There is 1 policy definition on Managed Identity in Azure for Container Apps.
Just curious how this built-in policy applies, as I am new to policies. Can someone help with how to use it, or demonstrate a configuration showing how to assign the policy definition and use it in the Container Apps service? Thank you, and looking for the experts here.
To apply the built-in Azure Policy "Managed Identity should be enabled for Container Apps", follow these steps to ensure that all Container Apps in your specified scope have Managed Identity enabled.
In the portal search bar, type Policy; in the left-side column, look for Definitions, and under Definitions search for "Managed Identity should be enabled for Container Apps".
You can also use the CLI:
az policy definition list --query "[?contains(displayName, 'Managed Identity should be enabled for Container Apps')]" -o table
Assign the policy to your target scope, for example the resource group under which you will deploy your ACA:
az policy assignment create \
  --name $POLICY_NAME \
  --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP" \
  --policy $POLICY_ID
Done. You can validate this by deploying a test Container App.
Let's say this one is non-compliant and another is compliant. The policy should now tell you whether it's non-compliant:
az containerapp create \
--name test-noncompliant-app \
--resource-group <your-resource-group-name> \
--environment <your-container-app-environment-name> \
--image mcr.microsoft.com/azuredocs/containerapps-helloworld:latest
Now check: trigger a fresh scan.
az policy state trigger-scan --resource-group $RESOURCE_GROUP
Let it run. Once you get the prompt back, check:
az policy state list \
--filter "policyAssignmentName eq '$POLICY_NAME'" \
--query "[?complianceState=='NonCompliant'].{Resource: resourceId, Compliance: complianceState}" \
-o table
You can check the same from the portal as well.
You can even prevent non-compliant resources from being created by enabling enforcement mode. Check out the tutorial "Create and manage policies to enforce compliance" and the MS Docs.
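Added example, not part of the answer above and not Microsoft's policy code: a small Python script that mirrors the intent of the policy locally (a Container App counts as compliant when its `identity.type` is SystemAssigned, UserAssigned, or both; this is an assumption about the policy's purpose, not its exact definition JSON) and that replicates the answer's `--filter`/`--query` on the JSON form of `az policy state list` output. The resource documents and policy-state records are constructed samples shaped like `az containerapp show -o json` and `az policy state list -o json`, so the script runs offline; in practice you would feed it the real JSON, for example as a pre-deployment gate in CI before the policy scan runs in Azure.

```python
"""Local check mirroring "Managed Identity should be enabled for Container Apps".

Assumptions (not taken from the policy definition itself):
  - compliant  : identity.type contains SystemAssigned and/or UserAssigned
  - non-compliant: identity missing, or identity.type == "None"
All sample data below is constructed for illustration.
"""
import json
from typing import Iterable

CONTAINER_APP_TYPE = "microsoft.app/containerapps"
COMPLIANT_IDENTITY_TYPES = {"systemassigned", "userassigned"}


def has_managed_identity(resource: dict) -> bool:
    """True if the ARM resource carries a system- or user-assigned identity."""
    identity = resource.get("identity") or {}
    id_type = str(identity.get("type") or "None")
    # Both identities may be combined as "SystemAssigned,UserAssigned"
    # (sometimes with a space after the comma), so split and normalise.
    parts = {p.strip().lower() for p in id_type.split(",")}
    return bool(parts & COMPLIANT_IDENTITY_TYPES)


def evaluate(resources: Iterable[dict]) -> dict:
    """Map each Container App name to 'Compliant' / 'NonCompliant'.

    Resources of other types are ignored, as the policy only targets
    Microsoft.App/containerApps.
    """
    results = {}
    for r in resources:
        if str(r.get("type", "")).lower() != CONTAINER_APP_TYPE:
            continue
        results[r["name"]] = "Compliant" if has_managed_identity(r) else "NonCompliant"
    return results


def noncompliant_from_policy_states(states: Iterable[dict], assignment_name: str) -> list:
    """Same selection as the answer's --filter and --query, applied to JSON output."""
    return sorted(
        s["resourceId"]
        for s in states
        if s.get("policyAssignmentName") == assignment_name
        and s.get("complianceState") == "NonCompliant"
    )


# Constructed sample resources (shape of `az containerapp show -o json`).
SAMPLE_RESOURCES = [
    {"name": "test-noncompliant-app", "type": "Microsoft.App/containerApps",
     "identity": {"type": "None"}},
    {"name": "test-compliant-app", "type": "Microsoft.App/containerApps",
     "identity": {"type": "SystemAssigned", "principalId": "00000000-0000-0000-0000-000000000000"}},
    {"name": "both-identities-app", "type": "Microsoft.App/containerApps",
     "identity": {"type": "SystemAssigned, UserAssigned"}},
    {"name": "no-identity-block-app", "type": "Microsoft.App/containerApps"},
    {"name": "my-env", "type": "Microsoft.App/managedEnvironments"},
]

# Constructed sample policy states (shape of `az policy state list -o json`).
SAMPLE_POLICY_STATES = [
    {"policyAssignmentName": "aca-managed-identity", "complianceState": "NonCompliant",
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.App/containerApps/test-noncompliant-app"},
    {"policyAssignmentName": "aca-managed-identity", "complianceState": "Compliant",
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.App/containerApps/test-compliant-app"},
    {"policyAssignmentName": "some-other-assignment", "complianceState": "NonCompliant",
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.App/containerApps/unrelated-app"},
]


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_RESOURCES), indent=2))
    print(noncompliant_from_policy_states(SAMPLE_POLICY_STATES, "aca-managed-identity"))
```

A missing `identity` block is treated the same as `"type": "None"`, which is the case that is easy to overlook when reviewing templates by eye; the environment resource is skipped because the policy's scope is Container Apps only.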