As described in the previous post, policies can be downloaded from the Enterprise Scale Architecture Repository and deployed into your own tenant. In addition to the mentioned policies, the repo also provides interesting Policy Initiatives (Policy Sets) that can also be used.
To deploy the Policy Set, we use the same steps as we used for the policies. That means we download the Policy Set (line 1), export a few properties for later use (lines 2-4), and then deploy the Policy Set to a subscription using the New-AzPolicySetDefinition command (for policies, the New-AzPolicyDefinition command is used instead).
To assign the Policy Set, the New-AzPolicyAssignment command (line 8) is used, just as with the policies. This time, however, the parameter -PolicySetDefinition is used to provide the Policy Set definition, which must previously be loaded with Get-AzPolicySetDefinition (line 6). If the default parameters of the Policy Set do not fit, they can be overwritten. In this example the parameter appConfigPublicIpDenyEffect (default: Deny) is overwritten with Audit (line 7). The parameters are passed with -PolicyParameter (line 8). If no parameters need to be overwritten, this parameter can be skipped.
$set = Invoke-WebRequest https://raw.githubusercontent.com/Azure/terraform-azurerm-caf-enterprise-scale/main/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json   # download the Policy Set template
$jsonset = $set.Content | ConvertFrom-Json -Depth 20   # parse the JSON body
$set_def = $jsonset.properties.policyDefinitions | ConvertTo-Json -Depth 20   # referenced policies, as JSON
$set_params = $jsonset.properties.parameters | ConvertTo-Json -Depth 20   # Initiative parameters, as JSON
New-AzPolicySetDefinition -Name $jsonset.Name -SubscriptionId <SUBSCRIPTION ID> -Metadata '{"Category":"Network"}' -DisplayName $jsonset.properties.displayName -Description $jsonset.properties.description -Parameter $set_params -PolicyDefinition $set_def
$plcySet = Get-AzPolicySetDefinition -Name $jsonset.Name   # load the deployed definition for the assignment
$overwrite_params = '{ "appConfigPublicIpDenyEffect": { "value": "Audit" } }'   # override the default Deny effect
New-AzPolicyAssignment -Name $jsonset.Name -PolicySetDefinition $plcySet -Scope "/subscriptions/<SUBSCRIPTION ID>/resourceGroups/rg-acr" -PolicyParameter $overwrite_params
Once the assignment has been made, the assigned Policy Set/Initiative can be seen in the portal. Note that the appConfigPublicIpDenyEffect parameter was successfully overwritten.
⚠️ But keep in mind that you can only assign Initiatives whose referenced policies have already been deployed. If the policies of the Initiative are missing, they will not be downloaded automatically and must be deployed manually before the Initiative is assigned.
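As an added example (not code from the original post or from the Enterprise Scale repository), the following script wraps the same steps with the pre-check the note above calls for: it resolves every policyDefinitionId the Initiative references with Get-AzPolicyDefinition and stops before deploying anything if one is missing, then deploys the definition, assigns it with the Audit override and reads the assigned parameters back from the service. It assumes the Az.Resources module and a signed-in session (Connect-AzAccount), that the policyDefinitionId values in the downloaded file resolve in your tenant (the same assumption the post's commands make), and uses a placeholder for the subscription ID; the resource group rg-acr is taken from the post.

```powershell
# Added example, not from the original post. Assumes Az.Resources is loaded and
# Connect-AzAccount has been run. <SUBSCRIPTION ID> is a placeholder.
$subscriptionId = '<SUBSCRIPTION ID>'
$scope  = "/subscriptions/$subscriptionId/resourceGroups/rg-acr"
$setUrl = 'https://raw.githubusercontent.com/Azure/terraform-azurerm-caf-enterprise-scale/main/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deny_publicpaasendpoints.tmpl.json'

$jsonset = (Invoke-WebRequest $setUrl).Content | ConvertFrom-Json -Depth 20

# 1. Pre-check: every policy the Initiative references must already exist,
#    because New-AzPolicyAssignment will not deploy them for you.
#    Assumes the policyDefinitionId values in the file resolve in this tenant.
$missing = foreach ($ref in $jsonset.properties.policyDefinitions) {
    if (-not (Get-AzPolicyDefinition -Id $ref.policyDefinitionId -ErrorAction SilentlyContinue)) {
        $ref.policyDefinitionId
    }
}
if ($missing) {
    throw "Deploy these policy definitions before assigning the Initiative:`n" + ($missing -join "`n")
}

# 2. Deploy the Initiative definition (same cmdlets as in the post).
$set_def    = $jsonset.properties.policyDefinitions | ConvertTo-Json -Depth 20
$set_params = $jsonset.properties.parameters       | ConvertTo-Json -Depth 20
New-AzPolicySetDefinition -Name $jsonset.Name -SubscriptionId $subscriptionId `
    -Metadata '{"Category":"Network"}' `
    -DisplayName $jsonset.properties.displayName `
    -Description $jsonset.properties.description `
    -Parameter $set_params -PolicyDefinition $set_def | Out-Null

# 3. Assign it, relaxing only the App Configuration effect from Deny to Audit.
#    Building the override as a hashtable avoids hand-written JSON quoting errors.
$plcySet   = Get-AzPolicySetDefinition -Name $jsonset.Name -SubscriptionId $subscriptionId
$overwrite = @{ appConfigPublicIpDenyEffect = @{ value = 'Audit' } } | ConvertTo-Json -Depth 5
New-AzPolicyAssignment -Name $jsonset.Name -PolicySetDefinition $plcySet `
    -Scope $scope -PolicyParameter $overwrite | Out-Null

# 4. Read the assignment back so the override is confirmed from the service,
#    not just from what we sent. Property layout assumed as exposed by the
#    Az.Resources version the post uses (Properties.Parameters).
$assigned  = Get-AzPolicyAssignment -Name $jsonset.Name -Scope $scope
$effective = $assigned.Properties.Parameters.appConfigPublicIpDenyEffect.value
if ($effective -ne 'Audit') {
    Write-Warning "Override was not applied; effective value is '$effective'"
} else {
    "appConfigPublicIpDenyEffect effective value: $effective"
}
```

Running the pre-check first means a missing policy is reported before any definition is created, so a half-deployed Initiative never has to be cleaned up; reading the assignment back catches the case where a mistyped parameter name in the override was silently ignored and the effect stayed at Deny.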