Azure Policy: What if you test your policies?

Amine Charot
Sep 10, 2021

Hey everyone! I hope you are doing well!

I know, I just disappeared! I joined Microsoft as an Azure Infrastructure Consultant, so I needed some time for the onboarding. Now that everything is going well, I'm writing this post to talk about testing the policies that you use in your organization.

Use Case — MAIM & Co

Maim & Co is a catering consulting agency (which does not exist in real life; it's just a fictitious company used for this post).

Marouane (yes, the same Marouane we were talking about in an older post) moved to Maim & Co. He has to build a security tour for his new company.

He started by defining the services that should be validated, then he started creating and deploying some policies in Azure. He created a list of tasks to organize his job:

  • Task-001: Prevent deploying a Storage Account without a firewall

According to the architecture of MAIM & Co, each deployed subscription contains a VNet.

A new subscription

The architecture above represents a new empty subscription. It contains a VNet by default.

The idea of Task-001 is that when we deploy a Storage Account, it must integrate at least one subnet that belongs to the VNet.

Marouane thought about the problem and decided to create a policy:

  • Storage-vnet-deny: this policy denies any attempt to create a storage account without a firewall

To deploy this policy, Marouane decided to use Terraform and GitHub Actions.

Here is the link to the repo that contains all the code used: charotAmine/policyTests (github.com)

The YAML below defines the pipeline used to deploy the Terraform scripts (not necessarily the policies; you can use it to deploy any resource :) )

  • How to deploy the policies using Terraform:

Thanks to this post: Deploy azure policy using terraform — YD's cloud life (wordpress.com), which explains how to deploy policies through Terraform.

How to automatically test the policy

Testing the policies that we have deployed is becoming a mandatory step to ensure continuous deployment/delivery.

Actually, you must think like a developer: Azure Policies are code, so they must be tested before they get deployed.

Back to Marouane's use case, now that he has closed Task-001. He wanted to test the policy, so he went to the portal, MANUALLY created a new storage account without a firewall, and got the error:

That's OK, but will you do the same thing for all the environments? For all the policies? What if you do something wrong? Believe me, you don't want to dive into this!

The idea is to run these tests automatically. How do we do this?

We deploy the resource using Terraform or Bicep (or ARM templates). If it is a Deny policy, you will get an error saying that the resource was not deployed because of the policy. Otherwise, you may write a test scenario to test Modify/Append policies!

  • Technically, how do we do it?

Well, Marouane will write tests using Pester:

He wrote the script above to test the policy. It deploys the public Storage Account inside TerraformFiles and checks whether the policy articlePost_PA blocked it.
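The shape of such a test, as an added Pester example that is not the script from the repo: it runs `terraform apply` in TerraformFiles, expects the apply to fail, and asserts that the failure is a policy deny naming articlePost_PA. It assumes Terraform is on PATH and already authenticated (for example through the ARM_* environment variables), that the Terraform files live in a `TerraformFiles` folder next to the test, and that the deny surfaces as the standard `RequestDisallowedByPolicy` error code from Azure Resource Manager.

```powershell
# Added example (not the repo's own test). Assumes ./TerraformFiles deploys a storage
# account without a firewall, and that the deny policy assignment is named articlePost_PA.

Describe 'Task-001: Storage-vnet-deny policy' {
    BeforeAll {
        $script:TfDir = Join-Path $PSScriptRoot 'TerraformFiles'
        Push-Location $script:TfDir
        try {
            terraform init -input=false -no-color 2>&1 | Out-Null
            # Merge stderr into stdout so the policy error text can be inspected.
            # A deny policy makes the apply exit non-zero, which is the expected outcome here.
            $script:ApplyOutput = (terraform apply -auto-approve -input=false -no-color 2>&1) -join "`n"
            $script:ApplyExitCode = $LASTEXITCODE
        } finally {
            Pop-Location
        }
    }

    It 'refuses to create a storage account without a firewall' {
        $script:ApplyExitCode | Should -Not -Be 0
    }

    It 'reports that the request was disallowed by policy' {
        # RequestDisallowedByPolicy is the error code Azure returns when a policy denies a request.
        $script:ApplyOutput | Should -Match 'RequestDisallowedByPolicy'
    }

    It 'names the articlePost_PA assignment as the cause' {
        # Guards against a different deny (quota, RBAC, another policy) passing the test by accident.
        $script:ApplyOutput | Should -Match 'articlePost_PA'
    }

    AfterAll {
        # Destroy whatever was created before the deny (e.g. the resource group) so the test is repeatable.
        Push-Location $script:TfDir
        try { terraform destroy -auto-approve -input=false -no-color 2>&1 | Out-Null } finally { Pop-Location }
    }
}
```

If the assignment exists but the test passes only on the exit code, the policy may not be the reason the apply failed; the third assertion is what ties the failure to this policy.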

The result :

We see that his test is OK! So the policy is working :).

The full GitHub Actions pipeline :

Link to the repo : charotAmine/policyTests (github.com)

Thank you,

Ciao!