Azure Policy Evaluation via Customer API
Currently, Azure Policy consists of Definitions and Assignments applied at various scopes. From what I can gather, this leads to the policy assignments being evaluated during ARM requests for the applicable scope. I would assume this happens in some sort of processing pipeline for the resource request.
Within our org, we provide Azure services as a bundled product with opinionated configuration options enforced. To accomplish this, we work with multiple custom policies that have become too complex to declare in the current Policy object JSON syntax (think 500-1,000 line definition files with multiple nestings).
Ideally, we would like to call our own custom endpoint during the resource request, evaluate the proposed state against a comprehensive set of rules, and respond with a 200/401/403/500 HTTP response and appropriate messaging. This would be similar to the Azure DevOps ability to call an external function when creating a Deployment Gate.
The primary driver is the need to evaluate the resource against granular, constantly evolving rules dependent upon tagging conventions. These policies are not on the order of "can only be deployed in the following regions", but rather "if tagged XX-v2, must have TLS 1.0 disabled, virtualnetwork rules allowed only from X, Y, Z, and Autoscale settings must be a minimum of A and maximum of B". In the current state, we've abandoned Azure Policy and execute this enforcement using Azure Event Grid to detect and review post-change. In an ideal state, the Azure Policy runtime would allow us to define this evaluation in our own Function/Service in a language of our choosing.
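A sketch of the kind of tag-driven evaluator the post describes, added here as an illustration; it is not the poster's code and not an Azure Policy feature. It takes a proposed ARM-style resource body, applies only the rules whose scope (resource type plus tag value) matches, and answers with the 200/403/500 codes the post proposes. The `product` tag, the `XX-v2` value, the subnet IDs standing in for X, Y, Z, the capacity bounds 2..10 and the rule names are all assumptions, and the sample payloads are constructed.

```python
"""Tag-driven rule evaluator (added illustration; names, tags, subnet IDs and bounds are assumed)."""
from dataclasses import dataclass
from typing import Any, Callable

Resource = dict[str, Any]


def get_path(resource: Resource, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'properties.networkAcls.virtualNetworkRules'."""
    node: Any = resource
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


@dataclass(frozen=True)
class Rule:
    name: str
    applies_to: Callable[[Resource], bool]   # scope: resource type + tag value
    check: Callable[[Resource], list[str]]   # violation messages, [] when compliant


def tagged(resource_type: str, tag: str, value: str) -> Callable[[Resource], bool]:
    """Scope predicate: a resource of this type carrying tag == value."""
    return lambda r: (str(r.get("type", "")).lower() == resource_type.lower()
                      and (r.get("tags") or {}).get(tag) == value)


def tls12_only(r: Resource) -> list[str]:
    v = get_path(r, "properties.minimumTlsVersion")
    return [] if v == "TLS1_2" else [f"minimumTlsVersion is {v!r}; TLS1_2 is required (TLS 1.0/1.1 disabled)"]


def vnet_rules_only_from(allowed: set[str]) -> Callable[[Resource], list[str]]:
    def check(r: Resource) -> list[str]:
        rules = get_path(r, "properties.networkAcls.virtualNetworkRules", []) or []
        return [f"virtualNetworkRule {rule.get('id')!r} is not an approved subnet"
                for rule in rules if rule.get("id") not in allowed]
    return check


def autoscale_between(min_cap: int, max_cap: int) -> Callable[[Resource], list[str]]:
    def check(r: Resource) -> list[str]:
        msgs: list[str] = []
        for profile in get_path(r, "properties.profiles", []) or []:
            name, cap = profile.get("name"), profile.get("capacity") or {}
            try:
                lo, hi = int(cap["minimum"]), int(cap["maximum"])
            except (KeyError, TypeError, ValueError):
                msgs.append(f"profile {name!r}: capacity minimum/maximum missing or non-numeric")
                continue
            if lo < min_cap:
                msgs.append(f"profile {name!r}: minimum {lo} is below the required {min_cap}")
            if hi > max_cap:
                msgs.append(f"profile {name!r}: maximum {hi} exceeds the allowed {max_cap}")
        return msgs
    return check


# Assumed approved subnet IDs (the X, Y, Z of the post) and assumed capacity bounds.
_VNET = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/net/providers/Microsoft.Network/virtualNetworks/hub/subnets/"
APPROVED_SUBNETS = {_VNET + "X", _VNET + "Y", _VNET + "Z"}
STORAGE, AUTOSCALE = "Microsoft.Storage/storageAccounts", "Microsoft.Insights/autoscaleSettings"

RULES = [
    Rule("xx-v2-storage-tls", tagged(STORAGE, "product", "XX-v2"), tls12_only),
    Rule("xx-v2-storage-vnet", tagged(STORAGE, "product", "XX-v2"), vnet_rules_only_from(APPROVED_SUBNETS)),
    Rule("xx-v2-autoscale-bounds", tagged(AUTOSCALE, "product", "XX-v2"), autoscale_between(2, 10)),
]


def evaluate(resource: Resource, rules: list[Rule] = RULES) -> tuple[int, list[str]]:
    """Return (http_status, messages): 200 = allow, 403 = deny, 500 = evaluator fault (fail closed)."""
    violations: list[str] = []
    for rule in rules:
        try:
            if rule.applies_to(resource):
                violations.extend(f"[{rule.name}] {m}" for m in rule.check(resource))
        except Exception as exc:  # a broken rule must not silently allow the change
            return 500, [f"[{rule.name}] evaluator error: {exc}"]
    return (403, violations) if violations else (200, [])


# Constructed sample payloads (ARM-style, trimmed to the fields the rules read).
BAD_STORAGE: Resource = {
    "type": STORAGE, "name": "stxxv2prod", "tags": {"product": "XX-v2"},
    "properties": {"minimumTlsVersion": "TLS1_0",
                   "networkAcls": {"defaultAction": "Deny",
                                   "virtualNetworkRules": [{"id": _VNET + "X"}, {"id": _VNET + "rogue"}]}},
}
GOOD_STORAGE: Resource = {
    "type": STORAGE, "name": "stxxv2prod", "tags": {"product": "XX-v2"},
    "properties": {"minimumTlsVersion": "TLS1_2",
                   "networkAcls": {"defaultAction": "Deny", "virtualNetworkRules": [{"id": _VNET + "Y"}]}},
}
BAD_AUTOSCALE: Resource = {
    "type": AUTOSCALE, "name": "as-xxv2", "tags": {"product": "XX-v2"},
    "properties": {"profiles": [{"name": "default", "capacity": {"minimum": "1", "maximum": "20", "default": "2"}}]},
}

if __name__ == "__main__":
    for res in (BAD_STORAGE, GOOD_STORAGE, BAD_AUTOSCALE):
        status, messages = evaluate(res)
        print(f"{res['name']}: {status}", *messages, sep="\n  ")
```

Two design points worth noting. Rules are plain data plus small predicates, so a new tagging convention is one more `Rule` entry rather than another nested block in a policy JSON file. An exception inside a rule maps to 500 rather than being swallowed, so a bug in the evaluator denies the change instead of allowing it; that matters in the post-change Event Grid path the post already uses as much as it would in an inline gate, because a silently passing evaluator is indistinguishable from a compliant resource.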