how to make azure policy definition script that limits the number of resources per resource group?

elice-cloud-practice-dev 0 Reputation points
2024-01-21T15:52:02.56+00:00

I want to limit the number of resources per resource group.

For example, I would like to limit the creation of a maximum of 2 virtual machines and a maximum of 1 DB per resource group.

My questions are:

  • Does an Azure Policy Definition that satisfies these conditions exist? If yes, please give me an example
  • If counting resources within a resource group before creation is not supported, how can I restrict users from creating resources?

2 answers

  1. Michael Durkan 12,186 Reputation points MVP
    2024-01-21T16:21:58.63+00:00

    Hi

    Answers to your questions below:

    - Does an Azure Policy Definition that satisfies these conditions exist? If yes, please give me an example

    Not that I'm aware of, so you'd need to create a custom Initiative - something like this:

       {
          "parameters": {
             "maxResourceCount": {
                "type": "Integer",
                "metadata": {
                   "displayName": "Maximum Resource Count",
                   "description": "Enter the maximum number of resources allowed in a resource group."
                },
                "defaultValue": 10
             }
          },
          "policyDefinitions": [
             {
                "displayName": "ResourceGroupResourceLimit",
                "description": "Limits the number of resources in a resource group",
                "policyType": "Custom",
                "mode": "Indexed",
                "parameters": {
                   "maxResourceCount": {
                      "value": "[parameters('maxResourceCount')]"
                   }
                }
             }
          ]
       }

    - If counting resources within a resource group before creation is not supported, how can I restrict users from creating resources?

    You can by creating "Deny" assignments in a policy, but IMHO, this isn't a policy question - it's more to do with making sure your RBAC and the permissions assigned to the Resource Group and your subscriptions in general are set up correctly so that users only have the necessary permissions they need.

    Hope this helps,

    Thanks

    Michael Durkan

    • If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!

  2. Tabut, Olivier 0 Reputation points
    2024-03-12T14:55:10.71+00:00

    Hi

    Answers to your questions below:

    - Does an Azure Policy Definition that satisfies these conditions exist? If yes, please give me an example

    From my perspective, Azure Policy is an admission controller. That means it checks that the submitted payload is compliant against standards and rules, but it isn't aware of the whole picture.

    - If counting resources within a resource group before creation is not supported, how can I restrict users from creating resources?

    There might be a workaround that relies on Azure Policy's ability to retrieve properties from the parent resource group:

    • create 2 tags at resource group level: CurrentUsage and MaxUsage (can be created for each resource type)
    • create and schedule a PowerShell script in Azure Automation (for example) that regularly updates the CurrentUsage tag (<10 lines of code)
    • create an Azure Policy that leverages the resourceGroup().tags function to retrieve those values and compare them to allow or deny resource creation

    Like I said, it's a workaround, not a perfect solution. But it acts like quotas at resource group level (quotas are only supported at subscription level in Azure).

    Regards

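The tag-based workaround described in the second answer, written out as an added example that is not part of the original post and is neither the answerer's nor Microsoft's code: a custom policy definition that denies a PUT of the capped resource type once the resource group's CurrentUsage tag has reached its MaxUsage tag. The tag names come from the answer; the resourceType parameter, the per-definition naming and the contains() guards that skip resource groups without both tags are assumptions.

```json
{
  "displayName": "Deny resource creation once the resource group quota tag is reached",
  "description": "Assumed example: compares the resource group's CurrentUsage and MaxUsage tags, which an external script keeps up to date.",
  "mode": "Indexed",
  "parameters": {
    "resourceType": {
      "type": "String",
      "metadata": {
        "displayName": "Resource type to cap",
        "description": "Resource type whose count the CurrentUsage tag tracks (assumed default)."
      },
      "defaultValue": "Microsoft.Compute/virtualMachines"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "[parameters('resourceType')]" },
        { "value": "[contains(resourceGroup().tags, 'MaxUsage')]", "equals": true },
        { "value": "[contains(resourceGroup().tags, 'CurrentUsage')]", "equals": true },
        {
          "value": "[int(resourceGroup().tags['CurrentUsage'])]",
          "greaterOrEquals": "[int(resourceGroup().tags['MaxUsage'])]"
        }
      ]
    },
    "then": { "effect": "deny" }
  }
}
```

CurrentUsage is only as fresh as the last run of the updating script, so resources created between two runs are not blocked, and because Policy evaluates every PUT of that type, updates to existing resources are also denied while the group sits at its cap. Assign one definition per capped type (for example one for virtual machines and one for the database type) with matching per-type tags, and keep RBAC as the primary control, as the first answer recommends.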