Azure Policy can be used to define conventions that, when Policy Enforcement is enabled, will prevent non-compliant resources from being created.

In scenarios where non-compliant resources need to be exempted, this leads to having to coordinate several steps:

  1. Disable policy Enforcement
  2. Create the non-compliant resource
  3. Add the exemption for the non-compliant resource to the Policy Assignment
  4. Re-enable Enforcement
  5. Review if any unexpected changes occurred during the period of time Enforcement was disabled -- and how to bring things back to compliance

While the above is acceptable, I'm curious if there is an ability to simultaneously create the non-compliant resource and the exemption without the need to coordinate other steps and create the chance for other issues to be introduced.

Is there a way to create a resource and a policy assignment exemption for it simultaneously? Is this potentially in a preview or private preview feature?

STW

3 Answers

From my experience a resource needs to exist before it can be included in an exemption. However, these docs confirm that exemptions do work on the hierarchy in Azure. This means that you could in steps create a resource group to hold your non-compliant resources, then create the exemption with the scope of that resource group and then create the non-compliant resources.

Roderick Bant
  • Thanks! We do use ResourceGroups where they're an option, but they aren't used for 100% of resources (especially where you start to get close to AAD/AD resources) -- so in those cases we're left exempting individual resources :-( – STW Feb 01 '23 at 16:13
It sounds like you are looking for an automated solution.
I have not done this or seen anyone else do this - still unsure of your use case. Why deploy a resource that needs to be exempted automatically?
Anyway, you might have a chance of achieving this with:

  1. Blueprints: https://learn.microsoft.com/en-us/azure/governance/blueprints/overview
  2. Manually executing a PowerShell script: https://learn.microsoft.com/en-us/cli/azure/policy/exemption?view=azure-cli-latest#az-policy-exemption-create (or API).
  3. IaC adding this to your ARM template https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/policyexemptions?pivots=deployment-language-arm-template
  4. Policy using Modify or DeployIfNotExists using https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/policyexemptions?pivots=deployment-language-arm-template

Niclas
  • Thanks! I'm largely weighing options, and agree having to exempt isn't a great approach--but in a couple of our scenarios we're working with resources that don't contain much data (so writing expressive policies isn't possible--and we might not have a viable alternative to exemptions). – STW Jan 29 '23 at 14:32
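The two threads above point the same way: Roderick Bant's workaround puts the exemption on a resource group before anything is created inside it, and Niclas's option 3 puts the exemption into the IaC template. The following Bicep file is an added example (not code from the question, from either answerer, or from Microsoft's docs) that combines both in a single resource-group-scoped deployment. It assumes the resource group already exists (`az group create`, Roderick's first step), that `policyAssignmentId` and `storageAccountName` are placeholders you replace, that a storage account stands in for whatever resource your policy would deny, and that the deploying identity holds `Microsoft.Authorization/policyExemptions/write` on the resource group.

```bicep
// Added example, not from the original question or answers.
// One deployment: create the exemption on the resource group first, then the
// resource that the policy assignment would otherwise deny.
targetScope = 'resourceGroup'

@description('Resource ID of the policy assignment to exempt this resource group from. Placeholder: supply your own assignment ID.')
param policyAssignmentId string

@description('Name of the resource the policy would otherwise deny. Hypothetical example resource.')
param storageAccountName string

@description('Why the exemption exists. Recorded on the exemption itself so a reviewer sees it without chasing tickets.')
param justification string

@description('Exemption expiry in ISO 8601. A time-boxed exemption forces a periodic review instead of living forever.')
param expiresOn string = '2030-01-01T00:00:00Z'

@description('Waiver = accepted as-is; Mitigated = risk addressed by a compensating control.')
@allowed([
  'Waiver'
  'Mitigated'
])
param exemptionCategory string = 'Waiver'

param location string = resourceGroup().location

// Policy exemptions are extension resources. With no explicit scope the exemption
// attaches to the resource group this deployment targets, so every resource
// created in the group afterwards inherits it (the hierarchy behaviour Roderick describes).
resource exemption 'Microsoft.Authorization/policyExemptions@2022-07-01-preview' = {
  name: 'exempt-${storageAccountName}'
  properties: {
    policyAssignmentId: policyAssignmentId
    exemptionCategory: exemptionCategory
    displayName: 'Exemption for ${storageAccountName}'
    description: justification
    expiresOn: expiresOn
  }
}

// The non-compliant resource. Nothing in it references the exemption, so the
// explicit dependsOn is what orders the two PUT requests: exemption first,
// resource second. Without it Bicep may issue both requests in parallel and
// the resource PUT can still be denied.
resource nonCompliantResource 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  dependsOn: [
    exemption
  ]
}

// Surface the exemption ID so the pipeline can record it for later review or cleanup.
output exemptionId string = exemption.id
```

Deploy with `az deployment group create --resource-group <rg> --template-file exempt-then-create.bicep --parameters policyAssignmentId=<assignment-id> storageAccountName=<name> justification="<reason>"`. Two caveats worth checking in your own environment: `dependsOn` guarantees that the exemption PUT completed before the resource PUT was sent, not that Azure Policy's deny evaluation has already picked the new exemption up, so treat a first-run policy denial as a propagation timing issue to retry rather than a template bug. And because `policyExemptions/write` is effectively a bypass of every deny policy on that scope, keep that permission off the day-to-day deployment identity where you can, and watch the activity log for `Microsoft.Authorization/policyExemptions/write` events so exemptions created this way are reviewed, the same review step 5 of the question calls for when enforcement is toggled by hand.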
Short of the workaround shared by Roderick Bant (creating a Resource Group, exempting it, then creating Resources within it) it is not possible.

The resources must be created while the policy is not enforced, otherwise the exempt resources cannot be created at all. Creating a resource which will require an exception requires a series of steps:

  • Disabling Policy Enforcement
  • Creating the new resource
  • Creating the Policy Exception
  • Re-enabling Policy Enforcement
  • Validating and responding to any violations that occurred while the policy was not in effect

STW