Share via

Restrict Savings Plan creation outside specified subscription in Mgmt group via Azure Policy

Vishal P 0 Reputation points
2025-01-08T13:50:14.38+00:00

Using Terraform/Azure Policies, I want to restrict the creation of savings plans only to one of our subscriptions i.e Prod. We have more than 10 subscriptions in the tenant in different management groups.

Since Savings Plans don't have a straightforward path, I'm facing difficulties creating a policy for them.

Here's the policy I have so far:


resource "azurerm_policy_definition" "restrict_savings_plan" {
  name         = "restrict-savings-plan-creation"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Restrict Savings Plan Creation to Prod Subscription"

  policy_rule = <
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
944 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vidya Viraktamath 235 Reputation points Microsoft Employee
    2025-01-08T19:32:35.8233333+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    To restrict the creation of savings plans to only one subscription (Prod) using Terraform and Azure Policies, you can define a custom policy and assign it to the specific subscription. Here's how you can complete your policy definition:

    Policy Definition

    resource "azurerm_policy_definition" "restrict_savings_plan" {
  name         = "restrict-savings-plan-creation"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Restrict Savings Plan Creation to Prod Subscription"

  policy_rule = <<POLICY_RULE
  {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/savingsPlans"
        },
        {
          "not": {
            "field": "subscriptionId",
            "equals": "YOUR_PROD_SUBSCRIPTION_ID"
          }
        }
      ]
    },
    "then": {
      "effect": "Deny"
    }
  }
  POLICY_RULE
}

    Policy Assignment

    Next, you need to assign this policy to your management group or subscription. Here's an example of how to assign it to a management group:

    resource "azurerm_policy_assignment" "restrict_savings_plan_assignment" {
  name                 = "restrict-savings-plan-assignment"
  policy_definition_id = azurerm_policy_definition.restrict_savings_plan.id
  scope                = "/subscriptions/YOUR_PROD_SUBSCRIPTION_ID"
  display_name         = "Restrict Savings Plan Creation to Prod Subscription"
}

    Explanation

    • Policy Rule: The policy rule checks if the resource type is Microsoft.Compute/savingsPlans and if the subscription ID is not equal to your Prod subscription ID. If both conditions are met, the policy denies the creation of the savings plan.
    • Policy Assignment: The policy is assigned to the specific subscription (Prod) where you want to allow the creation of savings plans.

    Replace YOUR_PROD_SUBSCRIPTION_ID with the actual subscription ID of your Prod environment.

    By following these steps, you can restrict the creation of savings plans to only your Prod subscription. If you have any further questions or need additional assistance, feel free to ask!

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful

    0 comments
  2. Pavan Minukuri 1,025 Reputation points Microsoft Vendor
    2025-01-14T07:53:37.6066667+00:00

    Hi Vishal P
    To restrict the creation of Azure Savings Plans to a specific subscription (Prod) using Terraform and Azure Policies, define a custom policy that checks the resource type and subscription ID.
    Here’s how to define the policy to prevent the creation of Savings Plans outside your designated subscription.

    resource "azurerm_policy_definition" "restrict_savings_plan" {
  name         = "restrict-savings-plan-creation"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Restrict Savings Plan Creation to Prod Subscription"
  policy_rule = <<POLICY
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Billing/billingAccounts/savingsPlanOrders/savingsPlans"
      },
      {
        "not": {
          "field": "subscriptionId",
          "equals": "<YOUR_PROD_SUBSCRIPTION_ID>"
        }
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
POLICY
}

    The policy checks if the resource type is Microsoft.Billing/billingAccounts/savingsPlanOrders/savingsPlans.
    It ensures that the subscription ID is not equal to your production subscription ID (<YOUR_PROD_SUBSCRIPTION_ID>).

    Next, you need to assign this policy to the appropriate scope (which can be a management group or individual subscription):

    resource "azurerm_policy_assignment"
 "restrict_savings_plan_assignment" {
  name                 = "restrict-savings-plan-assignment"
  policy_definition_id = azurerm_policy_definition.restrict_savings_plan.id
  scope                = "/subscriptions/<YOUR_PROD_SUBSCRIPTION_ID>"
  display_name         = "Restrict Savings Plan Creation to Prod Subscription"
}

    Replace <YOUR_PROD_SUBSCRIPTION_ID> with the actual ID of your production subscription.

    Initialize Terraform and apply the configuration:

    terraform init
terraform apply

    This setup will deny attempts to create Savings Plans in subscriptions other than your specified production subscription, with a denial message for unauthorized attempts.
    Ensure your Azure account has sufficient permissions to create and assign policies and verify that the resource type and fields in the policy rule are correct to avoid unexpected behavior.

    Please let us know if you required anything

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.