Deny deletion using Azure policy

Dushyant Priyadarshee 121 Reputation points
2022-08-17T21:18:10.173+00:00

Say we have a private dns zone called privatezone.com and it has entries such as

A  test1               10.2.2.0
A  test2               10.2.2.1
A  critical-resource1  10.2.2.3
A  critical-resource2  10.2.2.4

Of those records, we want to be able to delete all A records except those whose name contains the term critical-resource. Can we do this via a policy?
Maybe along the lines of:

{
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Network/privateDnsZones/A"
                },
                {
                    "field": "name",
                    "contains": "critical-resource"
                },
                {
                    "field": "name",
                    "exists": false
                }
            ]
        },
        "then": {
            "effect": "deny"
        }
    },
    "parameters": {}
}

Thinking that if "deny deletion" cannot be done via policies, hence we have resource locks, then how do we deny with such granularity?


Accepted answer
  1. AnuragSingh-MSFT 21,251 Reputation points
    2022-08-22T15:23:01.43+00:00

    Hi @rubberduckdev,

    Thank you for reaching out to Microsoft Q&A.

    This approach via Azure Policy is not going to work for the scenario mentioned in the question. The deny effect is used to prevent a resource request that doesn't match defined standards through a policy definition and fails the request. A basic example would be "deny all operations on a resource which does not have a particular tag". This would not work selectively, to allow modification to one property and deny for another. This effect is not selective and will operate on the entire resource.

    For the use case mentioned in the question, "Locks" and "RBAC to follow principle of least privilege" are the best way to proceed forward.
    Locks: you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications.
    Role based access control (RBAC): To ensure that critical resources are accessible to only those who have the requirement.

    Please let me know if you have any questions.

    ---
    Please 'Accept as answer' and 'Upvote' if it helped so that it can help others in the community looking for help on similar topics.

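Added example (not part of the answer above, and not Microsoft's code): an ARM template that places a CanNotDelete lock on one A record, which is the record-level granularity the question is after. The zone name privatezone.com and record name critical-resource1 come from the question; the lock name, the notes text and the parameter names are mine. That a lock can be scoped to a privateDnsZones/A child resource through the extension-resource `scope` property is an assumption to confirm with a what-if deployment in your own tenant before relying on it.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "zoneName": {
      "type": "string",
      "defaultValue": "privatezone.com",
      "metadata": { "description": "Private DNS zone from the question (constructed example value)." }
    },
    "recordName": {
      "type": "string",
      "defaultValue": "critical-resource1",
      "metadata": { "description": "A record to protect (constructed example value)." }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2020-05-01",
      "name": "[format('protect-{0}', parameters('recordName'))]",
      "scope": "[format('Microsoft.Network/privateDnsZones/{0}/A/{1}', parameters('zoneName'), parameters('recordName'))]",
      "properties": {
        "level": "CanNotDelete",
        "notes": "Assumed example: record-level lock; remove the lock first when a deletion is intended."
      }
    }
  ]
}
```

Preview the effect with `az deployment group what-if --resource-group <rg> --template-file lock.json`, then apply it with `az deployment group create`. Removing the lock requires the Microsoft.Authorization/locks/* permission (Owner or User Access Administrator), so an intentional deletion becomes a deliberate two-step operation while everyday contributors cannot remove the record by accident. Each of the other records (test1, test2) stays deletable because nothing is locked above the record level.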

1 additional answer

  1. George Ollis 86 Reputation points
    2022-12-02T19:56:13.707+00:00

    There is a new effect called denyAction that is currently in public preview and available to all tenants. You can find more information here: https://www.youtube.com/watch?v=SboRUcRZqyc&list=WL&index=5

    1 person found this answer helpful.
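Added example (not from the answer above and not Microsoft's code): a policy definition using the denyAction effect for the scenario in the question. It denies DELETE requests on A records whose name contains a configurable fragment and leaves every other record deletable, which is the granularity a plain deny cannot give. The resource type and the fragment critical-resource come from the question; the parameter name protectedNameFragment is mine. `actionNames` accepts only `delete`, and `cascadeBehaviors.resourceGroup` decides whether deleting the resource group that contains the zone is denied as well.

```json
{
  "mode": "All",
  "parameters": {
    "protectedNameFragment": {
      "type": "String",
      "metadata": {
        "displayName": "Protected record name fragment",
        "description": "A records whose name contains this text cannot be deleted. Default is a constructed example value from the question."
      },
      "defaultValue": "critical-resource"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/privateDnsZones/A"
        },
        {
          "field": "name",
          "contains": "[parameters('protectedNameFragment')]"
        }
      ]
    },
    "then": {
      "effect": "denyAction",
      "details": {
        "actionNames": [ "delete" ],
        "cascadeBehaviors": {
          "resourceGroup": "deny"
        }
      }
    }
  }
}
```

Assign the definition at the subscription or resource group that holds the zone; `mode` must stay `All` because DNS record sets do not support tags or location and would be skipped under `Indexed`. The effect evaluates the delete request aimed at the matched record itself: deleting the parent zone is a separate request, so if the zone must survive too, add a lock on the zone or a second denyAction definition targeting Microsoft.Network/privateDnsZones (treat the exact cascade behaviour for parent resources as something to verify against the current denyAction documentation). A denied delete is recorded in the Activity Log with the RequestDisallowedByPolicy status and the assignment id, which gives you an audit trail of attempted removals to alert on.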