From 8a50b4d806e18b7281965d7aa4d6aef3e430fc05 Mon Sep 17 00:00:00 2001 From: Niclas <31761897+vegazbabz@users.noreply.github.com> Date: Fri, 20 Oct 2023 16:54:50 +0200 Subject: [PATCH] Tag policies (#390)
---------
Co-authored-by: Niclas Madsen
---
.../azurepolicy.json | 52 ++++++++++++++++ .../azurepolicy.parameters.json | 22 +++++++ .../azurepolicy.rules.json | 17 ++++++ .../azurepolicy.json | 59 +++++++++++++++++++ .../azurepolicy.parameters.json | 29 +++++++++ .../azurepolicy.rules.json | 17 ++++++ .../azurepolicy.json | 52 ++++++++++++++++ .../azurepolicy.parameters.json | 22 +++++++ .../azurepolicy.rules.json | 17 ++++++ 9 files changed, 287 insertions(+) create mode 100644 policyDefinitions/Tags/validate-date-tag-on-subscription/azurepolicy.json create mode 100644 policyDefinitions/Tags/validate-date-tag-on-subscription/azurepolicy.parameters.json create mode 100644 policyDefinitions/Tags/validate-date-tag-on-subscription/azurepolicy.rules.json create mode 100644 policyDefinitions/Tags/validate-email-tag-on-subscription/azurepolicy.json create mode 100644 policyDefinitions/Tags/validate-email-tag-on-subscription/azurepolicy.parameters.json create mode 100644 policyDefinitions/Tags/validate-email-tag-on-subscription/azurepolicy.rules.json create mode 100644 policyDefinitions/Tags/validate-length-of-subscription-tag/azurepolicy.json create mode 100644 policyDefinitions/Tags/validate-length-of-subscription-tag/azurepolicy.parameters.json create mode 100644 policyDefinitions/Tags/validate-length-of-subscription-tag/azurepolicy.rules.json
diff --git a/policyDefinitions/Tags/validate-date-tag-on-subscription/azurepolicy.json b/policyDefinitions/Tags/validate-date-tag-on-subscription/azurepolicy.json new file mode 100644
index 00000000..c45f41eb
--- /dev/null
+++ b/policyDefinitions/Tags/validate-date-tag-on-subscription/azurepolicy.json
@@ -0,0 +1,52 @@
+{
+ "name": "28e5394c-3122-4f50-a926-c7f168f0ebcc",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Validate date tag on subscription",
+ "description": "Validate a date tag on a subscription, e.g. ExpirationDate, in a YYYY-MM-DD format.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Tags"
+ },
+ "mode": "All",
+ "parameters": {
+ "tagExpirationDate": {
+ "type": "String",
+ "metadata": {
+ "displayName": "tagExpirationDate",
+ "description": "Name of the tag containing a date value."
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Deny, Audit or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "Deny",
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ },
+ {
+ "field": "[concat('tags[',parameters('tagExpirationDate'), ']')]",
+ "notMatch": "####-##-##"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Tags/validate-date-tag-on-subscription/azurepolicy.parameters.json b/policyDefinitions/Tags/validate-date-tag-on-subscription/azurepolicy.parameters.json new file mode 100644
index 00000000..97045966
--- /dev/null
+++ b/policyDefinitions/Tags/validate-date-tag-on-subscription/azurepolicy.parameters.json
@@ -0,0 +1,22 @@
+{
+ "tagExpirationDate": {
+ "type": "String",
+ "metadata": {
+ "displayName": "tagExpirationDate",
+ "description": "Name of the tag containing a date value."
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Deny, Audit or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "Deny",
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+}
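Review bot: `"notMatch": "####-##-##"` in the policyRule of azurepolicy.json checks only that the tag value is four digits, a hyphen, two digits, a hyphen and two digits, so a value such as `2023-13-45` satisfies it while the description promises YYYY-MM-DD validation; the identical condition is repeated in azurepolicy.rules.json in the hunk after the parameters file. The description should say what is actually enforced, e.g. `"description": "Validate that a subscription tag value, e.g. ExpirationDate, has the shape YYYY-MM-DD (digits and hyphens only; calendar validity is not checked)."`. A subscription that lacks the tag altogether presumably also fails the notMatch condition, since the field resolves to no value — if a missing tag should be reported separately from a malformed one, an explicit `"exists": "false"` condition would make that distinction visible; confirm against the policy engine's missing-field semantics before relying on either reading. The effect parameter's description `"Deny, Audit or Disabled the execution of the Policy"` reads awkwardly and is copied into all nine files; `"Enable or disable the execution of the policy (Deny, Audit or Disabled)."` would be clearer.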
diff --git a/policyDefinitions/Tags/validate-date-tag-on-subscription/azurepolicy.rules.json b/policyDefinitions/Tags/validate-date-tag-on-subscription/azurepolicy.rules.json new file mode 100644
index 00000000..24890705
--- /dev/null
+++ b/policyDefinitions/Tags/validate-date-tag-on-subscription/azurepolicy.rules.json
@@ -0,0 +1,17 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ },
+ {
+ "field": "[concat('tags[',parameters('tagExpirationDate'), ']')]",
+ "notMatch": "####-##-##"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+}
diff --git a/policyDefinitions/Tags/validate-email-tag-on-subscription/azurepolicy.json b/policyDefinitions/Tags/validate-email-tag-on-subscription/azurepolicy.json new file mode 100644
index 00000000..1a4857e5
--- /dev/null
+++ b/policyDefinitions/Tags/validate-email-tag-on-subscription/azurepolicy.json
@@ -0,0 +1,59 @@
+{
+ "name": "151a7585-6199-43c8-887d-5f83dce26aa2",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Validate email tag on subscription",
+ "description": "Ensure subscription tag value for an email tag follows format *@domain.com.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Tags"
+ },
+ "mode": "All",
+ "parameters": {
+ "tagEmail": {
+ "type": "String",
+ "metadata": {
+ "displayName": "tagEmail",
+ "description": "Name of the tag containing the email address, e.g. 'SubOwner-Email'"
+ }
+ },
+ "tagValueEmailDomain": {
+ "type": "String",
+ "metadata": {
+ "displayName": "emailDomain",
+ "description": "Enter the domain name of the email address, e.g. Accenture.com"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Deny, Audit or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "Deny",
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ },
+ {
+ "field": "[concat('tags[',parameters('tagEmail'), ']')]",
+ "notLike": "[concat('*@',parameters('tagValueEmailDomain'))]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Tags/validate-email-tag-on-subscription/azurepolicy.parameters.json b/policyDefinitions/Tags/validate-email-tag-on-subscription/azurepolicy.parameters.json new file mode 100644
index 00000000..22dc124f
--- /dev/null
+++ b/policyDefinitions/Tags/validate-email-tag-on-subscription/azurepolicy.parameters.json
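Review bot: `"notLike": "[concat('*@',parameters('tagValueEmailDomain'))]"` only checks that the tag value ends in `@<domain>`, because `*` matches any run of characters: an empty local part (`@contoso.com`) passes, and so does any text that merely has `@<domain>` appended; the same condition is repeated in azurepolicy.rules.json in the second hunk of the next line. If that looseness is acceptable, the description should state it, e.g. `"description": "Ensure the subscription tag value ends with @<tagValueEmailDomain>; the local part is not validated."`. `like` comparisons are documented as case-insensitive, so `Accenture.com` and `accenture.com` are treated alike — worth noting in the parameter description (confirm against the current operator docs), and the vendor-specific example there is better replaced by a neutral one such as `contoso.com`. Style: `tagValueEmailDomain` carries `"displayName": "emailDomain"`, whereas every other parameter in this commit uses its own name as displayName; pick one convention.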
@@ -0,0 +1,29 @@
+{
+ "tagEmail": {
+ "type": "String",
+ "metadata": {
+ "displayName": "tagEmail",
+ "description": "Name of the tag containing the email address, e.g. 'SubOwner-Email'"
+ }
+ },
+ "tagValueEmailDomain": {
+ "type": "String",
+ "metadata": {
+ "displayName": "emailDomain",
+ "description": "Enter the domain name of the email address, e.g. Accenture.com"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Deny, Audit or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "Deny",
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+}
diff --git a/policyDefinitions/Tags/validate-email-tag-on-subscription/azurepolicy.rules.json b/policyDefinitions/Tags/validate-email-tag-on-subscription/azurepolicy.rules.json new file mode 100644
index 00000000..834f2340
--- /dev/null
+++ b/policyDefinitions/Tags/validate-email-tag-on-subscription/azurepolicy.rules.json
@@ -0,0 +1,17 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ },
+ {
+ "field": "[concat('tags[',parameters('tagEmail'), ']')]",
+ "notLike": "[concat('*@',parameters('tagValueEmailDomain'))]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+}
diff --git a/policyDefinitions/Tags/validate-length-of-subscription-tag/azurepolicy.json b/policyDefinitions/Tags/validate-length-of-subscription-tag/azurepolicy.json new file mode 100644
index 00000000..618ad272
--- /dev/null
+++ b/policyDefinitions/Tags/validate-length-of-subscription-tag/azurepolicy.json
@@ -0,0 +1,52 @@
+{
+ "name": "64b026ea-d1f4-429d-b580-8d41c760bece",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Validate length of subscription tag",
+ "description": "Validate the length of a subscription tag value.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Tags"
+ },
+ "mode": "All",
+ "parameters": {
+ "tagCostCenter": {
+ "type": "String",
+ "metadata": {
+ "displayName": "tagCostCenter",
+ "description": "Name of the tag, e.g. CostCenter"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Deny, Audit or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "Deny",
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ },
+ {
+ "value": "[string(length(field(concat('tags[', parameters('tagCostCenter'), ']'))))]",
+ "notEquals": "6"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Tags/validate-length-of-subscription-tag/azurepolicy.parameters.json b/policyDefinitions/Tags/validate-length-of-subscription-tag/azurepolicy.parameters.json new file mode 100644
index 00000000..5b51f9da
--- /dev/null
+++ b/policyDefinitions/Tags/validate-length-of-subscription-tag/azurepolicy.parameters.json
@@ -0,0 +1,22 @@
+{
+ "tagCostCenter": {
+ "type": "String",
+ "metadata": {
+ "displayName": "tagCostCenter",
+ "description": "Name of the tag, e.g. CostCenter"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Deny, Audit or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "Deny",
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+}
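Review bot: The required length is hard-coded as `"notEquals": "6"` in the policyRule while the displayName, description and parameter names present this as a generic length check, so reusing the definition for another tag means editing the rule instead of the assignment; the same literal is repeated in azurepolicy.rules.json on the next line, and azurepolicy.parameters.json in this line's second hunk would need the new parameter as well. Parameterising the length with a default of 6 keeps current behaviour and lets the three files match the advertised purpose; the rewritten parameter and condition are below. Separately, when the tag is absent `field()` yields no value and `length()` of it may raise an evaluation error rather than evaluate to 0 — an evaluation error under a Deny assignment is handled differently from a clean false, so this is worth confirming and, if needed, guarding with an `"exists": "true"` condition on the tag field ahead of the length comparison.
```json
"tagValueLength": {
  "type": "Integer",
  "metadata": {
    "displayName": "tagValueLength",
    "description": "Required length of the tag value."
  },
  "defaultValue": 6
},

{
  "value": "[string(length(field(concat('tags[', parameters('tagCostCenter'), ']'))))]",
  "notEquals": "[string(parameters('tagValueLength'))]"
}
```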
diff --git a/policyDefinitions/Tags/validate-length-of-subscription-tag/azurepolicy.rules.json b/policyDefinitions/Tags/validate-length-of-subscription-tag/azurepolicy.rules.json new file mode 100644
index 00000000..afbe5ac9
--- /dev/null
+++ b/policyDefinitions/Tags/validate-length-of-subscription-tag/azurepolicy.rules.json
@@ -0,0 +1,17 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ },
+ {
+ "value": "[string(length(field(concat('tags[', parameters('tagCostCenter'), ']'))))]",
+ "notEquals": "6"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+}