azure.subscription

Subscription Resource

example:

This policy creates Azure Policy scoped to the current subscription if doesn’t exist.

policies:
  - name: azure-policy-sample
    resource: azure.subscription
    filters:
      - type: missing
        policy:
          resource: azure.policyassignments
          filters:
            - type: value
              key: properties.displayName
              op: eq
              value_type: normalize
              value: dn_sample_policy
    actions:
      - type: add-policy
        name: sample_policy
        display_name: dn_sample_policy
        definition_name: "Audit use of classic storage accounts"

Filters

• diagnostic-settings

• event

• list-item

• missing

• reduce

• value

missing

Assert the absence of a particular resource.

Intended for use at a logical account/subscription/project level

This works as an effectively an embedded policy thats evaluated.

example:

Notify if an s3 bucket is missing

policies:
  - name: missing-s3-bucket
    resource: account
    filters:
      - type: missing
        policy:
          resource: s3
          filters:
            - Name: my-bucket
    actions:
      - notify

properties:
  policy:
    properties:
      resource:
        type: string
    required:
    - resource
    type: object
  type:
    enum:
    - missing
required:
- policy
- type

Actions

• add-policy

• logic-app

• notify

• webhook

add-policy

Parent base class for filters and actions.

properties:
  definition_name:
    type: string
  display_name:
    type: string
  name:
    type: string
  scope:
    type: string
  type:
    enum:
    - add-policy
required:
- name
- display_name
- definition_name
- type