Azure Policy : what if we use Bicep ?
Hey everyone ! I hope you are doing well !
Recently, I wrote a post about deploying and testing policies using Terraform ! Many of you requested the same but using the all new Bicep !
What is Bicep ?
In simple words, Bicep is an ARM Domain Specific Language (DSL), when we compile the Bicep, we will get an ARM Template as output. The resulting ARM Template will be used to deploy the resources in Azure.
Azure Bicep is an abstraction of ARM Template. Everything that we do with ARM Templates, we can do it with Azure Bicep ! It adds some features that makes it easier than ARM Templates.
Wait, wait ! why a new language ? I should train my developers again ? Does it worth it ? As you know, ARM Template can become heavy to work with. I invite you to visit this website: Bicep Playground 0.4.1-ge2387595c9 (windows.net). It shows the ARM Template and its equivalent using Bicep.
How to deploy policies with Bicep ?
Deploying the policies was always a challenge. Should we deploy them using an Infra-As-Code tool? Should we use a scripting tool ? How can we update them ?
Bicep simplified it. Yes, we can deploy the definitions and assign them using Bicep !
- Deploy a policy definition :
To deploy the policy definition, we use the resource Microsoft.Authorization/policyDefinitions , It should give something like :
But wait, what if we have several policies ? What if we already have the JSON of the definitions ? Should we drop them and restart from scratch with Bicep ? What if we have huge policies ?
No worries ! As I told you, Bicep makes it very easy ! Let’s assume that I already have JSON files and I want to deploy several policies. The directory is organized as below :
--|Policies --|Policy-1.json
--|Policy-2.json
Using Bicep, we will get the policies inside the directory, and we will encode them so we can use the object inside the Bicep template.
Unfortunately, there is no function like Get-ChildItem (if you are familial with Powershell) to get all the items inside a directory. So for now, we will put the paths inside an array. The bicep template will look like :
The target scope is the subscription.
Then we get all the policies defined in the variable stringArray, we iterate over this array, then we load the content as objects inside the policies variable.
I will show how it looks using the ARM Templates to show how Bicep makes it very easy :
Well, yes, Bicep is easier and more understandable.
- Assign the policy :
To assign the policy, we simply use this part :
For each policy, we get its deployed definition and we assign it. Easy !
How to test the the policies ?
Testing if the policies that we have deployed is becoming a mandatory step so we can ensure a continuous deployment/delivery.
Actually you must think like a developer, Azure Policies are a code, so they must be tested before they got deployed.
We will deploy the resource using Bicep, if it is a Deny Policy, you will get an error saying that the resource was not deployed because of the policy.
Using Pester :
We deploy a Bicep template, we get the error and we compare it to see if it contains the policy name to be sure that it was denied with the policy.
The Bicep looks like :
It uses a module that deploys the Storage :
Putting all together with GitHub Actions
When we finish, we should automate all this, and deploy it continuously through a CI/CD tool.
Using the pipeline below, we will deploy the policy and run the tests :
the result looks like :
That’s it ! If you have a question, feel free to contact me on Linkedin :)
GitHub Repo : charotAmine/azurepolicy_Bicep (github.com)
Bella ciao,
