Thursday, January 3, 2019

Deploying Azure Policy via ARM Template

Azure policy is a great way to take control of the governance of your Azure environments. There are multiple ways to deploy policy, and management them at scale, and in this article we will talk about using ARM templates to deploy your Azure Policy.

From a template reference standpoint, all resources that you would require to create and assign policies is part of the Microsoft.Authorization namespace. You can find details in the reference.

Here is an example of an Azure SQL Policy that looks for a dependent resource (Microsoft.Sql/server/administrators) to ensure that AAD Authentication has been enabled on a particular SQL server.


{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters":{},
    "variables":{},
    "resources":[
        {
            "type":"Microsoft.Authorization/policyDefinitions",
            "name":"ks-azuresql-azureadmin-auditifnotexists",
            "apiVersion": "2018-05-01",
            "properties":{
                "policyType":"Custom",
                "mode":"all",
                "displayName":"KS-AzureSQL - Audit if AAD Admin not enabled",
                "description":"Audit to ensure that the AAD Admin is enabled on all servers",
                "parameters":{},
                "policyRule":{
                    "if":{
                        "field":"type",
                        "equals":"Microsoft.SQL/server"
                    },
                    "then":{
                        "effect":"auditIfNotExists",
                        "details":{
                            "type":"Microsoft.SQL/servers/administrators"
                        }
                    }
                }
            }
        }
    ]
}

As you can see, this is a pretty standard Azure ARM Template deployment, with all the required sections. The policy definition is added to the template as a resource, and you will need to follow the applicable rules. Important to note is that if "mode" is not specified, it defaults to indexed, which is likely not what you want.

In order to deploy the ARM template, you will need to make use of the New-AzureRMDeployment command. Azure Policy is a subscription level resource, and therefore, is not deployed to a particular resource group. Here is an example:


New-AzureRmDeployment -Name ks-azuresql-azureadmin `
-Location westus -TemplateFile ./ks-azuresql.azureadmin.auditifnotexists.json

After running the deployment command, you can now see your policy in the portal.



Enjoy!