Compute_disks_ZoneResilient_Audit.json
{
"properties": {
"displayName": "[Preview]: Managed Disks should be Zone Resilient",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Managed Disks can be configured to be either Zone Aligned, Zone Redundant, or neither. Managed Disks with exactly one zone assignment are Zone Aligned. Managed Disks with a sku name that ends in ZRS are Zone Redundant. This policy assists in identifying and enforcing these resilience configurations for Managed Disks.",
"metadata": {
"category": "Resilience",
"version": "1.0.0-preview",
"preview": true
},
"version": "1.0.0-preview",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "This parameter lets you choose the effect of the policy. If you choose Audit (default), the policy will only audit resources for compliance. If you choose Deny, the policy will deny the creation of non-compliant resources. If you choose Disabled, the policy will not enforce compliance (useful, for example, as a second assignment to ignore a subset of non-compliant resources in a single resource group)."
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"allow": {
"type": "String",
"metadata": {
"displayName": "Allowed Zone Configurations",
"description": "This parameter lets you choose what type of Zone Resilience you want to allow. Aligned will identify any resources that are not configured as Zone Aligned as non-compliant resources. Redundant will identify any resources that are not configured to be Zone Redundant as non-compliant resources. Both (default), will identify any resource configurations that are not Zone Aligned or Zone Redundant as non-compliant resources."
},
"allowedValues": [
"Both",
"Redundant",
"Aligned"
],
"defaultValue": "Both"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/disks"
},
{
"anyOf": [
{
"allOf": [
{
"value": "[parameters('allow')]",
"equals": "Both"
},
{
"not": {
"field": "Microsoft.Compute/disks/sku.name",
"like": "*ZRS"
}
},
{
"not": {
"count": {
"field": "Microsoft.Compute/disks/zones[*]"
},
"equals": 1
}
}
]
},
{
"allOf": [
{
"value": "[parameters('allow')]",
"equals": "Redundant"
},
{
"not": {
"field": "Microsoft.Compute/disks/sku.name",
"like": "*ZRS"
}
}
]
},
{
"allOf": [
{
"value": "[parameters('allow')]",
"equals": "Aligned"
},
{
"not": {
"count": {
"field": "Microsoft.Compute/disks/zones[*]"
},
"equals": 1
}
}
]
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"1.0.0-PREVIEW"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/344ea7ca-2ba8-4d68-859b-317239714b2c",
"name": "344ea7ca-2ba8-4d68-859b-317239714b2c"
}