I am creating an Azure policy to enforce some naming conventions. I want to enforce this policy only for any new resources being created. I am planning to use Deny as an Effect.
Will the Deny effect block the existing resources being re-provisioned?
Is there any way to implement this without impacting the re-provisioning of old resources? As per the document here, it says updating will be prohibited.
As mentioned in the link that you provided, the policy is applied "When creating or updating a matched resource".
However, you can enforce a policy per resource group.
So, if you have the possibility to have all the existing resources in one resource group and all the new resources in a second resource group, then you can get around it by applying the policy only to the second resource group.
Azure Policy can be used to define conventions that, when Policy Enforcement is enabled, will prevent non-compliant resources from being created.
In scenarios where non-compliant resources need to be exempted this leads to having to coordinate several steps:
Disable policy Enforcement
Create the non-compliant resource
Add the exemption for the non-compliant resource to the Policy Assignment
Re-enable Enforcement
Review if any unexpected changes occurred during the period of time Enforcement was disabled -- and how to bring things back to compliance
While the above is acceptable, I'm curious if there is an ability to simultaneously create the non-compliant resource and the exemption without the need to coordinate other steps and create the chance for other issues to be introduced.
Is there a way to create a resource and a policy assignment exemption for it simultaneously? Is this potentially in a preview or private preview feature?
From my experience, a resource needs to exist before it can be included in an exemption. However, these docs confirm that exemptions do work on the hierarchy in Azure. This means that you could, in steps, create a resource group to hold your non-compliant resources, then create the exemption with the scope of that resource group, and then create the non-compliant resources.
It sounds like you are looking for an automated solution.
I have not done this or seen anyone else do this - still unsure of your use case. Why deploy a resource that needs to be exempted automatically?
Anyway, you might have a chance of achieving this with:
Blueprints: https://learn.microsoft.com/en-us/azure/governance/blueprints/overview
Manually executing a PowerShell script: https://learn.microsoft.com/en-us/cli/azure/policy/exemption?view=azure-cli-latest#az-policy-exemption-create (or API).
IaC adding this to your ARM template https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/policyexemptions?pivots=deployment-language-arm-template
Policy using Modify or DeployIfNotExists using https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/policyexemptions?pivots=deployment-language-arm-template
I'm not too familiar with azure blueprints but I have a task to update an existing blueprint definition. This involves adding a couple of artifacts and a new resource group. I have a couple of questions about this process:
If the blueprint definition is updated as a result, does it affect the existing blueprint assignments?
The Azure documentation strictly talks about blueprints and does not mention the effect on resources as a result of updates. Is there a risk of destroying resources as a result of updating a blueprint?
This documentation provides answers to your questions -
If the parameters of the policy assignment are changed, the existing assignment is updated.
If the definition of the policy assignment is changed, a new policy assignment is created. Policy assignments previously deployed are left in place.
If the policy assignment artifact is removed from the blueprint, deployed policy assignments are left in place.
I want to create a policy that ensures all indexed resources are tagged. This will help us with organization and tracking, and make it easier to log when things go wrong.
In detail, how do you create a policy that ensures all indexed resources in your subscription have tags and deny deployment if they do not. I'd love to possibly do this from the CLI.
Any help, please
I am not sure what you mean exactly by "all indexed" resources. There are canned policies for tags here. The first several policies 'modify' resources or resource groups to add tags to existing, the last few policies will deny the creation of a resource or RG if a tag is not present. The links will take you directly to the policies in the Azure Portal.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
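To see how the three ideas from these threads interact before anything is deployed (a Deny assignment scoped to a single resource group so that existing resources are untouched, an exemption at resource group scope that covers every resource beneath it, and a deny-if-tag-missing rule like the canned tag policies above), here is an added example. It is not code from the thread, from Microsoft, or from the Azure Policy engine: it is a small offline evaluator for a subset of Azure Policy's rule JSON (field, equals, match, like, exists, allOf, anyOf, not) with simplified scope handling. The subscription ID, resource group names, assignment names and resource names are constructed placeholders, and the evaluation order, the treatment of missing fields and the absence of aliases and DoNotEnforce handling are this example's assumptions.

```python
"""Offline evaluator for a subset of Azure Policy rule JSON.

Added example, not the thread's or Microsoft's code. It applies the scope
rules the answers describe: an assignment only governs resources under its
scope, and an exemption at a resource group scope covers every resource in
that group. Operator semantics follow the public docs (match is case-
sensitive, equals/like are not); everything else is a simplification.
"""
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription

# Constructed policy definitions in the same shape as the Azure Policy JSON.
NAMING_POLICY = {  # storage accounts must look like st<3 letters><3 digits>
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"not": {"field": "name", "match": "st???###"}},  # '?' = letter, '#' = digit
    ]},
    "then": {"effect": "deny"},
}
TAG_POLICY = {  # deny anything that carries no 'env' tag
    "if": {"field": "tags['env']", "exists": "false"},
    "then": {"effect": "deny"},
}

# Assignment scopes: the naming rule only on the resource group that holds new
# resources (the workaround from the first answer); the tag rule on the whole
# subscription, with the legacy group exempted (the hierarchy point).
ASSIGNMENTS = [
    {"name": "naming-new-only", "scope": f"{SUB}/resourceGroups/rg-new", "policy": NAMING_POLICY},
    {"name": "require-env-tag", "scope": SUB, "policy": TAG_POLICY},
]
EXEMPTIONS = [
    {"assignment": "require-env-tag", "scope": f"{SUB}/resourceGroups/rg-legacy"},
]


def _match_regex(pattern: str) -> str:
    """Translate an Azure Policy 'match' pattern into an anchored regex."""
    table = {"#": r"\d", "?": r"[A-Za-z]", ".": r"."}
    return "^" + "".join(table.get(ch, re.escape(ch)) for ch in pattern) + "$"


def _field(resource: dict, name: str):
    """Resolve 'name', 'type', 'location' or tags['key'] against a resource dict."""
    tag = re.fullmatch(r"tags\['(.+)'\]", name)
    if tag:
        return (resource.get("tags") or {}).get(tag.group(1))
    return resource.get(name)


def _cond(cond: dict, resource: dict) -> bool:
    """Evaluate one 'if' condition; unsupported operators raise."""
    if "allOf" in cond:
        return all(_cond(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_cond(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _cond(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if value is None:  # simplification: a missing field satisfies no value comparison
        return False
    value = str(value)
    if "equals" in cond:
        return value.lower() == str(cond["equals"]).lower()
    if "match" in cond:
        return re.fullmatch(_match_regex(cond["match"]), value) is not None
    if "like" in cond:  # single '*' wildcard, case-insensitive
        pattern, v = str(cond["like"]).lower(), value.lower()
        if "*" not in pattern:
            return v == pattern
        head, _, tail = pattern.partition("*")
        return len(v) >= len(head) + len(tail) and v.startswith(head) and v.endswith(tail)
    raise ValueError(f"unsupported condition: {cond}")


def _in_scope(scope: str, resource_id: str) -> bool:
    """A scope covers itself and every resource ID nested under it."""
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")


def evaluate(assignments, exemptions, resource):
    """Return ('deny', assignment), ('exempt', assignment) or ('allow', None)."""
    rid, exempted = resource["id"], None
    for a in assignments:
        if not _in_scope(a["scope"], rid):
            continue  # assignment does not govern this resource at all
        if any(e["assignment"] == a["name"] and _in_scope(e["scope"], rid) for e in exemptions):
            exempted = a["name"]
            continue  # exemption at an ancestor scope covers this resource
        if _cond(a["policy"]["if"], resource) and a["policy"]["then"]["effect"].lower() == "deny":
            return ("deny", a["name"])
    return ("exempt", exempted) if exempted else ("allow", None)


def _res(rg: str, name: str, tags=None) -> dict:
    """Build a constructed storage-account request in resource group rg."""
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{name}",
            "name": name, "type": "Microsoft.Storage/storageAccounts", "location": "eastus", "tags": tags}


LEGACY_NO_TAG = _res("rg-legacy", "legacystorage")            # re-provisioned old resource
NEW_GOOD = _res("rg-new", "stabc123", {"env": "prod"})        # compliant new resource
NEW_BAD_NAME = _res("rg-new", "stor-bad", {"env": "prod"})    # violates naming rule
NEW_NO_TAG = _res("rg-new", "stxyz999")                       # violates tag rule

if __name__ == "__main__":
    for r in (LEGACY_NO_TAG, NEW_GOOD, NEW_BAD_NAME, NEW_NO_TAG):
        print(r["name"], "->", evaluate(ASSIGNMENTS, EXEMPTIONS, r))
```

Running it shows the legacy resource is reported as exempt even though it has no tag and a non-conforming name, because the naming assignment never reaches its resource group and the tag assignment is exempted there; the new resources are denied or allowed purely on their own shape. Swapping the naming assignment's scope to the subscription reproduces the original concern: re-provisioning the legacy resource then becomes a denied update.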
This is probably an elemental question, but why would you want to ensure that resources are deployed to the same locations as their resource groups? I'm getting out-of-compliance issues with HIPAA and from CloudSploit about this and I'd like to get some more details around it, as I know it deals with metadata but I'm not crystal clear.
Thanks in advance
Resources within a resource group need not always be deployed in the same location as the resource group. But there is a built-in Azure Policy available to audit this condition that one may choose to enable.
The resource group location serves two purposes:
First: The resource group stores metadata about the resources. When you specify a location for the resource group, you're specifying where that metadata is stored. Now, for compliance reasons, you may need to ensure that your data is stored within a particular region.
Second: If the resource group's region is temporarily unavailable, you can't update resources in the resource group because the metadata is unavailable. The resources in other regions will still function as expected, but you can't update them.
For knowing more about the factors to consider while defining your resource groups, check the Azure Resource Manager documentation.
When I create an AKS cluster using the Azure portal I can see that new resource groups are created. It seems that I have no control over how they are named, especially the one with the "MC_" prefix. I also don't see an option to change its name when using an ARM template.
In addition, if I create a cluster in customer's subscription, where I only have access to 1 resource group, I don't even see the newly created RG and can't manage it.
Is there a way to force deployment of all AKS components into a single resource group?
No, there is no way to force it at this point in time. As for the access, you should request access to that RG. No real workarounds.
The secondary resource group name can be inferred, I think; it's something like:
MC_original-resource-group-name_aks-resource-name_location
It also creates an OMS resource group (if you enable OMS) and Network Watcher (this can be disabled, btw, but it's a provider setting). You have no control over that as well.
There is a not-yet-implemented nodeResourceGroup property: https://learn.microsoft.com/en-us/rest/api/aks/managedclusters/createorupdate#examples
EDIT: this is actually working right now, so the nodeResourceGroup property can be used. But it would still be a new resource group, so you would still need to request access to that group, and using this property is not possible with the portal (so ARM templates / Pulumi / Terraform).