Compliance with Azure DevOps and Azure Policy. Add Azure Policy into your Azure DevOps Release Pipelines to make sure your deployments are compliant.
You can add Release Gate (sometimes called Quality Gates) into your Azure DevOps Release Pipeline to check for Azure Policy violations.
Adding Azure Policy compliance assessments into your Azure DevOps Release Pipelines gives your development teams more agility by streamlining the deployment approval process without sacrificing compliance.
In this post we’ll look at using the integration between Azure DevOps and Azure Policy to configure a Deployment Gate that checks for Azure Policy compliance before deploying our resources to a higher environment i.e. from DEV to TEST.
Prerequisites
To follow along with this post you’ll need the following:
- An Azure subscription. If you don’t have an Azure Subscription, you can create a free account).
- Two Resource Groups within your Azure Subscription (DEV and TEST).
- An Azure DevOps Organization, project with an Azure Resource Manager Service Connection to your Azure Subscription and Git repository.
A basic ARM Template stored in the Git repository of your Azure DevOps project. The ARM template that we used for this example can be found here.
Note: The Service Principal that you are using for your Azure DevOps Service Connection must have the Contributor role in both of the Resources Groups in as well as the Reader role on the Subscription.
Azure Policy
The first thing we need to do is to assign the Built-in Allowed Locations to our Azure Subscription with an exclusion scope.
1 – Log in to the Azure Portal and open the Azure Policy service.
2 – Find the Allowed Location policy definition and select Assign.
3 – Configure the Scope and Exclusions for the policy assignment. The Scope should be your Azure Subscription and the Exclusions should be the DEV Resource Group.
4 – Specify the Parameters for the policy assignments selecting an Allowed location and click Review + Save. In this example, we are using the Australia East location.
So now we should have our Allowed Location policy definition assigned to our Azure Subscription but not our DEV Resource Group i.e. are only able to create resources in the Australia East location in our Subscription except for the DEV Resource Group where we can create resources in any location.
Azure DevOps Release Pipeline
Now it’s time to configure Azure DevOps Release Pipeline.
1 – In Azure DevOps go to Pipelines, Releases and select New pipeline.
2 – Select Empty job from the right menu in the new Pipeline screen.
3 – Select Add artifact and specify the details for your Azure Git Repository.
4 – Add and configure the ARM Template deployment job to Stage 1 of your release pipeline and configure to point to the first Resource Group, defining Override template parameters for the storageAccountName and location.
5 – Clone Stage 1 renaming it to Stage 2 and updating the job details to point to the second Resource Group, updating the Override template parameters for the storageAccountName and location.
6 – Add Pre-deployment condition to Stage 2, enabling Gates and adding Check Azure Policy Compliance to check the Resource Group you defined in Stage 1.
Your release pipeline should look similar to the one below.
Note: Adjust the time values under the Evaluation option in the Check Policy Compliance Gate to shorten or increase the time between re-evaluation of gates and over time out for the gate.
Deploy Release and Check Results
Lastly we create a release to deploy our ARM Template to Stage 1 .
1 – Create release to start the deployment to Stage 1.
2 – After Stage 1 successfully finish the pre-deployment Check Policy Compliance Gate will be triggered.
Note: It is important to remember that we configured the Gate check that our first Resource Group and its Resources are compliant with all Azure Policies that have been assigned to it.
3 – Once of gate evaluates have succeeded your deployment will start deploying the ARM template to the second resource group we created.
Troubleshooting
If you need to troubleshoot your pre-deployment gate you can download all of the logs for the Release Pipeline. In the zip file there should be a Check Policy Compliance folder under the Stage -> PreGate.
In Summary
In this article, we explored the basics of using Release Gates in Azure DevOps by validating the state of our deployment with the built-in Check Azure Policy compliance task. More details on Azure DevOps Release Gates can be found here.
Thank you for reading. We hope that this article has provided you with some useful information.
Keith Jenneke
Managing Director | DevOps & Cloud Lead