Include all virtual machines in Azure Policy

Shinde, Balaji 116 Reputation points
2023-02-16T06:45:51.6566667+00:00

Hi All,

We are deploying AMA agent using Azure policies "Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication" and "Deploy Windows Azure Monitor Agent with user-assigned managed identity-based auth and associate with Data Collection Rule".

We have many customized images stored as managed images as well as Compute Gallery images. We are not able to add them in policy definition and it is not feasible to add each image version in policy parameter during assignment.

So is there a way to make sure all virtual machines are covered in the policy definition? We will be duplicating the policy initiative and editing the policy definitions.

Currently the definitions have images mentioned using imagePublisher, imageOffer and imageSku. But the VMs deployed using custom or gallery images show imageReference as an image resource id; below is one example:

    "imageReference": {
        "id": "[concat(parameters('galleries_UE_GTS_SIG_01_externalid'), '/images/UE-GTS-PROD-RHEL8IMGDEF-01/versions/0.23234.44341')]"
    }

So we want to make sure we cover all VMs under the subscription inside the policy definition.


1 answer

  1. Luke Murray 11,256 Reputation points MVP
    2023-02-17T20:06:21.98+00:00

    Hi, Shinde

    Reviewing the Assign Built-in User Managed Identity to Virtual Machine policies, it has:

    So you should be able to just target the virtual machines directly, independent of the publisher.

    https://www.azadvertizer.net/azpolicyadvertizer/d367bd60-64ca-4364-98ea-276775bddd94.html

    You could try changing ImageReference to:

        {
          "field": "Microsoft.Compute/imageOffer",
          "equals": "*"
        }

        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/virtualMachines"
            }
          ]
        }
    
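The following is an added example, not code from this thread, from Microsoft, or from the Azure Policy engine. It re-implements a small subset of Azure Policy rule semantics (`allOf`, `anyOf`, `not`, `equals`, `notEquals`, `in`, `like`, `exists`) so that the two rule shapes discussed above can be evaluated offline against constructed VM resource documents. The alias names (`Microsoft.Compute/imagePublisher`, `Microsoft.Compute/imageOffer`, `Microsoft.Compute/imageId`, `Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType`) are real Azure Policy aliases; the alias-to-document mapping, the abbreviated marketplace list and the sample VMs are assumptions made for the demonstration. Two facts about Azure Policy it models: `equals` is a literal (case-insensitive) comparison, so `"equals": "*"` matches nothing, and `like` is the operator that supports `*`. It shows why a publisher/offer/sku condition cannot see a VM whose `imageReference` is a gallery or managed-image resource id, and why conditioning on `type` plus `osType` covers every VM regardless of image source.

```python
"""Model of why image-based policy conditions miss custom-image VMs.

Added example for this thread; NOT the Azure Policy engine. Alias names are
real, but the alias-to-document mapping and the sample VMs are constructed.
"""
import fnmatch


def _image_ref(vm):
    return vm["properties"]["storageProfile"].get("imageReference", {})


# Alias -> extractor over a VM resource document (assumed mapping).
ALIASES = {
    "type": lambda vm: vm.get("type"),
    "Microsoft.Compute/imagePublisher": lambda vm: _image_ref(vm).get("publisher"),
    "Microsoft.Compute/imageOffer": lambda vm: _image_ref(vm).get("offer"),
    "Microsoft.Compute/imageSku": lambda vm: _image_ref(vm).get("sku"),
    "Microsoft.Compute/imageId": lambda vm: _image_ref(vm).get("id"),
    "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType":
        lambda vm: vm["properties"]["storageProfile"]["osDisk"].get("osType"),
}


def _eq(a, b):
    # Azure Policy string comparisons are case-insensitive.
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def evaluate(cond, vm):
    """Evaluate one policy condition (logical or field) against a resource."""
    if "allOf" in cond:
        return all(evaluate(c, vm) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, vm) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], vm)
    value = ALIASES[cond["field"]](vm)
    if "equals" in cond:       # literal comparison: "*" is not a wildcard here
        return _eq(value, cond["equals"])
    if "notEquals" in cond:
        return not _eq(value, cond["notEquals"])
    if "in" in cond:
        return any(_eq(value, v) for v in cond["in"])
    if "like" in cond:         # the operator that actually supports '*'
        return isinstance(value, str) and fnmatch.fnmatchcase(
            value.lower(), cond["like"].lower())
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


VM_TYPE = {"field": "type", "equals": "Microsoft.Compute/virtualMachines"}

# Shape of the built-in rule the question describes (abbreviated, constructed list).
IMAGE_BASED_RULE = {"allOf": [VM_TYPE, {"anyOf": [
    {"allOf": [{"field": "Microsoft.Compute/imagePublisher", "equals": "RedHat"},
               {"field": "Microsoft.Compute/imageOffer", "in": ["RHEL", "RHEL-SAP"]}]},
    {"allOf": [{"field": "Microsoft.Compute/imagePublisher", "equals": "Canonical"},
               {"field": "Microsoft.Compute/imageOffer", "like": "0001-com-ubuntu-server-*"}]},
]}]}

# The "equals": "*" variant from the answer: a literal match, so it never fires.
WILDCARD_EQUALS_RULE = {"allOf": [VM_TYPE,
                                  {"field": "Microsoft.Compute/imageOffer", "equals": "*"}]}

# Target every Linux VM by OS type, independent of where the image came from.
OS_BASED_RULE = {"allOf": [VM_TYPE, {
    "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
    "equals": "Linux"}]}

# Audit helper: which VMs were built from a custom (gallery or managed) image?
CUSTOM_IMAGE_ONLY_RULE = {"allOf": [VM_TYPE,
                                    {"field": "Microsoft.Compute/imageId", "exists": "true"}]}


def make_vm(name, os_type, image_ref):
    """Constructed VM resource document with only the fields the rules read."""
    return {"name": name, "type": "Microsoft.Compute/virtualMachines",
            "properties": {"storageProfile": {"osDisk": {"osType": os_type},
                                              "imageReference": image_ref}}}


# Constructed sample inventory; <...> values are placeholders, not real ids.
SAMPLE_VMS = [
    make_vm("marketplace-rhel", "Linux",
            {"publisher": "RedHat", "offer": "RHEL", "sku": "8-lvm-gen2", "version": "latest"}),
    make_vm("gallery-rhel", "Linux",
            {"id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Compute"
                   "/galleries/<gallery>/images/<image-def>/versions/0.1.0"}),
    make_vm("managed-image-win", "Windows",
            {"id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Compute"
                   "/images/<managed-image>"}),
]


def covered_by(rule, vms):
    """Names of the VMs a rule's 'if' condition would select, sorted."""
    return sorted(v["name"] for v in vms if evaluate(rule, v))


if __name__ == "__main__":
    for label, rule in [("image-based", IMAGE_BASED_RULE), ("equals '*'", WILDCARD_EQUALS_RULE),
                        ("osType-based", OS_BASED_RULE), ("custom-image audit", CUSTOM_IMAGE_ONLY_RULE)]:
        print(f"{label:20s} -> {covered_by(rule, SAMPLE_VMS)}")
```

The gallery and managed-image VMs fall outside the image-based rule because their `imageReference` carries only an `id`, so every publisher/offer/sku alias resolves to nothing; the osType-based rule selects them together with the marketplace VM. For verifying coverage against a real subscription, use the policy assignment's compliance results or Azure Resource Graph rather than this model.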
