Stage 5 · Platform
Infrastructure as Code on Azure
Azure Policy as Code
Built-in policies, custom policy definitions, initiatives, and compliance.
What Is Azure Policy?
Azure Policy is a service that evaluates Azure resources against rules (policies) and enforces compliance. Policies can audit, modify, or block resource creation to ensure adherence to organizational standards.
- Audit — Flag non-compliant resources without blocking creation
- Deny — Block resource creation or modification that violates policy
- Modify — Automatically add tags, append settings, or deploy extensions
- DeployIfNotExists — Deploy a related resource when a condition is met
- Append — Add fields to a resource during creation
Policy Effects
| Effect | Behavior | Use Case |
|---|---|---|
| Deny | Blocks non-compliant creation | Enforce naming, restrict regions |
| Audit | Flags without blocking | Monitor compliance gradually |
| Modify | Adds/modifies properties | Auto-tag resources |
| DeployIfNotExists | Deploys missing resources | Enable diagnostics |
| Disabled | Turns off policy | Testing, temporary exclusion |
Built-in Policies
# List policies related to allowed locations
az policy definition list \
--query "[?contains(displayName, 'Allowed location')].{name:name, displayName:displayName}" \
--output table
# Assign a built-in policy
az policy assignment create \
--name allowed-locations \
--policy "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c" \
--params '{"listOfAllowedLocations": ["eastus", "westus2", "westeurope"]}' \
--scope "/subscriptions/{sub-id}"
# Check compliance
az policy state list \
--policy-assignment-name allowed-locations \
--query "[].{resource:resourceId, compliance:complianceState}" \
--output tableThe --scope parameter determines where the policy applies. Apply at management group level for organization-wide enforcement.
Deploy new policies with Audit effect first. Review compliance results, then switch to Deny after confirming the policy does not block legitimate resources.
Custom Policy Definitions
{
"mode": "Indexed",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"anyOf": [
{
"field": "tags['Environment']",
"exists": "false"
},
{
"field": "tags['Team']",
"exists": "false"
}
]
}
]
},
"then": {
"effect": "deny",
"details": {
"message": "VMs must have both 'Environment' and 'Team' tags."
}
}
}
}The mode 'Indexed' only evaluates resource types that support tags. 'All' evaluates all resource types. Use Indexed for tag-based policies.
# Create the policy definition
az policy definition create \
--name require-tags-vm \
--display-name "Require Tags on VMs" \
--description "VMs must have Environment and Team tags" \
--rules ./policy-rules.json \
--mode Indexed
# Assign it at the subscription level
az policy assignment create \
--name require-tags-vm \
--policy require-tags-vm \
--scope "/subscriptions/{sub-id}"Custom policy definitions are stored in the subscription or management group where they are created. They can be exported and reused across subscriptions.
Policy Initiatives
Policy Initiatives (formerly Policy Set Definitions) group multiple policies into a single assignable unit. They simplify management and ensure related policies are deployed together.
# Create an initiative with multiple policies
az policy set-definition create \
--name initiative-aks-security \
--display-name "AKS Security Baseline" \
--description "Security policies for AKS clusters" \
--definitions '[
{
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00842834-eb2e-4a8a-a43a-d7b7af27e704",
"policyDefinitionReferenceId": "aksApiServerAccess"
},
{
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f845-2541-4e97-89a4-4297a921c09c",
"policyDefinitionReferenceId": "aksRbacEnabled"
}
]'
# Assign the initiative
az policy assignment create \
--name aks-security-baseline \
--policy-set-definition initiative-aks-security \
--scope "/subscriptions/{sub-id}"Initiatives can be deployed via ARM templates, Bicep, or Terraform. Store initiative definitions in version control for auditability.
Compliance Reporting
# Get compliance state for a policy assignment
az policy state list \
--policy-assignment-name allowed-locations \
--query "[].{resource:resourceId, compliance:complianceState, reason:reason}" \
--output table
# Get overall compliance percentage
az policy state summarized \
--scope "/subscriptions/{sub-id}" \
--query "{compliant:complianceDetails[0].percentage, nonCompliant:nonCompliantResources}" \
--output json
# Export compliance report
az policy state export \
--scope "/subscriptions/{sub-id}" \
--output-file compliance-report.jsonCompliance data is updated periodically (typically every 24 hours). Use the Azure Portal for visual compliance dashboards and export for audit reports.
Azure Policy evaluates resources at creation and periodically thereafter. Changes may take up to 24 hours to appear in compliance reports. Do not rely on real-time compliance for blocking changes.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.