Creating Custom Policy in VS Code
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
1 hour 5 minutes
let's go ahead and create some custom policies in visual studio code
for our exercise. We will do the following.
We will use the built in policy that restricts the resource types for resource is created in a specific resource group.
instead of denying it will just change this to auditing,
we will also create a very simple custom policy that audits the naming conventions used in that resource group.
We will also create one more policy which will require specific tags to be applied to. The resource is in that group.
When we create resource is in that resource group.
If we don't specify those tags, the creation of those resource is will be denied.
At the end, we will bundle all these policies in a single initiative and apply it to the resource group.
Let's go ahead and do that.
We'll start with the policy to restrict the resource types allowed in the resource groups.
There's a built in policy for that.
We'll just copy that built in policy and modify it slightly.
We need to go and search for that. Built in definition,
the name of the policy is called allowed resource types.
This is the second policy.
I will open that policy and save it locally to my machine.
I could say Save as and I'll put it in a new folder called Sai Buri Policies on My Machine.
I'll just rename it to custom allowed resource type policy. Jason.
In order to make it a custom policy, we need to remove some of the information. So the first four lines
we need to leave on Lee the policy rule.
We'll delete the metadata.
We'll leave the parameters
will remove the identifier, the name and the type.
Now we have a policy,
which is exactly the same as the built in policy.
The only thing that we will change is instead of having the deny effect,
we will have the audit effect, which means that we will not be denied creating Resource is, but we will receive notifications if resource is outside, the specified list are created.
This is our first policy.
Let's create two other simple policies.
We'll create a new file.
We'll save it in the same location as a chase on file.
We will call it custom enforced name policy definition. Jason,
this will have a very simple rule.
Let me just copy and paste it.
We will have a single parameter that has named Pattern.
This pattern can include question marks for letters or hash for numbers.
If the name doesn't match, this pattern will have audit effect on that policy.
Let's save that.
Then we will create one more,
which will be required. Tags
will create a new file.
We'll save it as a Jason.
We'll call it custom required tags. Policy definition.
This one will look like this.
We will have our policy rule.
If any of those things air false, we will deny the creation of the resource.
What that means is that we will require each resource to have a tag owner, tag, owner, email and tag department.
Those are the three custom policies that we created.
We can deploy these policies using command line interface, but for simplicity, let's go to the portal and do that in the portal.
Here we are in the portal.
I'll go to the policy service in the definitions,
and I'll create a new policy definition.
I will put this policy definition at the subscription level.
I will go with audit resource types.
I'll add some descriptions like policy for auditing resource types.
I'll go and copy the definition from here and paste it in the field.
I will save this policy now.
If you go in filtered by custom policy types, you'll see that I have audit resource types and some other test policy that I have created.
Let's do one more
We will have the second one, which will be enforced names
again. We'll put it at the subscription level.
Well, actually, call it audit resource names.
This policy audits the naming conventions for the resource is
we will pace the policy inside the field.
We'll save it.
So we have audit resource names, audit resource types.
I need to fix my naming convention
the last time that what we do
is required. Mandatory tags for the resource is
new Policy definition
again at the subscription level.
Require mandatory tag policy.
Mentor E tags
and we will save it.
The next thing we will do is we will create initiative definition.
We will get on Lee the custom policies
we will add the resource types who will add the resource names will add the mandatory tags
and we'll call it our custom initiatives.
This initiative includes three policies
audit resource types. Audit names for resource is and require mandatory tags.
We will save this initiative.
Actually, I forgot to put the name pattern here.
We will use three letters
dash ese dash policy and
maybe five other letters.
They allow resource types.
We also need to select the allow resource types for this initiative.
It takes a little bit toe, actually, load all those resource types.
Here are the storage account selections.
We will go and select all of them.
Which means that this policy will audit every resource that is not storage account related.
That you is a little bit odd, but
at last we will go and save the initiative.
And this is how you create your initiatives and custom policies.
In this video, we saw how we can create custom policies and initiatives in Azure