
Enforce Azure policy on virtual machines

In previous articles I have used Azure Policy to enforce and inherit tags on Azure resources.

However, sometimes you need to enforce an Azure Policy only on specific resources. For this purpose you can use logical expressions in the policy rule. Let's examine how we can apply an Azure Policy only to virtual machine resources. In the policy rule, add a condition on the type field that equals Microsoft.Compute/virtualMachines. That condition scopes the rule to that one resource type; any further conditions and the effect then apply only to virtual machines.

    {
      "properties": {
        "displayName": "Audit virtual machines missing a required tag",
        "mode": "Indexed",
        "parameters": {
          "something": {
            "type": "String",
            "metadata": {
              "displayName": "Tag name",
              "description": "Name of the tag that every virtual machine must carry"
            }
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "field": "[concat('tags[', parameters('something'), ']')]",
                "exists": "false"
              }
            ]
          },
          "then": {
            "effect": "audit"
          }
        }
      }
    }

In the scenario above, both conditions inside allOf must hold: the resource is a virtual machine, and the tag whose name is supplied by the parameter something does not exist on it. Only then does the policy rule evaluate to true and the audit effect fire; resources of any other type are left alone regardless of their tags.
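To see how the two conditions in allOf combine, here is a small evaluator that applies the rule above to a handful of constructed resources. This is an added example written for this post, not Azure's own evaluation engine and not code from the original article: it supports only the operators the rule uses (allOf, anyOf, not, equals, exists, the tags[...] alias and a concat() template made of string literals and parameters()). The parameter value costCenter and the sample resources are constructed for the example.

```python
import re

# Constructed policy rule with the same shape as the one in the post: scope to
# virtual machines, then check that the tag named by parameter "something"
# is present.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "[concat('tags[', parameters('something'), ']')]",
             "exists": "false"},
        ]
    },
    "then": {"effect": "audit"},
}

# Constructed assignment parameter: the tag we require on every VM.
PARAMETERS = {"something": "costCenter"}

# Constructed sample resources, shaped like what the policy engine evaluates.
SAMPLE_RESOURCES = {
    "vm-no-tag": {"type": "Microsoft.Compute/virtualMachines",
                  "tags": {"env": "prod"}},
    "vm-tagged": {"type": "Microsoft.Compute/virtualMachines",
                  "tags": {"CostCenter": "1234"}},  # tag names are case-insensitive
    "storage-no-tag": {"type": "Microsoft.Storage/storageAccounts", "tags": {}},
    "vm-null-tags": {"type": "microsoft.compute/virtualmachines", "tags": None},
}

_CONCAT_ARG = re.compile(r"'([^']*)'|parameters\('([^']+)'\)")


def resolve_template(expr, params):
    """Resolve the subset of the policy template language this rule uses:
    either a plain field name or [concat(<'literal'|parameters('x')>, ...)]."""
    if not (expr.startswith("[") and expr.endswith("]")):
        return expr
    inner = expr[1:-1].strip()
    if not (inner.startswith("concat(") and inner.endswith(")")):
        raise ValueError(f"unsupported template expression: {expr}")
    parts = []
    for literal, pname in _CONCAT_ARG.findall(inner[len("concat("):-1]):
        parts.append(params[pname] if pname else literal)
    return "".join(parts)


def get_field(resource, field):
    """Look up a field on a resource: a top-level property such as 'type',
    or the tags[NAME] alias (tag-name comparison is case-insensitive)."""
    match = re.fullmatch(r"tags\[['\"]?([^'\"\]]+)['\"]?\]", field)
    if match:
        tags = {k.lower(): v for k, v in (resource.get("tags") or {}).items()}
        return tags.get(match.group(1).lower())
    return resource.get(field)


def eval_condition(cond, resource, params):
    """Evaluate one condition block: allOf / anyOf / not, or a field test."""
    if "allOf" in cond:
        return all(eval_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(eval_condition(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not eval_condition(cond["not"], resource, params)
    value = get_field(resource, resolve_template(cond["field"], params))
    if "equals" in cond:
        # Azure Policy string comparisons are case-insensitive.
        return value is not None and str(value).lower() == str(cond["equals"]).lower()
    if "exists" in cond:
        expected = str(cond["exists"]).lower() == "true"
        return (value is not None) == expected
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy_rule, resource, params):
    """Return the effect the rule would apply to the resource, or None when
    the 'if' block does not match (out of scope, or compliant)."""
    if eval_condition(policy_rule["if"], resource, params):
        return policy_rule["then"]["effect"]
    return None


def evaluate_all(resources=SAMPLE_RESOURCES):
    """Evaluate every sample resource; returns {name: effect-or-None}."""
    return {name: evaluate(POLICY_RULE, res, PARAMETERS)
            for name, res in resources.items()}


if __name__ == "__main__":
    for name, effect in evaluate_all().items():
        print(f"{name:16} -> {effect or 'no match'}")
```

Running it shows that only the two virtual machines without a costCenter tag are flagged: the tagged VM is compliant, and the storage account is never evaluated past the type condition, no matter what its tags are. Note that audit only records non-compliance in the compliance results; to actually block an untagged virtual machine from being deployed, the effect would have to be deny.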