Introduction
In cloud infrastructure management, maintaining security and compliance is crucial. Azure Policy enforces organizational standards and assesses compliance at scale. When combined with Terraform, an Infrastructure as Code tool, you can version, review and deploy Azure policies the same way as the rest of your infrastructure, which makes the implementation consistent and repeatable. In this blog post, we'll walk through how to use Terraform to deploy Azure policies, using a specific policy as an example.
What is Azure Policy?
Azure Policy is a service in Azure that you can use to create, assign, and manage policies. A policy is a set of rules evaluated against your resources; depending on its effect it can audit, deny, or (as in the example below) remediate resources so that they stay compliant with your corporate standards and service level agreements.
Why Terraform?
Terraform is an open-source tool that allows you to define and provision infrastructure using a high-level configuration language. It’s particularly powerful for managing cloud infrastructure and has robust support for Azure resources.
Example Policy: Enforcing HTTPS Traffic Only on Storage Accounts
For demonstration purposes, we will use a policy that ensures all Azure Storage accounts enforce HTTPS traffic only. The underlying property, supportsHttpsTrafficOnly (shown as "Secure transfer required" in the portal), makes the account reject requests sent over plain HTTP, which is a common requirement for protecting data in transit.
Policy Definition
Here’s the Terraform code for our Azure policy:
# The azurerm provider expects the full management group resource ID here, e.g.
# "/providers/Microsoft.Management/managementGroups/<management-group-name>".
variable "managementGroupId" {
  type = string
}

resource "azurerm_policy_definition" "modify-storage-account-enable-Https-Only" {
  name                = "Modify - Storage Account - Enable HTTPS Traffic Only"
  policy_type         = "Custom"
  mode                = "All"
  display_name        = "Modify - Storage Account - Enable HTTPS Traffic Only"
  description         = "This Azure Policy will remediate a storage account resource to enable HTTPS only connections."
  management_group_id = var.managementGroupId

  metadata = <<-METADATA
    {
      "category": "",
      "version": "1.0.0"
    }
  METADATA

  # "if" selects storage accounts whose setting differs from the parameter.
  # "then" uses DeployIfNotExists: the existenceCondition is checked first, and
  # only when it fails is the embedded ARM template deployed to fix the account.
  # Because details.type is the same type as the evaluated resource, details.name
  # must be [field('name')] so the existence check targets this account only.
  policy_rule = <<-POLICY_RULE
    {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
            "notEquals": "[parameters('enableHttpsOnly')]"
          }
        ]
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Storage/storageAccounts",
          "name": "[field('name')]",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "equals": "[parameters('enableHttpsOnly')]"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "Incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "String"
                  },
                  "location": {
                    "type": "String"
                  },
                  "enableHttpsOnly": {
                    "type": "String"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Storage/storageAccounts",
                    "apiVersion": "2019-06-01",
                    "name": "[parameters('resourceName')]",
                    "location": "[parameters('location')]",
                    "properties": {
                      "supportsHttpsTrafficOnly": "[equals(parameters('enableHttpsOnly'), 'true')]"
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "resourceName": {
                  "value": "[field('name')]"
                },
                "enableHttpsOnly": {
                  "value": "[parameters('enableHttpsOnly')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  POLICY_RULE

  # The parameter is a string ("true"/"false"); the ARM template above converts
  # it to the boolean the storage account property expects.
  parameters = <<-PARAMETERS
    {
      "enableHttpsOnly": {
        "type": "String",
        "metadata": {
          "displayName": "Enable HTTPS Traffic Only",
          "description": "Specify whether to enable HTTPS Traffic Only."
        },
        "defaultValue": "true",
        "allowedValues": [
          "true",
          "false"
        ]
      }
    }
  PARAMETERS
}
This Terraform resource defines a custom policy that flags any storage account whose supportsHttpsTrafficOnly value differs from the enableHttpsOnly parameter (true by default) and, through the DeployIfNotExists effect, deploys a small ARM template that sets the property to the desired value.
Breaking Down the Policy
- Policy properties: name, policy_type, mode, display_name and description define the basic attributes of the definition. management_group_id is the management group in which the definition is created; the azurerm provider expects the full resource ID (/providers/Microsoft.Management/managementGroups/<name>), not just the group name. A definition created at a management group can later be assigned at that group or at any subscription or resource group beneath it.
- Metadata: the category (shown in the portal's definition list) and a version string. The category is left empty here; setting it, for example to "Storage", makes the definition easier to find.
- Policy rule: the if block selects resources of type Microsoft.Storage/storageAccounts whose supportsHttpsTrafficOnly value does not equal the enableHttpsOnly parameter. The then block applies the DeployIfNotExists effect: after a matching storage account is created or updated, Azure Policy evaluates the existenceCondition, and only if it is not met (the property still differs from the parameter) does it run the embedded ARM template deployment, which rewrites the property. Because details.type is the same type as the resource being evaluated, details.name should be set to [field('name')] so the existence check targets that account rather than every storage account in the resource group. roleDefinitionIds lists the roles the assignment's managed identity needs to perform the deployment; the GUID used here is the built-in Storage Account Contributor role. Two caveats: despite the "Modify" in the name, the effect is DeployIfNotExists (Azure Policy's separate Modify effect can set this alias directly with an addOrReplace operation and no ARM template), and DeployIfNotExists only fires on create or update events, so storage accounts that already exist when the policy is assigned are reported as non-compliant until a remediation task is run.
- Parameters: enableHttpsOnly is a string parameter restricted to "true" or "false", defaulting to "true". Because it is a string rather than a boolean, the ARM template converts it with equals(parameters('enableHttpsOnly'), 'true') before writing the boolean property.
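As an added example (not part of the original post), here is the same intent expressed with the Modify effect mentioned above. Modify rewrites the property inside the create/update request, so no ARM template, and none of the template parameter plumbing, is needed. The resource name and the assumption that var.managementGroupId is declared alongside the definition module are ours; the role is the same Storage Account Contributor role the original definition uses, and the alias is one the Modify effect supports.

```hcl
# Added example: Modify-effect variant of the HTTPS-only policy.
# Assumes var.managementGroupId is declared as in the policy module.
resource "azurerm_policy_definition" "modify_storage_https_only" {
  name                = "modify-storage-account-https-only"
  policy_type         = "Custom"
  mode                = "Indexed"
  display_name        = "Modify - Storage Account - Enable HTTPS Traffic Only (Modify effect)"
  description         = "Sets supportsHttpsTrafficOnly to true on storage accounts at create or update time."
  management_group_id = var.managementGroupId

  policy_rule = <<-POLICY_RULE
    {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "Modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
          ],
          "conflictEffect": "audit",
          "operations": [
            {
              "operation": "addOrReplace",
              "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
              "value": true
            }
          ]
        }
      }
    }
  POLICY_RULE
}
```

Like DeployIfNotExists, Modify needs an assignment with a managed identity that holds the listed role, and existing non-compliant accounts are only corrected by a remediation task. conflictEffect: "audit" means that if a request explicitly sets the property to a different value, the request is allowed and the resource is marked non-compliant rather than rejected; use "deny" if that should block the request instead.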
Deploying the Policy
Deploying this policy with Terraform involves a few simple steps:
- Write the Terraform configuration: create a configuration file with the policy definition (the module used below).
- Initialize Terraform: run terraform init to initialize the working directory and download the azurerm provider.
- Plan the deployment: run terraform plan to review the execution plan.
- Apply the configuration: run terraform apply to create the policy definition.
A root module that wires in the definition looks like this:
# Root module: declares the management group ID once and passes it to the
# policy module that contains the definition shown above.
variable "managementGroupId" {
  type = string
}

provider "azurerm" {
  features {}
}

module "azure_policy" {
  source            = "./path_to_policy_main"
  managementGroupId = var.managementGroupId
}
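Creating the definition does nothing by itself: a DeployIfNotExists policy only takes effect once it is assigned, the assignment carries a managed identity, that identity holds the role named in roleDefinitionIds, and, for storage accounts that already exist, a remediation task is started. The following is an added example, not code from the original post, that completes those steps in Terraform. It is meant to sit next to the definition in the policy module, so it references the post's azurerm_policy_definition resource and assumes var.managementGroupId is declared there; the assignment name, display name and region are ours.

```hcl
# Added example: assign the definition, grant its identity the required role,
# and remediate existing storage accounts. Assumes var.managementGroupId is
# declared in this module and holds the full management group resource ID.

resource "azurerm_management_group_policy_assignment" "https_only" {
  name                 = "enforce-storage-https" # assignment names at management group scope are limited to 24 characters
  display_name         = "Enforce HTTPS-only on storage accounts"
  management_group_id  = var.managementGroupId
  policy_definition_id = azurerm_policy_definition.modify-storage-account-enable-Https-Only.id
  location             = "westeurope" # required whenever an identity is attached

  # DeployIfNotExists runs the ARM deployment as this identity.
  identity {
    type = "SystemAssigned"
  }

  parameters = jsonencode({
    enableHttpsOnly = { value = "true" }
  })
}

# The identity must hold every role in roleDefinitionIds at the assignment
# scope; otherwise the deployments fail and the remediation task stalls.
resource "azurerm_role_assignment" "https_only_storage_contributor" {
  scope                = var.managementGroupId
  role_definition_name = "Storage Account Contributor"
  principal_id         = azurerm_management_group_policy_assignment.https_only.identity[0].principal_id
}

# DeployIfNotExists only triggers on create/update; accounts that already exist
# are brought into compliance by a remediation task.
resource "azurerm_management_group_policy_remediation" "https_only" {
  name                 = "remediate-storage-https"
  management_group_id  = var.managementGroupId
  policy_assignment_id = azurerm_management_group_policy_assignment.https_only.id

  depends_on = [azurerm_role_assignment.https_only_storage_contributor]
}
```

Two practical checks after terraform apply: confirm in the assignment's Identity blade that the Storage Account Contributor role shows up at the management group (role assignments can take a few minutes to propagate, so a remediation task created immediately afterwards may have to be re-run), and confirm the remediation task finishes with zero failed deployments before treating the policy as enforced.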
Conclusion
By leveraging Terraform to deploy Azure policies, IT teams can ensure consistent policy enforcement across their Azure environment. This approach not only saves time but also reduces the risk of manual errors, thereby maintaining a strong security posture in the cloud.
Remember, while the example here focused on enforcing HTTPS on storage accounts, Terraform and Azure Policy can be used together to enforce a wide range of rules and policies across your Azure resources.