How to assign policies by updating ARM template?

Question

Hello all! I need to assign policies to my subscription for it to be compliant. How will I be able to assign the policies by updating the ARM template of the subscription? Also, I found out a way to assign policies through azure portal, will the policies assigned through portal will be also included in the ARM template? Where can I find and edit the ARM template for my subscription? And how will I deploy it? Thank you in advance!

ibnmbodji · Answer

UserID707597&nbsp;&nbsp;You're welcome .&nbsp;&nbsp;To export the policy definition you need to go to the Azure Policy blade&nbsp;Policy - Microsoft Azure&nbsp;Select Definitions and in the list select the definition you want to export . You need to have Github account to be able to do that .&nbsp;You can do that in other ways documented below :&nbsp;Export Azure Policy resources - Azure Policy | Microsoft DocsNotice that you don't need to do that if there is no changes in the builtin policy . You can just assign to a scope directly .&nbsp;If you want add changes you can simply add a policy definition&nbsp;Policy - Microsoft AzureEdit the policy rule and hit save . You can also import the policy rule from Github .&nbsp;&nbsp;There is no update mecanism for Arm templates .If&nbsp; you want to have custom definitions you need to export builtin definitions add changes and redeploy it .&nbsp;If not you don't need to export anything . Identify the definitions or initiative and just assign them to a defined scope .&nbsp;

pbradz · Answer

UserID707597&nbsp;I was looking at this for a previous job and found this info very helpful:Export and manage Azure Policy as code with GitHub | Azure updates | Microsoft AzureUsing GitHub for Azure Policy as Code - Microsoft Tech Communitymanage-azure-policy/azure-policy-as-code.md at main · Azure/manage-azure-policy (github.com)

ibnmbodji · Answer

nabi04&nbsp;&nbsp;Hi you can do that regarding the documentation below :&nbsp;Quickstart: New policy assignment with templates - Azure Policy | Microsoft DocsBut you will notice that resource group is always necessary and it will be scope .So if you need the subscription as scope you will be blocked .If you don't want to do it through Github try Azure Blueprint it's more flexible&nbsp;Security compliance with Azure Policy and Azure Blueprints | Microsoft Docs&nbsp;You can test this to see if it can fit your need :&nbsp;Go to Blueprints Menu&nbsp;https://portal.azure.com/#blade/Microsoft_Azure_Policy/BlueprintsMenuBlade/GetStarted&nbsp;Click Create&nbsp;Select Common Policies&nbsp; ( You can also start with blank blueprint)Give a name a description and a location (The management group or subscription where the blueprint is saved)Click Next:Artifactsclick on ... and remove artifacts you don't want&nbsp; click add artifact&nbsp; and choose Policy assignment as artifact type&nbsp;You will see all the iniative definitions and policy definitions&nbsp;select and add click on save draft In the notifications blade click on saving blueprint definition succeeded&nbsp;then publish blueprint &nbsp;Give a version and a change notes and hit publish&nbsp;Once published you can assign it by giving the necessary parameter values and click assign.&nbsp;&nbsp;

ibnmbodji · Answer

UserID707597&nbsp;&nbsp;Hi&nbsp;&nbsp;To assign policy definitions or initiative you have many&nbsp; ways like :&nbsp;&nbsp;- Assigning&nbsp; through the portal&nbsp;&nbsp;- Assigning through Azure Blueprint&nbsp;&nbsp;- Assigning through Infra as code (Arm Templates Terraform Pulumi...)&nbsp;&nbsp;For Infra as code you will need to export the policy definition&nbsp; and customize it .&nbsp;Once you have&nbsp; done that&nbsp; you deploy it like a regular resource in azure .&nbsp;If you are not familiar with IaC you can simply use the UI and deploy it through the portal or Azure Blueprint ( Arm yemplate behind the scene)&nbsp;

userid707597 · Answer

Hi ibnmbodji&nbsp; thank you for answering. Sorry I'm not yet familiar with this, but how do I export and deploy the policy definition? Also, if I assign the policy through portal, will it also be included in the ARM template for that subscription?

Forum Discussion

How to assign policies by updating ARM template?

Resources