Azure Policy pattern: effects

Azure Policy has many effects that determine how the service reacts to non-compliant resources. Some effects are simple and require no additional properties in the policy definition while others require several properties.

Sample 1: Simple effect

This policy definition checks to see whether the tag defined in parameter tagName exists on the evaluated resource. If the tag doesn't yet exist, the modify effect is triggered to add the tag with the value in parameter tagValue.

{
    "properties": {
        "displayName": "Add a tag to resource groups",
        "policyType": "BuiltIn",
        "mode": "All",
        "description": "Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed.",
        "metadata": {
            "version": "1.0.0",
            "category": "Tags"
        },
        "parameters": {
            "tagName": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Name",
                    "description": "Name of the tag, such as 'environment'"
                }
            },
            "tagValue": {
                "type": "String",
                "metadata": {
                    "displayName": "Tag Value",
                    "description": "Value of the tag, such as 'production'"
                }
            }
        },
        "policyRule": {
            "if": {
                "allOf": [{
                        "field": "type",
                        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                    },
                    {
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "exists": "false"
                    }
                ]
            },
            "then": {
                "effect": "modify",
                "details": {
                    "roleDefinitionIds": [
                        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                    ],
                    "operations": [{
                        "operation": "add",
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "value": "[parameters('tagValue')]"
                    }]
                }
            }
        }
    }
}

Sample 1: Explanation

"effect": "modify",
"details": {
    "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
    ],
    "operations": [{
        "operation": "add",
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "value": "[parameters('tagValue')]"
    }]
}

A modify effect requires the policyRule.then.details block that defines roleDefinitionIds and operations. These parameters inform Azure Policy what roles are needed to add the tag and remediate the resource and which modify operation to use. In this example, the add operation and the parameters are used to set the tag and its value.

Sample 2: Complex effect

This policy definition audits each virtual machine for when an extension, defined in parameters publisher and type, doesn't exist. It uses auditIfNotExists to check a resource related to the virtual machine to see whether an instance exists that matches the defined parameters. This example checks the extensions type.

{
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "audit-vm-extension",
    "properties": {
        "displayName": "Audit if extension does not exist",
        "description": "This policy audits if a required extension doesn't exist.",
        "parameters": {
            "publisher": {
                "type": "String",
                "metadata": {
                    "description": "The publisher of the extension",
                    "displayName": "Extension Publisher"
                }
            },
            "type": {
                "type": "String",
                "metadata": {
                    "description": "The type of the extension",
                    "displayName": "Extension Type"
                }
            }
        },
        "policyRule": {
            "if": {
                "allOf": [{
                        "field": "type",
                        "equals": "Microsoft.Compute/virtualMachines"
                    },
                    {
                        "field": "Microsoft.Compute/imagePublisher",
                        "in": [
                            "MicrosoftWindowsServer"
                        ]
                    },
                    {
                        "field": "Microsoft.Compute/imageOffer",
                        "in": [
                            "WindowsServer"
                        ]
                    }
                ]
            },
            "then": {
                "effect": "auditIfNotExists",
                "details": {
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "existenceCondition": {
                        "allOf": [{
                                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                                "equals": "[parameters('publisher')]"
                            },
                            {
                                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                                "equals": "[parameters('type')]"
                            }
                        ]
                    }
                }
            }
        }
    }
}

Sample 2: Explanation

"details": {
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "existenceCondition": {
        "allOf": [{
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "[parameters('publisher')]"
            },
            {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "[parameters('type')]"
            }
        ]
    }
}

An auditIfNotExists effect requires the policyRule.then.details block to define both a type and the existenceCondition to look for. The existenceCondition uses policy language elements, such as logical operators, to determine whether a matching related resource exists. In this example, the values checked against each alias are defined in parameters.

Next steps