An automation to programmatically create policy exceptions in Azure Cloud
In modern cloud environments, policies play a crucial role in maintaining security, compliance, and governance. However, there are instances where exceptions to these policies are necessary due to specific circumstances or operational needs. Automating the process of creating and managing policy exemptions offers several key benefits:
- Efficiency
- Consistency
- Scalability
- Auditability
- Reduced Administrative Overhead
Policy exemption automation simplifies the process of managing exceptions to cloud policies.
Note
Policy Exemptions are applied at Subscription level scope
Here’s a brief overview of how it works:
Automation can be triggered manually (e.g., via a request form) or automatically (e.g., based on specific conditions or events).
Gather necessary details such as policy name, exemption reason, scope (e.g., subscription or resource group), and expiration date.
Validate inputs to ensure they meet the criteria and constraints. checks of the entered policy assignmentexists on the scope provided.
Use Azure python SDKs to create or update the policy exemption based on the provided details.
| Input | Description | Required |
|---|---|---|
| policy_name | Policy Name to be given Exception to | ✔️ |
| subscription_name | From which subscription we need to provide exemption. the scope | ✔️ |
| expires_after | Policy exemption should be automatically revoked after how long | ✔️ |
| unit | How long . Possible values are hour , day, month |
✔️ |
-
The Expiration of Policy Exemption depends on 2 factors . expires_after value and the unit.
-
Lets say the value of expires_after is
3and unit isday- the expiration will be after3 daysof executing the job -
If value of expires_after is
2and unit ishour- the expiration will be after2 hoursof executing the job -
If value of expires_after is
4and unit ismonth- the expiration will be after4 monthsof executing the job
- Using streamlit to Create pythin application
-
Provide valid Subscription Name
-
This returns the Subscription Id corresponding to the Subscription name
-
If entered Subscription Name is not found, None value is returned for Subscription Id
-
Once a valid subscription Id is returned using it, it will show us all assigned policies at the subscription level
-
Select the policy from dropdown which needs exemption
-
Provide a expires after value like 1 or 2 or 10 or 4.5 etc and unit value like day or month or hour.
-
Click on Apply Exemption to apply exemption.
-
Clone the repository and change direcctory into this
-
Install all dependancies using
poetry install -
Execute
poetry run streamlit run .\streamlit_app.py
use azure-identity for auth
-
The Azure Identity library provides Microsoft Entra ID (formerly Azure Active Directory) token authentication support across the Azure SDK azure-identity for auth
-
We need the below Env variables present for the code to execute without any exceptions environmentcredential
Service principal with secret:
AZURE_TENANT_ID: ID of the service principal's tenant. Also called its 'directory' ID.
AZURE_CLIENT_ID: the service principal's client ID
AZURE_CLIENT_SECRET: one of the service principal's client secrets-
This is the Microsoft Azure Resource Management Client Library azure-mgmt-resource-policy
-
This is Microsoft python SDK for executing resource graph query azure.mgmt.resourcegraph
-
This package is used to throw detailed exceptions of exceptions azure.core.exceptions
Tip
The policy exemption name length must not exceed '64' characters. I am using the same as policy name for exception. You can choose to change it as you see fit