Azure ARM policies, using the predefined definitions via CLI

Question

I would like to know if it is possible to use the default pre-defined ARM policies for assignments through the CLI.

Essentially, I have noticed that there is a default policy to restrict the location within the portal, so if you use the portal you can can select this and then it allows you to select some regions.

If I create a location policy from the cli, I seem to have to create a brand new custom policy definition, which shows up alongside the default one in the definitions page.

Is there a way to simly use the default one, but specify which regions??

Here is the custom definition:

    az policy definition create --name permittedRegions --description "location policy" --rules '{    
  "if" : {
    "not" : {
      "field" : "location",
      "in" : ["westus", "westus2", "centralus", "westcentralus"]
    }
  },
  "then" : {
    "effect" : "deny"
  }
}'

az policy assignment create --name permittedRegionsInSubscription --policy permittedRegions --scope /subscriptions/"$subscriptionId"

Answer 1

Looking at the code of Azure CLI for this method, I don't think its possible. Only parameters it accepts are policy, name, display_name, resource_group_name, scope. And to use default policy you need to pass parameter(s).

Take a look here

Powershell seems to support that:

New-AzureRmPolicyAssignment -Name <string> -Scope <string> -PolicyDefinition <psobject>
    -PolicyParameter <string> [-DisplayName <string>]

Answer 2

If my understanding is right, I think it is possible.

You can apply the policy to the desired scope by using the policy assignment command:

az policy assignment create --name regionPolicyAssignment --policy regionPolicyDefinition --scope /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}

More information about this please refer to this link: Use scripts to assign policy.

Also, you could use azure cli 2.0 to update your policy, please refer to this link.