Azure Policy team has a GitHub repository of Policy definitions examples. Recently I’ve been looking at some of the examples there and I’ve noticed that one of them was not working correctly. Specifically I am referring to Platform Image Policy. Additionally the example contains only the rules. It does not have ARM template for deploying the definition. You will notice also that the policy is pretty static as it does not contain parameters. Because of that based on that sample I would like to create an example on my own and show it to you.
Recently I’ve came into the following situation. I needed to store a json as Azure Automation string variable. To do that is easy as you just need to pass the json as text by first escaping it. That is easy peasy when using PowerShell. But what if you want to pass the json as object parameter via ARM template parameters file and do the escape completely within the ARM template. Apparently that is possible as well and I will show you how.
Subscription Level Template deployments is relatively new feature. Support for Azure CLI was added in version 2.0.40 and for AzureRM PowerShell module is yet to come. Basically instead of deploying resources at resource group you are doing that at subscription level. This opens a lot of possibilities some of which are:
My good friend and fellow MVP Tao Yang wrote a great post on Using ARM Templates to Deploying Azure Policy Definitions That Requires Input Parameters. Azure Policy has two terms that you should be aware:
- Policy Definition – This is the policy itself. This is the definition of what will be governed. The policy definition when created does not do anything until it is assigned. There are policy definitions available out of the box (created by Microsoft) and such that can be created on your own. Out of box policies are of type built-in and the ones created by you are custom.
- Policy Assignment – This assigns policy definition to be applied at specific level like subscription, management group or resource group.
Microsoft recently introduced a new model for purchasing Azure Log Analytics. To use this new model you will basically have to enable it on per subscription bases. In short you can either continue to use the old models or flip a switch on your subscription to use the new model. You cannot use both models for different workspaces in your subscription and you cannot move between the old models and the new ones without flipping that switch. Of course flipping that switch is easy as going into the Azure Portal -> Azure Monitor -> Usage and estimated costs blade but what about if you want to do this programmatically? Apparently there is a way to do it that way and in this blog post I will show you how.