Skip to content

Instantly share code, notes, and snippets.

@mmckechney

mmckechney/ApplyNSGIfMIssing.json

Created June 20, 2019 19:34
Show Gist options
  • Save mmckechney/b4f63cb3b51577980406ef7046ba1935 to your computer and use it in GitHub Desktop.
Save mmckechney/b4f63cb3b51577980406ef7046ba1935 to your computer and use it in GitHub Desktop.
Download ZIP
Azure Policy to add a specified Network Security Group to a Subnet if none is specified at creation time
Raw
ApplyNSGIfMIssing.json
{
"properties": {
"displayName": "Append NSG if missing",
"description": "Sets default NSG if none is specified",
"policyType": "Custom",
"mode": "All",
"parameters": {
"nsgResourceId": {
"type": "String",
"metadata": {
"description": "Full resource ID path for the NSG"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/subnets"
},
{
"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
"exists": false
}
]
},
"then": {
"effect": "append",
"details": [
{
"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup",
"value": {
"id": "[parameters('nsgResourceId')]"
}
}
]
}
}
}
}
@vg22
Copy link

vg22 commented May 6, 2022

@mmckechney I tried the modify action and I was able to see all the non compliant subnets, but remediate action seems to complain about

Reason
Failed to remediate resource: '/subscriptions/<sub-id>/resourceGroups/<rg_name>/providers/Microsoft.Network/virtualNetworks/v-net-name/subnets/subnet-name'. The 'PUT' request failed with status code: 'BadRequest'. Inner Error: 'Cannot parse the request.', Correlation Id: '87565527-4247-474f-b101-0dffd8606e78

Can you please review my policy here. This is my policy


{

	"if": {
		"allOf": [
			{
				"field": "type",
				"equals": "Microsoft.Network/virtualNetworks/subnets"
			},
			{
				"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
				"exists": false
			}
		]
	},
	"then": {
		
		"effect": "modify",
		"details": {
		  "roleDefinitionIds": [
			"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
		  ],
		  "conflictEffect": "audit",
		  "operations": [
			
			{
			  "operation": "addOrReplace",
			  "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup",
			  "value": "[parameters('nsgResourceId')]"
					}]
		}
	}
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment