A comprehensive toolkit for automated Azure Policy development, testing, and validation using GitHub Actions and Azure AI Foundry agents.
Ready to get started? Follow our Getting Started Guide for step-by-step setup instructions.
Azure Policy Agents streamlines the Azure Policy development lifecycle by providing:

- Automated Policy Testing: GitHub Actions workflow that automatically deploys and tests Azure Policy definitions
- AI-Powered Validation: Uses Azure AI Foundry agents to generate intelligent test scenarios and validate policy behavior
- Infrastructure as Code: Bicep templates for deploying policies and AI infrastructure
- Local Development Support: Integration with VS Code through the Model Context Protocol (MCP) Server for Azure Resource Graph (Important: replace `YOUR_SUBSCRIPTION_ID` in the VS Code configuration after installation with your actual Azure Subscription ID) for policy development, authoring, Azure resource interaction, and best practices for security, compliance, and governance
| Effect | Status | Description |
|---|---|---|
| Deny | Supported | Prevents non-compliant resource deployments |
| Audit | Supported | Logs compliance violations without blocking deployments |
| Modify | Coming Soon | Automatically modifies resources to ensure compliance |
| AuditIfNotExists | Coming Soon | Audits when related resources don't exist |
| DeployIfNotExists | Coming Soon | Automatically deploys missing required resources |
- Automated GitHub Workflows: Deploy and test policies on PR creation with AI-powered analysis
- AI-Powered Policy Analysis: Generate intelligent test scenarios and validate policy behavior
- Development Tools: Bicep templates, PowerShell utilities, and VS Code integration
- Detailed Reporting: Comprehensive feedback on policy effectiveness and best practices
```
AzurePolicyAgents/
├── .github/
│   ├── workflows/
│   │   └── PolicyAgent.yml           # Main GitHub Action workflow
│   └── scripts/
│       ├── deploy-policies.ps1       # Policy deployment orchestration
│       ├── test-policies.ps1         # AI testing coordination
│       └── get-changed-files.sh      # File change detection
├── policyDefinitions/
│   └── allowedLocations.json.sample  # Sample policy definition
├── utilities/
│   └── policyAgent/
│       ├── deployDef.ps1             # Core deployment utility
│       ├── policyDef.bicep           # Bicep template for policies
│       └── policyDef.parameters.json # Template parameters
├── infra/
│   └── bicep/                        # Azure AI infrastructure
│       ├── agentsSetup.bicep         # Main infrastructure template
│       └── agentInstructions/        # AI agent system prompts
└── docs/
    └── Getting-Started.md            # Setup and usage guide
```
- Use this repository as a template to create your own Azure Policy Agents repository
- Deploy the Azure AI infrastructure using the provided Bicep templates
- Configure GitHub authentication with federated identity credentials
- Add your policy definitions to the `policyDefinitions/` folder
- Create pull requests to automatically test your policies
Prerequisites: Azure subscription with Owner permissions, Azure CLI or PowerShell
Complete Setup Guide - Step-by-step instructions with commands and screenshots
```
Pull Request with Policy Changes
        ↓
PolicyDefinition Job
├── Detect changed JSON files in policyDefinitions/
├── Deploy policies to Azure using Bicep templates
├── Validate policy syntax and structure
└── Prepare policy content for AI analysis
        ↓
PolicyAgent Job
├── Send policy definitions to Azure AI Foundry agent
├── AI generates intelligent test scenarios
├── Execute simulated policy enforcement tests
└── Post comprehensive results as PR comments
```
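The "validate policy syntax and structure" and "execute simulated policy enforcement tests" steps can be rehearsed locally before a pull request is opened. The script below is an added example, not code from the AzurePolicyAgents repository or its PowerShell scripts. It assumes a flat mock resource dictionary (Azure evaluates aliases against the full resource payload) and covers only the condition operators the sample policy uses plus the deny and audit effects the toolkit supports today; the embedded policy is a constructed copy of the README's allowed-locations sample.

```python
"""Structural check plus simulated enforcement for an Azure Policy definition.
Added example, not code from the AzurePolicyAgents repository: covers the subset
of the policy language the README sample uses (field equals/in/notIn under
not/allOf/anyOf) and the effects the toolkit supports today (deny, audit)."""
import json
import re
from typing import Any

SUPPORTED_EFFECTS = {"deny", "audit"}
VALID_MODES = {"Indexed", "All"}
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Constructed sample mirroring the README's allowed-locations policy.
SAMPLE_POLICY = json.loads("""{
  "properties": {
    "displayName": "Allowed locations for resources",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {"listOfAllowedLocations": {"type": "Array", "defaultValue": ["eastus", "westus2"]}},
    "policyRule": {
      "if": {"not": {"field": "location", "in": "[parameters('listOfAllowedLocations')]"}},
      "then": {"effect": "deny"}
    }
  }
}""")


def parameter_defaults(props: dict) -> dict:
    """Map each declared parameter to its defaultValue (None when it has none)."""
    return {name: spec.get("defaultValue") for name, spec in props.get("parameters", {}).items()}


def resolve(value: Any, params: dict) -> Any:
    """Expand a "[parameters('name')]" reference; any other value passes through."""
    match = PARAM_REF.match(value) if isinstance(value, str) else None
    if not match:
        return value
    if match.group(1) not in params:
        raise KeyError(f"parameter '{match.group(1)}' is referenced but not declared")
    return params[match.group(1)]


def _strings(obj: Any):
    """Yield every string nested anywhere inside a JSON-like object."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for item in obj.values() if isinstance(obj, dict) else obj:
            yield from _strings(item)


def validate_policy(policy: dict) -> list:
    """Return structural problems; an empty list means the definition passes."""
    props = policy.get("properties")
    if not isinstance(props, dict):
        return ["missing top-level 'properties' object"]
    problems = [f"missing properties.{k}" for k in ("displayName", "policyRule") if k not in props]
    if props.get("mode") not in VALID_MODES:
        problems.append(f"mode must be one of {sorted(VALID_MODES)}")
    rule = props.get("policyRule") or {}
    if "if" not in rule or "then" not in rule:
        return problems + ["policyRule needs both 'if' and 'then'"]
    params = parameter_defaults(props)
    # Every parameters('x') reference inside the rule must be declared.
    undeclared = {m.group(1) for m in map(PARAM_REF.match, _strings(rule)) if m} - set(params)
    problems += [f"undeclared parameter '{name}' referenced in policyRule" for name in sorted(undeclared)]
    if not undeclared:
        effect = str(resolve(rule["then"].get("effect", ""), params)).lower()
        if effect not in SUPPORTED_EFFECTS:
            problems.append(f"effect '{effect}' is outside the supported set {sorted(SUPPORTED_EFFECTS)}")
    return problems


def _norm(value: Any) -> Any:
    """Azure Policy compares strings case-insensitively; normalise accordingly."""
    if isinstance(value, list):
        return [_norm(v) for v in value]
    return value.lower() if isinstance(value, str) else value


def evaluate_condition(cond: dict, resource: dict, params: dict) -> bool:
    """Evaluate a policyRule 'if' block against a flat mock resource dict."""
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    actual = _norm(resource.get(cond["field"]))
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], params))
    if "in" in cond:
        return actual in _norm(resolve(cond["in"], params))
    if "notIn" in cond:
        return actual not in _norm(resolve(cond["notIn"], params))
    raise ValueError(f"unsupported condition keys: {sorted(cond)}")


def simulate(policy: dict, resource: dict, overrides: dict = None) -> str:
    """Return 'deny', 'audit' or 'compliant' for one mock resource; assignment
    parameter overrides replace the declared defaults, as they would in Azure."""
    props = policy["properties"]
    params = {**parameter_defaults(props), **(overrides or {})}
    rule = props["policyRule"]
    if evaluate_condition(rule["if"], resource, params):
        return str(resolve(rule["then"]["effect"], params)).lower()
    return "compliant"


if __name__ == "__main__":
    print("structure:", validate_policy(SAMPLE_POLICY) or "ok")
    for location in ("eastus", "northeurope"):
        print(location, "->", simulate(SAMPLE_POLICY, {"location": location}))
```

Run it against any file in `policyDefinitions/` by loading the JSON instead of `SAMPLE_POLICY`; a non-empty list from `validate_policy` is the kind of finding the PolicyDefinition job should surface before the AI agent is ever invoked, and a wrong outcome from `simulate` on a hand-written scenario is a cheap way to catch an inverted `not` or a misspelled parameter reference.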
- PolicyAgent.yml: Main GitHub Actions workflow
- deploy-policies.ps1: Handles policy deployment using Bicep templates
- test-policies.ps1: Orchestrates AI-powered testing
- deployDef.ps1: Core utility for policy deployment
- policyDef.bicep: Bicep template for creating Azure Policy definitions
Triggers: Pull requests with changes to policyDefinitions/*.json files or pushes to main branch
- Create JSON policy definition files in the `policyDefinitions/` folder
- Commit your changes and create a pull request
- The workflow will automatically deploy and test your policies
- Review AI-generated feedback in the PR comments
```json
{
  "properties": {
    "displayName": "Allowed locations for resources",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "This policy restricts the locations where resources can be deployed",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "defaultValue": ["eastus", "westus2"]
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('listOfAllowedLocations')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

## Azure Policy Test Results
### Policy Test Completed Successfully for `allowed-locations.json`

The Policy 'Allowed locations for resources' successfully validated.

**Details:**
- Policy correctly blocks resource deployment to unauthorized regions
- Test scenarios confirmed expected deny behavior
- No syntax or logic issues detected

The workflow requires these secrets and variables in your GitHub repository:
Required Secrets (from Bicep deployment outputs):
- `AZURE_CLIENT_ID` - User-Assigned Managed Identity Client ID
- `AZURE_TENANT_ID` - Azure AD Tenant ID
- `AZURE_SUBSCRIPTION_ID` - Target Azure Subscription ID

Required Variables (from Bicep deployment outputs):
- `PROJECT_ENDPOINT` - Azure AI Foundry Project Endpoint
- `ASSISTANT_ID` - Azure AI Agent/Assistant ID
Authentication: Uses federated identity credentials with user-assigned managed identity
For complete configuration instructions, see the Getting Started Guide.
- GitHub Actions: Check workflow execution in the Actions tab
- Azure Costs: Monitor AI Foundry usage and compute costs
- Policy Deployments: Track deployed policies in Azure Policy portal
- Resource Usage: Monitor any test resource creation/deletion
- AI Usage: AI agents only run when policies are changed in PRs
- Resource Cleanup: Test resources are automatically cleaned up after testing
- Efficient Triggers: Workflow only processes changed policy files
We welcome contributions! Please see our Contributing Guide for details.
- Fork the repository
- Create a feature branch: `git checkout -b feature/your-feature`
- Make your changes and test with sample policies
- Ensure your changes work with the GitHub Actions workflow
- Commit your changes: `git commit -m 'Add some feature'`
- Push to the branch: `git push origin feature/your-feature`
- Submit a pull request
- Authentication Failures: Verify your managed identity Client ID and federated credentials
- Permission Errors: Ensure Contributor permissions on the target subscription
- AI Agent Issues: Check that your `ASSISTANT_ID` and `PROJECT_ENDPOINT` are correct
- Policy Deployment Failures: Review Bicep template logs and policy JSON structure
For detailed troubleshooting, see the Getting Started Guide.
- Getting Started Guide - Complete setup and usage instructions
- Contributing Guide - How to contribute to the project
- Security Policy - Security guidelines and reporting
- Only supports JSON policy definition files in the `policyDefinitions/` folder
- Requires manual setup of Azure AI Foundry infrastructure via Bicep deployment
- AI-generated tests are simulated and may not cover all real-world scenarios
- Limited to pull request and main branch workflow triggers
- Requires federated identity configuration for each repository
This project is licensed under the MIT License - see the LICENSE file for details.
- Issues: Report bugs and request features via GitHub Issues
- Discussions: Join conversations in GitHub Discussions
- Documentation: Start with our Getting Started Guide
- Microsoft Azure Policy team
- VS Code MCP community
- Contributors and maintainers
Made with ❤️ for the Azure Policy community