Azure Governance for the Modern Enterprise

Learn How to Empower Azure Self-Service for Self-Organization

Written by Phil DeVeau | Jan 8, 2021 8:38:16 PM

Should I Hit it with a Hammer? 

When deploying to Azure whether through a CI/CD pipeline, Azure Portal, or any other supported method, there are gates we can add to help empower and support that deployment. Gem cutters must consider this question oftenShould I hit it with a hammerWhen gems are cut, they are carefully faceted to match an ideal solutionObviously gems that are cut well sell for more money than the cost of the raw stone and the work put into itWhen a gem cutter decides that it is not going to return that value, they hit it with a hammer and the waste scraps are put towards other usesAzure Policy will ask you the same question, for some similar reasons, “Should I hit this deployment with a hammer?” 

Effects of Deny vs Audit Policy 

Regardless of the methods used for deployment, we should be equally empowered within defined boundariesIt is possible with policy to “deny,” when a deny policy effect is handled the request returns a forbidden state and is stopped in its tracks, or in simpler terms, policy whacks the deployment with a hammerOften on a governance journey this is the first step, but is it the right stepSuch denials stop developmentThis may be right for production, but wrong for development; right for externally facing applications, but wrong for internally accessible applications; and on and onDialogue is important here.  Auditing deployments can be used to start that dialogueWhen an audit event is triggered warnings are issued instead of denials and work can continue. 

The audit rule snippet, when violated, allows our deployment to continue and is validated at the end of the deployment, messages are added to our audit log citing the warning on this deployment. 

The deny audit rules snippet, when violated, demands that before the deployment starts our deployment will fail with no further actions taken. 

“policyRule”: { 

   “if”: { 

      “allOf”: […] 

   }, 

   “then”: { 

      “effect”: “audit” 

   } 

} 

“policyRule”: { 

   “if”: { 

      “allOf”: […] 

   }, 

   “then”: { 

      “effect”: “deny 

   } 

} 

 

Deny! Deny! Deny? 

If I am safest with denial, should I not always denyProbably notThere are methods and patterns in Azure policy that will allow us to remediate deployments after the factFor instance, when resources are not properly tagged, rather than deny for a comparatively trivial missing tag, our remediation will properly tag after the fact, which keeps us moving forward as a team and keeps us moving forward with governanceOpen and consistent dialogues are especially important. We are all creating that ideal Azure gemstone together, taking the time to give us effective policy facets is key to effective empowerment. 

Empowering your organization in Azure within the bounds of your business goals takes time but is worth the effort for both development teams and business leaders. 

  1. Do you have assets in Azure that have been created inconsistently? 
  2. Are teams enabled to create resources in Azure? 
  3. Are your teams moving slowly because existing organizational structures are not cloud friendly? 

If you answered yes to one or more questions you likely have self-service issues working with Azure. For more assistance or a free consultation, contact InCycle. Alternatively, to learn more about enterprise governance, download Azure Governance Playbook!