Maintain visibility of your Azure spend with default budgets and anomaly alerts deployed by Azure Policy

Introduction:

In this tutorial/guide, we will go through the process of creating an Azure Policy Initiative that deploys a default budget and a default anomaly alert to every subscription under a management group, so that you regain visibility of your Azure spend and know that some cost monitoring is in place for all of your subscriptions.

The code for this walkthrough can be found here on my GitHub. I have to give credit to the team at Microsoft who maintain the Azure Landing Zone policies, as my work was built off a Policy definition they wrote here and found here on AZAdvertizer.

Additional features added:

  • Added two forecast alerts to the budget policy
  • Developed a Bicep deployment around the policy
  • Wrote a new Policy Definition for anomaly alerts
  • Added both definitions to a Policy Initiative
  • Policy Initiative assignment and role assignment

How it works:

This build includes:

  • 2x Policy Definitions
  • 1x Policy Initiative (Policy Set Definition)
  • 1x Policy Assignment with system managed Identity
  • 1x Role Assignment to Management Group

The role assignment is what lets the DeployIfNotExists effects work: the assignment's system-assigned managed identity needs the role(s) each definition lists under roleDefinitionIds at the management group scope, and nothing more. Without it, remediation deployments fail with authorization errors.

The Policy Definitions are as follows:

  • Deploy a Budget
  • Deploy an Anomaly Alert

Deploy a Budget:

The ‘budget.json’ file includes the policy definition for the budget deployment policy. This policy should be assigned at the management group scope. It will target all ‘subscription’ resources under the target management group.

It then checks whether the subscription already has a budget that matches all of the following exactly:

  • Budget amount
  • Time grain (Monthly, Annually, etc.)
  • Category of Cost (rather than Usage)

If a budget matching all three values (set in the parameter file) exists, the subscription is compliant. If not, the subscription is non-compliant and the budget is created by a remediation task. Note that DeployIfNotExists only fires on its own when a matching resource is created or updated, so subscriptions that already existed when the policy was assigned stay non-compliant until you remediate them.

Tip: if some subscriptions already have a default/standard budget, set the three values above to match it and those subscriptions will be marked compliant instead of receiving a second budget.

Tip 2: if this existence condition is too strict for you, open budget.json and remove any of the three conditions. For example, if compliance should only require a monthly cost budget of any amount, remove the condition object containing 'amount'. Removing a condition only loosens what counts as compliant; the remediation deployment still creates the budget described by the parameter file.

Deploy an Anomaly Alert:

The ‘anomaly-alert.json’ file includes the policy definition for the anomaly alert deployment policy. This policy should also be assigned at the management group scope. It will target all ‘subscription’ resources under the target management group.

It then checks whether the subscription already has an anomaly alert whose display name matches exactly:

  • alertDisplayName

If an anomaly alert with that display name (set in the parameter file) exists, the subscription is compliant. If not, the subscription is non-compliant and a remediation task deploys one. Because only the display name is checked, an existing alert with the same name but different recipients or settings still counts as compliant.
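Before filling in the parameter file it helps to know what the subscriptions already contain, because both existence conditions above are exact matches. The following script is an added example, not code from the blog's repository: it walks every subscription under a management group, lists the existing budgets and anomaly alerts, and reports whether each subscription would already satisfy the budget condition (amount, time grain, category) and the anomaly alert condition (display name). It also checks the Microsoft.PolicyInsights registration from the prerequisites. The management group name, amount, time grain and alert display name are placeholders, and the Cost Management API version used for anomaly alerts is an assumption.

```powershell
# Added example (not from the blog's repository): inventory existing budgets and
# anomaly alerts for every subscription under a management group, and report
# whether each subscription would already satisfy the two existence conditions.
# Requires Az.Accounts, Az.Resources and Az.Billing; run after Connect-AzAccount.
# All four values below are placeholders: use the ones you intend to put in
# the bicepparam file.
param(
    [string]$ManagementGroupName = 'mg-example',            # placeholder
    [decimal]$ExpectedAmount     = 1000,                    # placeholder: budget amount
    [string]$ExpectedTimeGrain   = 'Monthly',               # placeholder: budget time grain
    [string]$ExpectedAlertName   = 'Default anomaly alert'  # placeholder: alertDisplayName
)

# Flatten the management-group tree returned by -Expand -Recurse into subscriptions.
function Get-SubscriptionsUnderManagementGroup {
    param([string]$GroupName)
    $root  = Get-AzManagementGroup -GroupName $GroupName -Expand -Recurse -ErrorAction Stop
    $stack = [System.Collections.Generic.Stack[object]]::new()
    $stack.Push($root)
    while ($stack.Count -gt 0) {
        $node = $stack.Pop()
        foreach ($child in @($node.Children)) {
            # Children carry Type '/subscriptions' or 'Microsoft.Management/managementGroups'
            if ($child.Type -like '*subscriptions') {
                [pscustomobject]@{ Id = $child.Name; DisplayName = $child.DisplayName }
            } else {
                $stack.Push($child)
            }
        }
    }
}

$report = foreach ($sub in Get-SubscriptionsUnderManagementGroup -GroupName $ManagementGroupName) {
    $null = Set-AzContext -SubscriptionId $sub.Id -ErrorAction Stop

    # Prerequisite: compliance is only evaluated where Microsoft.PolicyInsights is registered.
    $piState = (Get-AzResourceProvider -ProviderNamespace Microsoft.PolicyInsights |
                Select-Object -First 1).RegistrationState

    # Budgets at subscription scope. The policy's existence condition needs all three of
    # amount, time grain and category to match, so test exactly that. PowerShell -eq is
    # case-insensitive, which mirrors Azure Policy's 'equals'.
    $budgets = @(Get-AzConsumptionBudget -ErrorAction SilentlyContinue)
    $budgetMatch = @($budgets | Where-Object {
        $_.Category -eq 'Cost' -and
        $_.TimeGrain -eq $ExpectedTimeGrain -and
        [decimal]$_.Amount -eq $ExpectedAmount
    })

    # Anomaly alerts are Cost Management scheduled actions of kind 'InsightAlert'.
    # No dedicated Az cmdlet exists, so call the REST API (api-version is an assumption).
    $path = "/subscriptions/{0}/providers/Microsoft.CostManagement/scheduledActions?api-version=2023-03-01" -f $sub.Id
    $resp = Invoke-AzRestMethod -Method GET -Path $path
    $alerts = @()
    if ($resp.StatusCode -eq 200) {
        $alerts = @(($resp.Content | ConvertFrom-Json).value | Where-Object { $_.kind -eq 'InsightAlert' })
    }
    $alertMatch = @($alerts | Where-Object { $_.properties.displayName -eq $ExpectedAlertName })

    [pscustomobject]@{
        Subscription    = $sub.DisplayName
        PolicyInsights  = $piState
        Budgets         = ($budgets | ForEach-Object { "$($_.Name)=$($_.Amount)/$($_.TimeGrain)/$($_.Category)" }) -join '; '
        BudgetCompliant = $budgetMatch.Count -gt 0
        AnomalyAlerts   = ($alerts | ForEach-Object { $_.properties.displayName }) -join '; '
        AlertCompliant  = $alertMatch.Count -gt 0
    }
}

$report | Format-Table -AutoSize
```

Rows with BudgetCompliant or AlertCompliant set to False are the subscriptions a remediation task will touch; a False under PolicyInsights means that subscription will never show up in compliance results until the provider is registered. If the Budgets column shows an existing standard budget you want to keep, use its amount and time grain as the parameter values (Tip 1) rather than ending up with two budgets per subscription.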

Step-1: Prerequisites

  • Sufficient permissions on the target management group: creating the policy assignment and the role assignment requires, for example, Owner, or User Access Administrator plus Resource Policy Contributor.
  • The Microsoft.PolicyInsights resource provider registered in every subscription (otherwise no compliance results are produced for it).
  • An action group to receive the alerts.

Step-2: Getting Started

You should now have at least one subscription under a management group, with the Microsoft.PolicyInsights provider registered.

Head over to my GitHub repository here and grab the required files under blog/DefaultBudgetsAndAnomalyAlerts, or copy and paste the code into the same file structure and file names.

Step-3: Setting Parameters

As every environment is different, almost all inputs have been parameterised (bar one or two). Fill out the bicepparam file as required, making sure no parameter is left blank.

Note that this deployment was designed for the UK South region. If you need to deploy to another region, you will have to change the location input in the .json files as well as in the Bicep file.

And don't worry if you aren't sure what a parameter does (or is): allowed values and descriptions are attached to all of them.

Next, change the management group name and deployment name in the PowerShell file.

Step-4: Deploying to Azure

Deploying to Azure is straightforward. Zip up the folder containing the code and upload it to a shell session in your Azure environment (for example Azure Cloud Shell in PowerShell mode).

Next run the following commands

unzip ./example.zip

cd ./example

./example-deploy.ps1

Step-5: Remediation

Now that the policy definitions, initiative and assignment are deployed, you need to remediate your existing subscriptions; the DeployIfNotExists effect on its own only acts on subscriptions created or updated after the assignment.

In the Azure portal, navigate to Policy > Remediation.

Remediate both the Budget and the Anomaly alert deployments. After successful remediation, you can find the resulting resources under each subscription's Deployments.
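Steps 4 and 5 can also be driven end to end from PowerShell, which is handy when you roll this out to more than one management group or want the remediation results on record. The script below is an added example and is not the blog's example-deploy.ps1: it deploys the Bicep at management group scope, confirms that the assignment's managed identity actually holds a role before remediating (the usual cause of remediation deployments failing), starts one remediation task per definition in the initiative, waits for them, and lists what the assignment still reports as non-compliant. The management group name, file names, assignment name and policyDefinitionReferenceIds are placeholders that must match your own Bicep and parameter files.

```powershell
# Added example (not the blog's example-deploy.ps1): Steps 4 and 5 driven from
# PowerShell. Deploys the Bicep at management-group scope, checks the assignment
# identity really holds a role, kicks off one remediation task per definition in
# the initiative, waits, and lists what is still non-compliant.
# Requires Az.Accounts, Az.Resources and Az.PolicyInsights; run after Connect-AzAccount.
# Every value in param() is a placeholder and must match your bicep/bicepparam files.
param(
    [string]$ManagementGroupName = 'mg-example',                           # placeholder
    [string]$Location            = 'uksouth',                              # deployment metadata location
    [string]$TemplateFile        = './main.bicep',                         # placeholder
    [string]$ParameterFile       = './main.bicepparam',                    # placeholder
    [string]$AssignmentName      = 'default-budgets-anomaly',              # placeholder: initiative assignment name
    [string[]]$ReferenceIds      = @('DeployBudget', 'DeployAnomalyAlert') # placeholders: policyDefinitionReferenceIds
)
$stamp   = Get-Date -Format 'yyyyMMddHHmm'
$mgScope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupName"

# Step 4: management-group deployment of definitions, initiative, assignment and role assignment.
$deployment = New-AzManagementGroupDeployment -ManagementGroupId $ManagementGroupName `
    -Name "budgets-anomaly-$stamp" -Location $Location `
    -TemplateFile $TemplateFile -TemplateParameterFile $ParameterFile -ErrorAction Stop
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment finished in state '$($deployment.ProvisioningState)'"
}

# Sanity check before remediating: DeployIfNotExists runs as the assignment's managed
# identity, and remediation deployments fail with authorization errors if the role
# assignment is missing or has not propagated yet.
$assignment   = Get-AzPolicyAssignment -Name $AssignmentName -Scope $mgScope -ErrorAction Stop
$assignmentId = if ($assignment.Id) { $assignment.Id } else { $assignment.ResourceId }  # property name differs across Az.Resources versions
$principalId  = $assignment.Identity.PrincipalId
if (-not $principalId) { throw "Assignment '$AssignmentName' has no managed identity" }
$roles = @(Get-AzRoleAssignment -ObjectId $principalId -Scope $mgScope)
if ($roles.Count -eq 0) { throw "Identity $principalId has no role assignment at $mgScope" }
"Assignment identity holds: $($roles.RoleDefinitionName -join ', ')"

# Step 5: one remediation task per definition reference in the initiative. Subscriptions that
# already existed are only fixed by remediation; the effect alone fires on create/update.
$remediations = foreach ($refId in $ReferenceIds) {
    Start-AzPolicyRemediation -Name "rem-$refId-$stamp" -ManagementGroupName $ManagementGroupName `
        -PolicyAssignmentId $assignmentId -PolicyDefinitionReferenceId $refId `
        -ResourceDiscoveryMode ReEvaluateCompliance -ErrorAction Stop
}

# Poll until every task has left the in-progress states.
$inProgress = @('Accepted', 'Evaluating', 'Running', 'Cancelling')
do {
    Start-Sleep -Seconds 30
    $states = foreach ($r in $remediations) {
        (Get-AzPolicyRemediation -Name $r.Name -ManagementGroupName $ManagementGroupName).ProvisioningState
    }
} while ($states | Where-Object { $_ -in $inProgress })

$remediations |
    ForEach-Object { Get-AzPolicyRemediation -Name $_.Name -ManagementGroupName $ManagementGroupName } |
    Select-Object Name, ProvisioningState,
        @{ n = 'Deployments'; e = { $_.DeploymentSummary.TotalDeployments } },
        @{ n = 'Failed';      e = { $_.DeploymentSummary.FailedDeployments } }

# What this assignment still reports as non-compliant (compliance data can lag a scan cycle).
Get-AzPolicyState -ManagementGroupName $ManagementGroupName -Filter "ComplianceState eq 'NonCompliant'" |
    Where-Object { $_.PolicyAssignmentId -eq $assignmentId } |
    Select-Object SubscriptionId, PolicyDefinitionReferenceId, Timestamp |
    Format-Table -AutoSize
```

ReEvaluateCompliance makes the remediation task re-scan the subscriptions first, which is what you want right after a fresh assignment; the default ExistingNonCompliant mode only acts on resources already recorded as non-compliant and can find nothing if no compliance scan has run yet. A non-zero Failed column is almost always the identity/role problem the script checks for, or a subscription where Microsoft.PolicyInsights is not registered.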

Step-6: Success

You should now have default budget and anomaly alerts deployed to your subscriptions! 

If you got stuck at any part, or need any help. Reach out to me on LinkedIn

Step-7: Extras

If you don't want to use an action group, delete the action group resource and the associated parameters for the Policy Initiative.
