Azure DevTest Labs Policies

Azure DevTest Labs offers a powerful cloud-based development workstation environment and is a great alternative to a local development workstation or laptop for software development. This blog post is not so much about the benefits of DevTest Labs as about how to create policies for DevTest Labs using Bicep. Although there is good support for deploying DevTest Labs with Bicep, there is little to no documentation on creating policies for DevTest Labs in Bicep. In this blog post, we will focus on how to create those policies in Bicep.

A Brief Overview of Azure DevTest Labs

Azure DevTest Labs is a managed service that enables developers to quickly create, manage, and share development and test environments. It provides a range of features and tools designed to streamline the development process, minimize costs, and improve overall productivity. By leveraging the power of the cloud, developers can easily spin up virtual machines (VMs) pre-configured with the necessary tools, frameworks, and software needed for their projects.

Existing Documentation Limitations

While the existing documentation covers various aspects of Azure DevTest Labs, it lacks clear guidance on setting up policies with DevTest Labs in Bicep. This blog post aims to address that gap by providing a Bicep script for creating a DevTest Lab and applying policies to it. Shout out to my colleague Illian Y for persisting, not giving up, finding a way around undocumented features, and showing me.

Existing Documentation For Creating a DevTest Lab

The existing documentation for creating a DevTest Lab is pretty good, but when it comes to creating policies for DevTest Lab this is where the documentation falls short. The documentation does not provide a Bicep script for creating policies for DevTest Labs.

Vanilla DevTest Lab

resource lab 'Microsoft.DevTestLab/labs@2018-09-15' = {
  name: 'testLab'
  location: 'australiacentral'
  tags: {
    tagName1: 'test-tag'
    tagName2: 'test-tag1'
  }
  properties: {
    environmentPermission: 'Contributor'
    labStorageType: 'Premium'
    mandatoryArtifactsResourceIdsLinux: []
    mandatoryArtifactsResourceIdsWindows: []
    premiumDataDisks: 'Disabled'
    announcement: {
      enabled: 'Disabled'
      expired: false
    }
    support: {
      enabled: 'Enabled'
      markdown: 'Test'
    }
  }
}

Creating Policies for DevTest Labs in Bicep

The documentation lists all the possible policies that can be created under the factName property in PolicyProperties.

Below is a list of three of those policies that can be created in Bicep.

  • Allowed VM Sizes
  • Allowed VMs Per User
  • Allowed Premium SSD Per User

Linking the policies to the DevTest Labs

This is the important glue that is missing from the documentation: how to link the policies to the DevTest Lab. The way to do this is to declare a policySetParent resource that references the lab's 'default' policy set, with the lab as its parent. The policySetParent resource is then used as the parent for each policy.

resource policySetParent 'Microsoft.DevTestLab/labs/policysets@2018-09-15' existing = {
  parent: lab
  name: 'default'
}

Allowed VM Sizes

resource allowedVmSizesPolicies 'Microsoft.DevTestLab/labs/policysets/policies@2018-09-15' = {
  name: 'allowedVmSizesPolicy'
  // requires a location parameter (e.g. `param location string`) declared in the same file
  location: location
  parent: policySetParent
  properties: {
    evaluatorType: 'AllowedValuesPolicy'
    factName: 'LabVmSize'
    status: 'Enabled'
    // the threshold is a string holding a JSON array of the allowed sizes
    threshold: '["Standard_D4_v2","Standard_E4_v2"]'
  }
}

Allowed VMs Per User

resource allowedVmsPerUserPolicies 'Microsoft.DevTestLab/labs/policysets/policies@2018-09-15' = {
  name: 'allowedVmsPerUserPolicy'
  // requires a location parameter (e.g. `param location string`) declared in the same file
  location: location
  parent: policySetParent
  properties: {
    evaluatorType: 'MaxValuePolicy'
    factName: 'UserOwnedLabVmCount'
    status: 'Enabled'
    // the threshold is a string holding the maximum count
    threshold: '4'
  }
}

Allowed Premium SSD Per User

resource allowedPremiumSSDPerUserPolicies 'Microsoft.DevTestLab/labs/policysets/policies@2018-09-15' = {
  name: 'allowedPremiumSSDPerUserPolicy'
  // requires a location parameter (e.g. `param location string`) declared in the same file
  location: location
  parent: policySetParent
  properties: {
    evaluatorType: 'MaxValuePolicy'
    factName: 'UserOwnedLabPremiumVmCount'
    status: 'Enabled'
    // the threshold is a string holding the maximum count
    threshold: '4'
  }
}
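
The three policies above can also be driven from typed parameters and deployed with a single resource loop, so that the string encoding of each threshold is done in one place. This is an added example, not code from the original post; the parameter names, their defaults, the `policies` variable and the `labPolicies` symbol are assumptions, and the lab is assumed to exist already.

```bicep
// Added example: parameter names and defaults below are assumptions, not from the post.
param labName string = 'testLab'
param location string = 'australiacentral'
param allowedVmSizes array = ['Standard_D4_v2', 'Standard_E4_v2']
param maxVmsPerUser int = 4
param maxPremiumVmsPerUser int = 4

resource lab 'Microsoft.DevTestLab/labs@2018-09-15' existing = {
  name: labName
}

resource policySetParent 'Microsoft.DevTestLab/labs/policysets@2018-09-15' existing = {
  parent: lab
  name: 'default'
}

// threshold is always a string: string() renders the array as JSON text
// for AllowedValuesPolicy and the integers as digits for MaxValuePolicy.
var policies = [
  {
    name: 'allowedVmSizesPolicy'
    evaluatorType: 'AllowedValuesPolicy'
    factName: 'LabVmSize'
    threshold: string(allowedVmSizes)
  }
  {
    name: 'allowedVmsPerUserPolicy'
    evaluatorType: 'MaxValuePolicy'
    factName: 'UserOwnedLabVmCount'
    threshold: string(maxVmsPerUser)
  }
  {
    name: 'allowedPremiumSSDPerUserPolicy'
    evaluatorType: 'MaxValuePolicy'
    factName: 'UserOwnedLabPremiumVmCount'
    threshold: string(maxPremiumVmsPerUser)
  }
]
resource labPolicies 'Microsoft.DevTestLab/labs/policysets/policies@2018-09-15' = [for policy in policies: {
  parent: policySetParent
  name: policy.name
  location: location
  properties: {
    evaluatorType: policy.evaluatorType
    factName: policy.factName
    status: 'Enabled'
    threshold: policy.threshold
  }
}]
```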

Author

Ricky Gummadi

Posted on

2023-02-01

Updated on

2023-05-22