In my previous article I explained how to Create Your Own PowerShell APIs for Azure Governance with Azure Function App and how that can be useful for your daily Azure Administrator tasks.
Today I have another example of how to use that PowerShell API.
Azure Policies are a great way to prevent users from messing up your environment. But sometimes we need to make an exception to be able to deploy or edit something.
Here is a very simple PowerShell script that will allow you to add/remove exception Resource Group from your existing Azure Policy Assignment:
Please note that if you created Policy Assignments from Portal and not from Templates, Policy Assignment Name will not be the name you see in the portal, but something completely different. You can check names like this:
Get-AzPolicyAssignment | select Name
The script will check if the provided policy assignment name exists and if the resource group exists before editing the policy assignment. If either one does not exist, it will return an error message and exit without modifying the policy assignment.
Here is how you can call your function:
Update-PolicyAssignmentExclusionList -PolicyAssignmentName "MyPolicyAssignment" -ResourceGroupName "MyResourceGroup" -Action "add"
<policy-assignment-name>: The name of the policy assignment to edit.
<resource-group-to-modify>: The name of the resource group to add or remove from the exclusion list.
<add-or-remove>: Either “add” or “remove” to indicate whether you want to add or remove the resource group from the exclusion list.
You can easily rewrite it to work inside Azure Functions. Additionally, you can customize the script further to suit your specific needs. For example, you can modify the script to add or remove multiple resource groups from the exclusion list at once, or to accept Subscriptions and Management Groups, or you can add error handling to provide more informative error messages.
Next time you receive a message that your deployment was denied due to Azure Policy, you will have a quick and easy way to crate temporary exception and proceed with your deployment.
And as a bonus, here is anoter quick script that you can use to quickly get the list of all Policy Assignments:
I hope this was useful. Keep clouding around.