From a template reference standpoint, all the resource types you need to create and assign policies (policy definitions and policy assignments) are part of the Microsoft.Authorization namespace. You can find details in the ARM template reference.
Here is an example of an Azure SQL policy that looks for a dependent child resource (Microsoft.Sql/servers/administrators) to ensure that Azure AD authentication has been enabled on each SQL server. If no administrators child resource exists under a server, that server is reported as non-compliant.
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "ks-azuresql-azureadmin-auditifnotexists",
      "apiVersion": "2018-05-01",
      "properties": {
        "policyType": "Custom",
        "mode": "all",
        "displayName": "KS-AzureSQL - Audit if AAD Admin not enabled",
        "description": "Audit to ensure that the AAD Admin is enabled on all servers",
        "parameters": {},
        "policyRule": {
          "if": {
            "field": "type",
            "equals": "Microsoft.Sql/servers"
          },
          "then": {
            "effect": "auditIfNotExists",
            "details": {
              "type": "Microsoft.Sql/servers/administrators"
            }
          }
        }
      }
    }
  ]
}
As you can see, this is a pretty standard ARM template with all the required sections; because it is deployed at subscription scope, it uses the subscriptionDeploymentTemplate schema rather than the resource group one. The policy definition is added to the template as a resource, and the usual template rules apply. Two things to get right: the resource type strings must match the real provider names exactly (Microsoft.Sql/servers, not a variant such as "server"), otherwise the "if" condition never matches and the policy silently audits nothing; and "mode" should be set explicitly, because if it is omitted it defaults to indexed, which only evaluates resource types that support tags and location and is likely not what you want.
In order to deploy the ARM template, you use the New-AzureRmDeployment cmdlet (in the newer Az module the equivalent is New-AzDeployment). Azure Policy definitions are subscription-level resources, so the deployment is not targeted at a resource group: there is no -ResourceGroupName parameter, and -Location is required only to store the deployment metadata. Here is an example:
New-AzureRmDeployment -Name ks-azuresql-azureadmin `
-Location westus -TemplateFile ./ks-azuresql.azureadmin.auditifnotexists.json
After running the deployment command, you can see your policy definition in the portal under Policy > Definitions. Keep in mind that a definition by itself evaluates nothing: you still need a policy assignment (Microsoft.Authorization/policyAssignments) at the subscription or resource group scope before any SQL server is actually audited.
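The following script is an added example and is not part of the original post. It carries the deployment through the step the post stops short of: it deploys the template, assigns the resulting definition to the whole subscription, and then queries Azure Policy compliance data for non-compliant SQL servers. The template path and definition name are taken from the post; the assignment name and the use of the AzureRM.PolicyInsights cmdlet Get-AzureRmPolicyState are assumptions.

```powershell
# Added example, not from the original post. Assumes an authenticated AzureRm
# session (Login-AzureRmAccount) with rights to write policy at subscription scope.
$deploymentName = 'ks-azuresql-azureadmin'
$definitionName = 'ks-azuresql-azureadmin-auditifnotexists'   # name used in the template
$assignmentName = 'ks-azuresql-azureadmin-assign'             # assumed name for this example
$templateFile   = './ks-azuresql.azureadmin.auditifnotexists.json'
$location       = 'westus'

$subscriptionId = (Get-AzureRmContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId"

# 1. Subscription-level deployment: no -ResourceGroupName, -Location only stores metadata.
$deployment = New-AzureRmDeployment -Name $deploymentName `
    -Location $location -TemplateFile $templateFile
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment '$deploymentName' ended in state $($deployment.ProvisioningState)"
}

# 2. Fetch the definition the template created. On its own it is inert: until it is
#    assigned, no resource is evaluated and nothing shows up in compliance data.
$definition = Get-AzureRmPolicyDefinition -Name $definitionName
if (-not $definition) {
    throw "Policy definition '$definitionName' was not found after deployment"
}

# 3. Assign it to the subscription. auditIfNotExists never blocks a deployment; it only
#    flags servers without an administrators child resource, so a broad scope is safe.
$assignment = New-AzureRmPolicyAssignment -Name $assignmentName `
    -DisplayName 'KS-AzureSQL - Audit if AAD Admin not enabled' `
    -Scope $scope `
    -PolicyDefinition $definition
Write-Output "Assigned $($assignment.Name) at $scope"

# 4. Compliance results appear only after the next policy evaluation cycle, so this
#    query may return nothing immediately after the assignment is created.
$nonCompliant = Get-AzureRmPolicyState -SubscriptionId $subscriptionId `
    -Filter "PolicyAssignmentName eq '$assignmentName' and ComplianceState eq 'NonCompliant'"

if ($nonCompliant) {
    Write-Output "SQL servers without an Azure AD administrator:"
    $nonCompliant | Select-Object ResourceId, ComplianceState, Timestamp
} else {
    Write-Output "No non-compliant SQL servers reported yet for assignment $assignmentName"
}
```

With the Az module the same steps use New-AzDeployment, Get-AzPolicyDefinition, New-AzPolicyAssignment and Get-AzPolicyState; Az also provides Start-AzPolicyComplianceScan to trigger an evaluation on demand instead of waiting for the scheduled cycle.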
Enjoy!
Thank you for your valuable content, easy to understand and follow. As said, the migration to cloud is very essential for the protection of the database.