Sven

Reputation: 195

Azure Policy allowed resource types with a like/match pattern

In the Azure Policy "allowed resource type" you can supply an array of resource types. When I want to allow SQL Elastic pool I need also to include all the subtypes of SQL Elastic pool.

I would like to use:

'Microsoft.Sql/servers/elasticpools/*'
'Microsoft.Sql/servers/elasticPools/advisors/*'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/*'
'microsoft.web/serverfarms/*'
'microsoft.web/sites/*'

But this doesn't work.

We now use:

'Microsoft.Sql/servers/elasticpools'
'Microsoft.Sql/servers/elasticPools/advisors'
'Microsoft.Sql/servers/elasticpools/advisors/createindex'
'Microsoft.Sql/servers/elasticpools/advisors/dbparameterization'
'Microsoft.Sql/servers/elasticpools/advisors/defragmentindex'
'Microsoft.Sql/servers/elasticpools/advisors/dropindex'
'Microsoft.Sql/servers/elasticpools/advisors/forcelastgoodplan'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/createindex'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/dbparameterization'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/defragmentindex'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/dropindex'
'Microsoft.Sql/servers/elasticpools/elasticpool/advisors/forcelastgoodplan'
'Microsoft.Web/sites/config'
'Microsoft.Web/sites/...'

Policy we use is:

{
  "if": {
    "not": {
      "field": "type",
      "in": "[parameters('listOfResourceTypesAllowed')]"
    }
  },
  "then": {
    "effect": "[parameters('Effect')]"
  }
}

Policy parameter:

{
  "listOfResourceTypesAllowed": {
    "type": "array",
    "metadata": {
      "displayName": "Allowed resource types",
      "description": "The list of resource types that can be deployed.",
      "strongType": "resourceTypes"
    }
  },
  "Effect": {
    "type": "string",
    "metadata": {
      "description": "The effect of the policy."
    }
  }
}

Question is it possible to use wildcards or something like that?

Upvotes: 1

Views: 2426

Answers (1)

A Kingscote

Reputation: 450

So you can only use wildcards with like or notLike conditions.

When using the like and notLike conditions, you provide a wildcard * in the value. The value shouldn't have more than one wildcard *. Source

This works for me, I'm sure you could create the inverse easily enough.

{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "not": {
            "field": "type",
            "like": "Microsoft.Storage/storageAccounts*"
          }
        },
        {
          "not": {
            "field": "type",
            "like": "Microsoft.Resources/storageAccounts*"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}

This will not allow storage accounts to be created.

Finding out the field types is a whole thing...

I've figured out a little one-liner which will create the JSON for you. It will create about 1500 lines of JSON, you can just remove what you don't want.

az provider list | jq '[ .[].namespace + "/*" ] | unique | sort | [.[] | { "not" : { "field" : "type", "like": . } }]'

What's interesting in my example is that Microsoft.Resources wasn't enough to stop storage accounts, I also needed Microsoft.Storage.

Upvotes: 0
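To make the single-wildcard `like` semantics from the answer concrete, and to show how the question's wildcard allow-list can be expressed with the `allOf` / `not` / `like` shape the answer and its jq one-liner produce, here is a small evaluator as an added example. It is illustrative code written for this page, not the Azure Policy engine and not code from either poster; the assumption that `like` compares case-insensitively is mine (the question itself mixes `elasticpools` and `elasticPools`), and the helper names (`like`, `evaluate`, `effect_for`, `allow_list_rule`) are invented here.

```python
"""Added example: a toy evaluator for the Azure Policy 'like' condition and
the allOf/not rule shape used in the answer above. Not the real engine."""


def valid_like_pattern(pattern: str) -> bool:
    """Azure Policy 'like' values may contain at most one '*' wildcard."""
    return pattern.count("*") <= 1


def like(value: str, pattern: str) -> bool:
    """Single-wildcard match: '*' stands for any run of characters (including none).

    Assumption (not stated on the page): the comparison is case-insensitive.
    """
    if not valid_like_pattern(pattern):
        raise ValueError(f"'like' pattern may contain at most one '*': {pattern!r}")
    v, p = value.lower(), pattern.lower()
    if "*" not in p:
        return v == p
    head, tail = p.split("*")
    # The length check stops head and tail from overlapping on short values.
    return len(v) >= len(head) + len(tail) and v.startswith(head) and v.endswith(tail)


def evaluate(condition: dict, resource: dict) -> bool:
    """Evaluate the subset of the policy rule language seen on this page:
    allOf, anyOf, not, and field conditions using like / notLike / equals / in."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    field_value = resource.get(condition["field"], "")
    if "like" in condition:
        return like(field_value, condition["like"])
    if "notLike" in condition:
        return not like(field_value, condition["notLike"])
    if "equals" in condition:
        return field_value.lower() == condition["equals"].lower()
    if "in" in condition:
        return field_value.lower() in {s.lower() for s in condition["in"]}
    raise ValueError(f"unsupported condition: {condition}")


def effect_for(policy_rule: dict, resource_type: str) -> str:
    """Return the rule's effect when its 'if' block is true, else 'none'."""
    if evaluate(policy_rule["if"], {"type": resource_type}):
        return policy_rule["then"]["effect"]
    return "none"


def allow_list_rule(patterns, effect: str = "deny") -> dict:
    """Build the allOf/not/like shape from the answer: the effect applies to any
    type that matches none of the given wildcard patterns (an allow-list)."""
    return {
        "if": {"allOf": [{"not": {"field": "type", "like": p}} for p in patterns]},
        "then": {"effect": effect},
    }


# The rule posted in the answer, reproduced as a dict.
ANSWER_RULE = {
    "if": {"allOf": [
        {"not": {"field": "type", "like": "Microsoft.Storage/storageAccounts*"}},
        {"not": {"field": "type", "like": "Microsoft.Resources/storageAccounts*"}},
    ]},
    "then": {"effect": "deny"},
}

# The wildcard patterns the question wanted to use.
QUESTION_PATTERNS = [
    "Microsoft.Sql/servers/elasticpools/*",
    "Microsoft.Sql/servers/elasticPools/advisors/*",
    "Microsoft.Sql/servers/elasticpools/elasticpool/advisors/*",
    "microsoft.web/serverfarms/*",
    "microsoft.web/sites/*",
]

if __name__ == "__main__":
    # Constructed sample resource types to exercise both rules.
    samples = [
        "Microsoft.Storage/storageAccounts",
        "Microsoft.Storage/storageAccounts/blobServices",
        "Microsoft.Compute/virtualMachines",
        "Microsoft.Sql/servers/elasticpools",
        "Microsoft.Sql/servers/elasticpools/advisors/createindex",
        "Microsoft.Web/sites/config",
    ]
    question_rule = allow_list_rule(QUESTION_PATTERNS)
    for t in samples:
        print(f"{t:60} answer-rule={effect_for(ANSWER_RULE, t):5} "
              f"question-allowlist={effect_for(question_rule, t)}")
```

Two things the run makes visible. First, with `not` wrapped around each `like`, the `allOf` block is true only for types that match none of the patterns, so the effect lands on everything outside the list; that is the allow-list shape the jq one-liner generates for every namespace. Second, a pattern such as `Microsoft.Sql/servers/elasticpools/*` does not match the parent type `Microsoft.Sql/servers/elasticpools` itself, because the literal `/` before the wildcard has to be present; `Microsoft.Sql/servers/elasticpools*` covers both the parent and its children with the single wildcard that `like` allows.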
