How Can I create deny policy for AKS Clusters creation if the subscription doesn't have a specific tag of "AKS-Enabled"? Every way I try it complains of multiple resources.

Kalra, sakshi 0 Reputation points
2023-11-30T20:17:54.9+00:00

Below is my code for Deny:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions"
        },
        {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "notEquals": "[parameters('tagValue')]"
        },
        {
          "field": "type",
          "equals": "Microsoft.ContainerService/managedClusters"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Name",
        "description": "Name of the tag, such as 'environment'"
      },
      "defaultValue": "AKS-Enabled"
    },
    "tagValue": {
      "type": "String",
      "metadata": {
        "displayName": "Tag Value",
        "description": "Value of the tag, such as 'production'"
      },
      "defaultValue": "true"
    }
  }
}

5 answers

  1. shiva patpi 13,171 Reputation points Microsoft Employee
    2023-12-01T00:40:25.4333333+00:00

    @Kalra, sakshi

    Please remove the below section and try creating it - it should go through!

    {
      "field": "type",
      "equals": "Microsoft.Resources/subscriptions"
    },

    I just tried your same policy file, it was failing with the below error:


    Once I removed the section, it got created successfully:

    {
      "field": "type",
      "equals": "Microsoft.Resources/subscriptions"
    },



  2. Ammar-Abdelqader01 1,156 Reputation points Microsoft Employee
    2023-12-01T06:32:53.2633333+00:00

    Hello @Kalra, sakshi

    Can you try an example of a custom policy definition in JSON format that blocks AKS cluster creation if the subscription is not compliant with your organization's policies:

    {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.ContainerService/managedClusters"
                },
                {
                    "not": {
                        "field": "Microsoft.ContainerService/managedClusters/subscriptionId",
                        "in": "[parameters('allowedSubscriptionIds')]"
                    }
                }
            ]
        },
        "then": {
            "effect": "deny"
        }
    }

    This policy definition checks if the subscription ID of the AKS cluster is in the allowedSubscriptionIds parameter. If it is not, the policy denies the creation of the AKS cluster.

    Please note that this is just an example, and you should customize the policy definition to fit your organization's policies.

    https://learn.microsoft.com/en-us/azure/aks/use-azure-policy

    If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!



  3. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  4. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  5. Kalra, sakshi 0 Reputation points
    2023-12-01T17:30:21.3033333+00:00

    This creates a policy but doesn't do the needful
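An added illustration, not code from any of the posts above: a small, simplified evaluator for the condition subset used on this page (allOf, not, field with equals / notEquals / in), run against the question's rule and against the rule as edited in the first answer. It shows that the original allOf can never match, because one resource's type cannot equal two different values, and that the edited rule reads the tag from the cluster resource itself rather than from the subscription. The evaluator, the parameter-substituted rules and the sample resources are constructed for this example; it is not Azure's policy engine.

```python
# Simplified evaluator for the Azure Policy condition subset used on this page
# (allOf, not, field with equals / notEquals / in). Illustration only, not
# Azure's engine: it only resolves "type" and "tags[...]" fields.
import re

TAG_FIELD = re.compile(r"tags\[['\"]?([^'\"\]]+)['\"]?\]")

def resolve_field(resource, field):
    m = TAG_FIELD.fullmatch(field)
    if m:  # tags[AKS-Enabled] -> the tag value on this resource, or None
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)  # "type" and any other plain property

def matches(resource, cond):
    if "allOf" in cond:
        return all(matches(resource, c) for c in cond["allOf"])
    if "not" in cond:
        return not matches(resource, cond["not"])
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")

def effect(rule, resource):
    return rule["then"]["effect"] if matches(resource, rule["if"]) else "allow"

AKS = "Microsoft.ContainerService/managedClusters"
# The asker's rule with parameters substituted (tagName=AKS-Enabled, tagValue=true).
ORIGINAL_RULE = {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
    {"field": "tags[AKS-Enabled]", "notEquals": "true"},
    {"field": "type", "equals": AKS}]}, "then": {"effect": "deny"}}
# The same rule after dropping the subscription condition, as the first answer suggests.
EDITED_RULE = {"if": {"allOf": [
    {"field": "tags[AKS-Enabled]", "notEquals": "true"},
    {"field": "type", "equals": AKS}]}, "then": {"effect": "deny"}}
# Constructed sample requests: an AKS cluster without the tag and one with it.
UNTAGGED_AKS = {"type": AKS, "tags": {}}
TAGGED_AKS = {"type": AKS, "tags": {"AKS-Enabled": "true"}}

def evaluate_page_rules():
    # "type" cannot equal two different values, so the original rule never fires;
    # the edited rule fires, but only reads the tag from the cluster itself.
    return {"original_untagged": effect(ORIGINAL_RULE, UNTAGGED_AKS),
            "edited_untagged": effect(EDITED_RULE, UNTAGGED_AKS),
            "edited_tagged": effect(EDITED_RULE, TAGGED_AKS)}
```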