How to assign policies by updating ARM template?

Brass Contributor

Hello all! I need to assign policies to my subscription for it to be compliant. How will I be able to assign the policies by updating the ARM template of the subscription? Also, I found out a way to assign policies through azure portal, will the policies assigned through portal will be also included in the ARM template? Where can I find and edit the ARM template for my subscription? And how will I deploy it? Thank you in advance!

9 Replies

@UserID707597 

 

Hi 

 

To assign policy definitions or initiative you have many  ways like :  

- Assigning  through the portal  

- Assigning through Azure Blueprint  

- Assigning through Infra as code (Arm Templates Terraform Pulumi...) 

 

For Infra as code you will need to export the policy definition  and customize it . 

Once you have  done that  you deploy it like a regular resource in azure . 

If you are not familiar with IaC you can simply use the UI and deploy it through the portal or Azure Blueprint ( Arm yemplate behind the scene) 

Hi @ibnmbodji  thank you for answering. Sorry I'm not yet familiar with this, but how do I export and deploy the policy definition? Also, if I assign the policy through portal, will it also be included in the ARM template for that subscription?

@UserID707597 

 

You're welcome . 

 

To export the policy definition you need to go to the Azure Policy blade 

Policy - Microsoft Azure

 

Select Definitions and in the list select the definition you want to export . You need to have Github account to be able to do that . 

You can do that in other ways documented below : 

Export Azure Policy resources - Azure Policy | Microsoft Docs

Notice that you don't need to do that if there is no changes in the builtin policy . You can just assign to a scope directly . 

If you want add changes you can simply add a policy definition 

Policy - Microsoft Azure

Edit the policy rule and hit save . You can also import the policy rule from Github .  

There is no update mecanism for Arm templates .If  you want to have custom definitions you need to export builtin definitions add changes and redeploy it . 

If not you don't need to export anything . Identify the definitions or initiative and just assign them to a defined scope . 

@ibnmbodji great! thank you for the answers. :)

@UserID707597 

 

No problem thanks .

@ibnmbodji Hi again, is it possible to create a template in the Template blade in Azure and specify all the needed policies there, then deploy it to my subscription? Also, can I deploy many ARM templates into one subscription?

UserID707597_1-1609831536022.png

 

@ibnmbodji Hi, can you answer the follow-up question for this post? Thank you!

@nabi04 

 

Hi you can do that regarding the documentation below : 

Quickstart: New policy assignment with templates - Azure Policy | Microsoft Docs

But you will notice that resource group is always necessary and it will be scope .So if you need the subscription as scope you will be blocked .

If you don't want to do it through Github try Azure Blueprint it's more flexible 

Security compliance with Azure Policy and Azure Blueprints | Microsoft Docs

 

You can test this to see if it can fit your need : 

Go to Blueprints Menu 

https://portal.azure.com/#blade/Microsoft_Azure_Policy/BlueprintsMenuBlade/GetStarted 

Click Create 

Select Common Policies  ( You can also start with blank blueprint)

Give a name a description and a location (The management group or subscription where the blueprint is saved)

Click Next:Artifacts

click on ... and remove artifacts you don't want 

click add artifact  and choose Policy assignment as artifact type 

You will see all the iniative definitions and policy definitions 

select and add

click on save draft

In the notifications blade click on saving blueprint definition succeeded 

then publish blueprint  

Give a version and a change notes and hit publish 

Once published you can assign it by giving the necessary parameter values and click assign.