How can I create a custom Azure policy to prevent/deny manual resource creation in resource groups while allowing automated creation through GitHub Actions or Azure Automation?

Priyanka Varma 60 Reputation points
2024-04-01T05:49:52.1833333+00:00

How can I create a custom Azure policy to restrict end users from manually creating resources in resource groups and prevent unauthorized peerings with existing VNets, while also allowing the creation of resources through GitHub action automation or through the Automation account in Azure? I've already created a policy to restrict manual resource creation, but I'm struggling to find out how to give an exception for the automation account to allow it to create resources. Can anyone help me out with this?

Azure Automation
Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
1,106 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
781 questions
0 comments No comments
{count} votes

Accepted answer
  1. Deepanshu katara 4,350 Reputation points
    2024-04-01T07:40:47.8266667+00:00

    Hi, Yes you can achieve this by create a custom Azure policy

    Exemption Policy (for Automation Account):

    {
      "properties": {
        "policyAssignmentId": "/subscriptions/{subId}/providers/Microsoft.Authorization/policyAssignments/YourPolicyAssignmentName",
        "policyDefinitionReferenceIds": [
          "yourPolicyDefinitionId"
        ],
        "exemptionCategory": "Waiver",
        "resourceSelectors": [
          {
            "name": "AutomationAccountResourceCreationExemption",
            "selectors": [
              {
                "kind": "resourceType",
                "matches": [
                  "Microsoft.Automation/automationAccounts"
                ]
              }
            ]
          }
        ]
      },
      "systemData": { },
      "id": "/subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/policyExemptions/AutomationAccountCreationExemption",
      "type": "Microsoft.Authorization/policyExemptions",
      "name": "AutomationAccountCreationExemption"
    }
    
    
    

    This policy allows resources with a "CreatedBy" tag set to "AutomationAccount" to bypass the default denial.

    • "policyAssignmentId": Replace this with the ID of your policy assignment where the policy is applied.
    • "policyDefinitionReferenceIds": Replace this with the ID of your policy definition.
    • "resourceSelectors": This section specifies the resources to which the exemption applies. In this case, it targets resources of type Microsoft.Automation/automationAccounts, which corresponds to Azure Automation accounts.

    Make sure to replace placeholders such as {subId}, {resourceGroupName}, YourPolicyAssignmentName, and yourPolicyDefinitionId with your actual values.

    Please find ref doc --> https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure

    Kindly accept answer if it helps , Thanks!


0 additional answers

Sort by: Most helpful