Skip to content

alguadam/AzurePoliciesLab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

40 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Welcome

Welcome to this lab

This lab will guide you through the creation and management of Azure Policies and Assignments using Azure DevOps

Lab prerequisites

Theoretical prerequisites

The goal of this Lab is to put focus on how to create and deploy Azure Policies and assignments using ARM Templates, Azure DevOps Repos or Github and Azure DevOps Pipelines.

However, this Lab will not explain the required DevOps toolset, so in order to succeed with this lab you need to know how to work with:

  • ARM Templates
  • Azure Repos / Github
  • Azure Pipelines (Classic and YAML)

Recommended software for your PC

Azure PowerShell Az module

The Azure Az PowerShell module will be needed.

# Install Module Azure Az
Register-PSRepository -Default
Install-Module Az -Force

Git

You will need Git to work with your Github / Azure Repo. You can install Git at https://git-scm.com/downloads

IDE (Visual Studio Code)

You will need a IDE to let you work with an Azure DevOps or GitHub Repository and ARM Templates. We recommend that you use Visual Studio Code for this lab with at least the following extensions installed:

Pre-provisioned Environment

You can use a pre-provisioned environment for this lab in Cloud Labs.

This environment will provision for you:

  • An Azure DevOps Organization
  • An Azure Subscription
  • An Azure Resource Group
  • An AAD User with Owner permissions assigned to the Resource Group and permissions to work with Policies at subscription level
  • An AAD Service Principal with Owner permissions assigned to the Resource Group and permissions to work with Policies at subscription level.

Once provisioned, make sure that follow these steps:

  • Create an Azure DevOps Project inside the provided Organization, it can created following this steps.
  • Configure to add the provisioned Service Principal to the Azure DevOps project as a Azure RM Service Connection.

With this configuration ready, you can use Visual Studio Code to clone your Github repository or the DevOps Repo in this project and start the lab.

Configure your own environment

If you want to do this lab in your own environment instead of the Pre-provisioned environment, you need to configure the prerequisites listed below:

Git Repository (Azure DevOps Repo / Github)

You will write and version your ARM Templates using a Git Repo. We recommend the following options for using as Git repository:

See how to clone your Repo with Visual Studio Code

Azure Pipelines

You will configure CD and CI using Azure Pipelines. You will need an Azure DevOps Project here in order to use Pipelines.

You can use both Azure Repos and Github with your Pipelines

Azure DevOps Service Connection (Azure Active Directory Service Principal)

You wil use a Service Principal connected to your Azure DevOps pipelines that will allow you to deploy resources to Azure.

If you have your own Azure Subscription, you can let Azure DevOps create one Service Principal for you.

If you don't have access to your own subscription, you can use the following Service Principal:

Subscription ID : 67e1610d-40e5-4d22-9346-f860a28825d7
Application (client) ID : e1aae0bd-8491-4262-a237-5fddd2dbc7e2
Directory (tenant) ID : 72f988bf-86f1-41af-91ab-2d7cd011db47
Password : xlBI/mVq7MH8A7jQU3QTPb+ffbbLZS]-

Azure Subscription and Permissions

Custom Policies and Initiatives are defined at Subscription level, so for this lab you will need to have access to one Azure Subscription.

If you don't have one, we will grant you access to our Azure Policies Lab subscription

In this subscription:

Your Deployment Service Principal needs to have at least the following permissions:

Action Description
*/read Read resources of all types, except secrets
Microsoft.Authorization/policyassignments/* Create and manage policy assignments
Microsoft.Authorization/policydefinitions/* Create and manage policy definitions
Microsoft.Authorization/policysetdefinitions/* Create and manage policy sets
Microsoft.PolicyInsights/* Work with compliance information
Microsoft.Resources/checkPolicyCompliance/* Check the compliance status of a given resource against resource policies
Microsoft.Resources/deployments/* Manage Deployments at Subscription level
Microsoft.Resources/subscriptions/resourcegroups/* Manage Deployments at Resource Group level
Microsoft.KeyVault/* Work with Key Vaults
Microsoft.Compute/* Work with Virtual Machines
Microsoft.Storage/* Work with Storage Accounts
Microsoft.Network/* Work with Virtual Networks

Your user needs to have at least the following permissions:

Action Description
*/read Read resources of all types, except secrets.
Microsoft.Authorization/policyassignments/* Create and manage policy assignments
Microsoft.Authorization/policydefinitions/* Create and manage policy definitions
Microsoft.Authorization/policysetdefinitions/* Create and manage policy sets
Microsoft.PolicyInsights/* Work with compliance information
Microsoft.Resources/checkPolicyCompliance/* Check the compliance status of a given resource against resource policies
Microsoft.Resources/deployments/* Manage Deployments at Subscription level
Microsoft.Resources/subscriptions/resourcegroups/* Manage Deployments at Resource Group level
Microsoft.Storage/* Work with Storage Accounts

Register the Azure Policy Insights resource provider

Register the Azure Policy Insights resource provider using Azure PowerShell to validate that your subscription works with the resource provider. To register a resource provider, you must have permission to run the register action operation for the resource provider. This operation is included in the Contributor and Owner roles.

Run the following command to register the resource provider:

Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'