Proposal for Adding Azure Policies to check list and converting Azure Resource Graph Queries to Azure Policies

[ealtili]

In this repo we are converting statements to Azure Resource Graph Queries. However we can use Azure Policies to audit and policy actions to modify resources to match the statements. Which is aligned with Policy as code approach.

Attaching Excel Sheet that has most of the statement in the review checklist per azure service and

All the built-in Azure Policies from https://github.com/Azure/azure-policy
Custom Community Policies from https://github.com/Azure/Community-Policy
Azure Landing Zone Policies from https://github.com/Azure/Enterprise-Scale/tree/main/src/resources/Microsoft.Authorization
Azure Monitoring Baseline Alerts from https://github.com/Azure/azure-monitor-baseline-alerts/tree/main/patterns/alz

How To Convert Existing Statements to Azure Policies

Azure resource graph queries are a way of querying the properties and relationships of Azure resources using the Kusto query language. Azure policies are a way of enforcing rules and effects over resources to ensure compliance with standards and best practices.

To convert an existing Azure resource graph query into a policy, we need to follow these steps:

Define the policy effect, such as deny, audit, or append.
Define the policy rule, which is a logical expression that evaluates to true or false for each resource.
Use the where clause of the resource graph query to filter the resources that the policy applies to.
Use the summarize clause of the resource graph query to aggregate the results and check for compliance conditions.
Use the project clause of the resource graph query to select the properties that the policy returns.

We can use existing tools that can help with this task, such as the ConvertToPolicy tool by robinchapas, which is a script that converts a resource graph query into a policy rule.

We can also use the Azure Resource Graph sample queries for Azure Policy article to learn from some examples of how to write policy rules based on resource graph queries.

azpolicy.xlsx

If this proposal is okay by the community we can work together

[erjosito]

Hey @ealtili I like this idea! What do you think about generating bicep templates containing the policies resulting from the queries, so that folks can deploy them to their subscriptions?

[ealtili]

Hi @erjosito Indeed this is what I was going to recommend as well. Deploying policies using Bicep Deployment Stacks

So we can have folder Structure

• Policy
  • PolicySet
  • PolicyDefinition
  • PolicyAssignment

I can create this bicep structure and make a pull request.

I appreciate If you let me know to use an existing branch to use or I can create a branch and make a pull request.

Once we create policy structure we can also discuss about incorporating Azure Well Architected review tool Basically then may be for each service it can be aligned with the checklist.

[erjosito]

Do you think it is going to be feasible creating the bicep files automatically from the ARG queries in the JSON checklists? I would probably have that in a branch, before the automation works.

[erjosito]

Hey I have been having a look at https://github.com/robinchapas/ConvertToPolicy/blob/master/GraphToPolicy.ps1, and finding some challenges here:

• The REST API /providers/Microsoft.ResourceGraph/resources/policy doesn't seem to be documented in https://learn.microsoft.com/rest/api/azure-resourcegraph/.
• I am getting the error message The query returned an error. Adjust the query directly with Resource Graph to validate expected results, then try again, but without docs it is hard to troubleshoot.
• In any case, the queries stored in the checklist need to be massaged, since they return the extended field compliant, which needs to be changed into a valid rule for policies.