title: Safe deployment of Azure Policy assignments
3
3
description: Learn how to apply the safe deployment practices (SDP) framework to your Azure Policy assignments.
4
-
author: timwarner-msft
5
-
ms.date: 11/14/2022
4
+
ms.date: 04/21/2023
6
5
ms.topic: conceptual
7
-
ms.author: timwarner
8
6
---
7
+
9
8
# Safe deployment of Azure Policy assignments
10
9
11
10
As your environment expands, so does the demand for a controlled continuous deployment (CD)
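Review bot: this front-matter hunk removes both `author: timwarner-msft` and `ms.author: timwarner` without adding replacement values, while only `ms.date` is refreshed; if the article metadata still requires an owner, add the new `author`/`ms.author` lines here instead of dropping the fields, or state in the change description why ownership metadata is being removed.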
@@ -30,77 +29,78 @@ Policy assignments that use the `deny` or `append` policy effects.
30
29
> [!NOTE]
31
30
> To learn more about Azure policy effects, see [Understand how effects work](../concepts/effects.md).
32
31
33
-
:::image type="content" source="safe-deployment-practices-flowchart-1.png" alt-text="Flowchart with steps one through eight showing safe deployment practices deployment of a new Azure Policy definition." border="true":::
32
+
:::image type="content" source="../media/policy-safe-deployment-practices/safe-deployment-practices-flowchart-1.png" alt-text="Flowchart with steps one through eight showing safe deployment practices deployment of a new Azure Policy definition." border="true":::
33
+
34
+
Flowchart step numbers:
34
35
35
-
1. Begin the release by creating a policy definition at the highest designated Azure management scope.
36
-
We recommend storing Azure Policy definitions at the management group scope for maximum flexibility.
36
+
1. Begin the release by creating a policy definition at the highest designated Azure management scope. We recommend storing Azure Policy definitions at the management group scope for maximum flexibility.
37
37
38
38
2. Once you've created your policy definition, assign the policy at the highest-level scope inclusive
39
39
of all deployment rings. Apply _resource selectors_ to narrow the applicability to the least
40
40
critical ring by using the `"kind": "resource location"` property. Configure the `audit` effect type
41
-
by using _assignment overrides_. Sample selector with eastUS location and effect as audit
41
+
by using _assignment overrides_. Sample selector with `eastUS` location and effect as `audit`:
42
42
43
-
```json
43
+
```json
44
44
"resourceSelectors": [{
45
-
"name": "SDPRegions",
46
-
"selectors": [{
47
-
"kind": "resourceLocation",
48
-
"in": [ "eastUS" ]
49
-
}]
45
+
"name": "SDPRegions",
46
+
"selectors": [{
47
+
"kind": "resourceLocation",
48
+
"in": [ "eastUS" ]
49
+
}]
50
50
}],
51
51
"overrides":[{
52
-
"kind": "policyEffect",
53
-
"value": "Audit"
52
+
"kind": "policyEffect",
53
+
"value": "Audit"
54
54
}]
55
-
```
55
+
```
56
56
57
57
3. Once the assignment is deployed and the initial compliance scan has completed,
58
58
validate that the compliance result is as expected.
59
59
60
-
You should also configure automated tests that run compliance checks. A compliance check should
61
-
encompass the following logic:
62
-
63
-
- Gather compliance results
64
-
- If compliance results are as expected, the pipeline should continue
65
-
- If compliance results aren't as expected, the pipeline should fail and you should start debugging
66
-
67
-
For example, you can configure the compliance check by using other tools within
68
-
your particular continuous integration/continuous deployment (CI/CD) pipeline.
69
-
70
-
At each rollout stage, the application health checks should confirm the stability of the service
71
-
and impact of the policy. If the results aren't as expected due to application configuration,
72
-
refactor the application as appropriate.
73
-
74
-
4. Repeat by expanding the resource selector property values to include the next rings’
60
+
You should also configure automated tests that run compliance checks. A compliance check should
61
+
encompass the following logic:
62
+
63
+
- Gather compliance results
64
+
- If compliance results are as expected, the pipeline should continue
65
+
- If compliance results aren't as expected, the pipeline should fail and you should start debugging
66
+
67
+
For example, you can configure the compliance check by using other tools within
68
+
your particular continuous integration/continuous deployment (CI/CD) pipeline.
69
+
70
+
At each rollout stage, the application health checks should confirm the stability of the service
71
+
and impact of the policy. If the results aren't as expected due to application configuration,
72
+
refactor the application as appropriate.
73
+
74
+
4. Repeat by expanding the resource selector property values to include the next rings'
75
75
locations and validating the expected compliance results and application health. Example selector with an added location value:
76
76
77
-
```json
77
+
```json
78
78
"resourceSelectors": [{
79
-
"name": "SDPRegions",
80
-
"selectors": [{
81
-
"kind": "resourceLocation",
82
-
"in": [ "eastUS", "westUS"]
83
-
}]
79
+
"name": "SDPRegions",
80
+
"selectors": [{
81
+
"kind": "resourceLocation",
82
+
"in": [ "eastUS", "westUS"]
83
+
}]
84
84
}]
85
-
```
85
+
```
86
86
87
87
5. Once you have successfully assigned the policy to all rings using `audit` mode,
88
88
the pipeline should trigger a task that changes the policy effect to `deny` and reset
89
89
the resource selectors to the location associated with _Ring 0_. Example selector with one region and effect set to deny:
90
90
91
-
```json
91
+
```json
92
92
"resourceSelectors": [{
93
-
"name": "SDPRegions",
94
-
"selectors": [{
95
-
"kind": "resourceLocation",
96
-
"in": [ "eastUS" ]
97
-
}]
93
+
"name": "SDPRegions",
94
+
"selectors": [{
95
+
"kind": "resourceLocation",
96
+
"in": [ "eastUS" ]
97
+
}]
98
98
}],
99
99
"overrides":[{
100
-
"kind": "policyEffect",
101
-
"value": "Deny"
100
+
"kind": "policyEffect",
101
+
"value": "Deny"
102
102
}]
103
-
```
103
+
```
104
104
105
105
6. Once the effect is changed, automated tests should check whether enforcement is taking place as
106
106
expected.
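Review bot: the unchanged context at step 2 tells readers to use the `"kind": "resource location"` property, but every JSON sample this hunk re-indents uses `"kind": "resourceLocation"`; since the hunk already touches those samples, align the prose with the JSON so a reader copying the property name gets the spelling the samples use. Two smaller consistency points in the same region: the prose refers to the `audit` effect while the override sample sets `"value": "Audit"` (pick one spelling or say which casing is expected), and `"overrides":[{` is missing the space after the colon that the rest of the samples use.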
@@ -114,7 +114,9 @@ expected.
114
114
Steps 1-4 for policies using the `modify` or `deployIfNotExists` effects are the same as steps previously explained.
115
115
Review the following flowchart with modified steps 5-9:
116
116
117
-
:::image type="content" source="safe-deployment-practices-flowchart-2.png" alt-text="Flowchart showing steps 5 through 9 in the Azure Policy safe deployment practices workflow." border="true":::
117
+
:::image type="content" source="../media/policy-safe-deployment-practices/safe-deployment-practices-flowchart-2.png" alt-text="Flowchart showing steps 5 through 9 in the Azure Policy safe deployment practices workflow." border="true":::
118
+
119
+
Flowchart step numbers:
118
120
119
121
5. Once you've assigned the policy to all rings using `audit` mode, the pipeline should trigger
120
122
a task that changes the policy effect to `modify` or `deployIfNotExists` and resets
@@ -131,8 +133,9 @@ as expected using compliance and application health checks.
131
133
132
134
> [!NOTE]
133
135
> For more information on Azure policy remediation tasks, read [Remediate non-compliant resources with Azure Policy](./remediate-resources.md).
136
+
134
137
## Next steps
135
138
136
-
- Learn how to [programmatically create policies](./programmatically-create.md)
137
-
- Review [Azure Policy as code workflows](../concepts/policy-as-code.md)
138
-
- Study Microsoft's guidance concerning [safe deployment practices](/devops/operate/safe-deployment-practices)
139
+
- Learn how to [programmatically create policies](./programmatically-create.md).
140
+
- Review [Azure Policy as code workflows](../concepts/policy-as-code.md).
141
+
- Study Microsoft's guidance concerning [safe deployment practices](/devops/operate/safe-deployment-practices).