main.bicep
// Deployed at subscription scope: the definition and the assignment declared in
// this file are both created on the subscription being deployed to.
targetScope = 'subscription'

// Effect applied to a resource whose location is outside the allowed list.
// 'Audit' only records the resource as non-compliant; 'Deny' rejects the request.
// There is no default, so each deployment has to pick one explicitly.
@allowed([
  'Audit'
  'Deny'
])
param policyEffect string

// Regions in which resources may be deployed; handed to the policy assignment
// as its 'allowedLocations' parameter.
param listOfAllowedLocations array = [
  'norwayeast'
  'westeurope'
]
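// Custom policy definition that flags (or blocks) resources whose 'location'
// is not in the allowedLocations parameter.
resource locationPolicyDefinition 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {
  name: 'custom-allowed-location'
  properties: {
    displayName: 'Custom - allowed location for resources'
    policyType: 'Custom'
    // Stated explicitly instead of relying on the service's handling of an omitted
    // mode. 'Indexed' evaluates only resource types that support tags and location,
    // so resource groups themselves are NOT covered by this rule; restricting
    // resource-group locations needs a separate policy.
    mode: 'Indexed'
    description: 'Use policy to restrict where resources can be deployed'
    parameters: {
      allowedLocations: {
        type: 'Array'
        metadata: {
          displayName: 'Allowed locations'
          description: 'Locations in which resources may be deployed'
        }
      }
      // NOTE(review): the definition does not constrain this value (no allowedValues);
      // only the policyEffect param in this file limits it to Audit/Deny. Any other
      // assignment of this definition could pass a different effect. Consider adding
      // allowedValues here once existing assignments have been checked.
      effect: {
        type: 'String'
        metadata: {
          displayName: 'Effect'
          description: 'Policy effect applied to resources outside the allowed locations'
        }
      }
    }
    metadata: {
      category: 'Locations'
    }
    policyRule: {
      // A leading '[' makes these policy-language expressions that are stored
      // in the definition and resolved by Azure Policy when it evaluates a resource.
      if: {
        allOf: [
          {
            field: 'location'
            notIn: '[parameters(\'allowedLocations\')]'
          }
          {
            // Resources reporting the location 'global' are exempt from the rule.
            field: 'location'
            notEquals: 'global'
          }
          {
            // Azure AD B2C directories are exempt regardless of their location.
            field: 'type'
            notEquals: 'Microsoft.AzureActiveDirectory/b2cDirectories'
          }
        ]
      }
      then: {
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}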
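// Assigns the custom location policy to the subscription being deployed to
// (the file's targetScope), passing through the allowed regions and the effect.
resource locationPolicy 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
  name: 'Resource-location-restriction'
  properties: {
    policyDefinitionId: locationPolicyDefinition.id
    displayName: 'Restrict location for Azure resources'
    description: 'Policy will either Audit or Deny resources being deployed in other locations'
    parameters: {
      allowedLocations: {
        value: listOfAllowedLocations
      }
      // Key spelled exactly as the definition declares it ('effect'); the original
      // 'Effect' depended on the service matching parameter names case-insensitively.
      effect: {
        // With 'Audit' nothing is blocked: out-of-region resources are only
        // reported as non-compliant. Use 'Deny' when the restriction must be enforced.
        value: policyEffect
      }
    }
  }
}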