Closed vegazbabz closed 1 year ago
Hey @vegazbabz,
Thanks for raising this.
The answer today depends on your implementation method.
If you are using the ALZ Terraform Module, https://aka.ms/alz/tf, this is handled for you as you upgrade to the latest module versions.
For the portal, ARM or Bicep today you will need to keep checking the what's new page, https://aka.ms/alz/whatsnew, and see what's changed. If new policies are added you can deploy the policy definitions again and the new ones will be added. However, if an already assigned policy is updated, if its parameters are changed, you may not be able to update the definition in place due to policy limitations today.
If this happens you would have to remove the assignment then update the definition and then re-assign the policy.
We are aware this is a bit of a pain point today and are just starting to invest in a workstream called "evergreen" where we are investigating bits like this. Looping in @paulgrimley & @jfaurskov as they are scoping this currently.
Thanks
Jack
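An added example, not part of the original thread and not ALZ project code: one way to sort a new release into the three cases described in the comment above (new definition, update in place, or remove the assignment, update, then re-assign). The policy names, definition bodies and action labels are constructed for illustration, and the sketch assumes the deployed and upstream definitions have already been exported as dictionaries keyed by definition name.

```python
# Added example. All policy names and definition bodies below are constructed.

def changed_parameters(old, new):
    """Names of parameters that were added, removed, or altered."""
    old_p, new_p = old.get("parameters", {}), new.get("parameters", {})
    return sorted(n for n in old_p.keys() | new_p.keys()
                  if old_p.get(n) != new_p.get(n))

def plan_update(deployed, upstream, assigned):
    """Map each upstream definition name to (action, changed parameter names).

    deployed / upstream: name -> policy definition properties
    assigned: names of definitions that currently have an assignment
    """
    plan = {}
    for name, new in upstream.items():
        old = deployed.get(name)
        if old is None:
            plan[name] = ("deploy-new", [])
        elif old == new:
            plan[name] = ("up-to-date", [])
        else:
            params = changed_parameters(old, new)
            # Assigned definition whose parameters changed: the in-place
            # update may be refused, so plan the unassign/reassign path.
            if params and name in assigned:
                plan[name] = ("unassign-update-reassign", params)
            else:
                plan[name] = ("update-in-place", params)
    return plan

EFFECT = {"type": "String", "defaultValue": "Deny"}
DEPLOYED = {
    "Deny-Example-A": {"metadata": {"version": "1.0.0"},
                       "parameters": {"effect": EFFECT}},
    "Audit-Example-B": {"metadata": {"version": "1.0.0"}, "parameters": {}},
}
UPSTREAM = {
    "Deny-Example-A": {"metadata": {"version": "2.0.0"},
                       "parameters": {"effect": EFFECT,
                                      "allowedSkus": {"type": "Array"}}},
    "Audit-Example-B": {"metadata": {"version": "1.1.0"}, "parameters": {}},
    "Deploy-Example-C": {"metadata": {"version": "1.0.0"}, "parameters": {}},
}
ASSIGNED = {"Deny-Example-A", "Audit-Example-B"}

if __name__ == "__main__":
    result = plan_update(DEPLOYED, UPSTREAM, ASSIGNED)
    for name, (action, params) in sorted(result.items()):
        print(f"{name}: {action} {params}")
```

Running the comparison on a schedule and failing the pipeline when any entry is not `up-to-date` gives an automated alternative to checking the release notes by hand.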
Linking to #662
Trigger ADO Sync 1
Trigger ADO Sync 2
@paulgrimley can this now be closed?
@jtracey93 yes, we can close this as we now have the guidance: https://aka.ms/alz/update. @vegazbabz, let us know if you have any feedback from consuming these and raise a new issue. Thanks
How can I ensure that my deployed ESLZ policies are always on the latest version? Do I have to manually check each month or can it somehow be automated? For example, the update from February 2022: https://github.com/Azure/Enterprise-Scale/wiki/Whats-new#policy-1