Wednesday, February 14, 2024

Mother of Azure DevOps repository policies - Create a custom policy to monitor that the recommended repository policies are enabled

Branch policies are an important factor in protecting your branches and in deciding your workflow. Enabling the right branch policies protects a branch from being changed by unreviewed contributions.

As part of quality, and to protect your branches, stakeholders generally recommend aligning with a set of Git repository policies in Azure DevOps. Besides quality, these policies keep the code on your default branches from being changed without review. Out of the box, ADO offers Require a minimum number of reviewers, Check for linked work items, Check for comment resolution, Limit merge types, Build Validation and Status checks.

Why do we need a custom policy?

Generally, when a PR is raised, the policies configured on the target branch are applied to it automatically. But users who have permission to edit policies can weaken or remove them and then complete the PR, which can have serious security and quality consequences. So the question is always: how do we make sure, and keep monitoring, that all the required policies are enabled?

To address this, we can create a custom policy that acts as a policy to monitor the other policies. The advantage of a custom policy is that, even if it is not added to the branch policies as required, it still evaluates the policies applied to a repo and reports its verdict on the PR as an optional status. This works because the service hook fires when the PR is created, and everything after that runs in Azure (Functions and Storage), not inside ADO. When the custom policy executes, we can also write the evaluation details to a database, which can in turn be used for reporting on repo compliance.

What does the custom policy do?

As mentioned, the custom policy is used to evaluate whether all the recommended policies are enabled on the repo. If they are, the custom policy reports the PR status as passed; otherwise it reports failed. And if the custom policy is configured as a required status policy in the branch settings, the user cannot complete the PR until the custom policy passes, that is, until the evaluation finds all the policies enabled.

How it works:

Here I am going to discuss creating a custom policy that makes sure all these policies are enabled for the pull request; until the custom policy passes, the developer cannot merge the code. The custom policy acts as the mother of all policies.

There are two parts to making the custom policy work. I recommend Azure Functions and Queue Storage to implement it. The first part is a service hook that triggers when a pull request is created, plus an HTTP-triggered Azure Function that receives the request JSON from the service hook and adds it to Queue Storage.

The second part is a queue-triggered Azure Function that runs when a JSON message reaches the Queue Storage.

When the queue-triggered Azure Function runs, it reads the JSON that the service hook sent from Queue Storage. The JSON contains details such as the project id, repository id and PR id. With these we can call the policy evaluations API to get the policies applied to that PR: Evaluations PR. Once the evaluation is complete, we can respond to the PR as the custom policy by posting a PR status: Creating Custom Policy.
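The following is an added example of the queue-triggered step described above, written for this page and not the post's own code. It keeps the logic in plain Python so it runs offline: the hook payload and the evaluations response are constructed samples whose field names follow the git.pullrequest.created service hook, the Policy Evaluations API and the Pull Request Statuses API, and the real HTTP fetcher is injectable so the test never calls Azure DevOps. The policy names in REQUIRED_POLICIES, the status context name, the sample ids and the api-version are assumptions to adjust for your organisation.

```python
"""Core logic of the 'mother of policies' custom PR status (added example)."""
import base64
import json
import urllib.parse
import urllib.request

# Assumption: policies this organisation treats as mandatory, keyed by the
# displayName the evaluations API returns. In production prefer the policy
# type GUIDs, which survive renames and localisation.
REQUIRED_POLICIES = {
    "Minimum number of reviewers",
    "Work item linking",
    "Comment requirements",
    "Require a merge strategy",
    "Build",
}

# Assumed context; this is the name a "Status" branch policy can later require.
STATUS_CONTEXT = {"name": "mother-policy", "genre": "repo-compliance"}


def extract_pr_ref(hook_payload: dict) -> dict:
    """Pull project, repository and PR ids out of a git.pullrequest.created event."""
    if hook_payload.get("eventType") != "git.pullrequest.created":
        raise ValueError("unexpected eventType: %r" % hook_payload.get("eventType"))
    res = hook_payload["resource"]
    return {
        "project_id": res["repository"]["project"]["id"],
        "repository_id": res["repository"]["id"],
        "pull_request_id": int(res["pullRequestId"]),
    }


def artifact_id(project_id: str, pull_request_id: int) -> str:
    """Artifact id the Policy Evaluations API expects for a pull request."""
    return "vstfs:///CodeReview/CodeReviewId/%s/%d" % (project_id, pull_request_id)


def evaluate(evaluations: dict) -> dict:
    """Require every mandatory policy to be configured, enabled and blocking.

    A policy that is present but optional (isBlocking false) or disabled is
    reported as missing: that is exactly the weakening the post warns about.
    """
    enforced = set()
    for ev in evaluations.get("value", []):
        cfg = ev.get("configuration", {})
        if cfg.get("isEnabled") and cfg.get("isBlocking") and not cfg.get("isDeleted"):
            enforced.add(cfg.get("type", {}).get("displayName"))
    missing = sorted(REQUIRED_POLICIES - enforced)
    return {"passed": not missing, "missing": missing}


def build_status(result: dict) -> dict:
    """Body for POST .../pullRequests/{id}/statuses carrying the verdict."""
    if result["passed"]:
        desc = "All recommended branch policies are enabled and required"
    else:
        desc = "Missing or optional policies: " + ", ".join(result["missing"])
    return {"state": "succeeded" if result["passed"] else "failed",
            "description": desc, "context": STATUS_CONTEXT}


def handle_queue_message(raw_message: str, fetch_evaluations) -> dict:
    """Queue-triggered step: hook JSON in, PR status body (plus audit data) out.

    fetch_evaluations(project_id, artifact) -> dict is injected so tests can
    supply a canned response; the returned dict is what you would also write
    to the compliance database.
    """
    ref = extract_pr_ref(json.loads(raw_message))
    evals = fetch_evaluations(ref["project_id"],
                              artifact_id(ref["project_id"], ref["pull_request_id"]))
    result = evaluate(evals)
    return {"ref": ref, "result": result, "status": build_status(result)}


def fetch_evaluations_http(org: str, project_id: str, artifact: str, pat: str) -> dict:
    """Real fetcher for the deployed function (not exercised offline).

    The PAT needs Code (read) for this call and Code (status) to post the verdict.
    api-version is the one current when this example was written; check the docs.
    """
    url = ("https://dev.azure.com/%s/%s/_apis/policy/evaluations?artifactId=%s&api-version=7.1-preview.1"
           % (org, project_id, urllib.parse.quote(artifact, safe="")))
    auth = base64.b64encode((":" + pat).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + auth})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample service hook payload (ids are made up).
SAMPLE_HOOK = json.dumps({
    "eventType": "git.pullrequest.created",
    "resource": {
        "repository": {"id": "repo-0001", "name": "payments",
                       "project": {"id": "proj-0001", "name": "Fabrikam"}},
        "pullRequestId": 42,
        "targetRefName": "refs/heads/main",
    },
})


def _row(name, blocking=True, enabled=True):
    return {"configuration": {"isEnabled": enabled, "isBlocking": blocking,
                              "type": {"displayName": name}}, "status": "queued"}


def fake_evaluations_partial(project_id, artifact):
    """Constructed response: reviewers and build required, work items optional, rest absent."""
    return {"count": 3, "value": [_row("Minimum number of reviewers"), _row("Build"),
                                  _row("Work item linking", blocking=False)]}


def fake_evaluations_complete(project_id, artifact):
    """Constructed response in which every required policy is enabled and blocking."""
    return {"count": len(REQUIRED_POLICIES), "value": [_row(n) for n in REQUIRED_POLICIES]}


if __name__ == "__main__":
    print(json.dumps(handle_queue_message(SAMPLE_HOOK, fake_evaluations_partial), indent=2))
```

Two practitioner checks worth keeping in mind when wiring this up: protect the HTTP-triggered function that receives the hook (a function key in the URL or basic auth configured on the service hook) so that arbitrary callers cannot enqueue forged payloads, and treat only the ids from the payload as input, re-reading the policy state from the API rather than trusting anything else in the message.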

Hope this idea helps in monitoring your repository policies and protecting your branches!