I have a question with respect to resources violating Azure Policy. Suppose in my subscription I have one VM in UK West and another VM in UK South. If I create a policy to restrict VMs to only UK South, what happens to the VM in UK West? Does it become non-functional, will it be forced to move to UK South, or will it just be reported as non-compliant? Also, what will happen to new requests for UK West; will those get denied?
If you assign a policy while existing resources are present, nothing should happen to them by default if you are using built-in policies.
If you're assigning a policy from the portal, you should see the following statement:
> By default, this assignment will only take effect on newly created resources. Existing resources can be updated via a remediation task after the policy is assigned. For deployIfNotExists policies, the remediation task will deploy the specified template. For modify policies, the remediation task will edit tags on the existing resources.
In short, the existing VMs in UK West should be marked as non-compliant, and future deployments outside of UK South will be blocked by the policy.
You can see this in the built-in "Allowed locations" policy:
```json
{
  "properties": {
    "displayName": "Allowed locations",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources.",
          "strongType": "location",
          "displayName": "Allowed locations"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e56962a6-4747-49cd-b67b-bf8b01975c4c"
}
```
It simply performs a Deny if the conditions are not met. Of course, if you are using custom policies, it's possible other actions might also be performed.
Related
I am looking to assign a resource policy to limit the allowed locations where resources can be deployed, so that I can use only particular resources for my work and keep the cost low.
I found this, but it is a manual restriction; I need it in script form.
I searched the web but didn't find any related doc.
Can anyone help with this? Thanks in advance.
I have followed the configuration below to deny locations for resources.
Go to the Portal → search for Policy → Policy definition.
I have filled in the appropriate fields and used the script below to deny the disallowed locations:
```json
{
  "properties": {
    "displayName": "Allowed resource types",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'.",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "listOfResourceTypesAllowed": {
        "type": "Array",
        "metadata": {
          "description": "The list of resource types that can be deployed.",
          "displayName": "Allowed resource types",
          "strongType": "resourceTypes"
        }
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "type",
          "in": "[parameters('listOfResourceTypesAllowed')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```
I have assigned the policy, and when I check the assignments I am able to see it.
When I try to create a resource group in a non-allowed location, I am not able to create it.
I'm working on testing out using GitHub and GitHub Actions to do policy as code for Azure. I have been successful in following the tutorials that Microsoft has where you export the policy you want to manage to GitHub from the Azure portal. This works fine and I'm able to edit and run the workflows to update Azure with changes to policies.
What I'd like to know is, can you create NEW policies in GitHub and push them to Azure? It seems that you need to first export a custom policy from Azure into GitHub, then you can manage that policy. I say this because when I create a new policy and a workflow for that policy I get the following error in GitHub from the workflow:
> Did not find any policies to create/update. No policy files match the
> given patterns or no changes were detected.
The policy I have in the folder is called "policy.json"
I also see:
> Error occured while reading policy in path :
> policies/global_tagging_policy. Error : Error: Path :
> policies/global_tagging_policy. Property id is missing from the policy
> definition. Please add id to the definition file.
That leads me to believe I need an ID prior to being able to push a policy, which says to me that Azure must have assigned one... I can't just make one up.
This is the policy I'm trying to push; just a tagging policy for testing. I don't have an ID in there; I read that you don't need to add one, that Azure would do it for you. Am I wrong?
```json
{
  "properties": {
    "displayName": "test-policy",
    "description": "this is a test policy",
    "mode": "indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag, such as 'production'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  }
}
```
This tripped me up too so I did some exploring of the APIs and files. I've written about this in greater detail here.
To create a custom Policy, Initiative or Assignment file using GitHub Actions you'll need to generate an id, name & type at the root of the JSON.
The name property needs to be unique at the scope you assign it; I use GUIDs for this, but you don't have to. Bear in mind that if you define/assign at the Management Group scope, then the name needs to be 24 characters or less.
The type denotes the type of file; the options are:
- Microsoft.Authorization/policyDefinitions --> Policies
- Microsoft.Authorization/policySetDefinitions --> Initiatives
- Microsoft.Authorization/policyAssignments --> Assignments
The id is a bit more complex, and is a concatenation of the name and type values with other values mixed in.
The prefix depends on the scope at which you want to define your Policy/Initiative/Assignment.
For Management Groups it would be:
/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000
Subscriptions would be:
/subscriptions/00000000-0000-0000-0000-000000000000
Resource Groups:
/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup
This is followed by `providers` in all cases.
Next is the type value, so whatever you've used for that, use it again here.
Finally, the last segment of the id is the same value you've used for the name property.
In one line, that is `/{scope}/providers/{type}/{name}`.
So as an example:
Policy Definition scoped at a Management Group
```json
{
  "id": "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/5f44e572-5d2d-4edf-9d61",
  "name": "5f44e572-5d2d-4edf-9d61",
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {}
}
```
Policy Definition scoped at a Subscription
```json
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/8e4a8c58-1938-4467-8698",
  "name": "8e4a8c58-1938-4467-8698",
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {}
}
```
Initiative scoped at a Management Group
```json
{
  "id": "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/be09f23f-0252-4d8a-a805",
  "name": "be09f23f-0252-4d8a-a805",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "properties": {}
}
```
Initiative scoped at a Subscription
```json
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/8e4a8c58-1938-4467-8698",
  "name": "8e4a8c58-1938-4467-8698",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "properties": {}
}
```
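As an added example (not the answer's own tooling and not part of Microsoft's GitHub action), here is a small Python checker that composes the `/{scope}/providers/{type}/{name}` id the answer describes and lints a policy file for the root-level properties the workflow error complained about. The three scope prefixes and the 24-character management-group limit are the ones stated above; the checks themselves are an assumption about what a policy-as-code pipeline should verify before pushing.

```python
# Added example, not the answer's own tooling: compose and check the root-level
# id/name/type a policy-as-code file needs, following the layout described above,
# /{scope}/providers/{type}/{name}. The 24-character limit and the three scope
# prefixes are the ones the answer gives; the checks themselves are an assumption.
import json
import re

TYPES = ("Microsoft.Authorization/policyDefinitions",     # policies
         "Microsoft.Authorization/policySetDefinitions",  # initiatives
         "Microsoft.Authorization/policyAssignments")     # assignments
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
SCOPE_RE = re.compile(r"^(/providers/Microsoft\.Management/managementGroups/[^/]+"
                      r"|/subscriptions/[^/]+(/resourceGroups/[^/]+)?)$", re.IGNORECASE)

def build_id(scope, type_, name):
    """Compose the id for a definition or assignment at `scope`; raise on bad input."""
    if type_ not in TYPES:
        raise ValueError(f"unknown type {type_!r}")
    if not SCOPE_RE.match(scope):
        raise ValueError(f"unrecognised scope {scope!r}")
    if scope.lower().startswith(MG_PREFIX.lower()) and len(name) > 24:
        raise ValueError("names defined at management-group scope must be 24 characters or less")
    return f"{scope}/providers/{type_}/{name}"

def check_policy_file(text):
    """Lint one policy JSON document; return the list of problems (empty means OK)."""
    doc = json.loads(text)
    problems = [f"root property {p!r} is missing" for p in ("id", "name", "type", "properties")
                if p not in doc]
    if problems:          # the GitHub workflow stops at exactly this kind of error
        return problems
    tail = f"/providers/{doc['type']}/{doc['name']}"
    if not doc["id"].endswith(tail):
        return [f"id does not end with {tail!r}: name/type do not match the id"]
    try:                  # rebuilding the id validates scope prefix, type and name length
        build_id(doc["id"][: -len(tail)], doc["type"], doc["name"])
    except ValueError as exc:
        problems.append(str(exc))
    return problems

if __name__ == "__main__":
    mg = MG_PREFIX + "00000000-0000-0000-0000-000000000000"  # placeholder id from the answer
    print(build_id(mg, TYPES[0], "5f44e572-5d2d-4edf-9d61"))
```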
I need to enforce that when a user creates a storage account in Azure, it gets customer-managed key settings appended. Platform-managed keys are not permitted for storage accounts. Below is the policy that was created. Although the policy is successfully deployed, the storage accounts we create after the policy deployment do not get the customer-managed key details defined inside the Azure policy appended, even after 2 hours. When we try adding a customer-managed key, it instead throws an error saying: "Policies attempted to append some fields which already exist in the request with different values. Fields: 'Microsoft.Storage/storageAccounts/encryption.KeySource'. Policy identifiers:'[{"policyAssignment":{"name":"Encryption settings to Storage Account for customer-provided key","id":"funRulerg-mj/providers/Microsoft.Authorization/policyAssignments/"
Can someone please help me understand why, in spite of the "append" effect, the policy is not appending the customer-managed keys to the storage account? And the error clearly tells that the policy is already in effect, due to which it is not allowing a customer-managed key to be added to the storage accounts either.
```json
{
  "properties": {
    "displayName": "Append encryption settings to Storage Account for customer-provided key",
    "description": "If customer-provided key isn't configured, append encryption settings to Storage Account using customer-provided key",
    "mode": "all",
    "parameters": {
      "keyvaulturi": {
        "type": "String",
        "metadata": {
          "description": "Uri location of the Key Vault to use for Storage Service Encryption"
        }
      },
      "keyname": {
        "type": "String",
        "metadata": {
          "description": "Name of the Key to use for Storage Service Encryption"
        }
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
            "equals": "Microsoft.Storage"
          }
        ]
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
            "value": "Microsoft.Keyvault"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyvaulturi",
            "value": "[parameters('keyvaulturi')]"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyname",
            "value": "[parameters('keyname')]"
          }
        ]
      }
    }
  }
}
```
The field "Microsoft.Storage/storageAccounts/encryption.KeySource" is set to "Microsoft.Storage", and according to this post (https://rjygraham.com/posts/azure-policy-append-as-gentler-deny.html): "Append evaluates before the request gets processed by a Resource Provider during the creation or updating of a resource. Append adds fields to the resource when the if condition of the policy rule is met. If the append effect would override a value in the original request with a different value, then it acts as a deny effect and rejects the request". In the "details", the policy is trying to change the value of the field "Microsoft.Storage/storageAccounts/encryption.KeySource" to "Microsoft.Keyvault"; this might be the issue.
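To make the deny and append semantics concrete for both the allowed-locations policy in the first answer and the storage policy above, here is an added Python mini-evaluator (an illustration written for this page, not Microsoft's engine). It assumes a request can be modelled as a flat map of already-resolved alias fields; under that model, every request matching the asker's `if` (KeySource equals Microsoft.Storage) is necessarily rejected by the append of Microsoft.Keyvault, and a request that omits KeySource never matches, so nothing is appended.

```python
# Constructed mini-evaluator for the rule operators used on this page (allOf, not,
# equals, notEquals, in, notIn) and the deny/append effects. Added illustration, not
# Microsoft's engine: a request is modelled as a flat {alias: value} map, the view
# the engine has once aliases like ".../encryption.KeySource" are resolved (assumption).

def _resolve(value, params):  # expand "[parameters('x')]"; anything else is a literal
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-3]]
    return value

def _get(request, field):  # aliases and top-level fields match case-insensitively
    return next((v for k, v in request.items() if k.lower() == field.lower()), None)

def _test(cond, request, params):
    c = {k.lower(): _resolve(v, params) for k, v in cond.items()}  # keywords are case-insensitive
    if "allof" in c:
        return all(_test(x, request, params) for x in c["allof"])
    if "not" in c:
        return not _test(c["not"], request, params)
    actual = _get(request, c["field"])
    if "equals" in c:    return actual == c["equals"]
    if "notequals" in c: return actual != c["notequals"]
    if "in" in c:        return actual in c["in"]
    if "notin" in c:     return actual not in c["notin"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy_rule, request, params):
    """One create/update request -> ('allow', resulting body) or ('deny', reason)."""
    if not _test(policy_rule["if"], request, params):
        return "allow", dict(request)
    if policy_rule["then"]["effect"].lower() == "deny":
        return "deny", "request matched the policy condition"
    body = dict(request)
    for item in policy_rule["then"]["details"]:  # append effect
        wanted, current = _resolve(item["value"], params), _get(body, item["field"])
        if current is not None and current != wanted:  # conflict: append acts as deny
            return "deny", f"append would change {item['field']} from {current!r} to {wanted!r}"
        if current is None:
            body[item["field"]] = wanted
    return "allow", body

# The asker's storage rule, reduced to its conditions and two of its three append details.
KEYSOURCE = "Microsoft.Storage/storageAccounts/encryption.KeySource"
CMK_RULE = {"if": {"allOf": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                             {"field": KEYSOURCE, "equals": "Microsoft.Storage"}]},
            "then": {"effect": "append", "details": [
                {"field": KEYSOURCE, "value": "Microsoft.Keyvault"},
                {"field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyvaulturi",
                 "value": "[parameters('keyvaulturi')]"}]}}
```

With the condition changed so that it matches requests which do not already carry the Key Vault value (notEquals instead of equals), the same evaluator appends both fields instead of denying.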
I'm trying to force anyone that is provisioning resources or services in Azure to only be able to select a specific region(s). For example, when they provision a resource group, the dropdown only shows a specific region(s). I was hoping there is some global setting that will affect all users. We are also using Azure AD; does that help or matter? I tried searching the Azure docs and the PowerShell commands, but I just can't find any mention of this setting.
You could use Azure Policy to do it.
Here is a sample policy that requires all resources to be deployed to the approved locations; refer to this link. You can deploy it with the portal or with PowerShell.
This policy requires that all resources are deployed to the approved locations. You specify an array of approved locations.
Sample template:
```json
{
  "properties": {
    "displayName": "Allowed locations",
    "policyType": "BuiltIn",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements.",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources.",
          "strongType": "location",
          "displayName": "Allowed locations"
        }
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('listOfAllowedLocations')]"
        }
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e56962a6-4747-49cd-b67b-bf8b01975c4c"
}
```
Is there any way to restrict access or purchase permissions in the Azure Marketplace?
You can create a policy like the one below to restrict compute resources from a specific publisher:
```json
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "Microsoft.Compute/imagePublisher",
          "match": "[parameters('NotAllowedImage')]"
        }
      ]
    },
    "then": {
      "effect": "Deny"
    }
  },
  "parameters": {
    "NotAllowedImage": {
      "type": "String",
      "metadata": {
        "displayName": "Not Allowed Image",
        "description": "Not Allowed Image for Virtual Machine/Compute"
      }
    }
  },
  "metadata": {
    "category": "Compute"
  }
}
```
When you assign this policy to a subscription or a resource group, you will be asked at that time to enter a value for the image name you would like to restrict; enter "checkpoint" as the publisher name, as this is the one you want to restrict. Save the assignment.
Now, once you create a VM/compute resource from "checkpoint", it will fail the validation step, as the policy will not allow such a VM/compute resource to be created.
The category of the Check Point resources I see in the Marketplace is compute only.
We might not have restrictions on what we can choose from the Marketplace, but we can use Azure Policy for resource regulation/compliance.
These policies help enforce rules over your resources (VMs, VM SKUs, network, storage, etc.) if you need the resources created to stay compliant with your company standards/service level agreements.
Whenever we create a resource that has a policy tied to it, it is evaluated and scanned for compliance with that policy.
More info here - https://learn.microsoft.com/en-us/azure/azure-policy/azure-policy-introduction