PolicyDeepDive
In the ALZ-Bicep project we provide the ability to deploy all of the custom Azure Policy Definitions and Initiatives that are included as part of the Azure Landing Zones (Enterprise-Scale) repo by using the Custom Policy Definitions module.
The definitions in the lib folder of the Custom Policy Definitions module are kept up-to-date with the contents of the eslzArm/managementGroupTemplates/PolicyDefinitions folder via a GitHub Action and associated PowerShell scripts/modules that run once a day.
You can also make all of the Azure Landing Zone default Azure Policy Assignments using the ALZ Default Policy Assignments module.
Azure US Gov (aka Fairfax) is not covered today in ALZ-Bicep. Please raise a feature request if you would like to see this added via the issues 👍
What Azure Policies does Azure Landing Zone (Enterprise-Scale) provide additionally to those already built-in?
Great question! There are around 104 custom Azure Policy Definitions and around 7 custom Azure Policy Initiatives included as part of Azure Landing Zones (Enterprise-Scale) implementations, which add on to those already built-in within each Azure customer's tenant.
All of these custom Azure Policy Definitions and Initiatives are the same across all 3 implementation options for Azure Landing Zones: Terraform Module, Bicep Modules and Portal Accelerator Experience.
This is because the single source of truth is the Enterprise-Scale repo that both the Terraform and Bicep implementation options pull from to build their lib folders respectively.
You can see a fairly up-to-date list of these policies here: Policies included in Enterprise-Scale Landing Zones reference implementations
Our goal is always to try and use built-in policies where available and also work with product teams to adopt our custom policies and make them built-in, which takes time. This means there will always be a requirement for custom policies.
We have worked with the creator of AzAdvertizer to integrate all of the custom Azure Policy Definitions and Initiatives that are part of Azure Landing Zones into it, so that customers can explore the policies further in an easy-to-use tool that is popular in the community.
On either the Policy or Initiative section of the site, set the 'Type' column drop down (last one on the right hand side) to 'ESLZ' and you will see all the policies as mentioned above in the tool for you to investigate further.
AzAdvertizer also updates once per day!

As mentioned above, in Azure Landing Zones (Enterprise-Scale) we have a single source of truth for all of the custom Azure Policy Definitions and Initiatives, which is the Enterprise-Scale repo. This is done so we only have a single location in which to update the policies; the Bicep and Terraform implementations of ALZ then use automation to pull these policies from the Enterprise-Scale repo.
The ALZ-Bicep repo uses a GitHub Action with a couple of PowerShell scripts/modules to pull all of the custom Azure Policy Definitions and Initiatives from the Enterprise-Scale repo and split them into individual files. Along the way it makes some minor changes, replacing some placeholder values, and generates a couple of .txt files that contain a Bicep-friendly block of variables for all of the custom definitions, with references to their new paths.
The GitHub action runs every weekday at 0800 UTC.
Useful Links:
- update-policy.yml - GitHub Action
- Invoke-LibraryUpdate.ps1 - PowerShell Script
- Invoke-PolicyToBicep.ps1 - PowerShell Script
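The split-and-generate step described above, as an added PowerShell illustration that is not the project's own Invoke-LibraryUpdate.ps1 or Invoke-PolicyToBicep.ps1: it takes a constructed source document holding two definitions, writes one JSON file per definition into a lib-style folder, swaps an assumed scope placeholder for a token, and emits a Bicep-friendly variable block referencing the new paths. The input shape, the placeholder string, the file names and the variable name are all assumptions made for this example.

```powershell
# Added illustration of the split-and-generate step, not the project's own
# Invoke-LibraryUpdate.ps1 / Invoke-PolicyToBicep.ps1. The input shape, the
# "${current_scope_resource_id}" placeholder, file names and the Bicep variable
# name are all assumptions constructed for this example.
$ErrorActionPreference = 'Stop'
$libDir = Join-Path ([System.IO.Path]::GetTempPath()) 'alz-policy-demo/policy_definitions'
New-Item -ItemType Directory -Path $libDir -Force | Out-Null

# Constructed sample input: two custom definitions bundled in one document.
$sourceJson = @'
{ "definitions": [
    { "name": "Deny-PublicIP",
      "properties": { "displayName": "Deny public IP addresses", "policyType": "Custom", "mode": "All",
        "policyRule": { "if": { "field": "type", "equals": "Microsoft.Network/publicIPAddresses" },
                        "then": { "effect": "Deny" } } },
      "scope": "${current_scope_resource_id}" },
    { "name": "Deploy-Diagnostics-LogAnalytics",
      "properties": { "displayName": "Deploy diagnostics", "policyType": "Custom", "mode": "Indexed" },
      "scope": "${current_scope_resource_id}" }
] }
'@
$definitions = ($sourceJson | ConvertFrom-Json).definitions

$bicepVar = [System.Collections.Generic.List[string]]::new()
$bicepVar.Add('var varCustomPolicyDefinitionsArray = [')
foreach ($def in $definitions) {
    # One JSON file per definition. The upstream scope placeholder is swapped for a
    # token the Bicep module can replace with the target management group at deploy time.
    $fileName = "policy_definition_es_$($def.name).json"
    $body = ($def | ConvertTo-Json -Depth 20).Replace('${current_scope_resource_id}', '{{scope}}')
    Set-Content -Path (Join-Path $libDir $fileName) -Value $body -Encoding utf8

    # Bicep-friendly entry: the definition name plus a loadTextContent reference to the new path.
    $bicepVar.Add("  {")
    $bicepVar.Add("    definitionName: '$($def.name)'")
    $bicepVar.Add("    libDefinition: loadTextContent('lib/policy_definitions/$fileName')")
    $bicepVar.Add("  }")
}
$bicepVar.Add(']')
Set-Content -Path (Join-Path $libDir '_policyDefinitionsBicepInput.txt') -Value ($bicepVar -join "`n") -Encoding utf8

# Show what was produced: two per-definition files plus the generated variable block.
Get-ChildItem -Path $libDir | Select-Object -ExpandProperty Name
Get-Content -Path (Join-Path $libDir '_policyDefinitionsBicepInput.txt')
```

Reviewing the generated per-definition files (and diffing them against the previous run) is the point at which an unexpected change to a policy rule or effect coming from upstream can be caught before it reaches a deployment.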
We will explain this process further below in a series of diagrams:
Please see the following wiki article that explains this process further: Adding Custom Azure Policy Definitions
Please see the following wiki article that explains this process further: Assigning Azure Policies
If you discover any documentation bugs or would like to request new content, please raise them as an issue on the repo.
Contributions to this wiki are done through the main repo under docs/wiki.