azure.subscription¶
Subscription Resource
- example:
This policy creates Azure Policy scoped to the current subscription if doesn’t exist.
policies:
- name: azure-policy-sample
resource: azure.subscription
filters:
- type: missing
policy:
resource: azure.policyassignments
filters:
- type: value
key: properties.displayName
op: eq
value_type: normalize
value: dn_sample_policy
actions:
- type: add-policy
name: sample_policy
display_name: dn_sample_policy
definition_name: "Audit use of classic storage accounts"
Filters¶
advisor-recommendation¶
Filter resources by Azure Advisor Recommendations
Select all categories with ‘all’
- example:
policies:
- name: disks-with-cost-recommendations
resource: azure.disk
filters:
- type: advisor-recommendation
category: Cost
key: '[].properties.recommendationTypeId'
op: contains
value: '48eda464-1485-4dcf-a674-d0905df5054a'
properties:
category:
type: string
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- advisor-recommendation
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- category
- type
missing¶
Assert the absence of a particular resource.
Intended for use at a logical account/subscription/project level
This works as an effectively an embedded policy thats evaluated.
- example:
Notify if an s3 bucket is missing
policies:
- name: missing-s3-bucket
resource: account
filters:
- type: missing
policy:
resource: s3
filters:
- Name: my-bucket
actions:
- notify
properties:
policy:
properties:
resource:
type: string
required:
- resource
type: object
type:
enum:
- missing
required:
- policy
- type
Actions¶
add-policy¶
Parent base class for filters and actions.
properties:
definition_name:
type: string
display_name:
type: string
name:
type: string
scope:
type: string
type:
enum:
- add-policy
required:
- name
- display_name
- definition_name
- type