Using Azure Policy

How to practically use Azure Policy within your environment.


In a previous article I covered what Azure Policy is and explained some of its features. At the time I mentioned that there are a number of built-in/pre-configured policies and initiatives you can use; since then I have been designing and implementing custom policies to meet additional needs. While creating policies from scratch I learnt some valuable lessons and wanted to share them with you all.

Assigning policies with PowerShell or CLI

When you create policy assignments with PowerShell or CLI, remember to specify a pricing tier/SKU in your command. If you don't specify one, the assignment defaults to the Free tier. Within PowerShell add the following to your New-AzureRMPolicyAssignment command:

-sku @{"Name" = "A1"; "Tier" = "Standard"}

Within CLI add the following to your az policy assignment create command:

--sku 'standard'

(Note: Azure Policy's pricing tiers were later retired, so on current versions of the tooling this parameter is deprecated and can be omitted.)

PowerShell Example

Below is an example of the code you would use to create a policy definition with PowerShell and then create the policy assignment including the Standard SKU.

#Define allowed publishers
$allowedpublishers = "Canonical", "MicrosoftWindowsServer", "RedHat"

#Define the resource group the policy will be applied to
$ResourceGroup = Get-AzureRMResourceGroup -Name "ResourceGroup1"

#Set up the policy definition (the rule and parameter files are pulled from GitHub)
$definition = New-AzureRmPolicyDefinition -Name "allowed-image-publishers-policy" `
    -DisplayName "Only allow a certain image publishers offerings to be deployed" `
    -Description "This policy ensures that only allowed image publisher offerings are selected from the image repository" `
    -Policy 'https://raw.githubusercontent.com/weeyin83/azurepolicyexamples/master/Compute/allowed-image-publishers/azurepolicy.rules.json' `
    -Parameter 'https://raw.githubusercontent.com/weeyin83/azurepolicyexamples/master/Compute/allowed-image-publishers/azurepolicy.parameters.json' `
    -Mode All
$definition

#Create the policy assignment using the new definition, with the Standard SKU.
#-listOfAllowedimagePublisher is a dynamic parameter named after the parameter declared in the definition.
$assignment = New-AzureRMPolicyAssignment -Name "Canonical-RedHat-WindowsServer-only-policy" `
    -Scope $ResourceGroup.ResourceId `
    -sku @{"Name" = "A1"; "Tier" = "Standard"} `
    -listOfAllowedimagePublisher $allowedpublishers `
    -PolicyDefinition $definition
$assignment

CLI Example

Below is an example of the code you would use to create a policy definition with CLI and then create the policy assignment including the Standard SKU. The assignment's parameter values (here, the list of allowed storage SKUs) are passed with --params, either as inline JSON or as a path to a JSON file.

az policy definition create --name 'enforce-storage-skus' \
    --display-name 'Ensure deployment of allowed Storage SKUs only' \
    --description 'Ensure only approved Storage SKUs can be deployed' \
    --rules 'https://raw.githubusercontent.com/weeyin83/azurepolicyexamples/master/Storage/enforce-storage-skus/azurepolicy.rules.json' \
    --params 'https://raw.githubusercontent.com/weeyin83/azurepolicyexamples/master/Storage/enforce-storage-skus/azurepolicy.parameters.json' \
    --mode All

az policy assignment create --name 'enforce storage' \
    --scope '/subscriptions/00000000-0000-0000-0000-000000000000' \
    --policy 'enforce-storage-skus' \
    --sku 'standard' \
    --params '<parameter values as JSON, or a path to a JSON file>'

Syntax for Parameters

When you create a policy definition you can declare parameters, so that values such as a list of allowed publishers are supplied at assignment time rather than hard-coded into the rule. The same definition can then be assigned at different scopes with different values. How you enter multiple values for such a parameter depends on whether you are working in the portal or in code.

GUI Syntax

When you try to create an assignment of one of these policies you will be asked for the parameter values. Within the GUI, the syntax for adding multiple values is to separate them with a ; and no spaces, for example Canonical;MicrosoftWindowsServer;RedHat.

Code Syntax

When you are using static parameter entries within your policy definitions (for example a defaultValue in the parameters file, or a value passed from PowerShell or CLI), the correct syntax for adding multiple values is to put quotation marks around each entry, followed by a comma and a space before the next value, as in "Canonical", "MicrosoftWindowsServer", "RedHat" in the PowerShell example above.
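To tie the parameter syntax and the assignment steps together, here is an added, self-contained example that is not from the original article or the GitHub repository. It writes the rule and parameter JSON inline instead of fetching it from GitHub, uses the current Az module cmdlets (New-AzPolicyDefinition, New-AzPolicyAssignment, Get-AzPolicyState) rather than the retired AzureRm ones, and assumes the resource group name, the assignment name and the publisher lists; the Microsoft.Compute/imagePublisher alias and the [parameters('...')] reference syntax are standard Azure Policy features. It also shows the check a practitioner should run afterwards: a deny effect only blocks new or updated deployments, so existing resources have to be found through compliance state.

```powershell
# Added example (not from the original article). Assumed values: the resource
# group "ResourceGroup1", the assignment name and the publisher allow-lists.
# Requires the Az.Resources and Az.PolicyInsights modules and an existing login.

# Policy rule: deny any virtual machine whose image publisher is not in the
# parameter list. The parameter is referenced with the [parameters('name')] syntax.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      {
        "not": {
          "field": "Microsoft.Compute/imagePublisher",
          "in": "[parameters('listOfAllowedImagePublisher')]"
        }
      }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# Parameter declaration: an Array parameter with a static default. The default
# uses the quoted, comma-and-space separated form for multiple values.
$params = @'
{
  "listOfAllowedImagePublisher": {
    "type": "Array",
    "metadata": {
      "displayName": "Allowed image publishers",
      "description": "Publishers whose images may be used for new virtual machines"
    },
    "defaultValue": [ "Canonical", "MicrosoftWindowsServer", "RedHat" ]
  }
}
'@

# Create the definition from the inline JSON. -Mode All evaluates every
# resource type, including those without tags or location (the default,
# Indexed, skips them).
$definition = New-AzPolicyDefinition -Name "allowed-image-publishers-policy" `
    -DisplayName "Only allow approved image publishers" `
    -Description "Denies VM deployments whose image publisher is not on the allow-list" `
    -Policy $rule -Parameter $params -Mode All

# Assign it to one resource group. Parameter values are supplied as a hashtable;
# a narrower allow-list than the default is used here to show that assignment
# values override the definition's defaultValue.
$rg = Get-AzResourceGroup -Name "ResourceGroup1"
$assignment = New-AzPolicyAssignment -Name "approved-image-publishers-only" `
    -Scope $rg.ResourceId -PolicyDefinition $definition `
    -PolicyParameterObject @{ listOfAllowedImagePublisher = @("Canonical", "RedHat") }

# Verification: deny only stops future deployments, so list what is already
# in scope and non-compliant with this assignment. Compliance evaluation runs
# periodically, so results may take a while to appear after assignment.
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName `
    -Filter "PolicyAssignmentName eq '$($assignment.Name)' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionAction
```

If you want to trial a new rule before blocking deployments, change the effect to "audit" first: the compliance query at the end will then show what the deny would have rejected without actually failing anyone's deployment.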

Overview

Azure Policy is a great tool within Azure that can help you implement governance within your tenant. I've shared some of the policies that I have written on GitHub at https://github.com/weeyin83/azurepolicyexamples; please do check it out and contribute to any of them if you can. And as ever I'm happy to take questions or chat about this in more detail via Twitter @Techielass