Azure ARM policy Template Deny specific Resources - azure

I am trying to understand how Management group policies works but deploying some policies.
I have this ARM template, which its purpose it to block specific resources from being created. Which, in my case works, but I would like to deny the creation of storage account only if specific sku.name is selected
this is the azure policy.
{
"properties": {
"displayName": "Not allowed resource types",
"policyType": "BuiltIn",
"mode": "All",
"description": "This policy enables you to specify the resource types that your organization cannot deploy.",
"parameters": {
"listOfResourceTypesNotAllowed": {
"type": "Array",
"metadata": {
"description": "The list of resource types that cannot be deployed.",
"displayName": "Not allowed resource types",
"strongType": "resourceTypes"
}
}
},
"policyRule": {
"if": {
"field": "type",
"in": "[parameters('listOfResourceTypesNotAllowed')]"
},
"then": {
"effect": "Deny"
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
}
and this my parameters:
{
"listOfResourceTypesNotAllowed": {
"type": "Array",
"metadata": {
"description": "The list of resource types that cannot be deployed.",
"displayName": "Not allowed resource types",
"strongType": "resourceTypes"
},
"allowedValues": [
"Microsoft.DocumentDB/databaseAccounts",
"Microsoft.Storage/storageAccounts"
]
}
}
and my rules:
{
"if": {
"field": "type",
"in": "[parameters('listOfResourceTypesNotAllowed')]"
},
"then": {
"effect": "Deny"
}
}
Can anyone help me to understand how can this be achieved please?
Thank you so much for anyone who can spend some time to help me to understand this type of deployment


You can use the below policy defination for allowing only allowed sku types of storage accounts to be deployed in your subscription:
{
"properties": {
"displayName": "Storage accounts should be limited by allowed SKUs",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Restrict the set of storage account SKUs that your organization can deploy.",
"metadata": {
"version": "1.1.0",
"category": "Storage"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the audit policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"listOfAllowedSKUs": {
"type": "Array",
"metadata": {
"description": "The list of SKUs that can be specified for storage accounts.",
"displayName": "Allowed SKUs",
"strongType": "StorageSKUs"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"not": {
"field": "Microsoft.Storage/storageAccounts/sku.name",
"in": "[parameters('listOfAllowedSKUs')]"
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "7433c107-6db4-4ad1-b57a-a76dce0154a1"
}
Reference:
List of built-in policy definitions - Azure Policy | Microsoft Docs
Storage accounts should be limited by allowed SKUs- policy

Related

Azure policy fails to deploy a policy assignment with deployIfNotExists

I have a resource whitelist policy defined as follows:
{
"properties": {
"displayName": "Deny resource creation if not in whitelist",
"policyType": "Custom",
"mode": "Indexed",
"description": "This policy denies the creation resources which are not allowed in the whitelist.",
"policyRule": {
"if": {
"not": {
"field": "type",
"in": [
"Microsoft.KeyVault/vaults",
"Microsoft.Storage/storageAccounts"
]
}
},
"then": {
"effect": "Deny"
}
}
},
"id": "<POLICYDEFINITIONID>",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "Deny_resource_creation_if_not_in_whitelist",
}
This policy works as expected when assigned to a resource group.
I also have a second policy assigned at the subscription level to deploy the first policy on resource groups with names starting with "rg-*":
{
"properties": {
"displayName": "Deploy resource whitelist policy",
"policyType": "Custom",
"mode": "All",
"description": "This policy assigns the resource whitelist policy to resource groups starting with rg-*.",
"policyRule": {
"if": {
"allOf": [
{
"equals": "Microsoft.Resources/subscriptions/resourceGroups",
"field": "type"
},
{
"field": "name",
"like": "rg-*"
}
]
},
"then": {
"details": {
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2022-06-01",
"name": "[guid('<POLICYDEFINITIONID>', resourceGroup().name)]",
"properties": {
"displayName": "Deny resource creation if not in whitelist",
"enforcementMode": "Default",
"policyDefinitionId": "<POLICYDEFINITIONID>"
},
"type": "Microsoft.Authorization/policyAssignments"
}
]
}
}
},
"evaluationDelay": "AfterProvisioning",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
],
"type": "Microsoft.Authorization/policyAssignments"
},
"effect": "DeployIfNotExists"
}
}
},
"id": "",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "Deploy_resource_whitelist_policy",
}
The second policy is evaluated, I can see a successful deployIfNotExists event but in fact the assignment is not created.
A few additional facts:
I successfully deployed the policy assignment ARM template from the Azure portal
When replacing the policy assignment ARM template with a simple storage account ARM template it works, a storage account is created in the resource group.
Any help would be much appreciated.

Your policy assignment in the example seems to be missing a scope property to assign it to the given resourcegroup. Try adding a scope property to the policy assignment.
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2022-06-01",
"name": "[guid('<POLICYDEFINITIONID>', resourceGroup().name)]",
"properties": {
"displayName": "Deny resource creation if not in whitelist",
"enforcementMode": "Default",
"policyDefinitionId": "<POLICYDEFINITIONID>"
"scope": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', resourceGroup().name)]"
},
"type": "Microsoft.Authorization/policyAssignments"
}```

I finally solved this using only the first policy and a value expression condition:
{
"properties": {
"displayName": "Deny resource creation if not in whitelist",
"policyType": "Custom",
"mode": "Indexed",
"description": "This policy denies the creation resources which are not allowed in the whitelist.",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"notIn": [
"Microsoft.KeyVault/vaults",
"Microsoft.Storage/storageAccounts"
]
},
{
"value": "[resourceGroup().name]",
"like": "rg-*"
}
]
},
"then": {
"effect": "Deny"
}
}
},
"id": "<POLICYDEFINITIONID>",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "Deny_resource_creation_if_not_in_whitelist",
}

My Custom Policy is not working as expected

Requirement - I need to restrict all the users to create any resource in particular Locations. So I have created a Custom Policy by combining two builtin policies which are "Allowed locations" and "Not allowed resource types"
Issue - I am unable to created most of the resources but able to create few of them like Resource Group, Function Apps, App Service, SQL Database which is unexpected.
Below is the policy I have created -
{
"properties": {
"displayName": "NotAllowedResourcesinRestrictedLocation",
"policyType": "Custom",
"mode": "Indexed",
"metadata": {
"version": "1.0.0",
"updatedBy": null,
"updatedOn": null
},
"parameters": {
"listOfResourceTypesNotAllowed": {
"type": "Array",
"metadata": {
"displayName": "Not allowed resource types",
"description": "The list of resource types that cannot be deployed.",
"strongType": "resourceTypes"
}
},
"listOfAllowedLocations": {
"type": "Array",
"metadata": {
"displayName": "Allowed locations",
"description": "The list of locations that can be specified when deploying resources.",
"strongType": "location"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"in": "[parameters('listOfResourceTypesNotAllowed')]"
},
{
"field": "location",
"notIn": "[parameters('listOfAllowedLocations')]"
},
{
"field": "location",
"notEquals": "global"
},
{
"field": "type",
"notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
},
{
"value": "[field('type')]",
"exists": true
}
]
},
"then": {
"effect": "deny"
}
}
},
}
Please someone guide me on this.

azure policy : only allow certain tag values in azure resources group tag

My resource groups has an environment tag where only specific values are allowed: "dev,test,prod". I want to enforce that with an Azure Policy which will deny all the resource group creation which doesn't have one of this "dev,test,prod" values in their environment tag. My policy code is as below:
{
"properties": {
"displayName": "Allowed tag values for Resource Groups",
"description": "This policy enables you to restrict the tag values for Resource Groups.",
"policyType": "Custom",
"mode": "Indexed",
"metadata": {
"version": "1.0.0",
"category": "Tags"
},
"parameters": {
"allowedTagValues": {
"type": "array",
"metadata": {
"description": "The list of tag values that can be specified when deploying resource groups",
"displayName": "Allowed tag values"
},
"defaultValue": [
"dev","test","prod"
]
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "tags[environment]",
"notIn": "[parameters('allowedTagValues')]"
}
]
},
"then": {
"effect": "deny"
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx",
"name": "xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx"
}
This doesn't have any effect at all. I have tried this as well:
{
"not": {
"field": "tags[environment]",
"in": "[parameters('allowedTagValues')]"
}
}
Neither this does work.
Any suggestion?

You need to pass the tag values "dev","test","prod" as allowed values for the parameter listofallowedTags as shown below.
Based on your requirement we have created the below policy definition. we have tested this in our local environment which is working fine.
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"not": {
"field": "[concat('tags[', parameters('tagName'), ']')]",
"in": "[parameters('listofallowedtagValues')]"
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the audit policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
},
"defaultValue": "environment"
},
"listofallowedtagValues": {
"type": "Array",
"metadata": {
"displayName": "Tag Values",
"description": "Value of the tag, such as 'production'"
},
"allowedValues": [
"dev",
"test",
"prod"
]
}
}
}
Note: As you can see from the below image, the custom policy has been assigned to subscription.
Here are the some sample outputs for reference:
In the below example, we have passed environment tag a different value apart from those 3 values defined in listofallowedtagValues parameter & while deploying the resource group it got failed since it doesn't met policy requirement.
In the below example, we have passed environment tag value as test resource group deployment got succeeded as it met the policy requirements.

All network port restricted on network security group which have dev Tag

I am creating the custom policy with my requirements, I want the definition policy in which "All network port should be restricted on Network Security Group which has Tag of dev only".
ERROR:
Failed to parse policy rule: 'Could not find member 'exits' on object of type 'LeafExpressionDefinition'. Path 'exits'.'.
there are two builtin policy exist in azure policy definition:
All network ports should be restricted on network security groups associated to your virtual machine.
link https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f9daedab3-fb2d-461e-b861-71790eead4f6
Require a tag on resource groups.
link https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F871b6d14-10aa-478d-b590-94f262ecfa99
I combine and update my requirements, you can check the created custom policy, I think all is ok.
{
"properties": {
"displayName": "All network ports should be restricted on network security groups associated to your virtual machine",
"policyType":"Indexed",
"mode": "All",
"description": "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",
"metadata": {
"version": "3.0.0",
"category": "Security Center"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
},
"tagName": {
"type": "String",
"metadata": {
"displayName": "dev",
"description": "Name of the tag, such as 'develpment'"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field":"Microsoft.Network/networkInterfaces/networkSecurityGroup.id",
"exits": "true"
},
{
"field": "[concat('tags[', parameters('dev'), ']')]",
"Equals": "[parameters('tagValue')]"
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Security/assessments",
"name": "3b20e985-f71f-483b-b078-f30d73936d43",
"existenceCondition": {
"field": "Microsoft.Security/assessments/status.code",
"in": [
"NotApplicable",
"Healthy"
]
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "9daedab3-fb2d-461e-b861-71790eead4f6"
}
#syedasadrazadevops

You seem to have a typo in "exists" -- "exits" --> "exists"
I don't believe you can create a custom policy based on the built-in Security Center policy that relies on an assessment code ("field": "Microsoft.Security/assessments/status.code"). These are implemented by internal APIs, so cannot be replicated for customization.

I make the solution for this problem, to block all ports in network security group or subscription level scop. but need to set the port value "*" to block all, you can block any port just type your required port number in the port parameter and it done.
{
"mode": "all",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups/securityRules"
},
{
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
"equals": "Allow"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
"equals": "Inbound"
},
{
"anyOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
"in": "[parameters('deniedPorts')]"
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
"notIn": "[parameters('deniedPorts')]"
}
}
]
},
{
"anyOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
"in": [
"*",
"Internet"
]
}
]
}
]
}
]
},
"then": {
"effect": "audit"
}
},
"parameters": {
"deniedPorts": {
"type": "Array",
"metadata": {
"displayName": "Ports to block",
"description": "The inbound ports that should be blocked"
}
}
}
}

Azure Policy not enforced

Trying to create a policy tied to a subscription in Azure that will deny the create of a resource group without a specific "costCenter" tag. I have the following policy assigned to the subscription with the "coreTagName1" completed as "costCenter":
"properties": {
"displayName": "manual_test_1",
"policyType": "Custom",
"mode": "Indexed",
"description": "manual test for tag enforcement",
"metadata": {
"category": "test",
"createdBy": "#########",
"createdOn": "2020-04-02T12:27:39.2686671Z",
"updatedBy": "#########",
"updatedOn": "2020-04-02T12:35:32.5608728Z"
},
"parameters": {
"coreTagName1": {
"type": "String",
"metadata": {
"displayName": "tagName to enforce",
"description": "Name of the tag, such as costCenter"
}
}
},
"policyRule": {
"if": {
"anyOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"exists": "false",
"field": "[concat('tags[', parameters('coreTagName1'), ']')]"
}
]
},
"then": {
"effect": "deny"
}
}
},
"id": "/subscriptions/#########/providers/Microsoft.Authorization/policyDefinitions/########",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "#######"
}
But i can still create a Resource Group and not specify any tags at all. I feel like I am missing something fundamental in my approach but cant get my head round it yet.

as Jagrati mentioned. Please allow for sometime for the policy to run a compliance scan before checking for compliance results. (Typically wait time is 30 mins, but it depends heavily on scope and # of resources).

Resources