-
Notifications
You must be signed in to change notification settings - Fork 517
AddingPolicyDefs
The Custom Policy Definitions module in ALZ-Bicep
deploys all of the custom Azure Policy Definitions and Initiatives (also know as Definition Sets) that are part of Azure Landing Zones (Enterprise-Scale) as described in more detail in the wiki article How Does ALZ-Bicep Implement Azure Policies?
However, it is expected that most customers will want or need to add their own custom Azure Policy Definitions and Initiatives and deploy them to their Intermediate Root Management Group (e.g. Contoso
) to then assign them at scopes beneath this Management Group to help them meet their requirements.
This is where this wiki article will help explain how this is possible and advise of the various ways this can also be done.
Install the ALZ PowerShell Module on your local development machine or within the Azure Cloud Shell using the following command:
Warning: In order to use this module, PowerShell 7.1 or higher needs to be installed
Install-Module -Name ALZ
Version
0.2.8
or higher must be installed of theALZ
module, you can check this withGet-Module -Name ALZ
There are a few options for you to deploy your own custom Azure Policy Definitions and Initiatives using Bicep and more specifically ALZ-Bicep
.
- Extend the Custom Policy Definitions module from
ALZ-Bicep
- Adding a definition as a
.json
file to thelib
and updating the variable ofvarCustomPolicyDefinitionsArray
orvarCustomPolicySetDefinitionsArray
- Can use
Invoke-PolicyToBicep.ps1
script as explained in How Does ALZ-Bicep Implement Azure Policies? to generate variables
- Can use
- Adding a definition as a
- Define the definition via "native" Bicep and deploy as a separate deployment
- Using API schema for Policy Definitions or Policy Initiatives (Sets)
- Example can be seen here
We recommend were possible to use option 1 and extend the current ALZ-Bicep
approach for deploying custom policies as this keeps the deployment process simplified as it's a single deployment to manage for all custom policies.
✋ Where possible avoid using
-
's (hyphens/dashes) as these are an unsupported character in Bicep. camelCase or use_
instead 👍
To extend the Custom Policy Definitions module from ALZ-Bicep
follow the below process.
- Navigate to the relevant
lib
directory- Policy Definition =
infra-as-code\bicep\modules\policy\definitions\lib\policy_definitions
- Policy Initiative (Set) =
infra-as-code\bicep\modules\policy\definitions\lib\policy_set_definitions
- Policy Definition =
- Copy/clone an existing
.json
file and rename it to something appropriate- Try to copy a policy with the same effect as the policy you are wanting to add
-
Important: The file name of the
.json
file is not important. It can be anything you like as long as it ends.json
- Amend contents of new file to values for the new policy definition/initiative
- Common properties to change:
name
,mode
,displayName
,description
,metadata
,parameters
,policyRule
,then
,effect
- Common properties to change:
- Run the
Invoke-PolicyToBicep.ps1
script to update the_policyDefinitionsBicepInput.txt
and/or_policySetDefinitionsBicepInput.txt
files in thelib
folders- Copy the entire contents of the relevant
.txt
file and replace the contents of the associated variable in the Custom Policy Definitions module- Policy Definition =
_policyDefinitionsBicepInput.txt
placed into variable namedvarCustomPolicyDefinitionsArray
(place copied contents inside of array[]
) - Policy Initiative (Set) & Parameter Variables = Copy the entire contents of
_policySetDefinitionsBicepInput.txt
and replace variable namedvarCustomPolicySetDefinitionsArray
and parameter variables below it with copied contents
- Policy Definition =
- Copy the entire contents of the relevant
- Redeploy the updated Custom Policy Definitions module via your configured method (locally via Azure CLI or PowerShell or via Azure DevOps pipeline or GitHub action)
- New Policy Definitions now deployed to intermediate root Management Group (e.g.
Contoso
)
For step 4 you could also manually copy and add the object for your new Policy Definitions into the array variables of
varCustomPolicyDefinitionsArray
orvarCustomPolicySetDefinitionsArray
following the defined schema already inside the array of objects.
As Bicep is ultimately just compiling ARM templates behind the scenes, deployments of Bicep files/modules are still subject to the same limits as ARM Templates. The main limit to be aware of here is the 4 MB
total size limit for a single ARM Template.
Today the Custom Policy Definitions module from ALZ-Bicep
results in a 874 KB
ARM Template file JSON
file being created.
This has plenty of room for expansion but it is worth keeping in mind as you may hit the 4 MB
limit and see the errors of JobSizeExceededException
or DeploymentJobSizeExceededException
.
To get around this, split the policy definitions into 2 or more Bicep files.
For example, you could leave the Custom Policy Definitions module from ALZ-Bicep
as is and then copy/clone this module and add your own custom Policy Definitions and Initiatives into this separate module.
Ensure you deploy all of your Custom Policy Definitions at the correct stage of your deployment as per the guidance in the Deployment Flow wiki article.
If you have any issues or require any assistance or advice please raise a GitHub Issue on the repo and we will work with you to assist where possible.
If you discover any documentation bugs or would like to request new content, please raise them as an issue on the repo.
Contributions to this wiki are done through the main repo under docs/wiki.
- Wiki Home
- Deployment Flow
- Consumer Guide
- How Does ALZ-Bicep Implement Azure Policies?
- How Does ALZ-Bicep Implement resilient deployments across availability zones?
- Contributing
- Telemetry Tracking Using Customer Usage Attribution (PID)
- Azure Container Registry Deployment - Private Bicep Registry
- Sample Pipelines
- Code tours