In this link a policy to lock resource groups is given. Once it is implemented I would like the DevOps pipeline to delete resources (as part of re-creation). I do not want the policy to prevent me from doing this (or I want it to temporarily allow me). How can I do it? As soon as the DevOps run is done, the policy should act on this newly created object to lock it again.
Assuming that you have used 'deployIfNotExists', if you remove the lock the policy will put the lock on again.
Therefore the DevOps pipeline must:
Disable the policy
Remove the lock from the resources that need to be recreated
Recreate the resource
Enable the policy
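The four steps above as one pipeline script, written here as an added example (it is not the answerer's code). It uses the Az PowerShell module and assumes a subscription-scoped DeployIfNotExists assignment called lock-resource-groups, a storage account to recreate and an ARM template path; all of those names are placeholders. The try/finally guarantees enforcement is switched back on even when the deployment fails, and the last step matters: re-enabling enforcement does not retroactively deploy the lock for a resource that was created while enforcement was off, so a remediation task is started for the resource group.

```powershell
# Added example, not the answerer's code. Subscription, resource group, assignment
# name, resource to recreate and template path are assumed placeholder values.
param(
    [string]$SubscriptionId     = '00000000-0000-0000-0000-000000000000',
    [string]$ResourceGroup      = 'rg-app-prod',
    [string]$AssignmentName     = 'lock-resource-groups',                          # assumed: the DeployIfNotExists lock assignment
    [string]$ResourceToRecreate = 'Microsoft.Storage/storageAccounts/stappprod001', # assumed: type/name inside the group
    [string]$TemplateFile       = './infra/main.json'                               # assumed: template that recreates it
)
$ErrorActionPreference = 'Stop'
$scope        = "/subscriptions/$SubscriptionId"
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/$AssignmentName"
$resourceId   = "$scope/resourceGroups/$ResourceGroup/providers/$ResourceToRecreate"

try {
    # 1. Disable the policy. DoNotEnforce keeps compliance evaluation running but
    #    stops the effect from being applied while the pipeline works.
    Set-AzPolicyAssignment -Name $AssignmentName -Scope $scope -EnforcementMode DoNotEnforce | Out-Null

    # 2. Remove the CanNotDelete locks the policy placed in (or on) the resource group.
    Get-AzResourceLock -ResourceGroupName $ResourceGroup |
        Where-Object { $_.Properties.level -eq 'CanNotDelete' } |
        ForEach-Object { Remove-AzResourceLock -LockId $_.LockId -Force | Out-Null }

    # 3. Recreate: delete the resource, then redeploy it from the template.
    Remove-AzResource -ResourceId $resourceId -Force | Out-Null
    New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup `
        -TemplateFile $TemplateFile -Mode Incremental | Out-Null
}
finally {
    # 4. Enable the policy again, even if step 2 or 3 failed, so the window stays short.
    Set-AzPolicyAssignment -Name $AssignmentName -Scope $scope -EnforcementMode Default | Out-Null
}

# 5. Turning enforcement back on does not deploy the lock for a resource that was
#    created while it was off; a remediation task for the assignment does.
Start-AzPolicyRemediation -Name "relock-$(Get-Date -Format yyyyMMddHHmmss)" `
    -PolicyAssignmentId $assignmentId `
    -ResourceGroupName $ResourceGroup `
    -ResourceDiscoveryMode ReEvaluateCompliance | Out-Null
```

Run it with an identity that holds both Resource Policy Contributor (for the assignment and the remediation) and Owner or User Access Administrator on the resource group (locks are a Microsoft.Authorization write). Anything else that is deployed during the DoNotEnforce window is also not locked until the remediation task has run, which is why the window is kept as short as the try/finally allows.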
Azure Policy can be used to define conventions that, when Policy Enforcement is enabled, will prevent non-compliant resources from being created.
In scenarios where non-compliant resources need to be exempted, this leads to having to coordinate several steps:
Disable policy Enforcement
Create the non-compliant resource
Add the exemption for the non-compliant resource to the Policy Assignment
Re-enable Enforcement
Review if any unexpected changes occurred during the period of time Enforcement was disabled -- and how to bring things back to compliance
While the above is acceptable, I'm curious if there is an ability to simultaneously create the non-compliant resource and the exemption without the need to coordinate other steps and create the chance for other issues to be introduced.
Is there a way to create a resource and a policy assignment exemption for it simultaneously? Is this potentially in a preview or private preview feature?
From my experience a resource needs to exist before it can be included in an exemption. However, these docs confirm that exemptions do work on the hierarchy in Azure. This means that you could in steps create a resource group to hold your non-compliant resources, then create the exemption with the scope of that resource group and then create the non-compliant resources.
It sounds like you are looking for an automated solution.
I have not done this or seen anyone else do this - still unsure of your use case. Why deploy a resource that needs to be exempted automatically?
Anyway, you might have a chance of achieving this with:
Blueprints: https://learn.microsoft.com/en-us/azure/governance/blueprints/overview
Manually executing a PowerShell script: https://learn.microsoft.com/en-us/cli/azure/policy/exemption?view=azure-cli-latest#az-policy-exemption-create (or API).
IaC adding this to your ARM template https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/policyexemptions?pivots=deployment-language-arm-template
Policy using Modify or DeployIfNotExists using https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/policyexemptions?pivots=deployment-language-arm-template
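The hierarchical approach from the first answer (create the group, exempt the group, then create the resources) and the "PowerShell script" option from the second answer, combined into one added example. This is not either answerer's code. It assumes a subscription-scoped assignment named require-nsg-on-subnets, a template holding the non-compliant resources and a change ticket reference; those are placeholders. Enforcement is never switched off, so the review step in the question (what else changed while enforcement was disabled) goes away, and the exemption is time-boxed so a forgotten waiver expires on its own.

```powershell
# Added example, not from the original answers. Assignment name, template path and
# the ticket reference are assumed placeholder values.
param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',
    [string]$ResourceGroup  = 'rg-legacy-exempt',
    [string]$Location       = 'westeurope',
    [string]$AssignmentName = 'require-nsg-on-subnets',   # assumed: subscription-scoped assignment to waive
    [string]$TemplateFile   = './infra/legacy.json',      # assumed: template with the non-compliant resources
    [int]$ExemptionDays     = 30
)
$ErrorActionPreference = 'Stop'
$assignmentId = "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/policyAssignments/$AssignmentName"

# 1. Scope first. Exemptions apply to the hierarchy below their scope, so an
#    exemption on the resource group covers resources that do not exist yet.
$rg = Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue
if (-not $rg) {
    $rg = New-AzResourceGroup -Name $ResourceGroup -Location $Location `
        -Tag @{ 'policy-waiver' = 'CHG-0000' }   # assumed ticket reference, so the waiver is traceable
}

# 2. Exemption on the group for this one assignment, with an expiry date.
$assignment = Get-AzPolicyAssignment -Id $assignmentId
New-AzPolicyExemption -Name "waiver-$ResourceGroup" `
    -Scope $rg.ResourceId `
    -PolicyAssignment $assignment `
    -ExemptionCategory Waiver `
    -ExpiresOn (Get-Date).AddDays($ExemptionDays).ToUniversalTime() `
    -Description 'Legacy workload; tracked in CHG-0000 (assumed ticket)' | Out-Null

# 3. Now the non-compliant resources can be deployed under the exempted scope.
#    Enforcement stays on for the rest of the subscription the whole time.
New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup -TemplateFile $TemplateFile | Out-Null

# Check: the exemption is visible at the group's scope.
Get-AzPolicyExemption -Scope $rg.ResourceId | Select-Object Name
```

An exemption only removes the resources from evaluation of the named assignment; anything else assigned at or above the subscription still applies to them. Pick Waiver or Mitigated deliberately, because the category is what shows up in compliance reports later.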
I am creating an Azure policy to enforce some naming conventions. I want to enforce this policy only for any new resources being created. I am planning to use Deny as an Effect.
Will the Deny effect block the existing resources being re-provisioned?
Is there any way to implement this without impacting the re-provisioning of old resources? As per the document here, it says updating will be prohibited.
As mentioned in the link that you provided the policy is applied "When creating or updating a matched resource".
However, you can enforce a policy per resource group.
So, if you have the possibility to have all the existing resources in one resource group and all the new resources in a second resource group, then you can get around it by applying the policy only to the second resource group.
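The scoping the answer describes, as an added example that is not part of the original answer: a naming-convention Deny policy defined at the subscription and assigned only to the resource group that receives new resources. The definition name, the prefix and the resource group name are assumptions. Because Deny fires on create and update alike, the assignment scope is the only thing keeping re-provisioning of the old resources untouched, so the old resources must really live outside that group.

```powershell
# Added example, not from the original answer. Names and prefix are assumed values.
param(
    [string]$SubscriptionId   = '00000000-0000-0000-0000-000000000000',
    [string]$NewResourceGroup = 'rg-new-workloads',   # assumed: group that holds only new resources
    [string]$Prefix           = 'contoso-'            # assumed naming convention
)
$ErrorActionPreference = 'Stop'

# Policy rule: deny any resource in the assigned scope whose name does not start
# with the prefix. The prefix is a parameter so the same definition can be reused.
$rule = @"
{
  "if": {
    "field": "name",
    "notLike": "[concat(parameters('prefix'), '*')]"
  },
  "then": { "effect": "deny" }
}
"@
$params = @"
{
  "prefix": {
    "type": "String",
    "metadata": { "displayName": "Required name prefix" }
  }
}
"@

# Definition lives at the subscription; Indexed mode evaluates resources that support
# tags and location, which is what a naming rule normally targets.
$definition = New-AzPolicyDefinition -Name 'require-name-prefix' `
    -DisplayName 'Resource names must start with the given prefix' `
    -Mode Indexed `
    -Policy $rule `
    -Parameter $params `
    -SubscriptionId $SubscriptionId

# Assignment goes on the new resource group only. Existing groups are not in scope,
# so their re-provisioning is not affected by the Deny.
$rgScope = "/subscriptions/$SubscriptionId/resourceGroups/$NewResourceGroup"
New-AzPolicyAssignment -Name 'require-name-prefix-new' `
    -DisplayName "Naming convention for $NewResourceGroup" `
    -Scope $rgScope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ prefix = $Prefix }
```

To see what would be blocked before committing to Deny, assign the same definition with an audit effect first or with -EnforcementMode DoNotEnforce, then read the compliance results; every resource reported non-compliant in the new group would fail its next update once Deny is enforced.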
If an Azure Databricks workspace that also contains notebooks is deleted by someone, is it possible to recover that Databricks workspace along with the notebooks?
If so, please explain how we can achieve this.
If you are looking to prevent deletion, you can set Azure Resource locks. Specifically you can set the CanNotDelete lock. This lock means authorized users can still read and modify a resource, but they can't delete the resource.
Some Azure services, such as Azure Databricks, use managed applications to implement the service. In that case, the service creates two resource groups. One resource group contains an overview of the service and isn't locked. The other resource group contains the infrastructure for the service and is locked. You should lock the resource containing the service to prevent accidental deletion.
If you try to delete the infrastructure resource group, you get an error stating that the resource group is locked. If you try to delete the lock for the infrastructure resource group, you get an error stating that the lock can't be deleted because it's owned by a system application.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
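The lock this answer recommends, as an added example that is not part of the original answer. It puts a CanNotDelete lock on the Databricks workspace resource itself (not on the managed resource group, which the service already locks) and then lists the locks on the managed group so the system-owned lock is visible. The resource group and workspace names are assumptions.

```powershell
# Added example, not from the original answer. Resource group and workspace name
# are assumed placeholder values.
param(
    [string]$ResourceGroup = 'rg-data-prod',
    [string]$WorkspaceName = 'dbw-analytics'
)
$ErrorActionPreference = 'Stop'

# Read the workspace with its properties; the managed resource group ID is among them.
$ws = Get-AzResource -ResourceGroupName $ResourceGroup `
    -ResourceType 'Microsoft.Databricks/workspaces' -Name $WorkspaceName -ExpandProperties

# The lock belongs on the workspace resource. Authorized users can still read and
# modify it, but a delete (including deleting the containing group) is refused.
New-AzResourceLock -LockName 'no-delete-workspace' -LockLevel CanNotDelete `
    -ResourceGroupName $ResourceGroup `
    -ResourceType 'Microsoft.Databricks/workspaces' -ResourceName $WorkspaceName `
    -LockNotes 'Workspace holds notebooks; deletion is not reversible' -Force | Out-Null

# The managed (infrastructure) resource group is locked by the service itself and
# that lock cannot be removed by users; list it for the record.
$managedRgName = ($ws.Properties.managedResourceGroupId -split '/')[-1]
Get-AzResourceLock -ResourceGroupName $managedRgName |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }
```

The lock only stops a delete through Resource Manager; it does nothing for content deleted from inside the workspace, so it is a guard against accidental removal of the workspace, not a backup of the notebooks.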
We have a policy on our subscription that forces all subnets to have an NSG. Terraform works well when creating the Subnet / NSG. However, it encounters policy error when doing terraform destroy because it tries to remove the NSG from the subnet first. This gets blocked because of the policy for requiring NSGs on all subnets. Is there a way to work around this in terraform or possibly make the subnet / nsg removal an atomic operation?
Terraform v0.11.13
+ provider.azurerm v1.25.0
This is a difficult problem to solve, and there are only sloppy solutions. I am speaking generically about handling policy with Terraform. Essentially you want to inject the exclusion of a scope on the fly for the resource:
Options
Simply go to the Azure Portal and exclude the policy on the resource prior to the destroy. If you disable the policy you need to put it back.
Build an on-the-fly Terraform config for the policy assignment in a pipeline prior to a run, which would add a not_scope for the targeted resource. Since the policy assignment is already deployed, a step of importing it will be required.
Come up with a way of signaling a policy engine (whatever you are using to automate your Azure policy). Add a not_scope step to your pipeline.
Skip Terraform and use the Azure CLI or REST interface to update the scope.
For options 2, 3 or 4 a pause is needed for the policy assignment to become active. My experience is it will vary and sometimes fail, but if you are executing a pipeline you can alert on it and rerun.
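Option 4 with the pause from the last paragraph built in, as an added example that is not the answerer's code. It talks to the policy assignment through the REST interface (Invoke-AzRestMethod) so it does not depend on a particular Az.Resources object shape: it reads the assignment, adds the resource group Terraform is about to destroy to notScopes, re-reads until the change is visible and waits a settle period, runs terraform destroy, and always restores the original assignment body in a finally block. The subscription, assignment name, resource group, Terraform directory and settle time are assumptions.

```powershell
# Added example, not from the original answer. Subscription, assignment name,
# resource group, Terraform directory and settle time are assumed values.
param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',
    [string]$AssignmentName = 'require-nsg-on-subnets',   # assumed: subscription-scoped assignment
    [string]$ResourceGroup  = 'rg-network-dev',           # assumed: group holding the subnet/NSG
    [string]$TerraformDir   = './envs/dev',               # assumed: Terraform working directory
    [int]$SettleSeconds     = 60                          # pause after the change is visible
)
$ErrorActionPreference = 'Stop'
$assignmentPath = "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/policyAssignments/$AssignmentName?api-version=2022-06-01"
$rgScope        = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

function Get-PolicyAssignmentJson {
    $r = Invoke-AzRestMethod -Path $assignmentPath -Method GET
    if ($r.StatusCode -ne 200) { throw "GET assignment failed: $($r.StatusCode) $($r.Content)" }
    $r.Content | ConvertFrom-Json
}
function Set-PolicyAssignmentJson([object]$Assignment) {
    # PUT only the writable parts; id/name/type/systemData are server-owned.
    $body = @{ properties = $Assignment.properties }
    if ($Assignment.location) { $body.location = $Assignment.location }
    if ($Assignment.identity) { $body.identity = $Assignment.identity }
    $r = Invoke-AzRestMethod -Path $assignmentPath -Method PUT -Payload ($body | ConvertTo-Json -Depth 20)
    if ($r.StatusCode -notin 200, 201) { throw "PUT assignment failed: $($r.StatusCode) $($r.Content)" }
}

$original     = Get-PolicyAssignmentJson
$originalJson = $original | ConvertTo-Json -Depth 20     # untouched copy used for the restore

try {
    # 1. Inject the not_scope for the resource group Terraform is about to destroy.
    $patched      = $originalJson | ConvertFrom-Json
    $newNotScopes = @(@($patched.properties.notScopes) + $rgScope | Where-Object { $_ } | Select-Object -Unique)
    $patched.properties | Add-Member -NotePropertyName notScopes -NotePropertyValue $newNotScopes -Force
    Set-PolicyAssignmentJson $patched

    # 2. The exclusion is not effective the instant the PUT returns. Re-read until the
    #    scope shows up, then give the policy engine a settle period before destroying.
    $attempts = 0
    do {
        Start-Sleep -Seconds 10
        $seen = (Get-PolicyAssignmentJson).properties.notScopes -contains $rgScope
        $attempts++
    } until ($seen -or $attempts -ge 12)
    if (-not $seen) { throw "notScopes change did not become visible within 2 minutes" }
    Start-Sleep -Seconds $SettleSeconds

    # 3. Destroy. A non-zero exit code is what the pipeline alerts on and reruns.
    Push-Location $TerraformDir
    try {
        terraform destroy -auto-approve
        if ($LASTEXITCODE -ne 0) { throw "terraform destroy failed with exit code $LASTEXITCODE" }
    }
    finally { Pop-Location }
}
finally {
    # 4. Always put the assignment back exactly as it was, whether or not the destroy succeeded.
    Set-PolicyAssignmentJson ($originalJson | ConvertFrom-Json)
}
```

Because the settle time is an estimate, the destroy can still hit the policy error on a slow propagation; the script then fails after restoring the assignment, and the pipeline can rerun it. The restore uses the body captured before the change rather than recomputing notScopes, so a concurrent edit by someone else would be overwritten; if several pipelines share one assignment, serialize them or move to exemptions instead.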
In the Azure Container Registry blade in the Azure portal, there is a "Lock" section on the left hand side and I can't find it anywhere in the ACR documentation.
What is it?
It's a general Azure (not specific to ACR) feature to prevent accidental deletion (or modification) of a resource. You can create a lock that would prevent users from deleting or modifying the resource while the lock is there (even if they have the permissions to delete/modify the resource).
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources