Jan 03 2021 06:24 PM
Hello all! I need to assign policies to my subscription for it to be compliant. How will I be able to assign the policies by updating the ARM template of the subscription? Also, I found out a way to assign policies through the Azure portal; will the policies assigned through the portal also be included in the ARM template? Where can I find and edit the ARM template for my subscription? And how will I deploy it? Thank you in advance!
Jan 04 2021 01:26 AM
Hi
To assign policy definitions or initiatives you have many ways, like:
- Assigning through the portal
- Assigning through Azure Blueprints
- Assigning through infrastructure as code (ARM templates, Terraform, Pulumi...)
For infrastructure as code you will need to export the policy definition and customize it.
Once you have done that you deploy it like a regular resource in Azure.
If you are not familiar with IaC you can simply use the UI and deploy it through the portal or Azure Blueprints (ARM template behind the scenes).
Jan 04 2021 01:40 AM
Hi @ibnmbodji, thank you for answering. Sorry, I'm not yet familiar with this, but how do I export and deploy the policy definition? Also, if I assign the policy through the portal, will it also be included in the ARM template for that subscription?
Jan 04 2021 01:58 AM - edited Jan 04 2021 02:03 AM
You're welcome.
To export the policy definition you need to go to the Azure Policy blade.
Select Definitions and in the list select the definition you want to export. You need to have a GitHub account to be able to do that.
You can do that in other ways, documented below:
Export Azure Policy resources - Azure Policy | Microsoft Docs
Notice that you don't need to do that if there are no changes to the built-in policy. You can just assign it to a scope directly.
If you want to add changes you can simply add a policy definition,
edit the policy rule and hit save. You can also import the policy rule from GitHub.
There is no update mechanism for ARM templates. If you want to have custom definitions you need to export built-in definitions, add changes and redeploy them.
If not, you don't need to export anything. Identify the definitions or initiatives and just assign them to a defined scope.
Jan 04 2021 04:38 AM
@ibnmbodji great! thank you for the answers. 🙂
Jan 04 2021 05:18 AM
Jan 04 2021 06:58 AM
I was looking at this for a previous job and found this info very helpful:
Export and manage Azure Policy as code with GitHub | Azure updates | Microsoft Azure
Using GitHub for Azure Policy as Code - Microsoft Tech Community
manage-azure-policy/azure-policy-as-code.md at main · Azure/manage-azure-policy (github.com)
Jan 04 2021 11:28 PM
@ibnmbodji Hi again, is it possible to create a template in the Templates blade in Azure and specify all the needed policies there, then deploy it to my subscription? Also, can I deploy many ARM templates into one subscription?
Jan 06 2021 01:40 AM
@ibnmbodji Hi, can you answer the follow-up question for this post? Thank you!
Jan 06 2021 02:26 AM - edited Jan 06 2021 02:49 AM
Hi, you can do that according to the documentation below:
Quickstart: New policy assignment with templates - Azure Policy | Microsoft Docs
But you will notice that a resource group is always necessary and it will be the scope. So if you need the subscription as the scope you will be blocked.
If you don't want to do it through GitHub, try Azure Blueprints; it's more flexible:
Security compliance with Azure Policy and Azure Blueprints | Microsoft Docs
You can test this to see if it fits your needs:
Go to the Blueprints menu
https://portal.azure.com/#blade/Microsoft_Azure_Policy/BlueprintsMenuBlade/GetStarted
Click Create
Select Common Policies (you can also start with a blank blueprint)
Give a name, a description and a location (the management group or subscription where the blueprint is saved)
Click Next: Artifacts
Click on ... and remove the artifacts you don't want
Click Add artifact and choose Policy assignment as the artifact type
You will see all the initiative definitions and policy definitions
Select and add
Click Save draft
In the notifications blade click on "Saving blueprint definition succeeded"
Then publish the blueprint
Give a version and change notes and hit Publish
Once published you can assign it by giving the necessary parameter values and clicking Assign.
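The ARM-template route at subscription scope, as an added example that is not part of any post in this thread: a shell script that writes a subscription-level deployment template (the `subscriptionDeploymentTemplate.json` schema, which deploys against the subscription itself rather than a resource group), assigns built-in policy definitions in it, and deploys it with `az deployment sub create`. The script, its function names, the assignment names and the `westeurope` location are my own placeholders; the only real identifier is the GUID of the built-in definition "Audit VMs that do not use managed disks".

```shell
#!/bin/sh
# Added example, not code from the thread: write a subscription-scope ARM template
# that assigns built-in policy definitions, then deploy it with the Azure CLI.
set -eu

# Built-in definition "Audit VMs that do not use managed disks". Built-in
# definitions are tenant-level resources, so their IDs start with /providers/,
# not /subscriptions/<id>/providers/.
MANAGED_DISKS_DEF="06a78e20-9358-41c9-923c-fb736d382a4d"

# Print one Microsoft.Authorization/policyAssignments resource. Because the
# template is deployed at subscription level, the scope is the subscription
# itself and no resource group is involved.
assignment_resource() {
  name=$1; def=$2
  cat <<EOF
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2020-09-01",
      "name": "${name}",
      "properties": {
        "displayName": "${name}",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/${def}",
        "scope": "[subscription().id]",
        "enforcementMode": "Default"
      }
    }
EOF
}

# write_template OUTFILE name=definition-guid [name=definition-guid ...]
# The $schema line is what makes this a subscription-level deployment template.
write_template() {
  out=$1; shift
  {
    printf '{\n'
    printf '  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",\n'
    printf '  "contentVersion": "1.0.0.0",\n'
    printf '  "resources": [\n'
    n=0
    for spec in "$@"; do
      # Separate resources with a comma line; JSON forbids a trailing comma.
      if [ "$n" -gt 0 ]; then printf '    ,\n'; fi
      assignment_resource "${spec%%=*}" "${spec#*=}"
      n=$((n + 1))
    done
    printf '  ]\n}\n'
  } > "$out"
}

# Deploy at subscription scope. --location only says where the deployment
# record is stored; it does not narrow the assignment's scope. Needs an
# authenticated Azure CLI (az login) with rights to create policy assignments.
deploy_template() {
  file=$1; location=${2:-westeurope}   # westeurope is a placeholder
  az deployment sub create --location "$location" --template-file "$file"
}

# Usage:
#   write_template policy-assignments.json "audit-vm-managed-disks=$MANAGED_DISKS_DEF"
#   deploy_template policy-assignments.json westeurope
```

Each `az deployment sub create` run is its own deployment record, so several templates can be deployed to the same subscription; in the default incremental mode an assignment whose name already exists is updated in place rather than duplicated. Assignments created in the portal are the same `Microsoft.Authorization/policyAssignments` resource type and appear next to these in `az policy assignment list`.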