Azure Policy which only allows RGs to be created via IaC? - azure

I want to restrict the manner in which resource groups are created on my Azure subscriptions.
I only want to allow the creation of RGs via Azure Pipelines using Terraform.
Is this possible? And how can I attack this?
Thank you

You can't achieve it using Azure Policy; rather, you need to create a custom role by providing the necessary permissions using RBAC and assign it to the respective scope.
Also, in case you are using Azure Blueprints, I would suggest first checking deny assignments.
Here is the document for creating a resource group using Terraform.
Also, you can go through this document which has related discussions.

Related

Azure IAM - is it possible to audit group memberships using Azure Policy?

I want to first audit (and later enforce) that user names added to a specific AD group follow a certain naming convention. Is this achievable via Azure Policy? It would be straightforward to get such a report through scripting, but in our case we want to see a clear audit status with Azure policies and eventually prevent them from being added in the first place with the Policy deny effect.
No, I believe Azure Policy can only be used on the Azure Resource Manager scope. Azure AD objects like users and groups can't be managed using Azure Policy. So one way to think of it is that if you can deploy something with an ARM template, you can likely govern only those objects using Azure Policy.
The alternative to having nice audit reports for Azure AD stuff would be Azure AD Privileged Identity Management (PIM). It's pretty awesome but I don't think your use case around enforcing and auditing naming conventions of users is supported. Cheers!

How to create a user in the Azure portal with read-only access to all resources in all subscriptions?

I want to create a user in the Azure portal with read-only access to all resources in all of my subscriptions.
This user should not be able to modify anything in any of my available subscriptions.
It seems you are trying to add a user who should have read-only access to all resources in all of your subscriptions, and this user should not be able to modify anything on the tenant.
So the best way is to add that user to the Global Reader role (can read everything that a global administrator can, but not update anything), which provides authority to access all resources in all of your subscriptions but cannot modify anything among the available subscriptions.
Hope this helps you.
This only covers Azure Active Directory resources. If you are trying to give read-only to Azure SUBSCRIPTION Resources, add the users to the Azure Role: "Readers".
The best recommendation here will be to add users with the reader permission to each subscription.
You would need to set your RBAC assignments per subscription. In case you have many subscriptions, you can automate this with a Logic App and doing requests to the Management API. Reference here. So on your logic app, you basically get a list of subscriptions, and then iterate them, and make the RBAC add assignment request for each of the subscriptions and for your given user(s).

Azure role that can't create resources

I want to find or create an Azure role that has the same capabilities as an Owner, or at the very least a Contributor. But this role should not have access to create Azure resources.
I've been going through the pre-defined roles that exist.
This makes no sense in the Azure RBAC context. You can't edit but not create resources, because both are governed by the same permission: resource/write.
You can achieve something like that by having a role that can do anything except writes, but that would mean that it cannot edit resources, which is probably not what you are after.
Technically you can grant Contributor permissions on each individual resource; that way the user won't be able to create new resources, only modify existing ones (they would be able to delete the resource).
I have the same requirements, and I managed to configure it by taking the Contributor role as a base and adding "Microsoft.Resources/*/write" in the notActions section of the role JSON configuration.
What it does is prevent deployments. Every resource creation is a deployment.
As far as I have tested, every "edit" operation on resources works, even deployment slot creation for Web Apps, but you can disable that too if you need.

Azure Subscription Policies

I need to create a policy at the subscription level so that a Contributor cannot create virtual machines or virtual networks (any VNets). Only Owners should be able to create VNets. How to do this?
It looks like you might need to create a custom role.
You can add various roles using RBAC for Access management of cloud resources.
The following document has the information on all the built-in roles in Azure RBAC:
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
If the built-in roles do not fulfill your requirements, you can also create your own custom roles using PowerShell:
https://learn.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
Here is the Azure doc on understanding the various roles and creating them in the Azure portal:
https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles
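As an added example (not code from any of the posters), the following Python models how Azure RBAC computes a role's effective control-plane permissions, Actions minus NotActions with wildcard matching, for two constructed Contributor-derived custom roles: the earlier answer's Contributor plus "Microsoft.Resources/*/write" in NotActions, and a variant for this question that carves out VM and VNet writes. The role names and the subscription scope are placeholders, and the Contributor carve-outs listed are only a subset of the built-in role's NotActions.

```python
import re

def action_matches(pattern, operation):
    # Action strings are case-insensitive and '*' matches any run of characters,
    # including '/' separators, so 'Microsoft.Resources/*/write' also covers
    # 'Microsoft.Resources/subscriptions/resourceGroups/write'.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def is_allowed(role, operation):
    # Effective permission = matched by Actions and not matched by NotActions.
    # NotActions only subtract from this role; they are not a deny and do not
    # override another assignment that grants the same operation.
    granted = any(action_matches(a, operation) for a in role["Actions"])
    excluded = any(action_matches(n, operation) for n in role["NotActions"])
    return granted and not excluded

def evaluate(role, operations):
    return {op: is_allowed(role, op) for op in operations}

def contributor_minus(name, extra_not_actions):
    # Constructed Contributor-style role: '*' plus a subset of the built-in
    # carve-outs, plus the caller's additional NotActions.
    return {"Name": name, "IsCustom": True, "Actions": ["*"],
            "NotActions": ["Microsoft.Authorization/*/Delete",
                           "Microsoft.Authorization/*/Write",
                           "Microsoft.Authorization/elevateAccess/Action",
                           *extra_not_actions],
            "AssignableScopes": ["/subscriptions/<subscription-id>"]}  # placeholder

# Earlier answer's variant: carve ARM deployment writes out of Contributor.
NO_DEPLOYMENTS = contributor_minus("Contributor No Deployments",
                                   ["Microsoft.Resources/*/write"])
# This thread's variant: a Contributor that cannot create (or edit) VMs or VNets.
NO_VM_VNET = contributor_minus("Contributor No VM VNet",
                               ["Microsoft.Compute/virtualMachines/write",
                                "Microsoft.Network/virtualNetworks/write"])

OPERATIONS = ["Microsoft.Resources/deployments/write",
              "Microsoft.Resources/subscriptions/resourceGroups/write",
              "Microsoft.Compute/virtualMachines/write",
              "Microsoft.Network/virtualNetworks/subnets/write",
              "Microsoft.Storage/storageAccounts/write",
              "Microsoft.Authorization/roleAssignments/write"]

if __name__ == "__main__":
    for role in (NO_DEPLOYMENTS, NO_VM_VNET):
        print(role["Name"])
        for op, ok in evaluate(role, OPERATIONS).items():
            print(f"  {'allow' if ok else 'deny':<5} {op}")
```

Running it shows the check worth making before assigning such a role: the deployment carve-out leaves direct resource writes such as Microsoft.Compute/virtualMachines/write in the effective set, and Microsoft.Network/virtualNetworks/write does not cover Microsoft.Network/virtualNetworks/subnets/write.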

How can I create an Azure Role-Based Access Control rule to authorize a user the ability to invoke an azure function?

I would like to give a specific user the ability to invoke (but not modify or delete) an Azure function through the Azure web portal.
I am following the documentation for creating custom roles in Azure, but it is unclear which action I should assign the user to. I am referencing the corresponding Azure Resource Manager Resource Provider Options documentation, but can't seem to find an action that would apply the permissions that I am looking for.
Azure Functions cannot be invoked via ARM, which means that RBAC doesn't factor into it. The portal actually uses ARM to fetch the admin key for the Function App and uses that to invoke the manual test APIs.
What you're trying to do won't work because of the lack of more granular RBAC permissions (plus it's a data plane API).
If you just want to give certain folks access to certain Functions, there are other options like adding AAD in front of your Function App and then giving them the URL to the Function. If you expand on what your scenario is, I can try to give more specific advice.