Caution
This is a personal and very experimental project, so don't expect anything from it.
This repo was established, inspired by JanneMattila/azure-policy-evaluator and the wish to have a way to test Azure policies before deployment.
The goal is to offer a simple tool that allows Azure policies to be tested locally before deployment. The implementation is planned to be based on a rule engine, so that the actual policy files can be used as the rules.
- Handles definitions, initiatives and assignments
- Downloads Built-in policies automatically
- Handles scope functions (subscription, resource group, management group); see Scope functions on Microsoft Learn
- Highlighting of which policies cause the specific effect
- Support for parsing all possible policies
- Support for most of the functions usable in policies
- Acceptance of different cases in names and values
- Mutating policies
- Policy execution order
- Policy effect order
The application parses ordinary policy definition, initiative and assignment JSONs and then evaluates them against a given resource (one at a time).
The resource can be given either as plain resource JSON (available e.g. in the Azure portal) or as a JSON object containing the resource together with scope-related data.
Example of JSON with resource and scope information:
```json
{
  "resource": {
    "name": "githubFederation",
    "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
    "id": "/subscriptions/c267c0e7-0a73-4789-9e17-d26aeb0904e5/resourcegroups/rgName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityName/federatedIdentityCredentials/githubFederation",
    "properties": {
      "audiences": [
        "api://AzureADTokenExchange"
      ],
      "issuer": "https://token.actions.githubusercontent.com",
      "subject": "repo:other_org/gh_federation_subject:pull_request"
    }
  },
  "tenant": {
    "countryCode": "US",
    "displayName": "Contoso",
    "id": "/tenants/00000000-0000-0000-0000-000000000000",
    "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee"
  },
  "managementGroup": {
    "id": "/providers/Microsoft.Management/managementGroups/examplemg1",
    "name": "examplemg1",
    "properties": {
      "details": {
        "parent": {
          "displayName": "Tenant Root Group",
          "id": "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000",
          "name": "00000000-0000-0000-0000-000000000000"
        },
        "updatedBy": "00000000-0000-0000-0000-000000000000",
        "updatedTime": "2020-07-23T21:05:52.661306Z",
        "version": "1"
      },
      "displayName": "Example MG 1",
      "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee"
    }
  },
  "subscription": {
    "id": "/subscriptions/{subscription-id}",
    "subscriptionId": "{subscription-id}",
    "tenantId": "{tenant-id}",
    "displayName": "{name-of-subscription}",
    "tags": {
      "environment": "development"
    }
  },
  "resourcegroup": {
    "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}",
    "name": "{resourceGroupName}",
    "type": "Microsoft.Resources/resourceGroups",
    "location": "{resourceGroupLocation}",
    "managedBy": "{identifier-of-managing-resource}",
    "tags": {},
    "properties": {
      "provisioningState": "{status}"
    }
  }
}
```

Note that (at least on Mac with zsh) directories with spaces do work, but the path has to be both enclosed in double quotes and the space escaped with a backslash.
```shell
make run definition -- --rules samples/definitions --resources samples/resources
gape definition --rules samples/definitions --resources samples/resources
make run initiative -- --rules samples/initiatives/FIC_LimitIssuers.json --resources samples/resources
```
```shell
make run assignment -- --rules samples/assignments/audit-vm-managed-disks.json --resources samples/resources/Compute/audit-vm-without-managed-disks
make run initiative -- --rules samples/initiatives/FIC_LimitIssuers.json --resources "samples/resources/Managed\ Identity/approved-federation-sources"
```
Note that Make gets confused by the equals (=) sign in `--parameters key=value`, so it is better to run directly with Go:
```shell
go run main.go initiative --rules samples/initiatives/FIC_LimitIssuers.json --resources "samples/resources/Managed\ Identity/approved-federation-sources" --parameters key=value
```
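The evaluation flow described above (parse a definition, accept either a plain resource or the wrapper object with a `resource` key, match the policyRule `if` block, return the `then` effect), as an added Go example that is not the project's own code. It models only the allOf/anyOf combinators and the equals/notIn conditions, resolves `field` as a dotted path into the resource JSON instead of through Azure's property aliases, ignores the wrapper's scope objects, and compares values case-insensitively. The policy and the two resources are constructed for the example; the policy mimics an issuer allow-list but is not the repo's FIC_LimitIssuers.json.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sub returns the nested object m[key], or nil when absent or not an object.
func sub(m map[string]any, key string) map[string]any {
	s, _ := m[key].(map[string]any)
	return s
}

// norm lower-cases a JSON value so names and values compare case-insensitively.
func norm(v any) string { return strings.ToLower(fmt.Sprint(v)) }

// lookup resolves a dotted path such as "properties.issuer" in the resource (an
// assumption of this example; real Azure Policy addresses fields via aliases).
func lookup(res map[string]any, field string) string {
	parts := strings.Split(field, ".")
	for _, p := range parts[:len(parts)-1] {
		res = sub(res, p)
	}
	if v := res[parts[len(parts)-1]]; v != nil {
		return norm(v)
	}
	return "" // a missing field is treated as the empty string
}

// Eval walks one node of the "if" tree: allOf/anyOf, or a leaf with equals/notIn.
func Eval(cond, res map[string]any) bool {
	for _, op := range []string{"allOf", "anyOf"} {
		if subs, ok := cond[op].([]any); ok {
			all := op == "allOf" // allOf stops at the first false child, anyOf at the first true
			for _, s := range subs {
				m, _ := s.(map[string]any)
				if Eval(m, res) != all {
					return !all
				}
			}
			return all
		}
	}
	got := lookup(res, fmt.Sprint(cond["field"]))
	if cond["equals"] != nil {
		return got == norm(cond["equals"])
	}
	if list, ok := cond["notIn"].([]any); ok {
		for _, v := range list {
			if norm(v) == got {
				return false
			}
		}
		return true
	}
	return false // unsupported or empty condition never matches
}

// Evaluate returns the effect the definition applies to the resource, or "" when
// the "if" block does not match. The resource may be plain JSON or the wrapper.
func Evaluate(policyJSON, resourceJSON []byte) (string, error) {
	var def, res map[string]any
	if err := json.Unmarshal(policyJSON, &def); err != nil {
		return "", err
	}
	if err := json.Unmarshal(resourceJSON, &res); err != nil {
		return "", err
	}
	if inner := sub(res, "resource"); inner != nil {
		res = inner // wrapper form: evaluate the embedded resource, ignore scope objects
	}
	rule := sub(sub(def, "properties"), "policyRule")
	if !Eval(sub(rule, "if"), res) {
		return "", nil
	}
	effect, _ := sub(rule, "then")["effect"].(string)
	return effect, nil
}

// Constructed sample definition (not the repo's FIC_LimitIssuers.json): deny
// federated identity credentials whose issuer is not on the approved list.
const SamplePolicy = `{"properties":{"policyRule":{"if":{"allOf":[
 {"field":"type","equals":"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"},
 {"field":"properties.issuer","notIn":["https://token.actions.githubusercontent.com"]}]},
 "then":{"effect":"deny"}}}}`

// Constructed resources: one in the wrapper form, one plain with its type in a different case.
const ApprovedResource = `{"resource":{"name":"githubFederation",
 "type":"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
 "properties":{"issuer":"https://token.actions.githubusercontent.com"}},"subscription":{}}`
const UnapprovedResource = `{"name":"otherFederation","properties":{"issuer":"https://oidc.example.invalid"},
 "type":"MICROSOFT.MANAGEDIDENTITY/USERASSIGNEDIDENTITIES/FEDERATEDIDENTITYCREDENTIALS"}`

func main() {
	effect, err := Evaluate([]byte(SamplePolicy), []byte(UnapprovedResource))
	fmt.Println("effect:", effect, "err:", err)
}
```

Running it prints `deny` for the resource whose issuer is off the list; the same `Evaluate` call on `ApprovedResource` returns an empty effect because its issuer is allowed, and the upper-cased `type` in the second resource still matches thanks to the case-insensitive comparison.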