Trying to create a policy tied to a subscription in Azure that will deny the create of a resource group without a specific "costCenter" tag. I have the following policy assigned to the subscription with the "coreTagName1" completed as "costCenter":
"properties": {
"displayName": "manual_test_1",
"policyType": "Custom",
"mode": "Indexed",
"description": "manual test for tag enforcement",
"metadata": {
"category": "test",
"createdBy": "#########",
"createdOn": "2020-04-02T12:27:39.2686671Z",
"updatedBy": "#########",
"updatedOn": "2020-04-02T12:35:32.5608728Z"
},
"parameters": {
"coreTagName1": {
"type": "String",
"metadata": {
"displayName": "tagName to enforce",
"description": "Name of the tag, such as costCenter"
}
}
},
"policyRule": {
"if": {
"anyOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"exists": "false",
"field": "[concat('tags[', parameters('coreTagName1'), ']')]"
}
]
},
"then": {
"effect": "deny"
}
}
},
"id": "/subscriptions/#########/providers/Microsoft.Authorization/policyDefinitions/########",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "#######"
}
But i can still create a Resource Group and not specify any tags at all. I feel like I am missing something fundamental in my approach but cant get my head round it yet.
as Jagrati mentioned. Please allow for sometime for the policy to run a compliance scan before checking for compliance results. (Typically wait time is 30 mins, but it depends heavily on scope and # of resources).
Related
I'm struggling with a policy which should allow only certain values for tags.
Here is the code
{
"mode": "Indexed",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"notIn": "[parameters('listOfAllowedValues')]"
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
},
"listOfAllowedValues": {
"type": "Array",
"metadata": {
"displayName": "Allowed values",
"description": "The list of values which tag can have."
}
}
}
}
I put this array for assigments: ["Not Appliable","1","2","3","4"]
Policy evaluation works perfectly fine for numbers, but when I put tag value to be Not applicable policy always denies creation of VM.
Not sure what's wrong with it..Any help is appreciated!
In your policy definition, for the parameter listOfAllowedValues you are passing the allowed values as Notappliable and while creating the virtual machine you are passing the tag value as NotApplicable since there is spelling mistake that is the reason your policy valuation is getting failed.
I have test the above policy in my local and it working as expected from my end.
Requirement - I need to restrict all the users to create any resource in particular Locations. So I have created a Custom Policy by combining two builtin policies which are "Allowed locations" and "Not allowed resource types"
Issue - I am unable to created most of the resources but able to create few of them like Resource Group, Function Apps, App Service, SQL Database which is unexpected.
Below is the policy I have created -
{
"properties": {
"displayName": "NotAllowedResourcesinRestrictedLocation",
"policyType": "Custom",
"mode": "Indexed",
"metadata": {
"version": "1.0.0",
"updatedBy": null,
"updatedOn": null
},
"parameters": {
"listOfResourceTypesNotAllowed": {
"type": "Array",
"metadata": {
"displayName": "Not allowed resource types",
"description": "The list of resource types that cannot be deployed.",
"strongType": "resourceTypes"
}
},
"listOfAllowedLocations": {
"type": "Array",
"metadata": {
"displayName": "Allowed locations",
"description": "The list of locations that can be specified when deploying resources.",
"strongType": "location"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"in": "[parameters('listOfResourceTypesNotAllowed')]"
},
{
"field": "location",
"notIn": "[parameters('listOfAllowedLocations')]"
},
{
"field": "location",
"notEquals": "global"
},
{
"field": "type",
"notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
},
{
"value": "[field('type')]",
"exists": true
}
]
},
"then": {
"effect": "deny"
}
}
},
}
Please someone guide me on this.
My resource groups has an environment tag where only specific values are allowed: "dev,test,prod". I want to enforce that with an Azure Policy which will deny all the resource group creation which doesn't have one of this "dev,test,prod" values in their environment tag. My policy code is as below:
{
"properties": {
"displayName": "Allowed tag values for Resource Groups",
"description": "This policy enables you to restrict the tag values for Resource Groups.",
"policyType": "Custom",
"mode": "Indexed",
"metadata": {
"version": "1.0.0",
"category": "Tags"
},
"parameters": {
"allowedTagValues": {
"type": "array",
"metadata": {
"description": "The list of tag values that can be specified when deploying resource groups",
"displayName": "Allowed tag values"
},
"defaultValue": [
"dev","test","prod"
]
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "tags[environment]",
"notIn": "[parameters('allowedTagValues')]"
}
]
},
"then": {
"effect": "deny"
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx",
"name": "xxxxxxx-xxxxxxx-xxxxxxxxxx-xxxxxxx"
}
This doesn't have any effect at all. I have tried this as well:
{
"not": {
"field": "tags[environment]",
"in": "[parameters('allowedTagValues')]"
}
}
Neither this does work.
Any suggestion?
You need to pass the tag values "dev","test","prod" as allowed values for the parameter listofallowedTags as shown below.
Based on your requirement we have created the below policy definition. we have tested this in our local environment which is working fine.
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"not": {
"field": "[concat('tags[', parameters('tagName'), ']')]",
"in": "[parameters('listofallowedtagValues')]"
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the audit policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
},
"defaultValue": "environment"
},
"listofallowedtagValues": {
"type": "Array",
"metadata": {
"displayName": "Tag Values",
"description": "Value of the tag, such as 'production'"
},
"allowedValues": [
"dev",
"test",
"prod"
]
}
}
}
Note: As you can see from the below image, the custom policy has been assigned to subscription.
Here are the some sample outputs for reference:
In the below example, we have passed environment tag a different value apart from those 3 values defined in listofallowedtagValues parameter & while deploying the resource group it got failed since it doesn't met policy requirement.
In the below example, we have passed environment tag value as test resource group deployment got succeeded as it met the policy requirements.
I am trying to understand how Management group policies works but deploying some policies.
I have this ARM template, which its purpose it to block specific resources from being created. Which, in my case works, but I would like to deny the creation of storage account only if specific sku.name is selected
this is the azure policy.
{
"properties": {
"displayName": "Not allowed resource types",
"policyType": "BuiltIn",
"mode": "All",
"description": "This policy enables you to specify the resource types that your organization cannot deploy.",
"parameters": {
"listOfResourceTypesNotAllowed": {
"type": "Array",
"metadata": {
"description": "The list of resource types that cannot be deployed.",
"displayName": "Not allowed resource types",
"strongType": "resourceTypes"
}
}
},
"policyRule": {
"if": {
"field": "type",
"in": "[parameters('listOfResourceTypesNotAllowed')]"
},
"then": {
"effect": "Deny"
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
}
and this my parameters:
{
"listOfResourceTypesNotAllowed": {
"type": "Array",
"metadata": {
"description": "The list of resource types that cannot be deployed.",
"displayName": "Not allowed resource types",
"strongType": "resourceTypes"
},
"allowedValues": [
"Microsoft.DocumentDB/databaseAccounts",
"Microsoft.Storage/storageAccounts"
]
}
}
and my rules:
{
"if": {
"field": "type",
"in": "[parameters('listOfResourceTypesNotAllowed')]"
},
"then": {
"effect": "Deny"
}
}
Can anyone help me to understand how can this be achieved please?
Thank you so much for anyone who can spend some time to help me to understand this type of deployment
You can use the below policy defination for allowing only allowed sku types of storage accounts to be deployed in your subscription:
{
"properties": {
"displayName": "Storage accounts should be limited by allowed SKUs",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Restrict the set of storage account SKUs that your organization can deploy.",
"metadata": {
"version": "1.1.0",
"category": "Storage"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the audit policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"listOfAllowedSKUs": {
"type": "Array",
"metadata": {
"description": "The list of SKUs that can be specified for storage accounts.",
"displayName": "Allowed SKUs",
"strongType": "StorageSKUs"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"not": {
"field": "Microsoft.Storage/storageAccounts/sku.name",
"in": "[parameters('listOfAllowedSKUs')]"
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "7433c107-6db4-4ad1-b57a-a76dce0154a1"
}
Reference:
List of built-in policy definitions - Azure Policy | Microsoft Docs
Storage accounts should be limited by allowed SKUs- policy
Is there a way to create an Azure policy that requires a Tag exist on a resource when it's created, but not check for a specific value? All the examples I've seen are for "check if tag X is there, and has value Y".
I want to simply let the user know "you need to put tag X on this resource" because the value is user-defined so I can't enforce a specific value.
For example - I need "BillingCode" on every resource, but only the person creating the resource knows their correct billing code since it's different for each person or project.
You can use subscription policies to accomplish this. They will prevent deployment of Azure resources unless certain rules are met.
Below example taken from here.
You could modify this example by using the notMatch operator instead of the direct match below. More operators here.
{
"properties": {
"displayName": "Enforce tag and its value on resource groups",
"description": "Enforces a required tag and its value on resource groups.",
"mode": "All",
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"description": "Name of the tag, such as costCenter"
}
},
"tagValue": {
"type": "String",
"metadata": {
"description": "Value of the tag, such as headquarter"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"not": {
"field": "[concat('tags[',parameters('tagName'), ']')]",
"equals": "[parameters('tagValue')]"
}
}
]
},
"then": {
"effect": "deny"
}
}
}
}
You need the exists operator.
For example:
{
"policyRule": {
"if": {
"field": "[concat('tags[',parameters('tagName'), ']')]",
"exists": "false"
},
"then": {
"effect": "deny"
}
},
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"description": "Name of the tag, such as costCenter"
}
}
}
}