
Define Azure Resource Manager Policies

Azure Resource Manager policies give you a way to manage risk within your Azure environment: you write policies that describe the conditions a resource request must meet, and Resource Manager enforces them on every create or update request that passes through it.

  • By default everything is allowed; a policy only restricts what would otherwise be permitted, so a resource is allowed until a policy says otherwise.
  • Policies are described by policy definitions in a policy definition language (if-then conditions).
  • You create policies as JSON formatted files.

Policies that you have defined can be assigned to certain scopes, and an assignment applies to every resource created below that scope:

  • Subscription
  • Resource group
  • Individual resource

The scope is expressed as the resource ID of the subscription, resource group or resource.

Within the definition of a policy you can specify one of the following effects:

  • Deny: blocks the resource request; the request fails and nothing is created or changed.
  • Audit: allows the request but writes a warning event to the activity log. These events can be used to trigger follow-up actions, for example in Azure Automation.
  • Append: adds the specified fields to the request, for example tagging the resource with useful information. Append does not overwrite: if the field is already present with a different value, the request is denied instead.
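To see how the if-then language and the three effects behave before anything is assigned, here is a small local dry run of a policy definition against sample requests. This is an added example and not code from the original post or its repository: it implements the operators the post's policies use (field, in, equals, not) plus allOf, anyOf and exists, and the deny, audit and append effects. The three policies and the request objects are constructed for this example. Azure evaluates all assigned policies together and deny wins; here each policy is evaluated on its own so the effect of each one is visible.

```powershell
# Added example: local dry-run evaluator for the Azure Policy if-then language.
# Not the post's or Azure's own code; policies and requests below are constructed.

function Test-Prop { param($Obj, [string]$Name) return ($null -ne $Obj.PSObject.Properties[$Name]) }

# Read a field path such as "location" or "tags.owner" from a request object.
function Get-FieldValue {
    param($Resource, [string]$Path)
    $node = $Resource
    foreach ($part in $Path.Split('.')) {
        if ($null -eq $node -or -not (Test-Prop $node $part)) { return $null }
        $node = $node.$part
    }
    return $node
}

# Write a field path, creating intermediate objects (for example "tags") when missing.
function Set-FieldValue {
    param($Resource, [string]$Path, $Value)
    $parts = $Path.Split('.')
    $node = $Resource
    for ($i = 0; $i -lt $parts.Length - 1; $i++) {
        $name = $parts[$i]
        if (-not (Test-Prop $node $name)) { $node | Add-Member -NotePropertyName $name -NotePropertyValue ([pscustomobject]@{}) }
        $node = $node.$name
    }
    $leaf = $parts[-1]
    if (Test-Prop $node $leaf) { $node.$leaf = $Value }
    else { $node | Add-Member -NotePropertyName $leaf -NotePropertyValue $Value }
}

# Evaluate an "if" block. String comparisons are case-insensitive, as in Azure Policy.
function Test-PolicyCondition {
    param($Condition, $Resource)
    if (Test-Prop $Condition 'not')   { return -not (Test-PolicyCondition $Condition.'not' $Resource) }
    if (Test-Prop $Condition 'allOf') { return @($Condition.allOf | Where-Object { -not (Test-PolicyCondition $_ $Resource) }).Count -eq 0 }
    if (Test-Prop $Condition 'anyOf') { return @($Condition.anyOf | Where-Object { Test-PolicyCondition $_ $Resource }).Count -gt 0 }
    $value = Get-FieldValue $Resource $Condition.field
    if (Test-Prop $Condition 'equals') { return $value -eq $Condition.equals }
    if (Test-Prop $Condition 'in')     { return @($Condition.'in') -contains $value }
    if (Test-Prop $Condition 'exists') { return ($null -ne $value) -eq [bool]::Parse($Condition.exists) }
    throw "Unsupported condition: $($Condition | ConvertTo-Json -Compress)"
}

# Apply one policy definition to one request and report the resulting effect.
function Invoke-PolicyDryRun {
    param([string]$PolicyJson, $Request)
    $policy = $PolicyJson | ConvertFrom-Json
    if (-not (Test-PolicyCondition $policy.'if' $Request)) { return 'allow' }   # no match: allowed by default
    $effect = $policy.'then'.effect.ToLower()
    if ($effect -eq 'append') {
        foreach ($d in @($policy.'then'.details)) {
            $existing = Get-FieldValue $Request $d.field
            # append never overwrites: a conflicting existing value turns the request into a deny
            if ($null -ne $existing -and $existing -ne $d.value) { return "deny (append conflict on $($d.field))" }
            Set-FieldValue $Request $d.field $d.value
        }
    }
    return $effect
}

# Constructed policies: the post's region deny, an append that tags storage accounts,
# and an audit of storage accounts that carry no owner tag.
$regionPolicy = @'
{ "if": { "not": { "field": "location", "in": [ "northeurope", "westeurope" ] } }, "then": { "effect": "deny" } }
'@
$tagPolicy = @'
{ "if": { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
  "then": { "effect": "append", "details": [ { "field": "tags.costCenter", "value": "SEC-01" } ] } }
'@
$auditPolicy = @'
{ "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
                     { "field": "tags.owner", "exists": "false" } ] }, "then": { "effect": "audit" } }
'@
$policies = @{ region = $regionPolicy; tag = $tagPolicy; audit = $auditPolicy }

# Constructed requests: allowed region, disallowed region, and a mixed-case region with a conflicting tag.
$requests = @(
    [pscustomobject]@{ name = 'stweu01'; type = 'Microsoft.Storage/storageAccounts'; location = 'westeurope' },
    [pscustomobject]@{ name = 'stuse01'; type = 'Microsoft.Storage/storageAccounts'; location = 'eastus' },
    [pscustomobject]@{ name = 'stweu02'; type = 'Microsoft.Storage/storageAccounts'; location = 'WestEurope'
                       tags = [pscustomobject]@{ owner = 'secops'; costCenter = 'OTHER' } }
)

foreach ($r in $requests) {
    foreach ($p in 'region', 'tag', 'audit') {
        $effect = Invoke-PolicyDryRun -PolicyJson $policies[$p] -Request $r
        '{0,-8} {1,-10} {2,-6} -> {3,-38} tags={4}' -f $r.name, $r.location, $p, $effect, ($r.tags | ConvertTo-Json -Compress)
    }
}
```

Running it shows stuse01 denied by the region policy, stweu02 allowed because the in operator ignores case, the append adding costCenter to requests that have no tags, and the same append turning into a deny for stweu02 because its costCenter already holds a different value; the audit policy fires only for the requests without an owner tag.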

I started to create Azure Resource Manager Policies and created a GitHub repository to save and share them.

Within this repository you can add policies and work together on them to build up a default set of policies.

The repository also contains script files to assign the policies to specific scopes.

Implementation

One of the policies in the repository ensures that resources are created only in the Europe regions.

The policy is written as an if-then condition: if the resource is not created in West Europe (westeurope) or North Europe (northeurope), the request is denied (deny).

{
    "$schema": "http://schema.management.azure.com/schemas/2015-10-01-preview/policyDefinition.json",
    "if": {
        "not": {
            "field": "location",
            "in" : ["northeurope" , "westeurope"]
        }
    },
    "then": {
        "effect": "deny"
    }
}

The $schema reference in the policy file gives you type-ahead (IntelliSense) in JSON editors; it has no influence on how the policy is evaluated.

This policy can be assigned to a scope by executing two PowerShell commands from the AzureRm module:

  1. New-AzureRmPolicyDefinition
  2. New-AzureRmPolicyAssignment

The first command creates the definition (at subscription level) and saves it in a PowerShell object.

$policy = New-AzureRmPolicyDefinition -Name [Policy Name] -Description [Policy Description] -Policy [Path to Policy JSON File]

The second command then assigns the definition to a certain scope.

New-AzureRmPolicyAssignment -Name [Policy Name] -PolicyDefinition $policy -Scope [Scope]

Putting everything together and making the script as generic as possible gives the following script, which assigns a policy to a resource group.

$policyName = Read-Host "Specify the name of the policy"
$policyDescription = Read-Host "Specify the description of the policy"
$policyFile = Read-Host "Path to the JSON policy file"
$resourceGroup = Read-Host "Specify the resource group"

# Log in to Azure Resource Manager
Login-AzureRmAccount

# Let the user choose the right subscription
Write-Host "---------------------------------------------------------------------"
Write-Host "Your current subscriptions: " -ForegroundColor Yellow
Get-AzureRmSubscription
Write-Host "Enter the Subscription ID to deploy to: " -ForegroundColor Green
$sub = Read-Host
Set-AzureRmContext -SubscriptionId $sub
Clear-Host

# Note: in AzureRm 4.x and later these properties are called Id and Name
$subId = (Get-AzureRmContext).Subscription.SubscriptionId
$subName = (Get-AzureRmContext).Subscription.SubscriptionName

Write-Host "Policy is applied to the resource group: $resourceGroup in subscription: $subName"

# Create the definition; it lives at subscription level and can be reused by other assignments
$policy = New-AzureRmPolicyDefinition -Name $policyName -Description $policyDescription -Policy $policyFile

# Assign the Azure Policy to the resource group scope
New-AzureRmPolicyAssignment -Name $policyName -PolicyDefinition $policy -Scope "/subscriptions/$subId/resourceGroups/$resourceGroup"

After assigning the policy, an attempt to create a resource in another region results in an error. The message is usually quite descriptive, as the image below shows: it carries the error code RequestDisallowedByPolicy and identifies the policy that blocked the request.

(Image: Policy Message)
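A control that is only assumed to work is not a control, so it is worth testing the assignment from the client side. The function below is an added example, not code from the post or its repository: it lists the policy assignments in force at the resource group scope and then deliberately requests a cheap resource in a region the policy denies, treating only a RequestDisallowedByPolicy error as success. It assumes the AzureRm module is loaded and you are logged in to the right subscription; the resource group name, the disallowed region and the storage account name prefix are assumptions for the example.

```powershell
# Added example: verify that the region policy assigned to a resource group is enforced.
# Not the post's own code. Requires the AzureRm module and an existing login.
function Test-RegionPolicyEnforced {
    param(
        [Parameter(Mandatory)][string]$ResourceGroup,   # assumed: the RG the policy was assigned to
        [string]$DisallowedLocation = 'eastus'          # assumed: a region outside the allowed list
    )
    # SubscriptionId is the property name used in the post; AzureRm 4.x and later call it Id
    $subId = (Get-AzureRmContext).Subscription.SubscriptionId
    $scope = "/subscriptions/$subId/resourceGroups/$ResourceGroup"

    # 1. Which assignments apply at this scope (inherited from the subscription included)?
    Get-AzureRmPolicyAssignment -Scope $scope | Select-Object Name, ResourceId | Format-Table -AutoSize

    # 2. Request a resource where the policy should say no. Storage account names must be
    #    3-24 lowercase alphanumerics and globally unique, hence the random suffix.
    $suffix = -join ((48..57 + 97..122) | Get-Random -Count 8 | ForEach-Object { [char]$_ })
    $name = "stpolicytest$suffix"
    try {
        New-AzureRmStorageAccount -ResourceGroupName $ResourceGroup -Name $name `
            -Location $DisallowedLocation -SkuName Standard_LRS -Kind Storage -ErrorAction Stop | Out-Null

        # Reaching this point means the request went through: the policy is not enforced.
        # Remove the test resource so the check leaves nothing behind, then report failure.
        Remove-AzureRmStorageAccount -ResourceGroupName $ResourceGroup -Name $name -Force
        Write-Warning "Policy NOT enforced: $name was created in $DisallowedLocation"
        return $false
    }
    catch {
        # The deny effect is reported by Resource Manager with error code RequestDisallowedByPolicy.
        if ($_.Exception.Message -match 'RequestDisallowedByPolicy') {
            Write-Host "Policy enforced: $name in $DisallowedLocation was denied" -ForegroundColor Green
            return $true
        }
        # Anything else (authentication, quota, name collision) is a test error, not a verdict.
        throw
    }
}

# Usage (assumed resource group name):
# Test-RegionPolicyEnforced -ResourceGroup 'rg-policy-test'
```

Run it once right after the assignment and again after any change to the policy definition; a $false result means the request was accepted, and the function has already removed the resource it created.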

GitHub

Check out the GitHub repository for the script files and the policies, and share your own policy definitions there:

https://github.com/MaikvanderGaag/MSFT-Azure-Policy


One Comment

  1. Thank you for your article, I have been working on enforcing the Windows policy to users

    $PolicyAssignmentName = "LimitVMTest"
    $rg = Get-AzureRmResourceGroup -Name "AzureResourcePolicyTest"
    $Scope = "/subscriptions/$($Sub.Subscription.SubscriptionId)/resourceGroups/$($rg.ResourceId)"

    Hope the scope above is correct?
