Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as policy definitions. To simplify management, several business rules can be grouped together to form a policy initiative (sometimes called a policySet). Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources.
The compliance results generated by the assigned policy or intiatives can be viewed from the Azure portal > Policy > Compliance. However, currently there is no direct alerting mechanism built into Azure Policy. This project will help with the following objectives:
- Deploy the infrastructure required for this setup using Terraform
- Schedule an on-demand scan (every hour) to get the latest non-compliance results
- Report non-compliant resources via email notifications to team members in order to improve remediation time
Here are a few learning resources to get started with:
- Install Terraform
- Install Atom
- Install Azure CLI
- Install OpenSSL
- Microsoft Azure account
- Roles & permissions in Azure: These are some Azure built-in roles that may be required, if you are not an Owner for a given subscription:
The workflow is as follows:
- The Terraform code deploys all the required resources. However, you will have to manually authorize the automation accounts in the logic app (more information under post-deployment steps)
- The logic app is the backbone of this entire framework
- The logic app triggers the automation account to run the PowerShell-runbook once every hour to run an on-demand policy scan. This script looks for resources that are non-compliant in accordance to the assigned Azure policies that have effect as "deny". If you need all the non-compliant resources irrespective of the effect, you can change the command filter accordingly
- This non-compliant resource information is sent to the Log Analytics Workspace as custom logs
- The scheduled query runs every hour and gets the latest non-compliant resource information from logs and sends an email with the resource information to the notifiers
Clone this repository, unzip it and open it in Atom (or any source code editor of your choice).
After you have opened the folder, add the values of your environment in the following placeholders:
- In
variables.tfadd the email address of the team members to be added to the notifications group (line 7) - In
variables.tfadd tenant id, client id and subscription id (line 23-24, 30-31 and 38-39) - (Optional) In
variables.tf, you can change the app_id (line 12) - (Optional) In
deploy.tf, you can change the query values for the alert rule (line 162-167) - Under the folder
template:
5.1 Inazureautomation.json, add the subscription-id in the placeholder marked "subscription-id-here"
5.2 Inazureloganalytics.json, add the subscription-id in the placeholder marked "subscription-id-here>"
5.3 Intemplate.json, add the subscription-id in the placeholders marked "subscription-id-here" (line 10, 15, 96, 118, 133 and 139) - Add OpenSSL to the environement variable and use the following to generate a certificate:
openssl req -x509 -sha256 -nodes -days 730 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
openssl pkcs12 -export -keypbe NONE -certpbe NONE -inkey privateKey.key -in certificate.crt -out certificate.pfx - Add these generated certificates under the
alert-scriptsfolder
-
Add Azure CLI, Terraform path in the environment variables
-
Authenticate to Azure using
az logincommand from the command prompt
-
Open a command prompt (using elevated privilege) and redirect the directory to the
azurepolicyalerts\alerts-scriptfolder -
Type
terraform init -
Once your Terraform is initialized, type
terraform plan. -
After the plan is created, type
terraform apply. It should take between 3-5 mins to create all of the resources -
Go to your portal and check for all the resources under
rg-us-policy-resource-group -
Team members will also get an email notification as below
After the Terraform deployment is complete, follow the steps below:
- Select the API connectors from the resource group and "Authorize" them using your Azure account – this will allow the API to perform the underlying actions on your part
- Next, go to the logic app and select the
Logic app designerunder Development Tools
- Expand the
Connectionspart and select theazureautomationradio button. This should auto-fill all the parameters. You can also authorize this using your Azure account
- Expand the Condition action and further the
Trueaction. We need to add the log analytic workspace ID and primary key here for the collector API to send logs
- You can find these values from Log Analytics Workspace > Advanced Settings (under Settings) > Connected Sources > Agents Management
Note: You will not be able to see any custom logs until the logic app runs its schedule a couple of times.
Please read CODE_OF_CONDUCT.md for details about our code of conduct, and the process for submitting pull requests to us.
- Current version is 1.0
Please read version.md for details on versions.
- Rachana Kamat - Initial work
See also the list of contributors who participated in this project.
This project is licensed under the MIT License - see the LICENSE.md file for details.
The concept for the workflow has been referenced from the following blogs:
- Azure Monitor alerting rule to notify non-compliant resourrce by Marius Sandbu
- Using Log Analytics alerts for non-compliant Azure Policies by Andrew Kelleher
Special thanks to my mentors - Mike Virginio & Chris O'Connor – Security, Wayfair