Microsoft provides a JSON-Template for an Azure policy:
{
"properties": {
"displayName": "Hostname pattern with match condition.",
"description": "Enforce a naming pattern on Hostnames with the match condition.",
"mode": "All",
"parameters": {
"namePattern": {
"type": "String",
"metadata": {
"description": "Pattern to use for Hostnames. Can include ? for letters and # for numbers."
}
}
},
"policyRule": {
"if": {
"not": {
"field": "name",
"match": "[parameters('namePattern')]"
}
},
"then": {
"effect": "deny"
}
}
}
}
But this JSON checks for ALL resources in Azure (NICs, Disks, etc). I want only a Policy for Hostnames.
I think I have somewhere to inject the qualifier for /Microsoft.Compute/virtualMachines/ - but where? Every try ends up in an invalid JSON-File. Thanks for helping!
You can restrict the types of resources by specifying a check on the type field. We need to add "allOf" because we need all the conditions to be satisfied for a deny.
I think below change to your policy rule should work.
"policyRule": {
"if": {
"allof":[
{
"field": "type",
"equals": "Microsoft.Compute/VirtualMachines"
},
{
"not": {
"field": "name",
"match": "[parameters('namePattern')]"
}
}
]
},
"then": {
"effect": "deny"
}
}
Related
I need to add the resource type as the tag value. Can someone help me to create this ?
So far I have this sample policy applied. I need to add the tag name resource_class with the resource type and it should get it from the type and I can split the name into Type name in value.
{
"mode": "Indexed",
"policyRule": {
"if": {
"anyOf": [
{
"field": "tags[division]",
"exists": "false"
},
{
"field": "tags[division_code]",
"exists": "false"
}
]
},
"then": {
"effect": "append",
"details": [
{
"field": "tags[division]",
"value": "[tolower(parameters('division'))]"
},
{
"field": "tags[division_code]",
"value": "[tolower(parameters('division_code'))]"
}
]
}
},
"parameters": {
"division": {
"type": "String",
"metadata": {
"displayName": "division",
"description": "Value of the tag, such as 'production'"
}
},
"division_code": {
"type": "String",
"metadata": {
"displayName": "division_code",
"description": "Value of the tag, such as '1234'"
}
}
}
}
My understanding is that you are trying to add resource type as a tag value. if it's correct you can write like below
{
"field": "tags[division]",
"value": "[field('type')]"
}
As per the documentation Currently, Not all resource types support tags. To determine if you can apply a tag to a resource type, see Tag support for Azure resources.
You can use Azure Policy Framework and there is built-in definition to reach your requirement.
Based on the doc..
For more information please refer the below links:
. Azure Policy pattern: tags| MS DOC .
.Azure Poilicy Sample| MS DOC.
I'm doing something incorrectly here regarding an Azure Policy I'm creating. Trying to create a naming policy that blocks creation of a resource (in this case a resource group) that doesn't match.
{
"properties": {
"mode": "All",
"displayName": "Company Naming Convention - Resource Groups",
"description": "This policy governs the naming standard for resource groups and should be assigned at the resource group scope. The naming scheme is rg-region-workload name-environment-optional instance number'.",
"metadata": {
"category": "Governance"
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/resourceGroups"
},
{
"allOf": [
{
"field": "name",
"notLike": "rg-useast-*"
},
{
"field": "name",
"notLike": "rg-useast2-*"
},
{
"field": "name",
"notLike": "rg-uscentral-*"
},
{
"field": "name",
"notLike": "rg-uksouth-*"
}
]
},
{
"allOf": [
{
"field": "name",
"notLike": "*-production.###"
},
{
"field": "name",
"notLike": "*-development.###"
},
{
"field": "name",
"notLike": "*-qualityassurance.###"
},
{
"field": "name",
"notLike": "*-testing.###"
}
]
}
]
},
"then": {
"effect": "deny"
}
}
}
}
I'd ALSO like to create a policy to audit existing resources that don't match this name, but I can address that later. Anyone have a suggestion what I'm doing wrong or a better way to go about this?
Ok... so the original policy works great... if I actually looked at the right resource. Should be "Microsoft.Resources/subscriptions/resourceGroups" not "Microsoft.Resources/resourceGroups". Dang do I feel like an idiot...
You are using incorrect syntax in your Azure Policy Definition. The allOf syntax requires all conditions to be true and you can keep all the conditions in single allOf Operator.
Modified version of Policy for reference :
{
"properties": {
"mode": "All",
"displayName": "Company Naming Convention - Resource Groups",
"description": "This policy governs the naming standard for resource groups and should be assigned at the resource group scope. The naming scheme is rg-region-workload name-environment-optional instance number'.",
"metadata": {
"category": "Governance"
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "name",
"notLike": "rg-useast-*"
},
{
"field": "name",
"notLike": "rg-useast2-*"
},
{
"field": "name",
"notLike": "rg-uscentral-*"
},
{
"field": "name",
"notLike": "rg-uksouth-*"
},
{
"field": "name",
"notLike": "*-production.###"
},
{
"field": "name",
"notLike": "*-development.###"
},
{
"field": "name",
"notLike": "*-qualityassurance.###"
},
{
"field": "name",
"notLike": "*-testing.###"
}
]
},
"then": {
"effect": "deny"
}
}
}
}
Also note, it takes around 30 minutes for the assignment to be applied to the defined scope. For more information on evaluation cycle of Azure Policy, refer this document.
For on-demand evaluation , use az cli command : az policy state trigger-scan
I'd like to enforce tag value pattern "RJGVM-###" for a Tag which will be required for resource groups.
I manage to make it required, but whenever I put in any value it still passes.
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"not": {
"field": "[concat('tags[',parameters('tagName'), ']')]",
"exists": "true"
}
},
{
"value": "[resourceGroup().tags[parameters('tagName')]]",
"notMatch": "RJGVM-###"
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Name of the tag, such as 'environment'"
}
}
}
}
Please refer this example mentioned in the below link to ensure match pattern on tag value :
https://github.com/Azure/azure-policy/tree/master/samples/TextPatterns/enforce-tag-match-pattern
I've trying to create a custom policy that will deny based on tag value. The tag is "external VM". The policy then allows a set of approved extensions to be deployed. However when I try to add the tag using "tag.external vm" it shows an error, which is the same as at the end of this essay (The value of 'field' property 'Tag' of the policy rule must be one of 'Name, Type, Location, Tags, Kind, FullName, Identity.type' or an alias, e.g.).
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "tag.External VM",
"equals": "Third Party"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
"equals": "Microsoft.Compute"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/type",
"notin": "[parameters('AllowedExtensions')]"
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {
"AllowedExtensions": {
"type": "Array",
"metadata": {
"displayName": "AllowedExtensions",
"description": "Allowed VM Extensions"
}
}
}
}
The parameter file is
{
"AllowedExtensions": {
"type": "Array",
"metadata": {
"description": "The list of extensions that will be Allowed.",
"strongType": "type",
"displayName": "Allowed extension"
}
},
"tagName": {
"type": "String",
"metadata": {
"description": "The Referenced Tag Name.",
"displayName": "Tag to Query"
}
}
}
Is there a way to assign the tag name with the space in it. There other option was to have it re-tagged with "external-vm" or to parameterise the tagname such as
{
"field": "[parameters('tagName')]",
"equals": "Third Party"
},
But this gives me the error
The value of 'field' property 'Tag' of the policy rule must be one of 'Name, Type, Location, Tags, Kind, FullName, Identity.type' or an alias, e.g.
Any thought?
Thanks in advance.
Parameter was incorrect
"[concat('tags[', parameters('tagName'), ']')]",
adding it as a parameter resolved the tissue.
There is a requirement where I need to write a policy to turn Firewall ON for DataLake Store. this policy should be written in JSON and need to deploy on Azure.
Anyone, who can help me on JSON part.
To enable firewall when creating the DataLake Store , you could refer to my sample policy, it works fine on my side.
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DataLakeStore/accounts"
},
{
"field": "Microsoft.DataLakeStore/accounts/firewallState",
"equals": "Disabled"
}
]
},
"then": {
"effect": "deny"
}
}
You need to use Append mode in effect to change the value.
{
"if": {
"field": "Microsoft.DataLakeStore/accounts/firewallState",
"equals": "Disabled"
},
"then": {
"effect": "append",
"details": [
{
"field": "Microsoft.DataLakeStore/accounts/firewallState",
"value": "Enabled"
}
]
}
}