From 7cc93833e58b6f1f72bd067a4b43f77e984e120d Mon Sep 17 00:00:00 2001
From: Michiel Janssen <69252746+digitmj@users.noreply.github.com>
Date: Sat, 13 Jan 2024 14:21:58 +0000
Subject: [PATCH] added policy to deny vnet peering removal

---
 .../azurepolicy.json | 57 +++++++++++++++++++
 .../azurepolicy.parameters.json | 22 +++++++
 .../azurepolicy.rules.json | 22 +++++++
 3 files changed, 101 insertions(+)
 create mode 100644 policyDefinitions/Network/vnet-peering-deny-removal/azurepolicy.json
 create mode 100644 policyDefinitions/Network/vnet-peering-deny-removal/azurepolicy.parameters.json
 create mode 100644 policyDefinitions/Network/vnet-peering-deny-removal/azurepolicy.rules.json

diff --git a/policyDefinitions/Network/vnet-peering-deny-removal/azurepolicy.json b/policyDefinitions/Network/vnet-peering-deny-removal/azurepolicy.json
new file mode 100644
index 00000000..2ce58e08
--- /dev/null
+++ b/policyDefinitions/Network/vnet-peering-deny-removal/azurepolicy.json
@@ -0,0 +1,57 @@
+{
+ "name": "6f194805-9450-4e29-bd6a-9bc370329126",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Deny VNet peering removal",
+ "description": "This Policy will deny the deletion of VNets peerings with a specified name.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network"
+ },
+ "mode": "All",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "DenyAction or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "DenyAction",
+ "Disabled"
+ ],
+ "defaultValue": "DenyAction"
+ },
+ "peeringName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "VNet peering name",
+ "description": "Name of the VNet peering that is not allowed to be removed"
+ },
+ "defaultValue": "Spoke-to-Hub"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
+ },
+ {
+ "field": "name",
+ "equals": "[parameters('peeringName')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "actionNames": [
+ "delete"
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Network/vnet-peering-deny-removal/azurepolicy.parameters.json b/policyDefinitions/Network/vnet-peering-deny-removal/azurepolicy.parameters.json
new file mode 100644
index 00000000..8cf47eaf
--- /dev/null
+++ b/policyDefinitions/Network/vnet-peering-deny-removal/azurepolicy.parameters.json
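Review bot: The `then` block's `"actionNames": ["delete"]` only denies a direct DELETE on the peering resource, while the displayName "Deny VNet peering removal" reads as full protection; to my knowledge a DenyAction scoped to `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` is not evaluated when the peering disappears because its parent virtual network is deleted, and deleting the peering on the remote VNet only leaves this side disconnected, so that should be confirmed and the boundary stated in the description. If it holds, something like `"description": "Denies direct deletion of VNet peerings with the specified name. Deleting the parent virtual network or the remote side of the peering is not covered."` would set expectations correctly. Resource-group deletion currently relies on the DenyAction default for `cascadeBehaviors`; spelling it out as `"cascadeBehaviors": { "resourceGroup": "deny" }` inside `details` makes the intent reviewable. The rule and parameters are duplicated verbatim in azurepolicy.rules.json and azurepolicy.parameters.json, so any wording or logic change has to land in all three files. Two descriptions also read awkwardly: "VNets peerings" should be "VNet peerings", and `"description": "DenyAction or Disabled the execution of the Policy"` would be clearer as `"description": "Set to DenyAction to enforce this policy or Disabled to turn it off."`.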
@@ -0,0 +1,22 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "DenyAction or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "DenyAction",
+ "Disabled"
+ ],
+ "defaultValue": "DenyAction"
+ },
+ "peeringName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "VNet peering name",
+ "description": "Name of the VNet peering that is not allowed to be removed"
+ },
+ "defaultValue": "Spoke-to-Hub"
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Network/vnet-peering-deny-removal/azurepolicy.rules.json b/policyDefinitions/Network/vnet-peering-deny-removal/azurepolicy.rules.json
new file mode 100644
index 00000000..27584898
--- /dev/null
+++ b/policyDefinitions/Network/vnet-peering-deny-removal/azurepolicy.rules.json
@@ -0,0 +1,22 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
+ },
+ {
+ "field": "name",
+ "equals": "[parameters('peeringName')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "actionNames": [
+ "delete"
+ ]
+ }
+ }
+}
\ No newline at end of file