Restrict Savings Plan creation outside specified subscription in Mgmt group via Azure Policy

Question

Using Terraform/Azure Policies, I want to restrict the creation of savings plans only to one of our subscriptions i.e Prod. We have more than 10 subscriptions in the tenant in different management groups.

Since Savings Plans don't have a straightforward path, I'm facing difficulties creating a policy for them.

Here's the policy I have so far:

resource "azurerm_policy_definition" "restrict_savings_plan" {
  name         = "restrict-savings-plan-creation"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Restrict Savings Plan Creation to Prod Subscription"

  policy_rule = <

Answer 1

Hi Vishal P

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

First, identify the resource provider and associated resource types for Savings Plans. If Azure offers a specific resource type for Savings Plans, you can target them directly.

Create a policy that blocks the creation of the identified resource types, unless the subscription is the one you wish to permit.

Assign this policy to the root management group or to all management groups, excluding the one that contains the Prod subscription.

resource "azurerm_policy_definition" "restrict_savings_plan" {
  name         = "restrict-savings-plan-creation"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Restrict Savings Plan Creation to Prod Subscription"
  description  = "This policy restricts the creation of Savings Plans to the designated Prod subscription."
  policy_rule = <<POLICY_RULE
  {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "<SavingsPlanResourceType>"
        },
        {
          "not": {
            "field": "subscriptionId",
            "equals": "<ProdSubscriptionId>"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
  POLICY_RULE
}
resource "azurerm_policy_assignment" "restrict_savings_plan_assignment" {
  name                 = "restrict-savings-plan-assignment"
  policy_definition_id = azurerm_policy_definition.restrict_savings_plan.id
  scope                = "/providers/Microsoft.Management/managementGroups/<ManagementGroupId>"
}

Replace <SavingsPlanResourceType> with the correct resource type for Savings Plans. You can check Azure's documentation or use Azure Resource Graph to find it.

Replace <ProdSubscriptionId> with the subscription ID for your production subscription, where Savings Plans are allowed.

Replace <ManagementGroupId> with the ID of the management group where you want to apply the policy, or use the tenant root for a broader scope.

Note:

If Azure doesn't provide a specific resource type for Savings Plans that can be controlled by policies, you can use alternatives like role-based access control (RBAC) or custom scripts to enforce the policy.

Make sure to test the policy in a non-production environment first to confirm it works as expected before applying it to the whole system.

let us know if any help, we will always help as you needed.!

Please do not forget to "Accept the answer” and upvote it wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Answer 2

Thanks for posting your question in the Microsoft Q&A forum.

To restrict the creation of savings plans to only one subscription (Prod) using Terraform and Azure Policies, you can define a custom policy and assign it to the specific subscription. Here's how you can complete your policy definition:

Policy Definition

resource "azurerm_policy_definition" "restrict_savings_plan" {
  name         = "restrict-savings-plan-creation"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Restrict Savings Plan Creation to Prod Subscription"

  policy_rule = <<POLICY_RULE
  {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/savingsPlans"
        },
        {
          "not": {
            "field": "subscriptionId",
            "equals": "YOUR_PROD_SUBSCRIPTION_ID"
          }
        }
      ]
    },
    "then": {
      "effect": "Deny"
    }
  }
  POLICY_RULE
}

Policy Assignment

Next, you need to assign this policy to your management group or subscription. Here's an example of how to assign it to a management group:

resource "azurerm_policy_assignment" "restrict_savings_plan_assignment" {
  name                 = "restrict-savings-plan-assignment"
  policy_definition_id = azurerm_policy_definition.restrict_savings_plan.id
  scope                = "/subscriptions/YOUR_PROD_SUBSCRIPTION_ID"
  display_name         = "Restrict Savings Plan Creation to Prod Subscription"
}

Explanation

• Policy Rule: The policy rule checks if the resource type is Microsoft.Compute/savingsPlans and if the subscription ID is not equal to your Prod subscription ID. If both conditions are met, the policy denies the creation of the savings plan.
• Policy Assignment: The policy is assigned to the specific subscription (Prod) where you want to allow the creation of savings plans.

Replace YOUR_PROD_SUBSCRIPTION_ID with the actual subscription ID of your Prod environment.

By following these steps, you can restrict the creation of savings plans to only your Prod subscription. If you have any further questions or need additional assistance, feel free to ask!

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful

Answer 3

Hi Vishal P
To restrict the creation of Azure Savings Plans to a specific subscription (Prod) using Terraform and Azure Policies, define a custom policy that checks the resource type and subscription ID.
Here’s how to define the policy to prevent the creation of Savings Plans outside your designated subscription.

resource "azurerm_policy_definition" "restrict_savings_plan" {
  name         = "restrict-savings-plan-creation"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Restrict Savings Plan Creation to Prod Subscription"
  policy_rule = <<POLICY
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Billing/billingAccounts/savingsPlanOrders/savingsPlans"
      },
      {
        "not": {
          "field": "subscriptionId",
          "equals": "<YOUR_PROD_SUBSCRIPTION_ID>"
        }
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
POLICY
}

The policy checks if the resource type is Microsoft.Billing/billingAccounts/savingsPlanOrders/savingsPlans.
It ensures that the subscription ID is not equal to your production subscription ID (<YOUR_PROD_SUBSCRIPTION_ID>).

Next, you need to assign this policy to the appropriate scope (which can be a management group or individual subscription):

resource "azurerm_policy_assignment"
 "restrict_savings_plan_assignment" {
  name                 = "restrict-savings-plan-assignment"
  policy_definition_id = azurerm_policy_definition.restrict_savings_plan.id
  scope                = "/subscriptions/<YOUR_PROD_SUBSCRIPTION_ID>"
  display_name         = "Restrict Savings Plan Creation to Prod Subscription"
}

Replace <YOUR_PROD_SUBSCRIPTION_ID> with the actual ID of your production subscription.

Initialize Terraform and apply the configuration:

terraform init
terraform apply

This setup will deny attempts to create Savings Plans in subscriptions other than your specified production subscription, with a denial message for unauthorized attempts.
Ensure your Azure account has sufficient permissions to create and assign policies and verify that the resource type and fields in the policy rule are correct to avoid unexpected behavior.

Please let us know if you required anything