Related
I am using this code below to attempt to lock just the VM's in a subscription, but the effect is to place a lock on the Resource Groups. How can I make this apply only to vm's only and not the RG?
{
"properties": {
"displayName": "All Azure Vm's should be Delete Locked",
"mode": "Indexed",
"description": "This policy will add an CanNotDelete Resource Lock.",
"metadata": {
"version": "1.1.0",
"category": "Compute"
},
"parameters": {
"effect" : {
"type" : "String",
"metadata" : {
"displayName" : "Effect",
"description" : "Enable a Delete Lock"
},
"allowedValues" : [
"CanNotDelete",
"ReadOnly",
"NotSpecified"
],
"defaultValue": "CanNotDelete"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
}
]
},
"then": {
"effect": "auditIfNotExists",
"details": {
"type": "Microsoft.Authorization/locks",
"existenceCondition": {
"field": "Microsoft.Authorization/locks/level",
"equals": "CanNotDelete"
}
}
}
}
}
}
Created a policy to place locks on Virtual machines in Azure. Locks are placed on the Resource Group, which does lock the vm, but I only want the lock on the vm and not the resource group.
You are missing the deployment part of deployment template.
https://learn.microsoft.com/en-us/azure/governance/policy/samples/pattern-deploy-resources#deployment-template
You can only assign the resource lock on a single resource, if you do not want to assign it on the resource group:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/scope-extension-resources?tabs=azure-cli#apply-to-resource
For a single resource resource lock, then you need to use and define a scope:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#template
Under the "resources": [ you can do multiple deployments, see code #2:
#1
{
"properties": {
"displayName": "All Azure Vm's should be Delete Locked",
"description": "This policy will add an CanNotDelete Resource Lock.",
"mode": "all",
"metadata": {
"version": "1.1.0",
"category": "Compute"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable a Delete Lock"
},
"allowedValues": [
"CanNotDelete",
"ReadOnly",
"NotSpecified"
],
"defaultValue": "CanNotDelete"
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"then": {
"effect": "DeployIfNotExists",
"details": {
"type": "Microsoft.Authorization/locks",
"existenceCondition": {
"field": "Microsoft.Authorization/locks/level",
"equals": "[parameters('effect')]"
},
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {
"vmName": "vm-niclas01"
},
"resources": [
{
"type": "Microsoft.Authorization/locks",
"apiVersion": "2020-05-01",
"name": "DenyDelete",
"scope": "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]",
"properties": {
"level": "CanNotDelete",
"notes": "Prevents deletion of resource."
}
}
]
}
}
}
}
}
}
}
}
#2 - Deploy lock on multiple VMs, not on RG:
{
"properties": {
"displayName": "Test 2 - All Azure Vm's should be Delete Locked",
"policyType": "Custom",
"mode": "All",
"metadata": {
"version": "1.1.0"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable a Delete Lock"
},
"allowedValues": [
"CanNotDelete",
"ReadOnly",
"NotSpecified"
],
"defaultValue": "CanNotDelete"
},
"vmName": {
"type": "Array",
"metadata": {
"displayName": "VM Names",
"description": "The list of VM names that should have resource locks"
},
"allowedValues": [
"vm-niclas01",
"vm-niclas02",
"vm-linuxniclas"
]
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "name",
"in": "[parameters('vmName')]"
},
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
}
]
},
"then": {
"effect": "DeployIfNotExists",
"details": {
"type": "Microsoft.Authorization/locks",
"existenceCondition": {
"field": "Microsoft.Authorization/locks/level",
"equals": "[parameters('effect')]"
},
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
"vmName": {
"type": "Array"
}
},
"variables": {
"vmName1": "[concat('/', parameters('vmName')[0])]",
"vmName2": "[concat('/', parameters('vmName')[1])]"
},
"resources": [
{
"type": "Microsoft.Authorization/locks",
"apiVersion": "2020-05-01",
"name": "DenyDelete",
"scope": "[concat('Microsoft.Compute/virtualMachines', variables('vmName1'))]",
"properties": {
"level": "CanNotDelete",
"notes": "Prevents deletion of resource."
}
},
{
"type": "Microsoft.Authorization/locks",
"apiVersion": "2020-05-01",
"name": "DenyDelete",
"scope": "[concat('Microsoft.Compute/virtualMachines/', variables('vmName2'))]",
"properties": {
"level": "CanNotDelete",
"notes": "Prevents deletion of resource."
}
}
],
"outputs": {}
},
"parameters": {
"vmName": {
"value": "[parameters('vmName')]"
}
}
}
}
}
}
}
}
}
3 VMs in the same RG:
Policy assignment with parameter:
Resource Lock deployed:
Resource Lock not deployed, because it is not part of policy parameter:
I have a resource whitelist policy defined as follows:
{
"properties": {
"displayName": "Deny resource creation if not in whitelist",
"policyType": "Custom",
"mode": "Indexed",
"description": "This policy denies the creation resources which are not allowed in the whitelist.",
"policyRule": {
"if": {
"not": {
"field": "type",
"in": [
"Microsoft.KeyVault/vaults",
"Microsoft.Storage/storageAccounts"
]
}
},
"then": {
"effect": "Deny"
}
}
},
"id": "<POLICYDEFINITIONID>",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "Deny_resource_creation_if_not_in_whitelist",
}
This policy works as expected when assigned to a resource group.
I also have a second policy assigned at the subscription level to deploy the first policy on resource groups with names starting with "rg-*":
{
"properties": {
"displayName": "Deploy resource whitelist policy",
"policyType": "Custom",
"mode": "All",
"description": "This policy assigns the resource whitelist policy to resource groups starting with rg-*.",
"policyRule": {
"if": {
"allOf": [
{
"equals": "Microsoft.Resources/subscriptions/resourceGroups",
"field": "type"
},
{
"field": "name",
"like": "rg-*"
}
]
},
"then": {
"details": {
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2022-06-01",
"name": "[guid('<POLICYDEFINITIONID>', resourceGroup().name)]",
"properties": {
"displayName": "Deny resource creation if not in whitelist",
"enforcementMode": "Default",
"policyDefinitionId": "<POLICYDEFINITIONID>"
},
"type": "Microsoft.Authorization/policyAssignments"
}
]
}
}
},
"evaluationDelay": "AfterProvisioning",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
],
"type": "Microsoft.Authorization/policyAssignments"
},
"effect": "DeployIfNotExists"
}
}
},
"id": "",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "Deploy_resource_whitelist_policy",
}
The second policy is evaluated, I can see a successful deployIfNotExists event but in fact the assignment is not created.
A few additional facts:
I successfully deployed the policy assignment ARM template from the Azure portal
When replacing the policy assignment ARM template with a simple storage account ARM template it works, a storage account is created in the resource group.
Any help would be much appreciated.
Your policy assignment in the example seems to be missing a scope property to assign it to the given resourcegroup. Try adding a scope property to the policy assignment.
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2022-06-01",
"name": "[guid('<POLICYDEFINITIONID>', resourceGroup().name)]",
"properties": {
"displayName": "Deny resource creation if not in whitelist",
"enforcementMode": "Default",
"policyDefinitionId": "<POLICYDEFINITIONID>"
"scope": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', resourceGroup().name)]"
},
"type": "Microsoft.Authorization/policyAssignments"
}```
I finally solved this using only the first policy and a value expression condition:
{
"properties": {
"displayName": "Deny resource creation if not in whitelist",
"policyType": "Custom",
"mode": "Indexed",
"description": "This policy denies the creation resources which are not allowed in the whitelist.",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"notIn": [
"Microsoft.KeyVault/vaults",
"Microsoft.Storage/storageAccounts"
]
},
{
"value": "[resourceGroup().name]",
"like": "rg-*"
}
]
},
"then": {
"effect": "Deny"
}
}
},
"id": "<POLICYDEFINITIONID>",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "Deny_resource_creation_if_not_in_whitelist",
}
I created an azure policy via devops . I had a role enabled as given below(storage contributor). The identity was created for the policy but there was no role assigned to it. So I had to manually create it to run the remediation task. Shouldn't the policy create the role itself? or the deployment?
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],
We deploy it as an arm template using New-AzDeployment
This is the full template
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyDefinitionName": {
"type": "string"
}
},
"resources": [{
"type": "Microsoft.Authorization/policyDefinitions",
"name": "[parameters('policyDefinitionName')]",
"apiVersion": "2019-09-01",
"properties": {
"displayName": "Deploy Soft-Delete for Blobs",
"mode": "All",
"description": "This policy enables soft-delete for blobs.",
"parameters": {
"retentionInDays": {
"type": "Integer",
"metadata": {
"displayName": "Retention in days",
"description": "This defines how long the deleted object should be retained for. Allowed values are 1 to 365."
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "kind",
"in": [
"Storage",
"StorageV2",
"BlobStorage",
"BlockBlobStorage"
]
},
{
"field": "Microsoft.Storage/storageAccounts/isHnsEnabled",
"equals": false
},
]
},
"then": {
"effect": "DeployIfNotExists",
"details": {
"type": "Microsoft.Storage/storageAccounts/blobServices",
"existenceCondition": {
"field": "Microsoft.Storage/storageAccounts/blobServices/default.deleteRetentionPolicy.enabled",
"equals": true
},
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": {
"type": "string"
},
"retentionInDays": {
"type": "int"
}
},
"variables": {},
"resources": [
{
"name": "[[concat(parameters('storageAccountName'), '/default')]",
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"properties": {
"deleteRetentionPolicy": {
"enabled": true,
"days": "[[parameters('retentionInDays')]"
}
}
}
],
"outputs": {}
},
"parameters": {
"storageAccountName": {
"value": "[[field('name')]"
},
"retentionInDays": {
"value": "[[parameters('retentionInDays')]"
}
}
}
}
}
}
}
}
}]
}
POLICY DEFINITION DEPLOYMENT
(Optional) INITIATIVE DEFINTION DEPLOYMENT
POLICY ASSIGNMENT DEPLOYMENT <- This is where you add your role assignment.
The role assignment must be made for the managed identity created by the policy assignment. If you create the policy assignment from the portal, I believe this is done automatically for you. An ARM template in DevOps will require a manual definition.
The policy assignment therefore must also be deployed with a role assignment.
I would recommend using a separate ARM template for assignments due to issues using "dependsOn" between definitions, initiatives, and assignments. Therefore your policy assignment template with the role assignment would stand alone and look something like the example template below.
I know it's not related to your question, but it's annoying enough to mention. In my experience, I've had to delay 2 minutes between definition deployments and subsequent initiative deployments and then another 2 minutes before assignment deployments in order to avoid 404 errors on dependencies.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {
"scope": "[concat('/subscriptions/', subscription().subscriptionId, '/')]"
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "my-policy-assignment",
"location": "westus2",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"displayName": "My Policy Assignment",
"policyDefinitionId": "[concat(variables('scope'), 'providers/Microsoft.Authorization/policySetDefinitions/my-policy-initiative')]",
"scope": "[variables('scope')]",
"notScopes": [],
"parameters": {},
"description": "This is an example assignment for a Stack Overflow post.",
"metadata": {
"category": "My Category"
}
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2019-04-01-preview",
"name": "b74efc56-19fa-44a3-9665-49b08f7c384d",
"dependsOn": [
"my-policy-assignment"
],
"properties": {
"roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
"principalType": "ServicePrincipal",
"delegatedManagedIdentityResourceId": "[concat(subscription().id, '/providers/Microsoft.Authorization/policyAssignments/', 'my-policy-assignment')]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', 'my-policy-assignment'), '2018-05-01', 'Full' ).identity.principalId)]"
}
}
]
}
I am trying to create an automated process that adds the Azure Active Directory on a SQL Server to an Azure group once the SQL server deploys. The group I want to add too is a security group. I am thinking about using Azure policy to implement this. What would the policy rule look like? If there is a better Azure service/feature to implement my task what is it?
Here is sample policy definition that has worked for me which evaluates and provides the complaint and non-complaint resources on the existing resources. Also kindly note, during an evaluation cycle, policy definitions with a "DeployIfNotExists" effect that match resources are marked as non-compliant, but no action is taken on that resource. Existing non-compliant resources can be remediated with a remediation task.
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/servers"
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Sql/servers/administrators",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Sql/servers/administrators/administratorType",
"equals": "ActiveDirectory"
},
{
"field": "Microsoft.Sql/servers/administrators/login",
"equals": "xxxx#xxxxxx.com"
},
{
"field": "Microsoft.Sql/servers/administrators/sid",
"equals": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
},
{
"field": "Microsoft.Sql/servers/administrators/tenantId",
"equals": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"sqlServerName": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"name": "[parameters('sqlServerName')]",
"type": "Microsoft.Sql/servers",
"apiVersion": "2019-06-01-preview",
"location": "[parameters('location')]",
"resources": [
{
"type": "Microsoft.Sql/servers/administrators",
"apiVersion": "2019-06-01-preview",
"name": "[concat(parameters('sqlServerName'), '/ActiveDirectory')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
],
"properties": {
"administratorType": "ActiveDirectory",
"login": "xxxx#xxxxxx.com",
"sid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
"tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"
}
}
]
}
]
},
"parameters": {
"sqlServerName": {
"value": "[field('Name')]"
},
"location": {
"value": "[field('Location')]"
}
}
}
},
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
]
}
}
},
"parameters": {}
}
We are referring this documentation here which talks about Creating diagnostic setting in Azure using a Resource Manager template.
We have managed to provision resources with ARM template along with diagnostic setting for resource logs, however snippet in the documentation to enable the activity logs diagnostic setting does not seem to work as the template deployment command (new-azresourcegroupdeployment) returns the Bad request error.
New-AzResourceGroupDeployment : Resource Microsoft.Insights/diagnosticSettings 'test-vnet' failed with message '{
"Code": "BadRequest",
"Message": ""
}'
Here is the template (trimmed some code to avoid noise)
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
...
},
"variables": {
...
},
"resources": [
{
"apiVersion": "2018-08-01",
"type": "Microsoft.Network/virtualNetworks",
"name": "[parameters('virtualNetworkName')]",
"location": "[parameters('resourceLocation')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"[parameters('addressPrefix')]"
]
},
"subnets": "[parameters('subnets')]",
"dhcpOptions": {
"dnsServers": "[parameters('dnsServers')]"
}
},
"resources":
[
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"name": "[variables('diagnosticsSettingsName')]",
"dependsOn": [
"[parameters('virtualNetworkName')]"
],
"location": "global",
"properties":
{
"storageAccountId": "..valid_id_here",
"logs":
[
{
"category": "Administrative",
"enabled": true
},
{
"category": "Security",
"enabled": true
},
{
"category": "ServiceHealth",
"enabled": true
},
{
"category": "ResourceHealth",
"enabled": true
}
]
}
}
]
}
],
"outputs": {
..
}
The documentation here which you are referring for Creating diagnostic settings.
So If you will check the Deployment Methods in this document, it says that you can deploy Resource Manager templates using any valid method including PowerShell and CLI. Diagnostic settings for Activity log must deploy to a subscription using az deployment create for CLI or New-AzDeployment for PowerShell.
Use New-AzDeployment instead of New-AzResourceGroupDeployment to deploy the ARM Template.
Hope this helps!!
This policy works for me, note that it is Subscription level deployment:
{
"properties": {
"displayName": "Deploy diagnostic setting profile for Subscription Activity Logs to Log Analytics workspace",
"description": "Deploys the diagnostic settings for Subscription Activity Logs to stream to a regional Log Analytics workspace when any Subscription which is missing this diagnostic settings is created or updated.",
"mode": "All",
"metadata": {
"version": "1.0.0",
"category": "audit"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
},
"settingsProfileName": {
"type": "String",
"metadata": {
"displayName": "Settings profile name",
"description": "The diagnostic settings profile name"
},
"defaultValue": "setbypolicy_logAnalytics"
},
"logAnalyticsResourceId": {
"type": "String",
"metadata": {
"displayName": "Log Analytics resourceId",
"description": "Set to full Log Analytics workspace resorceId. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
}
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Resources/subscriptions"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Insights/diagnosticSettings",
"name": "[parameters('settingsProfileName')]",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
"equals": "[parameters('logAnalyticsResourceId')]"
}
]
},
"deploymentScope": "subscription",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
],
"deployment": {
"location": "westeurope",
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"settingsProfileName": {
"type": "string"
},
"logAnalyticsResourceId": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"name": "[parameters('settingsProfileName')]",
"properties": {
"workspaceId": "[parameters('logAnalyticsResourceId')]",
"logs": [
{
"category": "Administrative",
"enabled": "true"
},
{
"category": "Alert",
"enabled": "true"
},
{
"category": "Autoscale",
"enabled": "true"
},
{
"category": "Policy",
"enabled": "true"
},
{
"category": "Recommendation",
"enabled": "true"
},
{
"category": "ResourceHealth",
"enabled": "true"
},
{
"category": "Security",
"enabled": "true"
},
{
"category": "ServiceHealth",
"enabled": "true"
}
]
}
}
],
"outputs": {}
},
"parameters": {
"settingsProfileName": {
"value": "[parameters('settingsProfileName')]"
},
"logAnalyticsResourceId": {
"value": "[parameters('logAnalyticsResourceId')]"
}
}
}
}
}
}
}
}
}