Is there a way to exclude resource groups that Azure create for AzureBackup from policy assignment ?

Question

Is there a way to exclude resource groups that Azure create for AzureBackup from policy assignment ?

asked

Sameed Shaikh 1

I am using a policy for Tags which prevents "Resource groups" from getting deployed if specified tags will be missing. This causes Azure Backup failure.
I'd like to find a way to automatically exclude resource groups that contain a specific name e.g AzureBackupRG_{region}_{number}, but I can't figure out the logic for that.
Sharing the Policy here:

{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "tags['application']",
"exists": false
},
{
"field": "tags['contact']",
"exists": false
},
{
"field": "tags['createdBy']",
"exists": false
},
{
"field": "tags['status']",
"exists": false
},
{
"not": {
"value": "[resourceGroup().name]",
"like": "AzureBackupRG*"
}
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}

Answer 1

answered

Swathi Dhanwada 9,381 Microsoft Employee

@Sameed Shaikh Welcome to Microsoft Q & A Community Forum. I understand that you want to exclude the default resource groups that are created by Azure Backup service from tagging. I would recommend you use exclusions via the policy assignments or create exemptions rather modifying the rule. The Azure Policy exemptions feature is used to exempt a resource hierarchy or an individual resource from evaluation of initiatives or definitions. Resources that are exempt count toward overall compliance but can't be evaluated or have a temporary waiver. For more information about Policy Exemptions, refer this document.

To create a new exemption, please go to the assignment or the compliance section and click on "Create Exemption" as highlighted in below image.

You can mention the exemption scope in highlighted area and Click on Create. Regarding the exemption category, you can choose based on your requirement.

Please note that there is a limitation that you can select only one scope each exemption.

Sameed Shaikh 1 Reputation point

2022-06-16T06:37:52.207+00:00

Thank you, Swathi,

This Exemption option will list only those resource groups which already been created. Some of Azure's Managed services like AzureBackup, Databrick, and Networkwachter require their own resource group and auto-create themself. You can't pre-created it. example AzureBackup_Westus2_1. But we are aware what will be RG name.

I want to exempt RG before its creation.
Swathi Dhanwada 9,381 Reputation points Microsoft Employee

2022-06-16T14:00:32.55+00:00
@Sameed Shaikh I have tested the policy you have provided. According to your policy, only if all the conditions are evaluated to true then it denies the creation of the resource group. Here are my observations for the same.

When AzureBackupRG is being created, each of the conditions evaluate to false if there are no tags created and resource group name evaluates to true. Ultimately, the policy denies creation of the RG with naming convention "AzureBackupRG*". To avoid this case, one way is to create another custom policy, which automatically adds tags to the default resource groups, when they are created. As per order of evaluation, Append and Modify are evaluated before Deny.

For the existing AzureBackupRG resource groups, I noticed that they are being evaluated as "Compliant" even though there are no tags. For Deny effect, during evaluation of existing resources, resources that match a deny policy definition are marked as non-compliant.

As far as I know, the requirement you have can't be implemented in single policy. I understand that this might not be the anticipated response. However, it is the current situation of things. So, you have two options to do so.

One is to create another custom policy, which adds all the required tags to default resource groups like "AzureBackUpRG". This option works well because, it considers future resource groups.

Second is to create exemption or exclusions as I mentioned in my previous comment.

Is there a way to exclude resource groups that Azure create for AzureBackup from policy assignment ?

1 answer

Activity