AzPolicyAdvertizer

last sync: 2023-Jun-19 17:45:01 UTC

Community Policy definition

Audit Specified Resource Type For Any Lock

Name

Audit Specified Resource Type For Any Lock
Community-Policy GitHub

audit-resourcetype-for-lock

Version

n/a
details on versioning

Category

undefined
Microsoft docs

Description

This policy audits the specified resource type for any lock such as 'CanNotDelete' or 'ReadOnly'.

Mode

All

Type

Custom Community

Effect

Fixed
auditIfNotExists

Used RBAC Role

none

Rule Aliases

THEN-ExistenceCondition (1)

Alias	Namespace	ResourceType	DefaultPath	Modifiable
Microsoft.Authorization/locks/level	Microsoft.Authorization	locks	properties.level	false

Rule ResourceTypes

THEN-Details (1)
Microsoft.Authorization/locks

JSON

{5 itemsdisplayName: "Audit Specified Resource Type For Any Lock",
description: "This policy audits the specified resource type for any lock such as 'CanNotDelete' or 'ReadOnly'.",
mode: "All",
parameters: {2 itemsresourceTypes: {3 itemstype: "Array",
metadata: {2 itemsdescription: "Azure resource types to audit for any lock",
displayName: "resourceTypes"
},
defaultValue: [6 items"microsoft.network/expressroutecircuits",
"microsoft.network/expressroutegateways",
"microsoft.network/virtualnetworks",
"microsoft.network/virtualnetworkgateways",
"microsoft.network/vpngateways",
"microsoft.network/p2svpngateways"
]
},
lockLevel: {4 itemstype: "Array",
metadata: {2 itemsdescription: "The lock level to audit for",
displayName: "lockLevel"
},
allowedValues: [2 items"ReadOnly",
"CanNotDelete"
],
defaultValue: [2 items"ReadOnly",
"CanNotDelete"
]
}
},
policyRule: {2 itemsif: {2 itemsfield: "type",
in: "[parameters('resourceTypes')]"
},
then: {2 itemsdetails: {2 itemsexistenceCondition: {2 itemsfield: "Microsoft.Authorization/locks/level",
in: "[parameters('lockLevel')]"
},
type: "Microsoft.Authorization/locks"
},
effect: "auditIfNotExists"
}
}
}