Azure has a number of built-in VM agent related policies, e.g. for installing the Dependency agent, Log Analytics agent or the new Azure Monitor Agent via a deployIfNotExists effect.
Examples are:
Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule
Configure Windows machines to run Azure Monitor Agent and associate them to a Data Collection Rule
Since we are only using CIS images from the marketplace, our VMs are ignored in the policy evaluation.
Both these initiatives contain a parameter for additional virtual machine image IDs. It accepts an array of image IDs, something like: listOfWindowsImageIdToInclude or listOfLinuxImageIdToInclude.
However when I inspect the properties of my VM (ImageReference) the property ID is always empty:
[screenshot: cis image]
[screenshot: windows image]
If I query the marketplace it shows something like this:
[screenshot: cis images]
I already included those IDs in the initiative parameter, but without success.
All these built-in policies evaluate a custom image ID as follows:
"anyOf": [
  {
    "field": "Microsoft.Compute/imageId",
    "in": "[parameters('listOfLinuxImageIdToInclude')]"
  },
But like I said the image ID of these marketplace images is empty...
Following this documentation (Apply policies to Windows VMs with Azure Resource Manager and Apply policies to Linux VMs with Azure Resource Manager)
Could this policy be:
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "in": [
          "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/VirtualMachineScaleSets"
        ]
      },
      {
        "not": {
          "allOf": [
            {
              "field": "Microsoft.Compute/imagePublisher",
              "in": [
                "center-for-internet-security-inc"
              ]
            },
            {
              "field": "Microsoft.Compute/imageOffer",
              "in": [
                "cis-ubuntu-linux-2004-11"
              ]
            },
            {
              "field": "Microsoft.Compute/imageSku",
              "in": [
                "cis-ubuntu2004-11"
              ]
            },
            {
              "field": "Microsoft.Compute/imageVersion",
              "in": [
                "latest"
              ]
            }
          ]
        }
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
If it doesn't work, please share your JSON policy
Hope this helps!
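To see why the initiative's image-ID parameter never matches a marketplace VM while the publisher/offer/sku/version rule above does, here is a small evaluator for Azure Policy conditions. It is an added example, not Azure's evaluation engine and not code from the post: the alias-to-property mapping is simplified to what these rules need, the VM bodies, the gallery image ID and the marketplace URN are constructed, and string comparisons are case-insensitive as in Azure Policy. It also runs a CIS VM deployed with a pinned version instead of "latest", which the rule as written would deny.

```python
"""Mini evaluator for Azure Policy rule conditions (added example, not Azure's engine)."""

# Alias -> property path in the VM resource body (simplified for this example).
ALIASES = {
    "type": ("type",),
    "Microsoft.Compute/imageId": ("properties", "storageProfile", "imageReference", "id"),
    "Microsoft.Compute/imagePublisher": ("properties", "storageProfile", "imageReference", "publisher"),
    "Microsoft.Compute/imageOffer": ("properties", "storageProfile", "imageReference", "offer"),
    "Microsoft.Compute/imageSku": ("properties", "storageProfile", "imageReference", "sku"),
    "Microsoft.Compute/imageVersion": ("properties", "storageProfile", "imageReference", "version"),
}
MISSING = object()  # sentinel: the alias has no value on this resource


def resolve(resource, field):
    """Walk the alias path; an absent key or an empty/null id counts as MISSING."""
    node = resource
    for key in ALIASES.get(field, (field,)):
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return MISSING if node in ("", None) else node


def _param(value, params):
    """Expand "[parameters('name')]" to the assignment's parameter value."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def evaluate(cond, resource, params=None):
    """True when the resource satisfies the condition. Modelled semantics:
    case-insensitive string compares; a MISSING field never satisfies equals/in."""
    params = params or {}
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    value = resolve(resource, cond["field"])
    low = None if value is MISSING else str(value).lower()
    if "equals" in cond:
        return low == str(_param(cond["equals"], params)).lower()
    if "notEquals" in cond:
        return low != str(_param(cond["notEquals"], params)).lower()
    if "in" in cond:
        return low in {str(v).lower() for v in _param(cond["in"], params)}
    if "exists" in cond:
        return (value is not MISSING) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


# The image-ID check from the built-in initiatives (see the anyOf fragment above).
BUILTIN_INCLUDE = {"anyOf": [{"field": "Microsoft.Compute/imageId",
                              "in": "[parameters('listOfLinuxImageIdToInclude')]"}]}

# The "if" block of the deny rule proposed in the answer above.
ANSWER_RULE = {"allOf": [
    {"field": "type", "in": ["Microsoft.Compute/virtualMachines",
                             "Microsoft.Compute/VirtualMachineScaleSets"]},
    {"not": {"allOf": [
        {"field": "Microsoft.Compute/imagePublisher", "in": ["center-for-internet-security-inc"]},
        {"field": "Microsoft.Compute/imageOffer", "in": ["cis-ubuntu-linux-2004-11"]},
        {"field": "Microsoft.Compute/imageSku", "in": ["cis-ubuntu2004-11"]},
        {"field": "Microsoft.Compute/imageVersion", "in": ["latest"]},
    ]}},
]}


def vm(**image_reference):
    """Constructed VM body; marketplace images leave imageReference.id empty."""
    ref = {"id": "", **image_reference}
    return {"type": "Microsoft.Compute/virtualMachines",
            "properties": {"storageProfile": {"imageReference": ref}}}


CIS = dict(publisher="center-for-internet-security-inc", offer="cis-ubuntu-linux-2004-11",
           sku="cis-ubuntu2004-11")
CIS_VM = vm(**CIS, version="latest")
CIS_VM_PINNED = vm(**CIS, version="2.0.0")  # constructed version string
UBUNTU_VM = vm(publisher="Canonical", offer="0001-com-ubuntu-server-focal", sku="20_04-lts", version="latest")
MARKETPLACE_URN = "center-for-internet-security-inc:cis-ubuntu-linux-2004-11:cis-ubuntu2004-11:latest"
GALLERY_IMAGE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/images-rg"
                    "/providers/Microsoft.Compute/galleries/corpgallery/images/cis-hardened/versions/1.0.0")
GALLERY_VM = vm(id=GALLERY_IMAGE_ID)  # a gallery image does carry an id


def included_by_builtin(resource, image_ids):
    """Would the initiative's image-ID parameter pick this VM up?"""
    return evaluate(BUILTIN_INCLUDE, resource, {"listOfLinuxImageIdToInclude": image_ids})


def denied_by_answer(resource):
    """Would the deny rule from the answer reject this VM?"""
    return evaluate(ANSWER_RULE, resource)
```

The marketplace URN in the parameter never matches because the alias resolves to the empty imageReference.id, whereas a gallery image ID does match; that is what the parameter is for. The pinned-version case shows the cost of matching imageVersion against "latest" only: a VM created from a specific CIS version is denied, so if pinned versions are allowed in your estate, drop that condition or widen it.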
Goal: I'm aiming to set up resource health alerts.
Method: using the ARM template to deploy the alerts; Microsoft's guide is found here.
Bug: I would like to pass an array of resources but I am encountering a problem. When I try, the Alert Blade crashes.
Details:
In the link above, MS shows this method for adding resources:
"condition": {
  "allOf": [
    ...,
    {
      "anyOf": [
        {
          "field": "resourceType",
          "equals": "MICROSOFT.COMPUTE/VIRTUALMACHINES",
          "containsAny": null
        },
        {
          "field": "resourceType",
          "equals": "MICROSOFT.STORAGE/STORAGEACCOUNTS",
          "containsAny": null
        },
        ...
      ]
    }
  ]
},
I would like to use the "ContainsAny" : < _____ > and pass an array.
Here is how it is done for the service health alert template:
{
  "field": "properties.impactedServices[*].ServiceName",
  "equals": null,
  "containsAny": "[parameters('ServiceHealthServices')]"
}
I tried doing exactly the same, except while keeping the field as "resourceType":
{
  "field": "resourceType",
  "equals": null,
  "containsAny": "[parameters('resourceHealthServices')]"
},
With either passing the resource type:
$targetResources = @(
  "MICROSOFT.STORAGE/STORAGEACCOUNTS",
  "MICROSOFT.COMPUTE/VIRTUALMACHINES"
)
Or passing the user-facing name (like service health alerts):
$targetResources = @(
  "Action Groups",
  "Activity Logs & Alerts"
)
When I try either, the alert Blade crashes with this issue:
Additional:
In the portal the "target resource types" field looks like this:
MICROSOFT.COMPUTE/VIRTUALMACHINES, Storage account and 1 more
Which suggests the values that can be passed may be either the resource type or the front-end name.
Thoughts, ideas, solutions?
I need to create an Azure policy for adding tags to resources which are being created without tags (e.g. name, support, costcenter).
The issue is that if, for example, I create a VM and add the Name tag but forget support and costcenter, I want my policy to add these two and keep my Name tag value.
Can I add some condition to the modify effect? Or multiple if/then objects in the definition?
Thanks,
Yes, you can add multiple conditional statements.
More information about combining logical operators:
{
  "properties": {
    "displayName": "Audit Azure Spring Cloud instances where distributed tracing is not enabled",
    "description": "Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state.",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.AppPlatform/Spring"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.AppPlatform/Spring/trace.enabled",
                "notEquals": "true"
              },
              {
                "field": "Microsoft.AppPlatform/Spring/trace.state",
                "notEquals": "Succeeded"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
  }
}
I have an Azure custom policy. It checks all storage accounts, and if there's no VNet and subnet set up on them as the selected network, it modifies them to have VNet integration according to the parameters I entered. The parameter I entered is an array of subnet info, as follows:
"allowedNetworks": {
  "type": "array",
  "metadata": {
    "description": "The list of allowed virtual networks",
    "displayName": "Allowed Networks"
  },
  "defaultValue": [
    {
      "id": "/subscriptions/xxx/resourceGroups/test3/providers/Microsoft.Network/virtualNetworks/rogertest3-vnet/subnets/default",
      "action": "Allow",
      "state": "Succeeded"
    },
    {
      "id": "/subscriptions/xxx/resourceGroups/test3/providers/Microsoft.Network/virtualNetworks/rogertest3-vnet/subnets/AzureBastionSubnet",
      "action": "Allow",
      "state": "Succeeded"
    }
  ]
}
and the effect is as follows:
"then": {
  "effect": "[parameters('effect')]",
  "details": {
    "roleDefinitionIds": [
      "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
    ],
    "conflictEffect": "audit",
    "operations": [
      {
        "operation": "addOrReplace",
        "field": "Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules",
        "value": "[parameters('allowednetworks')]"
      },
      {
        "operation": "addOrReplace",
        "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
        "value": "Deny"
      }
    ]
  }
}
It works well; however, there are some behaviours around this modify effect I'm a bit confused about.
If I create a new storage account and it falls under the scope of this policy, I notice it automatically adds this VNet integration, even if I select "all networks" at the time of creation.
If I try to manually change any storage account to all networks, the UI quickly reverts to VNet integration, so it's not doing anything, and it does not give an error message. Doing it with PowerShell gives the same result.
This is a bit contradictory to what I understand as the modify effect; I thought the modify effect is not mandatory and would only apply to storage accounts if you go with remediation.
Actually, it is by design, I just found out.
The modify effect gives this desired-state-configuration behaviour, so when you create something, Policy evaluates it, and if it fits the policy, Policy takes effect.
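The following simulation, an added example rather than the Azure Policy engine or code from either post, models the documented semantics of the modify operations (add sets a field only when it is missing, addOrReplace always sets it, remove deletes it) and applies them to a create request the way the effect does at request time. It covers both the tag question above (fill in support and costcenter, keep Name) and the storage-account behaviour (the portal's "all networks" choice is overwritten on create). Request bodies, tag values and the subnet list are constructed; the alias-to-property mapping is simplified to these two cases.

```python
"""Simulation of Azure Policy `modify` operations (added example, not Azure's engine)."""
import copy
import re

# Subnet rule shaped like the question's parameter, with a placeholder subscription id.
ALLOWED_NETWORKS = [
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test3"
           "/providers/Microsoft.Network/virtualNetworks/rogertest3-vnet/subnets/default",
     "action": "Allow", "state": "Succeeded"},
]


def field_path(field):
    """Map a modify `field` to a key path in the request body.
    tags['x'] -> tags.x; a provider alias such as
    Microsoft.Storage/storageAccounts/networkAcls.defaultAction -> properties.networkAcls.defaultAction
    (simplified alias handling for this example)."""
    m = re.fullmatch(r"tags\['([^']+)'\]", field)
    if m:
        return ["tags", m.group(1)]
    return ["properties"] + field.rsplit("/", 1)[-1].split(".")


def apply_modify(request_body, operations):
    """Return the body as it is persisted after the modify operations run on the request."""
    body = copy.deepcopy(request_body)
    for op in operations:
        *parents, leaf = field_path(op["field"])
        node = body
        for key in parents:
            node = node.setdefault(key, {})
        kind = op["operation"]
        if kind == "add":
            node.setdefault(leaf, op["value"])      # keeps a value the caller already set
        elif kind == "addOrReplace":
            node[leaf] = op["value"]                # overwrites whatever the caller sent
        elif kind == "remove":
            node.pop(leaf, None)
        else:
            raise ValueError(f"unknown modify operation: {kind}")
    return body


# Case 1: the tag question. `add` fills the missing tags and leaves Name alone.
TAG_OPERATIONS = [
    {"operation": "add", "field": "tags['support']", "value": "platform-team"},
    {"operation": "add", "field": "tags['costcenter']", "value": "CC-1234"},
]


def tags_after_policy(tags):
    """Tags on a VM create request after the tag policy's modify operations."""
    body = {"type": "Microsoft.Compute/virtualMachines", "tags": dict(tags)}
    return apply_modify(body, TAG_OPERATIONS)["tags"]


# Case 2: the storage question. addOrReplace replaces the portal's network selection.
STORAGE_OPERATIONS = [
    {"operation": "addOrReplace",
     "field": "Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules",
     "value": ALLOWED_NETWORKS},
    {"operation": "addOrReplace",
     "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
     "value": "Deny"},
]


def storage_acls_after_policy(selected_all_networks=True):
    """networkAcls persisted for a storage account created with "all networks" selected."""
    request = {"type": "Microsoft.Storage/storageAccounts",
               "properties": {"networkAcls": {
                   "defaultAction": "Allow" if selected_all_networks else "Deny",
                   "virtualNetworkRules": []}}}
    return apply_modify(request, STORAGE_OPERATIONS)["properties"]["networkAcls"]
```

Because the operations run on the create or update request itself, the PUT succeeds but with the policy's values, which is the silent "revert" seen in the portal and in PowerShell; remediation tasks are only needed for resources that existed before the assignment.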
I'm trying to create a policy that will block releasing a database to a resource group if it doesn't have an Elastic Pool in the settings.
Unfortunately, every attempt to set the conditions ends with blocking database releases, regardless of whether they have this option enabled or not.
I tried to use various field types as a parameter (starting from the simplest, as an example):
"if": {
  "allOf": [
    {
      "field": "type",
      "notEquals": "Microsoft.Sql/servers/elasticPools"
    },
"then": {
  "effect": "Deny"
}
but it fails every time. How do I correctly formulate the condition in JSON for the policy to work? Maybe someone has an example of a ready configuration somewhere?
I am working through a similar problem, and it seems the filter needs to be more explicit to work properly. You can see from the example below that I am filtering on databases AND the non-existence of the ElasticPoolId value...
"if": {
  "allOf": [
    {
      "field": "type",
      "equals": "Microsoft.Sql/servers/databases"
    },
    {
      "not": {
        "field": "Microsoft.Sql/servers/databases/elasticPoolId",
        "exists": "true"
      }
    }
  ]
},
"then": {
  "effect": "audit"
}
I haven't tried it denying creation yet, but it appears to work auditing existing DBs.
You are missing a closing bracket for the allOf. You should be able to do this:
"if": {
  "field": "type",
  "notEquals": "Microsoft.Sql/servers/elasticPools"
},
"then": {
  "effect": "Deny"
}
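To compare what the two proposed "if" blocks would actually deny, here is an added example (not code from either answer) that writes each one out as a predicate and runs it over a few constructed SQL resources; names, ids and the extra storage account are made up for the example.

```python
"""What a Deny effect with each proposed rule would reject (added example)."""


def sql_db(name, elastic_pool_id=None):
    """Constructed database body; elasticPoolId is only present for pooled databases."""
    props = {"elasticPoolId": elastic_pool_id} if elastic_pool_id else {}
    return {"name": name, "type": "Microsoft.Sql/servers/databases", "properties": props}


POOL_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sql-rg"
           "/providers/Microsoft.Sql/servers/sql01/elasticPools/pool01")

RESOURCES = [
    sql_db("sales-db", POOL_ID),                 # database inside the pool
    sql_db("standalone-db"),                     # database without a pool
    {"name": "pool01", "type": "Microsoft.Sql/servers/elasticPools", "properties": {}},
    {"name": "diagstorage", "type": "Microsoft.Storage/storageAccounts", "properties": {}},
]


def explicit_rule(resource):
    """First answer: type equals databases AND NOT exists elasticPoolId."""
    is_db = resource["type"].lower() == "microsoft.sql/servers/databases"
    has_pool = bool(resource.get("properties", {}).get("elasticPoolId"))
    return is_db and not has_pool


def type_only_rule(resource):
    """Second answer: type notEquals elasticPools, with no other filter."""
    return resource["type"].lower() != "microsoft.sql/servers/elasticpools"


def denied_by(rule, resources=RESOURCES):
    """Names of the resources a Deny effect with this `if` block would reject."""
    return sorted(r["name"] for r in resources if rule(r))
```

The type-only rule matches every resource that is not an elastic pool, so with Deny it blocks pooled databases and unrelated resources in scope alike, which is the "blocks every release" symptom the question describes; narrowing to the database type and testing the elasticPoolId alias with exists is what keeps the pool check targeted.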
I'm trying to force anyone that is provisioning resources or services in Azure to only be able to select a specific region(s). For example, when they provision a resource group, the dropdown only shows a specific region(s). I was hoping there is some global setting that will affect all users. We are also using Azure AD; does that help or matter? I tried searching the Azure docs and the PowerShell commands, but I just can't find any mention of this setting.
You could use Azure Policy to do it.
Here is a sample policy that requires all resources to be deployed to the approved locations; refer to this link. You could deploy it with the portal or with PowerShell.
This policy requires that all resources are deployed to the approved locations. You specify an array of approved locations.
Sample template:
{
  "properties": {
    "displayName": "Allowed locations",
    "policyType": "BuiltIn",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements.",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources.",
          "strongType": "location",
          "displayName": "Allowed locations"
        }
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('listOfAllowedLocations')]"
        }
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e56962a6-4747-49cd-b67b-bf8b01975c4c"
}