Adding new policy definition to handle custom roles with exclusionlist (

#480) * adding new Azure policy for custom roles * Updating display name * moving parameters in correct alphabetic order --------- Co-authored-by: Sebastian Claesson <[email protected]>
Azure · Oct 16, 2024 · 0465268 · 0465268
1 parent c158559
commit 0465268
Show file tree

Hide file tree

Showing 3 changed files with 101 additions and 0 deletions.
diff --git a/policyDefinitions/Authorization/deny-custom-roles-with-exclusionlist/azurepolicy.json b/policyDefinitions/Authorization/deny-custom-roles-with-exclusionlist/azurepolicy.json
@@ -0,0 +1,57 @@
+{
+  "name": "4eaae358-7df4-4338-ae26-c4547ebe9403",
+  "type": "Microsoft.Authorization/policyDefinitions",
+  "properties": {
+    "displayName": "Deny custom roles with exclusionlist",
+    "description": "This policy will audit or deny the creation of RBAC custom roles, excluding specified role definition names.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "Authorization"
+    },
+    "mode": "All",
+    "parameters": {
+      "excludedRoleNames": {
+        "type": "array",
+        "metadata": {
+          "displayName": "Excluded Role Names",
+          "description": "Names of Roles to be excluded from the policy."
+        },
+        "defaultValue": []
+      },
+      "effect": {
+        "type": "string",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Deny, Audit or Disabled the execution of the Policy"
+        },
+        "allowedValues": [
+          "Deny",
+          "Audit",
+          "Disabled"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Authorization/roleDefinitions"
+          },
+          {
+            "field": "Microsoft.Authorization/roleDefinitions/type",
+            "notEquals": "BuiltInRole"
+          },
+          {
+            "field": "Microsoft.Authorization/roleDefinitions/roleName",
+            "notIn": "[parameters('ExcludedRoleNames')]"
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    }
+  }
+}
diff --git a/...efinitions/Authorization/deny-custom-roles-with-exclusionlist/azurepolicy.parameters.json b/...efinitions/Authorization/deny-custom-roles-with-exclusionlist/azurepolicy.parameters.json
@@ -0,0 +1,23 @@
+{
+    "excludedRoleNames": {
+        "type": "array",
+        "metadata": {
+            "displayName": "Excluded Role Names",
+            "description": "Names of Roles to be excluded from the policy."
+        },
+        "defaultValue": []
+    },
+    "effect": {
+        "type": "string",
+        "metadata": {
+            "displayName": "Effect",
+            "description": "Deny, Audit or Disabled the execution of the Policy"
+        },
+        "allowedValues": [
+            "Deny",
+            "Audit",
+            "Disabled"
+        ],
+        "defaultValue": "Audit"
+    }
+}
diff --git a/policyDefinitions/Authorization/deny-custom-roles-with-exclusionlist/azurepolicy.rules.json b/policyDefinitions/Authorization/deny-custom-roles-with-exclusionlist/azurepolicy.rules.json
@@ -0,0 +1,21 @@
+{
+    "if": {
+        "allOf": [
+            {
+                "field": "type",
+                "equals": "Microsoft.Authorization/roleDefinitions"
+            },
+            {
+                "field": "Microsoft.Authorization/roleDefinitions/type",
+                "notEquals": "BuiltInRole"
+            },
+            {
+                "field": "Microsoft.Authorization/roleDefinitions/roleName",
+                "notIn": "[parameters('ExcludedRoleNames')]"
+            }
+        ]
+    },
+    "then": {
+        "effect": "[parameters('effect')]"
+    }
+}