Azure Policy: What if you test your policies?
Hey everyone! I hope you are doing well!
I know, I just disappeared! I joined Microsoft as an Azure Infrastructure Consultant, so I had to take some time for the onboarding. Now that everything is going well, I am writing this post to talk about testing the policies that you use in your organization.
Use Case — MAIM & Co
Maim & Co is a catering consulting agency (which does not exist in real life; it is just a fictitious company used for this post).
Marouane (yes, the same Marouane we were talking about in an older post) moved to Maim & Co. He has to build a security tour for his new company.
He started by defining the services that should be validated, then he started creating and deploying some policies in Azure. He created a list of tasks to organize his job:
- Task-001: Prevent deploying a Storage Account without a firewall
Following the architecture of MAIM & Co, each deployed subscription contains a VNet.
The architecture above represents a new empty subscription. It contains a VNet by default.
The idea of Task-001 is that when we deploy a Storage Account, its firewall must integrate at least one subnet that belongs to the VNet.
Marouane thought about the problem and decided to create a policy:
- Storage-vnet-deny: This policy denies any attempt to create a storage account without a firewall.
To deploy this policy, Marouane decided to use Terraform and GitHub Actions.
Here is the link to the repo that contains all the code used: charotAmine/policyTests (github.com)
The YAML below defines the pipeline used to deploy the Terraform scripts (not necessarily only the policies; you can use it to deploy any resource :) )
- How to deploy the policies using Terraform:
Thanks to this post : Deploy azure policy using terraform — YD’s cloud life (wordpress.com), which explains how to deploy policies through terraform.
How to automatically test the policy
Testing the policies that we have deployed is becoming a mandatory step if we want continuous deployment/delivery.
You must think like a developer: Azure Policies are code, so they must be tested before they get deployed.
Back to Marouane's use case. Now that he has closed Task-001, he wanted to test the policy, so he went to the portal, MANUALLY created a new storage account without a firewall, and got the error:
That's OK, but will you do the same thing for all the environments? For all the policies? What if you do something wrong? Believe me, you don't want to dive into this!
The idea is to run these tests automatically. How?
We deploy the resource using Terraform or Bicep (or ARM templates). If it is a Deny policy, you will get an error saying that the resource was not deployed because of the policy. Otherwise, for Modify/Append policies, you write a test scenario that checks the resulting resource.
- Technically, how to do it?
Well, Marouane will write tests using Pester:
He wrote the script above to test the policy. It deploys the public storage account defined in TerraformFiles and checks that the policy articlePost_PA blocked it.
The result:
We see that his test is OK! So the policy is working :).
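A Pester test of the kind described above, written here as an added example (it is not the script from the post or from the charotAmine/policyTests repo). It assumes the Terraform files sit in a TerraformFiles folder next to the test, that the policy assignment name is a placeholder you replace with your own, and that Azure credentials are already in the environment as ARM_* variables.

```powershell
# Added example: deploy a storage account without a firewall through
# Terraform and assert that Azure Policy (effect: Deny) rejected it.
# Assumptions (not from the original post): TerraformFiles folder next to
# this file, ARM_* environment variables already set for the azurerm provider.

Describe 'Storage account deny policy' {

    BeforeAll {
        $script:TerraformDir = Join-Path $PSScriptRoot 'TerraformFiles'
        # Placeholder: replace with the name of your own policy assignment.
        $script:PolicyName = 'Storage-vnet-deny'

        Push-Location $script:TerraformDir
        # Pester runs blocks with ErrorActionPreference = Stop; relax it here
        # so that terraform writing to stderr does not abort the setup.
        $ErrorActionPreference = 'Continue'
        terraform init -input=false 2>&1 | Out-Null

        # A rejected deployment makes 'terraform apply' exit non-zero and
        # print the ARM error, which is exactly the outcome we want to see.
        $script:ApplyOutput = terraform apply -auto-approve -input=false -no-color 2>&1 | Out-String
        $script:ApplyExit   = $LASTEXITCODE
    }

    AfterAll {
        # Remove anything that did get created (nothing, if the policy worked).
        $ErrorActionPreference = 'Continue'
        terraform destroy -auto-approve -input=false 2>&1 | Out-Null
        Pop-Location
    }

    It 'refuses to create a storage account without a firewall' {
        $script:ApplyExit | Should -Not -Be 0
    }

    It 'is blocked by the policy and not by some unrelated error' {
        # RequestDisallowedByPolicy is the ARM error code for Deny effects,
        # so matching it separates a policy denial from a provider failure.
        $script:ApplyOutput | Should -Match 'RequestDisallowedByPolicy'
        $script:ApplyOutput | Should -Match ([regex]::Escape($script:PolicyName))
    }
}
```

Run it with `Invoke-Pester -Path ./Storage.Tests.ps1 -Output Detailed` from the pipeline; a green run means the deny policy stopped the deployment, while a failure on the second test tells you the deployment failed for a reason other than the policy.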
The full GitHub Actions pipeline :
Link to the repo : charotAmine/policyTests (github.com)
Thank you,
Ciao !