Azure Policy Visual Studio Code Extension
Azure Policy enforces standards and evaluates compliance at scale for your Azure environment. This extension is to help streamline the management and authoring of Resource Manager mode policy definitions and assignments.
Azure Policy Visual Studio Code extension simplifies the experience of finding, understanding, and authoring policies by putting your policy definitions, assignments, and initiatives, and your resources, in JSON format into a convenient tree view allowing fast navigation. You are able to see aliases that apply to a resource, discover available aliases, and even evaluate your policies against a resource. You are able to quickly run a resource compliance evaluation by selecting a definition, assignment and deployed azure resource. You are able to quickly generate an Azure Policy definition from a constraint template YAML for use with Azure-enabled Kubernetes clusters.
Note: the Azure Policy Visual Studio Code extension supports evaluation of ++Resource Manager mode++ policies only. Some namespaces also support Resource Provider mode policies, but evaluation of those types of policies is not supported by the extension at this time. We are working on an approach to support this scenario.
We are introducing a new tool: create an Azure Policy definition from a constraint template YAML. Authoring policies for Kubernetes can be very hard, especially if coming from a Kubernetes background. If you are familiar with Gatekeeper constraint templates and want to monitor compliance states and enforce policies in your Kubernetes clusters through Azure, you can get started by generating an Azure Policy from a constraint template. Once the policy is generated, just fill in the missing pieces and create the policy definition in Azure as you would with any other type of Azure Policy.
How to Use the Azure Policy Extension
The Azure Policy VSCode extension is a generally useful tool to help with developing policy definitions. The two primary scenarios are to view the JSON contents of a resource or a policy object, and to see the result of evaluating a policy definition against a resource.
In the top left 'Resources' tree view, under each subscription there are two folders: 'Resource Providers' and 'Resource Groups'. Under 'Resource Providers', resources are divided by resource provider such as 'Microsoft.Compute' or 'Microsoft.Network' that are registered to that subscription. This view shows all resources, including proxy resources, organized by Resource Provider namespace and resource type hierarchy. Under 'Resource Groups', resources are divided by resource group. The 'Resource Groups' view shows only tracked resources (resources that are members of a resource group). To see proxy resources, you need to browse to the resource type under the 'Resource Providers' folder.
Selecting a resource will display its JSON contents in an editor tab on the right. By default it will be opened in Preview mode, which means that when another node in the treeview is selected, the new resource contents will replace the previous contents in the same editor tab. If you want to keep a tab open to a particular resource even after you navigate away, select the Pin this resource in a tab command on the item in the treeview. If you want to save and/or edit a copy of the resource, use the Save this resource as... command on the item. Editing a resource is useful as a fast way to test policy compliance evaluation on different resource values.
View policy definitions, assignments, and initiatives
In the middle left 'Policies' tree view, under each subscription there are four folders: 'Assignments', 'Built-in Definitions', 'Custom Definitions', and 'Initiatives'. This view shows all of the policy objects for the given subscription divided by those types.
Similar to viewing resources above, select a policy item in the treeview to display its JSON contents in a tab on the right. The policy treeview items have similar commands: Pin this policy item in a tab, and Save this policy item as... for keeping the item in its tab or saving the item to a file for separate storage or editing. When you are satisfied with the contents of a policy definition, you can copy to the clipboard and paste it into the portal to create a new policy or update an existing one.
Discover aliases inline while editing your policy definition
Previously, you had to have an instance of a given resource type containing the specific property in order to discover the alias for one of its properties or run a Powershell cmdlet from the command line. Now you can discover aliases inline while editing your policy definition. Just start typing after the "field": keyword and full completion lists will show available matching fields, including policy aliases.
View the result of evaluating a policy against a resource
In the bottom left 'Evaluation' view, you will see a list of currently open resources and policy items. Commands within that view allow you to select a policy definition and a resource for evaluation. If the policy definition requires parameter values, you will also need to select an assignment to provide the parameter values. If the policy definition effect is DeployIfNotExists or AuditIfNotExists, you will also need to select a related resource for the existence check. After you have selected these items, run the Evaluate policy selection against resource selection command at the top right corner of the Evaluation pane to get the evaluation results.
Test local changes to policy definitions or resources
You can use Save As commands to save any policy item or resource to a local file and continue to use it for policy inner loop testing. As you make changes to a policy definition or resource, you can immediately reevaluate compliance of the resource without needing to update the policy in Azure and wait for the Azure Policy service to perform a compliance evaluation each time.
This can be particularly helpful for trying different parameter values. First save a policy assignment to a file, then use it in evaluations after manually editing it to try different values. This is also an easy way to add and remove parameter values without needing to create a new policy assignment for testing.
After your are satisfied with the operation of your policy definition, you can copy-paste it to the Azure Policy portal to update it in Azure.
Understanding evaluation results
The evaluation results contain the same JSON information that evaluations in the real service return. The main thing to look for is the "policyEvaluations" array, which normally contains 0 or 1 object. No policy evaluations means the policy didn't apply to the resource. One policy evaluation can be expected to contain an "evaluationResult" value of Compliant or NonCompliant and some details about the policy that was evaluated. The "modifiedFields" indicates which fields, if any, would be updated by the policy and "updatedRequestContent" gives the full resource as updated by the policy. The messages array is for internal debugging and can be ignored. If the evaluation fails with an error, the message field contains all available information about the failure.
Generate an Azure Policy definition from a constraint template
To generate an Azure Policy definition from a constraint template open your constraint template YAML file in the editor, select 'View' -> 'Command Palette' and select 'Azure Policy for Kubernetes: Create Policy Definition from Constraint Template'. A second panel will appear with options for the constraint template source type. Select 'PublicURL' if you want to reference your constraint template with a public url. Select 'Base64Encoded' if you want to reference your constraint template as a base 64 encoded string embedded within the newly generated policy definition JSON. After the policy definition has been generated, make sure to fill in all the missing properties with the / EDIT HERE / prompts. Create and assign the policy definition as you would with any other Azure Policy.
Summary of Features
This extension requires VSCode build 1.58.0 or newer. Supported operating systems (architectures):
however, see Known issues below for current limitations.
Visual Studio Code extension documentation: https://docs.microsoft.com/azure/governance/policy/how-to/extension-for-vscode
This extension requires and automatically installs two other extensions
What we're working on...
Ideas, feature requests and bugs: Email firstname.lastname@example.org! We are open to all ideas and we want to get rid of bugs!
Reports of limited functionality on some Mac models with M1 processor
This problem is still under investigation
See the changelog for this extension
Visual Studio Code collects usage data and sends it to Microsoft to help improve our products and services. Read our privacy statement to learn more. If you don’t wish to send usage data to Microsoft, you can set the telemetry.enableTelemetry setting to false. Learn more in our FAQ.
This extension is licensed under the MIT license. By downloading and using the Visual Studio Azure Policy extension and its related components, you agree to the product license terms and privacy statement.