I've made the following Azure Policy to determine if an extension has been provisioned by Azure Active Directory, so I have a way to know if a machine has the AD addon installed. However, although the policy works, it shows the extension name instead of the virtual machine it is deployed to. In other words, rather than checking if the virtual machine has the AD extension deployed, it checks if the extension was provisioned by Azure.ActiveDirectory.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines/extensions"
        },
        {
          "AnyOf": [
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
              "notEquals": "Microsoft.Azure.ActiveDirectory"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
              "exists": true
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Se puede elegir si desactivar o auditar cuando no se ha instalado el addon del AD en las máquinas virtuales",
        "portalReview": true
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  }
}
I've checked that the extensions installed in the virtual machines can be found inside the property called "resources" at the end of the VM JSON. However, those have no alias, so it has to be done through "Microsoft.Compute/virtualMachines/extensions". Any idea on how to solve this one?
In Azure Policy, the type field in the if condition refers to the resource type being evaluated. In your case, it is Microsoft.Compute/virtualMachines/extensions, which means the policy is evaluating each VM extension. That is why the policy shows the extension name instead of the VM name.

To show the VM name instead, you need to evaluate the VMs and check if they have the desired extension. However, Azure Policy does not support checking nested resources like VM extensions when evaluating a parent resource like a VM.

A workaround could be to use Azure Policy to audit VMs that do not have the desired extension, and then use Azure Resource Graph (ARG) to query the non-compliant VMs and their extensions. This way, you can see which VMs do not have the desired extension.

You can try this Azure Resource Graph query to search the VMs and their extensions:

This query will return a list of VMs and their extensions, which you can then filter to find the VMs that do not have the desired extension. Run it via Azure Resource Graph Explorer: https://learn.microsoft.com/en-us/azure/governance/resource-graph/samples/advanced?tabs=azure-cli&wt.mc_id=MVP_323223#list-all-extensions-installed-on-a-virtual-machine
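As an added example (not part of the answer above or of the linked Microsoft sample), the following Resource Graph query goes one step further than listing every VM's extensions: it left-joins each VM against only those extension resources whose publisher is Microsoft.Azure.ActiveDirectory and keeps the VMs that have no match, so the result is the list of VMs missing the AAD login extension. It assumes the extension resource exposes its publisher under properties.publisher, which is how the Compute extension resource is projected in Resource Graph.

```kusto
// Added example: VMs that have no extension published by Microsoft.Azure.ActiveDirectory.
Resources
| where type == 'microsoft.compute/virtualmachines'
// Normalise the VM id so it can be matched against the extension's parent path.
| extend JoinID = toupper(id)
| join kind=leftouter (
    Resources
    | where type == 'microsoft.compute/virtualmachines/extensions'
    // Keep only extensions from the AAD publisher (case-insensitive compare).
    | where tolower(tostring(properties.publisher)) == 'microsoft.azure.activedirectory'
    // The extension id is '<vm id>/extensions/<name>'; strip the suffix to get the VM id.
    | extend VMId = toupper(substring(id, 0, indexof(id, '/extensions')))
    | project VMId,
              AadExtensionName = name,
              AadExtensionType = tostring(properties.type)
) on $left.JoinID == $right.VMId
// After a left outer join, VMs with no matching AAD extension have an empty right side.
| where isempty(AadExtensionName)
| project VmName = name, resourceGroup, subscriptionId, location,
          OsType = tostring(properties.storageProfile.osDisk.osType)
| order by tolower(VmName) asc
```

Drop the `where isempty(AadExtensionName)` line to see every VM with the matched AAD extension name and type beside it instead of only the non-compliant ones.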