Azure Policy How to relate VM's using a specified subnet - azure

I am trying to write a policy which identifies all VMs attached to a specified subnet and ensures that they are backed up to a specified Backup Vault within the same location. Identifying the VMs is easy, but restricting the VMs to those attached to a specified subnet is proving difficult.
My test environment contains 3 VMs: 2 connected to one subnet and the other connected to a different subnet. However, I have been unable to get this to correctly select the affected resources (1 or 2 VMs) depending on the subnet chosen when running the policy.
Below is the basis of the test, but it is not working. Any help would be appreciated.
"parameters": {
  "subnetId": {
    "type": "String",
    "metadata": {
      "displayName": "Subnet which contains the VMs to backup.",
      "description": "Specify the subnet the VMs are connected to.",
      "strongType": "Microsoft.Network/virtualNetworks/subnets"
    }
  },
  "vaultLocation": {
    "type": "String",
    "metadata": {
      "displayName": "Location (Specify the location of the VMs that you want to protect)",
      "description": "Specify the location of the VMs that you want to protect. VMs should be backed up to a vault in the same location. For example - CanadaCentral",
      "strongType": "location"
    }
  }
....
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "field": "Microsoft.Compute/virtualMachines/networkProfile.networkInterfaceConfigurations[*].ipConfigurations[*].subnet.id",
        "equals": "[parameters('subnetId')]"
      },
      {
        "field": "location",
        "equals": "[parameters('vaultLocation')]"
      }
    ]
  }
....
}

Related

Restrict/deny the allowed locations for resources

I am looking to assign a resource policy that limits the allowed locations where resources can be deployed, so that I can use only particular resources for my work and the cost will be low.
I found this, but this is restricted manually; I need it in the script way.
I searched on the net but didn't find any related doc.
Can anyone help on this? Thanks in advance.
I have followed the below configuration to deny the allowed locations for resources.
Go to Portal → search for Policy and policy definition.
I have filled in the appropriate fields and used the below script to deny allocated locations:
{
  "properties": {
    "displayName": "Allowed resource types",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'.",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "listOfResourceTypesAllowed": {
        "type": "Array",
        "metadata": {
          "description": "The list of resource types that can be deployed.",
          "displayName": "Allowed resource types",
          "strongType": "resourceTypes"
        }
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "type",
          "in": "[parameters('listOfResourceTypesAllowed')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
I have assigned the policy, and when I check the assignments I am able to see it.
When I try to create a resource group in a non-allowed location, I am not able to create it.

Policy to audit resource group, resources and tag

I am looking to configure a policy to audit resource groups that contain resources, whether they have a particular tag or not. If the resource group does not have any resources, then there is no need to audit. My requirement is only to perform the tag audit if the resource group contains resources. Is it a possible scenario for creating a policy?
Assuming it is fair to say that your requirement is to audit for resources and not the resource groups, you can achieve this by using the built-in policy definition "Require a tag on resources" and set it to "audit" instead of "deny".
EDIT:
Considering your clarification, you can perform the reverse check - meaning a check on resources, inspecting their resource groups:
"parameters": {
  "tagName": {
    "type": "String",
    "metadata": {
      "displayName": "Tag Name",
      "description": "Name of the tag, such as 'environment'"
    }
  }
},
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "notEquals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "field": "[resourceGroup().tags[parameters('tagName')]]",
        "exists": "false"
      }
    ]
  },
  "then": {
    "effect": "audit"
  }
}
Here we are checking that we are not looking at a resource group directly. Then, we check if the parent resource group does not have the specified tag (notExists).
/MMT

What happens to existing resource if it violates Azure policy?

I have a question with respect to resources violating Azure Policy. Suppose in my subscription I have one VM in UK West and another VM in UK South. If I create a policy to restrict VMs to only UK South, what happens to the VM in UK West? Does it become non-functional, will it be forced to move to UK South, or is it just reported as non-compliant? Also, what will happen to new requests for UK West; will those get denied?
If you assign a policy while existing resources are present, nothing should happen to them by default if you are using built-in policies.
If you're assigning a policy from the portal, you should see the following statement:
By default, this assignment will only take effect on newly created resources. Existing resources can be updated via a remediation task after the policy is assigned. For deployIfNotExists policies, the remediation task will deploy the specified template. For modify policies, the remediation task will edit tags on the existing resources.
In short, the existing VM in UK West should be marked as non-compliant, and future deployments outside of UK South will be blocked by the policy.
You can see this in the built-in "Allowed locations" policy:
{
  "properties": {
    "displayName": "Allowed locations",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources.",
          "strongType": "location",
          "displayName": "Allowed locations"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e56962a6-4747-49cd-b67b-bf8b01975c4c"
}
It simply performs a Deny if the conditions are not met. Of course, if you are using custom policies, it's possible other actions might also be performed.
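To see how the rule above treats the UK West VM (non-compliant when evaluated against an existing resource, denied when the same request is new), here is a small evaluator for the condition keywords these definitions use. It is an added example, not part of the original answer or Azure's engine, and it assumes the listOfAllowedLocations parameter has been set to uksouth and inlined by hand.

```python
# Minimal evaluator for the Azure Policy rule subset used in the definitions above
# (allOf / not / equals / notEquals / in / notIn / exists). Added example, not Azure's
# engine: no alias or parameter resolution, so parameter values are inlined by hand.

# Built-in "Allowed locations" rule from the answer, with listOfAllowedLocations = ["uksouth"]
ALLOWED_LOCATIONS_RULE = {
    "if": {"allOf": [
        {"field": "location", "notIn": ["uksouth"]},
        {"field": "location", "notEquals": "global"},
        {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
    ]},
    "then": {"effect": "deny"},
}

def _field(resource, name):
    # Tags are addressed as "tags[<name>]"; everything else is a top-level property here.
    if name.startswith("tags[") and name.endswith("]"):
        return (resource.get("tags") or {}).get(name[5:-1])
    return resource.get(name)

def _norm(v):
    return v.lower() if isinstance(v, str) else v  # locations and types compare case-insensitively

def matches(cond, resource):
    """True when the 'if' condition holds for the resource, i.e. the effect would fire."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = _norm(_field(resource, cond["field"]))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    if "in" in cond:
        return value in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return value not in [_norm(v) for v in cond["notIn"]]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(rule, resource):
    """Effect that applies ('deny' blocks a new request; an existing resource with the
    same result is only reported as non-compliant). 'compliant' means the rule did not fire."""
    return rule["then"]["effect"] if matches(rule["if"], resource) else "compliant"

# Constructed sample resources mirroring the question: one VM in each UK region.
VM_UK_WEST = {"type": "Microsoft.Compute/virtualMachines", "location": "ukwest"}
VM_UK_SOUTH = {"type": "Microsoft.Compute/virtualMachines", "location": "uksouth"}
```

The same `matches` function also covers the `exists` check used in the tag-audit answer above, so a rule built from that definition can be evaluated the same way.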

Azure Policy allowed resource types with a like/match pattern

In the Azure Policy "allowed resource types" you can supply an array of resource types. When I want to allow SQL Elastic pool, I also need to include all the subtypes of SQL Elastic pool.
I would like to use:
'Microsoft.Sql/servers/elasticpools/*'
'Microsoft.Sql/servers/elasticPools/advisors/*'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/*'
'microsoft.web/serverfarms/*'
'microsoft.web/sites/*'
But this doesn't work.
We now use:
'Microsoft.Sql/servers/elasticpools'
'Microsoft.Sql/servers/elasticPools/advisors'
'Microsoft.Sql/servers/elasticpools/advisors/createindex'
'Microsoft.Sql/servers/elasticpools/advisors/dbparameterization'
'Microsoft.Sql/servers/elasticpools/advisors/defragmentindex'
'Microsoft.Sql/servers/elasticpools/advisors/dropindex'
'Microsoft.Sql/servers/elasticpools/advisors/forcelastgoodplan'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/createindex'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/dbparameterization'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/defragmentindex'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/dropindex'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/forcelastgoodplan'
'Microsoft.Web/sites/config'
'Microsoft.Web/sites/...'
Policy we use is:
{
  "if": {
    "not": {
      "field": "type",
      "in": "[parameters('listOfResourceTypesAllowed')]"
    }
  },
  "then": {
    "effect": "[parameters('Effect')]"
  }
}
Policy parameter:
{
  "listOfResourceTypesAllowed": {
    "type": "array",
    "metadata": {
      "displayName": "Allowed resource types",
      "description": "The list of resource types that can be deployed.",
      "strongType": "resourceTypes"
    }
  },
  "Effect": {
    "type": "string",
    "metadata": {
      "description": "The effect of the policy."
    }
  }
}
Question: is it possible to use wildcards or something like that?

Only allow specific regions to be selected in Azure

I'm trying to force anyone that is provisioning resources or services in Azure to only be able to select a specific region(s). For example, when they provision a resource group, the dropdown only shows a specific region(s). I was hoping there is some global setting that will affect all users. We are also using Azure AD; does that help or matter? I tried searching the Azure docs and the PowerShell commands, but I just can't find any mention of this setting.
You could use Azure Policy to do it.
Here is a sample policy that requires all resources to be deployed to the approved locations; refer to this link. You could try to deploy it with the portal or with PowerShell.
This policy requires that all resources are deployed to the approved locations. You specify an array of approved locations.
Sample template:
{
  "properties": {
    "displayName": "Allowed locations",
    "policyType": "BuiltIn",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements.",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources.",
          "strongType": "location",
          "displayName": "Allowed locations"
        }
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('listOfAllowedLocations')]"
        }
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e56962a6-4747-49cd-b67b-bf8b01975c4c"
}