Fixed app service plan policy to allow for func consumption plans

jonathan-vella · Apr 30, 2021 · ccedcf8 · ccedcf8
1 parent 39d8d7d
commit ccedcf8
Show file tree

Hide file tree

Showing 2 changed files with 114 additions and 105 deletions.
diff --git a/bicep/naming-convention-plan.bicep b/bicep/naming-convention-plan.bicep
@@ -1,11 +1,57 @@
 targetScope = 'subscription'
 
-module plan '../modules/naming-convention-generic.bicep' = {
+@allowed([
+ 'Deny'
+ 'Audit'
+ 'Disabled'
+])
+@description('The effect determines what happens when the policy rule is evaluated to match')
+param effect string = 'Deny'
+
+@allowed([
+ 'Default'
+ 'DoNotEnforce'
+])
+@description('When enforcement mode is disabled, the policy effect isn\'t enforced (i.e. deny policy won\'t deny resources). Compliance assessment results are still available.')
+param enforcementMode string = 'Default'
+
+resource genericPolicy 'Microsoft.Authorization/policyDefinitions@2020-03-01' = {
  name: 'policy-naming-convention-plan'
- params: {
- pattern: 'plan-*'
- policyName: 'policy-naming-convention-plan'
- assignmentName: 'assignment-naming-convention-plan'
- type: 'Microsoft.Web/serverfarms'
+ properties: {
+ policyType: 'Custom'
+ mode: 'All'
+ policyRule: {
+ if: {
+ allOf: [
+ {
+ field: 'type' 
+ equals: 'Microsoft.Web/serverfarms'
+ }
+ {
+ allOf:[
+ {
+ field: 'name'
+ notLike: 'plan-*'
+ }
+ {
+ field: 'name'
+ notLike: 'asp-*' // Function app with consumption plan
+ }
+ ]
+ }
+ ]
+ }
+ then: {
+ effect: effect
+ }
+ }
+ }
+}
+
+resource genericAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
+ name: 'assignment-naming-convention-plan'
+ properties: {
+ policyDefinitionId: genericPolicy.id
+ enforcementMode: enforcementMode
  }
 }
diff --git a/dist/naming-convention-plan.json b/dist/naming-convention-plan.json
@@ -1,122 +1,85 @@
 {
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
+ "parameters": {
+ "effect": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "metadata": {
+ "description": "The effect determines what happens when the policy rule is evaluated to match"
+ },
+ "allowedValues": [
+ "Deny",
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "enforcementMode": {
+ "type": "string",
+ "defaultValue": "Default",
+ "metadata": {
+ "description": "When enforcement mode is disabled, the policy effect isn't enforced (i.e. deny policy won't deny resources). Compliance assessment results are still available."
+ },
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ]
+ }
+ },
  "functions": [],
  "resources": [
  {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2019-10-01",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2020-03-01",
  "name": "policy-naming-convention-plan",
- "location": "[deployment().location]",
  "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "pattern": {
- "value": "plan-*"
- },
- "policyName": {
- "value": "policy-naming-convention-plan"
- },
- "assignmentName": {
- "value": "assignment-naming-convention-plan"
- },
- "type": {
- "value": "Microsoft.Web/serverfarms"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "pattern": {
- "type": "string"
- },
- "policyName": {
- "type": "string"
- },
- "assignmentName": {
- "type": "string"
- },
- "type": {
- "type": "string"
- },
- "effect": {
- "type": "string",
- "defaultValue": "Deny",
- "metadata": {
- "description": "The effect determines what happens when the policy rule is evaluated to match"
- },
- "allowedValues": [
- "Deny",
- "Audit",
- "Disabled"
- ]
- },
- "enforcementMode": {
- "type": "string",
- "defaultValue": "Default",
- "metadata": {
- "description": "When enforcement mode is disabled, the policy effect isn't enforced (i.e. deny policy won't deny resources). Compliance assessment results are still available."
+ "policyType": "Custom",
+ "mode": "All",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/serverfarms"
  },
- "allowedValues": [
- "Default",
- "DoNotEnforce"
- ]
- }
- },
- "functions": [],
- "resources": [
- {
- "type": "Microsoft.Authorization/policyDefinitions",
- "apiVersion": "2020-03-01",
- "name": "[parameters('policyName')]",
- "properties": {
- "policyType": "Custom",
- "mode": "All",
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "[parameters('type')]"
- },
- {
- "field": "name",
- "notLike": "[parameters('pattern')]"
- }
- ]
+ {
+ "allOf": [
+ {
+ "field": "name",
+ "notLike": "plan-*"
  },
- "then": {
- "effect": "[parameters('effect')]"
+ {
+ "field": "name",
+ "notLike": "asp-*"
  }
- }
+ ]
  }
- },
- {
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2020-03-01",
- "name": "[parameters('assignmentName')]",
- "properties": {
- "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', parameters('policyName'))]",
- "enforcementMode": "[parameters('enforcementMode')]"
- },
- "dependsOn": [
- "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', parameters('policyName'))]"
- ]
- }
- ]
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
  }
  }
+ },
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2020-03-01",
+ "name": "assignment-naming-convention-plan",
+ "properties": {
+ "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'policy-naming-convention-plan')]",
+ "enforcementMode": "[parameters('enforcementMode')]"
+ },
+ "dependsOn": [
+ "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'policy-naming-convention-plan')]"
+ ]
  }
  ],
  "metadata": {
  "_generator": {
  "name": "bicep",
  "version": "0.3.1.62928",
- "templateHash": "13991777216998822847"
+ "templateHash": "6562831825047563319"
  }
  }
 }