Azure Policy Pre-Flight Checker

Kim Vaddi

Scan Bicep/ARM templates before deployment against Azure Policy assignments. Shows inline violations, explains blocking policies, and auto-generates fixes. Shift compliance left and eliminate the deploy-fail-fix-redeploy cycle.

Shift compliance left. Eliminate the deploy-fail-fix-redeploy cycle.


The Problem

Today's workflow when deploying Azure infrastructure:

  1. Write Bicep/ARM template
  2. Deploy to Azure
  3. ❌ Resources denied by Azure Policy
  4. Scramble to understand which policy blocked you
  5. Fix the template
  6. Redeploy
  7. Repeat until it works

There's zero pre-deployment policy validation in VS Code. You only discover policy violations after deployment fails.

The Solution

Azure Policy Pre-Flight Checker scans your Bicep/ARM templates before deployment against Azure Policy assignments — right inside VS Code.

Key Features

| Feature | Description |
|---|---|
| 🔍 Inline Policy Diagnostics | Shows violations as red squiggles directly in your editor — just like TypeScript errors |
| 📋 Clear Explanations | Each violation tells you exactly which policy blocks you and why |
| 🔧 Auto-Fix Suggestions | Lightbulb quick-fixes that add the required property/value (e.g., minimumTlsVersion: 'TLS1_2') |
| ☁️ Azure Integration | Fetch your actual policy assignments from your Azure subscription |
| 📁 Custom Policy Import | Import custom policies via JSON files for offline/air-gapped environments |
| 📊 15+ Built-in Policies | Ships with common security policies (TLS, HTTPS, public access, tags, managed identity) |
| ⚡ Scan on Save | Automatically validates your template every time you save |

How It Works

┌─────────────────┐     ┌──────────────────┐     ┌────────────────────┐
│  Bicep/ARM File  │────▶│  Template Parser  │────▶│  Resource Objects   │
└─────────────────┘     └──────────────────┘     └────────────────────┘
                                                          │
                                                          ▼
┌─────────────────┐     ┌──────────────────┐     ┌────────────────────┐
│  VS Code Editor  │◀────│  Diagnostics     │◀────│  Policy Engine      │
│  (Red Squiggles) │     │  + Code Actions  │     │  (Evaluates Rules)  │
└─────────────────┘     └──────────────────┘     └────────────────────┘
                                                          ▲
                                                          │
                        ┌──────────────────┐     ┌────────────────────┐
                        │  Azure SDK       │────▶│  Policy Definitions  │
                        │  Custom JSON     │     │  + Assignments       │
                        └──────────────────┘     └────────────────────┘

Getting Started

1. Install the Extension

Search for "Azure Policy Pre-Flight Checker" in the VS Code Marketplace, or install from the command line:

code --install-extension KimVaddi.azure-policy-preflight-checker

2. Open a Bicep or ARM Template

The extension activates automatically when you open .bicep or ARM template .json files.

3. Scan for Violations

  • Automatic: Save the file — violations appear as diagnostics
  • Manual: Use the Command Palette (Ctrl+Shift+P) → Azure Policy Pre-Flight: Scan Current File
  • Workspace: Azure Policy Pre-Flight: Scan Workspace to check all templates

4. Fix Violations

Click the 💡 lightbulb on any violation to apply the suggested fix automatically.

5. (Optional) Connect to Azure

To scan against your actual Azure Policy assignments:

  1. Sign in to Azure: az login (or use the Azure Account extension)
  2. Run: Azure Policy Pre-Flight: Fetch Policies from Azure Subscription
  3. Enter your subscription ID

Built-in Policy Coverage

The extension ships with 15+ built-in policies covering critical security scenarios:

| Category | Policies | Effect |
|---|---|---|
| Storage | HTTPS-only, TLS 1.2, disable public access | Deny |
| App Service | HTTPS-only, TLS 1.2, managed identity | Deny/Audit |
| Key Vault | Soft delete, purge protection | Deny |
| SQL Server | TDE enabled, TLS 1.2 | Deny/Audit |
| Networking | No unrestricted inbound NSG rules | Deny |
| AKS | RBAC enabled | Deny |
| Cosmos DB | Disable public network access | Audit |
| Tags | Require Environment tag | Deny |

All policies reference official Microsoft documentation. Click the policy name in the diagnostic to see the full details and Microsoft Learn link.

Custom Policies

Import from JSON

  1. Command Palette → Azure Policy Pre-Flight: Import Custom Policies from JSON
  2. Select one or more .json files containing policy definitions

Policy File Format

The extension accepts policies in Azure Policy definition format:

[
  {
    "name": "my-custom-policy",
    "displayName": "Require specific tag",
    "policyRule": {
      "if": {
        "field": "tags['CostCenter']",
        "exists": false
      },
      "then": {
        "effect": "deny"
      }
    }
  }
]
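
The evaluation step from the How It Works diagram, applied to the policy file format above, as an added TypeScript example (not the extension's own policyEngine.ts). It handles only allOf/anyOf/not with exists/equals/notEquals; the dotted-path field lookup, the second policy and both resources are constructed for illustration.

```typescript
// Added example: minimal evaluator for the policy file format above (not the extension's engine).
type Resource = { type: string; name: string; tags?: Record<string, string>; properties?: Record<string, unknown> };
type Condition =
  | { allOf: Condition[] } | { anyOf: Condition[] } | { not: Condition }
  | { field: string; exists?: boolean | string; equals?: unknown; notEquals?: unknown };
interface Policy { name: string; displayName: string; policyRule: { if: Condition; then: { effect: string } } }

// Resolve a field reference: tags['X'], tags.X, or (assumption) a dotted path into the resource.
function resolveField(res: Resource, field: string): unknown {
  const m = /^tags(?:\['(.+)'\]|\.(.+))$/.exec(field);
  const key = m ? m[1] ?? m[2] : undefined;
  if (key !== undefined) return res.tags?.[key];
  let cur: unknown = res;
  for (const part of field.split(".")) {
    if (cur === null || typeof cur !== "object") return undefined;
    cur = (cur as Record<string, unknown>)[part];
  }
  return cur;
}
// Azure Policy compares strings case-insensitively for equals/notEquals.
function sameValue(a: unknown, b: unknown): boolean {
  return typeof a === "string" && typeof b === "string" ? a.toLowerCase() === b.toLowerCase() : a === b;
}
// True when the resource satisfies the rule's "if", meaning the "then" effect applies.
function matches(res: Resource, c: Condition): boolean {
  if ("allOf" in c) return c.allOf.every((x) => matches(res, x));
  if ("anyOf" in c) return c.anyOf.some((x) => matches(res, x));
  if ("not" in c) return !matches(res, c.not);
  const value = resolveField(res, c.field);
  if (c.exists !== undefined) return (value !== undefined) === (String(c.exists).toLowerCase() === "true");
  if (c.equals !== undefined) return sameValue(value, c.equals);
  if (c.notEquals !== undefined) return !sameValue(value, c.notEquals);
  throw new Error(`unsupported condition on field ${c.field}`);
}
function evaluate(resources: Resource[], policies: Policy[]): string[] {
  const out: string[] = [];
  for (const r of resources) for (const p of policies)
    if (matches(r, p.policyRule.if)) out.push(`${r.name}: ${p.policyRule.then.effect} by ${p.name}`);
  return out;
}
// The first policy is the page's sample; the second policy and the resources are constructed.
const policies: Policy[] = [
  { name: "my-custom-policy", displayName: "Require specific tag",
    policyRule: { if: { field: "tags['CostCenter']", exists: false }, then: { effect: "deny" } } },
  { name: "example-storage-tls", displayName: "Storage TLS 1.2 (constructed)", policyRule: { if: { allOf: [
    { field: "type", equals: "Microsoft.Storage/storageAccounts" },
    { field: "properties.minimumTlsVersion", notEquals: "TLS1_2" } ] }, then: { effect: "deny" } } } ];
const resources: Resource[] = [
  { type: "Microsoft.Storage/storageAccounts", name: "stlogs", tags: { CostCenter: "42" }, properties: { minimumTlsVersion: "TLS1_0" } },
  { type: "microsoft.storage/storageaccounts", name: "stdata", properties: { minimumTlsVersion: "TLS1_2" } } ];
```

Calling evaluate(resources, policies) reports stlogs for the TLS rule and stdata for the missing CostCenter tag; a resource with no tags block at all still trips an exists: false rule.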

Workspace Policies

Place .policy.json files anywhere in your workspace — they're automatically loaded on startup.

Configuration

| Setting | Default | Description |
|---|---|---|
| azurePolicyPreflight.enableOnSave | true | Auto-scan on file save |
| azurePolicyPreflight.enableOnOpen | false | Auto-scan when file opens |
| azurePolicyPreflight.customPolicyPaths | [] | Paths to custom policy JSON files |
| azurePolicyPreflight.severityLevel | Error | Diagnostic severity (Error, Warning, Information, Hint) |
| azurePolicyPreflight.excludePatterns | [] | Glob patterns to exclude from scanning |
| azurePolicyPreflight.azureSubscriptionId | "" | Azure subscription ID for fetching policies |
| azurePolicyPreflight.enableAutoFix | true | Enable auto-fix code actions |

Commands

| Command | Description |
|---|---|
| Azure Policy Pre-Flight: Scan Current File | Scan the active editor for violations |
| Azure Policy Pre-Flight: Scan Workspace | Scan all Bicep/ARM files in the workspace |
| Azure Policy Pre-Flight: Import Custom Policies from JSON | Import policies from JSON files |
| Azure Policy Pre-Flight: Fetch Policies from Azure Subscription | Download policies from your Azure subscription |
| Azure Policy Pre-Flight: Clear All Policy Diagnostics | Remove all violation markers |
| Azure Policy Pre-Flight: Show Policy Details | View full policy information |

Microsoft Best Practices & References

This extension is built following Microsoft's recommended approaches:

  • Azure Policy Overview — Understanding Azure Policy fundamentals
  • Policy as Code — Treating policy definitions as source code
  • Policy Definition Structure — The JSON structure of policy rules
  • Safe Deployment Practices — Rolling out policy assignments safely
  • Built-in Policy Definitions — Complete list of Microsoft's built-in policies
  • Well-Architected Framework — Security Pillar — Security best practices for Azure workloads
  • Cloud Adoption Framework — Enterprise-scale governance guidance
  • Azure Security Benchmark — Industry-standard security controls

Architecture

src/
├── extension.ts            # Extension entry point
├── engine/
│   ├── policyEngine.ts     # Core evaluation engine
│   ├── armParser.ts        # ARM template JSON parser
│   ├── bicepParser.ts      # Bicep file parser
│   ├── builtinPolicies.ts  # Built-in policy definitions
│   └── policyLoader.ts     # Multi-source policy loader
├── providers/
│   ├── diagnosticsProvider.ts  # VS Code diagnostics (red squiggles)
│   ├── codeActionProvider.ts   # Quick-fix code actions
│   └── statusBar.ts            # Status bar integration
├── azure/
│   └── azurePolicyClient.ts    # Azure SDK integration
├── models/
│   └── types.ts                # TypeScript type definitions
└── utils/
    └── config.ts               # Configuration reader

Contributing

Contributions are welcome! Please open an issue or pull request on GitHub.

License

MIT


Built by Kim Vaddi
Eliminating the deploy-fail-fix-redeploy cycle, one policy at a time.
