Daniel's Tech Blog

Cloud Computing, Cloud Native & Kubernetes

Identifying values for the Azure Policy field parameter

In Azure, you can use Azure Policy with its field parameter to check for or enforce certain Azure resource configurations.

For instance, the built-in policy “Allowed virtual machine size SKUs” uses the field parameter to restrict the available VM SKUs. This is especially useful for preventing the accidental provisioning of very expensive VM SKUs such as those of the M family.

If you want to create a custom Azure Policy definition that uses the field parameter, identifying the correct field path definitions (the aliases) is not that easy.

Let us examine an example use case in which we want to ensure that the clusterAdmin endpoint is disabled on an Azure Kubernetes Service cluster.

Using the Azure CLI, we query the provider namespace Microsoft.ContainerService for its resource type aliases.

az provider show --namespace Microsoft.ContainerService --expand "resourceTypes/aliases" --query "resourceTypes[].aliases[].name"

When we scroll through the entire output, we finally find the alias Microsoft.ContainerService/managedClusters/disableLocalAccounts we were looking for.

The policy rule in an Azure Policy definition that enforces Azure Kubernetes Service cluster deployments without the clusterAdmin endpoint is then the following.

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      {
        "field": "Microsoft.ContainerService/managedClusters/disableLocalAccounts",
        "equals": "false"
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}
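As an added example (not code from the post), a small Python script that filters the alias list returned by the CLI query above for a keyword instead of scrolling through the entire output, shows which ARM property path each alias maps to, and then assembles the policy rule from the post. The embedded provider JSON is a constructed sample shaped like the `az provider show --expand "resourceTypes/aliases"` output, not real CLI output.

```python
import json

# Constructed sample shaped like the output of
# az provider show --namespace Microsoft.ContainerService --expand "resourceTypes/aliases"
# trimmed to three aliases (not real CLI output).
SAMPLE_PROVIDER_JSON = """
{
  "namespace": "Microsoft.ContainerService",
  "resourceTypes": [
    {
      "resourceType": "managedClusters",
      "aliases": [
        {"name": "Microsoft.ContainerService/managedClusters/kubernetesVersion",
         "paths": [{"path": "properties.kubernetesVersion"}]},
        {"name": "Microsoft.ContainerService/managedClusters/disableLocalAccounts",
         "paths": [{"path": "properties.disableLocalAccounts"}]},
        {"name": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster",
         "paths": [{"path": "properties.apiServerAccessProfile.enablePrivateCluster"}]}
      ]
    }
  ]
}
"""


def find_aliases(provider_json: str, keyword: str) -> dict:
    """Return {alias name: first ARM property path} for aliases whose name contains keyword."""
    provider = json.loads(provider_json)
    matches = {}
    for resource_type in provider.get("resourceTypes", []):
        # Resource types without aliases carry null here, hence the "or []".
        for alias in resource_type.get("aliases") or []:
            if keyword.lower() in alias["name"].lower():
                paths = alias.get("paths") or []
                matches[alias["name"]] = paths[0]["path"] if paths else None
    return matches


def build_policy_rule(resource_type: str, alias: str, value, effect: str = "Deny") -> dict:
    """Build the policyRule from the post: apply effect when alias equals value on resource_type."""
    return {
        "if": {"allOf": [{"field": "type", "equals": resource_type},
                         {"field": alias, "equals": value}]},
        "then": {"effect": effect},
    }


if __name__ == "__main__":
    hits = find_aliases(SAMPLE_PROVIDER_JSON, "localaccounts")
    for name, path in hits.items():
        print(f"{name} -> {path}")
    rule = build_policy_rule("Microsoft.ContainerService/managedClusters", next(iter(hits)), "false")
    print(json.dumps({"policyRule": rule}, indent=2))
```

Before assigning the rule, verify against a test cluster whether a deployment that omits disableLocalAccounts entirely is also denied, since a missing property does not compare equal to "false".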

Summary

Unfortunately, how to query the available resource type aliases is a bit hidden in the Azure documentation.

-> https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-alias?WT.mc_id=AZ-MVP-5000119

Additionally, there is no list available in the documentation. Hence, you need to use either the Visual Studio Code Azure Policy extension, Azure PowerShell, the Azure CLI, or the REST API to retrieve it.
