Custom Azure Policies

This is a collection of custom Azure policies that can be useful to govern your Azure resources.

Tag: Create a CreatedOnDate tag for resources and resource groups

This policy adds a tag to every resource and resource group, with the UTC date at the time of creation as its value. That is useful for automation and other tasks that need to know when a resource was created, because the creation time is not easily recoverable by the traditional route: the activity log only keeps events for 90 days.

Create the policy definition

  • In Azure Policy create a new policy definition
  • The definition location can be either a management group or a subscription
  • Give the definition a useful name; it can be descriptive and contain spaces
    • For example: Add a CreatedOnDate tag to all resources
  • In the description add some useful text explaining what the tag does
  • Choose to categorize the new policy under a new custom category or an existing one
    • I like to group my custom policies together, for example: custom: Tags
  • Go to my GitHub repo, copy/paste the JSON data and save the policy (a definition has no effect until it is assigned, so it is safe to save)

https://github.com/grinntec/azure/blob/3ab6422faeba7f1f74bbb363d93d30b62ad5aad7/governance/azure-policy/CreatedOnDate.json

Assign the policy definition

  • In Azure Policy locate the new policy definition
  • From the ellipsis menu choose Assign
  • The assignment scope can be any level at or below the scope where you created the policy definition. If you created the definition at a subscription you can only assign it to that subscription or to resource groups within it. Good practice for this type of policy is to create the definition at a management group high enough up the chain that you can pick your targets freely.
    • Conversely, you can choose a root scope and then exclude specific targets
  • Edit the assignment name if you wish
  • Add a description if you wish
  • Leave enforcement mode enabled. When it is disabled the policy effect isn't enforced (a deny policy won't deny resources, and this policy won't add the tag); compliance assessment results are still produced.
  • There are no parameters for this policy
  • Do not create a remediation task for this policy: it stamps the current time, so remediating existing resources would give them today's date rather than their real creation date
  • If you wish, enter a non-compliance message, for example: This resource was created before the CreatedOnDate policy was put into effect and cannot be remediated
  • Review and create the assignment
  • Now create a resource and check that the tag is generated as designed
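The same procedure scripted with Az PowerShell, as an added example that is not code from this page or from the grinntec repository: the policy rule is my own reconstruction of a CreatedOnDate policy (Azure Policy's utcNow() function behind a modify effect), and the management group name mg-corp, the location westeurope, the Contributor role and the test resource group rg-policy-test are assumed values. It needs the Az.Resources module, an authenticated session whose current subscription sits under that management group, and rights to create definitions, assignments and role assignments at that scope.

```powershell
# Added example (not the page's or the grinntec repo's code): create, assign and
# verify a CreatedOnDate tagging policy with Az PowerShell instead of the portal.
# Hypothetical values: management group 'mg-corp', location 'westeurope',
# test resource group 'rg-policy-test'. Requires Az.Resources and Connect-AzAccount.

$managementGroup = 'mg-corp'
$definitionName  = 'add-createdondate-tag'
$tagName         = 'CreatedOnDate'

# Policy rule, reconstructed here rather than copied from the repo. The "if"
# block only matches resources that do not yet carry the tag, and the modify
# operation is "add" (not "addOrReplace"), so a later PUT to the same resource
# never overwrites the original value with a fresh utcNow().
# Contributor (b24988ac-...) is the role the assignment's identity needs to
# write tags; a narrower built-in role such as Tag Contributor is the
# least-privilege choice (look up its ID with Get-AzRoleDefinition).
$policyRule = @"
{
  "if": {
    "field": "tags['$tagName']",
    "exists": "false"
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "operations": [
        {
          "operation": "add",
          "field": "tags['$tagName']",
          "value": "[utcNow()]"
        }
      ]
    }
  }
}
"@

# Mode 'All' so that resource groups are evaluated as well as tag-capable resources.
$definition = New-AzPolicyDefinition `
    -Name $definitionName `
    -DisplayName "Add a $tagName tag to all resources" `
    -Description "Adds a $tagName tag whose value is the UTC timestamp at creation time." `
    -Policy $policyRule `
    -Mode 'All' `
    -Metadata '{"category":"custom: Tags"}' `
    -ManagementGroupName $managementGroup

# Assign at the management group. A system-assigned identity is required because
# the modify effect writes to resources; enforcement stays Default (enabled).
$scope = "/providers/Microsoft.Management/managementGroups/$managementGroup"
$assignment = New-AzPolicyAssignment `
    -Name $definitionName `
    -DisplayName "Add a $tagName tag to all resources" `
    -PolicyDefinition $definition `
    -Scope $scope `
    -IdentityType SystemAssigned `
    -Location 'westeurope' `
    -EnforcementMode Default `
    -NonComplianceMessage @{ Message = "This resource was created before the $tagName policy took effect and cannot be remediated." }

# Grant the identity the role named in roleDefinitionIds at the assignment scope.
# Az.Resources 7.x exposes the principal as IdentityPrincipalId, older versions
# as Identity.PrincipalId; handle both.
$principalId = if ($assignment.IdentityPrincipalId) { $assignment.IdentityPrincipalId } else { $assignment.Identity.PrincipalId }
Start-Sleep -Seconds 30   # let the new identity replicate before creating the role assignment
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Contributor' -Scope $scope

# Check: a resource group created now (in a subscription under mg-corp) gets the
# tag; one that existed before the assignment keeps its tags and is reported as
# non-compliant with the message above, and no remediation task is created.
$rg = New-AzResourceGroup -Name 'rg-policy-test' -Location 'westeurope'
(Get-AzResourceGroup -Name $rg.ResourceGroupName).Tags[$tagName]   # an ISO 8601 UTC timestamp
```

The `exists: false` condition is the part worth keeping whatever JSON you use: with `addOrReplace` and no such condition, every subsequent update to the resource would re-evaluate `utcNow()` and the tag would drift to the last-modified time rather than the creation time. The role assignment step is the other thing the portal does for you: without it the modify effect fails and the tag is silently missing.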


References

https://jrudlin.github.io/2019-07-18-azure-policy-createdon-date/

Last modified July 21, 2024: update (e2ae86c)