Azure-docs: Impact on existing resources?

Created on 20 Mar 2020 · 3 Comments · Source: MicrosoftDocs/azure-docs

The page talks about audit and remediation but where is the information on the impact of resources? If you apply a no allow on /VirtualMachines will the machines in that RG be de-allocated? Thanks in advance.



Pri2 assigned-to-author azure-policsvc product-question triaged

All 3 comments

@Aus-A-Lot Thanks for the question! As this article mentions in the intro, Policy evaluates _create_ and _update_ requests to perform the _effect_ defined in the policy definition on them. Information on how each effect impacts the request is on the effects page. Each effect explains how it handles a _create_ (PUT) or _update_ (PATCH) call to Azure and also how the evaluation cycle of existing resources affects their compliance.

Short answer: No, a Deny policy effect won't de-allocate existing resources. It rejects requests on _create_ or _update_ based on the policy definition. Existing non-compliant resources are marked as just that, _Non-compliant_. If the resource is _Non-compliant_ to a Modify or DeployIfNotExists policy definition, then it can use Remediation tasks to adjust existing resources.

Thanks for the question!

@MicrosoftDocs/azure-cxp-triage Please label 'product-question' and #please-close.
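
A policy definition of the kind the question describes, added here as an illustration; it is not from the issue thread or the linked article, and the display name, description and parameterised effect are assumptions. Assigned with `Deny`, it rejects new create or update requests for virtual machines in scope while existing VMs keep running and are reported as Non-compliant; assigned with `Audit`, it reports the same existing VMs without rejecting any request.

```json
{
  "properties": {
    "displayName": "Example (constructed): restrict virtual machines",
    "description": "Illustrative definition, not a built-in policy. Evaluated on create (PUT) and update (PATCH) requests and during the compliance scan of existing resources.",
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```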

Thanks so much for the quick and clear answer! That helped a lot.
