Create and Manage Azure Policy Using Azure CLI

00:00

In the last video, we saw how we can create a policy assignment using Azure portal.

00:05

However,

00:06

when you develop automation scripts, you would like to use command line interface to assign the policies.

00:12

Let's see how we can use as your command line interface to do that.

00:20

If you have as your CLI installed on your local machine,

00:23

you can run those commands from your local machine.

00:26

But you could also run this in azure Cloud Shell.

00:29

Here I am in Azure Portal and I'm gonna begin starting Cloud Shell.

00:35

I also created a resource group for this demo.

00:38

I called it C Y B ese policy cli demo.

00:47

The first thing I need to do is I need to get information about the resource group.

00:53

I can run a CLI command to get the details about the resource group.

01:00

I have the ID location and so on everything that I need about this resource group.

01:07

The next thing is, I need to get information about the policy that I'm going to apply

01:12

for this demo. I will apply policy code audit resource location matches the research group location.

01:19

What that means is that the resource is that are created in the resource group need to have the same location as the resource group.

01:26

Let's get information about this policy.

01:33

This is the policy and the information that I will need from it is the name.

01:37

Now I can issue a command to do the policy assignment.

01:45

Here are the steps.

01:47

First thing is,

01:49

as your CLI has a policy command

01:53

and we'll say as your policy assignment create,

01:57

the next thing I need to provide is a friendly name for the assignment.

02:04

In my case, I will use audit resource location

02:09

next eventually display name, which will be helpful to find this policy assignment.

02:19

I'll just put audit resource location, matches the resource group,

02:23

the name of the research group location,

02:25

and then we need to specify the scope.

02:30

The scope needs to include the identify our of the resource group

02:37

because we would like to put this at the resource group scope.

02:42

I'll copy the identify

02:46

I need to provide the full identify of this group,

02:49

and the last thing I need to do is I need to identify the policy I want to assign.

02:59

In this particular case, we will use the policy name

03:08

and once I actually issued a command.

03:12

I received a successful message back, and this policy will be assigned to the resource group.

03:19

You can check this by going back to the resource group in Azure Portal

03:24

and clicking on the policy section.

03:30

You will see that audit resource location matches Resource Group

03:34

location is already assigned.

03:38

The policy is not evaluate yet. As you can see,

03:42

it's not started.

03:44

Let's go in the resource group and create a new resource there.

03:49

But before I do that, I want to check where the resource group is placed

03:53

and I find out it is in West U. S.

03:57

I will create a new resource that is not in this location. So we can see later how this policy reports on compliance.

04:05

Let's go back and we'll just create a simple storage account, which is based in East us, too.

04:15

We will search for storage account,

04:18

blob, file table and Q and will just create a new one in a different location than the resource group.

04:27

We will call it C Y B ese policy cli demo storage,

04:36

and we will pick up East us, too.

04:42

We will leave the rest, actually, by default

04:51

as you can see, because this is an audit policy, not enforcement policy, I am able to create a resource that is not in the location that the resource group has.

05:00

I'm not prevented from creating those. Resource is,

05:04

however,

05:05

we will see later. This will be an out of compliance resource.

05:13

In this video, we saw how we can use azure sea ally to assign policies.