Skip to content

Instantly share code, notes, and snippets.

@mmckechney
Created June 20, 2019 19:34
Show Gist options
  • Save mmckechney/b4f63cb3b51577980406ef7046ba1935 to your computer and use it in GitHub Desktop.
Save mmckechney/b4f63cb3b51577980406ef7046ba1935 to your computer and use it in GitHub Desktop.
Azure Policy to add a specified Network Security Group to a Subnet if none is specified at creation time
{
"properties": {
"displayName": "Append NSG if missing",
"description": "Sets default NSG if none is specified",
"policyType": "Custom",
"mode": "All",
"parameters": {
"nsgResourceId": {
"type": "String",
"metadata": {
"description": "Full resource ID path for the NSG"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
"exists": false
}
]
},
"then": {
"effect": "append",
"details": [
{
"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup",
"value": {
"id": "[parameters('nsgResourceId')]"
}
}
]
}
}
}
}
@mmckechney
Copy link
Author

@vg22, an append policy will only effect resources at creation time. If you want to remediate existing resources, you will first need to change the effect to "modify" and then when you assign the policy, create a remediation task and identity to run the task. This is very straightforward via the Azure portal but can also be done via PowerShell of Azure CLI as per the link. Hope this helps!

@vg22
Copy link

vg22 commented May 6, 2022

@mmckechney I tried the modify action and I was able to see all the non compliant subnets, but remediate action seems to complain about

Reason
Failed to remediate resource: '/subscriptions/<sub-id>/resourceGroups/<rg_name>/providers/Microsoft.Network/virtualNetworks/v-net-name/subnets/subnet-name'. The 'PUT' request failed with status code: 'BadRequest'. Inner Error: 'Cannot parse the request.', Correlation Id: '87565527-4247-474f-b101-0dffd8606e78

Can you please review my policy here. This is my policy


{

	"if": {
		"allOf": [
			{
				"field": "type",
				"equals": "Microsoft.Network/virtualNetworks/subnets"
			},
			{
				"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
				"exists": false
			}
		]
	},
	"then": {
		
		"effect": "modify",
		"details": {
		  "roleDefinitionIds": [
			"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
		  ],
		  "conflictEffect": "audit",
		  "operations": [
			
			{
			  "operation": "addOrReplace",
			  "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup",
			  "value": "[parameters('nsgResourceId')]"
					}]
		}
	}
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment