Creating an Azure Resource Policy via a template

Hi all,

This post is about Azure Resource Policy (ARP), and specifically about creating an ARP from a template.

If you want to understand what an ARP is and why you need it, refer to the official documentation here: Link1

When you start testing resource policies, things are not complicated: you can use PowerShell to create the policy definition and then the assignment. But once you start writing real-world policies with a lot of variables, you want a better way of defining the core of the ARP, and that is where templates come in.

The template is just, as usual, a JSON file in which you put the policy definition in a structured way, and then use that file to create the policy. This is still easy since, in the end, you paste the policy definition into a JSON file and run the same command, passing the file path instead of an inline string. This is documented here: Link2

What is missing from the documentation today is how to create ARP templates that rely on parameters.

1- Why do I need parameters on an ARP ?

The answer to this question is very easy. Suppose you want to apply a policy to different subscriptions or different resource groups. You may notice that the policy rule is the same everywhere and only some property values differ.

Example: I want only a given set of VM sizes to be used within my subscriptions. The goal is the same for all of them, but each subscription is allowed a different set of sizes:

  • Subscription A: A-Series
  • Subscription B: A-Series, D-Series
  • Subscription C: A-Series, D-Series, F-Series

So in a world without parameters, I would have to create 3 policy definitions and assign one policy to each subscription:

#Powershell example (one definition and one assignment per subscription; the size list is hard-coded in each JSON file)

#Policy A
$PolicyName = "AllowedVMSizesA"
$PolicyFile = "C:\path\AllowedVMSizesA.json"
$definition = New-AzureRmPolicyDefinition -Name $PolicyName -Policy $PolicyFile
New-AzureRmPolicyAssignment -Name $PolicyName -Scope "/subscriptions/SubA-ID" -PolicyDefinition $definition

#Policy B
$PolicyName = "AllowedVMSizesB"
$PolicyFile = "C:\path\AllowedVMSizesB.json"
$definition = New-AzureRmPolicyDefinition -Name $PolicyName -Policy $PolicyFile
New-AzureRmPolicyAssignment -Name $PolicyName -Scope "/subscriptions/SubB-ID" -PolicyDefinition $definition

#Policy C
$PolicyName = "AllowedVMSizesC"
$PolicyFile = "C:\path\AllowedVMSizesC.json"
$definition = New-AzureRmPolicyDefinition -Name $PolicyName -Policy $PolicyFile
New-AzureRmPolicyAssignment -Name $PolicyName -Scope "/subscriptions/SubC-ID" -PolicyDefinition $definition

 

 

In a world with parameters, I create 1 policy definition whose rule references a parameter holding the list of allowed sizes. When assigning the policy to subscription X, I just pass the list of sizes allowed for X. Three definitions whose rules drift apart over time become one definition with three sets of values, which is much easier to review and audit.

So parameters are not a nicety; for any policy applied at more than one scope they are crucial.

2- What is the solution?

The solution in this case is to define a policy with parameters and, each time you assign the policy to a scope, supply the parameter value(s).

A parametrized ARP template is composed of 2 or 3 files:

  • The policy definition file: contains the policy rule, which references the parameters
  • The policy parameter file: declares the parameters the rule references (name, type, metadata)
  • The parameter values file (optional): contains the values to supply for a given assignment

NB: The first 2 files are used only when creating the policy definition; the third is used when making the assignment (the values can also be passed inline from PowerShell, as in the script in section 4).

3- What is the syntax of each file ?

The policy definition file is a copy/paste of the policy definition as described in the MS documentation: Link1

You just have to copy your definition into a JSON file and reference the parameters from within the rule. A parameter reference has the following format: [parameters('parameterName')]

The policy parameter file has the following syntax (the example below can be used as a starting point; the type can be string, array, object, boolean, integer, etc., and a list of allowed sizes would be declared as an array):

#########################

{
  "parameterName": {
    "type": "string",
    "metadata": {
      "description": "The description"
    }
  },
  "parameterName2": {
    "type": "string",
    "metadata": {
      "description": "The description"
    }
  },
  "parameterName3": {
    "type": "string",
    "metadata": {
      "description": "The description"
    }
  }
}

################################

Important: if a parameter is referenced in the definition file but not declared in the parameter file, the policy creation (New-AzureRmPolicyDefinition) fails with an error. The assignment step never gets the chance to catch it.

4- How to create and assign the policy ?

Use the following script to create and assign the policy (replace the placeholder strings with your own values):

###################

#Variables
$PolicyName      = "PolicyName"
$PolicyFile      = "Path of json Policy Definition File"
$PolicyFileParam = "Path of json Policy parameter File"
$ScopeID         = "Type here the scope ID"   # e.g. /subscriptions/<subscription-id>

#Params (one variable per parameter declared in the parameter file)
$param1value = "the value of the parameter 1"
$param2value = "the value of the parameter 2"
$paramNvalue = "the value of the parameter N"

#Create the definition (the -Parameter file declares the parameters the rule references)
$definition = New-AzureRmPolicyDefinition -Name $PolicyName -Policy $PolicyFile -Parameter $PolicyFileParam

#Assign the policy, supplying the values as a hashtable keyed by parameter name
#(one entry per parameter declared in the parameter file)
New-AzureRmPolicyAssignment -Name $PolicyName -Scope $ScopeID -PolicyDefinition $definition `
    -PolicyParameterObject @{ "Param1" = $param1value; "Param2" = $param2value; "ParamN" = $paramNvalue }

###################
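To tie sections 1 to 4 together, here is the allowed-VM-sizes scenario from section 1 carried through end to end as an added example (not code from the original post): one parametrized definition, created once, then assigned to three subscriptions with different size lists. It assumes the AzureRM module is loaded and you are already logged in; the subscription IDs and the SKU names are placeholders you must replace.

```powershell
# Added example, not from the original post. Assumptions: AzureRM module loaded,
# Login-AzureRmAccount already run, placeholder subscription IDs and SKU lists below.

$PolicyName = "AllowedVMSizes"
$WorkDir    = Join-Path $env:TEMP "arp-template"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1) Policy definition file: the rule references the parameter instead of a fixed list.
#    Deny any VM whose SKU name is NOT in the list supplied at assignment time.
$PolicyFile = Join-Path $WorkDir "AllowedVMSizes.rule.json"
@'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      {
        "not": {
          "field": "Microsoft.Compute/virtualMachines/sku.name",
          "in": "[parameters('listOfAllowedSKUs')]"
        }
      }
    ]
  },
  "then": { "effect": "deny" }
}
'@ | Set-Content -Path $PolicyFile -Encoding UTF8

# 2) Policy parameter file: declares every parameter the rule uses.
#    The type is "array" (not "string") because the rule uses the "in" operator.
$PolicyFileParam = Join-Path $WorkDir "AllowedVMSizes.params.json"
@'
{
  "listOfAllowedSKUs": {
    "type": "array",
    "metadata": {
      "displayName": "Allowed VM SKUs",
      "description": "VM SKU names that may be deployed in this scope",
      "strongType": "VMSKUs"
    }
  }
}
'@ | Set-Content -Path $PolicyFileParam -Encoding UTF8

# 3) Create the definition ONCE. A parameter referenced in the rule but missing
#    from the parameter file makes this call fail, not the assignment.
$definition = New-AzureRmPolicyDefinition -Name $PolicyName `
    -DisplayName "Allowed virtual machine sizes (parametrized)" `
    -Policy $PolicyFile -Parameter $PolicyFileParam

# 4) Assign the same definition per subscription, varying only the parameter value.
#    Placeholder IDs and SKU names; per-scope values live in the assignment, never in the rule.
$AllowedBySubscription = @{
    "00000000-0000-0000-0000-00000000000a" = @("Standard_A1_v2", "Standard_A2_v2")                     # Sub A: A-Series
    "00000000-0000-0000-0000-00000000000b" = @("Standard_A1_v2", "Standard_A2_v2", "Standard_D2_v3")   # Sub B: A + D
    "00000000-0000-0000-0000-00000000000c" = @("Standard_A1_v2", "Standard_D2_v3", "Standard_F2s_v2")  # Sub C: A + D + F
}

foreach ($subId in $AllowedBySubscription.Keys) {
    $scope = "/subscriptions/$subId"
    New-AzureRmPolicyAssignment -Name $PolicyName -Scope $scope -PolicyDefinition $definition `
        -PolicyParameterObject @{ listOfAllowedSKUs = $AllowedBySubscription[$subId] } | Out-Null

    # Check: read the assignment back and print the list that will actually be enforced.
    $assigned  = Get-AzureRmPolicyAssignment -Name $PolicyName -Scope $scope
    $effective = $assigned.Properties.parameters.listOfAllowedSKUs.value
    Write-Output ("{0}: {1}" -f $scope, ($effective -join ", "))
}
```

If you prefer the third file from section 2 (a parameter values file) over an inline hashtable, write a JSON file of the form {"listOfAllowedSKUs": {"value": ["Standard_A1_v2", ...]}} per scope and pass its path with -PolicyParameter instead of -PolicyParameterObject. Either way, keep the read-back check: an assignment whose parameter value is empty or wrong silently allows (or denies) everything, and the definition itself gives no hint of that.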