stefangordon / azure-policy-samples Goto Github PK

Lets make an ARM template which meets our storage policy of
https://github.com/stefangordon/azure-policy-samples/blob/master/Microsoft.Storage/deny-unrestricted-access.json

And lets make one that does not meet that policy.

This will allow us to experiment with python code to run a functional test of the custom policy.

Basic python script to verify a policy definition. Perhaps it identifies the associated "assignments" and positive/negative templates to the definition and then tests them and verifies they succeed/fail as expected?

Likely outcome of this is not just a POC script, but some ideas on the best way to approach this, or if there is some other tooling/framework that would make it cleaner.

This isn't thought out all the way yet!

We need to have some concept of querying the list of definitions/assignments from the API and comparing that to our list in source control. (Presumably a pre-req is a bit of code to generate a list of definitions and assignments from a folder which is used here, along with looped over for deployments, tests, etc).

For instance we could just blindly create or update everything, but what if something was deleted from source control, how would we know to go delete it from the subscription?

Also, just as an engineer, being able to print out or report on the delta seems like an important thing.

Require the HSM/Premium sku. If it makes sense, parameterize the required SKU with a fixed list of options.

Format as simple executable python3 script for now, e.g. #!/usr/bin/env python3

Deploy full form custom policy JSON (like the ones in this repo) to a specified scope (subscription or management group).

I'd just assume service principal auth for env variables for everything for now, e.g.

            credentials = ServicePrincipalCredentials(
                client_id=os.environ[constants.ENV_CLIENT_ID],
                secret=os.environ[constants.ENV_CLIENT_SECRET],
                tenant=os.environ[constants.ENV_TENANT_ID],
                resource='https://management.core.windows.net/')

where

ENV_TENANT_ID = 'AZURE_TENANT_ID'
ENV_CLIENT_ID = 'AZURE_CLIENT_ID'
ENV_CLIENT_SECRET = 'AZURE_CLIENT_SECRET'

It must have a service endpoint and not be public

Format as simple executable python3 script for now, e.g. #!/usr/bin/env python3

Should allow assigning a policy to a scope. Could be a CUSTOM or a BUILTIN policy definition assigned to scope of subscription, management group, or resource group.

Depends on #3

I'd just assume service principal auth for env variables for everything for now, e.g.

            credentials = ServicePrincipalCredentials(
                client_id=os.environ[constants.ENV_CLIENT_ID],
                secret=os.environ[constants.ENV_CLIENT_SECRET],
                tenant=os.environ[constants.ENV_TENANT_ID],
                resource='https://management.core.windows.net/')

where

ENV_TENANT_ID = 'AZURE_TENANT_ID'
ENV_CLIENT_ID = 'AZURE_CLIENT_ID'
ENV_CLIENT_SECRET = 'AZURE_CLIENT_SECRET'

Define some artifacts that represent policy assignments (is the right way to do it with an ARM template that is parameterized perhaps?)

This will unblock #2