I've seen Azure Policy become the go-to mechanism for enforcing compliance and governance requirements across Azure resources. As of 2022, the tooling for managing Azure Policy as code has matured significantly, allowing us to treat policy as a first-class software artifact.
So how does Azure Policy work? It evaluates resource properties against defined rules, both on every create or update request that reaches Azure Resource Manager and on a periodic compliance scan of resources that already exist. For instance, a policy that requires all storage accounts to use HTTPS evaluates the `supportsHttpsTrafficOnly` property (exposed to policy as the alias `Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly`) on each storage account in scope.
Policies are assigned at management group, subscription, resource group, or individual resource scope, and the policy effect determines what happens on non-compliance. `Audit` logs the violation as a compliance record, `Deny` rejects the create or update request, and `DeployIfNotExists` or `Modify` deploys or rewrites the compliant configuration if it is absent. The two remediation effects only act on their own during create and update; to fix resources that already exist you run a remediation task against the assignment, and the assignment needs a managed identity holding the role the definition declares in `roleDefinitionIds`.
In my experience with large-scale Azure deployments, managing policy at scale can become complex. For example, we had a customer with over 500 storage accounts across 20 subscriptions, and they needed to enforce HTTPS for all of them. We used Azure Policy to evaluate the httpsTrafficOnly property and deploy a remediation resource to enable HTTPS for non-compliant accounts.
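Here is an added Bicep example (not code from the original post) of the pattern just described: one custom definition that audits or denies storage accounts without secure transfer, one `Modify` definition that sets the property, an assignment of each, and the role grant the `Modify` identity needs. It assumes a subscription-scope deployment and uses the built-in Storage Account Contributor role; the definition and assignment names are my own.

```bicep
// Subscription-scope deployment: definitions, assignments and the role grant the Modify effect needs.
targetScope = 'subscription'

@allowed(['Audit', 'Deny'])
param createEffect string = 'Deny'

// Built-in role "Storage Account Contributor"; the Modify effect acts with the assignment's identity.
var storageContributorRoleId = '17d1049b-9a84-46fb-8f53-869881c3d3ab'

// Shared condition: a storage account whose secure-transfer flag is not true.
var plainHttpStorage = {
  allOf: [
    { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
    { field: 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly', notEquals: 'true' }
  ]
}

// 1. Audit/Deny: report or block PUT requests that would leave secure transfer off.
//    Bicep escapes the leading '[' so the policy engine, not the deployment, evaluates parameters('effect').
resource denyPlainHttp 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'storage-require-https'
  properties: {
    displayName: 'Storage accounts must require secure transfer'
    policyType: 'Custom'
    mode: 'Indexed'
    parameters: {
      effect: { type: 'String', allowedValues: ['Audit', 'Deny'], defaultValue: 'Deny' }
    }
    policyRule: {
      if: plainHttpStorage
      then: { effect: '[parameters(\'effect\')]' }
    }
  }
}

// 2. Modify: rewrite the property on create/update, or on existing accounts via a remediation task.
resource modifyPlainHttp 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'storage-set-https'
  properties: {
    displayName: 'Set supportsHttpsTrafficOnly to true on storage accounts'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: plainHttpStorage
      then: {
        effect: 'Modify'
        details: {
          roleDefinitionIds: [
            '/providers/Microsoft.Authorization/roleDefinitions/${storageContributorRoleId}'
          ]
          conflictEffect: 'audit' // if another policy wants a different value, audit instead of fighting it
          operations: [
            {
              operation: 'addOrReplace'
              field: 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly'
              value: true
            }
          ]
        }
      }
    }
  }
}

resource denyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'storage-require-https'
  properties: {
    policyDefinitionId: denyPlainHttp.id
    parameters: { effect: { value: createEffect } }
    // 'DoNotEnforce' evaluates and reports without denying, useful for a staged rollout.
    enforcementMode: 'Default'
  }
}

resource modifyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'storage-set-https'
  location: deployment().location // required when the assignment carries an identity
  identity: { type: 'SystemAssigned' }
  properties: {
    policyDefinitionId: modifyPlainHttp.id
    enforcementMode: 'Default'
  }
}

// Without this grant the assignment is created but every remediation fails with an authorization error.
resource modifyRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, modifyAssignment.name, storageContributorRoleId)
  properties: {
    principalId: modifyAssignment.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageContributorRoleId)
  }
}
```

Deploy it with `az deployment sub create --location <region> --template-file storage-https.bicep`, then create a remediation task for the `Modify` assignment (`az policy remediation create --name fix-https --policy-assignment storage-set-https`) so that accounts created before the assignment are corrected too; the `Modify` effect alone only touches accounts as they are created or updated.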
Policy initiatives (policy set definitions) are another key concept, grouping related policies so that a compliance framework can be assigned as one unit. Built-in initiatives for CIS Microsoft Azure Foundations Benchmark, NIST SP 800-53, PCI DSS, and HIPAA HITRUST group the relevant controls into a single assignment that applies all of their policies, and the compliance view then rolls results up per control.
You can also define custom initiatives to meet your organisation's specific governance requirements as a composable set of policies. An initiative declares its own parameters and maps them onto the parameters of each member definition, so one assignment can set, say, the allowed regions once for every policy that cares about them. Assigning an initiative at the management group level applies all of its policies to every subscription below it, including subscriptions created later, which is really powerful; anything that genuinely must be carved out goes in the assignment's `notScopes` rather than in a separate, weaker assignment. I've seen this approach work well for organisations with complex governance requirements, such as a financial services company that needed to enforce a custom set of policies across 50 subscriptions.
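The following added example (mine, not code from the original post) shows a custom initiative deployed at management group scope that groups two built-in definitions, passes an initiative-level parameter through to them, and assigns the whole set once at the management group. The built-in definition GUIDs are the ones I know for "Allowed locations" and "Secure transfer to storage accounts should be enabled"; confirm them in your tenant with `az policy definition list` before relying on them. The initiative and assignment names are my own.

```bicep
// Deploy with: az deployment mg create --management-group-id <mg> --location <region> --template-file baseline.bicep
targetScope = 'managementGroup'

param allowedLocations array = ['uksouth', 'ukwest']

// Built-in definitions referenced by ID (built-ins live at tenant scope). Confirm the GUIDs with:
//   az policy definition list --query "[?displayName=='Allowed locations'].name"
var allowedLocationsDef = tenantResourceId('Microsoft.Authorization/policyDefinitions', 'e56962a6-4747-49cd-b67b-bf8b01975c4c')
var secureTransferDef = tenantResourceId('Microsoft.Authorization/policyDefinitions', '404c3081-a854-4457-ae30-26a93ef643f9')

resource baseline 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = {
  name: 'org-baseline'
  properties: {
    displayName: 'Organisation baseline'
    policyType: 'Custom'
    // Initiative-level parameters; each is mapped into a member definition below.
    parameters: {
      listOfAllowedLocations: {
        type: 'Array'
        metadata: { displayName: 'Allowed locations', strongType: 'location' }
      }
      storageEffect: {
        type: 'String'
        allowedValues: ['Audit', 'Deny']
        defaultValue: 'Deny'
      }
    }
    policyDefinitions: [
      {
        // The reference ID is what exemptions and compliance reports use to address this member.
        policyDefinitionReferenceId: 'allowedLocations'
        policyDefinitionId: allowedLocationsDef
        parameters: { listOfAllowedLocations: { value: '[parameters(\'listOfAllowedLocations\')]' } }
      }
      {
        policyDefinitionReferenceId: 'storageSecureTransfer'
        policyDefinitionId: secureTransferDef
        parameters: { effect: { value: '[parameters(\'storageEffect\')]' } }
      }
    ]
  }
}

// One assignment at the management group applies every member to all subscriptions beneath it,
// including subscriptions moved under the group later.
resource baselineAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'org-baseline'
  properties: {
    displayName: 'Organisation baseline'
    policyDefinitionId: baseline.id
    parameters: {
      listOfAllowedLocations: { value: allowedLocations }
      storageEffect: { value: 'Deny' }
    }
    // Switch to 'DoNotEnforce' in a test management group to see what would be denied without blocking anyone.
    enforcementMode: 'Default'
    nonComplianceMessages: [
      { message: 'Blocked by the organisation baseline initiative. Request a time-limited exemption via the governance repo.' }
    ]
  }
}
```

The `nonComplianceMessages` text is what engineers see in the deployment error, so it is worth pointing it at the exemption process rather than leaving them to guess which of the assigned policies fired.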
I've been using Bicep to write Azure Policy definitions, and it's been a significant improvement over traditional ARM templates. For instance, I can define a policy to restrict resource locations to a specific set of regions and deploy it with an ordinary ARM deployment, since Bicep compiles to ARM JSON; the file's `targetScope` (`subscription` or `managementGroup`) decides where the definition lives, and Bicep escapes the `[parameters(...)]` expressions inside a policy rule so the policy engine, not the deployment, evaluates them. Because Bicep files are in version control, I can review them via pull request and deploy them through a pipeline using the GitHub Action for Azure Resource Manager deployment.
The GitHub Action for Azure Resource Manager deployment (`azure/arm-deploy`) can apply policy definitions, initiatives, and assignments as part of a governance pipeline, using a service principal or workload identity that holds only the policy-related roles at the target scope. This approach lets us integrate policy deployment with our existing CI/CD pipeline, so that policy changes are reviewed and tested before they reach production: a what-if deployment on the pull request shows which definitions and assignments would change, and assigning the change first to a test management group with `enforcementMode` set to `DoNotEnforce` reports what a `Deny` would have blocked without blocking anyone.
Azure Policy exemptions are also worth mentioning. They exclude a scope (a management group, subscription, resource group, or single resource) from a policy assignment, optionally for only some members of an initiative and optionally until an `expiresOn` date. Each exemption carries a category, `Waiver` (the risk is accepted) or `Mitigated` (the control is met another way), and exempted resources show as Exempt rather than Compliant in the Azure Policy compliance view, which is important for tracking and managing them.
Managing exemptions rigorously is crucial, as it prevents them from becoming permanent workarounds that undermine the governance intent. Give every exemption an expiry, a justification, and an owner, keep them in the same repository and review flow as the policies themselves, and treat the absence of an `expiresOn` as a review finding.
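As an added example (mine, not code from the original post), here is a resource-group-scoped Bicep exemption that is time-boxed by construction: the expiry is computed from the deployment time, the owner and ticket are recorded in metadata, and an initiative assignment can be exempted for only the listed member definitions. The assignment ID, the owner and ticket values, and the 30-day default are assumptions to be replaced with your own.

```bicep
// Resource-group scope (Bicep's default targetScope), so the exemption covers exactly this RG.

@description('Full resource ID of the assignment being exempted, e.g. /providers/Microsoft.Management/managementGroups/<mg>/providers/Microsoft.Authorization/policyAssignments/org-baseline')
param assignmentId string

@description('Leave empty to exempt the whole assignment; list policyDefinitionReferenceIds to exempt only some members of an initiative.')
param definitionReferenceIds array = []

@description('Person accountable for removing the need for this waiver.')
param owner string

@description('Change or risk ticket that approved the waiver; also used in the exemption name.')
param ticket string

// utcNow() is only permitted as a parameter default, so capture it here and derive the expiry from it.
param deployedAt string = utcNow()

@minValue(1)
@maxValue(90)
param validDays int = 30

resource exemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
  name: 'waiver-${ticket}'
  properties: {
    policyAssignmentId: assignmentId
    policyDefinitionReferenceIds: definitionReferenceIds
    // 'Waiver' = risk accepted for now; use 'Mitigated' when the control is met by other means.
    exemptionCategory: 'Waiver'
    // The platform stops honouring the exemption after this instant; re-deploying (with a fresh review) extends it.
    expiresOn: dateTimeAdd(deployedAt, 'P${validDays}D')
    displayName: 'Temporary waiver (${ticket})'
    description: 'Approved in ${ticket}; owner ${owner}. Expires automatically; re-deploy after review to extend.'
    metadata: { owner: owner, ticket: ticket }
  }
}

// Surface the computed expiry so the pipeline can record it alongside the ticket.
output expiresOn string = exemption.properties.expiresOn
```

Deploy with `az deployment group create --resource-group <rg> --template-file waiver.bicep --parameters assignmentId=<id> owner=<who> ticket=<id>`; `az policy exemption list` then gives you the inventory to review, and an exemption whose `expiresOn` is missing or more than `validDays` out is one that bypassed this template.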