policy-assignment.py

Update subscription policy post-deployment

Note
Before Using
  • Authenticate with Azure before invoking the script.

  • Be sure that you are in the root folder of the toolkit.

  • This script requires the permissions defined by the SecOps role.

Predefined policies are enforced at the subscription and resource group level as part of toolkit resource deployment. These policies are defined in the standard Azure Resource Manager Policy JSON format and are stored in the modules/policies folder, in a structure that mirrors the management group or subscription they apply to.

To assign a built-in policy to a subscription, you must include policyDefinitionId and name properties as a policy object in your policy file.

To assign management group policies, you must include policyDefinitionId and name properties as a policy object in your policy file. If your organization has different policy requirements than what the toolkit assumes, you can update these files to modify the policies.

This script can be used to update policy after deploying resources. To use this script, open a terminal/command line, navigate to the root of the toolkit folder, and then run the following command:

Docker
python policy_assignment.py --configuration-file-path {path to deployment configuration file} -file {path to your policy file} --management-group-id {your management group id} -sid {your subscription id} -rg {name of resource group}

Linux/OSX
python3 policy_assignment.py --configuration-file-path {path to deployment configuration file} -file {path to your policy file} --management-group-id {your management group id} -sid {your subscription id} -rg {name of resource group}

Windows
py policy_assignment.py --configuration-file-path {path to deployment configuration file} -file {path to your policy file} --management-group-id {your management group id} -sid {your subscription id} -rg {name of resource group}

Arguments

Argument                    Required?  Description
--configuration-file-path   Required   Path to the JSON file containing the environment configuration, i.e. the environment where the policies will be applied.
-file, --policy-file        Required   Path to the JSON file containing the policies to be applied.
--management-group-id       Optional   If specified, the policies are assigned to a management group. This value takes precedence over subscription-id and resource-group.
-sid, --subscription-id     Optional   Specifies the subscription id where the policies are applied.
-rg, --resource-group       Optional   Specifies a resource group target for applying policy. If specified, policy is only applied to that resource group.
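The two requirements above (every policy object must carry policyDefinitionId and name, and a management group id takes precedence over the subscription and resource group targets) are easy to get wrong silently, so the following added example shows how a pre-flight check might enforce them before anything is assigned. This is illustrative code written for this page, not the toolkit's policy_assignment.py. It assumes the policy file is a JSON list of policy objects (or a {"policies": [...]} wrapper); the toolkit's actual file layout and the sample definition id are constructed assumptions. The scope strings follow the standard Azure resource ID formats for management groups, subscriptions and resource groups.

```python
import json

# Constructed sample policy file (not from the toolkit): one valid entry and one
# entry that is missing its policyDefinitionId. The definition id is a placeholder GUID.
SAMPLE_POLICY_FILE = json.dumps([
    {
        "name": "require-tag-environment",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/"
                              "00000000-0000-0000-0000-000000000001",
    },
    {
        "name": "broken-entry-missing-id",
    },
])

# Prefixes a policyDefinitionId is expected to start with: built-in definitions,
# definitions stored at a management group, and definitions stored in a subscription.
ALLOWED_ID_PREFIXES = (
    "/providers/Microsoft.Authorization/policyDefinitions/",
    "/providers/Microsoft.Management/managementGroups/",
    "/subscriptions/",
)


def load_policies(raw):
    """Parse the policy file text; return (valid policy objects, list of problems found)."""
    data = json.loads(raw)
    if isinstance(data, dict):
        # Assumed alternative layout: {"policies": [...]}
        data = data.get("policies", [])
    valid, errors = [], []
    for index, policy in enumerate(data):
        missing = [k for k in ("policyDefinitionId", "name") if not policy.get(k)]
        if missing:
            errors.append(f"policy #{index}: missing {', '.join(missing)}")
            continue
        if not policy["policyDefinitionId"].startswith(ALLOWED_ID_PREFIXES):
            errors.append(f"policy #{index}: unexpected policyDefinitionId "
                          f"{policy['policyDefinitionId']!r}")
            continue
        valid.append(policy)
    return valid, errors


def resolve_scope(management_group_id=None, subscription_id=None, resource_group=None):
    """Turn the script's target arguments into a single Azure scope resource ID.

    Precedence mirrors the argument table: a management group id wins over
    subscription/resource group, and a resource group only narrows a subscription.
    """
    if management_group_id:
        return f"/providers/Microsoft.Management/managementGroups/{management_group_id}"
    if subscription_id:
        scope = f"/subscriptions/{subscription_id}"
        if resource_group:
            scope += f"/resourceGroups/{resource_group}"
        return scope
    raise ValueError("a management group id or a subscription id is required; "
                     "a resource group on its own is not a scope")


def build_assignments(policies, scope):
    """Describe one assignment per valid policy at the resolved scope."""
    return [
        {"name": p["name"], "policyDefinitionId": p["policyDefinitionId"], "scope": scope}
        for p in policies
    ]


if __name__ == "__main__":
    policies, problems = load_policies(SAMPLE_POLICY_FILE)
    for problem in problems:
        print("skipping:", problem)
    target = resolve_scope(subscription_id="PLACEHOLDER-SUBSCRIPTION-ID", resource_group="rg-app")
    for assignment in build_assignments(policies, target):
        print(json.dumps(assignment, indent=2))
```

Running the block prints the one valid assignment for the resource-group scope and reports the malformed entry instead of assigning it. Refusing to proceed when an entry lacks policyDefinitionId or name, rather than skipping it, is the safer default for a deployment pipeline, since a dropped policy is a missing control that nothing else will flag.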