berkeleyo/azure-governance-baseline-framework

Azure Governance Baseline Framework

Redacted

Production-grade baseline for Azure governance across subscriptions:

  • naming convention validation and reporting
  • tag baseline enforcement and drift detection
  • policy-as-code scaffolding (definitions, initiatives, assignments)
  • cost hygiene hooks (budgets, ownership tags) without embedding sensitive details

Redaction statement: This repo contains no secrets, no tenant/org identifiers, and no real IPs/hostnames/UPNs.
All examples use neutral placeholders only (e.g., 00000000-0000-0000-0000-000000000000, example.com, 203.0.113.0/24).


What this framework provides

  • Governance guardrails you can apply incrementally
  • Evidence-first reporting for non-compliance (CSV/JSON exports)
  • Reversible change patterns (plan → apply → validate → rollback where applicable)
  • A clean separation between:
    • standards (what good looks like)
    • policy (what is enforced)
    • automation (how you measure and remediate)

Design

Standards

  • Naming conventions (resource type prefixes, environment codes, region codes)
  • Tag baseline (owner, cost centre, service, environment, data classification)

Enforcement

  • Azure Policy initiatives for:
    • required tags
    • allowed locations/SKUs (optional)
    • deny public IP on NIC (optional)
  • Non-blocking rollout supported before Deny:
    • Audit / AuditIfNotExists report only and change nothing
    • Modify / DeployIfNotExists remediate, so the assignment needs a managed identity and existing resources need a remediation task
    • enforcementMode DoNotEnforce on an assignment records compliance results without applying any effect
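
A worked example of the policy-as-code layer, added here as an illustration and not taken from this repo's policies/ folder: one parameterised require-tag definition, an initiative that instantiates it once per required tag, and an audit-first assignment. It assumes the Az.Resources cmdlets and an authenticated session with rights to write policy at the management group; the management group name, tag list, and definition/initiative/assignment names are placeholders.

```powershell
#Requires -Modules Az.Resources
# Added example (not this repo's code): parameterised require-tag definition,
# initiative, and audit-first assignment. Management group name, tag names and
# object names are placeholders.
param(
    [string]$ManagementGroupName = 'mg-platform-example',              # placeholder
    [string[]]$RequiredTags = @('owner', 'costcentre', 'environment'),
    [ValidateSet('Audit', 'Deny')]
    [string]$Effect = 'Audit'
)

$mgScope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupName"
$definitionName = 'require-tag-baseline'

# Policy rule: tag name and effect are parameters, so one definition serves every
# required tag and can be tightened from Audit to Deny by changing the assignment
# parameter instead of editing and re-publishing the definition.
$rule = @'
{
  "if": {
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "exists": "false"
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

$ruleParameters = @'
{
  "tagName": { "type": "String", "metadata": { "displayName": "Tag name" } },
  "effect":  { "type": "String", "allowedValues": [ "Audit", "Deny" ], "defaultValue": "Audit" }
}
'@

# Mode 'Indexed' limits evaluation to resource types that support tags and location.
New-AzPolicyDefinition -Name $definitionName `
    -DisplayName 'Require a tag on resources (baseline)' `
    -Mode 'Indexed' -Policy $rule -Parameter $ruleParameters `
    -ManagementGroupName $ManagementGroupName | Out-Null

# Build the definition ID ourselves rather than relying on output property names,
# which differ between Az.Resources versions.
$definitionId = "$mgScope/providers/Microsoft.Authorization/policyDefinitions/$definitionName"

# Initiative: one member per required tag, all forwarding the initiative's single
# 'effect' parameter, so the whole set moves from Audit to Deny together.
$members = foreach ($tag in $RequiredTags) {
    @{
        policyDefinitionId          = $definitionId
        policyDefinitionReferenceId = "require-tag-$tag"
        parameters                  = @{
            tagName = @{ value = $tag }
            effect  = @{ value = "[parameters('effect')]" }
        }
    }
}
$initiativeParameters = @{
    effect = @{ type = 'String'; allowedValues = @('Audit', 'Deny'); defaultValue = 'Audit' }
}

$initiative = New-AzPolicySetDefinition -Name 'tag-baseline-initiative' `
    -DisplayName 'Tag baseline (required tags)' `
    -PolicyDefinition (ConvertTo-Json -InputObject @($members) -Depth 10) `
    -Parameter (ConvertTo-Json -InputObject $initiativeParameters -Depth 10) `
    -ManagementGroupName $ManagementGroupName

# Audit-first rollout: DoNotEnforce evaluates and records compliance for the
# reports but applies no effect, even if 'effect' is already set to Deny.
# Switch the assignment to EnforcementMode Default once teams have adapted.
$assignment = New-AzPolicyAssignment -Name 'tag-baseline' `
    -DisplayName 'Tag baseline (audit first)' `
    -Scope $mgScope `
    -PolicySetDefinition $initiative `
    -PolicyParameterObject @{ effect = $Effect } `
    -EnforcementMode 'DoNotEnforce'

Write-Output "Assigned '$($assignment.Name)' at $mgScope (effect=$Effect, enforcement=DoNotEnforce)"
```

Two caveats worth keeping in mind when tightening: Deny only blocks create and update requests, so resources that already exist without the tag stay non-compliant and keep showing up in compliance data; fixing those is the job of the remediation scripts (or a Modify effect, which in turn needs a managed identity on the assignment). And flipping the assignment to enforcement mode Default is a separate, reversible step from changing the effect parameter, which is what makes the audit-first rollout safe to undo.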

Automation

  • PowerShell-first scripts for:
    • discovery and reporting
    • validation and drift detection
    • controlled remediation
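
The discovery and drift-detection script below is an added illustration of the reporting pattern, not scripts/Report-NonCompliance.ps1 itself. The evaluation runs offline on a constructed sample inventory with placeholder IDs; the -Live switch swaps in an Azure Resource Graph inventory and assumes the Az.ResourceGraph module and an authenticated session. The tag-baseline and naming-rule shapes are this example's own assumptions, not the repo's config file format.

```powershell
#Requires -Version 5.1
# Added example (not this repo's code): evidence-first naming and tag drift report.
# Runs offline on the constructed sample; -Live uses Azure Resource Graph instead.
# Baseline and naming-rule shapes are assumptions, not the repo's config format.
[CmdletBinding()]
param([switch]$Live, [string]$OutDir = '.')

# Tag baseline: $null = any non-empty value, string = regex, array = allowed values.
$TagBaseline = @{
    owner              = $null
    costcentre         = '^CC-\d{4}$'
    environment        = @('dev', 'test', 'prod')
    dataclassification = @('public', 'internal', 'confidential')
}
# Naming rules keyed by resource type (Resource Graph returns types in lower case;
# PowerShell hashtable keys are case-insensitive, so either casing matches).
$NamingRules = @{
    'microsoft.storage/storageaccounts' = '^st[a-z0-9]{3,22}$'
    'microsoft.network/virtualnetworks' = '^vnet-[a-z0-9]+-(dev|test|prod)-[a-z]{2,6}-\d{2}$'
    'microsoft.compute/virtualmachines' = '^vm-[a-z0-9]+-(dev|test|prod)-[a-z]{2,6}-\d{2}$'
}

function ConvertTo-TagTable($Tags) {
    # Normalise tags (hashtable from the sample, PSCustomObject from Resource Graph)
    # into a PowerShell hashtable, whose key lookup is case-insensitive like Azure's.
    $h = @{}
    if ($null -eq $Tags) { return $h }
    if ($Tags -is [System.Collections.IDictionary]) { foreach ($k in $Tags.Keys) { $h[[string]$k] = $Tags[$k] } }
    else { foreach ($p in $Tags.PSObject.Properties) { $h[$p.Name] = $p.Value } }
    return $h
}

function Get-Finding($Resource, $Check, $Key, $Actual, $Finding) {
    [pscustomobject]@{
        ResourceId = $Resource.id; Name = $Resource.name; Type = $Resource.type; Location = $Resource.location
        Check = $Check; Key = $Key; Actual = $Actual; Finding = $Finding
    }
}

function Get-NonCompliance {
    param([object[]]$Resources)
    foreach ($r in $Resources) {
        $tags = ConvertTo-TagTable $r.tags
        foreach ($key in $TagBaseline.Keys) {
            $rule = $TagBaseline[$key]; $value = [string]$tags[$key]
            if ([string]::IsNullOrWhiteSpace($value)) { Get-Finding $r 'Tag' $key $value 'MissingTag' }
            elseif ($rule -is [array] -and $value -notin $rule) { Get-Finding $r 'Tag' $key $value 'ValueNotAllowed' }
            elseif ($rule -is [string] -and $value -notmatch $rule) { Get-Finding $r 'Tag' $key $value 'ValuePatternMismatch' }
        }
        $pattern = $NamingRules[$r.type]
        # -cnotmatch: the convention is lower-case by design, so wrong casing is a finding.
        if ($pattern -and $r.name -cnotmatch $pattern) { Get-Finding $r 'Naming' $pattern $r.name 'NameNotCompliant' }
    }
}

function Get-GraphInventory {
    # Pages through Resource Graph using the SkipToken (1000 rows per call).
    $query = 'Resources | project id, name, type, location, tags'
    $resp = Search-AzGraph -Query $query -First 1000
    $rows = @($resp.Data)
    while ($resp.SkipToken) {
        $resp = Search-AzGraph -Query $query -First 1000 -SkipToken $resp.SkipToken
        $rows += $resp.Data
    }
    return $rows
}

function Export-Findings {
    param([object[]]$Findings, [string]$Dir)
    # Evidence in both shapes: CSV for reviewers, JSON as input to remediation.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $csv = Join-Path $Dir "noncompliance-$stamp.csv"; $json = Join-Path $Dir "noncompliance-$stamp.json"
    $Findings | Export-Csv -Path $csv -NoTypeInformation -Encoding utf8
    ConvertTo-Json -InputObject $Findings -Depth 5 | Set-Content -Path $json -Encoding utf8
    return [pscustomobject]@{ Csv = $csv; Json = $json }
}

# Constructed sample inventory with placeholder IDs: one compliant, two drifted resources.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers'
$Sample = @(
    [pscustomobject]@{ id = "$sub/Microsoft.Storage/storageAccounts/stdemoprod01"; name = 'stdemoprod01'
        type = 'microsoft.storage/storageaccounts'; location = 'westeurope'
        tags = @{ owner = 'team@example.com'; costcentre = 'CC-1234'; environment = 'prod'; dataclassification = 'internal' } }
    [pscustomobject]@{ id = "$sub/Microsoft.Network/virtualNetworks/vnet-demo-prod-weu-01"; name = 'vnet-demo-prod-weu-01'
        type = 'microsoft.network/virtualnetworks'; location = 'westeurope'
        tags = @{ owner = 'team@example.com'; costcentre = '1234'; environment = 'production' } }
    [pscustomobject]@{ id = "$sub/Microsoft.Compute/virtualMachines/MyTestVM"; name = 'MyTestVM'
        type = 'microsoft.compute/virtualmachines'; location = 'westeurope'; tags = $null }
)

$inventory = if ($Live) { Get-GraphInventory } else { $Sample }
$findings = @(Get-NonCompliance -Resources $inventory)
$paths = Export-Findings -Findings $findings -Dir $OutDir
$findings | Group-Object Finding | Select-Object Name, Count | Format-Table -AutoSize
Write-Output "$($findings.Count) findings across $($inventory.Count) resources -> $($paths.Csv) / $($paths.Json)"
```

On the constructed sample the script reports eight findings: the virtual network fails the cost-centre pattern and the environment allow-list and lacks a data classification; the VM has no tags at all and a name outside the convention. Nothing is written to Azure in either mode, which is what makes this safe to schedule as the "Operate" step and to run against a subset of subscriptions first.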

Governance lifecycle

Plan → Build → Test → Deploy → Operate → Improve

  • Plan: define naming/tag standards, rollout scope, success metrics
  • Build: implement policy set + reporting scripts
  • Test: run discovery against a subset of subscriptions and validate outputs
  • Deploy: apply initiatives in audit-first mode; then tighten over time
  • Operate: scheduled drift detection, monthly governance review
  • Improve: add new controls, reduce exceptions, automate remediation safely

Architecture

```mermaid
flowchart LR
  A[Standards<br/>Naming + Tags] --> B[Policy-as-Code<br/>Definitions + Initiatives]
  B --> C[Assignments<br/>Mgmt Group / Subscriptions]
  C --> D[Compliance Signals<br/>Azure Policy + Resource Graph]
  D --> E[Automation<br/>Reports + Optional Remediation]
  E --> F[Ops Loop<br/>Review → Improve]
  F --> A
```

Repository structure

  • RUNBOOK.md — operational rollout guide with validation and rollback steps
  • docs/ — concise design and checklists
  • scripts/ — PowerShell scaffolding for reporting and remediation
  • policies/ — example policy definition + initiative placeholders
  • .gitignore — clean cross-platform engineering defaults

Quick start

  1. Read docs/OVERVIEW.md and docs/ARCHITECTURE.md
  2. Update standards in:
    • scripts/config/naming-rules.example.json
    • scripts/config/tag-baseline.example.json
  3. Run discovery (non-destructive):
    • scripts/Report-NonCompliance.ps1
  4. If appropriate, remediate tags in controlled mode:
    • scripts/Remediate-Tags.ps1 -Apply
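
The following is an added illustration of the controlled-remediation step (plan → apply → validate → rollback), not scripts/Remediate-Tags.ps1 itself. Planning runs offline on a constructed inventory with placeholder IDs; -Apply and -Rollback call Get-AzTag and Update-AzTag and assume the Az.Resources module and an authenticated session. The default tag values, plan file name and resource IDs are this example's own assumptions.

```powershell
#Requires -Modules Az.Resources
# Added example (not this repo's code): controlled tag remediation as
# plan -> apply -> validate -> rollback. Planning runs offline on the constructed
# inventory below; -Apply / -Rollback touch Azure. Defaults and IDs are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Apply, [switch]$Rollback, [string]$PlanPath = './tag-remediation-plan.json')

# Fill values only for tags that are absent or empty. Present-but-wrong values are
# left for the report: changing an owner is a human decision, not a script's.
$Defaults = @{ owner = 'unassigned@example.com'; environment = 'unknown'; costcentre = 'CC-0000' }

function Get-TagValue($Tags, [string]$Key) {
    # Case-insensitive lookup over a hashtable (Get-AzTag) or PSCustomObject (JSON);
    # Azure tag names are case-insensitive, so 'Owner' satisfies 'owner'.
    if ($null -eq $Tags) { return $null }
    $pairs = if ($Tags -is [System.Collections.IDictionary]) { $Tags.GetEnumerator() } else { $Tags.PSObject.Properties }
    foreach ($p in $pairs) { if ($p.Name -ieq $Key) { return [string]$p.Value } }
    return $null
}

function New-TagPlan {
    param([object[]]$Resources)
    # Each entry records what will be written and that the key was absent before,
    # which is exactly the information rollback needs.
    foreach ($r in $Resources) {
        foreach ($key in $Defaults.Keys) {
            if ([string]::IsNullOrWhiteSpace((Get-TagValue $r.tags $key))) {
                [pscustomobject]@{ ResourceId = $r.id; Key = $key; NewValue = $Defaults[$key]; Action = 'Add' }
            }
        }
    }
}

function Invoke-TagPlan {
    [CmdletBinding(SupportsShouldProcess)]
    param([object[]]$Plan)
    foreach ($group in ($Plan | Group-Object ResourceId)) {
        $id = $group.Name
        # Validate before write: re-read live tags so a value set between plan
        # and apply is never clobbered.
        $live = (Get-AzTag -ResourceId $id).Properties.TagsProperty
        $merge = @{}
        foreach ($entry in $group.Group) {
            if (-not [string]::IsNullOrWhiteSpace((Get-TagValue $live $entry.Key))) {
                Write-Warning "$id : '$($entry.Key)' was set since planning; skipping"; continue
            }
            $merge[$entry.Key] = $entry.NewValue
        }
        if ($merge.Count -eq 0 -or -not $PSCmdlet.ShouldProcess($id, "Merge tags: $($merge.Keys -join ', ')")) { continue }
        Update-AzTag -ResourceId $id -Tag $merge -Operation Merge | Out-Null
        # Validate after write: read back and confirm every planned key landed.
        $after = (Get-AzTag -ResourceId $id).Properties.TagsProperty
        foreach ($k in $merge.Keys) {
            if ((Get-TagValue $after $k) -ne $merge[$k]) { Write-Error "$id : tag '$k' did not apply" }
        }
    }
}

function Undo-TagPlan {
    [CmdletBinding(SupportsShouldProcess)]
    param([object[]]$Plan)
    # Rollback deletes only keys this plan added, and only while they still carry
    # the value the plan wrote; anything a human edited since is left alone.
    foreach ($group in ($Plan | Group-Object ResourceId)) {
        $id = $group.Name
        $live = (Get-AzTag -ResourceId $id).Properties.TagsProperty
        $remove = @{}
        foreach ($entry in ($group.Group | Where-Object Action -eq 'Add')) {
            if ((Get-TagValue $live $entry.Key) -eq $entry.NewValue) { $remove[$entry.Key] = $entry.NewValue }
        }
        if ($remove.Count -gt 0 -and $PSCmdlet.ShouldProcess($id, "Delete tags: $($remove.Keys -join ', ')")) {
            Update-AzTag -ResourceId $id -Tag $remove -Operation Delete | Out-Null
        }
    }
}

if ($Apply -or $Rollback) {
    $plan = @(Get-Content -Path $PlanPath -Raw | ConvertFrom-Json)
    if ($Rollback) { Undo-TagPlan -Plan $plan } else { Invoke-TagPlan -Plan $plan }
} else {
    # Plan stage on a constructed inventory (placeholder IDs); in practice this is
    # the JSON export of the discovery report.
    $sub = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers'
    $inventory = @(
        [pscustomobject]@{ id = "$sub/Microsoft.Storage/storageAccounts/stdemo01"; tags = @{ Owner = 'team@example.com' } }
        [pscustomobject]@{ id = "$sub/Microsoft.Network/virtualNetworks/vnet-demo-dev-weu-01"; tags = $null }
    )
    $plan = @(New-TagPlan -Resources $inventory)
    ConvertTo-Json -InputObject $plan -Depth 4 | Set-Content -Path $PlanPath
    $plan | Format-Table ResourceId, Key, NewValue -AutoSize
    Write-Output "Planned $($plan.Count) tag additions -> $PlanPath. Next: -Apply -WhatIf, then -Apply, or -Rollback."
}
```

Run it once with no switches to write the plan (five additions on the constructed inventory: two for the storage account, which already has an Owner tag, and three for the untagged virtual network), then -Apply -WhatIf to see the exact Merge calls, then -Apply. The plan file is the audit trail: it lists only keys that were absent, so -Rollback can remove precisely those and nothing else, and both apply and rollback re-read the live tags before writing so the script never overwrites a value somebody set in the meantime.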

Notes

  • This is a baseline framework intended for real environments.
  • Start in Audit mode, publish reporting, then tighten controls once teams have adapted.

About

Production-grade Azure governance baseline covering naming standards, tag enforcement, policy-as-code scaffolding, drift detection, and controlled remediation with validation and rollback (redacted).
