Afin d’ajouter une gouvernance sur Azure, il est possible d’imposer l’affectation de tags aux ressources.
Les créations se font dans Definitions : https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Definitions
Dans l’idéal, dupliquer un modèle existant.
Créer 3 stratégies :
– Inherit all tags from the resource group
– Require all tags on resource groups
– Require all tags on resources
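Inherit all tags from the resource group :
À vérifier avant de déployer cette définition : la condition teste les tags « mmb:billing:application », « mmb:billing:domain » et « mmb:billing:environnement », alors que les opérations copient « application », « domain », « environnement » et « niveau-service » ; les noms de tags doivent être identiques des deux côtés, sinon la condition et l’héritage ne portent pas sur les mêmes tags. La virgule qui suit le dernier élément de « allOf » rend en outre le JSON invalide. Enfin, l’identifiant de rôle b24988ac-6180-42a0-ab88-20f7382dd24c correspond au rôle intégré Contributor, qui est accordé à l’identité managée de la stratégie pour la remédiation ; vérifier si un rôle limité aux tags (par exemple Tag Contributor) suffit, afin de respecter le moindre privilège.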
{
"mode": "Indexed",
"policyRule": {
"if": {
"allOf": [
{
"value": "[resourceGroup().tags['application']]",
"exists": "true"
},
{
"value": "[resourceGroup().tags['mmb:billing:application']]",
"notEquals": ""
},
{
"value": "[resourceGroup().tags['mmb:billing:domain']]",
"exists": "true"
},
{
"value": "[resourceGroup().tags['mmb:billing:domain']]",
"notEquals": ""
},
{
"value": "[resourceGroup().tags['mmb:billing:environnement']]",
"exists": "true"
},
{
"value": "[resourceGroup().tags['mmb:billing:environnement']]",
"notEquals": ""
},
]
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [
{
"operation": "addOrReplace",
"field": "tags['application']",
"value": "[resourceGroup().tags['application']]"
},
{
"operation": "addOrReplace",
"field": "tags['domain']",
"value": "[resourceGroup().tags['domain']]"
},
{
"operation": "addOrReplace",
"field": "tags['environnement']",
"value": "[resourceGroup().tags['environnement']]"
},
{
"operation": "addOrReplace",
"field": "tags['niveau-service']",
"value": "[resourceGroup().tags['niveau-service']]"
}
]
}
}
},
"parameters": {}
}
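Require all tags on resource groups :
Attention : telle qu’écrite ci-dessous, la condition « allOf » ne déclenche le « deny » que si les trois tags sont absents en même temps ; un groupe de ressources portant un seul des tags est donc accepté. Pour exiger tous les tags, les tests « exists: false » doivent être regroupés dans un « anyOf » (en conservant le test sur le type dans le « allOf »). Le nom « tags[':environnement'] » semble par ailleurs être une faute de frappe pour « tags['environnement'] ».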
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "tags['application']",
"exists": "false"
},
{
"field": "tags['domain']",
"exists": "false"
},
{
"field": "tags[':environnement']",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
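Require all tags on resources :
Attention : telle qu’écrite ci-dessous, la condition « allOf » ne déclenche le « deny » que si les trois tags sont absents en même temps ; une ressource portant un seul des tags est donc acceptée. Pour exiger tous les tags, remplacer « allOf » par « anyOf ».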
{
"mode": "Indexed",
"policyRule": {
"if": {
"allOf": [
{
"field": "tags['application']",
"exists": "false"
},
{
"field": "tags['domain']",
"exists": "false"
},
{
"field": "tags['environnement']",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}