Policy definitions can also be packaged using initiative definitions and applied to a scope using initiative assignments. Policy and initiative definitions both support parameter sets, which help simplify the reuse of a policy at multiple scopes.
A policy definition describes your desired behavior for Azure resources at the time resources are created or updated. Through a policy definition, you declare what resources and resource features are considered compliant within your Azure environment and what should happen when a resource is noncompliant. For example, you can create a policy that states that resources can only be created in the East US and West US regions for an entire subscription. If a user attempts to create a resource in East US 2, Azure Policy can deny the creation of the resource because it does not meet the stated compliance goal for allowed regions. In this example, Azure Policy is used to deny the creation of a resource and so to enforce organizational standards. As you further explore Azure Policy, you will learn that it can be used not just as a deny mechanism but also as an auditing and creation mechanism.
Policy definitions are authored in JSON. The schema for Azure Policy can be downloaded from https://schema.management.azure.com/schemas/2020-10-01/policyDefinition.json. A policy definition contains these elements:
- Mode
- Parameters
- Display Name
- Description
- Metadata
- Policy Rule, which itself consists of:
  - Logical Evaluation (the if condition that selects resources)
  - Effect (the then action applied to matching resources)
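As an added example (not code from the original text), the following is a custom policy definition in the JSON shape accepted by the REST API and ARM templates for the allowed-regions scenario described above. The display name, description, parameter names and default values are assumptions chosen for illustration. The definition makes the effect a parameter so the same rule can be assigned with Audit first and switched to Deny later without editing the definition, and it excludes the pseudo-location "global" so that global resources are not flagged as noncompliant.

```json
{
  "properties": {
    "displayName": "Allowed locations (custom example)",
    "description": "Restricts the region in which resources may be created. Assumed custom definition for illustration.",
    "mode": "Indexed",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Regions in which resources may be created.",
          "strongType": "location"
        },
        "defaultValue": [ "eastus", "westus" ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Assign with Audit first to measure impact, then switch the assignment to Deny."
        },
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('allowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

The mode Indexed limits evaluation to resource types that support location and tags, which is the correct choice for a location rule. When you create the definition with Azure CLI or Azure PowerShell rather than the REST API, the policyRule object and the parameters object are supplied separately (for example via `--rules` and `--params` with `az policy definition create`), so only the inner objects shown here are needed in those files.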
Policy definitions can be created through the Azure portal by browsing to the Policy service under All Services and then choosing Policy, Definitions. From this blade, you can manage both built-in policies and any custom policies that you create. Figure 1-32 shows a list of the built-in policies for the selected subscription.
FIGURE 1-32 Azure built-in policies
Keep in mind that Azure Policy can also be managed and applied at the management group scope. By associating policies with management groups, policy definitions and policy assignments can be shared across multiple subscriptions. This includes the ability to monitor multiple subscriptions for compliance. It also allows you to secure the management of organization-wide policy at a level above a single subscription.
When managing resource groups—and in many cases the multiple Azure services that reside within them—Azure Policy with policy definitions and policy assignments can be used to govern those resources. Initiative definitions and initiative assignments can be used to govern those same resources, but instead of applying multiple policy definitions and making multiple policy assignments, you can package or group multiple definitions into a single initiative and then assign that initiative to your desired scope.
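As an added example (not code from the original text), the following initiative definition in the JSON shape accepted by the REST API and ARM templates packages two policy definitions into one assignable unit and exposes a single parameter set at the initiative level. The display name, parameter names and the angle-bracket placeholders for the referenced policy definition IDs are assumptions for illustration; the parameter names passed to each referenced definition (allowedLocations and tagName) are assumed to match the parameters those definitions declare.

```json
{
  "properties": {
    "displayName": "Baseline governance (custom example)",
    "description": "Groups a region restriction and a required-tag check into one initiative. Assumed initiative for illustration.",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "strongType": "location"
        },
        "defaultValue": [ "eastus", "westus" ]
      },
      "requiredTagName": {
        "type": "String",
        "metadata": {
          "displayName": "Required tag name"
        },
        "defaultValue": "costCenter"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "allowedLocations",
        "policyDefinitionId": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/policyDefinitions/<allowed-locations-definition-name>",
        "parameters": {
          "allowedLocations": { "value": "[parameters('allowedLocations')]" }
        }
      },
      {
        "policyDefinitionReferenceId": "requireTag",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/<require-tag-definition-id>",
        "parameters": {
          "tagName": { "value": "[parameters('requiredTagName')]" }
        }
      }
    ]
  }
}
```

Each entry in policyDefinitions references an existing policy definition by its full resource ID (a custom definition under a subscription or management group, or a built-in definition under /providers/Microsoft.Authorization) and maps the initiative's parameters onto that definition's parameters. Assigning this one initiative at a management group scope applies both rules to every subscription beneath it, and the parameter values can be overridden per assignment when a particular scope needs different regions or a different tag.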