Advanced Azure Policy management
This article describes how to manage Azure Policy at scale by using infrastructure as code (IaC). Policy-driven governance is a design principle for Azure landing zones. It helps to ensure that the applications you deploy comply with your organization's platform. It can take considerable effort to manage and test policy objects across an environment to ensure that compliance is met. Azure landing zone accelerators help to establish a secure baseline, but your organization might have further compliance requirements that you must meet by deploying other policies.
What is Enterprise Policy as Code (EPAC)?
EPAC is an open-source project that you can use to integrate IaC and manage Azure Policy. EPAC is built upon a PowerShell module and published to the PowerShell Gallery. You can use the features of this project to:
Create stateful policy deployments. The objects that are defined in the code become the source of truth for policy objects deployed in Azure.
Implement complex policy management scenarios, such as multitenant and sovereign-cloud deployments.
Export and integrate policies to incorporate existing custom policies that were developed prior to the Azure landing zone deployment.
Create and manage policy exemptions and policy documentation.
Use sample workflows to demonstrate Azure Policy deployments with GitHub Actions or Azure Pipelines.
Export noncompliance reports and create remediation tasks.
Reasons to use EPAC
You can use EPAC to deploy and manage Azure landing zone policies. You might want to consider implementing EPAC to manage policies if:
You have unmanaged policies in an existing brownfield environment that you want to deploy in a new Azure landing zone environment. Export the existing policies, and manage them with EPAC alongside the Azure landing zone policy objects.
You have an Azure deployment that doesn't fully align to an Azure landing zone, for example multiple management group structures for testing or a nonconventional management group structure. The default assignment structure that other Azure landing zone deployment methods provide might not fit your strategy.
You have a team that's not responsible for infrastructure deployment, for example a security team that might want to deploy and manage policies.
You require features from policies that aren't available in the Azure landing zone accelerator deployments, for example policy exemptions and documentation.
Get started
The EPAC GitHub repository provides detailed steps to start managing Azure Policy. Consider the following factors when determining whether the project is a good fit for your environment:
Environment topology: Multiple tenancies and complicated management group structures are supported. Consider how you want to structure your policy as code deployments to fit the topology, so multiple teams can manage policies and test new policy deployments.
Permissions: Consider how you manage permissions for the deployment, especially for roles and identities. EPAC provides multiple stages to deploy both the policies and role assignments, so separate identities can be used.
Existing policy deployments: In a brownfield scenario, you might have existing policies that must remain in place while EPAC is deployed. You can use the desired state strategy to ensure that EPAC manages only the defined policies and preserves existing policies.
Deployment methodology: EPAC supports Azure DevOps, GitHub Actions, and a PowerShell module to help deploy policies. You can use the sample pipelines in the EPAC starter kit and adapt them to your environment and requirements.
Follow the quickstart guide to export policy objects in your environment and get familiar with how EPAC manages Azure Policy.
For issues with the code or documentation, submit an issue in the GitHub repository.
Replace existing policy deployment solutions
EPAC replaces the policy deployment capabilities of the Azure landing zone accelerators. When you use these accelerators, you shouldn't use them to deploy Azure Policy because EPAC is the source of truth for policy in the environment.
For more information, see the following resources for policy management with Bicep and Terraform Azure landing zone accelerators:
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for