Created June 20, 2019 19:34
Azure Policy to add a specified Network Security Group to a Subnet if none is specified at creation time
```json
{
  "properties": {
    "displayName": "Append NSG if missing",
    "description": "Sets default NSG if none is specified",
    "policyType": "Custom",
    "mode": "All",
    "parameters": {
      "nsgResourceId": {
        "type": "String",
        "metadata": {
          "description": "Full resource ID path for the NSG"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks/subnets"
          },
          {
            "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
            "exists": false
          }
        ]
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup",
            "value": {
              "id": "[parameters('nsgResourceId')]"
            }
          }
        ]
      }
    }
  }
}
```
@vg22, an append policy will only affect resources at creation time. If you want to remediate existing resources, you will first need to change the effect to "modify" and then, when you assign the policy, create a remediation task and identity to run the task. This is very straightforward via the Azure portal but can also be done via PowerShell or Azure CLI as per the link. Hope this helps!
@mmckechney I tried the modify action and I was able to see all the non-compliant subnets, but the remediate action seems to complain about
Reason
Failed to remediate resource: '/subscriptions/<sub-id>/resourceGroups/<rg_name>/providers/Microsoft.Network/virtualNetworks/v-net-name/subnets/subnet-name'. The 'PUT' request failed with status code: 'BadRequest'. Inner Error: 'Cannot parse the request.', Correlation Id: '87565527-4247-474f-b101-0dffd8606e78
Can you please review my policy here. This is my policy
```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks/subnets"
      },
      {
        "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
        "exists": false
      }
    ]
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
      ],
      "conflictEffect": "audit",
      "operations": [
        {
          "operation": "addOrReplace",
          "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup",
          "value": "[parameters('nsgResourceId')]"
        }
      ]
    }
  }
}
```
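An added, offline simulation of the modify remediation above (not part of the gist or of Azure Policy itself): it evaluates the policy's "if" condition against a constructed subnet, applies the addOrReplace operation, and runs a stand-in for the ARM PUT schema check. It assumes the parse failure comes from the operation's `value` being a bare string where the `networkSecurityGroup` field expects an object of the shape `{"id": ...}`, the shape the append policy in the gist already uses; the subnet, NSG id and evaluator are simplified placeholders.

```python
import copy

SUBNET_TYPE = "Microsoft.Network/virtualNetworks/subnets"
NSG_FIELD = SUBNET_TYPE + "/networkSecurityGroup"
# Constructed placeholder, not a real resource id.
NSG_ID = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/networkSecurityGroups/default-nsg"

# The operation as posted in the comment (string value) and a corrected one whose
# value is an object carrying the id, matching the gist's append policy.
BROKEN_OPERATION = {"operation": "addOrReplace", "field": NSG_FIELD,
                    "value": "[parameters('nsgResourceId')]"}
FIXED_OPERATION = {"operation": "addOrReplace", "field": NSG_FIELD,
                   "value": {"id": "[parameters('nsgResourceId')]"}}

def needs_remediation(subnet):
    """Policy 'if' block: a subnet whose networkSecurityGroup.id alias does not exist."""
    nsg = subnet.get("properties", {}).get("networkSecurityGroup")
    nsg_id_exists = isinstance(nsg, dict) and "id" in nsg
    return subnet.get("type") == SUBNET_TYPE and not nsg_id_exists

def resolve(value, parameters):
    """Substitute [parameters('name')] expressions, recursing into objects (simplified)."""
    if isinstance(value, dict):
        return {k: resolve(v, parameters) for k, v in value.items()}
    if isinstance(value, str) and value.startswith("[parameters('"):
        return parameters[value[len("[parameters('"):-len("')]")]]
    return value

def validate_put(subnet):
    """Stand-in for the ARM PUT check: networkSecurityGroup, if present, must be {"id": <string>}."""
    nsg = subnet["properties"].get("networkSecurityGroup")
    if nsg is not None and not (isinstance(nsg, dict) and isinstance(nsg.get("id"), str)):
        raise ValueError("Cannot parse the request")

def remediate(subnet, operation, parameters):
    """Apply one addOrReplace operation to a non-compliant subnet and submit it; returns the new subnet."""
    if not needs_remediation(subnet):
        return subnet  # already compliant, nothing to PUT
    updated = copy.deepcopy(subnet)
    prop = operation["field"].split("/")[-1]  # "networkSecurityGroup"
    updated.setdefault("properties", {})[prop] = resolve(operation["value"], parameters)
    validate_put(updated)
    return updated

# Constructed subnet with no NSG, i.e. non-compliant under the policy.
SUBNET = {"type": SUBNET_TYPE, "name": "subnet-name", "properties": {"addressPrefix": "10.0.1.0/24"}}
```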
Thanks @mmckechney. I have a question regarding the "append" effect. When I save the subnet from the portal I can see the NSG gets associated with it. However, if I run a compliance scan, it does not take effect. Any idea why?