Initial policies and method for creating policy definition.

This adds some initial example policies: - One for region restrictions - One for service restrictions Note that the MS ARM team has said that region restrictions may be controlled by ARM, so that policy might prove unnecessary. The parameters list for the service restrictions is stubbed for now, pending the full list. I also added an internal method for adding policy definitions to a management group. This method is agnostic about what tier of management group the policy is being defined at. It requires that a dictionary representing the properties section of a valid Azure JSON policy definition be passed as an argument.
2019-12-13 16:32:46 -05:00
parent 7dbdeb3ae7
commit b61956080e
8 changed files with 309 additions and 87 deletions
--- a/policies/portfolios/allowed-resource-types.json
+++ b/policies/portfolios/allowed-resource-types.json
@@ -0,0 +1,40 @@
+{
+  "definitionPoint": "portfolio-parent",
+  "policyDefinition": {
+    "properties": {
+      "displayName": "Allowed resource types",
+      "policyType": "Custom",
+      "mode": "Indexed",
+      "description": "This policy enables you to specify the resource types that your organization can deploy.",
+      "parameters": {
+        "listOfResourceTypesAllowed": {
+          "type": "Array",
+          "metadata": {
+            "description": "The list of resource types that can be deployed.",
+            "displayName": "Allowed resource types",
+            "strongType": "resourceTypes"
+          }
+        }
+      },
+      "policyRule": {
+        "if": {
+          "not": {
+            "field": "type",
+            "in": "[parameters('listOfResourceTypesAllowed')]"
+          }
+        },
+        "then": {
+          "effect": "deny"
+        }
+      }
+    },
+    "type": "Microsoft.Authorization/policyDefinitions"
+  },
+  "parameters": {
+    "listOfResourceTypesAllowed": {
+      "value": [
+        "Microsoft.Cache"
+      ]
+    }
+  }
+}
--- a/policies/portfolios/region-restriction.json
+++ b/policies/portfolios/region-restriction.json
@@ -0,0 +1,51 @@
+{
+  "definitionPoint": "portfolio-parent",
+  "policyDefinition": {
+    "properties": {
+      "displayName": "Custom - Region Restriction",
+      "policyType": "Custom",
+      "mode": "Indexed",
+      "parameters": {
+        "listOfAllowedLocations": {
+          "type": "Array",
+          "metadata": {
+            "displayName": "Allowed locations",
+            "description": "The list of locations that can be specified when deploying resources.",
+            "strongType": "location"
+          }
+        }
+      },
+      "policyRule": {
+        "if": {
+          "allOf": [
+            {
+              "field": "location",
+              "notIn": "[parameters('listOfAllowedLocations')]"
+            },
+            {
+              "field": "location",
+              "notEquals": "global"
+            },
+            {
+              "field": "type",
+              "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
+            }
+          ]
+        },
+        "then": {
+          "effect": "Deny"
+        }
+      }
+    },
+    "type": "Microsoft.Authorization/policyDefinitions"
+  },
+  "parameters": {
+    "listOfAllowedLocations": {
+      "value": [
+        "eastus",
+        "southcentralus",
+        "westus"
+      ]
+    }
+  }
+}