Unable to check the API version in the definition JSON. Below is the definition along with the JSON.
New-AzureRmPolicyDefinition -Policy '{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.DataFactory/factories"
      },
      {
        "field": "apiVersion",
        "equals": "2017-09-01-preview"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}' -Name 'DataFactoryVersionRestriction'
When I run the above definition, it throws an error related to the alias. Can someone please help?
Use the alias Microsoft.DataFactory/factories/version
I need to add the resource type as the tag value. Can someone help me create this?
So far I have this sample policy applied. I need to add a tag named resource_class with the resource type as its value; it should get it from the type, and I can split the name into the type name in the value.
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "field": "tags[division]",
          "exists": "false"
        },
        {
          "field": "tags[division_code]",
          "exists": "false"
        }
      ]
    },
    "then": {
      "effect": "append",
      "details": [
        {
          "field": "tags[division]",
          "value": "[tolower(parameters('division'))]"
        },
        {
          "field": "tags[division_code]",
          "value": "[tolower(parameters('division_code'))]"
        }
      ]
    }
  },
  "parameters": {
    "division": {
      "type": "String",
      "metadata": {
        "displayName": "division",
        "description": "Value of the tag, such as 'production'"
      }
    },
    "division_code": {
      "type": "String",
      "metadata": {
        "displayName": "division_code",
        "description": "Value of the tag, such as '1234'"
      }
    }
  }
}
My understanding is that you are trying to add the resource type as a tag value. If that's correct, you can write it like below:
{
  "field": "tags[division]",
  "value": "[field('type')]"
}
As per the documentation, currently not all resource types support tags. To determine if you can apply a tag to a resource type, see Tag support for Azure resources.
You can use the Azure Policy framework, and there is a built-in definition that meets your requirement.
Based on the doc.
For more information please refer to the links below:
Azure Policy pattern: tags | MS DOC
Azure Policy Sample | MS DOC
I'm currently using the following existence condition:
"existenceCondition": {
  "allOf": [
    {
      "field": "Microsoft.Compute/virtualMachines/extensions/instanceView.name",
      "equals": "customextensionname"
    },
    {
      "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
      "equals": "Microsoft.Compute"
    },
    {
      "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
      "equals": "Succeeded"
    }
  ]
}
I tried using extensions/name and I get an error that it's not available. My policy checks all Windows VMs, but I'm not sure how to check the name of the extension. It's there, but it reports non-compliant and says that there is no value for instanceView.name.
I think it should be something like this:
{
  "field": "type",
  "equals": "Microsoft.Compute/VirtualMachines/extensions"
},
{
  "not": {
    "field": "name",
    "equals": "customextensionname"
  }
}
You don't need an alias for name. It's a supported top level field. Within the existence condition it will refer to the related resource - the extension in your case - not the evaluated resource.
Your existence condition will work like this:
"existenceCondition": {
  "allOf": [
    {
      "field": "name",
      "equals": "customextensionname"
    },
    {
      "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
      "equals": "Microsoft.Compute"
    },
    {
      "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
      "equals": "Succeeded"
    }
  ]
}
Microsoft provides a JSON template for an Azure policy:
{
  "properties": {
    "displayName": "Hostname pattern with match condition.",
    "description": "Enforce a naming pattern on Hostnames with the match condition.",
    "mode": "All",
    "parameters": {
      "namePattern": {
        "type": "String",
        "metadata": {
          "description": "Pattern to use for Hostnames. Can include ? for letters and # for numbers."
        }
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "name",
          "match": "[parameters('namePattern')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
But this JSON checks ALL resources in Azure (NICs, disks, etc.). I want a policy for hostnames only.
I think I have to inject the qualifier for /Microsoft.Compute/virtualMachines/ somewhere - but where? Every try ends up in an invalid JSON file. Thanks for helping!
You can restrict the types of resources by specifying a check on the type field. We need to add "allOf" because all of the conditions must be satisfied for a deny.
I think the change below to your policy rule should work.
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/VirtualMachines"
      },
      {
        "not": {
          "field": "name",
          "match": "[parameters('namePattern')]"
        }
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
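To see the difference between the unscoped template and the type-scoped rule without deploying anything, here is an added example (not part of the question or answer, and not Azure's own evaluator): a small Python evaluator for the subset of the policy rule language used in this thread (allOf/anyOf/not, field with equals/match/exists, and "[parameters('x')]" references), run over constructed sample resources. The pattern "vm-???-##" and the resources are assumptions; the real evaluator supports more operators and aliases.

```python
import re

# Added example: offline approximation of Azure Policy rule evaluation for the
# operators used in this thread. Constructed inputs only; not Azure's implementation.

def match_pattern(value, pattern):
    """Azure 'match': '#' = one digit, '?' = one letter, anything else literal."""
    return len(value) == len(pattern) and all(
        v.isdigit() if p == "#" else v.isalpha() if p == "?" else v == p
        for v, p in zip(value, pattern))

def resolve(value, parameters):
    """Substitute "[parameters('name')]" template expressions with their values."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value) if isinstance(value, str) else None
    return parameters[m.group(1)] if m else value

def evaluate(cond, resource, parameters):
    """Return True when the resource satisfies the condition."""
    if "allOf" in cond: return all(evaluate(c, resource, parameters) for c in cond["allOf"])
    if "anyOf" in cond: return any(evaluate(c, resource, parameters) for c in cond["anyOf"])
    if "not" in cond: return not evaluate(cond["not"], resource, parameters)
    actual = resource.get(cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:   # 'equals' is case-insensitive in Azure Policy
        return str(actual).lower() == str(resolve(cond["equals"], parameters)).lower()
    if "match" in cond:    # 'match' is case-sensitive
        return actual is not None and match_pattern(actual, resolve(cond["match"], parameters))
    raise ValueError("unsupported condition: %r" % cond)

def is_denied(policy_rule, resource, parameters):
    return policy_rule["then"]["effect"] == "deny" and evaluate(policy_rule["if"], resource, parameters)

NAME_ONLY = {"if": {"not": {"field": "name", "match": "[parameters('namePattern')]"}},
             "then": {"effect": "deny"}}                      # the unscoped template
VM_SCOPED = {"if": {"allOf": [{"field": "type", "equals": "Microsoft.Compute/VirtualMachines"},
                              {"not": {"field": "name", "match": "[parameters('namePattern')]"}}]},
             "then": {"effect": "deny"}}                      # the answer's rule
PARAMS = {"namePattern": "vm-???-##"}                          # constructed: e.g. vm-web-01
RESOURCES = [                                                  # constructed sample resources
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-web-01"},
    {"type": "Microsoft.Compute/virtualMachines", "name": "server1"},
    {"type": "Microsoft.Network/networkInterfaces", "name": "vm-web-01-nic"},
]

def denied_names(policy_rule):
    """Names of the sample resources that the given rule would deny."""
    return [r["name"] for r in RESOURCES if is_denied(policy_rule, r, PARAMS)]
```

Running denied_names(NAME_ONLY) reports both the mis-named VM and the NIC, while denied_names(VM_SCOPED) reports only the mis-named VM, which is the behaviour the question is after.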
There is a requirement where I need to write a policy to turn the firewall ON for Data Lake Store. This policy should be written in JSON and needs to be deployed on Azure.
Can anyone help me with the JSON part?
To enable the firewall when creating the Data Lake Store, you could refer to my sample policy; it works fine on my side.
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.DataLakeStore/accounts"
      },
      {
        "field": "Microsoft.DataLakeStore/accounts/firewallState",
        "equals": "Disabled"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
You need to use the append effect to change the value.
{
  "if": {
    "field": "Microsoft.DataLakeStore/accounts/firewallState",
    "equals": "Disabled"
  },
  "then": {
    "effect": "append",
    "details": [
      {
        "field": "Microsoft.DataLakeStore/accounts/firewallState",
        "value": "Enabled"
      }
    ]
  }
}
Edit: I thought I'd tried this before posting, but I guess not. The solution was:
"listPublishingUsername": {
  "value": "[list(resourceId('Microsoft.Web/sites/config', variables('websiteName'), 'publishingcredentials'), '2016-08-01').properties.publishingUserName]",
  "type": "string"
},
"listPublishingPassword": {
  "value": "[list(resourceId('Microsoft.Web/sites/config', variables('websiteName'), 'publishingcredentials'), '2016-08-01').properties.publishingPassword]",
  "type": "string"
}
I'm trying to get the nested publishingUsername/publishingPassword values from an Azure JSON deployment.
With:
"outputs": {
  "listPublishingCredentials": {
    "value": "[list(resourceId('Microsoft.Web/sites/config', parameters('sites_testdsfsdfsfsfs_name'), 'publishingcredentials'), '2014-06-01')]",
    "type": "object"
  }
}
I'm able to get all the values that I can see in the resource portal.
If I suffix it with .parameters I'm able to get down a level to just the parameters; however, if I try parameters.publishingPassword (which would be the nested value based on the resource view) it returns an error:
"code": "DeploymentOutputEvaluationFailed",
"target": "listPublishingCredentials",
"message": "The template output 'listPublishingCredentials' is not valid: Index (zero based) must be greater than or equal to zero and less than the size of the argument list..""
Alternatively, is there any documentation that explains what parameters/syntax is valid for resources like Microsoft.Web/sites/config?
Edit:
"outputs": {
  "listPublishingCredentials": {
    "value": "[list(resourceId('Microsoft.Web/sites/config', parameters('sites_testdsfsdfsfsfs_name'), 'publishingcredentials'), '2016-08-01').properties]",
    "type": "object"
  }
}
works, but
"outputs": {
  "listPublishingCredentials": {
    "value": "[list(resourceId('Microsoft.Web/sites/config', parameters('sites_testdsfsdfsfsfs_name'), 'publishingcredentials'), '2016-08-01').properties.publishingPassword]",
    "type": "object"
  }
}
doesn't.