compliant resource deployment
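{
  // Subscription-scope template. For each of Azure Migrate, Key Vault and Log Analytics it creates a
  // custom deployIfNotExists policy definition, assigns it with a system-assigned identity, grants that
  // identity the role the definition declares, and then runs the remediation template once directly so
  // the resources exist without waiting for a remediation task. "[[" escapes expressions that must be
  // evaluated inside the policy's remediation deployment rather than by this template.
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "sharedServicesRgName": {
      "type": "string",
      "metadata": {
        "description": "Provide name for the shared services resource group"
      }
    },
    "workspaceName": {
      "type": "string",
      "metadata": {
        "description": "Provide name for the Log Analytics workspace"
      }
    },
    "resourceLocation": {
      "type": "string",
      "metadata": {
        "description": "Select the Azure region for your deployments and resources."
      }
    },
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "Provide name for the Key Vault"
      }
    },
    "objectIdForAccessPolicy": {
      "type": "string",
      // NOTE(review): the default is a hard-coded principal objectId. Deploying without overriding it
      // grants that principal the full access policy defined on the vault below. Kept so existing
      // callers keep working; supply the value explicitly for every deployment.
      "defaultValue": "8414a158-d79d-4682-a0d3-b036663e76af",
      "metadata": {
        "description": "Provide the objectId of the principal who will have permissions to KV access policy."
      }
    },
    "azureMigrateRgName": {
      "type": "string",
      "metadata": {
        "description": "Provide name for the Azure Migrate project"
      }
    }
  },
  "variables": {
    // Names of the three custom policy definitions (all with deployIfNotExists effect)
    "policyDefinitions": {
      "deployAzureMigrate": "Deploy-AzureMigrate",
      "deployLogAnalytics": "Deploy-LogAnalytics",
      "deployKeyVault": "Deploy-KeyVault"
    },
    // Names of the subscription-scope assignments of those definitions
    "policyAssignments": {
      "deployAzureMigrate": "Assign-AzureMigrate",
      "deployLogAnalytics": "Assign-LogAnalytics",
      "deployKeyVault": "Assign-KeyVault"
    }
  },
  "resources": [
    {
      // Policy definition: deploy an Azure Migrate project (in its own resource group) if none exists
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2019-09-01",
      "name": "[variables('policyDefinitions').deployAzureMigrate]",
      "properties": {
        "displayName": "Deploy Azure Migrate if not exist on subscription",
        "mode": "All",
        "policyType": "Custom",
        "parameters": {
          "azureMigrateRgName": {
            "type": "string",
            "metadata": {
              "description": "Provide Migrate name that will be created for the subscription",
              "displayName": "Resource name for Azure Migrate that will be created"
            }
          },
          "resourceLocation": {
            "type": "string",
            "metadata": {
              "description": "Provide location for resources"
            }
          }
        },
        "policyRule": {
          "if": {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          "then": {
            "effect": "deployIfNotExists",
            "details": {
              "type": "Microsoft.Migrate/migrateProjects",
              "deploymentScope": "Subscription",
              "existenceScope": "Subscription",
              // 8e3af657-... is the built-in Owner role, granted to the assignment's managed identity
              // by the roleAssignments resource below. Contributor is not enough here only because the
              // remediation template also creates a CannotDelete lock (Microsoft.Authorization/locks/write);
              // if the lock is dropped, Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c) suffices.
              "roleDefinitionIds": [
                "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
              ],
              "existenceCondition": {
                "allOf": [
                  {
                    "field": "name",
                    "like": "[[parameters('azureMigrateRgName')]"
                  }
                ]
              },
              "deployment": {
                "location": "[deployment().location]",
                "properties": {
                  "mode": "incremental",
                  "parameters": {
                    "azureMigrateRgName": {
                      "value": "[[parameters('azureMigrateRgName')]"
                    },
                    "resourceLocation": {
                      "value": "[[parameters('resourceLocation')]"
                    }
                  },
                  // Remediation template: the resource group, then a nested RG-scope deployment with
                  // the Migrate project, its solutions and a delete lock
                  "template": {
                    "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                      "azureMigrateRgName": {
                        "type": "string"
                      },
                      "resourceLocation": {
                        "type": "string"
                      }
                    },
                    "variables": {},
                    "resources": [
                      {
                        "type": "Microsoft.Resources/resourceGroups",
                        "apiVersion": "2018-05-01",
                        "name": "[[parameters('azureMigrateRgName')]",
                        "location": "[[parameters('resourceLocation')]",
                        "properties": {}
                      },
                      {
                        "type": "Microsoft.Resources/deployments",
                        "apiVersion": "2018-05-01",
                        "name": "[[concat('migrate', uniqueString('dep'))]",
                        "resourceGroup": "[[parameters('azureMigrateRgName')]",
                        "dependsOn": [
                          "[[resourceId('Microsoft.Resources/resourceGroups/', parameters('azureMigrateRgName'))]"
                        ],
                        "properties": {
                          "mode": "Incremental",
                          "template": {
                            "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                            "contentVersion": "1.0.0.0",
                            "parameters": {},
                            "variables": {},
                            "resources": [
                              {
                                "type": "Microsoft.Migrate/MigrateProjects",
                                "apiVersion": "2019-06-01",
                                "name": "[[parameters('azureMigrateRgName')]",
                                "location": "[[parameters('resourceLocation')]",
                                "dependsOn": [],
                                "properties": {}
                              },
                              {
                                "type": "Microsoft.Migrate/MigrateProjects/Solutions",
                                "apiVersion": "2019-06-01",
                                "name": "[[concat(parameters('azureMigrateRgName'),'/Servers-Assessment-ServerAssessment')]",
                                // Fixed: the resource-type string was missing its closing quote, which made
                                // this expression unparseable
                                "dependsOn": [
                                  "[[resourceId('Microsoft.Migrate/migrateProjects', parameters('azureMigrateRgName'))]"
                                ],
                                "properties": {
                                  "tool": "ServerAssessment",
                                  "purpose": "Assessment",
                                  "goal": "Servers",
                                  "status": "Active",
                                  "details": null
                                }
                              },
                              {
                                "type": "Microsoft.Migrate/MigrateProjects/Solutions",
                                "apiVersion": "2019-06-01",
                                "name": "[[concat(parameters('azureMigrateRgName'),'/Servers-Discovery-ServerDiscovery')]",
                                // Each solution depends on the project so it is not deployed before its
                                // parent exists
                                "dependsOn": [
                                  "[[resourceId('Microsoft.Migrate/migrateProjects', parameters('azureMigrateRgName'))]"
                                ],
                                "properties": {
                                  "tool": "ServerDiscovery",
                                  "purpose": "Discovery",
                                  "goal": "Servers",
                                  "status": "Inactive",
                                  "details": null
                                }
                              },
                              {
                                "type": "Microsoft.Migrate/MigrateProjects/Solutions",
                                "apiVersion": "2019-06-01",
                                "name": "[[concat(parameters('azureMigrateRgName'),'/Servers-Migration-ServerMigration')]",
                                "dependsOn": [
                                  "[[resourceId('Microsoft.Migrate/migrateProjects', parameters('azureMigrateRgName'))]"
                                ],
                                "properties": {
                                  "tool": "ServerMigration",
                                  "purpose": "Migration",
                                  "goal": "Servers",
                                  "status": "Active",
                                  "details": null
                                }
                              },
                              {
                                "type": "Microsoft.Migrate/MigrateProjects/Solutions",
                                "apiVersion": "2019-06-01",
                                "name": "[[concat(parameters('azureMigrateRgName'),'/Databases-Assessment-DataMigrationAssistant')]",
                                "dependsOn": [
                                  "[[resourceId('Microsoft.Migrate/migrateProjects', parameters('azureMigrateRgName'))]"
                                ],
                                "properties": {
                                  "tool": "DataMigrationAssistant",
                                  "purpose": "Assessment",
                                  "goal": "Databases",
                                  "status": "Active",
                                  "details": null
                                }
                              },
                              {
                                "type": "Microsoft.Migrate/MigrateProjects/Solutions",
                                "apiVersion": "2019-06-01",
                                // Fixed: this resource referenced the undeclared parameter 'azMigrateRgName',
                                // carried a one-iteration copy loop, and depended on a non-existent resource
                                // 'MIG-DB-Assistant'; it now depends on the database assessment solution
                                "name": "[[concat(parameters('azureMigrateRgName'),'/Databases-Migration-DatabaseMigrationService')]",
                                "dependsOn": [
                                  "[[resourceId('Microsoft.Migrate/migrateProjects/solutions', parameters('azureMigrateRgName'), 'Databases-Assessment-DataMigrationAssistant')]"
                                ],
                                "properties": {
                                  "tool": "DatabaseMigrationService",
                                  "purpose": "Migration",
                                  "goal": "Databases",
                                  "status": "Active",
                                  "details": null
                                }
                              },
                              {
                                "type": "Microsoft.Migrate/MigrateProjects/providers/locks",
                                "apiVersion": "2016-09-01",
                                // Fixed: used the undeclared parameter 'azMigrateRgName' and had no dependsOn
                                "name": "[[concat(parameters('azureMigrateRgName'), '/Microsoft.Authorization/AzureMigrateDoNotDelete')]",
                                "dependsOn": [
                                  "[[resourceId('Microsoft.Migrate/migrateProjects', parameters('azureMigrateRgName'))]"
                                ],
                                "comments": "Resource lock Azure Migrate",
                                "properties": {
                                  "level": "CannotDelete"
                                }
                              }
                            ],
                            "outputs": {}
                          }
                        }
                      }
                    ],
                    "outputs": {}
                  }
                }
              }
            }
          }
        }
      }
    },
    {
      // Subscription-scope assignment of the Azure Migrate definition; the system-assigned identity is
      // what the remediation deployment runs as
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2019-09-01",
      "name": "[variables('policyAssignments').deployAzureMigrate]",
      "location": "[deployment().location]",
      "dependsOn": [
        "[variables('policyDefinitions').deployAzureMigrate]"
      ],
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "description": "This policy deploys Azure Migrate",
        "displayName": "Policy to deploy Azure Migrate on the subscription",
        "scope": "[subscription().id]",
        "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions/', variables('policyDefinitions').deployAzureMigrate)]",
        "parameters": {
          "azureMigrateRgName": {
            "value": "[parameters('azureMigrateRgName')]"
          },
          "resourceLocation": {
            "value": "[parameters('resourceLocation')]"
          }
        }
      }
    },
    {
      // Grant the assignment's identity the first role the definition declares (Owner, see above).
      // principalType ServicePrincipal avoids the replication race on a freshly created identity.
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2019-04-01-preview",
      "name": "[guid(variables('policyAssignments').deployAzureMigrate)]",
      "dependsOn": [
        "[variables('policyAssignments').deployAzureMigrate]"
      ],
      "properties": {
        "principalType": "ServicePrincipal",
        "roleDefinitionId": "[reference(concat('/providers/Microsoft.Authorization/policyDefinitions/', variables('policyDefinitions').deployAzureMigrate), '2019-09-01').policyRule.then.details.roleDefinitionIds[0]]",
        "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignments').deployAzureMigrate), '2019-09-01', 'Full' ).identity.principalId)]"
      }
    },
    {
      // Run the definition's remediation template now, as the deploying principal (not the policy
      // identity), with the assignment's parameter values, so Azure Migrate exists without waiting for
      // a remediation task
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2018-05-01",
      "location": "[deployment().location]",
      "name": "azMigratePolicyResourceDeployment",
      "dependsOn": [
        "[variables('policyAssignments').deployAzureMigrate]"
      ],
      "properties": {
        "mode": "incremental",
        "template": "[reference(variables('policyDefinitions').deployAzureMigrate, '2019-09-01').policyRule.then.details.deployment.properties.template]",
        "parameters": "[reference(variables('policyAssignments').deployAzureMigrate, '2019-09-01').parameters]"
      }
    },
    {
      // Policy definition: deploy a Key Vault in the shared services resource group if none exists
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2019-09-01",
      "name": "[variables('policyDefinitions').deployKeyVault]",
      "properties": {
        "displayName": "Deploy Azure Key Vault if not exist on subscription",
        "mode": "All",
        "policyType": "Custom",
        "parameters": {
          "keyVaultName": {
            "type": "string",
            "metadata": {
              "description": "Provide Key Vault name that will be created for the subscription",
              "displayName": "Resource name for the Key Vault that will be created"
            }
          },
          "objectIdForAccessPolicy": {
            "type": "string",
            "metadata": {
              "description": "Provide objectId of principal with access to policy",
              "displayName": "Principal with access to policy"
            }
          },
          "sharedServicesRgName": {
            "type": "string",
            "metadata": {
              "description": "Provide name for Resource group"
            }
          },
          "resourceLocation": {
            "type": "string",
            "metadata": {
              "description": "Provide location for resources"
            }
          }
        },
        "policyRule": {
          "if": {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          "then": {
            "effect": "deployIfNotExists",
            "details": {
              "type": "Microsoft.KeyVault/vaults",
              "deploymentScope": "Subscription",
              "existenceScope": "Subscription",
              // Owner; needed because the remediation template creates a CannotDelete lock (see the
              // Azure Migrate definition for the reasoning)
              "roleDefinitionIds": [
                "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
              ],
              "existenceCondition": {
                "allOf": [
                  {
                    "field": "name",
                    "like": "[[parameters('keyVaultName')]"
                  }
                ]
              },
              "deployment": {
                "location": "[deployment().location]",
                "properties": {
                  "mode": "incremental",
                  "parameters": {
                    "sharedServicesRgName": {
                      "value": "[[parameters('sharedServicesRgName')]"
                    },
                    "keyVaultName": {
                      "value": "[[parameters('keyVaultName')]"
                    },
                    "objectIdForAccessPolicy": {
                      "value": "[[parameters('objectIdForAccessPolicy')]"
                    },
                    "resourceLocation": {
                      "value": "[[parameters('resourceLocation')]"
                    }
                  },
                  // Remediation template: the resource group, then a nested RG-scope deployment with
                  // the vault, one access policy and a delete lock
                  "template": {
                    "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                      "sharedServicesRgName": {
                        "type": "string"
                      },
                      "keyVaultName": {
                        "type": "string"
                      },
                      "resourceLocation": {
                        "type": "string"
                      },
                      "objectIdForAccessPolicy": {
                        "type": "string"
                      }
                    },
                    "variables": {},
                    "resources": [
                      {
                        "type": "Microsoft.Resources/resourceGroups",
                        "apiVersion": "2018-05-01",
                        "name": "[[parameters('sharedServicesRgName')]",
                        "location": "[[parameters('resourceLocation')]",
                        "properties": {}
                      },
                      {
                        "type": "Microsoft.Resources/deployments",
                        "apiVersion": "2018-05-01",
                        "name": "[[concat('kv', uniqueString('dep'))]",
                        "resourceGroup": "[[parameters('sharedServicesRgName')]",
                        "dependsOn": [
                          "[[resourceId('Microsoft.Resources/resourceGroups/', parameters('sharedServicesRgName'))]"
                        ],
                        "properties": {
                          "mode": "Incremental",
                          "template": {
                            "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                            "contentVersion": "1.0.0.0",
                            "parameters": {},
                            "variables": {},
                            "resources": [
                              {
                                "type": "Microsoft.KeyVault/vaults",
                                "name": "[[parameters('keyVaultName')]",
                                "apiVersion": "2016-10-01",
                                "location": "[[parameters('resourceLocation')]",
                                "tags": {
                                  "displayName": "KeyVault"
                                },
                                // NOTE(review): no soft-delete / purge-protection setting is declared here,
                                // so the CannotDelete lock below protects the vault resource but not the
                                // individual keys, secrets and certificates inside it.
                                "properties": {
                                  "createMode": "default",
                                  // These three flags let VM provisioning, the disk-encryption service and
                                  // ARM deployments read secrets from this vault; each widens who can
                                  // retrieve secrets, so disable the ones that are not needed
                                  "enabledForDeployment": true,
                                  "enabledForDiskEncryption": true,
                                  "enabledForTemplateDeployment": true,
                                  "tenantId": "[[subscription().tenantId]",
                                  "sku": {
                                    "name": "premium",
                                    "family": "A"
                                  },
                                  // defaultAction Allow with empty rule lists: the vault's data plane is
                                  // reachable from any network. Tighten to Deny plus explicit ipRules /
                                  // virtualNetworkRules once the consumers are known.
                                  "networkAcls": {
                                    "defaultAction": "Allow",
                                    "bypass": "AzureServices",
                                    "virtualNetworkRules": [],
                                    "ipRules": []
                                  },
                                  // A single access policy granting near-complete management rights over
                                  // keys, secrets and certificates to objectIdForAccessPolicy; trim the
                                  // permission lists to what that principal actually needs
                                  "accessPolicies": [
                                    {
                                      "objectId": "[[parameters('objectIdForAccessPolicy')]",
                                      "tenantId": "[[subscription().tenantId]",
                                      "permissions": {
                                        "keys": [
                                          "get",
                                          "list",
                                          "update",
                                          "create",
                                          "import",
                                          "delete",
                                          "recover",
                                          "backup",
                                          "restore"
                                        ],
                                        "secrets": [
                                          "get",
                                          "list",
                                          "set",
                                          "delete",
                                          "recover",
                                          "backup",
                                          "restore"
                                        ],
                                        // duplicate "recover" entry removed
                                        "certificates": [
                                          "get",
                                          "list",
                                          "update",
                                          "create",
                                          "import",
                                          "delete",
                                          "recover",
                                          "deleteissuers",
                                          "managecontacts",
                                          "manageissuers",
                                          "getissuers",
                                          "listissuers",
                                          "setissuers"
                                        ]
                                      }
                                    }
                                  ]
                                }
                              },
                              {
                                "type": "Microsoft.KeyVault/vaults/providers/locks",
                                "apiVersion": "2016-09-01",
                                "name": "[[concat(parameters('keyVaultName'), '/Microsoft.Authorization/keyVaultDoNotDelete')]",
                                "dependsOn": [
                                  "[[concat('Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]"
                                ],
                                "comments": "Resource lock on key vault",
                                "properties": {
                                  "level": "CannotDelete"
                                }
                              }
                            ],
                            "outputs": {}
                          }
                        }
                      }
                    ],
                    "outputs": {}
                  }
                }
              }
            }
          }
        }
      }
    },
    {
      // Subscription-scope assignment of the Key Vault definition
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2019-09-01",
      "name": "[variables('policyAssignments').deployKeyVault]",
      "location": "[deployment().location]",
      "dependsOn": [
        "[variables('policyDefinitions').deployKeyVault]"
      ],
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "description": "This policy deploys Key Vault",
        "displayName": "Policy to deploy Key Vault on the subscription",
        "scope": "[subscription().id]",
        "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions/', variables('policyDefinitions').deployKeyVault)]",
        "parameters": {
          "sharedServicesRgName": {
            "value": "[parameters('sharedServicesRgName')]"
          },
          "keyVaultName": {
            "value": "[parameters('keyVaultName')]"
          },
          "resourceLocation": {
            "value": "[parameters('resourceLocation')]"
          },
          "objectIdForAccessPolicy": {
            "value": "[parameters('objectIdForAccessPolicy')]"
          }
        }
      }
    },
    {
      // Role assignment for the Key Vault assignment's identity (first declared role, i.e. Owner)
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2019-04-01-preview",
      "name": "[guid(variables('policyAssignments').deployKeyVault)]",
      "dependsOn": [
        "[variables('policyAssignments').deployKeyVault]"
      ],
      "properties": {
        "principalType": "ServicePrincipal",
        "roleDefinitionId": "[reference(concat('/providers/Microsoft.Authorization/policyDefinitions/', variables('policyDefinitions').deployKeyVault), '2019-09-01').policyRule.then.details.roleDefinitionIds[0]]",
        "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignments').deployKeyVault), '2019-09-01', 'Full' ).identity.principalId)]"
      }
    },
    {
      // Run the Key Vault remediation template now with the assignment's parameter values
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2018-05-01",
      "location": "[deployment().location]",
      "name": "keyVaultPolicyResourceDeployment",
      "dependsOn": [
        "[variables('policyAssignments').deployKeyVault]"
      ],
      "properties": {
        "mode": "incremental",
        "template": "[reference(variables('policyDefinitions').deployKeyVault, '2019-09-01').policyRule.then.details.deployment.properties.template]",
        "parameters": "[reference(variables('policyAssignments').deployKeyVault, '2019-09-01').parameters]"
      }
    },
    {
      // Policy definition: deploy a Log Analytics workspace in the shared services resource group if
      // none with that name exists in the given location
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2019-09-01",
      "name": "[variables('policyDefinitions').deployLogAnalytics]",
      "properties": {
        "displayName": "Deploy Azure Log Analytics if not exist on subscription",
        "mode": "All",
        "policyType": "Custom",
        "parameters": {
          "workspaceName": {
            "type": "string",
            "metadata": {
              "description": "Provide Log Analytics workspace name that will be created for the subscription",
              "displayName": "Resource name Log Analytics workspace that will be created"
            }
          },
          "resourceLocation": {
            "type": "string",
            "metadata": {
              "description": "Select Azure region for Log Analytics workspace",
              "strongType": "location",
              "displayName": "Location for Log Analytics workspace"
            }
          },
          // Fixed: was declared as 'sharedServicesrgName' while the assignment and the remediation
          // deployment both use 'sharedServicesRgName'
          "sharedServicesRgName": {
            "type": "string",
            "metadata": {
              "description": "Provide name for Resource group"
            }
          }
        },
        "policyRule": {
          "if": {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
          },
          "then": {
            "effect": "deployIfNotExists",
            "details": {
              "type": "Microsoft.OperationalInsights/workspaces",
              "deploymentScope": "Subscription",
              "existenceScope": "Subscription",
              // Owner, as in the other two definitions. This remediation template creates no lock, so
              // Contributor would be enough for it; kept as Owner for consistency — confirm before
              // tightening, since the shared roleAssignments pattern below reads roleDefinitionIds[0].
              "roleDefinitionIds": [
                "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
              ],
              "existenceCondition": {
                "allOf": [
                  {
                    "field": "name",
                    "like": "[[parameters('workspaceName')]"
                  },
                  {
                    "field": "location",
                    "equals": "[[parameters('resourceLocation')]"
                  }
                ]
              },
              "deployment": {
                "location": "[deployment().location]",
                "properties": {
                  "mode": "incremental",
                  "parameters": {
                    "sharedServicesRgName": {
                      "value": "[[parameters('sharedServicesRgName')]"
                    },
                    "workspaceName": {
                      "value": "[[parameters('workspaceName')]"
                    },
                    // Fixed: was passed as 'location', which the template below does not declare, while
                    // its required 'resourceLocation' parameter received no value
                    "resourceLocation": {
                      "value": "[[parameters('resourceLocation')]"
                    }
                  },
                  // Remediation template: the resource group, then a nested RG-scope deployment with
                  // the workspace
                  "template": {
                    "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                      "sharedServicesRgName": {
                        "type": "string"
                      },
                      "workspaceName": {
                        "type": "string"
                      },
                      "resourceLocation": {
                        "type": "string"
                      }
                    },
                    "variables": {},
                    "resources": [
                      {
                        "type": "Microsoft.Resources/resourceGroups",
                        "apiVersion": "2018-05-01",
                        "name": "[[parameters('sharedServicesRgName')]",
                        "location": "[[parameters('resourceLocation')]",
                        "properties": {}
                      },
                      {
                        "type": "Microsoft.Resources/deployments",
                        "apiVersion": "2018-05-01",
                        "name": "[[concat('mgmt', uniqueString('dep'))]",
                        "resourceGroup": "[[parameters('sharedServicesRgName')]",
                        "dependsOn": [
                          "[[resourceId('Microsoft.Resources/resourceGroups/', parameters('sharedServicesRgName'))]"
                        ],
                        "properties": {
                          "mode": "Incremental",
                          "template": {
                            "$schema": "http://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json",
                            "contentVersion": "1.0.0.0",
                            "parameters": {},
                            "variables": {},
                            "resources": [
                              {
                                "apiVersion": "2017-03-15-preview",
                                "location": "[[parameters('resourceLocation')]",
                                "name": "[[parameters('workspaceName')]",
                                "type": "Microsoft.OperationalInsights/workspaces",
                                "properties": {
                                  "sku": {
                                    "name": "pergb2018"
                                  },
                                  // Resource-context access: callers need read permission on the resource
                                  // whose logs they query rather than on the whole workspace
                                  "enableLogAccessUsingOnlyResourcePermissions": true
                                }
                              }
                            ],
                            "outputs": {}
                          }
                        }
                      }
                    ],
                    "outputs": {}
                  }
                }
              }
            }
          }
        }
      }
    },
    {
      // Subscription-scope assignment of the Log Analytics definition
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2019-09-01",
      "name": "[variables('policyAssignments').deployLogAnalytics]",
      "location": "[deployment().location]",
      "dependsOn": [
        "[variables('policyDefinitions').deployLogAnalytics]"
      ],
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "description": "This policy deploys Log Analytics",
        "displayName": "Policy to deploy Log Analytics on the subscription",
        "scope": "[subscription().id]",
        "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions/', variables('policyDefinitions').deployLogAnalytics)]",
        "parameters": {
          "sharedServicesRgName": {
            "value": "[parameters('sharedServicesRgName')]"
          },
          "workspaceName": {
            "value": "[parameters('workspaceName')]"
          },
          "resourceLocation": {
            "value": "[parameters('resourceLocation')]"
          }
        }
      }
    },
    {
      // Role assignment for the Log Analytics assignment's identity (first declared role, i.e. Owner)
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2019-04-01-preview",
      "name": "[guid(variables('policyAssignments').deployLogAnalytics)]",
      "dependsOn": [
        "[variables('policyAssignments').deployLogAnalytics]"
      ],
      "properties": {
        "principalType": "ServicePrincipal",
        "roleDefinitionId": "[reference(concat('/providers/Microsoft.Authorization/policyDefinitions/', variables('policyDefinitions').deployLogAnalytics), '2019-09-01').policyRule.then.details.roleDefinitionIds[0]]",
        "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignments').deployLogAnalytics), '2019-09-01', 'Full' ).identity.principalId)]"
      }
    },
    {
      // Run the Log Analytics remediation template now with the assignment's parameter values
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2018-05-01",
      "location": "[deployment().location]",
      "name": "logAnalyticsPolicyResourceDeployment",
      "dependsOn": [
        "[variables('policyAssignments').deployLogAnalytics]"
      ],
      "properties": {
        "mode": "incremental",
        "template": "[reference(variables('policyDefinitions').deployLogAnalytics, '2019-09-01').policyRule.then.details.deployment.properties.template]",
        "parameters": "[reference(variables('policyAssignments').deployLogAnalytics, '2019-09-01').parameters]"
      }
    }
  ]
}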