Quickstart: Create a policy assignment to identify non-compliant resources by using ARM template
In this quickstart, you use an Azure Resource Manager template (ARM template) to create a policy assignment that validates resources' compliance with an Azure policy. The policy is assigned to a resource group and audits virtual machines that don't use managed disks. After you create the policy assignment, you identify the non-compliant virtual machines.
An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.
If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template opens in the Azure portal.
When assigning a built-in policy or initiative definition, it's optional to reference a version. Policy assignments of built-in definitions default to the latest version and automatically inherit minor version changes unless otherwise specified.
Prerequisites
If you don't have an Azure account, create a free account before you begin.
Microsoft.PolicyInsights must be registered in your Azure subscription. To register a resource provider, you must have permission to register resource providers. That permission is included in the Contributor and Owner roles.
A resource group with at least one virtual machine that doesn't use managed disks.
You can deploy the ARM template with Azure PowerShell or Azure CLI.
From a Visual Studio Code terminal session, connect to Azure. If you have more than one subscription, run the commands that set the context to your subscription, replacing <subscriptionID> with your Azure subscription ID.
The $rg variable stores the properties of the resource group. The $deployparms variable uses splatting to collect the parameter values and improve readability. The New-AzResourceGroupDeployment command then uses the parameter values defined in $deployparms:
Name is the deployment name displayed in the output and in Azure for the resource group's deployments.
ResourceGroupName uses the $rg.ResourceGroupName property to get the name of your resource group where the policy is assigned.
TemplateFile specifies the ARM template's name and location on your local computer.
Azure CLI
# Look up the resource group name once and reuse it in the deployment command
rgname=$(az group show --resource-group <resourceGroupName> --query name --output tsv)
az deployment group create \
  --name PolicyDeployment \
  --resource-group $rgname \
  --template-file policy-assignment.json
The rgname variable uses a query expression to get the resource group's name, which is then used in the deployment command.
name is the deployment name displayed in the output and in Azure for the resource group's deployments.
resource-group is the name of your resource group where the policy is assigned.
template-file specifies the ARM template's name and location on your local computer.
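The page refers to policy-assignment.json without showing it. The following ARM template is an added example, not the article's own file: it assigns a single policy definition at resource group scope and outputs the assignment's resource ID so the later compliance query can reuse it. The assignment name matches the name used later in the quickstart; the policy definition ID in defaultValue is assumed to be the built-in "Audit VMs that do not use managed disks" definition and should be confirmed before use (see the usage note). Because that definition uses the audit effect, the assignment only flags non-compliant VMs; it never blocks a deployment.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyAssignmentName": {
      "type": "string",
      "defaultValue": "audit-vm-managed-disks",
      "metadata": {
        "description": "Name of the policy assignment; must match the --name used in the compliance query."
      }
    },
    "policyDefinitionID": {
      "type": "string",
      "defaultValue": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d",
      "metadata": {
        "description": "Resource ID of the built-in definition. Assumed to be 'Audit VMs that do not use managed disks'; verify with az policy definition list before deploying."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2022-06-01",
      "name": "[parameters('policyAssignmentName')]",
      "properties": {
        "displayName": "Audit VMs that do not use managed disks",
        "description": "Audit-only assignment: reports VMs in this resource group that use unmanaged disks. It does not deny or modify resources.",
        "scope": "[resourceGroup().id]",
        "policyDefinitionId": "[parameters('policyDefinitionID')]",
        "enforcementMode": "Default"
      }
    }
  ],
  "outputs": {
    "assignmentId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Authorization/policyAssignments', parameters('policyAssignmentName'))]"
    }
  }
}
```

Save the file as policy-assignment.json in the directory where you run the deployment command. To confirm the definition ID before deploying, run `az policy definition list --query "[?displayName=='Audit VMs that do not use managed disks'].id" --output tsv` and replace the defaultValue if it differs. Because no version is referenced in policyDefinitionId, the assignment follows the latest version of the built-in definition, as described earlier in this article.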
You can verify the policy assignment's deployment with the following command:
After the policy assignment is deployed, virtual machines that are deployed to the resource group are audited for compliance with the managed disk policy.
The compliance state for a new policy assignment takes a few minutes to become active and report results for the policy.
# The assignment scope is the resource group's ID, retrieved the same way as its name above
rgid=$(az group show --resource-group <resourceGroupName> --query id --output tsv)
policyid=$(az policy assignment show \
  --name "audit-vm-managed-disks" \
  --scope $rgid \
  --query id \
  --output tsv)
# List only the resources the assignment has evaluated as non-compliant
az policy state list --resource $policyid --filter "(isCompliant eq false)"
The policyid variable uses a query expression to get the policy assignment's ID. The filter parameter limits the output to non-compliant resources.
The az policy state list output is verbose, but for this article the property that matters is complianceState, which shows NonCompliant for each virtual machine the audit flagged.