Azure Policy Visual Studio Code Extension
Azure Policy enforces standards and evaluates compliance at scale for your Azure environment. This extension is to help streamline the management and authoring of Resource Manager mode policy definitions and assignments.
Azure Policy Visual Studio Code extension simplifies the experience of finding, understanding, and authoring policies by putting your policy definitions, assignments, and initiatives, and your resources, in JSON format into a convenient tree view allowing fast navigation. You are able to see aliases that apply to a resource, discover available aliases, and even evaluate your policies against a resource. You are able to quickly run a resource compliance evaluation by selecting a definition, assignment and deployed azure resource.
Note: the Azure Policy Visual Studio Code extension supports evaluation of ++Resource Manager mode++ policies only. Some namespaces also support Resource Provider mode policies, but evaluation of those types of policies is not supported by the extension at this time. We are working on an approach to support this scenario.
We have been working hard to make VSCode an indespensible tool for policy authors. With this release, we are very excited to be bringing you something that many of you have been asking for: live policy evaluation right from VSCode! Using the new Evaluation area in the lower left of the policy extension, you can select a policy definition and a resource and perform policy evaluation with a few mouse clicks.
Another major enhancement in this release is full completion lists for policy aliases. One difficulty faced by policy authors is discovering policy aliases. Previously, you had to have an instance of a given resource type containing the specific property in order to discover the alias for one of its properties or run a Powershell cmdlet from the command line. Now you can discover aliases inline while editing your policy definition. Just start typing after the "field": keywoard and and completion lists will show available matching fields, including aliases.
How to Use the Azure Policy Extension
The Azure Policy VSCode extension is a generally useful tool to help with developing policy definitions. The two primary scenarios are to view the JSON contents of a resource or a policy object, and to see the result of evaluating a policy definition against a resource.
In the top left 'Resources' tree view, under each subscription there are two folders: 'Resource Providers' and 'Resource Groups'. Under 'Resource Providers', resources are divided by resource provider such as 'Microsoft.Compute' or 'Microsoft.Network' that are registered to that subscription. This view shows all resources, including proxy resources, organized by Resource Provider namespace and resource type hierarchy. Under 'Resource Groups', resources are divided by resource group. The 'Resource Groups' view shows only tracked resources (resources that are members of a resource group). To see proxy resources, you need to browse to the resource type under the 'Resource Providers' folder.
Selecting a resource will display its JSON contents in an editor tab on the right. By default it will be opened in Preview mode, which means that when another node in the treeview is selected, the new resource contents will replace the previous contents in the same editor tab. If you want to keep a tab open to a particular resource even after you navigate away, select the Pin this resource in a tab command on the item in the treeview. If you want to save and/or edit a copy of the resource, use the Save this resource as... command on the item. Editing a resource is useful as a fast way to test policy compliance evaluation on different resource values.
View policy definitions, assignments, and initiatives
In the middle left 'Policies' tree view, under each subscription there are four folders: 'Assignments', 'Built-in Definitions', 'Custom Definitions', and 'Initiatives'. This view shows all of the policy objects for the given subscription divided by those types.
Similar to viewing resources above, select a policy item in the treeview to display its JSON contents in a tab on the right. The policy treeview items have similar commands: Pin this policy item in a tab, and Save this policy item as... for keeping the item in its tab or saving the item to a file for separate storage or editing. When you are satisfied with the contents of a policy definition, you can copy to the clipboard and paste it into the portal to create a new policy or update an existing one.
View the result of evaluating a policy against a resource
In the bottom left 'Evaluation' view, you will see a list of currently open resources and policy items. Commands within that view allow you to select a policy definition and a resource for evaluation. If the policy definition requires parameter values, you will also need to select an assignment to provide the parameter values. If the policy definition effect is DeployIfNotExists or AuditIfNotExists, you will also need to select a related resource for the existence check. After you have selected these items, run the Evaluate policy selection against resource selection command at the top right corner of the Evaluation pane to get the evaluation results. As you make changes to a policy definition or resource, you can immediately reevaluate compliance of the resource without needing to update the policy in Azure and wait for the Azure Policy service to perform a compliance evaluation each time.
Summary of Features
This extension requires VSCode build 1.48.0 or newer. Supported operating systems (architectures):
however, see Known issues below for current limitations.
Visual Studio Code extension documentation: https://docs.microsoft.com/azure/governance/policy/how-to/extension-for-vscode
What we're working on...
Ideas, feature requests and bugs: Email email@example.com! We are open to all ideas and we want to get rid of bugs!
See the changelog for this extension
Visual Studio Code collects usage data and sends it to Microsoft to help improve our products and services. Read our privacy statement to learn more. If you don’t wish to send usage data to Microsoft, you can set the telemetry.enableTelemetry setting to false. Learn more in our FAQ.
This extension is licensed under the MIT license. By downloading and using the Visual Studio Azure Policy extension and its related components, you agree to the product license terms and privacy statement.