Azure Policy - Add custom error messages

Published at: 9/13/2023
Categories: azure, policy
Author: wilfriedwoivre

Azure Policy is very useful for governance on Azure. However, its error messages are not always clear. It is possible to customize them, as we will see in this article.

Let’s imagine a policy that requires all your storage accounts to be accessible only over HTTPS. The policy would look like this:

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
            },
            {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "equals": false
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}


When assigning it, you will want to give it a name. At this point you have several choices:

  • Use a name that is meaningful to everyone who will see the error message, such as AllowOnlyStorageAccountWithOnlyHttpsSupport
  • Use a unique identifier such as 4cd4c48a-9a10-4386-ae0e-45ee0205231b, since we agree that there is nothing better than a GUID, or not …
  • Adopt a nomenclature for your different Azure Policies so that you can find them easily and avoid typos or approximate English, at the risk of ending up with a code that is not always clear, such as STG-SPEC-NWK-RSK0 (Storage-Specific-Network-Risk_0)
  • Answer D

Well, to be honest, I prefer the third choice, because a nomenclature can be adapted and there is no need to invent a name for everything. The real drawback, however, is that sometimes your policies get triggered and your users legitimately ask you, “If not Wilfried, what does this error code mean?” Well, you should know that all these support concerns are now over, because Microsoft has provided the ability to set custom error messages like this:
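One way to attach such a message when assigning the policy from PowerShell, as an added example that is not part of the original article. It assumes the Az.Resources module and a signed-in session, reuses the article's rule, resource group and message, and assumes STG-SPEC-NWK-RSK0 is used as both the definition name and the assignment name.

```powershell
# Added example, not the article's own code.
# Assumes: Az.Resources is installed and Connect-AzAccount has been run.

# Policy rule from the article: deny storage accounts that accept non-HTTPS traffic.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": false }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# Create the definition under the nomenclature-style code (name choice is an assumption).
$definitionArgs = @{
    Name        = 'STG-SPEC-NWK-RSK0'
    DisplayName = 'STG-SPEC-NWK-RSK0'
    Policy      = $rule
}
$definition = New-AzPolicyDefinition @definitionArgs

# Scope the assignment to the resource group used in the article's test.
$scope = (Get-AzResourceGroup -Name 'policy-test-2').ResourceId

# The non-compliance message is the text shown to the caller after "Reasons:"
# when the deny effect fires, instead of only the opaque assignment name.
$assignmentArgs = @{
    Name                 = 'STG-SPEC-NWK-RSK0'
    Scope                = $scope
    PolicyDefinition     = $definition
    NonComplianceMessage = @{ Message = 'Allow only storage account with only https support enabled' }
}
New-AzPolicyAssignment @assignmentArgs | Out-Null

# Read the assignment back to confirm the message was stored with it.
Get-AzPolicyAssignment -Name 'STG-SPEC-NWK-RSK0' -Scope $scope | ConvertTo-Json -Depth 10
```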

So when you create your storage account, for example in PowerShell, you will get this message:

PS C:\Users\wilfr> New-AzStorageAccount -Name policytestwwo -ResourceGroupName policy-test-2 -Kind StorageV2 -SkuName Standard_LRS -Location westeurope -AccessTier Hot -EnableHttpsTrafficOnly $false
New-AzStorageAccount : Resource 'policytestwwo' was disallowed by policy. Reasons: 'Allow only storage account with
only https support enabled'. See error details for policy resource IDs.
At line:1 char:1
+ New-AzStorageAccount -Name policytestwwo -ResourceGroupName policy-te ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [New-AzStorageAccount], CloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Management.Storage.NewAzureStorageAccountCommand


And voilà, there you have your custom message! Of course, you can put whatever you want in it, such as a link to your internal documentation for this policy.
