Automating ARM Policies

In a previous post I discussed using Azure Resource Manager Policies for enhancing governance.  I mentioned that I had put together a simple Azure Automation demonstration that automatically applies policies to resource groups within a subscription.  I have made this sample PowerShell script available for download to demonstrate one possible option for applying ARM policies.  This is a demonstration script only and has not been fully reviewed for production use.  Use at your own risk.

This script is designed to be executed by Azure Automation on a scheduled basis.  It utilizes an AzureRunAsConnection that has been configured with ownership permissions over the subscription.  You will need to use the New-AzureRmRoleAssignment cmdlet to assign the Owner role to the AzureRunAsConnection account, because the Contributor role cannot apply policies.

To use this script you need to set up an Azure Storage account which will hold the ARM JSON policy templates.  The storage account needs to provide anonymous access to the policy files.  Policies should be placed inside a container named after the resource group where the policies should be applied.  For example, if you have a resource group named myRG you would create a container in the storage account called myrg and place all of the policies which should be assigned to that resource group in the container.

Inside of the script there are variables that need to be set for the AzureRunAsConnection name, subscription ID, storage account name, and storage account key.

Once the storage account is set up, the script updated and Azure Automation configured, the policies will be applied automatically on a scheduled basis.  This enables the addition, removal or change of policies by only making changes to the files in the storage account.  No additional steps are required.
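A runbook sketch of the flow described above, added here as an example and not the downloadable script from the post.  It assumes the AzureRM PowerShell module, a Run As connection named AzureRunAsConnection, and a naming convention (an assumption) in which each policy definition and its assignment take the name of the JSON file; it covers adding and updating policies, and does not remove assignments for files deleted from storage.

```powershell
# Added example runbook: apply every policy JSON in a container to the resource group of the same name.
# The four values below are placeholders; the storage key is better stored as an encrypted Automation variable.
$connectionName     = "AzureRunAsConnection"   # Run As connection holding the Owner role on the subscription
$subscriptionId     = "<subscription-id>"
$storageAccountName = "<storage-account-name>"
$storageAccountKey  = "<storage-account-key>"

# Authenticate as the Run As service principal using its certificate
$conn = Get-AutomationConnection -Name $connectionName
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId -CertificateThumbprint $conn.CertificateThumbprint | Out-Null
Select-AzureRmSubscription -SubscriptionId $subscriptionId | Out-Null

# Storage context used to list containers and download the policy files
$ctx = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey

# Container names must be lowercase, so match resource group names case-insensitively
$resourceGroups = Get-AzureRmResourceGroup

foreach ($container in Get-AzureStorageContainer -Context $ctx) {
    $rg = $resourceGroups | Where-Object { $_.ResourceGroupName -ieq $container.Name } | Select-Object -First 1
    if (-not $rg) {
        Write-Output "No resource group matches container '$($container.Name)'; skipping"
        continue
    }

    $blobs = Get-AzureStorageBlob -Container $container.Name -Context $ctx | Where-Object { $_.Name -like "*.json" }
    foreach ($blob in $blobs) {
        $localPath = Join-Path $env:TEMP $blob.Name
        Get-AzureStorageBlobContent -Blob $blob.Name -Container $container.Name `
            -Destination $localPath -Context $ctx -Force | Out-Null

        # Policy and assignment names derived from the file name (assumed convention)
        $policyName = [IO.Path]::GetFileNameWithoutExtension($blob.Name)

        # Creating a definition or assignment under an existing name updates it,
        # so an edited file takes effect on the next scheduled run
        $definition = New-AzureRmPolicyDefinition -Name $policyName -Policy $localPath
        New-AzureRmPolicyAssignment -Name "$policyName-$($rg.ResourceGroupName)" `
            -PolicyDefinition $definition -Scope $rg.ResourceId | Out-Null

        Write-Output "Applied policy '$policyName' to resource group '$($rg.ResourceGroupName)'"
    }
}
```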
