Azure Governance
Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.
More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.
Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups
-
Azure Policy - Enable faster (itterative) development of Policies
When developping Policies, testing is a very time consuming process as Policy evaluation takes place once every 30 minutes. You can trigger an on-demand scan, but it still takes a lot more time and effort than I'd like to be able to try filters and logic fast.
3 votes -
Generate Alert when there is an audit on deployment.
I've got a customer who wants to be informed via mail when a VM or a service is deployed outside the EU due to GDPR requirements.
He wants to deploy those compontents in a separate resource group, where there is the allowed locations policy is attached but with the audit action instead of the deny action
3 votes -
GitOps
How does this work with GitOps?
3 votes -
Allow use of resourceGroup() functions within a resource group artifact
When using an ARM template artifact within a resource group artifact, allow us to use the resourceGroup() functions, like respourceGroup().location. Currently, we receive the error: Error: 'The function 'resourceGroup' is not valid.'
3 votesWe are working on a fix to make sure all ARM template functions work if they are deployed by a blueprint
-
Option to delete non-blueprint RBAC Assignment when blueprint is assigned
In a case where membership needed to be strictly controlled, the Blueprint configuration should offer an "Overwrite" option. This would remove any accounts manually added and block any accounts from being manually added.
Overwrite Scenario
Config
• Account Admin role on a Subscription 1 has Amber and Brian.
• Blueprint defines the members of the Account Admin role as Amber and Chuck and is assigned to Management Group A.
Result
• When Subscription 1 is moved to Management Group A the members of the Account Admin role is updated to Amber and Chuck3 votes -
azure policy check string length
It would be great if there will be in future a possibility to check the length of the resource Name at the deployment.
So it would be much easier to Control the naming convention for a resource.
3 votesSupport for length is coming soon (along with there: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions-string)
-Liz
-
Parameters Concatenation
I have a naming policy for resource type and i am naming it at a category level. I.e
If Resource is of type CDN or Network then name should be CLIENT1-DEV-INT-<nameofresource>
else If the Resource is of type AppFunction, AppService then name should be CLIENT1-DEV-WEB-<nameofresource>
etc.So this Policy will be massive and having multiple clients I need to introduce a parameter to cover for first bit to be same i.e instead of hard coding CLIENT1-DEV I use parameter and make policy general and use CONCATENATION in the LIKE portion of policy like below.
{
"policyRule": {
"if": {
"not":…3 votes -
Resource Changes: Track resource move
Create a change log when a resource is moved to a different resource group and maintain its history from before it moved
2 votes -
Tree View for Management Groups hierarchies
Add a tree view for hierarchy built in "Management Groups". The current UI is functional, but difficult to view/verify/export the actual organizational structure architects are building. A view similar to the slideware, docs, and icon for "Management Groups" would be fantastic!
2 votes -
Blueprint Parameters Validation
Currently the only Blueprint Parameter validation properties that are accepted is "defaultValue" and "allowedValues". Please add the following that are supported by ARM Template Parameters and would provide a much better experience for an Blueprint Assigner:
- minValue
- maxValue
- minLength
- maxLengthMore information about the above properties can be found here: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates#parameters
2 votes -
Add additional strongTypes for Blueprint
Please add the following strongTypes that are supported by Azure Policy:
storageSkus
vmSKUs
existingResourceGroups
omsWorkspaceAdditionally, I would like the following:
existingVNETs - displays existing Virtual Networks
existingVNETSubnets - displays exiting VNET Subnets2 votes -
Blueprints do not create managed identities for deployifnotexist policy initiatives
Currently Azure Blueprints can assign policy initiatives but do not properly create the managed service identity for deployifnotexist policy definitions within the initiative. This needs to be corrected as that is basic functionality of a policy initiative assignment. The managed identity is created correctly if directly assigning the policy definition outside of an initiative.
2 votes -
Add support in ARM template to validate values in an object
I would like to be able to validate certain values that are a part of an object in a parameter file. In the same way that it's possible to do this with simple strings or to validate that a object specified in the parameter file matches one of the objects in "allowedValues" for the object in the templates parameter section. Currently I'll have to specify all possible variants of an object and that isn't feasible if I want to validate more than two-three values that might have 3 or more values that should be allowed. It's also not possible to…
2 votes -
subscription transfer process
Subscription Transfer process
I lost my blueprints after the subscription transfer.
I understand RBaC perms are lost but still don't understand why my Blueprints had to disappear as well.
This has happened twice.
Microsoft advised that resources will remain the same but that's not the case.
Are Blueprints assigned to a resource group and subscription different?2 votes -
Allow a Blueprint or ARM Template Item timeout limit to be set
I have a Blueprint defined which has a purpose of provisioning a complete infrastructure but it is timing out due to one of its components being an ASE.
The overall template is based on the ISO 27001 foundation as supplied by MS but does a few other tings too, including deploying an Application Service Environment.
It all progresses nicely to a point - the components are all there and the ASE is undergoing provisioning however, it eventually throws an error with:
'Template' failed to deploy. Exceeded maximum wait time of '02:00:00'. Message: 'Deployment didn't get into terminal status within the…
2 votes -
Ability to query for DNS Zones CNAME type in Azure Resource Graph
I am able to filter out resources by provider (e.g., 'Microsoft.Network') and higher-level types (e.g., 'Microsoft.Network/dnszones'). However, not all resource types are supported by Resource Graph. For example, DNS Zone record types aren't supported. I would like to get a response for a query like this one:
az graph query -q "where type =~ 'microsoft.network/dnszones/cname'"
2 votes -
Azure Blueprint (policy assignment) - Tag value should accept null values so we can put the tag later on.
Azure Blueprint (policy assignment) - Tag value should accept null values. For example, we want to put 'function' tag in each VM and function can be app, db, ad etc. If we put 'app' as a value then all the VMs will have the same tag. We want to be 'function' tag there but we want to put the value at the time of creation as per the role of VM.
Another one, Azure Blueprint (policy assignment). When we delete the blueprint, the blueprint got deleted but the policy does not get deleted. In this case, we have to delete…
2 votes -
Azure Blueprints sample for Service Fabric Cluster
It would be great to have a sample Azure Blueprints for stamping out different Service Fabric clusters. Unfortunately I haven't managed to find a sample online and tried to create one manually but failed as I am totally new to Azure and there are way too many pieces required for a putting together an Azure Blueprints for a secured multi-node type Service Fabric cluster.
2 votes -
Add "evaluate" booleans to Azure Policy ARM schema definitions
If you are working with policies, and have existing parameters and rules file from working with CLI / PowerShell, then you cannot copy and paste the JSON into the policyRule and parameters properties in Microsoft.Authorization/oplicyDefinitions. It will error and is very gard to workaround.
I suggest adding evaluatePolicyRule and evaluateParameters booleans, both defaulting to false. Also an evaluate boolean that sets both of the above, also defaulting to false.
2 votes -
Add "evaluate" booleans to Azure Policy ARM schema definitions
If you are working with policies, and have existing parameters and rules file from working with CLI / PowerShell, then you cannot copy and paste the JSON into the policyRule and parameters properties in Microsoft.Authorization/oplicyDefinitions. It will error.
I suggest adding evaluatePolicyRule and evaluateParameters booleans, both defaulting to false. Also an evaluate boolean that sets both of the above, also defaulting to false.
The tags.initiative.json shows my workaround, but it is very ugly. The tags.initiative.2.json file shows how I think it could and should look.
2 votes
- Don't see your idea?