Im trying to create an Azure Policy definition that audits whether a NSG contains a certain rule.
So in the following code im trying to audit NSGs that dont have this rule:
name: deny-rule, access: deny, sourceAddresses: 10.124.0.0/16,... (see code)
It doesnt seem to work, Im struggling with the sourceAddresses array part, which I want to ensure that rule contains all 4 items in the array exactly.
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups"
},
{
"count": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name",
"equals": "deny-rule"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
"equals": "deny"
},
{
"count": {
"value": [
"10.124.0.0/16",
"10.125.0.0/16",
"10.74.0.0/16",
"10.75.0.0/16"
],
"name": "ranges",
"where": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
"equals": "[current('ranges')]"
}
},
"equals": 4
}
]
}
},
"less": 1
}
]
},
"then": {
"effect": "audit"
}
}
**Update: I think this is the right direction, https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#value-count-examples
Related
I'm blocked about a policy Azure. As you can see on the title, i want to deny the Resource Group's creation if the name start with "DEMO" and if all these tags (ApplicationName, ManagedBy, Classification) aren't present.
{
"mode": "All",
"parameters": {},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"value": "[resourceGroup().name]",
"like": "DEMO*"
},
{
"anyOf": [
{
"field": "tags['ApplicationName']",
"exists": false
},
{
"field": "tags['ManagedBy']",
"exists": false
},
{
"field": "tags['Classification']",
"exists": false
}
]
}
]
},
"then": {
"effect": "deny"
}
}
}
Someone can tell me if something seem bad ?
With this code, actually, i can create my RG even if it starts with DEMO (exemple DEMO62) and one or multiple tags are missing.
But, in the policy dashboard, it displays that it doesn't match the criteria, so it seems to works but after the creation .. so .. too late.
Thanks everybody
i also tried in this format :
"field": "tags",
"containsKey": "ApplicationName"
But same result
I tried to reproduce the same in my environment to Block Azure Resource Group Creation if aren't present.
If I tried to create any Resource Group with name DEMO without required tags, it won't allow to create the resource group.
Policy:
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "name",
"like": "DEMO*"
},
{
"not": {
"field": "tags['ApplicationName']",
"equals": "testapp"
}
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
help me to make the mandatory tag using azure policy and users are not allowed to give their own tag name. the below code mandatory the mentioned tags and not to control the disallowed other tags
{
"mode": "All",
"policyRule": {
"if": {
"anyOf": [
{
"field": "tags['environment']",
"exists": "false"
},
{
"field": "tags['Location']",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
Here is the example to make changes with Tag in Azure Policy
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "name",
"like": "prd-*"
},
{
"field": "tags['Env']",
"notEquals": "Production"
}
]
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [{
"operation": "addOrReplace",
"field": "tags['Env']",
"value": "Production"
}]
}
}
}
for further information could you please check the Azure Policy documentation
In Azure I have an NSG Rule configured as follows:
Im trying to write an Azure Policy, to audit if the Source IP addresses/CIDR ranges is not set correctly.
The value should always be exactly equal to: 192.168.0.0/24,192.168.1.0/24.
If it is not that exact value, it should audit.
This is the definition I have written:
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups"
},
{
"field": "name",
"like": "jeffweb2-dr-sm-nsg"
},
{
"count": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name",
"equals": "SQL"
},
{
"anyof": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
"notEquals": [
"192.168.0.0/24",
"192.168.1.0/24"
]
}
]
}
]
}
},
"greater": 0
}
]
},
"then": {
"effect": "audit"
}
}
But when trying to create the definition with this json, I get the error:
New-AzPolicyDefinition : InvalidPolicyRule : Failed to parse policy rule: 'Error reading string. Unexpected token: StartArray. Path 'notEquals'.'.
Question: How do you pass multiple CIDR ranges into the notEquals, I believe this is my problem I believe.
Instead of notEquals, you can use notIn condition to check the values in array. notIn works as it expects an array and you can get rid of above error.
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups"
},
{
"field": "name",
"like": "jeffweb2-dr-sm-nsg"
},
{
"count": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name",
"equals": "SQL"
},
{
"anyof": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
"notIn": [
"192.168.0.0/24",
"192.168.1.0/24"
]
}
]
}
]
}
},
"greater": 0
}
]
},
"then": {
"effect": "audit"
}
}
I want to create a custom Azure Policy JSON that reads through Azure resources and makes sure that it is following our standardized naming convention. For example, I am trying to set it up for virtual machines, cloud services, and Redis cache.
{
"if": {
"allof": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"not": {
"anyOf": [
{
"field": "name",
"match": "gz?????????#?##"
}
]
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
"if": {
"allof": [
{
"field": "type",
"equals": "Microsoft.ClassicCompute/domainNames"
},
{
"not": {
"anyOf": [
{
"field": "name",
"match": "GZ?-??????-??#-???-??????-###"
}
]
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
"if": {
"allof": [
{
"field": "type",
"equals": "Microsoft.Cache/Redis"
},
{
"not": {
"anyOf": [
{
"field": "name",
"match": "gz?????????#???###"
}
]
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
I don't think Azure allows for there to be multiple IFs like how I am trying to set it up. What I want it to do is this:
If the resource is a VM and it does not match that convention, then audit.
If the resource is a cloud service and it does not match that convention, then audit.
If the resource is Redis cache and it does not match that convention, then audit.
Updated JSON
You should use an initiative (policy set definition) to organize multiple related policies like this. This will be easier to maintain than a single policy definition with conditions for each resource type, and will allow you to see compliance results both for the entire naming convention policy set, and for each individual policy.
For example:
"properties": {
"displayName": "Naming conventions",
"policyType": "Custom",
"parameters": {
"effect": {
"type": "String",
"defaultValue": "Audit"
}
},
"policyDefinitions": [
{
"policyDefinitionId": "/subscriptions/<SUBSCRIPTION ID>/providers/Microsoft.Authorization/policyDefinitions/<YOUR VIRTUAL MACHINE NAMING CONVENTION POLICY ID>",
"parameters": {
"effect": {
"value": "[parameters('effect')]"
}
}
},
{
"policyDefinitionId": "/subscriptions/<SUBSCRIPTION ID>/providers/Microsoft.Authorization/policyDefinitions/<YOUR DOMAIN NAME NAMING CONVENTION POLICY ID>",
"parameters": {
"effect": {
"value": "[parameters('effect')]"
}
}
}
]
}
}
I wouldn't recommend it, but if you must combine multiple types in a single definition, then you may use anyOf, for example:
{
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"not": {
"field": "name",
"match": "gz?????????#?##"
}
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.ClassicCompute/domainNames"
},
{
"not": {
"field": "name",
"match": "GZ?-??????-??#-???-??????-###"
}
}
]
}
]
},
"then" : {
"effect" : "audit"
}
}
I've created an Azure Policy, i wanted to deny the resource group creation if user doesn't specify tag with key "Env" or "use"
But when i create the resource group with Env tag it blocks me, it only allows me when i add both the tag which is env and use.
As per my understanding "anyof" in azure policy is used as "OR" but my code isn't behaving the same wa
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"anyof": [
{
"field": "tags.Env",
"exists": false
},
{
"field": "tags.use",
"exists": false
}
]
}
]
},
"then": {
"effect": "deny"
}
}
Based on the Chris's suggestion I've worked on the tag name and values but it is giving me an error in the policy and it is not taking the "NOT"
{
"mode": "all",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"not":{
{
"field": "tags.Env",
"equals" : "Prod"
},
{
"field": "tags.OS",
"equals" : "windows"
}
}
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
Right now, like you mentioned, the policy is evaluating if "tags.Env doesn't exist OR tags.use doesn't exist". If either tag does not exist you will be denied.
What you want is to deny if "tags.Env doesn't exist AND tags.use doesn't exist". That would imply that they are both missing which is what you are trying to prevent.
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "tags.Env",
"exists": false
},
{
"field": "tags.use",
"exists": false
}
]
},
"then": {
"effect": "deny"
}
}