Downloaded 41 times
![Conditions
“equals”: “value”
“like”: “value”
“match”: “value”
“contains”: “value”
“in”: [“val1”, “val2”]
“containsKey”: “keyName”
“exists”: “bool”
+ “not*” variants
Accessors
“field”: “fieldname”
“source”: “action”
Fields
name
kind
type
location
fullName
tags
tags.*
aliases](https://image.slidesharecdn.com/azureresourcemanagergovernance-180615112516/75/Stephane-Lapointe-Governance-in-Azure-keep-control-of-your-environments-26-2048.jpg)
!["properties": {
"displayName": "Allowed VM Skus",
"description": "This policy enables you to specify a set of virtual machine SKUs that your
organization can deploy."
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"not": {
"field":"Microsoft.Compute/virtualMachines/sku.name",
"in": ["Basic_A0","Basic_A1","Basic_A2","Basic_A3","Basic_A4"]
}
}
]
},
"then": {
"effect": "Deny"
}
}](https://image.slidesharecdn.com/azureresourcemanagergovernance-180615112516/75/Stephane-Lapointe-Governance-in-Azure-keep-control-of-your-environments-29-2048.jpg)
!["properties": {
"displayName": "Allowed VM Skus",
"description": "This policy enables you to specify a set of virtual machine SKUs that your
organization can deploy.",
"parameters": {
"listOfAllowedSKUs": {"type": "array"}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"not": {
"field":"Microsoft.Compute/virtualMachines/sku.name",
"in": "[parameters('listOfAllowedSKUs’)]"
}
}
]
},
"then": {
"effect": "Deny"
}
}](https://image.slidesharecdn.com/azureresourcemanagergovernance-180615112516/75/Stephane-Lapointe-Governance-in-Azure-keep-control-of-your-environments-30-2048.jpg)
Uploaded byMSDEVMTL
Stephane Lapointe: Governance in Azure, keep control of your environments
Stephane Lapointe is a Cloud Solutions Specialist at GSoft with over 20 years of experience in Microsoft technologies, focusing on Microsoft Azure. He is dedicated to community engagement and automation practices using PowerShell, and he provides insights on governance in Azure, including access control, management groups, and Azure security policies. The document outlines various policies and practices for controlling cloud environments and ensuring compliance.
More Related Content
![[Azure Governance] Lesson 4 : Azure Policy](https://cdn.slidesharecdn.com/ss_thumbnails/azuregovernance-lesson4-azurepolicy-190519183014-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Azure Governance] Lesson 3 : Azure Tags](https://cdn.slidesharecdn.com/ss_thumbnails/azuregovernance-lesson3-azuretags-190207132448-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Azure Governance] Lesson 1 : Azure Naming Convention](https://cdn.slidesharecdn.com/ss_thumbnails/azuregovernance-lesson1-azurenamingconvention-181027154955-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Azure Governance] Lesson 2 : Azure Locks](https://cdn.slidesharecdn.com/ss_thumbnails/azuregovernance-lesson2-azurelocks-190120120003-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Stephane Lapointe: Governance in Azure, keep control of your environments
Stephane Lapointe: Governance in Azure, keep control of your environments
- 1. Stephane Lapointe Cloud SolutionsSpecialist - GSoft Governance in Azure keep control of your environments [email protected]
- 2. Email :[email protected] Twitter : @s_lapointe Facebook : stephane.lapointe.azure LinkedIn : ca.linkedin.com/in/stephanelapointe Over 20 years of experience with Microsoft technologies. He is working at GSoft where he’s a Cloud Solution Specialist. He is very passionate about everything that touches Microsoft Azure, the DevOps practice and automation of all sort of things using PowerShell. He is very dedicated to the Montreal MSDEVMTL community where he is a co- organizer for the Azure group. He is also an Microsoft Azure MVP & Advisor.
- 3. You will: Learn aboutmanagement groups Learn about role based access control (RBAC) Learn about tags Learn about policies Learn about Azure Security Center Learn about Azure Advisor
- 6. Block Dev/Ops fromdirectly accessing the cloud (portal/api/cli) to attain control Developers Operations Cloud Custodian / Engineers responsible for Cloud environment
- 7. Removing barriers tocompliance and enabling velocity Developers Built-in controls through policy instead of workflow Operations Cloud Custodian Team
- 14. Teams Built-in RoleCustom Role Storage Administrator Storage Account Contributor Network Operator Network Contributor + Authorization Network Engineer Network Contributor Platform Operator Virtual Machine Contributor + Authorization Platform Engineer Virtual Machine Contributor Security Engineer Security Admin + Security Manager
- 16.
- 17.
- 22. User Code ARM–CentralizedControlPlane AzurePolicy Resource Config Requests Declarative Always On: On Change OnPeriodic Cadence On Demand (coming soon)
- 23.
- 24.
- 25.
- 26. Conditions “equals”: “value” “like”: “value” “match”:“value” “contains”: “value” “in”: [“val1”, “val2”] “containsKey”: “keyName” “exists”: “bool” + “not*” variants Accessors “field”: “fieldname” “source”: “action” Fields name kind type location fullName tags tags.* aliases
- 27. $policy = New-AzureRmPolicyDefinition-Name costCenterTagPolicyDefinition -Description "Policy to deny resource creation if no costCenter tag is provided" -Policy '{ "if": { "not" : { "field" : "tags", "containsKey" : "costCenter" } }, "then" : { "effect" : "deny" } }'
- 28. { "if": { "not": { "field":"name", "like": "namePrefix*nameSuffix" } }, "then": { "effect": "deny" } }
- 29. "properties": { "displayName": "AllowedVM Skus", "description": "This policy enables you to specify a set of virtual machine SKUs that your organization can deploy." }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Compute/virtualMachines" }, { "not": { "field":"Microsoft.Compute/virtualMachines/sku.name", "in": ["Basic_A0","Basic_A1","Basic_A2","Basic_A3","Basic_A4"] } } ] }, "then": { "effect": "Deny" } }
- 30. "properties": { "displayName": "AllowedVM Skus", "description": "This policy enables you to specify a set of virtual machine SKUs that your organization can deploy.", "parameters": { "listOfAllowedSKUs": {"type": "array"} } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Compute/virtualMachines" }, { "not": { "field":"Microsoft.Compute/virtualMachines/sku.name", "in": "[parameters('listOfAllowedSKUs’)]" } } ] }, "then": { "effect": "Deny" } }
- 35.
- 36. Stephane Lapointe Cloud SolutionsSpecialist - GSoft Governance in Azure keep control of your environments [email protected] Thank you
Editor's Notes
- #14 Can assign operations or exclude operations Excluded operations are not denying the action.