Is it possible to set vm encryption from azure policy?

I want to try to enable vm encryption from a policy in azure.

I am currently getting the error below; I have a problem with my policy rule. I'm not sure how to change the "details" to set the VM encryption... any ideas??

│ RESPONSE 400: 400 Bad Request
│ ERROR CODE: InvalidPolicyRule
│ --------------------------------------------------------------------------------
│ {
│   "error": {
│     "code": "InvalidPolicyRule",
│     "message": "Failed to parse policy rule: 'Could not find member 'Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost' on object of type 'ModifyEffectDetailsDefinition'. Path '['Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost']'.'."
│   }
│ }
│ -----

This is my policy here :

{
    "type": "Microsoft.Authorization/policyDefinitions",
    "apiVersion": "2021-06-01",
    "name": "Enable VM Encryption at host",
    "properties": {
      "displayName": "Enable VM encryption at host",
      "mode": "Indexed",
      "description": "This policy enables VM encryption at host.",
      "metadata": {
          "category": "Compute"
      },
      "parameters": {},
      "policyRule": {
          "if": {
              "allOf": [
                  {
                      "field": "type",
                      "equals": "Microsoft.Compute/virtualMachines"
                  },
                  {
                      "field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
                      "notEquals": "true"
                  }
              ]
          },
          "then": {
              "effect": "[parameters('effect')]",
              "details": {
                  "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost": "true"
              }
          }
      },
      "policyType": "Custom"
    }
  }

I want to try to enable vm encryption from a policy in azure.

"Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost": "true"

For enabling securityProfile on a VM using Policy, the above parameter is not accepted.

Here is the Azure Policy to enable VM encryption at the host for all VMs in a stopped state, using the effect: append.

Note: To update the encryptionAtHost property, the virtual machine should be in a stopped state.

Azure Policy:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/virtualMachines"
            },
            {
              "field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
              "notEquals": "true"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": [
        {
          "field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
          "value": true
        }
      ]
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled",
        "Append"
      ],
      "defaultValue": "Append"
    }
  }
}

Response: [screenshot not included]

Alternatively, you can use a PowerShell script to update the encryptionAtHost setting on all VMs that have not been updated.

# Fetch all VMs in the current subscription
$allVms = Get-AzVM

foreach ($vm in $allVms) {
    $vmName = $vm.Name
    $vmRg   = $vm.ResourceGroupName

    # Only touch VMs where encryption at host is not already enabled
    if ($vm.SecurityProfile.EncryptionAtHost -ne $true) {
        # The property can only be changed while the VM is stopped (deallocated)
        Write-Host "Stopping VM: $vmName for enabling EncryptionAtHost"
        Stop-AzVM -ResourceGroupName $vmRg -Name $vmName -Force

        # Pass the single VM object from the loop, not the whole collection
        Update-AzVM -VM $vm -ResourceGroupName $vmRg -EncryptionAtHost $true
        Write-Host "Enabled EncryptionAtHost on VM: $vmName"

        Write-Host "Starting VM: $vmName after enabling EncryptionAtHost"
        Start-AzVM -ResourceGroupName $vmRg -Name $vmName
    }
}

Response: [screenshot not included]

Reference: Modify operations

Update a VM to enable encryption at host.
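The error in the question ("Could not find member ... on object of type 'ModifyEffectDetailsDefinition'") comes from putting the alias directly under "details": for the Modify effect, "details" must be an object with "roleDefinitionIds" and an "operations" array, as described in the "Modify operations" reference above. The question's rule also references [parameters('effect')] while declaring no parameters. The following is an added example, not code from the question or the answer: it builds the Modify-effect version of the rule, creates the definition, and assigns it with a managed identity using Az PowerShell. It assumes an authenticated session (Connect-AzAccount), Az.Resources 6.0 or later (for -IdentityType), and the scope placeholder below; the role id is the built-in Virtual Machine Contributor role.

```powershell
# Added example (not from the question or the answer above): Modify-effect
# policy that sets securityProfile.encryptionAtHost = true on VMs.
# Assumptions: Az.Resources >= 6.0, an authenticated Az session, and the
# $scope placeholder below replaced with a real subscription/resource group id.

$policyRule = @'
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
        "notEquals": "true"
      }
    ]
  },
  "then": {
    "effect": "Modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
      ],
      "conflictEffect": "audit",
      "operations": [
        {
          "operation": "addOrReplace",
          "field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
          "value": true
        }
      ]
    }
  }
}
'@

# roleDefinitionIds above is the built-in Virtual Machine Contributor role; the
# assignment's managed identity needs it to PATCH the VM during remediation.
# conflictEffect "audit" reports VMs whose property could not be modified
# instead of denying the request outright.

# Placeholder scope: replace with your subscription or resource group id.
$scope = '/subscriptions/<subscription-id>'

$definition = New-AzPolicyDefinition -Name 'enable-vm-encryption-at-host' `
    -DisplayName 'Enable VM encryption at host' `
    -Description 'Sets securityProfile.encryptionAtHost to true on virtual machines.' `
    -Mode 'Indexed' `
    -Policy $policyRule

# Modify requires a managed identity on the assignment; -Location is required
# whenever an identity is created with the assignment.
$assignment = New-AzPolicyAssignment -Name 'enable-vm-encryption-at-host' `
    -PolicyDefinition $definition `
    -Scope $scope `
    -IdentityType 'SystemAssigned' `
    -Location 'eastus'

# The principal id is exposed as a flattened property in Az.Resources 7.x and
# as a nested one in earlier versions; read whichever is present.
$principalId = if ($assignment.IdentityPrincipalId) {
    $assignment.IdentityPrincipalId
} else {
    $assignment.Identity.PrincipalId
}

# Grant the identity the role named in roleDefinitionIds at the same scope.
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionId '9980e02c-c2be-4d73-94e8-173b1dc7cf3c' `
    -Scope $scope
```

Modify only fires on create and update requests; VMs that already exist are fixed by a remediation task (Start-AzPolicyRemediation from Az.PolicyInsights) that PATCHes each non-compliant VM with the identity above. Because, as the answer notes, the encryptionAtHost property is only accepted while the VM is stopped, remediation of running VMs will fail and show up under the audit conflict effect rather than being silently skipped.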