
Policies

Policies define rules on resources and their properties. If the specified condition matches, the action in the "then" block (the effect) is taken: the resource can be altered (append or modify), audited, or its creation denied. Typically you start off with audit and move to enforcement (deny) once you understand what would be blocked.

Policies can be grouped into Initiatives. 

For background information, see the Microsoft Docs. There is a library of about 470 built-in Azure policies, for example "Allowed resource types" and "Allowed locations". Good to know is that you can export the JSON definition of any policy from the Azure Portal. There are also built-in initiatives; an example is the initiative ASC Default (Azure Security Center Default) with about 100 policies. You will get the JSON, but you will have to specify the correct parameter values yourself when you assign it.

After creating the policy (the policy definition), you have to assign it at the management group, subscription or resource group scope. The assignment applies to that scope and everything below it, so a definition on its own does nothing until it is assigned.

As an example, we can look at naming policies for resource consistency. If we try to create a resource or resource group with an invalid name, the request is rejected with the error message "Naming is not compliant with policy definition". You can define parameters at the initiative level and at the policy level. For example (at the initiative level):

  • Environment (Environment) of type array: ["dev","tst","acc","prod"]
  • ApplicationShortNames of type array: ["common","bi","integratie","app1"]

The format of a policy rule is: if <condition> then <effect>, where the effect is deny, audit or one of the altering effects. The condition often starts with "allOf", which is a logical AND over the listed conditions ("anyOf" is the OR counterpart). A condition in the list can itself be wrapped in "not" to negate it, as in the example below.

{
  "mode": "All",
  "parameters": {
    "environmentShortname": {
      "type": "Array",
      "metadata": {
        "displayName": "Environment short name",
        "description": null
      },
      "defaultValue": []
    },
    "applicationShortNames": {
      "type": "Array",
      "metadata": {
        "displayName": "List of allowed application short names",
        "description": null
      },
      "defaultValue": []
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "not": {
            "allOf": [
              {
                "count": {
                  "value": "[parameters('environmentShortname')]",
                  "where": {
                    "field": "name",
                    "like": "[concat('*-', current(), '-rg')]"
                  }
                },
                "greater": 0
              },
              {
                "count": {
                  "value": "[parameters('applicationShortNames')]",
                  "where": {
                    "field": "name",
                    "like": "[concat(current(),'-*')]"
                  }
                },
                "greater": 0
              }
            ]
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}

In this example the creation of a resource group is denied unless its name both starts with one of the allowed application short names (<app>-*) and ends with one of the allowed environments (*-<env>-rg); a name that is missing either part is rejected. The Overview page of the Azure Policy section in the portal gives an overall view of policy compliance. The page refreshes automatically, but the compliance data behind it comes from the periodic evaluation cycle, so a fresh assignment can take a while to show up; an on-demand evaluation can be started with az policy state trigger-scan.
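To see which names the rule above actually accepts before assigning it, the following added example (not code from the original page or from Azure) re-implements the rule's building blocks in plain Python: the "like" operator with its single "*" wildcard, the value count expression with current(), and the allOf/not nesting. It also builds the parameter object that an assignment needs, since the definition's defaultValue lists are empty. The resource group names in SAMPLE_RESOURCES are constructed input; the parameter names are the ones from the definition.

```python
import json

# Parameter values as they would be supplied at assignment time (constructed,
# taken from the initiative parameters listed on this page).
ENVIRONMENT_SHORTNAMES = ["dev", "tst", "acc", "prod"]
APPLICATION_SHORTNAMES = ["common", "bi", "integratie", "app1"]

RESOURCE_GROUP_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"


def policy_like(value: str, pattern: str) -> bool:
    """Azure Policy 'like' condition: case-insensitive comparison in which a
    single '*' matches any run of characters (including none). Azure Policy
    allows at most one wildcard in the pattern, so more than one is an error."""
    if pattern.count("*") > 1:
        raise ValueError("Azure Policy 'like' supports at most one '*' wildcard")
    value, pattern = value.lower(), pattern.lower()
    if "*" not in pattern:
        return value == pattern
    prefix, suffix = pattern.split("*")
    return (len(value) >= len(prefix) + len(suffix)
            and value.startswith(prefix) and value.endswith(suffix))


def count_where(values, predicate) -> int:
    """The value count expression: number of array members for which the
    'where' condition holds, with 'current' bound to each member in turn."""
    return sum(1 for current in values if predicate(current))


def rg_name_is_compliant(name: str, environments, applications) -> bool:
    """The inner allOf: at least one environment pattern ('*-<env>-rg') AND at
    least one application pattern ('<app>-*') must match the name."""
    env_hits = count_where(environments,
                           lambda current: policy_like(name, f"*-{current}-rg"))
    app_hits = count_where(applications,
                           lambda current: policy_like(name, f"{current}-*"))
    return env_hits > 0 and app_hits > 0


def evaluate(resource: dict, environments=ENVIRONMENT_SHORTNAMES,
             applications=APPLICATION_SHORTNAMES) -> str:
    """Returns 'deny' when the policy's 'if' block matches and 'allow' when it
    does not. Only resource groups satisfy the outer allOf's type check; for
    any other type the policy does not apply."""
    if resource["type"].lower() != RESOURCE_GROUP_TYPE.lower():
        return "not applicable"
    # The 'not' around the inner allOf turns "name is compliant" into
    # "deny when it is not compliant".
    if not rg_name_is_compliant(resource["name"], environments, applications):
        return "deny"
    return "allow"


def assignment_parameters(environments, applications) -> str:
    """JSON for the --params file of an assignment. The keys must match the
    'parameters' names of the definition exactly."""
    return json.dumps({
        "environmentShortname": {"value": list(environments)},
        "applicationShortNames": {"value": list(applications)},
    }, indent=2)


# Constructed sample resources covering the allowed and denied cases.
SAMPLE_RESOURCES = [
    {"type": RESOURCE_GROUP_TYPE, "name": "bi-reporting-dev-rg"},   # allow
    {"type": RESOURCE_GROUP_TYPE, "name": "App1-Prod-RG"},          # allow: 'like' is case-insensitive
    {"type": RESOURCE_GROUP_TYPE, "name": "web-dev-rg"},            # deny: 'web' is not an allowed app
    {"type": RESOURCE_GROUP_TYPE, "name": "bi-dev"},                # deny: no '-<env>-rg' suffix
    {"type": RESOURCE_GROUP_TYPE, "name": "app10-dev-rg"},          # deny: 'app1-*' needs the hyphen
    {"type": RESOURCE_GROUP_TYPE, "name": "bi-dev-rg-archive"},     # deny: suffix must be last
    {"type": "Microsoft.Storage/storageAccounts", "name": "stweb01"},  # not a resource group
]


def run_samples() -> dict:
    """Effect per sample name, so the result can be reviewed before assignment."""
    return {r["name"]: evaluate(r) for r in SAMPLE_RESOURCES}


if __name__ == "__main__":
    for name, effect in run_samples().items():
        print(f"{effect:15} {name}")
    print(assignment_parameters(ENVIRONMENT_SHORTNAMES, APPLICATION_SHORTNAMES))
```

Two details are worth noticing in the output: the application check is a prefix match on "<app>-", so app10-dev-rg is denied even though it starts with app1, and the environment suffix has to be the very end of the name. The generated parameter JSON can be saved and passed to az policy assignment create --params; the real evaluation in Azure remains authoritative, so run the policy with effect audit first and compare against this local check.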