Skip to content
Permalink
Fetching contributors…
Cannot retrieve contributors at this time
46 lines (29 sloc) 2.37 KB

Azure: Disallowed Regions

What it does

This Policy Template accepts an input that defines which Azure regions are allowed by your compliance policies. Any Azure resource that exists outside of your approved regions will be raised in an Incident. Incidents will escalate to an email notification and will trigger an approval workflow prior to executing Cloud Workflow to delete the resources.

Pre-reqs

  • Azure Service Principal (AKA Azure Active Directory Application) with the appropriate permissions to manage resources in the target subscription
  • The following RightScale Credentials
    • AZURE_APPLICATION_ID
    • AZURE_APPLICATION_KEY
  • The policy_designer, policy_manager & policy_publisher roles

Installation

  1. Follow steps to Create an Azure Active Directory Application
  2. Grant the Azure AD Application access to the necessary subscription(s)
  3. Retrieve the Application ID & Authentication Key
  4. Create RightScale Credentials with values that match the Application ID (Credential name: AZURE_APPLICATION_ID) & Authentication Key (Credential name: AZURE_APPLICATION_KEY)
  5. Retrieve your Tenant ID

Input Parameters

This policy has the following input parameters required when launching the policy.

  • Azure AD Tenant ID - the Azure AD Tenant ID used for the Azure API Authentication
  • Azure Subscription ID - the Azure Subscription ID used for the Azure API Authentication
  • Approved Azure Region(s) - list of approved Azure regions
  • Email addresses of the recipients you wish to notify - A list of email addresses to notify

Policy Actions

The following policy actions are taken on any resources found to be out of compliance.

  • An email is sent to the Email lists provided of the resources out of compliance
  • Delete any resource that are in regions not in the Approved Regions list.

Supported Clouds

  • Azure

Cost

This Policy Template does not launch any instances, and so does not incur any cloud costs.

You can’t perform that action at this time.