Observe and Identify Gaps
- Regulatory compliance requirements
- News, blogs, industry expectations
- Best practice guidelines
- Internal teams’ recommendation
- Built-in policies and GitHub policies
- And so on
Authoring Custom Policy
Can I use policy for this?
- Resource configurations
- Azure resources and (selectively) objects within the resource
- Auto-generation of aliases – Aliases abstract API versions.
- Resource type for compliance state
Resource Property Alias
- 95% coverage for all resource properties.
- If there is a Swagger API, then there should be an alias
- If not – open a support case
Authoring a Custom Policy
4 basic steps:
- Determine resource properties
- Find alias
- These first two are done in the VS Code extension
- And 3 other steps 😊
Browse resources in VS Code. Find the property alias. Copy/paste into new policy definition.
Test The Policy
- PUT & PATCH
- Property is compliant, is non-compliant, or doesn’t exist
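The three outcomes above are the ones a custom definition has to be tested against, and the "doesn't exist" case is the one most often missed. The following is an added example (not code from the session or from Azure Policy itself): a small local evaluator for a policy rule, with a constructed rule that uses the real `Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly` alias, so each case can be checked before a PUT/PATCH test against a real subscription. The evaluator's handling of missing properties (a comparison never matches) and the alias-to-property mapping are simplifying assumptions, not the engine's exact semantics.

```python
# Constructed custom policy rule. The alias is a real Storage RP alias; the
# anyOf branch is what catches the "property doesn't exist" case.
ALIAS = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly"
IS_STORAGE = {"field": "type", "equals": "Microsoft.Storage/storageAccounts"}
POLICY_RULE = {
    "if": {"allOf": [IS_STORAGE,
                     {"anyOf": [{"field": ALIAS, "exists": "false"},
                                {"field": ALIAS, "equals": "false"}]}]},
    "then": {"effect": "deny"},
}
# Same intent written naively: only an explicit value of false is caught.
NAIVE_RULE = {"if": {"allOf": [IS_STORAGE, {"field": ALIAS, "equals": "false"}]},
              "then": {"effect": "deny"}}


def resolve(resource, field):
    """Simplification (assumed): an alias's last path segment names a key under
    resource['properties']; the real engine maps aliases per API version."""
    if field == "type":
        return resource.get("type")
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])


def evaluate(cond, resource):
    """True when the condition matches, i.e. the 'then' effect would fire."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    value = resolve(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if value is None:  # assumed: a missing property satisfies no comparison
        return False
    if "equals" in cond:
        return str(value).lower() == str(cond["equals"]).lower()
    if "notEquals" in cond:
        return str(value).lower() != str(cond["notEquals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")


def compliance_state(resource, rule=POLICY_RULE):
    """A matched 'if' under a deny/audit effect surfaces as Non-compliant."""
    return "Non-compliant" if evaluate(rule["if"], resource) else "Compliant"


def storage_account(**props):
    """Constructed minimal storage-account resource document for testing."""
    return {"type": "Microsoft.Storage/storageAccounts", "properties": props}
```

Running the three sample resources through both rules shows the naive rule reporting a storage account with no `supportsHttpsTrafficOnly` property as Compliant, which is exactly the gap the explicit `exists: false` branch closes.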
Enforcement mode setting (recently introduced):
- Quick what-if testing (coming, January I think): test the result before you roll out the remediation.
Shows a released DevOps pipeline.
- Create Initiative
- Test Assignment
- Deploy (Enforcement Mode set to enabled)
- Azure Portal compliance experience
- Policy Insights API for summary and raw data
- Export compliance data (coming), e.g. Power BI – they are doing usability studies at Ignite this week.
Road Ahead For Azure Policy
- Regulatory compliance
- Multi-tenancy support with Azure Lighthouse
- Authoring and language improvement
- And more
Policy for Objects within a Resource
Announcing Key Vault preview. Demo shows ability to control child objects in the Key Vault resource.
And something for AKS engine – the slide moved too quickly. Demo shows assessment of pods inside an AKS cluster. Enables control of source images. Trying to deploy an unauthorised image to a pod fails because of the policy.
Organizing Resources with Resource Graph
- Management Group: hierarchy. Define hierarchical organization
- Tag: Metadata. Apply tags as metadata to logically organize resources into a taxonomy
- Resource graph: Visibility. Query, explore, and analyse cloud resources at scale
Why Resource Graph
Scale. A query across a large number of resources requires a complex query via ARM. That query fans out to the resource providers, and it just doesn’t scale because of performance: available capacity and quota limits.
Resource Graph sends the query to ARM, which then makes ONE call to ARG. ARG is like a big cache of all your resources. Any time there is a change, ARG is notified of that change very quickly.
ARG – What’s New
Resource Group/Subscription Support
- Stored in ResourceContainers table
- Resources is the default table for all existing resources
- mvexpand – expand an array/collection property
Support For Shared Queries
Save the queries into Graph Explorer.
- Private query
- Shared (Microsoft.resourcegraph/queries ARM resource)
- Saved to RG
- Subject to RBAC
Road Ahead For ARG
- Support for management groups
- Support for more dimensions
- Support for more resource properties, e.g. VM power state
Visibility To Resource Changes
Change History went into public preview earlier this year. Built on Resource Graph, which is already constantly informed about changes to resources. They take snapshots, identify the differences, and report on those changes. This is available in all regions and is free because it’s built on already existing functionality in ARG.
- Support for create/delete changes
- Support for change types
- Support for property breakdown
- Support for change category
- At scale – ability to query across resource containers
- Notifications – subscribe to notifications on resources
- Correlating “who” – Ability to correlate a change with the user or ID that performed the call