Nayden Van

Reputation: 1569

Azure Management Group Deny all

Sorry for this basic topic, but I am pretty confused about Azure Management Groups and policy.

I have a production subscription on which I would like to deny all manual creation of resources and allow only the creation of resources as code.

Which means: if I try to create or change a resource from the portal, I should get an error, but if I want to create the resource with Terraform or Bicep, I should be able to do so from the terminal.

So what I did: in my Management Groups I added a child group and assigned the subscription to it. On the child group, I created the policy to deny all Microsoft.* resource types as follows:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "like": "Microsoft.*"
    },
    "then": {
      "effect": "deny"
    }
  }
}

This works just fine, but how can I still be able to create resources with Terraform or Bicep from the terminal? Or maybe somebody can advise me on a better approach to solving this problem, please?

Thank you very much

Upvotes: 0

Views: 213

Answers (1)

MoonHorse

Reputation: 2489

If you apply this policy, it will be valid for service principals as well.

A better approach would be to restrict the RBAC roles of users (e.g. Reader) and use only a Service Principal to deploy resources to Azure. That's a simpler approach.

Upvotes: 1
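The approach in this answer, written out as a Terraform configuration (an added example, not code from the question or the answer): human users get only Reader on the production subscription, and a single deployment service principal gets Contributor. The group and service principal object IDs are placeholders; the subscription is the one the azurerm provider is authenticated against. Because an Azure Policy deny applies to every caller, including the service principal, the Microsoft.* deny assignment from the question is not needed with this model.

```hcl
# Added example (not from the question or answer): least-privilege RBAC
# instead of a blanket deny policy. Humans read, the pipeline writes.

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Placeholder: object ID of the Entra ID group that contains human engineers.
variable "engineers_group_object_id" {
  description = "Object ID of the group of human users (placeholder value)"
  type        = string
  default     = "00000000-0000-0000-0000-000000000001"
}

# Placeholder: object ID of the service principal used by CI/CD (Terraform/Bicep).
variable "deploy_sp_object_id" {
  description = "Object ID of the deployment service principal (placeholder value)"
  type        = string
  default     = "00000000-0000-0000-0000-000000000002"
}

# The production subscription the provider is currently authenticated against.
data "azurerm_subscription" "current" {}

# Humans: read-only at subscription scope. A portal edit fails with an
# authorization error, so no deny policy is required for that goal.
resource "azurerm_role_assignment" "humans_reader" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Reader"
  principal_id         = var.engineers_group_object_id
}

# Pipeline identity: the only principal that may create or change resources.
resource "azurerm_role_assignment" "pipeline_contributor" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Contributor"
  principal_id         = var.deploy_sp_object_id
}
```

Run this with an identity that holds Owner or User Access Administrator on the subscription, since creating role assignments requires Microsoft.Authorization/roleAssignments/write.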
