- Introduction
- Prerequisites
- Create Azure Policies for Managed Disks with Azure PowerShell
- Removing Azure Policies with PowerShell
- Create Azure Policies for Managed Disks with the Azure CLI
- Removing Azure Policies with the Azure CLI
The goal of these solutions is to provide you a walkthrough to deploy Azure Policies in your subscription to audit and prevent the deployment of Virtual Machines and Virtual Machine Scale Sets not leveraging Managed Disks.
To complete this walkthrough, you will need:
- You must have access and be able to deploy into a Microsoft Azure Subscription
- Access to either the Azure PowerShell modules or the Azure CLI
-
Open a PowerShell session with the Azure PowerShell modules loaded.
-
Login to Azure and select the subscripton to create the policy.
Note: Substitute the placeholder in the code with your subscription ID.
Login-AzureRmAccount
Select-AzureRmSubscription -SubscrpitionId xxxxxx-xxxxxx-xxxxxx-xxxxxx- Define the variables to name the policy definition, the policy description, and the policy rule. The policy rule in this walkthrough is set to deny the creation of VMs and VM Scale Sets not leveraging managed disks. If you want to audit the creation of VMs and VM Scale Sets not leveraging managed disks, simply replace deny with audit in the policy definition.
$policyName = "DenyUnmanagedDisks"
$policyDescription = "This policy will deny the creation of VMs and VMSSs that do not use naged disks"
$policyRule = '
{
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/virtualMachines/osDisk.uri",
"exists": "True"
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/VirtualMachineScaleSets"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers",
"exists": "True"
},
{
"field": "Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl",
"exists": "True"
}
]
}
]
}
]
},
"then": {
"effect": "deny"
}
}'- Create the policy definition. This is only creating the definition of the policy and it is not being enforced.
New-AzureRmPolicyDefinition -Name $policyName -Description $policyDescription -Policy $policyRule- Prepare variables to create a policy assignment where the scope is the entire subscription.
$policyDefinition = Get-AzureRmPolicyDefinition -Name $policyName
$sub = "/subscriptions/" + (Get-AzureRmContext).Subscription.Id
$assignmentName = "DenyUnmanagedDisksAssignment"- Create the policy assignment. After this completes successfully, the policy will be enforced in the specified scope.
New-AzureRmPolicyAssignment -Name $assignmentName -Scope $sub -PolicyDefinition $policyDefinition -Description $policyDescription- Remove the policy assignment. This will stop the enforcement of the policy but it will not remove the policy definition from the subscription.
Remove-AzureRmPolicyAssignment -Name $assignmentName -Scope $sub- Remove the policy definition. A policy definition can only be removed after all assignments of the definition have been removed.
Remove-AzureRmPolicyDefinition -Name $policyName-
Open a command line session where the Azure CLI has been installed.
-
Login to Azure and select the subscripton to create the policy.
az login
az account set -s xxxxxx-xxxxxx-xxxxxx-xxxxxx
- Create the policy definition with name the policy definition, the policy description, and the policy rule included. The policy rule in this walkthrough is set to deny the creation of VMs and VM Scale Sets not leveraging managed disks. If you want to audit the creation of VMs and VM Scale Sets not leveraging managed disks, simply replace deny with audit in the policy definition.
az policy definition create --name DenyUnmanagedDisks --description "This policy will deny the creation of VMs and VMSSs that do not use managed disks" --rules '
{
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/virtualMachines/osDisk.uri",
"exists": "True"
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/VirtualMachineScaleSets"
},
{
"anyOf": [
{
"field": "Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers",
"exists": "True"
},
{
"field": "Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl",
"exists": "True"
}
]
}
]
}
]
},
"then": {
"effect": "deny"
}
}'
- Create the policy assignment. After this completes successfully, the policy will be enforced in the specified scope.
Note: Substitute
{subscription_id}in the code with your subscription ID.
az policy assignment create --name DenyUnmanagedDisksAssignment --policy DenyUnmanagedDisks --scope /subscriptions/{subscription_id}
- View the policy assignment.
az policy assignment show --name DenyUnmanagedDisksAssignment
- Remove the policy assignment. This will stop the enforcement of the policy but it will not remove the policy definition from the subscription.
az policy assignment delete --name DenyUnmanagedDisksAssignment
- Remove the policy definition. A policy definition can only be removed after all assignments of the definition have been removed.
az policy definition delete --name DenyUnmanagedDisksAssignment