- Infrastructure as Code with ARM Templates and Bicep: Part 1 – ARM Template Fundamentals
- Infrastructure as Code with ARM Templates and Bicep: Part 2 – Building Production-Ready Infrastructure
- Infrastructure as Code with ARM Templates and Bicep: Part 3 – Advanced ARM Template Patterns
- Infrastructure as Code with ARM Templates and Bicep: Part 4 – Introduction to Bicep
- Infrastructure as Code with ARM Templates and Bicep: Part 5 – Advanced Bicep Patterns
- Infrastructure as Code with ARM Templates and Bicep: Part 6 – CI/CD Integration and Advanced Deployment
- Infrastructure as Code with ARM Templates and Bicep: Part 7 – Enterprise Governance and Compliance

Enterprise Infrastructure as Code requires robust governance, compliance automation, and cost management. This final part covers Azure Policy integration, compliance frameworks, automated cost optimization, and enterprise-scale governance patterns.
What You’ll Learn
- Policy as Code implementation
- Compliance automation and reporting
- Advanced cost optimization strategies
- Enterprise governance patterns
- Regulatory compliance automation
Policy as Code Framework
// Enterprise Policy Framework
// Deployed at management-group scope so that the definitions, the initiative
// and the assignment declared in this file apply to every subscription under
// the target management group.
targetScope = 'managementGroup'

@sys.description('Management group ID. Declared for the caller; it is not referenced by any resource in this file — the deployment target is chosen by the CLI/pipeline invocation.')
param managementGroupId string

@allowed(['SOC2', 'ISO27001', 'HIPAA', 'PCI-DSS'])
@sys.description('Compliance framework label used in the initiative name and display name')
param complianceFramework string = 'SOC2'
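// Storage Security Policy
// Denies (by default) any storage account whose secure-transfer flag is not
// true. The effect is exposed as a policy parameter so the same definition can
// be assigned as Audit first and switched to Deny once existing accounts have
// been remediated; the default keeps the original Deny behaviour.
resource storageHttpsOnlyPolicy 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
  name: 'storage-https-only'
  properties: {
    displayName: 'Storage accounts should use HTTPS only'
    description: 'Storage accounts must have secure transfer (HTTPS only) enabled.'
    policyType: 'Custom'
    mode: 'All'
    metadata: {
      category: 'Storage'
    }
    parameters: {
      effect: {
        type: 'String'
        allowedValues: ['Audit', 'Deny']
        defaultValue: 'Deny'
        metadata: {
          displayName: 'Effect'
        }
      }
    }
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Storage/storageAccounts'
          }
          {
            field: 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly'
            notEquals: true
          }
        ]
      }
      then: {
        // Evaluated by Azure Policy at assignment time, not by Bicep.
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}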
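// Required Tags Policy
// The original rule checked only that *some* `tags` property exists, under
// mode 'All' — which also evaluates resource types that do not accept tags at
// all, so those would have been denied outright, while a resource carrying any
// unrelated tag would have passed. This version checks for one named tag and
// uses mode 'Indexed' so only tag-capable resource types are evaluated.
resource requiredTagsPolicy 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
  name: 'required-tags'
  properties: {
    displayName: 'Require specific tags on resources'
    description: 'Denies creation of resources that do not carry the required tag.'
    policyType: 'Custom'
    mode: 'Indexed'
    metadata: {
      category: 'Tags'
    }
    parameters: {
      tagName: {
        type: 'String'
        defaultValue: 'Environment'
        metadata: {
          displayName: 'Tag name'
          description: 'Name of the tag that every resource must carry.'
        }
      }
    }
    policyRule: {
      if: {
        // Builds the alias tags[<tagName>] from the policy parameter; the
        // expression is evaluated by Azure Policy, not by Bicep.
        field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]'
        exists: 'false'
      }
      then: {
        effect: 'Deny'
      }
    }
  }
}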
// Policy Initiative
// Groups the two custom definitions above into one assignable set. The
// compliance framework only labels the initiative; it does not change members.
var initiativeMembers = [
  {
    policyDefinitionId: storageHttpsOnlyPolicy.id
    policyDefinitionReferenceId: 'storageHttpsOnly'
  }
  {
    policyDefinitionId: requiredTagsPolicy.id
    policyDefinitionReferenceId: 'requiredTags'
  }
]

resource policySet 'Microsoft.Authorization/policySetDefinitions@2023-04-01' = {
  name: 'enterprise-governance-${complianceFramework}'
  properties: {
    displayName: 'Enterprise Governance - ${complianceFramework}'
    policyType: 'Custom'
    policyDefinitions: initiativeMembers
  }
}
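// Policy Assignment
// Assigns the initiative to the management group this deployment targets.
// Both members use Deny, so no managed identity is required; `identity` and
// `location` must be added before any DeployIfNotExists member is included.
// A non-compliance message tells the person whose request was denied why.
resource policyAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = {
  name: 'enterprise-governance-assignment'
  properties: {
    displayName: 'Enterprise Governance Assignment'
    description: 'Enterprise governance baseline (${complianceFramework}).'
    policyDefinitionId: policySet.id
    enforcementMode: 'Default'
    nonComplianceMessages: [
      {
        message: 'This resource violates the enterprise governance baseline (${complianceFramework}). See the policy compliance details for the failing rule.'
      }
    ]
  }
}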
Cost Optimization Automation
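// Cost Optimization Framework
// Subscription-scoped: the budget and the policy definition below are created
// in the subscription the deployment targets.
targetScope = 'subscription'

// A budget amount of zero or less is meaningless; reject it at deployment
// time instead of letting the budget resource fail.
@minValue(1)
@sys.description('Monthly cost threshold (budget amount) for alerts')
param costAlertThreshold int = 1000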
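// Budget with Alerts
// utcNow() is only permitted in a parameter default value in Bicep, so the
// period start is a parameter and the end date is derived from it; the
// original called utcNow() inside the resource body, which does not compile.
@sys.description('First day of the budget period (yyyy-MM-dd); defaults to the first of the current month')
param budgetStartDate string = utcNow('yyyy-MM-01')

@sys.description('Recipients of the budget threshold notification')
param budgetContactEmails array = ['finance@company.com']

resource monthlyBudget 'Microsoft.Consumption/budgets@2023-05-01' = {
  name: 'monthly-budget'
  properties: {
    category: 'Cost'
    amount: costAlertThreshold
    timeGrain: 'Monthly'
    timePeriod: {
      startDate: budgetStartDate
      // One year of monthly periods from the start date.
      endDate: dateTimeAdd(budgetStartDate, 'P1Y')
    }
    notifications: {
      // Fires once actual spend passes 80% of the amount for the period.
      'Actual_GreaterThan_80_Percent': {
        enabled: true
        operator: 'GreaterThan'
        threshold: 80
        contactEmails: budgetContactEmails
        thresholdType: 'Actual'
      }
    }
  }
}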
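// VM Auto-Shutdown Policy
// A DeployIfNotExists effect is only accepted together with a `details` block
// that names the related resource which must exist, the roles the assignment's
// managed identity needs to create it, and the template to deploy. The original
// omitted `details`, so the definition would be rejected. The related resource
// is the DevTest Labs shutdown schedule that the portal's "Auto-shutdown"
// feature creates next to the VM ("shutdown-computevm-<vmName>").
// Assigning this policy requires a system-assigned identity on the assignment.
resource vmAutoShutdownPolicy 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
  name: 'vm-auto-shutdown-policy'
  properties: {
    displayName: 'Deploy auto-shutdown for virtual machines'
    description: 'Deploys a daily shutdown schedule for virtual machines tagged as dev, test or staging.'
    policyType: 'Custom'
    // The rule evaluates tags, so restrict evaluation to tag-capable types.
    mode: 'Indexed'
    metadata: {
      category: 'Compute'
    }
    parameters: {
      shutdownTime: {
        type: 'String'
        defaultValue: '1900'
        metadata: {
          displayName: 'Shutdown time'
          description: 'Daily shutdown time in HHmm, UTC.'
        }
      }
    }
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Compute/virtualMachines'
          }
          {
            field: 'tags[\'Environment\']'
            in: ['dev', 'test', 'staging']
          }
        ]
      }
      then: {
        effect: 'DeployIfNotExists'
        details: {
          // Existence check: a shutdown schedule named after the VM in the
          // same resource group. All "[...]" strings below are evaluated by
          // Azure Policy at evaluation/remediation time, not by Bicep.
          type: 'Microsoft.DevTestLab/schedules'
          name: '[concat(\'shutdown-computevm-\', field(\'name\'))]'
          roleDefinitionIds: [
            // Virtual Machine Contributor — needed to create the schedule.
            '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
          ]
          deployment: {
            properties: {
              mode: 'incremental'
              parameters: {
                vmName: {
                  value: '[field(\'name\')]'
                }
                vmId: {
                  value: '[field(\'id\')]'
                }
                location: {
                  value: '[field(\'location\')]'
                }
                shutdownTime: {
                  value: '[parameters(\'shutdownTime\')]'
                }
              }
              template: {
                '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
                contentVersion: '1.0.0.0'
                parameters: {
                  vmName: {
                    type: 'string'
                  }
                  vmId: {
                    type: 'string'
                  }
                  location: {
                    type: 'string'
                  }
                  shutdownTime: {
                    type: 'string'
                  }
                }
                resources: [
                  {
                    type: 'Microsoft.DevTestLab/schedules'
                    apiVersion: '2018-09-15'
                    name: '[concat(\'shutdown-computevm-\', parameters(\'vmName\'))]'
                    location: '[parameters(\'location\')]'
                    properties: {
                      status: 'Enabled'
                      taskType: 'ComputeVmShutdownTask'
                      dailyRecurrence: {
                        time: '[parameters(\'shutdownTime\')]'
                      }
                      timeZoneId: 'UTC'
                      targetResourceId: '[parameters(\'vmId\')]'
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}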
HIPAA Compliance Automation
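// HIPAA Compliance Framework
// Policy definitions can only be created at subscription or management-group
// scope. Without an explicit targetScope a Bicep file defaults to resource
// group scope, where the definitions below cannot be deployed; align with the
// governance framework and the deployment script, which target a management
// group.
targetScope = 'managementGroup'

@sys.description('Organization name. Declared for the caller; it is not referenced by either policy definition in this file.')
param organizationName string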
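// HIPAA Audit Logging Policy
// An *IfNotExists effect is only accepted together with a `details` block that
// names the related resource which must exist; the original had none and would
// be rejected. Audit logging is a different resource for each service — SQL
// servers use `auditingSettings`, storage accounts log per blob/file/queue/
// table service — so a single `details` block cannot serve both branches of the
// original `anyOf`. This definition covers SQL servers; storage-service logging
// needs a definition of its own.
resource auditLoggingPolicy 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
  name: 'hipaa-audit-logging'
  properties: {
    displayName: 'HIPAA: Enable audit logging for PHI access'
    description: 'SQL servers that may hold PHI must have server-level auditing enabled.'
    policyType: 'Custom'
    mode: 'Indexed'
    metadata: {
      category: 'SQL'
    }
    parameters: {
      effect: {
        type: 'String'
        allowedValues: ['AuditIfNotExists', 'Disabled']
        defaultValue: 'AuditIfNotExists'
        metadata: {
          displayName: 'Effect'
        }
      }
    }
    policyRule: {
      if: {
        field: 'type'
        equals: 'Microsoft.Sql/servers'
      }
      then: {
        effect: '[parameters(\'effect\')]'
        details: {
          // The server's auditing settings child resource is always named
          // "default"; the server is compliant only when auditing is Enabled.
          type: 'Microsoft.Sql/servers/auditingSettings'
          name: 'default'
          existenceCondition: {
            field: 'Microsoft.Sql/auditingSettings.state'
            equals: 'Enabled'
          }
        }
      }
    }
  }
}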
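// HIPAA Encryption Policy
// The original rule matched on `type` alone and therefore denied *every*
// storage account. Encryption at rest with Microsoft-managed keys cannot be
// disabled, so the property that can actually be enforced is the key source:
// accounts that may hold PHI must use customer-managed keys held in Key Vault.
resource encryptionPolicy 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
  name: 'hipaa-encryption-required'
  properties: {
    displayName: 'HIPAA: Require encryption for PHI data'
    description: 'Storage accounts must use customer-managed keys (Key Vault) for encryption at rest.'
    policyType: 'Custom'
    mode: 'Indexed'
    metadata: {
      category: 'Storage'
    }
    parameters: {
      effect: {
        type: 'String'
        allowedValues: ['Audit', 'Deny']
        defaultValue: 'Deny'
        metadata: {
          displayName: 'Effect'
        }
      }
    }
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Storage/storageAccounts'
          }
          {
            field: 'Microsoft.Storage/storageAccounts/encryption.keySource'
            notEquals: 'Microsoft.Keyvault'
          }
        ]
      }
      then: {
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}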
Enterprise Landing Zone
// Enterprise Landing Zone
// Management-group-scoped: creates one child management group per environment
// type plus a budget attached to it.
targetScope = 'managementGroup'

@sys.description('Organization prefix used in the management group name and display name')
param orgPrefix string

@allowed(['platform', 'landing-zones', 'sandbox'])
@sys.description('Environment type; also selects the budget amount')
param environmentType string
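// Management Group
// Management groups are tenant-level resources: in a management-group-scoped
// deployment they must be declared with `scope: tenant()`. Without an explicit
// parent a new group is placed directly under the tenant root group, so the
// parent defaults to the management group this deployment targets.
@sys.description('Name of the parent management group; defaults to the deployment target')
param parentManagementGroupId string = az.managementGroup().name

resource managementGroup 'Microsoft.Management/managementGroups@2023-04-01' = {
  scope: tenant()
  name: '${orgPrefix}-${environmentType}'
  properties: {
    displayName: '${orgPrefix} ${environmentType}'
    details: {
      parent: {
        id: '/providers/Microsoft.Management/managementGroups/${parentManagementGroupId}'
      }
    }
  }
}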
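// Budget for Management Group
// utcNow() is only permitted in a parameter default value in Bicep; the
// original called it inside the resource body, which does not compile. The
// amounts are parameters (same defaults as before) and a notification is added,
// since a budget with no notifications never alerts anyone.
@sys.description('Monthly budget amount for the platform management group')
param platformBudgetAmount int = 10000

@sys.description('Monthly budget amount for every other environment type')
param defaultBudgetAmount int = 5000

@sys.description('First day of the budget period (yyyy-MM-dd); defaults to the first of the current month')
param budgetStartDate string = utcNow('yyyy-MM-01')

@sys.description('Recipients of the budget threshold notification')
param budgetContactEmails array = ['finance@company.com']

resource managementGroupBudget 'Microsoft.Consumption/budgets@2023-05-01' = {
  name: '${managementGroup.name}-budget'
  scope: managementGroup
  properties: {
    category: 'Cost'
    amount: environmentType == 'platform' ? platformBudgetAmount : defaultBudgetAmount
    timeGrain: 'Monthly'
    timePeriod: {
      startDate: budgetStartDate
      // One year of monthly periods from the start date.
      endDate: dateTimeAdd(budgetStartDate, 'P1Y')
    }
    notifications: {
      'Actual_GreaterThan_80_Percent': {
        enabled: true
        operator: 'GreaterThan'
        threshold: 80
        contactEmails: budgetContactEmails
        thresholdType: 'Actual'
      }
    }
  }
}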
Deployment Script
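#!/bin/bash
# Enterprise Deployment Script
# Deploys the governance and cost-optimization Bicep files with the Azure CLI.
# Configuration comes from the environment, with defaults:
#   ORG_PREFIX            prefix of the "<prefix>-platform" management group
#   ENVIRONMENT           environment label (currently not used by any step below)
#   LOCATION              region that stores the deployment record
#   COST_ALERT_THRESHOLD  monthly budget amount passed to the cost template
#
# -e: stop on the first failing command; -u: treat unset variables as errors;
# -o pipefail: a failure inside a pipeline is not masked by a later stage.
set -euo pipefail

ORG_PREFIX="${ORG_PREFIX:-contoso}"
ENVIRONMENT="${ENVIRONMENT:-prod}"
LOCATION="${LOCATION:-eastus}"
COST_ALERT_THRESHOLD="${COST_ALERT_THRESHOLD:-10000}"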
# log MESSAGE
# Prints MESSAGE to stdout prefixed with a blue "[YYYY-mm-dd HH:MM:SS]" stamp.
log() {
  local blue=$'\033[0;34m' reset=$'\033[0m' stamp
  stamp="$(date +'%Y-%m-%d %H:%M:%S')"
  echo -e "${blue}[${stamp}]${reset} $1"
}
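# Deploy governance policies
# Targets the "<ORG_PREFIX>-platform" management group and passes the same id
# as the template's managementGroupId parameter. The region is taken from
# LOCATION (default eastus) instead of being hard-coded; it only determines
# where the deployment record is stored. A timestamped deployment name keeps
# each run separately visible in the management group's deployment history.
deploy_governance() {
  local mg_id="${ORG_PREFIX}-platform"
  log "Deploying governance policies..."
  az deployment mg create \
    --name "governance-$(date +%Y%m%d%H%M%S)" \
    --management-group-id "${mg_id}" \
    --location "${LOCATION:-eastus}" \
    --template-file governance/policy-framework.bicep \
    --parameters managementGroupId="${mg_id}"
}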
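# Deploy cost optimization
# Subscription-scoped deployment of the cost-automation template. The budget
# amount comes from COST_ALERT_THRESHOLD (default 10000, the value that was
# previously hard-coded) and the region from LOCATION (default eastus), so a
# pipeline can vary both without editing the script.
deploy_cost_optimization() {
  log "Deploying cost optimization..."
  az deployment sub create \
    --name "cost-optimization-$(date +%Y%m%d%H%M%S)" \
    --location "${LOCATION:-eastus}" \
    --template-file cost-optimization/cost-automation.bicep \
    --parameters costAlertThreshold="${COST_ALERT_THRESHOLD:-10000}"
}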
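# Main execution
# Checks that the Azure CLI is present and that a signed-in account context
# exists before starting; both deployments run against that context, and
# failing early gives a clear message instead of a partial run.
main() {
  log "Starting enterprise deployment..."
  if ! command -v az >/dev/null 2>&1; then
    log "Azure CLI (az) not found on PATH"
    exit 1
  fi
  if ! az account show >/dev/null 2>&1; then
    log "No Azure login context; run 'az login' first"
    exit 1
  fi
  deploy_governance
  deploy_cost_optimization
  log "Deployment completed!"
}

main "$@"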
Series Conclusion
This comprehensive 7-part series has covered Infrastructure as Code from fundamentals to enterprise-scale implementation:
- Part 1: ARM Template foundations
- Part 2: Production-ready infrastructure
- Part 3: Advanced ARM patterns
- Part 4: Introduction to Bicep
- Part 5: Advanced Bicep patterns
- Part 6: CI/CD integration
- Part 7: Enterprise governance and compliance
Key Takeaways
- Start Simple: Begin with basic templates and add complexity gradually
- Embrace Bicep: Use Bicep for new projects
- Implement Governance: Establish policies early
- Automate Everything: Use CI/CD for deployments
- Monitor Costs: Implement cost optimization
- Security First: Implement security best practices
You now have the knowledge to implement enterprise-scale Infrastructure as Code solutions using Azure Resource Manager templates and Bicep.
This concludes our 7-part series on Infrastructure as Code with ARM Templates and Bicep. Thank you for following along!