I recently transitioned our company's Azure policy management from a manual process using the Azure web portal to an automated pipeline with Terraform. While it's functional, I still find it lacking in certain areas. I'm curious about how others handle their Azure Policies or AWS Service Control Policies (SCPs). Any tips or best practices?
7 Answers
You might want to look into the org-formation CLI from GitHub. It's helpful for structuring service control policies and governance across AWS accounts.
Using Terraform, OpenTofu, or Bicep is the way to go! Leverage tools like jsonencode() to manage parts of the provider that only accept JSON strings.
I'm still learning the ropes, but I've just moved all our Azure Policies into Terraform, and it's way better than the manual method! Everything is set up in one repo, running `terraform plan` and `apply` when things are merged. It functions, though it feels a bit clunky. I've heard about incorporating OPA for validation before changes, which sounds promising.
We use the AWS Landing Zone Accelerator (LZA) for SCPs and account governance. It works great but can be overkill unless you're dealing with serious compliance needs or multi-account setups. LZA provides policy as code, among other capabilities, but the learning curve is steep. If it's just about managing SCPs, I think your Terraform approach is likely the better fit unless you have dedicated resources to handle the complexity.
If you're working with Azure, check out EPAC (Enterprise Azure Policy as Code). They offer documentation and a hydration kit for kicking off a repo and pipeline, plus it helps export your Azure policies from the portal. It's a solid starting point, and you can expand on it based on your needs.
While Terraform has its limitations for Policy management, some advanced configurations can yield a solid setup. My suggestion is to handle remediation tasks manually; they have a limited lifespan, and managing them through Terraform can lead to issues. You might want to explore EPAC for a PowerShell-based solution as a foundational approach for what you'll eventually build in Terraform.
For handling AWS Service Control Policies, we just stick to Terraform and use a JSON file to manage our content. You could also utilize template files for dynamic values, but we opted for hardcoded values – not the most elegant solution, but it gets the job done.
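An added example (mine, not from any poster) that combines the jsonencode() suggestion above with the SCP-in-Terraform approach in this answer: the policy body is written as an HCL object and rendered to the JSON string the resource needs, so values like the approved region list can come from variables instead of hardcoded JSON. The region list and OU id are constructed placeholders.

```hcl
# Added example: SCP managed through Terraform with jsonencode() (placeholders below).

variable "allowed_regions" {
  type    = list(string)
  default = ["eu-west-1", "eu-central-1"] # constructed sample values
}

variable "target_ou_id" {
  type    = string
  default = "ou-xxxx-placeholder" # placeholder: replace with a real OU id
}

locals {
  # Global services whose API calls are not region-scoped and must stay reachable.
  global_service_actions = [
    "iam:*", "sts:*", "organizations:*", "support:*",
    "cloudfront:*", "route53:*", "budgets:*", "account:*",
  ]

  # Policy document as an HCL object; jsonencode() renders the JSON that
  # the `content` argument of aws_organizations_policy requires.
  region_guardrail = {
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyOutsideApprovedRegions"
      Effect    = "Deny"
      NotAction = local.global_service_actions
      Resource  = "*"
      Condition = {
        StringNotEquals = { "aws:RequestedRegion" = var.allowed_regions }
      }
    }]
  }
}

resource "aws_organizations_policy" "region_guardrail" {
  name        = "deny-outside-approved-regions"
  description = "Deny region-scoped API calls outside the approved region list"
  type        = "SERVICE_CONTROL_POLICY"
  content     = jsonencode(local.region_guardrail)
}

resource "aws_organizations_policy_attachment" "region_guardrail" {
  policy_id = aws_organizations_policy.region_guardrail.id
  target_id = var.target_ou_id
}
```

The hand-maintained JSON file approach from this answer would instead set `content = file("${path.module}/policies/region-guardrail.json")`; the jsonencode() form lets `terraform plan` show a readable diff when the region list changes.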
We've got a similar setup, but we incorporate parameters and use some bash scripts for deployment. It helps us manage the complex logic for assignments, but honestly, if I'm away, I worry it might become a bottleneck.

It annoys me a bit that it's called EPAC and not EAPAC. Can't quite put my finger on why.