Edit

Share via

Implement Azure Policy with Azure DevOps release pipelines

  • Article

Azure DevOps Services

Learn how to enforce compliance policies on your Azure resources before and after deployment with Azure Pipelines. Azure Pipelines lets you build, test, and deploy with continuous integration (CI) and continuous delivery (CD) using Azure DevOps. One scenario for adding Azure Policy to a pipeline is when you want to ensure that resources are deployed only to authorized regions and are configured to send diagnostics logs to Azure Log Analytics.

You can use either the classic pipeline or YAML pipeline processes to implement Azure Policy in your CI/CD pipelines.

For more information, see What is Azure Pipelines? and Create your first pipeline.

Prepare

  1. Create an Azure Policy in the Azure portal. There are several predefined sample policies that can be applied to a management group, subscription, and resource group.

  2. In Azure DevOps, create a release pipeline that contains at least one stage, or open an existing release pipeline.

  3. Add a pre- or post-deployment condition that includes the Check Azure Policy compliance task as a gate. More details.

    Screenshot of Azure Policy Gate.

If you're using a YAML pipeline definition, then use the AzurePolicyCheckGate@0 Azure Pipelines task.

Validate for any violation(s) during a release

Note

Use the AzurePolicyCheckGate task to check for policy compliance in YAML. This task can only be used as a gate and not in a build or a release pipeline.

  1. Navigate to your team project in Azure DevOps.

  2. In the Pipelines section, open the Releases page and create a new release.

  3. Choose the In progress link in the release view to open the live logs page.

  4. When the release is in progress and attempts to perform an action disallowed by the defined policy, the deployment is marked as Failed. The error message contains a link to view the policy violations.

    Screenshot of Azure Policy failure message.

  5. An error message is written to the logs and displayed in the stage status panel in the releases page of Azure Pipelines.

    Screenshot of Azure Policy failure in log.

  6. When the policy compliance gate passes the release, a Succeeded status is displayed.

    Screenshot of Policy Gates.

  7. Choose the successful deployment to view the detailed logs.

    Screenshot of Policy Logs.

Next steps

To learn more about the structures of policy definitions, look at this article:

Azure Policy definition structure