How to verify if VM has a set of extensions through Azure policy?


I'm trying to verify whether a set of extensions is installed on a VM. I have written the following policy, but I think it is only evaluating the first extension, or the policy is not behaving as desired. Can you help in solving this?

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
          "equals": "Windows"
        }
      ]
    },
    "then": {
      "effect": "auditIfNotExists",
      "details": {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "NetworkWatcherAgentWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "ConfigurationforWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "DependencyAgentWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "VMAccessAgent"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "AzureDiskEncryption"
            }
          ]
        }
      }
    }
  }
}

The extensions are listed as a resource similar to the type "Microsoft.Compute/VirtualMachines"; the following is how an installed extension looks in an ARM template:

{
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "apiVersion": "2023-03-01",
    "name": "[concat(parameters('virtualMachines_ironmanjboxsit_name'), '/AzureNetworkWatcherExtension')]",
    "location": "eastasia",
    "dependsOn": [
        "[resourceId('Microsoft.Compute/virtualMachines', parameters('virtualMachines_ironmanjboxsit_name'))]"
    ],
    "properties": {
        "autoUpgradeMinorVersion": true,
        "publisher": "Microsoft.Azure.NetworkWatcher",
        "type": "NetworkWatcherAgentWindows",
        "typeHandlerVersion": "1.4"
    }
}

Error/Problematic Behaviour:

The extensions I'm checking are a small set of what the VMs have. For example shown below, the VM also has AzureSecurityCenter extension on it along with the set of extensions I've mentioned in the policy.



Here is an updated policy to audit Windows virtual machines if the specified extensions are not present on the VM:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
              "exists": "true"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
              "like": "Windows"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "AuditIfNotExists",
      "details": {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "NetworkWatcherAgentWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "ConfigurationforWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "DependencyAgentWindows"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "VMAccessAgent"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/extensions/type",
              "equals": "AzureDiskEncryption"
            }
          ]
        }
      }
    }
  },
  "parameters": {}
}

After assigning the policy to the scope, it will begin auditing the Azure Windows virtual machines as shown below.

Note: The policy will take some time to audit the resources after it's assigned, so please wait for a while to see the results.

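As an added illustration (not part of the question or the answer above), here is a small Python model of how an AuditIfNotExists existenceCondition is applied to each related extension resource in turn. The evaluator is a simplified re-implementation written for this example, not the Azure Policy engine; it shows that an allOf over five different values of the same type field can never match a single extension, and it generates one definition per required extension, which is the shape a policy set (initiative) would need. The field name and extension types are the ones from the page; the sample VMs are constructed.

```python
"""Local model of AuditIfNotExists evaluation (added example, constructed data)."""

FIELD = "Microsoft.Compute/virtualMachines/extensions/type"
REQUIRED = ["NetworkWatcherAgentWindows", "ConfigurationforWindows",
            "DependencyAgentWindows", "VMAccessAgent", "AzureDiskEncryption"]


def matches(condition, resource):
    """Evaluate an Azure-Policy-style allOf/anyOf/equals condition on ONE resource."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    return resource.get(condition["field"]) == condition["equals"]


def vm_compliant(existence_condition, extensions):
    """AuditIfNotExists is satisfied if ANY related extension meets the condition."""
    return any(matches(existence_condition, ext) for ext in extensions)


def policy_for(extension_type):
    """Build one AuditIfNotExists rule that checks for a single extension type."""
    return {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
             "equals": "Windows"}]},
        "then": {"effect": "AuditIfNotExists", "details": {
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "existenceCondition": {"field": FIELD, "equals": extension_type}}},
    }


def missing_extensions(extensions):
    """Run the per-extension rules and report which required types are absent."""
    return [t for t in REQUIRED if not vm_compliant(
        policy_for(t)["then"]["details"]["existenceCondition"], extensions)]


# Constructed sample: a VM with all five required extensions plus one extra.
FULL_VM = [{FIELD: t} for t in REQUIRED + ["AzureSecurityCenter"]]
# Constructed sample: the same VM without the Dependency Agent.
PARTIAL_VM = [e for e in FULL_VM if e[FIELD] != "DependencyAgentWindows"]
# The question's existenceCondition: allOf over five values of one field.
ORIGINAL_CONDITION = {"allOf": [{"field": FIELD, "equals": t} for t in REQUIRED]}

if __name__ == "__main__":
    print("original condition on fully patched VM:", vm_compliant(ORIGINAL_CONDITION, FULL_VM))
    print("missing on partial VM:", missing_extensions(PARTIAL_VM))
```

The first print is False even though every extension is present, which is why the single-policy approach flags every VM; the per-extension rules report only the extension that is actually absent.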