# Azure Policy
AZUREGOVERNANCE
Part of [[202404051739 Governance Overview|azure governance]]
- Sits on top of Azure Resource Manager (ARM), so every [[202404061358 CRUD|CRUD]] operation on a resource has to pass through it
- Can be used for enforcement (deny) and for audit
- Start with audit (to figure out how resources are actually being used)
- Then later you can move to enforcement
- Policy logic is written in JSON
- Can produce a compliance report of which resources violate which policies
- Historically focused on resource properties (type, location, SKU, tags)
- Recently also focusing on actions (the denyAction effect, e.g. blocking Delete) that one can take on resources
- Deny is not applied retroactively to existing [[202404061212 Azure Resources|resources]]; it takes effect on the next create or update of the resource
## How

```mermaid
flowchart LR
    policy --> initiative --> scope
```
- A policy is a set of business rules defined in JSON
- A set of policies can be grouped into an initiative
- The initiative (or a single policy) is then assigned to a scope: a [[202401101441 Azure subscriptions|subscription]], [[202404051818 Resource Groups|resource group]], [[202404051803 Management groups|management group]] or individual [[202404061212 Azure Resources|resource]]; the assignment supplies the parameter values
## Example Policy Definition

```json
{
  "properties": {
    "displayName": "Allowed locations",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.",
    "mode": "Indexed",
    "metadata": {
      "version": "1.0.0",
      "category": "Locations"
    },
    "parameters": {
      "allowedLocations": {
        "type": "array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources",
          "strongType": "location",
          "displayName": "Allowed locations"
        },
        "defaultValue": [
          "westus2"
        ]
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('allowedLocations')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```
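To make the policy -> assignment -> scope flow and the `if`/`then` rule above concrete, here is a small evaluator, added to this note as a worked example. It is hypothetical helper code, not the Azure Policy engine or any Microsoft SDK, and it only understands the subset of the rule language the definition above uses (`field`, `in`, `notIn`, `equals`, `not`, `allOf`, `anyOf`, and `[parameters('name')]` references). The sample resources and the `effect_override` knob (which models an assignment that runs the rule in audit mode before switching to deny) are constructed for the example.

```python
"""Toy evaluator for the subset of Azure Policy rule language used in the
note's "Allowed locations" definition. Hypothetical example code, not the
real Azure Policy engine."""
import re

# Constructed copy of the note's definition, trimmed to what the evaluator reads.
ALLOWED_LOCATIONS_POLICY = {
    "properties": {
        "displayName": "Allowed locations",
        "mode": "Indexed",
        "parameters": {
            "allowedLocations": {"type": "array", "defaultValue": ["westus2"]}
        },
        "policyRule": {
            "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
            "then": {"effect": "deny"},
        },
    }
}

_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, params):
    """Replace a [parameters('name')] reference with the assignment's value."""
    if isinstance(value, str):
        match = _PARAM_REF.match(value)
        if match:
            return params[match.group(1)]
    return value


def condition_matches(cond, resource, params):
    """Evaluate one policyRule condition against a flat resource dict."""
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource, params) for c in cond["anyOf"])
    actual = resource.get(cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in resolve(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")


def assignment_parameters(definition, overrides=None):
    """Merge assignment-time parameter values over the definition's defaults."""
    params = {name: spec.get("defaultValue")
              for name, spec in definition["properties"]["parameters"].items()}
    params.update(overrides or {})
    return params


def evaluate(definition, resource, overrides=None, effect_override=None):
    """Return the effect that fires for this resource, or None if compliant.
    effect_override models an assignment that runs the rule as 'audit'
    while the policy is still being tried out (assumption for the example)."""
    rule = definition["properties"]["policyRule"]
    params = assignment_parameters(definition, overrides)
    if condition_matches(rule["if"], resource, params):
        return effect_override or rule["then"]["effect"]
    return None


def compliance_report(definition, resources, overrides=None):
    """Bucket resources into compliant / nonCompliant, like the portal's report."""
    report = {"compliant": [], "nonCompliant": []}
    for res in resources:
        bucket = "compliant" if evaluate(definition, res, overrides) is None else "nonCompliant"
        report[bucket].append(res["name"])
    return report


# Constructed sample resources (not real Azure resources).
SAMPLE_RESOURCES = [
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    {"name": "st-logs", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"name": "kv-prod", "type": "Microsoft.KeyVault/vaults", "location": "northeurope"},
]

if __name__ == "__main__":
    # An assignment at (say) subscription scope that allows only EU regions.
    eu_only = {"allowedLocations": ["westeurope", "northeurope"]}
    for res in SAMPLE_RESOURCES:
        print(res["name"], evaluate(ALLOWED_LOCATIONS_POLICY, res, eu_only))
    print(compliance_report(ALLOWED_LOCATIONS_POLICY, SAMPLE_RESOURCES, eu_only))
```

Two things the run makes visible: the same definition gives different results depending on the parameter values the assignment supplies (with the defaults, only `westus2` passes, so all three sample resources are flagged), and switching the effect between audit and deny changes only what happens to a non-compliant resource, not which resources are non-compliant.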