLIENT_ID'
    ENV_CLIENT_SECRET = 'AZURE_CLIENT_SECRET'
Basic python script to verify a policy definition. Perhaps it identifies the associated "assignments" and positive/negative templates to the definition and then tests them and verifies they succeed/fail as expected?
Likely outcome of this is not just a POC script, but some ideas on the best way to approach this, or if there is some other tooling/framework that would make it cleaner.
Define some artifacts that represent policy assignments (is the right way to do it with an ARM template that is parameterized perhaps?)
This will unblock #2