- Resource Policy is a service that controls which resources can be created and what for they take, such as naming conventions, locations, and sizes.
- Ensure that resources created in the cloud comply with corporate standards and service level agreements.
- E.g. preventing users from creating resources in specific locations and of specific types and sizes
- Contains two elements, a policy definition, and a policy assignment
- There are many pre-defined policy definitions built into Azure.
- RBAC controls user access, permissions, privileges, and actions at different scopes.
- Policy evaluates resource properties for already existing resources and during deployment
- E.g. control which type of resource is available for deployment in your organization
- E.g. limit the locations in which you deploy resources or require your resources to follow naming conventions
- Azure policy is a default allow, and explicit deny system as opposed to RBAC.
- The
contributorrole does not contain the necessary permissions. - You need:
- Microsoft.Authorization/policydefinitions/ write permission to define a policy.
- Microsoft.Authorization/policyassignments/ write permission to assign a policy.
- E.g. allowed locations, allowed resource types, allowed storage account SKUs, allowed virtual machine SKUs, apply tag and default value, enforce tag and value, not allowed resource types, require SQL Server version 12.0, require storage account encryption.
- Inclusion is to limit the number a user is required to create to manage their subscription efficiently.
-
Every policy definition contains a minimum of two elements:
- Conditions under which it is enforced.
- An action that triggers if the conditions are met.
-
Policy definition JSON elements: • mode • parameters • display name • description • policy rule • logical evaluation • effect
-
E.g.
{ "if": { "field": "type", "in": "[parameters('listOfResourceNotAllowed')]" }, "then": { "effect": "Deny" } } -
During assignment, the list of resource types not allowed parameter is populated and evaluated against all current resources in scope for the assignments.
-
Any non-compliant resources will be identified. When creating new resources, the deployment will fail if they are non-compliant.
-
The definition can contain multiple if, then blocks and combines logical operators, conditions, and fields to build out the policy.
-
The policy can define alternative effects.
- Alternate effects: • Deny • Audit • Append • AuditIfNotExists • DeployIfNotExists
-
You can assign any of these policy definitions through the Azure portal, PowerShell, or Azure CLI.
- Occurs over a specific scope.
- A scope is the list of all the resource groups, subscriptions, or management groups that the policy definition is assigned to.
- Policy assignments are inherited by all child resources.
- This can be altered or prevented using the exclusion option at the time of assignment.
- The scope, exclusions, and parameters of the
NotAllowedresource types are shown in the policy assignments blade when assigning a definition.
- Collection of policy definitions that are designed to achieve a design goal.
- Can be assigned as a group to simplify the process of achieving that goal.
- Appears as a single item.
- These can use wildcards, patterns tags, and multiple patterns to apply restrictions to your Azure resource names.
- E.g. a pattern match asserting that is the resource name does not begin contoso and have six characters as the rest of the name then it will be non-compliant.
-
E.g. the resource name must begin contoso and have six characters as the rest of the name.
{ "if": { "not": { "field": "name", "match": "contoso??????" } }, "then": { "effect": "deny" } }
-
- Groups multiple subscriptions within an enterprise.
- Allows you to enforce policies on multiple subscriptions.