Hi all,
I want to create an Azure policy that whitelists resource types that are allowed to be used within a management group or subscription. I already found the built-in policy, but as the description states, only resource types that support 'tags' and 'location' will be affected by this policy. Since I actually want to be able to filter resources more granularly (on sub-resource level), resource types that only support tags and location are not enough. The policy does state that this can be achieved by duplicating the policy and setting the mode to 'All' rather than 'Indexed', so I tried the following:
- I wrote a script that uses the resource graph to retrieve all resources (and sub resources) in use within a subscription
- I copied the builtin policy and changed the mode from Indexed to All.
- I assigned the policy definition to the subscription, and for the 'allowedResourceTypes' param I provided the list of in-use resource types that I retrieved using the script in step 1
Now the expected result would be that there are no non-compliant resources showing up under the policy assignment as I retrieved all resource types in use within the subscription. However, I get a lot of non-compliant resources for resource types that didn't show up in the resource graph results. Some examples are:
- microsoft.blueprint/blueprintassignments
- microsoft.cdn/profiles/endpoints/origins
- microsoft.costmanagement/views
- microsoft.datafactory/factories/dataflows
- microsoft.security/pricings
And the list goes on. As stated, the issue seems to be that not all resources in use are showing up in the resource graph. So my question is simple: is there a way to retrieve all resources in use within a subscription/management group (including sub-resources, resources that don't support tags and location, etc.)?
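The mismatch described in the post (types that the policy assignment reports as non-compliant but that never came back from the Resource Graph query) can be made visible by comparing the two lists directly. The following is an added example, not the poster's script: it works on constructed sample data embedded inline (a few Resource Graph rows and a few policy compliance records modelled on the types listed above), makes no Azure calls, and assumes a query of the form `resources | distinct type`, which the post does not show. It normalises type names to lower case before comparing, since the two sources do not agree on casing, and it groups each missing sub-resource type under the top-level parent type the graph did return.

```python
"""Compare resource types seen by an Azure Resource Graph query with the types
an Azure Policy assignment reports as non-compliant, to expose the gap between
the two. All input below is constructed sample data; nothing talks to Azure."""
import json

# Assumed Resource Graph query for step 1 of the post (the post does not show it).
GRAPH_QUERY = "resources | distinct type"

# Constructed sample of what the Resource Graph query returned in step 1.
GRAPH_ROWS = [
    {"type": "microsoft.compute/virtualmachines"},
    {"type": "microsoft.storage/storageaccounts"},
    {"type": "microsoft.datafactory/factories"},
    {"type": "microsoft.cdn/profiles"},
    {"type": "Microsoft.Network/virtualNetworks"},  # mixed case on purpose
]

# Constructed sample of policy compliance records for the assignment from step 3.
POLICY_STATES = [
    {"resourceType": "microsoft.blueprint/blueprintassignments", "complianceState": "NonCompliant"},
    {"resourceType": "microsoft.cdn/profiles/endpoints/origins", "complianceState": "NonCompliant"},
    {"resourceType": "microsoft.costmanagement/views", "complianceState": "NonCompliant"},
    {"resourceType": "microsoft.datafactory/factories/dataflows", "complianceState": "NonCompliant"},
    {"resourceType": "microsoft.security/pricings", "complianceState": "NonCompliant"},
    {"resourceType": "Microsoft.Compute/virtualMachines", "complianceState": "Compliant"},
]


def normalize(rtype: str) -> str:
    """Resource type names differ in casing between sources; compare them lower-cased."""
    return rtype.strip().lower()


def graph_types(rows):
    """Distinct, normalised types returned by the Resource Graph query."""
    return {normalize(r["type"]) for r in rows}


def noncompliant_types(states):
    """Distinct, normalised types the policy assignment flagged as non-compliant."""
    return {normalize(s["resourceType"]) for s in states if s["complianceState"] == "NonCompliant"}


def missing_from_graph(rows, states):
    """Types reported non-compliant that the graph query never returned: the blind spot."""
    return sorted(noncompliant_types(states) - graph_types(rows))


def child_types_of(rows, states):
    """Group each missing type under the top-level parent type the graph did see
    (e.g. microsoft.cdn/profiles/endpoints/origins under microsoft.cdn/profiles).
    Types with no observed parent are grouped under None."""
    seen = graph_types(rows)
    grouped = {}
    for rtype in missing_from_graph(rows, states):
        parent = "/".join(rtype.split("/")[:2])  # provider/topLevelType
        grouped.setdefault(parent if parent in seen else None, []).append(rtype)
    return grouped


def allowed_types_parameter(rows, states, include_missing=True):
    """Build the value for the duplicated policy's allowedResourceTypes parameter:
    graph-observed types plus, optionally, the types compliance reporting revealed."""
    types = graph_types(rows)
    if include_missing:
        types |= noncompliant_types(states)
    return {"allowedResourceTypes": {"value": sorted(types)}}


if __name__ == "__main__":
    print("Query assumed for step 1:", GRAPH_QUERY)
    print("Non-compliant types missing from graph:", missing_from_graph(GRAPH_ROWS, POLICY_STATES))
    print("Grouped by observed parent:", child_types_of(GRAPH_ROWS, POLICY_STATES))
    print(json.dumps(allowed_types_parameter(GRAPH_ROWS, POLICY_STATES), indent=2))
```

Feeding real output from the graph query and from the assignment's compliance view into `GRAPH_ROWS` and `POLICY_STATES` gives the same diff for a live subscription; the `include_missing` switch decides whether the parameter value is built from graph results only (reproducing the post's result) or widened with the types the assignment itself surfaced.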