Greetings folks and welcome to the third chapter of Awesome Azure Policy, a blog series focused on highlighting the latest awesome content from across the community and official Microsoft sources. As there’s an abundance of posts, videos, and repos to share since my second post I’ve curated a large feed of content down to a few select pickings for this chapter.
EPAC Official YouTube Launch
The Enterprise Policy as Code (EPAC) project from Microsoft continues to grow from strength to strength with a recent launch of their official channel @EnterprisePolicyAsCode already filled with awesome content to support the project’s existing detailed documentation wiki.
With regular updates to the official repo from maintainers and the community translating to a healthy pipeline of content for this EPAC channel I’m excited to see the project continue to mature and innovate in the Azure policy as code space.
Getting Started with Enterprise Policy As Code
Continuing on with the awesome EPAC theme of this post – Sunny aka @SomeoneElsesCloud has just released new high-quality content covering how to get started with EPAC. I’ve shared the timestamps below so you can get a sense of the breadth and depth of what Sunny dives into. Great work!
00:00 Intro
00:13 What is EPAC?
00:41 Azure Policy Benefits
01:56 Policy Definitions, Initiatives & Assignments
04:56 Software Requirements
05:25 Azure RBAC Requirements
06:05 EPAC Folder Structure Explained
07:15 Global Settings Configuration File Explained
12:06 Deployment Scripts
14:00 EPAC Documentation + GitHub Repo
15:05 Demo Walkthrough
27:20 Azure DevOps Pipeline + Repo Governance and Controls
30:31 EPAC Tools – AzAdvertizer + AzGovViz
33:13 Wrap Up
Azure Policy Agents – Automated Testing Framework
Microsoft have recently made public a new concept for automating testing of Azure Policies leveraging Microsoft Foundry and Agent based testing. Architecture-wise the solution is fairly simple – agents hosted in Microsoft Foundry have custom instructions on testing policies – a single GitHub Action workflow uses PowerShell scripts to validate and detected changed policies in the branch before handing off the policy testing to the Agent which evaluates what’s needed to test the policy before creating and executing a PowerShell script to test the policy’s effect end to end (including creation of non-compliant resources).
At the time of writing Microsoft’s project AzurePolicyAgents only supports policies with Deny and Audit effects driven by GitHub Actions and there are backlog items to address these gaps. As part of a recent Arinco hackathon my team took on the challenge of forking and uplifting the project to support more policy effects and enhance the scalability and automation overall. Based on this recent experience I am quite happy with how the concept works overall given we were able to achieve a repeatable policy testing process for new/changed policies and I could see there were time savings with this approach vs other approaches I’ve seen out there in the wild. Watch this space!
Closing
Thanks again for reading about the latest awesome Azure Policy content from across the industry.
In my view, Azure Policy engines and deployment/management of policy objects is pretty much a ‘solved problem’ now with projects like EPAC. The largest gap to address now is testing of Azure policies in an automated scalable manner which has a level of accuracy and test coverage to ensure that compliance and business objectives are still maintained to the highest standards.
I hope you’ll join me for the next Awesome Azure Policy Chapter.
Until then,
Jesse
