Forum Discussion
Azure Policy - Enable Hybrid Use Benefit
Hello there.
I'm struggling with a custom policy. My requirements are the following:
- Enable Hybrid Use Benefit for Microsoft.Compute/virtualMachines (properties.licenseType=Windows_Server)
- Work for both Marketplace and not-Marketplace virtual machines (ASRed, etc)
- Fix deployments that are done without it enabled
- Allow remediation of existing resources
Initially I found Community Policy - deploy-hybrid-benefit-windows which works for Marketplace, but not for VMs without imagePublisher and imageOffer. I identified properties.storageProfile.osDisk.osType as another way to identify Windows machines.
The full policy if below, but it only works for remediation, it does not work for new deployments. What am I doing wrong?
I also found this issue, which suggests adding a licenseType to the If, but then the all resources are in compliance: https://github.com/Azure/azure-policy/issues/426 remediation does not work and new resources don't as well.
Any help is very appreciated!
{
"displayName": "Deploy Azure Hybrid Benefit for Windows.",
"mode": "Indexed",
"description": "This policy ensures virtual machines are configured for Azure Hybrid Benefit for Windows Server - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/hybrid-use-benefit-licensing#ways-to-use-azure-hybrid-benefit-for-windows-server.",
"metadata": {
"category": "Compute",
"version": "1.0.1"
},
"parameters": {
"effect": {
"type": "string",
"metadata": {
"displayName": "Effects",
"description": "Enable or disable the execution of the Policy."
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
}
},
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
"equals": "Windows"
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Compute/virtualMachines",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Compute/virtualMachines/licenseType",
"equals": "Windows_Server"
}
]
},
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"contentVersion": "1.0.0.0",
"parameters": {
"vmName": {
"type": "String"
},
"licenseType": {
"defaultValue": "None",
"type": "String",
"allowedValues" : [
"None",
"Windows_Server"
]
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2021-03-01",
"name": "[parameters('vmName')]",
"location": "[resourceGroup().location]",
"properties": {
"licenseType": "[parameters('licenseType')]"
}
}
],
"outputs": {
"policy": {
"type": "string",
"value": "[concat('Changed LicenseType for Windows VM', ': ', parameters('vmName'), '- ', parameters('licenseType'))]"
}
}
},
"parameters": {
"vmName": {
"value": "[field('name')]"
},
"licenseType": {
"value": "Windows_Server"
}
}
}
}
}
}
}
}
Thanks, Joel.
No RepliesBe the first to reply
