Azure mandatory Tag

Help me to make tags mandatory using Azure Policy so that users are not allowed to give their own tag names. The code below makes the mentioned tags mandatory but does not control (disallow) other tags.
{
"mode": "All",
"policyRule": {
"if": {
"anyOf": [
{
"field": "tags['environment']",
"exists": "false"
},
{
"field": "tags['Location']",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}

Here is an example of making changes to a tag with Azure Policy:
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "name",
"like": "prd-*"
},
{
"field": "tags['Env']",
"notEquals": "Production"
}
]
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [{
"operation": "addOrReplace",
"field": "tags['Env']",
"value": "Production"
}]
}
}
}
For further information, please check the Azure Policy documentation.

Related

Create policy Azure with control ResourceGroup's Name and Tag

I'm stuck on an Azure policy. As you can see from the title, I want to deny the resource group's creation if the name starts with "DEMO" and if all of these tags (ApplicationName, ManagedBy, Classification) aren't present.
{
"mode": "All",
"parameters": {},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"value": "[resourceGroup().name]",
"like": "DEMO*"
},
{
"anyOf": [
{
"field": "tags['ApplicationName']",
"exists": false
},
{
"field": "tags['ManagedBy']",
"exists": false
},
{
"field": "tags['Classification']",
"exists": false
}
]
}
]
},
"then": {
"effect": "deny"
}
}
}
Can someone tell me if something seems wrong?
With this code, I can actually create my RG even if it starts with DEMO (example: DEMO62) and one or more tags are missing.
But in the policy dashboard it displays that it doesn't match the criteria, so it seems to work, but only after the creation... so... too late.
Thanks everybody.
I also tried in this format:
"field": "tags",
"containsKey": "ApplicationName"
But same result.
I tried to reproduce the same in my environment to block Azure resource group creation if the required tags aren't present.
If I try to create any resource group with the name DEMO without the required tags, it won't allow me to create the resource group.
Policy:
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "name",
"like": "DEMO*"
},
{
"not": {
"field": "tags['ApplicationName']",
"equals": "testapp"
}
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}

Modifying Azure policy definition allOf and anyOf?

As part of the suggestion: https://github.com/microsoft/azure-container-apps/issues/338
I need some help in modifying the Azure Policy definition to include the below lines:
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
{
"anyOf": [
{
"value": "[startsWith(field('name'), 'MC_')]",
"notEquals": "true"
}
]
}
]
}
This is my existing Azure policy definition with allOf:
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
"notContains": "11.22.33"
}
]
},
"then": {
"effect": "deny"
}
}
and another one with anyOf:
"policyRule": {
"if": {
"anyOf": [
{
"not": {
"field": "[concat('tags[', parameters('tagnameteam'), ']')]",
"in": "[parameters('listofallowedtagvalues')]"
}
}
]
},
"then": {
"effect": "Deny"
}
}
How can I achieve it by modifying the existing Azure policy definition?
It really depends on when you want the policy to trigger the effect...
For example in the "allOf" policy:
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
"notContains": "11.22.33"
},
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
{
"anyOf": [
{
"value": "[startsWith(field('name'), 'MC_')]",
"notEquals": "true"
}
]
}
]
},
"then": {
"effect": "deny"
}
}
would mean that your old conditions AND the new ones have to apply (which is what I think you want?).
On the other hand, if you want your old conditions OR the new ones to apply, you would need to put the two "allOf" parts inside an "anyOf" part:
"policyRule": {
"if": {
"anyOf":[
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
"notContains": "11.22.33"
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
{
"anyOf": [
{
"value": "[startsWith(field('name'), 'MC_')]",
"notEquals": "true"
}
]
}
]
}
]
},
"then": {
"effect": "deny"
}
}
The same goes for the "anyOf" policy. If you want the old "anyOf" condition OR the new "allOf":
"policyRule": {
"if": {
"anyOf": [
{
"not": {
"field": "[concat('tags[', parameters('tagnameteam'), ']')]",
"in": "[parameters('listofallowedtagvalues')]"
}
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
{
"anyOf": [
{
"value": "[startsWith(field('name'), 'MC_')]",
"notEquals": "true"
}
]
}
]
}
]
},
"then": {
"effect": "Deny"
}
}
And if you need both the "anyOf" and the new "allOf" parts to be true (which is the one I think you want?):
"policyRule": {
"if": {
"allOf": [
{
"not": {
"field": "[concat('tags[', parameters('tagnameteam'), ']')]",
"in": "[parameters('listofallowedtagvalues')]"
}
},
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
{
"anyOf": [
{
"value": "[startsWith(field('name'), 'MC_')]",
"notEquals": "true"
}
]
}
]
},
"then": {
"effect": "Deny"
}
}

How do I combine multiple statements in an Azure policy definition?

I want to create a custom Azure Policy JSON that reads through Azure resources and makes sure that it is following our standardized naming convention. For example, I am trying to set it up for virtual machines, cloud services, and Redis cache.
{
"if": {
"allof": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"not": {
"anyOf": [
{
"field": "name",
"match": "gz?????????#?##"
}
]
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
"if": {
"allof": [
{
"field": "type",
"equals": "Microsoft.ClassicCompute/domainNames"
},
{
"not": {
"anyOf": [
{
"field": "name",
"match": "GZ?-??????-??#-???-??????-###"
}
]
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
"if": {
"allof": [
{
"field": "type",
"equals": "Microsoft.Cache/Redis"
},
{
"not": {
"anyOf": [
{
"field": "name",
"match": "gz?????????#???###"
}
]
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
I don't think Azure allows for there to be multiple IFs like how I am trying to set it up. What I want it to do is this:
If the resource is a VM and it does not match that convention, then audit.
If the resource is a cloud service and it does not match that convention, then audit.
If the resource is Redis cache and it does not match that convention, then audit.
Updated JSON
You should use an initiative (policy set definition) to organize multiple related policies like this. This will be easier to maintain than a single policy definition with conditions for each resource type, and will allow you to see compliance results both for the entire naming convention policy set, and for each individual policy.
For example:
"properties": {
"displayName": "Naming conventions",
"policyType": "Custom",
"parameters": {
"effect": {
"type": "String",
"defaultValue": "Audit"
}
},
"policyDefinitions": [
{
"policyDefinitionId": "/subscriptions/<SUBSCRIPTION ID>/providers/Microsoft.Authorization/policyDefinitions/<YOUR VIRTUAL MACHINE NAMING CONVENTION POLICY ID>",
"parameters": {
"effect": {
"value": "[parameters('effect')]"
}
}
},
{
"policyDefinitionId": "/subscriptions/<SUBSCRIPTION ID>/providers/Microsoft.Authorization/policyDefinitions/<YOUR DOMAIN NAME NAMING CONVENTION POLICY ID>",
"parameters": {
"effect": {
"value": "[parameters('effect')]"
}
}
}
]
}
}
I wouldn't recommend it, but if you must combine multiple types in a single definition, then you may use anyOf, for example:
{
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"not": {
"field": "name",
"match": "gz?????????#?##"
}
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.ClassicCompute/domainNames"
},
{
"not": {
"field": "name",
"match": "GZ?-??????-??#-???-??????-###"
}
}
]
}
]
},
"then" : {
"effect" : "audit"
}
}
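As an added illustration (not code from the question or either answer), the following Python checker applies the documented `match` pattern rules (`#` one digit, `?` one letter, `.` any single character, everything else literal, case-sensitive) to the naming patterns from the question; treating "letter" as ASCII A-Z/a-z is an assumption.

```python
import re

# Added example: a checker for the naming-convention patterns used with "match".
# Azure Policy documents the syntax as: '#' matches one digit, '?' one letter,
# '.' any single character, any other character matches itself, case-sensitive.
# Assumption: "letter" is modelled here as ASCII [A-Za-z].

def match_to_regex(pattern: str) -> str:
    """Translate an Azure Policy 'match' pattern into a regular expression."""
    out = []
    for ch in pattern:
        if ch == "#":
            out.append(r"[0-9]")
        elif ch == "?":
            out.append(r"[A-Za-z]")
        elif ch == ".":
            out.append(r".")
        else:
            out.append(re.escape(ch))
    return "".join(out)

def policy_match(pattern: str, name: str) -> bool:
    """True when the whole name satisfies the pattern (what 'match' evaluates)."""
    return re.fullmatch(match_to_regex(pattern), name) is not None

def non_compliant(pattern: str, names: list) -> list:
    """Names the 'not match' condition from the question would flag for audit."""
    return [n for n in names if not policy_match(pattern, n)]

# Patterns copied from the question; the resource names are constructed samples.
VM_PATTERN = "gz?????????#?##"
CLOUD_SERVICE_PATTERN = "GZ?-??????-??#-???-??????-###"

if __name__ == "__main__":
    vms = ["gzabcdefghi1a23", "GZabcdefghi1a23", "gzabcdefghi1a2"]
    print(non_compliant(VM_PATTERN, vms))  # uppercase prefix and short name flagged
```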

Azure policy reporting extra resources as non-compliant

I copied sample from: https://github.com/Azure/azure-policy/blob/master/samples/Network/no-route-table-in-ER-Network/azurepolicy.rules.json and instead tried to create policy which would deny subnets without NSG.
{
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id",
"exists": false
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
"exists": false
}
]
}
]
},
"then": {
"effect": "deny"
}
}
The policy works fine: it stops creating subnets without assigning an NSG and stops removing the NSG from a subnet. However, it also reports the virtual network as non-compliant even though the virtual network would be fine. How can I make this policy only report subnets and not the virtual network?
I managed to get this working by changing the logic a little bit:
{
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"not": {
"field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id",
"exists": true
}
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"not": {
"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
"exists": true
}
}
]
}
]
},
"then": {
"effect": "deny"
}
}

Azure Policy Deny: if one of the tags is not present in the resource group name

I've created an Azure Policy; I wanted to deny the resource group creation if the user doesn't specify a tag with key "Env" or "use".
But when I create the resource group with the Env tag it blocks me; it only allows me when I add both tags, which are env and use.
As per my understanding, "anyOf" in Azure Policy is used as "OR", but my code isn't behaving the same way.
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"anyof": [
{
"field": "tags.Env",
"exists": false
},
{
"field": "tags.use",
"exists": false
}
]
}
]
},
"then": {
"effect": "deny"
}
}
Based on Chris's suggestion I've worked on the tag names and values, but it is giving me an error in the policy and it is not accepting the "NOT":
{
"mode": "all",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"not":{
{
"field": "tags.Env",
"equals" : "Prod"
},
{
"field": "tags.OS",
"equals" : "windows"
}
}
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
Right now, like you mentioned, the policy is evaluating if "tags.Env doesn't exist OR tags.use doesn't exist". If either tag does not exist you will be denied.
What you want is to deny if "tags.Env doesn't exist AND tags.use doesn't exist". That would imply that they are both missing which is what you are trying to prevent.
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "tags.Env",
"exists": false
},
{
"field": "tags.use",
"exists": false
}
]
},
"then": {
"effect": "deny"
}
}
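To make the allOf/anyOf difference concrete, here is an added Python model (not the Azure engine, and not code from the question or answer) that mirrors only the documented boolean semantics of allOf, anyOf, not, exists, equals and like, then runs constructed copies of the asker's rule and the answer's rule against sample resource groups; the same nesting rules apply to the allOf/anyOf combinations discussed in the "Modifying Azure policy definition" question above.

```python
import re

# Added example: a minimal model of how Azure Policy combines allOf / anyOf / not
# and evaluates exists / equals / like. It is not the Azure engine; it mirrors only
# the documented boolean semantics, enough to show why an "anyOf" over two
# "exists: false" checks denies a resource group that carries only the Env tag.

def _field(resource: dict, path: str):
    """Resolve 'type', 'name', 'tags.Env' or "tags['Env']" against a resource."""
    if path.startswith("tags"):
        key = path[6:-2] if path.startswith("tags['") else path[5:]
        return resource.get("tags", {}).get(key)
    return resource.get(path)

def evaluate(cond: dict, resource: dict) -> bool:
    """True when the condition block matches the resource (keys case-insensitive)."""
    c = {k.lower(): v for k, v in cond.items()}
    if "allof" in c:
        return all(evaluate(sub, resource) for sub in c["allof"])
    if "anyof" in c:
        return any(evaluate(sub, resource) for sub in c["anyof"])
    if "not" in c:
        return not evaluate(c["not"], resource)
    value = _field(resource, c["field"])
    if "exists" in c:  # Azure accepts true/false and "true"/"false"
        return (value is not None) == (str(c["exists"]).lower() == "true")
    if "equals" in c:
        return value == c["equals"]
    if "like" in c:  # '*' is the only wildcard in like/notLike
        pattern = ".*".join(re.escape(p) for p in c["like"].split("*"))
        return value is not None and re.fullmatch(pattern, value) is not None
    raise ValueError(f"unsupported condition: {cond}")

def is_denied(rule: dict, resource: dict) -> bool:
    return rule["then"]["effect"].lower() == "deny" and evaluate(rule["if"], resource)

RG = "Microsoft.Resources/subscriptions/resourceGroups"
# Constructed copies of the asker's rule (anyOf: Env missing OR use missing)
# and of the answer's rule (allOf: Env missing AND use missing).
ANY_MISSING = {"if": {"allOf": [{"field": "type", "equals": RG}, {"anyof": [
    {"field": "tags.Env", "exists": False}, {"field": "tags.use", "exists": False}]}]},
    "then": {"effect": "deny"}}
BOTH_MISSING = {"if": {"allOf": [{"field": "type", "equals": RG},
    {"field": "tags.Env", "exists": False}, {"field": "tags.use", "exists": False}]},
    "then": {"effect": "deny"}}

def decisions(rule: dict) -> dict:
    """Deny decision for constructed resource groups: no tags, Env only, both tags."""
    samples = {"none": {}, "env_only": {"Env": "Prod"}, "both": {"Env": "Prod", "use": "lab"}}
    return {n: is_denied(rule, {"type": RG, "name": "DEMO62", "tags": t}) for n, t in samples.items()}
```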
