
I am trying to use the built-in "Allowed locations" Azure Policy.

Below is my ARM template definition:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "listOfAllowedLocations": {
            "type": "Array"
        }
    },
    "variables": {},
    "resources": [{
        "type": "Microsoft.Authorization/policyDefinitions",
        "name": "Test",
        "apiVersion": "2018-03-01",
        "properties": {
            "displayName": "Test allowed locations",
            "policyType": "BuiltIn",
            "description": "This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements.",
            "parameters": {
                "listOfAllowedLocations": {
                    "type": "Array",
                    "metadata": {
                        "description": "The list of locations that can be specified when deploying resources.",
                        "strongType": "location",
                        "displayName": "Allowed locations"
                    }
                }
            },
            "policyRule": {
                "if": {
                    "not": {
                        "field": "location",
                        "in": "[parameters('listOfAllowedLocations')]"
                    }
                },
                "then": {
                    "effect": "Deny"
                }
            }
        }
    }],
    "outputs": {}
}

I am getting the below error when I try to deploy this using the Visual Studio deploy option:

{
    "error": {
        "code": "InvalidPolicyUri",
        "message": "The policy request scope '/subscriptions/xxx/resourcegroups/Test' should be '/', '/subscriptions/id' or '/providers/Microsoft.Management/managementGroups/id'."
    }
}

I would really appreciate it if someone could guide me on the right way to deploy policies using Visual Studio. This template will go into a DevOps release pipeline later, once it is successful in VS deploy testing.

  • Could you please post your `parameters.json` file where you defined the `listOfAllowedLocations`? – Jayendran Oct 09 '18 at 03:24
  • The error means `If you plan to apply this policy definition to multiple subscriptions, the location must be a management group that contains the subscriptions you will assign the initiative or policy to.` – Joy Wang Oct 09 '18 at 05:58
  • Thank you Joy Wang. I am still clueless, would you be able to guide me more? – user3638580 Oct 09 '18 at 22:40
  • I tried by adding "scope": "[subscription().id]" in properties, still no luck. – user3638580 Oct 10 '18 at 00:29
  • You are not trying to create a new definition right? For using built-in policies you only need to create a Policy Assignment referencing the built-in definition by its Id (instead of a new Policy Definition). – heren Nov 02 '18 at 21:45

1 Answer


I figured it out. By default Visual Studio uses a resource group deployment; that is the reason this is not working. We need to use New-AzureRmDeployment instead of New-AzureRmResourceGroupDeployment.
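As an added example (not part of the question or the answer above), this is the subscription-scoped PowerShell deployment the answer describes, using the AzureRM cmdlets the thread is about; the template path, deployment name, subscription id and the list of allowed locations are assumed values, and the definition name "Test" comes from the template in the question.

```powershell
# Added example, not code from the question or answer.
# Deploys the policy definition template at SUBSCRIPTION scope with
# New-AzureRmDeployment. There is no -ResourceGroupName parameter here:
# the deployment scope is the subscription, which is what the
# InvalidPolicyUri error in the question was asking for.
$templateFile     = '.\azuredeploy.json'                 # assumed path to the template shown above
$allowedLocations = @('westeurope', 'northeurope')        # constructed sample value

# Select the subscription the policy definition should be created in.
Select-AzureRmSubscription -SubscriptionId '<subscription-id placeholder>'

# -Location only says where the deployment metadata is stored; it does not
# restrict anything. The restriction comes from listOfAllowedLocations.
$deployment = New-AzureRmDeployment `
    -Name 'allowed-locations-policy' `
    -Location 'westeurope' `
    -TemplateFile $templateFile `
    -TemplateParameterObject @{ listOfAllowedLocations = $allowedLocations } `
    -Verbose

if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment failed with state '$($deployment.ProvisioningState)'"
}

# Check that the definition now exists at subscription scope.
Get-AzureRmPolicyDefinition -Name 'Test' |
    Select-Object Name, ResourceId, @{ n = 'PolicyType'; e = { $_.Properties.policyType } }

# A definition on its own enforces nothing: the Deny effect only applies once
# the definition is referenced by a policy assignment (New-AzureRmPolicyAssignment).
# With the newer Az module the equivalent cmdlets are New-AzDeployment,
# Get-AzPolicyDefinition and New-AzPolicyAssignment.
```

In a DevOps release pipeline the same New-AzureRmDeployment call replaces the default resource-group deployment task, with the subscription selected by the pipeline's service connection.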