Posted in: Azure, Microsoft. By Tobias Vuorenmaa

5 years ago

If you have used Resource Graph to query resources, you might have realized that it comes in very handy when creating Azure Policies. For example, you might check the SKUs of your virtual machines before you create a policy that audits specific virtual machine sizes, or even prevents their creation. (If you haven't used Azure Resource Graph yet, you can check out my previous post: https://xenit.se/techblogg/azure-resource-graph/)
Let’s take it further and actually create a Policy based on our Resource Graph query.
In my example below I query all storage accounts that allow connections from all virtual networks and where the environment tag is set to Prod.
I am running all commands in Cloud Shell with the CLI, but you could just as well use PowerShell.

CLI

az graph query -q "where type =~ 'microsoft.storage/storageaccounts' | where aliases['Microsoft.Storage/storageAccounts/networkAcls.defaultAction'] =='Allow' and tags.environment== 'Prod'|summarize count()"
[
  {
    "count_": 1
  }
]

The query looks for the following setting, which can be found under Firewalls and virtual networks on your storage account.

Creating the policy

To create the policy, I am using the tool GraphToPolicy. The tool and instructions can be found here: http://aka.ms/graph2policy
Follow the instructions for the tool; once you have imported it into your Cloud Shell environment you are ready to go.
I am using the same query as before and create a policy to audit all storage accounts that allow connections from all virtual networks and have the environment tag set to Prod.

CLI

graph2policy --query "where type =~ 'microsoft.storage/storageaccounts' | where aliases['Microsoft.Storage/storageAccounts/networkAcls.defaultAction'] =='Allow' and tags.environment== 'Prod'|summarize count()" --effect "audit" --create "Audit Storage Account that Allows Connections from all Vnet"

Output:

{
  "description": null,
  "displayName": "Audit Storage Account that Allows Connections from all Vnet",
  "id": "/subscriptions/b770c4d0-c08a-4ee3-9f76-95e2bxxxxxxa/providers/Microsoft.Authorization/policyDefinitions/Audit Storage Account that Allows Connections from all Vnet",
  "metadata": null,
  "mode": null,
  "name": "Audit Storage Account that Allows Connections from all Vnet",
  "parameters": {},
  "policyRule": {
    "if": {
      "allOf": [
        {
          "equals": "microsoft.storage/storageaccounts",
          "field": "type"
        },
        {
          "allOf": [
            {
              "equals": "Allow",
              "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction"
            },
            {
              "equals": "Prod",
              "field": "tags.environment"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  },
  "policyType": "Custom",
  "type": "Microsoft.Authorization/policyDefinitions"
}

CLI

Same policy as above, but with the query stored in a variable

StgAccountQuery="where type =~ 'microsoft.storage/storageaccounts' | where aliases['Microsoft.Storage/storageAccounts/networkAcls.defaultAction'] =='Allow' and tags.environment== 'Prod'|summarize count()"
graph2policy --query "$StgAccountQuery" --effect "audit" --create "Audit Storage Account that Allows Connections from all Vnet"
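To make the mapping from the Resource Graph query to the policyRule above concrete, here is an added example (my own code, not graph2policy or anything from the post) that translates the post's query into the same if/allOf/equals structure and then evaluates that rule against a few constructed storage account records to see which ones an audit assignment would flag. The resource dicts, their aliases key, and the names stprodopen, stprodlocked and stdevopen are all constructed for this example.

```python
import re

# Constructed input: the query from the post; the summarize stage is dropped below.
STORAGE_QUERY = ("where type =~ 'microsoft.storage/storageaccounts' "
                 "| where aliases['Microsoft.Storage/storageAccounts/networkAcls.defaultAction'] =='Allow'"
                 " and tags.environment== 'Prod'|summarize count()")
# One "<field> == 'value'" / "<field> =~ 'value'" comparison; <field> is either
# aliases['<alias>'] or a plain path such as type or tags.environment.
COND_RE = re.compile(r"(aliases\['([^']+)'\]|[\w.]+)\s*(?:==|=~)\s*'([^']*)'")

def query_to_policy_rule(query, effect="audit"):
    """Hypothetical translator (not graph2policy itself): each `where` stage becomes
    an allOf group and each equality comparison a {field, equals} condition."""
    groups = []
    for stage in (s.strip() for s in query.split("|")):
        if not stage.startswith("where "):
            continue  # summarize/project stages have no policy equivalent
        conds = [{"field": m.group(2) or m.group(1), "equals": m.group(3)}
                 for m in COND_RE.finditer(stage[len("where "):])]
        if conds:
            groups.append(conds[0] if len(conds) == 1 else {"allOf": conds})
    return {"if": {"allOf": groups}, "then": {"effect": effect}}

def resource_field(resource, field):
    """Resolve a policy field against a constructed resource dict."""
    if field.startswith("tags."):
        return resource.get("tags", {}).get(field[len("tags."):])
    if "/" in field:  # alias such as Microsoft.Storage/storageAccounts/...
        return resource.get("aliases", {}).get(field)
    return resource.get(field)

def matches(cond, resource):
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    actual = resource_field(resource, cond["field"])
    # Policy `equals` is case-insensitive, like KQL =~ (KQL == is not).
    return actual is not None and actual.lower() == cond["equals"].lower()

def non_compliant(rule, resources):
    """Names the audit rule flags: the rule's `if` describes the unwanted state."""
    return [r["name"] for r in resources if matches(rule["if"], r)]
# Constructed sample resources: one open Prod account, one locked down, one Dev.
ALIAS = "Microsoft.Storage/storageAccounts/networkAcls.defaultAction"
SAMPLE_RESOURCES = [
    {"name": "stprodopen", "type": "microsoft.storage/storageaccounts",
     "tags": {"environment": "Prod"}, "aliases": {ALIAS: "Allow"}},
    {"name": "stprodlocked", "type": "microsoft.storage/storageaccounts",
     "tags": {"environment": "Prod"}, "aliases": {ALIAS: "Deny"}},
    {"name": "stdevopen", "type": "microsoft.storage/storageaccounts",
     "tags": {"environment": "Dev"}, "aliases": {ALIAS: "Allow"}},
]
```

Running `non_compliant(query_to_policy_rule(STORAGE_QUERY), SAMPLE_RESOURCES)` returns only the open Prod account, mirroring the single non-compliant storage account the post's assignment reports.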

After creation the policy is ready for assignment. I assigned it to my test subscription, and as you can see in my example it shows that one of my storage accounts is non-compliant.

Summary

Resource Graph is a handy tool and, as you might have gathered, it is very useful when looking for specific properties or anomalies in your resources. Together with GraphToPolicy it's easy to create Azure Policies based on your Resource Graph queries.
Credit for the tool goes to robinchapas https://github.com/robinchapas/ConvertToPolicy
If you have any questions you can reach me at tobias.vuorenmaa@xenit.se

Tags : Azure, Azure Governance, Azure Policy, Azure Resource Graph
