Introduction
In the world of cloud infrastructure management, maintaining security and compliance is crucial. Azure Policy helps in enforcing organizational standards and assessing compliance at scale. When combined with Terraform, an Infrastructure as Code tool, you can automate the deployment of Azure policies, ensuring a consistent and error-free implementation. In this blog post, we’ll walk through how to use Terraform to deploy Azure policies, using a specific policy as an example, and how to manage these policies efficiently through the Azure Portal.
What is Azure Policy?
Azure Policy is a service in Azure that you can use to create, assign, and manage policies. These policies enforce different rules over your resources, so they stay compliant with your corporate standards and service level agreements. An Azure Policy Definition is crucial for creating and managing custom policies within Azure, as it outlines the structure, dependencies, and tools like Terraform needed to manipulate these policies. For more details, you can refer to the official documentation on writing and implementing these policies.
Azure Policy is a set of policy definitions that govern your cloud resources, ensuring that they are aligned and compliant. These policy definitions include both custom and built-in policies, detailing the necessary steps and structures involved, such as specific JSON files and parameters, to enforce rules and effects on Azure resources.
Azure Policy Fundamentals
Azure Policy is a service in Microsoft Azure that allows you to create, assign, and manage policies that enforce different rules and effects on your Azure resources. These policies are essential for maintaining governance and compliance across your Azure environment, ensuring that resources are created and configured in a consistent and secure manner.
Azure Policy provides a centralized way to manage policies across your Azure environment. You can define policies at various scopes, including management groups, subscriptions, resource groups, and individual resources. This flexibility allows you to enforce a wide range of rules, from security and compliance to cost optimization.
One of the key features of Azure Policy is its ability to manage policy compliance and remediation. This includes policy assignments, which apply policies to specific resources, and exemptions, which allow certain resources to be excluded from policies. Additionally, remediation tasks help correct non-compliant resources, ensuring they meet the defined standards. With Azure Policy, you can ensure that your Azure resources are compliant with organizational policies and regulatory requirements.
Why Terraform Configuration?
Using Terraform for managing Azure Policy is an open-source tool that allows you to define and provision infrastructure using a high-level configuration language. It’s particularly powerful for managing cloud infrastructure and has robust support for Azure resources.
Deploying resources with Terraform ensures that both infrastructure and Azure Policies are automated, which is crucial for maintaining security and compliance within the Azure environment.
Organizing Resources with Management Groups and Resource Groups
In Azure, resources are organized into a hierarchical structure using management groups and resource groups. Management groups are used to group subscriptions together, allowing you to manage policies and access control at a higher level. This hierarchical structure makes it easier to apply and manage policies across multiple subscriptions, ensuring consistent governance.
Management groups provide a way to organize subscriptions into a logical hierarchy. You can create multiple management groups to organize your subscriptions, and each management group can have its own set of policies and access controls. This structure simplifies the management of large Azure environments by allowing you to apply policies and permissions at a higher level.
Resource groups, on the other hand, are used to group related resources together, such as virtual machines, storage accounts, and networks. This organization makes it easier to manage and monitor resources. Each resource group can have its own set of policies and access controls, providing a granular level of management. By using resource groups, you can ensure that related resources are managed together, improving efficiency and oversight.
Example Policy: Enforcing HTTPS Traffic Only on Storage Accounts
For demonstration purposes, we will use a policy that ensures all Azure Storage accounts enforce HTTPS traffic only. This is a common requirement for enhancing the security of data in transit. An initiative definition can be used to group related policies, making it easier to manage and assign them as a set.
At the end of the process, a policy assignment created for the specific resource group will ensure that the policy is applied correctly, highlighting the computational steps involved in executing Terraform commands and the importance of this assignment for managing policies efficiently.
Policy Definition
Here’s the Terraform code for our Azure policy:
resource "azurerm_policy_definition" "modify-storage-account-enable-Https-Only" {
name = "Modify - Storage Account - Enable HTTPS Traffic Only"
policy_type = "Custom"
mode = "All"
display_name = "Modify - Storage Account - Enable HTTPS Traffic Only"
description = "This Azure Policy will remediate a storage account resource to enable HTTPS only connections."
management_group_id = var.managementGroupId
metadata = <<METADATA
{
"category": "",
"version": "1.0.0"
}
METADATA
policy_rule = <<POLICY_RULE
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"notEquals": "[parameters('enableHttpsOnly')]"
}
]
},
"then": {
"effect": "DeployIfNotExists",
"details": {
"type": "Microsoft.Storage/storageAccounts",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
"equals": "[parameters('enableHttpsOnly')]"
}
]
},
"deployment": {
"properties": {
"mode": "Incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourceName": {
"type": "String"
},
"location": {
"type": "String"
},
"enableHttpsOnly": {
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('resourceName')]",
"location": "[parameters('location')]",
"properties": {
"supportsHttpsTrafficOnly": "[equals(parameters('enableHttpsOnly'), 'true')]"
}
}
],
"outputs": {}
},
"parameters": {
"resourceName": {
"value": "[field('name')]"
},
"enableHttpsOnly": {
"value": "[parameters('enableHttpsOnly')]"
},
"location": {
"value": "[field('location')]"
}
}
}
}
}
}
}
POLICY_RULE
parameters = <<PARAMETERS
{
"enableHttpsOnly": {
"type": "String",
"metadata": {
"displayName": "Enable HTTPS Traffic Only",
"description": "Specify whether to enable HTTPS Traffic Only."
},
"defaultValue": "true",
"allowedValues": [
"true",
"false"
]
}
}
PARAMETERS
}
This Terraform resource defines a custom policy in Azure that checks if the supportsHttpsTrafficOnly property on storage accounts is set to true.
Breaking Down the Policy
- Policy Properties:
- name, policy_type, mode, display_name, description: These properties define the basic attributes of the policy.
- management_group_id: Specifies the management group ID where the policy will be applied.
- Metadata:
- This section includes metadata about the policy such as the category and version.
- Policy Rule:
- The if and then blocks define the conditions and effects of the policy.
- The existenceCondition ensures that the policy only gets applied if the condition is not already met.
- Parameters:
- The policy includes a parameter enableHttpsOnly which allows for flexibility. It’s set to “true” by default.
Deploying the Policy Assignment
Deploying this policy with Terraform involves a few simple steps:
- Write the Terraform Configuration: Start by creating a Terraform configuration file with the policy definition.
- Initialize Terraform: Run terraform init to initialize the working directory.
- Plan the Deployment: Execute terraform plan to see the execution plan.
- Apply the Configuration: Finally, run terraform apply to apply the configuration and deploy the policy.
provider "azurerm" {
features {}
}
module "azure_policy" {
source = "./path_to_policy_main"
managementGroupId = var.managementGroupId
}
Policy Compliance and Remediation
Azure Policy provides a robust set of features for managing policy compliance and remediation. Policy compliance ensures that resources adhere to organizational policies and regulatory requirements, while remediation corrects non-compliant resources to bring them into compliance.
Policy assignments are used to apply policies to specific resources, ensuring they meet the defined standards. Exemptions allow certain resources to be excluded from policies, providing flexibility when necessary. Remediation tasks are essential for correcting non-compliant resources, ensuring they align with the required policies.
Azure Policy also offers a feature called “re-evaluate compliance,” which allows you to trigger an on-demand compliance scan for resources. This is particularly useful for ensuring that resources remain compliant after changes have been made. By leveraging these features, you can maintain a high level of compliance and security across your Azure environment.
Best Practices for Azure Policy Deployment
Here are some best practices for deploying Azure Policy:
- Start with a clear understanding of your organizational policies and regulatory requirements. This will help you define policies that are relevant and effective.
- Use management groups to organize your subscriptions. This will make it easier to manage policies and access control at a higher level.
- Use resource groups to organize your resources. This will make it easier to manage and monitor your resources.
- Define policies at the right scope. Policies can be defined at different scopes, including management groups, subscriptions, resource groups, and individual resources. Define policies at the scope that makes the most sense for your organization.
- Use policy assignments to assign policies to resources. Policy assignments are used to assign policies to resources, ensuring that resources are compliant with organizational policies and regulatory requirements.
- Use exemptions to exempt resources from policies. Exemptions are used to exempt resources from policies, allowing you to make exceptions to policies when necessary.
- Use remediation tasks to correct non-compliant resources. Remediation tasks are used to correct non-compliant resources and bring them into compliance.
- Monitor policy compliance regularly. Regularly monitoring policy compliance will help you identify non-compliant resources and take corrective action.
By following these best practices, you can ensure that your Azure Policy deployment is effective and efficient, and that your resources are compliant with organizational policies and regulatory requirements.
Conclusion
By leveraging Terraform to deploy Azure policies, IT teams can ensure consistent policy enforcement across their Azure environment. This approach not only saves time but also reduces the risk of manual errors, thereby maintaining a strong security posture in the cloud.
Remember, while the example here focused on enforcing HTTPS on storage accounts, Terraform and Azure Policy can be used together to enforce a wide range of rules and policies across your Azure resources.
