Implementing governance of resources with Azure Policy. Several Policy samples can be found in the Azure/Community-Policy repository.
Create the baseline resources:
terraform init
terraform apply -auto-approve
The next sections build upon this.
Create the tags policy:
You may optionally add policy parameters.
az policy definition create --name CostCenter --rules @policies/costcenter/rules.json
Replace the SUBSCRIPTION_ID placeholder and execute the following to create the initiative:
An initiative can have groups, initiative parameters, and also policy parameters.
az policy set-definition create -n requireCostCenterTag \
--definitions '[ { "policyDefinitionId": "/subscriptions/SUBSCRIPTION_ID/providers/Microsoft.Authorization/policyDefinitions/CostCenter" } ]'
Assign the initiative:
Assignments can have exclusions, an enforcement mode (enabled/disabled) and, most importantly, remediation.
In preview, there are also resource selectors and overrides.
az policy assignment create -n CostCenter --policy-set-definition requireCostCenterTag \
--scope /subscriptions/SUBSCRIPTION_ID/resourceGroups/rg-bigfactory
Create the base resource group:
az group create -n rg-policy-sandbox -l brazilsouth
To force/refresh a policy scan:
az policy state trigger-scan --resource-group "rg-policy-sandbox"
Load the subscription ID for the following commands:
subscriptionId=$(az account show --query id -o tsv)
Get your public IP in case you need to customize parameters:
curl ipinfo.io/ip
When creating a policy, identify the correct Resource Provider mode.
The mode determines which resource types are evaluated for a policy definition. The supported modes are:
all: evaluate resource groups, subscriptions, and all resource types
indexed: only evaluate resource types that support tags and location
Create the policy and assign the policy:
az policy definition create --name AppendSample \
--rules @policies/effects/append-rules.json \
--params @policies/effects/append-params.json
az policy assignment create -n AppendRuleToStorage --policy AppendSample \
--scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
--enforcement-mode Default
Create the storage account:
az storage account create \
--name sandbox \
--resource-group rg-policy-sandbox \
--location brazilsouth \
--sku Standard_LRS \
--allow-blob-public-access false \
--default-action Deny \
--bypass AzureServices Logging Metrics \
--tags PolicySandbox
Audit effect sample:
az policy definition create --name AuditSample \
--rules @policies/effects/audit-rules.json
az policy assignment create -n AuditSample --policy AuditSample \
--scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
--enforcement-mode Default
az vm create \
--resource-group rg-policy-sandbox \
--location brazilsouth \
--name vm-debian \
--image Debian11 \
--admin-username debianadmin \
--generate-ssh-keys \
--public-ip-sku Standard \
--size Standard_B1s
Set the policy:
az policy definition create --name AuditIfNotExistsSample \
--rules @policies/effects/auditIfNotExists-rules.json
az policy assignment create -n AuditIfNotExistsSample --policy AuditIfNotExistsSample \
--scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
--enforcement-mode Default
Set the Deny policy:
az policy definition create --name DenySample \
--rules @policies/effects/deny-rules.json
az policy assignment create -n DenySample --policy DenySample \
--scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
--enforcement-mode Default
Try to create the storage. This command should be denied by the policy:
az storage account create \
--name sandbox \
--resource-group rg-policy-sandbox \
--location brazilsouth \
--sku Standard_LRS \
--allow-blob-public-access false
Set the DenyAction policy:
az policy definition create --name DenyActionSample \
--rules @policies/effects/denyAction-rules.json
az policy assignment create -n DenyActionSample --policy DenyActionSample \
--scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
--enforcement-mode Default
Create the storage, or tag an existing one with an environment=prod tag:
az storage account create \
--name sandbox \
--resource-group rg-policy-sandbox \
--location brazilsouth \
--sku Standard_LRS \
--allow-blob-public-access false \
--tags environment=prod
Copied from the functionapp-enforce-https-only-dine sample.
az policy definition create --name DeployIfNotExistsSample \
--rules @policies/effects/DeployIfNotExists-rules.json \
--params @policies/effects/DeployIfNotExists-params.json
az policy assignment create -n DeployIfNotExistsSample --policy DeployIfNotExistsSample \
--scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
--enforcement-mode Default \
--mi-system-assigned \
--location brazilsouth
Create the function app and check that HTTPS Only is set to true after the deployment completes.
az functionapp create -n funcappdeploypolicy -g rg-policy-sandbox \
--storage-account <some storage> \
--consumption-plan-location brazilsouth \
--runtime dotnet \
--functions-version 4 \
--https-only false
Set the Disabled policy:
az policy definition create --name DisabledActionSample \
--rules @policies/effects/disabled.rules.json \
--params @policies/effects/disabled.params.json
az policy assignment create -n DisabledActionSample --policy DisabledActionSample \
--scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
--params "{ \"effect\": { \"value\": \"Disabled\" } }" \
--enforcement-mode Default
Create the storage, or tag an existing one with a TriggerDisabledEffect=true tag:
az storage account create \
--name sandbox \
--resource-group rg-policy-sandbox \
--location brazilsouth \
--sku Standard_LRS \
--tags TriggerDisabledEffect=true
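To make the mode section and the parameterized Disabled assignment above concrete, here is an added toy evaluator (not the repository's rules.json files and not Azure's engine) for a small subset of the policy rule language. It assumes a constructed allowlist of indexed types and a constructed CostCenter rule whose effect is set by the assignment parameter, mirroring the `--params "{ \"effect\": ... }"` call above.

```python
# Toy evaluator for a subset of the Azure Policy rule language. Added example:
# not the page's rules.json files and not Azure's engine (simplified on purpose).
import copy
import re
# Types evaluated in Indexed mode (constructed subset of the real list).
INDEXED_TYPES = {"Microsoft.Storage/storageAccounts", "Microsoft.Compute/virtualMachines"}
PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
TAG_RE = re.compile(r"^tags\['([^']+)'\]$")

def resolve(value, params):
    """Replace a "[parameters('name')]" string with the assignment's value."""
    m = PARAM_RE.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def get_field(resource, field):
    """Resolve a field alias: "type", "location" or "tags['key']"."""
    m = TAG_RE.match(field)
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(field)

def matches(cond, resource, params):
    """Evaluate an "if" block: allOf plus exists / equals field conditions."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == resolve(cond["equals"], params)
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(definition, resource, params=None):
    """Return (outcome, resource after policy) for one create/update request."""
    params = params or {}
    if definition.get("mode", "Indexed").lower() == "indexed" and resource["type"] not in INDEXED_TYPES:
        return "notApplicable", resource   # e.g. resource groups are skipped in Indexed mode
    rule = definition["policyRule"]
    if not matches(rule["if"], resource, params):
        return "compliant", resource
    effect = resolve(rule["then"]["effect"], params).lower()
    if effect == "disabled":               # Disabled via assignment parameter: nothing runs
        return "notApplicable", resource
    if effect == "append":                 # Append adds tags to the request before it is saved
        out = copy.deepcopy(resource)
        for d in rule["then"]["details"]:
            out.setdefault("tags", {})[TAG_RE.match(d["field"]).group(1)] = resolve(d["value"], params)
        return "append", out
    return effect, resource                # deny / audit / modify are just reported here
# Constructed sample: the CostCenter tag rule, with the effect set by the assignment.
COSTCENTER = {"mode": "Indexed", "policyRule": {
    "if": {"field": "tags['CostCenter']", "exists": "false"},
    "then": {"effect": "[parameters('effect')]"}}}
```

Switching the assignment parameter between Deny and Disabled, or the mode between Indexed and All, changes the outcome for the same request without touching the rule itself.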
Create the policy:
az policy definition create --name ModifySample \
--rules @policies/effects/modify.rules.json
az policy assignment create -n ModifySample --policy ModifySample \
--scope "/subscriptions/$subscriptionId/resourceGroups/rg-policy-sandbox" \
--enforcement-mode Default \
--mi-system-assigned \
--location brazilsouth
Create a Storage resource to test the policy:
az storage account create \
--name sandbox \
--resource-group rg-policy-sandbox \
--location brazilsouth \
--sku Standard_LRS