Deny - prevent deployment of resources not conforming to standard

KjetilTiE 1 Reputation point
2020-12-15T15:15:44.77+00:00

I'm trying to get some examples of the Deny effect, where the goal is NOT to prevent any specific resource.
But instead, deny deployment of resources which are lacking, for example, tags and diagnostic/activity logging. I know I can use DeployIfNotExist, but that's a retro effort. It would be better to prevent resources from being deployed at all, instead of letting Azure Policy deploy it later on.

We deploy all our resources with terraform, and ideally the DevOps team should get denied if they are missing key elements in their deployments.
Any examples of this? Thanks

Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

1 answer

  1. Jesse Loudon 336 Reputation points MVP
    2020-12-26T07:01:18.917+00:00

    @KjetilTiE here are 4 examples of built-in policies (Tagging) which have Deny effects:

    1) Require a tag and its value on resource groups

    {  
       "properties": {  
          "displayName": "Require a tag and its value on resource groups",  
          "policyType": "BuiltIn",  
          "mode": "All",  
          "description": "Enforces a required tag and its value on resource groups.",  
          "metadata": {  
             "version": "1.0.0",  
             "category": "Tags"  
          },  
          "parameters": {  
             "tagName": {  
                "type": "String",  
                "metadata": {  
                   "displayName": "Tag Name",  
                   "description": "Name of the tag, such as 'environment'"  
                }  
             },  
             "tagValue": {  
                "type": "String",  
                "metadata": {  
                   "displayName": "Tag Value",  
                   "description": "Value of the tag, such as 'production'"  
                }  
             }  
          },  
          "policyRule": {  
             "if": {  
                "allOf": [  
                   {  
                      "field": "type",  
                      "equals": "Microsoft.Resources/subscriptions/resourceGroups"  
                   },  
                   {  
                      "field": "[concat('tags[', parameters('tagName'), ']')]",  
                      "notEquals": "[parameters('tagValue')]"  
                   }  
                ]  
             },  
             "then": {  
                "effect": "deny"  
             }  
          }  
       },  
       "id": "/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46",  
       "name": "8ce3da23-7156-49e4-b145-24f95f9dcb46"  
    }  
    

    2) Require a tag and its value on resources

    {  
       "properties": {  
          "displayName": "Require a tag and its value on resources",  
          "policyType": "BuiltIn",  
          "mode": "Indexed",  
          "description": "Enforces a required tag and its value. Does not apply to resource groups.",  
          "metadata": {  
             "version": "1.0.1",  
             "category": "Tags"  
          },  
          "parameters": {  
             "tagName": {  
                "type": "String",  
                "metadata": {  
                   "displayName": "Tag Name",  
                   "description": "Name of the tag, such as 'environment'"  
                }  
             },  
             "tagValue": {  
                "type": "String",  
                "metadata": {  
                   "displayName": "Tag Value",  
                   "description": "Value of the tag, such as 'production'"  
                }  
             }  
          },  
          "policyRule": {  
             "if": {  
                "not": {  
                   "field": "[concat('tags[', parameters('tagName'), ']')]",  
                   "equals": "[parameters('tagValue')]"  
                }  
             },  
             "then": {  
                "effect": "deny"  
             }  
          }  
       },  
       "id": "/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62",  
       "name": "1e30110a-5ceb-460c-a204-c1c3969c6d62"  
    }  
    

    3) Require a tag on resource groups

    {  
       "properties": {  
          "displayName": "Require a tag on resource groups",  
          "policyType": "BuiltIn",  
          "mode": "All",  
          "description": "Enforces existence of a tag on resource groups.",  
          "metadata": {  
             "version": "1.0.0",  
             "category": "Tags"  
          },  
          "parameters": {  
             "tagName": {  
                "type": "String",  
                "metadata": {  
                   "displayName": "Tag Name",  
                   "description": "Name of the tag, such as 'environment'"  
                }  
             }  
          },  
          "policyRule": {  
             "if": {  
                "allOf": [  
                   {  
                      "field": "type",  
                      "equals": "Microsoft.Resources/subscriptions/resourceGroups"  
                   },  
                   {  
                      "field": "[concat('tags[', parameters('tagName'), ']')]",  
                      "exists": "false"  
                   }  
                ]  
             },  
             "then": {  
                "effect": "deny"  
             }  
          }  
       },  
       "id": "/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025",  
       "name": "96670d01-0a4d-4649-9c89-2d3abc0a5025"  
    }  
    

    4) Require a tag on resources

    {  
       "properties": {  
          "displayName": "Require a tag on resources",  
          "policyType": "BuiltIn",  
          "mode": "Indexed",  
          "description": "Enforces existence of a tag. Does not apply to resource groups.",  
          "metadata": {  
             "version": "1.0.1",  
             "category": "Tags"  
          },  
          "parameters": {  
             "tagName": {  
                "type": "String",  
                "metadata": {  
                   "displayName": "Tag Name",  
                   "description": "Name of the tag, such as 'environment'"  
                }  
             }  
          },  
          "policyRule": {  
             "if": {  
                "field": "[concat('tags[', parameters('tagName'), ']')]",  
                "exists": "false"  
             },  
             "then": {  
                "effect": "deny"  
             }  
          }  
       },  
       "id": "/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99",  
       "name": "871b6d14-10aa-478d-b590-94f262ecfa99"  
    }  
    
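The following is an added example, not code from the question or the answer and not Microsoft's evaluation engine. It re-implements only the subset of the Azure Policy rule language that the four definitions above use (allOf, not, field with equals / notEquals / exists, the `tags[...]` alias, the `type` field and `parameters()`), plus the All vs Indexed mode distinction, so you can run the four Deny rules offline against constructed request payloads (the storage-account and resource-group payloads below are made up) and see which ones a Terraform apply would be refused by before assigning the policy. Two points are assumptions of this evaluator rather than facts from the page: a tag missing from the request is treated as not equal to any value for `notEquals`, and tag-name and tag-value comparison is done case-insensitively.

```python
"""Offline evaluator for the four built-in Azure Policy tag rules above.

Added example: a simplified re-implementation of the policy-rule subset
those definitions use, not Azure's real engine. Sample payloads are
constructed for illustration.
"""
import re

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
TAG_FIELD = "[concat('tags[', parameters('tagName'), ']')]"
TAG_VALUE = "[parameters('tagValue')]"

# The policyRule blocks and modes from the four definitions in the answer.
RULES = {
    "Require a tag and its value on resource groups": ("All", {
        "if": {"allOf": [{"field": "type", "equals": RG_TYPE},
                         {"field": TAG_FIELD, "notEquals": TAG_VALUE}]},
        "then": {"effect": "deny"}}),
    "Require a tag and its value on resources": ("Indexed", {
        "if": {"not": {"field": TAG_FIELD, "equals": TAG_VALUE}},
        "then": {"effect": "deny"}}),
    "Require a tag on resource groups": ("All", {
        "if": {"allOf": [{"field": "type", "equals": RG_TYPE},
                         {"field": TAG_FIELD, "exists": "false"}]},
        "then": {"effect": "deny"}}),
    "Require a tag on resources": ("Indexed", {
        "if": {"field": TAG_FIELD, "exists": "false"},
        "then": {"effect": "deny"}}),
}

_PARAM = re.compile(r"^\[parameters\('(\w+)'\)\]$")
_TAG_ALIAS = re.compile(r"^\[concat\('tags\[', parameters\('(\w+)'\), '\]'\)\]$")


def _value(expr, params):
    """Resolve a [parameters('x')] expression; literals pass through."""
    m = _PARAM.match(str(expr))
    return params[m.group(1)] if m else expr


def _field(expr, resource, params):
    """Return (exists, value) for the 'type' field or a tags[...] alias."""
    if expr == "type":
        return "type" in resource, resource.get("type")
    m = _TAG_ALIAS.match(expr)
    if m:
        # Assumption: tag names compared case-insensitively (ARM tag names are).
        name = params[m.group(1)].lower()
        tags = {k.lower(): v for k, v in (resource.get("tags") or {}).items()}
        return name in tags, tags.get(name)
    raise ValueError(f"unsupported field reference: {expr}")


def _eq(a, b):
    # Assumption: case-insensitive string comparison, as for policy equals/notEquals.
    return str(a).lower() == str(b).lower()


def evaluate(cond, resource, params):
    """Evaluate one condition block to True (rule matches) or False."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    exists, value = _field(cond["field"], resource, params)
    if "exists" in cond:
        return exists == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return bool(exists and _eq(value, _value(cond["equals"], params)))
    if "notEquals" in cond:
        # Simplification: a missing tag is "not equal" to any required value.
        return not (exists and _eq(value, _value(cond["notEquals"], params)))
    raise ValueError(f"unsupported condition: {cond}")


def effect(rule_name, resource, params):
    """Return 'deny' if the named rule would block this request, else 'allow'."""
    mode, rule = RULES[rule_name]
    if mode == "Indexed" and resource.get("type") == RG_TYPE:
        return "allow"  # Indexed mode does not evaluate resource groups
    matched = evaluate(rule["if"], resource, params)
    return rule["then"]["effect"] if matched else "allow"


# Constructed request payloads (not from the original post).
PARAMS = {"tagName": "environment", "tagValue": "production"}
RG_UNTAGGED = {"type": RG_TYPE, "name": "rg-app", "tags": {}}
RG_PROD = {"type": RG_TYPE, "name": "rg-app", "tags": {"Environment": "Production"}}
SA_DEV = {"type": "Microsoft.Storage/storageAccounts", "name": "stapp",
          "tags": {"environment": "dev"}}
SA_NO_TAGS = {"type": "Microsoft.Storage/storageAccounts", "name": "stapp"}

if __name__ == "__main__":
    for label, res in [("rg untagged", RG_UNTAGGED), ("rg prod", RG_PROD),
                       ("storage dev", SA_DEV), ("storage no tags", SA_NO_TAGS)]:
        for name in RULES:
            print(f"{label:16} {name:50} -> {effect(name, res, PARAMS)}")
```

Running it shows the practical difference between the two pairs: the "Require a tag" rules only deny when the tag key is absent (a wrong value passes), while the "Require a tag and its value" rules deny both a missing key and a wrong value, so a Terraform module that sets `environment = "dev"` in a production scope is refused by the latter only. It also shows why the two resource-group rules carry the `type` condition and mode All: the Indexed-mode rules never evaluate resource groups at all, so an untagged resource group is allowed by them.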