How can I create a custom Azure policy to prevent/deny manual resource creation in resource groups while allowing automated creation through GitHub Actions or Azure Automation?

Priyanka Varma 60 Reputation points
2024-04-01T05:49:52.1833333+00:00

How can I create a custom Azure policy to restrict end users from manually creating resources in resource groups and prevent unauthorized peerings with existing VNets, while also allowing the creation of resources through GitHub action automation or through the Automation account in Azure? I've already created a policy to restrict manual resource creation, but I'm struggling to find out how to give an exception for the automation account to allow it to create resources. Can anyone help me out with this?

Azure Automation
Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
1,271 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
932 questions
0 comments No comments
{count} votes

Accepted answer
  1. Deepanshukatara-6769 11,545 Reputation points
    2024-04-01T07:40:47.8266667+00:00

    Hi, Yes you can achieve this by create a custom Azure policy

    Exemption Policy (for Automation Account):

    {
      "properties": {
        "policyAssignmentId": "/subscriptions/{subId}/providers/Microsoft.Authorization/policyAssignments/YourPolicyAssignmentName",
        "policyDefinitionReferenceIds": [
          "yourPolicyDefinitionId"
        ],
        "exemptionCategory": "Waiver",
        "resourceSelectors": [
          {
            "name": "AutomationAccountResourceCreationExemption",
            "selectors": [
              {
                "kind": "resourceType",
                "matches": [
                  "Microsoft.Automation/automationAccounts"
                ]
              }
            ]
          }
        ]
      },
      "systemData": { },
      "id": "/subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/policyExemptions/AutomationAccountCreationExemption",
      "type": "Microsoft.Authorization/policyExemptions",
      "name": "AutomationAccountCreationExemption"
    }
    
    
    

    This policy allows resources with a "CreatedBy" tag set to "AutomationAccount" to bypass the default denial.

    • "policyAssignmentId": Replace this with the ID of your policy assignment where the policy is applied.
    • "policyDefinitionReferenceIds": Replace this with the ID of your policy definition.
    • "resourceSelectors": This section specifies the resources to which the exemption applies. In this case, it targets resources of type Microsoft.Automation/automationAccounts, which corresponds to Azure Automation accounts.

    Make sure to replace placeholders such as {subId}, {resourceGroupName}, YourPolicyAssignmentName, and yourPolicyDefinitionId with your actual values.

    Please find ref doc --> https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure

    Kindly accept answer if it helps , Thanks!


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.