Policy-as-code

Policy defines an organization's business rules and governance around areas like compliance, security, cost, and consistency. Policy can be applied to entities at different levels of granularity. It can be used to surface non-compliance for audit purposes, to enforce compliance through policy gates for control purposes, or both.

Policy as code is an approach that treats policy artifacts as source code. This is conceptually similar to Infrastructure as Code (IaC) and provides similar benefits around repeatability and version control.

Understanding the characteristics of policy

Policy constraints are rules or conditions defined within a policy to regulate the behavior of the system to which the policy applies. These constraints can include various characteristics, such as:

  • Scope: Defines the extent or area to which a policy is relevant, such as a subscription, management group, resource group, or resource.
  • Effect: Specifies the outcome that occurs when the policy rule is evaluated, such as audit, deny, or modify actions.
  • Parameters: These are values passed to the policy that can influence its behavior, allowing for customization and flexibility.
  • Template Info: The component of a policy definition used to define the constraint template, specific to Kubernetes clusters in Azure Policy.
  • Policy Extensions: Additional requirements or conditions that can be added to a policy to extend its functionality.

Audits

You often need to report the compliance status of entities against a given policy without enforcing it. Performing an audit before formally updating policy can identify noncompliant entities without breaking systems. Manual intervention to remediate issues with entities may be preferred over automatic enforcement and can decrease the risk of disruption.

Examples of audit capability include the Azure Policy audit effect, Azure Policy states of compliance, and Gatekeeper Audit.

Policy definitions

A policy definition is a policy artifact that typically describes, at a minimum, a collection of parameters, a set of compliance conditions, and the actions to take if the conditions aren't met.

Examples of policy definitions include Azure Policy definition structure basics in the Azure Policy ecosystem as well as Constraint Templates in the Gatekeeper ecosystem.

Policy assignment

A policy assignment is a policy artifact that applies an instance of a policy definition to a collection of entities by supplying specific parameter values and scopes.

Examples of policy assignments include: Azure Policy assignment structure and Gatekeeper Constraints.

Policy enforcement

A policy gate enforces policy against entities being added to or modified within a system. A policy gate is typically built using a policy engine, policy definitions, and policy assignments.

Examples of services and tools that enforce policy include Azure Policy and Gatekeeper; see What is Azure Policy and Gatekeeper Introduction.
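The following added example (not Azure Policy's or Gatekeeper's code) wires together the artifacts described in the Audits, Policy definitions, Policy assignment and Policy enforcement sections: one definition with parameters and a condition, two assignments that apply it at different scopes with different parameter values and effects, an audit that only reports compliance states, and a gate that blocks only when the assigned effect is deny. The "[parameters('name')]" reference syntax imitates Azure Policy; the scopes, resource IDs and tags are constructed sample data.

```python
# Constructed mini policy engine (not Azure Policy's or Gatekeeper's code) wiring
# together the artifacts above: one definition, two assignments, an audit, a gate.
REQUIRE_TAG_DEFINITION = {  # definition: parameters plus one compliance condition
    "parameters": {"tagName": {"defaultValue": "owner"}, "effect": {"defaultValue": "audit"}},
    "rule": {"field": "tags", "hasKey": "[parameters('tagName')]"},  # Azure-style reference
}
# Assignments: the same definition applied at two scopes with different parameter values.
AUDIT_ASSIGNMENT = {"scope": "/subscriptions/sub-1", "parameters": {}}
DENY_ASSIGNMENT = {"scope": "/subscriptions/sub-1/resourceGroups/rg-prod",
                   "parameters": {"tagName": "costCenter", "effect": "deny"}}
RESOURCES = [  # constructed sample resources; only "tags" is evaluated
    {"id": "/subscriptions/sub-1/resourceGroups/rg-prod/vm1", "tags": {"owner": "a", "costCenter": "cc-42"}},
    {"id": "/subscriptions/sub-1/resourceGroups/rg-prod/vm2", "tags": {"owner": "b"}},
    {"id": "/subscriptions/sub-1/resourceGroups/rg-dev/vm3", "tags": {}},
    {"id": "/subscriptions/sub-2/resourceGroups/rg-x/vm4", "tags": {}},
]

def resolve(value, params):
    """Replace an Azure-style "[parameters('name')]" reference with the assigned value."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def evaluate(definition, assignment, resource):
    """Return (compliant, effect), or None when the resource is outside the assignment scope."""
    # Match on a path boundary so scope "/subscriptions/sub-1" does not also cover "sub-10".
    if not resource["id"].startswith(assignment["scope"].rstrip("/") + "/"):
        return None
    params = {k: v["defaultValue"] for k, v in definition["parameters"].items()}
    params.update(assignment["parameters"])  # assignment values override definition defaults
    rule = definition["rule"]
    compliant = resolve(rule["hasKey"], params) in resource.get(rule["field"], {})
    return compliant, params["effect"]

def audit(definition, assignment, resources):
    """Audit: report a compliance state per in-scope resource; nothing is blocked."""
    states = {}
    for resource in resources:
        result = evaluate(definition, assignment, resource)
        if result is not None:
            states[resource["id"]] = "Compliant" if result[0] else "NonCompliant"
    return states

def gate(definition, assignment, resource):
    """Policy gate for a resource being created or modified; only the deny effect blocks."""
    result = evaluate(definition, assignment, resource)
    if result is None or result[0] or result[1] != "deny":
        return "admitted"
    return "denied"
```

Running the audit under AUDIT_ASSIGNMENT reports vm3 as NonCompliant while admitting it, whereas DENY_ASSIGNMENT rejects vm2 (no costCenter tag) and ignores vm3 because rg-dev is outside its scope.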

Solution examples

To help you identify solutions, several examples are listed below:

For more information