From fc5841494ea1bce361bd28b1c1495d0bbb15bf7f Mon Sep 17 00:00:00 2001
From: Don Koning <81743089+DonKoning@users.noreply.github.com>
Date: Thu, 14 Aug 2025 14:07:22 +0200
Subject: [PATCH 1/3] Add policy files
---
 .../azurepolicy.json | 68 +++++++++++++++++++
 .../azurepolicy.parameters.json | 33 +++++++++
 .../azurepolicy.rules.json | 17 +++++
 3 files changed, 118 insertions(+)
 create mode 100644 policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.json
 create mode 100644 policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.parameters.json
 create mode 100644 policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.rules.json
diff --git a/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.json b/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.json
new file mode 100644
index 00000000..f159905e
--- /dev/null
+++ b/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.json
@@ -0,0 +1,68 @@
+{
+ "name": "927f91cf-9e9f-4d95-9deb-1579aed07ace",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Protect selected resources from deletion",
+ "description": "This policy protects selected resource types from accidental or malicious deletion.",
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "General"
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Deny, or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "DenyAction",
+ "Disabled"
+ ],
+ "defaultValue": "DenyAction"
+ },
+ "cascadeBehavior": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Cascade Behavior",
+ "description": "Defines which behavior is followed when a resource is implicitly deleted when a resource group is removed."
+ },
+ "allowedValues": [
+ "deny",
+ "allow"
+ ],
+ "defaultValue": "deny"
+ },
+ "protectedResourceTypes": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Protected Resource Types",
+ "description": "Array of resource types to protect from deletion (e.g., ['Microsoft.Network/vpnSites', 'Microsoft.Storage/storageAccounts'])"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "in": "[parameters('protectedResourceTypes')]"
+ },
+ "then": {
+ "effect": "[parameters('DenyAction')]",
+ "details": {
+ "actionNames": [
+ "delete"
+ ],
+ "cascadeBehaviors": {
+ "resourceGroup": "[parameters('cascadeBehavior')]"
+ }
+ }
+ }
+ },
+ "versions": [
+ "1.0.0"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.parameters.json b/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.parameters.json
new file mode 100644
index 00000000..f45099d3
--- /dev/null
+++ b/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.parameters.json
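Review bot: `"mode": "Indexed"` restricts evaluation to resource types that support tags and location, so any entry in `protectedResourceTypes` that does not (a number of networking and child resource types) would be silently left unprotected; for a deletion guard `"mode": "All"` is the safer choice unless the narrower scope is intended. The version is also recorded three times (`metadata.version`, `properties.version` and `versions`), which will drift on the next bump; `versions` appears to be the read-only list Azure returns on the definition resource and should likely be dropped, leaving `properties.version` as the single source. `protectedResourceTypes` declares no `defaultValue`, which is reasonable for an opt-in guard, but the description should say that an assignment must supply the list so nobody expects a default set of types to be covered.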
@@ -0,0 +1,33 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Deny, or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "DenyAction",
+ "Disabled"
+ ],
+ "defaultValue": "DenyAction"
+ },
+ "cascadeBehavior": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Cascade Behavior",
+ "description": "Defines which behavior is followed when a resource is implicitly deleted when a resource group is removed."
+ },
+ "allowedValues": [
+ "deny",
+ "allow"
+ ],
+ "defaultValue": "deny"
+ },
+ "protectedResourceTypes": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Protected Resource Types",
+ "description": "Array of resource types to protect from deletion (e.g., ['Microsoft.Network/vpnSites', 'Microsoft.Storage/storageAccounts'])"
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.rules.json b/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.rules.json
new file mode 100644
index 00000000..d5c486a0
--- /dev/null
+++ b/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.rules.json
@@ -0,0 +1,17 @@
+{
+ "if": {
+ "field": "type",
+ "in": "[parameters('protectedResourceTypes')]"
+ },
+ "then": {
+ "effect": "[parameters('DenyAction')]",
+ "details": {
+ "actionNames": [
+ "delete"
+ ],
+ "cascadeBehaviors": {
+ "resourceGroup": "[parameters('cascadeBehavior')]"
+ }
+ }
+ }
+}
\ No newline at end of file
From 3b49f6d85cf6ae54b16c58c28e670290dc436d6c Mon Sep 17 00:00:00 2001
From: Don Koning <81743089+DonKoning@users.noreply.github.com>
Date: Thu, 14 Aug 2025 14:11:27 +0200
Subject: [PATCH 2/3] typo
---
 .../General/protect-resources-with-deny-action/azurepolicy.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
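Review bot: The `effect` description in this parameters file still reads `"Deny, or Disabled the execution of the Policy"`, the wording that PATCH 2/3 and PATCH 3/3 rewrite in azurepolicy.json but not here, so the two parameter sets diverge one commit after they are created. If both files are kept, the parameter block should be byte-identical in each, and the sentence itself should name the actual values; suggest `"DenyAction blocks delete requests for the selected resource types; Disabled turns the policy off."` in both places.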
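Review bot: `"effect": "[parameters('DenyAction')]"` under `then` references a parameter that no parameters file declares — the parameter is named `effect` — so this rules file should be rejected when the definition is created, and if it were accepted the effect could not be resolved and the deletion guard would never apply. PATCH 3/3 corrects the same line only in azurepolicy.json, so the split rules file keeps the broken reference; change it here as well: `"effect": "[parameters('effect')]"`.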
diff --git a/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.json b/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.json
index f159905e..1c758e19 100644
--- a/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.json
+++ b/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.json
@@ -16,7 +16,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Effect",
- "description": "Deny, or Disabled the execution of the Policy"
+ "description": "Deny, or Disables the execution of the Policy"
 },
 "allowedValues": [
 "DenyAction",
From 3f8896198aa0f24156db06e8ba9bb54599173ca8 Mon Sep 17 00:00:00 2001
From: Don Koning <81743089+DonKoning@users.noreply.github.com>
Date: Thu, 14 Aug 2025 14:27:06 +0200
Subject: [PATCH 3/3] Fixes
---
 .../protect-resources-with-deny-action/azurepolicy.json | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.json b/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.json
index 1c758e19..032888a2 100644
--- a/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.json
+++ b/policyDefinitions/General/protect-resources-with-deny-action/azurepolicy.json
@@ -4,7 +4,6 @@
 "properties": {
 "displayName": "Protect selected resources from deletion",
 "description": "This policy protects selected resource types from accidental or malicious deletion.",
- "policyType": "Custom",
 "mode": "Indexed",
 "metadata": {
 "version": "1.0.0",
@@ -16,7 +15,7 @@
 "type": "String",
 "metadata": {
 "displayName": "Effect",
- "description": "Deny, or Disables the execution of the Policy"
+ "description": "Deny, or Disables the execution of the Policy."
 },
 "allowedValues": [
 "DenyAction",
@@ -40,7 +39,7 @@
 "type": "Array",
 "metadata": {
 "displayName": "Protected Resource Types",
- "description": "Array of resource types to protect from deletion (e.g., ['Microsoft.Network/vpnSites', 'Microsoft.Storage/storageAccounts'])"
+ "description": "Array of resource types to protect from deletion (e.g., ['Microsoft.Network/vpnSites', 'Microsoft.Storage/storageAccounts'])."
 }
 }
 },
@@ -50,7 +49,7 @@
 "in": "[parameters('protectedResourceTypes')]"
 },
 "then": {
- "effect": "[parameters('DenyAction')]",
+ "effect": "[parameters('effect')]",
 "details": {
 "actionNames": [
 "delete"