my goal is to limit the creation of resource type per owner/collaborator of a specific Resource Group.
Example:
User_Group_XXX accessed by account YYY:
MAX 2 VM - Standard D2s v3
MAX 1 Kubernetes Cluster with 2 node - Standard DS2 v2
NO more than that and NO other type of resources.
How can I include those limits?
this is not possible by definition. Azure Policy looks at individual resource properties, so there is no way to have it do something like that (so check other resources and apply policy based on those resource to a the resource in question).
although, you could easily create a policy to only allow virtual machines\aks clusters.
again, policies cannot be scoped to users
Related
We have a requirement to force certain tags to our azure resources. Some tags which we need to enforce from subscription level say(eg: st1=st1, st2=st2..), But some are needed to be resourcegroup level(rt1-rt1, rt2=rt2..) and others are to specific resource type (like, aks, appservice, storage account).
By going through the MS doc I found that this can be achieved using azure policy. So the plan is to create azure policy with allowed tags and tag values which need to be enforced on
i) in subscription level
2) resource group level
3) Resource type wise
4) and for other remaining app specific tags to the resources use "az tag update" command.
We need to use automated solution to achieve all these with Azurepipleine and shell commands or scripts as we have only linux machines.
so for the 4th point i got some working pipeline solution to add the app specific tags to the resource level.
But for the requirements 1 to 3, will there any arm or script already available , so that we can integrate them with our azurepipelines.
Any automated solution or suggestion you already tried on this?
update on 12/12
As this docs for Use Tags to organize your azure resources sharing to us, you could use rest api or sdk to add the tags for your resource.
And for the loop for giving the resources with the tags from the resource groups. You could look into this potential workaround for reference. Bash Script
I want to create an Azure Policy for storage accounts. During the creation of a storage account, it will count the number of storage accounts in the subscription which has a specific tag (like env:dev). If the number of this count exceeds 10, It should deny the creation of that storage account.
How I can count the number of storage account which has certain tag inside an Azure Policy declaration?
That is not something you can do using Azure Policy.
Even though the approach seems valid, the count operator is meant to be used with [*] aliases - see official documentation. One could think of scanning Microsoft.Subscription aliases, but running the command az provider show --namespace Microsoft.Subscription --expand "resourceTypes/aliases" --query "resourceTypes[].aliases[].name", what you get as an output is so far not extensive :
[
"Microsoft.Subscription/SubscriptionDefinitions/subscriptionId",
"Microsoft.Subscription/SubscriptionDefinitions/subscriptionDisplayName",
"Microsoft.Subscription/SubscriptionDefinitions/offerType",
"Microsoft.Subscription/SubscriptionDefinitions/etag",
"Microsoft.Subscription/aliases/subscriptionId"
]
Also, the way the policy engine works wouldn't allow you to count the number of instances meeting a particular rule : each ARM component is scanned individually and compared to the rules defined in the policy. You cannot see "all Storage Accounts in a given scope" - each one is scanned without the whole picture being seen at any point. That is why I started with looking if the Subscription object had something like a Resources [*] alias.
This is probably an elemental question, but why would you want to ensure that resources are deployed to the same locations as their resource groups? I'm getting out of compliance issues with HIPPA and from CloudSploit about this and I'd like to get some more details around it as I know it deals with meta data but I'm not crystal clear.
Thanks in advance
Resources within a resource group need not always be deployed in the same location as the resource group. But there is a built-in Azure Policy available to audit this condition that one may choose to enable.
The resource group location serves two purposes:
First: The resource group stores metadata about the resources. When you specify a location for the resource group, you're specifying where that metadata is stored. Now, for compliance reasons, you may need to ensure that your data is stored within a particular region.
Second: If the resource group's region is temporarily unavailable, you can't update resources in the resource group because the metadata is unavailable. The resources in other regions will still function as expected, but you can't update them.
For knowing more about the factors to consider while defining your resrouce groups, check the Azure Resource Manager documentation.
When I create an AKS cluster using Azure portal I can see that new resource groups are created. It seems that I have no control over how they are named, especially the one with with "MC_" prefix. I also don't see an option to change its name when using ARM template.
In addition, if I create a cluster in customer's subscription, where I only have access to 1 resource group, I don't even see the newly created RG and can't manage it.
Is there a way to force deployment of all AKS components into a single resource group?
No, there is no way to force it at this point in time. As for the access, you should request access to that RG. No real workarounds.
Secondary resource group name can be inferred, I think, its something like:
MC_original-resource-group-name_aks-resource-name_location
it also creates OMS resource group (if you enable OMS) and Network Watcher (this can be disabled, btw, but its a provider setting). you have no control over that as well.
there is a not implemented yet nodeResourceGroup property: https://learn.microsoft.com/en-us/rest/api/aks/managedclusters/createorupdate#examples
EDIT: this is actually working right now, so the nodeResourceGroup property can be used. But it would still be a new resource group, so you would still need to request access to that group and using this property is not possible with the portal (so ARM Templates\pulumi\terraform)
I understand that resources from different locations can all reside within one resource group. But when creating a new Resource Group, what is the purpose of choosing a location? Does it have any meaning?
Thanks
When creating a resource group, you need to provide a location for that resource group. You may be wondering, "Why does a resource group need a location? And, if the resources can have different locations than the resource group, why does the resource group location matter at all?" The resource group stores metadata about the resources. Therefore, when you specify a location for the resource group, you are specifying where that metadata is stored. For compliance reasons, you may need to ensure that your data is stored in a particular region.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview
Actually it does matter:
Azure Resource Manager overview:
If the resource group's region is temporarily unavailable, you can't update resources in the resource group because the metadata is unavailable. The resources in other regions will still function as expected, but you can't update them.
For more information about building reliable applications, see Designing reliable Azure applications.
So we could imagine a situation where resource group is defined in LocationA, and all resources in that group are located in different region. When resource group region is unavailble then they may be issues when accessing metadata. Without metadata, it may not be able to failover.
Most templates in Azure ask you to specify a location(which is Azure Data Center Location) for each of the resources in a resource group.
Every resource is located in an Azure data center, but not every Azure data center supports every resource type.
Select any location that supports the resource type. You do not have to create all of the resources in a resource group in the same location;
However, whenever possible, you will want to create resources in the same location to optimize performance.
In particular, you will want to make sure that your database is in the same location as the app accessing it.
The resource group stores metadata about the resources. Therefore,
when you specify a location for the resource group, you are specifying
where that metadata is stored. For compliance reasons, you may need to
ensure that your data is stored in a particular region.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview