Governance Policies Integration Event Driven - Azure/az-prototype GitHub Wiki
Governance policies for Event Driven
Domain: integration
| Name | Description |
|---|---|
| Event Grid to Function App with dead-letter | System topic subscription delivering to Azure Function with managed identity and dead-letter storage |
| Service Bus trigger with managed identity | Function App consuming a Service Bus queue through a managed-identity (connection-string-free) trigger binding |
| Event Hub to Stream Analytics pipeline | Real-time stream processing with Event Hub input, Stream Analytics windowed query, and blob output |
| Anti-pattern | Instead |
|---|---|
| Do not use connection strings for event source authentication | Use managed identity with RBAC role assignments for all event source connections |
| Do not skip dead-letter configuration on any event subscription or queue | Always configure dead-letter storage for Event Grid and enable deadLetteringOnMessageExpiration for Service Bus |
| Do not process events without idempotency checks | Use message deduplication (requiresDuplicateDetection) and implement idempotent event handlers |
- Event Grid dead-letter and retry
- Service Bus dead-letter queues
- Azure Functions Service Bus trigger
- Stream Analytics with Event Hubs
- Event Grid managed identity delivery
| Check | Severity | Description |
|---|---|---|
| CC-INT-ED-001 | Required | Wire Event Grid subscriptions to Function App or Container App endpoints with dead-letter storage and managed identity delivery |
| CC-INT-ED-002 | Required | Wire Service Bus triggers to Function App or Container App using managed identity connections |
| CC-INT-ED-003 | Required | Wire Event Hubs to Stream Analytics to Storage/SQL for real-time stream processing pipelines |
| CC-INT-ED-004 | Required | Configure dead-letter queues for Service Bus and dead-letter storage for Event Grid |
| CC-INT-ED-005 | Required | Implement poison message handling patterns for failed message processing |
CC-INT-ED-001: Wire Event Grid subscriptions to Function App or Container App endpoints with dead-letter storage and managed identity delivery
Severity: Required
Rationale: Event Grid provides at-least-once delivery; dead-letter captures undeliverable events; managed identity eliminates connection strings
Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer
- Microsoft.EventGrid/topics
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.Web/sites
- Microsoft.App/containerApps
- Microsoft.StreamAnalytics/streamingjobs
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.EventGrid/systemTopics | system-topic | System topic with managed identity for secure event delivery |
| Microsoft.Storage/storageAccounts | dead-letter-storage | Storage account with blob container for dead-letter event capture |
| Microsoft.Authorization/roleAssignments | eg-dlq-role | Storage Blob Data Contributor role for Event Grid to write dead-letter blobs |
CC-INT-ED-002: Wire Service Bus triggers to Function App or Container App using managed identity connections
Severity: Required
Rationale: Service Bus provides reliable ordered messaging; managed identity eliminates connection string management and rotation burden
Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer
- Microsoft.EventGrid/topics
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.Web/sites
- Microsoft.App/containerApps
- Microsoft.StreamAnalytics/streamingjobs
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Authorization/roleAssignments | fn-sb-data-receiver | Azure Service Bus Data Receiver role (4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0) for Function App identity |
CC-INT-ED-003: Wire Event Hubs to Stream Analytics to Storage/SQL for real-time stream processing pipelines
Severity: Required
Rationale: Event Hubs provides high-throughput ingestion; Stream Analytics handles windowed aggregation; output to durable storage completes the pipeline
Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer
- Microsoft.EventGrid/topics
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.Web/sites
- Microsoft.App/containerApps
- Microsoft.StreamAnalytics/streamingjobs
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.EventHub/namespaces/eventhubs/consumergroups | asa-consumer-group | Dedicated consumer group for Stream Analytics — never use $Default |
| Microsoft.Authorization/roleAssignments | asa-eh-receiver | Azure Event Hubs Data Receiver role for Stream Analytics managed identity |
CC-INT-ED-004: Configure dead-letter queues for Service Bus and dead-letter storage for Event Grid
Severity: Required
Rationale: Dead-letter captures messages/events that cannot be delivered or processed, enabling investigation and replay
Agents: cloud-architect, terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer
- Microsoft.EventGrid/topics
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.Web/sites
- Microsoft.App/containerApps
- Microsoft.StreamAnalytics/streamingjobs
CC-INT-ED-005: Implement poison message handling patterns for failed message processing
Severity: Required
Rationale: Poison messages that repeatedly fail processing block other messages; explicit handling prevents queue stalls
Agents: cloud-architect, app-developer, csharp-developer, python-developer, terraform-agent, bicep-agent
- Microsoft.EventGrid/topics
- Microsoft.ServiceBus/namespaces
- Microsoft.EventHub/namespaces
- Microsoft.Web/sites
- Microsoft.App/containerApps
- Microsoft.StreamAnalytics/streamingjobs
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/metricAlerts | dlq-depth-alert | Alert when dead-letter queue depth exceeds threshold — triggers investigation |
| Microsoft.Insights/actionGroups | ops-action-group | Action group for dead-letter alerts — email and webhook notifications |
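An added example, not code from the az-prototype wiki, covering both the idempotency anti-pattern above and CC-INT-ED-005: an in-memory simulation of a Service Bus PeekLock receive loop in which redelivered duplicates are detected by message_id and completed without re-applying their side effect, while a message that keeps failing is explicitly dead-lettered with a reason once its delivery_count reaches the queue's maxDeliveryCount rather than being retried forever. Message, run_queue, apply_order and the sample payloads are constructed for illustration; no Azure SDK is used, so it runs offline.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Message:
    message_id: str          # idempotency key; requiresDuplicateDetection keys on the same field
    body: dict
    delivery_count: int = 0  # broker-managed in PeekLock mode: +1 on every receive

def run_queue(messages, work, max_delivery_count=3):
    """Drain a simulated Service Bus (PeekLock) queue; work(msg) raising means abandon-and-retry
    until delivery_count reaches max_delivery_count, after which the message is dead-lettered."""
    queue = deque(messages)
    processed_ids = set()  # idempotency store; durable (table/db) in production, memory here
    outcome = {"completed": [], "duplicates": [], "dead_lettered": [], "applied": []}
    while queue:
        msg = queue.popleft()
        msg.delivery_count += 1
        if msg.message_id in processed_ids:
            # At-least-once delivery: complete the duplicate without re-applying the side effect.
            outcome["duplicates"].append(msg.message_id)
            continue
        try:
            outcome["applied"].append(work(msg))
        except Exception as exc:
            if msg.delivery_count >= max_delivery_count:
                # Poison message: park it with a reason so it stops blocking the queue.
                outcome["dead_lettered"].append(
                    (msg.message_id, "ProcessingFailed", f"{type(exc).__name__}: {exc}"))
            else:
                queue.append(msg)  # abandon: redelivered later with a higher delivery_count
            continue
        processed_ids.add(msg.message_id)
        outcome["completed"].append(msg.message_id)
    return outcome

def apply_order(msg):
    """Constructed business logic: a payload without order_id can never be processed."""
    if "order_id" not in msg.body:
        raise ValueError("missing order_id")
    return f"applied {msg.body['order_id']}"

def demo():
    # Constructed input: a valid order, its redelivered duplicate, and a malformed (poison) message.
    messages = [
        Message("m1", {"order_id": "A100"}), Message("m1", {"order_id": "A100"}),
        Message("m2", {"customer": "x"}),
    ]
    return run_queue(messages, apply_order, max_delivery_count=3)
```

The dead-lettered tuple carries the reason and description that a dlq-depth-alert investigation would read; the broker itself would also dead-letter m2 once MaxDeliveryCount is exceeded, but handling it in the handler records why.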