This article is contributed. See the original author and article here.
Azure Policy – What’s the length of Policy assignments name?
Introduction:
If you’re not familiar with Azure policy or Terraform please read these documents about Azure Policy, Terraform with Azure and Azure Policy with Terraform
Azure Policy can evaluate resources in Azure Resource Manager by comparing the properties of resources with the policy rules.
These rules in JSON format are known as Policy Definition. These Policy Assignments can be assigned in every scope in Azure, like subscription, Management Group And what’s the relation between Terraform with Azure Policy?
Terraform is an open-source tool for provisioning and managing cloud infrastructure. It also supported by Azure.We can also use Terraform to assign Azure Policies.
This Blog will discuss the length of Azure Policy Assignment name using Powershell script and Terraform. And clarify what is resource name and display name of Azure Policy Assignments
Discussion:
You may already have experience in using Azure Policy, but did did you pay attention to what’s the maximum length for Azure Policy Assignment name? And did you notice there’re display name and resource name for Azure Policy Assignments?
Based on this document Azure Name rules, we know that
policyAssignments | scope of assignment | 1-128 display name | Display name can contain any characters. |
The above document mentions the length of display name and resource name. Especially for Management Group, it only 24 characters can use as the resource name.
So, if the length is more than 24 characters, what’s the error would you get? Now let’s start a test for it.
Tests:
Powershell:
Using Powershell there is a script can assign Policy, here is the refence link for your interesting New-AzureRmPolicyAssignment (AzureRM.Resources) | Microsoft Docs
New-AzureRmPolicyAssignment
-Name <String>
-Scope <String>
[-NotScope <String[]>]
[-DisplayName <String>]
[-Description <String>]
[-PolicyDefinition <PSObject>]
[-PolicySetDefinition <PSObject>]
[-Metadata <String>]
[-Sku <Hashtable>]
[-AssignIdentity]
[-Location <String>]
[-ApiVersion <String>]
[-Pre]
[-DefaultProfile <IAzureContextContainer>]
[-InformationAction <ActionPreference>]
[-InformationVariable <String>]
[<CommonParameters>]
You can see here are two parameter Name and DisplayName. So how to run this script ?
To run this script, I need get the Definition ID using Get-AzPolicyDefinition
$definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq ‘Audit VMs that do not use managed disks’ }
- First, I tried to use Name with value “Audit VMs without managed disks npdi1_csam1_CC001321121_PublicIP” it’s 64 characters. And Display Name as “‘Audit VMs without managed disks Assignment npdi1_csam1_CC00_PublicIP VMs without managed disks npdi1_csam1_CC001321121_PublicIP” it’s 127 characters. Then assigned it in my Management group.
Then I got error “The assignment name must not exceed ‘24’ characters”
- And then I change the Name to “Audit VMs no PublicIP”, it can create Policy Assignment successfully.
- After that I change Display name to “Audit VMs without managed disks Assignment npdi1_csam1_CC00_PublicIP VMs without managed disks npdi1_csam1_CC001321121_PublicIPAA” it’s 129 characters.
It shows error “The policy assignment ‘Audit VMs no PublicIP‘ display name exceeded the allowed length limit. Current length: ‘129’, allowed maximum length: ‘128’.
Now we check in Azure portal, here only shows one Policy Assignment “Audit VMs without managed disks Assignment npdi1_csam1_CC00_PublicIP VMs without managed disks npdi1_csam1_CC001321121_PublicIP”
Meanwhile the name “Audit VMs no PublicIP” is used I the Assignment ID.
So, in Powershell Script name is the Resource name mentioned in the document. And assign in Management Group scope, the maximum length is 24 characters.
And Display Name is the display name in Powershell script. It needs to less than 128 characters.
Based on the test above we also know that the Assignment name we checked in Azure portal is the display name.
Terraform:
To test in Terraform, you need to understand the way to assign a Policy in Terraform, you can check in the document above or from here again Azure Policy with Terraform
It needs to create a main.tf file in Cloud shell Bash console or local Bash console.
Similar like Powershell script, it also has name and display name. Here I also use Management Group as the scope.
provider “azurerm” {
version = “2.35.0”
features {}
}
resource “azurerm_policy_assignment” “npdi1_csam1_CC0_PublicIP” {
name = “ Audit VMs without managed disks npdi1_csam1_CC001321121_PublicIP “
scope = “/providers/Microsoft.Management/managementGroups/testmymanagement”
policy_definition_id = “/providers/Microsoft.Management/managementGroups/testmymanagement/providers/Microsoft.Authorization/policyDefinitions/23a424a8-d05c-4824-916a-d9422272d299”
description = “Shows all virtual machines not using managed disks”
display_name = “Audit VMs without managed disks Assignment npdi1_csam1_CC00_PublicIP VMs without managed disks npdi1_csam1_CC001321121_PublicIP”
}
I got same error with Powershell Script.
Then change Name to “Audit VMs no PublicIP” an display name to “Audit VMs without managed disks Assignment npdi1_csam1_CC00_PublicIP VMs without managed disks npdi1_csam1_CC001321121_PublicIPAA”. We have same error for display name exceed to 128 characters.
Test Result Summary
- From this test we know that the resource name use Azure Policy Assignment is the last part of Assignment ID.
- The display name is the Assignment name that show in Azure portal. The maximin length is 128 characters.
Please pay attention about the length of name and display name when you assign a Policy in PowerShell script and Terraform.
Welcome to provide your comments about this blog, if you are interested about Terraform with Azure Policy please also read this Blog Implementing Azure Policy using Terraform from my colleague Sannidhya.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
Recent Comments