There is a requirement where I need to write a policy to turn Firewall ON for DataLake Store. this policy should be written in JSON and need to deploy on Azure.
Anyone, who can help me on JSON part.
To enable firewall when creating the DataLake Store , you could refer to my sample policy, it works fine on my side.
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DataLakeStore/accounts"
},
{
"field": "Microsoft.DataLakeStore/accounts/firewallState",
"equals": "Disabled"
}
]
},
"then": {
"effect": "deny"
}
}
You need to use Append mode in effect to change the value.
{
"if": {
"field": "Microsoft.DataLakeStore/accounts/firewallState",
"equals": "Disabled"
},
"then": {
"effect": "append",
"details": [
{
"field": "Microsoft.DataLakeStore/accounts/firewallState",
"value": "Enabled"
}
]
}
}
Related
Hey I am looking to assign Azure Policy which will deny creation of Network Interfaces without NSG attached.
I looked with build-in role and couldn't find anything related. Maybe someone have script that does the job.
Thanks for your help in advance.
I tried to create the azure policy to deny creation of network interface without NSG
I have created the policy definition named network
In the policy rule write the below json script to create the policy rules to deny the virtual network without NSG rules
I took the example reference from git URL #withstu
{
"name": "Deny-Subnet-Without-Nsg",
"type": "Microsoft.Authorization/policyDefinitions",
"apiVersion": "2022-11-22",
"scope": null,
"properties": {
"policyType": "Custom",
"mode": "All",
"displayName": "Subnets should have a Network Security Group",
"description": " policy will deny the creation of a network/subnet with out an NSG.",
"metadata": {
"version": "1.1.0",
"category": "Network"
},
"parameters": {
"effect": {
"type": "String",
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny",
"metadata": {
"displayName": "Effect",
"description": " disable the execution of the policy"
}
},
"excludedSubnets": {
"type": "Array",
"metadata": {
"displayName": "Excluded Subnets",
"description": "subnets excluded from this policy"
},
"defaultValue": [
"GatewaySubnet",
"AzureFirewallSubnet",
"AzureFirewallManagementSubnet"
]
}
},
"policyRule": {
"if": {
"anyOf": [
{
"allOf": [
{
"equals": "Microsoft.Network/virtualNetworks",
"field": "type"
},
{
"exists": "false",
"field": "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id"
}
]
},
{
"allOf": [
{
"equals": "Microsoft.Network/virtualNetworks/subnets",
"field": "type"
},
{
"field": "name",
"notIn": "[parameters('excludedSubnets')]"
},
{
"exists": "false",
"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
}
}
I have assigned the policy to the policy definition
In left side of the menu click on Assignment => click on assign policy and added the appropriate fields to create
After assigning the polices it will take 30 minutes to reflect
I am trying to creating the virtual network , I got the error because of deny subnet without NSG
I need to add the resource type as the tag value. Can someone help me to create this ?
So far I have this sample policy applied. I need to add the tag name resource_class with the resource type and it should get it from the type and I can split the name into Type name in value.
{
"mode": "Indexed",
"policyRule": {
"if": {
"anyOf": [
{
"field": "tags[division]",
"exists": "false"
},
{
"field": "tags[division_code]",
"exists": "false"
}
]
},
"then": {
"effect": "append",
"details": [
{
"field": "tags[division]",
"value": "[tolower(parameters('division'))]"
},
{
"field": "tags[division_code]",
"value": "[tolower(parameters('division_code'))]"
}
]
}
},
"parameters": {
"division": {
"type": "String",
"metadata": {
"displayName": "division",
"description": "Value of the tag, such as 'production'"
}
},
"division_code": {
"type": "String",
"metadata": {
"displayName": "division_code",
"description": "Value of the tag, such as '1234'"
}
}
}
}
My understanding is that you are trying to add resource type as a tag value. if it's correct you can write like below
{
"field": "tags[division]",
"value": "[field('type')]"
}
As per the documentation Currently, Not all resource types support tags. To determine if you can apply a tag to a resource type, see Tag support for Azure resources.
You can use Azure Policy Framework and there is built-in definition to reach your requirement.
Based on the doc..
For more information please refer the below links:
. Azure Policy pattern: tags| MS DOC .
.Azure Poilicy Sample| MS DOC.
I'm currently using the following exsistance condition:
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Compute/virtualMachines/extensions/instanceView.name",
"equals": "customextensionname"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
"equals": "Microsoft.Compute"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
"equals": "Succeeded"
}
]
I tried using extension/name and I get an error that it's not available. My policy checks for all windows VMs, but I'm not sure how to check the name of the extension. It's there, but it reports non compliant and that there is no value for instanceView.name..
i think it should be something like this:
{
"field": "type",
"equals": "Microsoft.Compute/VirtualMachines/extensions"
},
{
"not": {
"field": "name",
"equals": "customextensionname"
}
}
You don't need an alias for name. It's a supported top level field. Within the existence condition it will refer to the related resource - the extension in your case - not the evaluated resource.
Your existence condition will work like this:
"existenceCondition": {
"allOf": [
{
"field": "name",
"equals": "customextensionname"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
"equals": "Microsoft.Compute"
},
{
"field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
"equals": "Succeeded"
}
]
Microsoft provides a JSON-Template for an Azure policy:
{
"properties": {
"displayName": "Hostname pattern with match condition.",
"description": "Enforce a naming pattern on Hostnames with the match condition.",
"mode": "All",
"parameters": {
"namePattern": {
"type": "String",
"metadata": {
"description": "Pattern to use for Hostnames. Can include ? for letters and # for numbers."
}
}
},
"policyRule": {
"if": {
"not": {
"field": "name",
"match": "[parameters('namePattern')]"
}
},
"then": {
"effect": "deny"
}
}
}
}
But this JSON checks for ALL resources in Azure (NICs, Disks, etc). I want only a Policy for Hostnames.
I think I have somewhere to inject the qualifier for /Microsoft.Compute/virtualMachines/ - but where? Every try ends up in an invalid JSON-File. Thanks for helping!
You can restrict the types of resources by specifying a check on the type field. We need to add "allOf" because we need all the conditions to be satisfied for a deny.
I think below change to your policy rule should work.
"policyRule": {
"if": {
"allof":[
{
"field": "type",
"equals": "Microsoft.Compute/VirtualMachines"
},
{
"not": {
"field": "name",
"match": "[parameters('namePattern')]"
}
}
]
},
"then": {
"effect": "deny"
}
}
Unable to check api version in Definition JSON. Below is the definition along with JSON.
New-AzureRmPolicyDefinition -Policy '{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DataFactory/factories"
},
{
"field": "apiVersion",
"equals": "2017-09-01-preview"
}
]
},
"then": {
"effect": "deny"
}
}' -Name 'DataFactoryVersionRestriction'
When I run above definition, it is throwing error related to alias. Can someone please help?
Use the alias Microsoft.DataFactory/factories/version