With Azure Blueprints (preview) you can add artifacts to a Blueprint definition and apply them to your subscription - including required Azure Policies, role-based access control assignments, resource groups and Azure Resource Manager templates. With some Azure Policies, you can specify certain conditions (known as parameters), allowing you to use the same base policy definition but enforce or audit different values. For example, you might want to restrict one subscription to only allow resources in US Azure regions, and another subscription to only Australian Azure regions, if you have workloads or business departments with specific geographical limitations for compliance reasons.
When we use Azure Blueprints to apply Azure Policy, we can set parameters there instead. I investigated the behaviour of changing Azure Policy parameters, and how to update them if they had previously been applied.
Scenario 1: Blueprint definition - Azure Policy with no parameters
For this scenario, I created an Azure Blueprint and added the policy "Allowed locations", but did not configure any parameters. I then saved and published the Blueprint.
No Azure Policy parameters set in the Blueprint definition
Then when I assigned the Blueprint to my subscription, I set the allowed locations policy parameters to only allow the Australia regions. (This is setting the parameters on Blueprint assignment)
To add other regions so they are allowed too, I go back to Blueprints, right-click and choose Update Assignment.
Now I can choose new parameter values and select Assign.
Note: This does not update the Blueprint version and I can't add a note to say I updated the parameters.
Scenario 2: Blueprint definition - Azure Policy with defined parameters
For the next scenario, I created a Blueprint, added the Allowed locations policy, and set the policy parameters to only allow the Australia regions. Then I saved, published and assigned the Blueprint to my subscription.
(This is setting the parameters in the Blueprint definition)
Working as expected with only Australia regions allowed
With this scenario, to add additional locations I need to edit the Blueprint definition, edit the allowed locations Azure Policy artifact, then save the Blueprint definition. This saves it as a Draft and shows I have unpublished changes. Then I need to publish the Blueprint, which forces me to update the version number; adding notes on what I changed is recommended but optional.
Next, I need to update the assignment of the Blueprint to my subscription, where I can pick the newly published version number.
Scenario 3: Blueprint definition - Azure Initiative with defined parameters
For my final scenario, I created an Azure Policy Initiative. This allows me to bundle more than one Azure Policy together (useful for checking compliance) and requires me to set parameters in the Policy Initiative. They can be initiative parameters (values used by more than one policy in the initiative) or policy parameters set for each individual policy.
In my policy initiative, I added the allowed locations policy and set the policy parameters to Australia regions. Then I created a Blueprint, added the Policy Initiative, published the Blueprint and assigned it to my subscription.
(This is setting the parameters in an Azure Policy Initiative)
Azure Policy parameters in a Policy Initiative
Here, I need to edit the policy initiative to add new allowed regions, THEN I need to update the Blueprint assignment. I don't have to change the Blueprint definition, since it references the policy initiative, but that also means I haven't updated the Blueprint version or added any change notes.
Instead, I could edit the Blueprint definition without making any changes, still save it, publish it as a new version, and then update the assignment to that new version. This process does work when you have changed a policy initiative definition, and it gives you the versioning functionality.
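To make the three parameter placements concrete, here is an added Python pre-flight check (example code written for this page, not a script from the post or from Microsoft). It models the JSON shapes Azure uses for a Blueprint policyAssignment artifact, a Blueprint assignment and a Policy Initiative (policy set definition), resolves the `[parameters('...')]` references the way each of the three scenarios does, and reports any region a proposed Update Assignment would allow outside the approved Australian set. The built-in policy definition GUIDs are assumed to be the real ones for "Allowed locations" and "Allowed locations for resource groups" (they do not appear in the post); the documents themselves are constructed samples.

```python
"""Pre-flight check for Azure Policy parameters applied through Azure Blueprints.

Resolves the values the "Allowed locations" policy will actually enforce for each
place the parameters can live (Blueprint assignment, Blueprint definition, Policy
Initiative) and flags regions a proposed update would allow beyond the compliance
boundary. All JSON documents are constructed for the example, not exported from Azure.
"""
import re

# Assumption: real built-in GUIDs for "Allowed locations" and "Allowed locations
# for resource groups"; neither ID appears in the post.
POLICY_PREFIX = "/providers/Microsoft.Authorization/policyDefinitions/"
ALLOWED_LOCATIONS = POLICY_PREFIX + "e56962a6-4747-49cd-b67b-bf8b01975c4c"
ALLOWED_RG_LOCATIONS = POLICY_PREFIX + "e765b5de-1225-4ba3-bd56-1ac6a3d6b03c"

AUSTRALIA = ["australiaeast", "australiasoutheast"]
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, supplied, declared=None):
    """Resolve a "[parameters('name')]" expression; literal values pass through.
    `supplied` is an assignment's {"name": {"value": ...}} map, `declared` the
    definition's parameter declarations (source of defaultValue). A reference
    with neither is the case where the real assignment would be rejected."""
    if not isinstance(value, str) or not (match := PARAM_REF.match(value)):
        return value
    name = match.group(1)
    if name in supplied:
        return supplied[name]["value"]
    default = (declared or {}).get(name, {}).get("defaultValue")
    if default is None:
        raise KeyError(f"parameter '{name}' is referenced but never supplied")
    return default


def effective_artifact_parameters(blueprint, artifact, assignment):
    """Scenarios 1 and 2: a policyAssignment artifact either hard-codes the value
    (set in the definition) or references a Blueprint parameter the assignment fills."""
    return {
        name: resolve(param["value"], assignment["properties"]["parameters"],
                      blueprint["properties"]["parameters"])
        for name, param in artifact["properties"]["parameters"].items()
    }


def effective_initiative_parameters(initiative, assignment_params):
    """Scenario 3: each policy reference carries a literal or forwards an
    initiative-level parameter, which is how several policies share one value."""
    declared = initiative["properties"].get("parameters", {})
    return {
        ref["policyDefinitionReferenceId"]: {
            name: resolve(param["value"], assignment_params, declared)
            for name, param in ref.get("parameters", {}).items()
        }
        for ref in initiative["properties"]["policyDefinitions"]
    }


def outside_boundary(locations, approved):
    """Regions an update would newly allow outside the approved set; an empty
    list means the change keeps the geographic restriction intact."""
    return sorted(set(locations) - set(approved))


# Scenario 1: the artifact references a Blueprint parameter, filled at assignment.
BLUEPRINT_S1 = {"properties": {"parameters": {"allowedLocations": {
    "type": "array", "metadata": {"displayName": "Allowed locations"}}}}}
ARTIFACT_S1 = {"kind": "policyAssignment", "properties": {
    "policyDefinitionId": ALLOWED_LOCATIONS,
    "parameters": {"listOfAllowedLocations": {"value": "[parameters('allowedLocations')]"}}}}
ASSIGNMENT_S1 = {"properties": {"parameters": {"allowedLocations": {"value": AUSTRALIA}}}}

# Scenario 2: the value is baked into the artifact; the assignment supplies none.
BLUEPRINT_S2 = {"properties": {"parameters": {}}}
ARTIFACT_S2 = {"kind": "policyAssignment", "properties": {
    "policyDefinitionId": ALLOWED_LOCATIONS,
    "parameters": {"listOfAllowedLocations": {"value": AUSTRALIA}}}}
ASSIGNMENT_S2 = {"properties": {"parameters": {}}}

# Scenario 3: one initiative parameter with a default feeds two policies.
INITIATIVE_S3 = {"properties": {
    "parameters": {"allowedLocations": {"type": "Array", "defaultValue": AUSTRALIA}},
    "policyDefinitions": [
        {"policyDefinitionReferenceId": "resources",
         "policyDefinitionId": ALLOWED_LOCATIONS,
         "parameters": {"listOfAllowedLocations": {"value": "[parameters('allowedLocations')]"}}},
        {"policyDefinitionReferenceId": "resourceGroups",
         "policyDefinitionId": ALLOWED_RG_LOCATIONS,
         "parameters": {"listOfAllowedLocations": {"value": "[parameters('allowedLocations')]"}}}]}}

if __name__ == "__main__":
    print("S1", effective_artifact_parameters(BLUEPRINT_S1, ARTIFACT_S1, ASSIGNMENT_S1))
    print("S2", effective_artifact_parameters(BLUEPRINT_S2, ARTIFACT_S2, ASSIGNMENT_S2))
    print("S3", effective_initiative_parameters(INITIATIVE_S3, {}))
    # A proposed Update Assignment that adds a US region is caught before assigning.
    proposed = {"allowedLocations": {"value": AUSTRALIA + ["eastus"]}}
    widened = effective_initiative_parameters(INITIATIVE_S3, proposed)
    print("outside boundary:", outside_boundary(widened["resources"]["listOfAllowedLocations"], AUSTRALIA))
```

Because the Scenario 1 and Scenario 3 routes leave no new Blueprint version or change note behind, running a check like this over the exported assignment JSON before selecting Assign, and keeping that JSON alongside the result, gives you the audit trail the portal does not.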
Changing Azure Policy parameters and applying them with Azure Blueprints varies depending on where you set the parameters - in the Blueprint definition, on Blueprint assignment or in an Azure Policy Initiative. In general, Azure Blueprints reads and applies policy parameters when the assignment is updated.