Azure Governance. Do or Do Not. There is No Try.

Posted by Phil DeVeau - January 12, 2021

Azure Governance artifacts, such as json files with deployment scripts, are visible and human-readable artifacts that can be stored along with source code


Governance as Code, this is the Way 

Azure Governance artifacts, such as json files with deployment scripts, are visible and human-readable artifacts that can be stored along with source codeThis concept is called Governance as Code (GaC)Traditional governance is often, in its earliest stages, subject to interpretationIn later stages of maturity there are still policy documents that update, and trickle down through various programs and initiatives, requiring some interpretationThis will not work well in Azure.  When GaC Interpretation is not required, this is the way. 

Most Teams are Already Expert in Required Patterns   

Most developers and teams have switched over to storing code in cloud repositories like Azure DevOps and GitHubThey are already branching to write code and required testsThe branches link back to work items being tracked and expressed in terms of business valueThey are already gating check-ins so that team members and stakeholders all agree to the changeOnce the change has been accepted the change is promoted to the correct environment. At various stages of acceptance, the change is further promotedThere is no try, this is happening todayChanges are accepted or they are notChanges are promoted, or they are notInfrastructure as Code is following the same patterns, the same goalsAzure Governance should follow the same process. 

Azure Governance Playbook  FREE DOWNLOAD

Azure Governance Change Scenario 

A team wants to deploy a new feature to an application that is working on an Azure Virtual Machine. They know that from a cost perspective the required SKU is more than they have asked for before, and the required OS is different than they have deployed in the past.  As part of the assessment phase of this project they want to evaluate the policy to ensure they will still be compliant with policies and not have deployments denied.

azure-blueprints-web The team inspects Governance as Code and sees that they can provide the operating system and VM SKU as parametersThe OS parameter is without limitation, but they have discovered that the VM SKU is not currently allowedThe team updates the policy document and requests that their change be accepted with clear reasons why they are pointing back to business cases. The team and stakeholders all agree this is required, but further we want to limit it, so add some additional scoping so that this only applies to their team and productFinally, when the change is accepted the Azure Governance change is executed and the team can progress. 

Use the Force! 

Okay that sounds great, in fact your compliance officer just did cartwheels past your officeWe can take it a step further, not only policies and management groups, but also to describe our entire architecture as wellWith an Azure Blueprint we have an entire reusable artifact dedicated to delivering enterprise classes of infrastructure, policy, security all in the same package, and it is all versionedYou might even be able to go on vacation after this! 

To learn more about enterprise and cloud governance, download the Governance Playbook today!

Topics: Implementation & Adoption

Modern Enterprise & Cloud Governance Playbook

Recent Posts

Collaborative Cloud Governance: Auditability & Visibility

read more

How Does the Cloud & Azure Transform Traditional Governance?

read more

DevOps Enables Modern Governance

read more