3
votes

I am trying to create an Azure policy which I can assign at the subscription level, and control the naming of the resource groups in the subscription.

Policies need to target a resource type or otherwise limit their application, else they apply globally to all resources.

What resource type (or other method) can I use to limit my validation to the resource group name only?

Here is what I am trying:

$definition = New-AzureRmPolicyDefinition -Name resourceGroupNamePatterns `
    -Description "Restrict resource group names to allowed prefixes only" -Policy '{
    "if": {
        "allOf": [
            {
                "not": {
                    "field": "name",
                    "like": "Pattern1-*"
                }
            },
            {
                "not": {
                    "field": "name",
                    "like": "Pattern2-*"
                }
            },
            {
                "field": "type",
                "equals": "Microsoft.Resources/subscriptions/resourcegroups"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}'

2 Answers

2
votes

Not sure if this question is still relevant, but at the time of posting Azure Policy did not support evaluation on resource groups.

The policy definition provided in the question is correct.

Please try updating your PowerShell version, and updating the policy definition. It will default to mode: all which in turn will enable policy evaluation on resource groups.

Documentation about Policy mode: https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

Mode

The mode determines which resource types will be evaluated for a policy. The supported modes are:

  • all: evaluate resource groups and all resource types
  • indexed: only evaluate resource types that support tags and location

We recommend that you set mode to all. All policy definitions created through the portal use the all mode. If you use PowerShell or Azure CLI, you need to specify the mode parameter and set it to all.
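The following is an added example, not code from the question or either answer: the question's definition re-created from PowerShell with the mode set explicitly to All (the point of the documentation quoted above), assigned at subscription scope, and then checked. The assignment name, the test resource group names and the location are constructed values; the allowed prefixes are the ones from the question.

```powershell
# Same rule as in the question: deny a resource group whose name starts
# with neither of the allowed prefixes. The "type" condition limits the
# rule to resource groups so it does not apply to every resource.
$rules = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourcegroups" },
      { "not": { "field": "name", "like": "Pattern1-*" } },
      { "not": { "field": "name", "like": "Pattern2-*" } }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# -Mode All is what makes resource groups themselves subject to evaluation
# when the definition is created from PowerShell (the portal defaults to it).
$definition = New-AzureRmPolicyDefinition -Name 'resourceGroupNamePatterns' `
    -DisplayName 'Restrict resource group names to allowed prefixes' `
    -Description 'Deny resource groups whose name does not start with Pattern1- or Pattern2-' `
    -Mode All `
    -Policy $rules

# Assign at the subscription of the current context so that every new
# resource group in it is checked. (Assignment name is a constructed value.)
$subscriptionId = (Get-AzureRmContext).Subscription.Id
$assignment = New-AzureRmPolicyAssignment -Name 'enforce-rg-naming' `
    -PolicyDefinition $definition `
    -Scope "/subscriptions/$subscriptionId"

# Check the effect: the first creation succeeds, the second is rejected by
# the policy because its name matches neither allowed prefix.
New-AzureRmResourceGroup -Name 'Pattern1-test' -Location 'westeurope'
New-AzureRmResourceGroup -Name 'wrongprefix-test' -Location 'westeurope'   # denied
```

A freshly created assignment can take some minutes before it is enforced, so if the second creation still succeeds right after assignment, retry before concluding the rule is wrong.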

1
votes

The resource groups are Microsoft.Resources/subscriptions/resourcegroups type. You can kinda infer that from the resource provider operations:

Get-AzureRmProviderOperation 'Microsoft.Resources/*'