Add Payg-SQLArc policy

Author: Alexander (Sasha) Nosov

samples/manage/azure-arc-enabled-sql-server/monitor-compliance/README.md

@@ -0,0 +1,69 @@
+# Paygo-SQLArc (Windows only)
+
+This Azure Policy ensures that all SQL Arc servers using `LicenseType = Paid` are marked as non-compliant. Servers with `LicenseType = LicenseOnly` are treated as compliant. The remediated task sets `LicenseType = PAYG`.
+
+Use Azure CLI or PowerShell to create the policy definition:
+
+## Artifacts
+
+- **policy.json**: Main policy definition referencing external parameter and rule files.
+- **params.json**: Defines policy parameters.
+- **rules.json**: Contains the policy rule logic.
+
+## Create policy
+Use the following command to create policy
+
+```bash
+
+#!/bin/bash
+
+az policy definition create \
+  --name "Paygo-SQLArc" \
+  --display-name "Paygo-SQLArc" \
+  --description "This Azure Policy ensures that all SQL Arc servers using LicenseType = Paid are marked as non-compliant. Servers with LicenseType = LicenseOnly are treated as compliant. The remediated task sets LicenseType = PAYG." \
+  --rules @rules.json \
+  --params @params.json \
+  --mode Indexed \
+  --subscription "<your-subscription-id>"\
+```
+
+## Assign policy
+
+Use the following command to assign policy
+
+```bash
+#!/bin/bash
+
+# Set variables
+SUB_ID="<your-subscription-id>"
+RG_NAME="<your-resoure-group>" # optional
+SCOPE="/subscriptions/$SUB_ID/resourceGroups/$RG_NAME"
+LOCATION="<your-azure-region>"
+
+# Create policy assignment
+az policy assignment create \
+  --name "Paygo-SQLArc-Assign" \
+  --policy "Paygo-SQLArc" \
+  --scope "$SCOPE" \
+  --params '{ "effect": { "value": "DeployIfNotExists" } }' \
+  --mi-system-assigned \
+  --role "Contributor" \
+  --identity-scope "$SCOPE" \
+  --location "$LOCATION"
+```
+
+## Create remediation task
+
+Us the following command to create a remediation task
+
+```bash
+#!/bin/bash
+
+RG_NAME="<your-resoure-group>"
+
+az policy remediation create \
+  --name "Remediate-Paygo-SQLArc" \
+  --policy-assignment "Paygo-SQLArc-Assign" \
+  --resource-group "$RG_NAME" \
+  --resource-discovery-mode ReEvaluateCompliance
+```

samples/manage/azure-arc-enabled-sql-server/monitor-compliance/arc-sql-payg-compliance/params.json

@@ -0,0 +1,14 @@
+{
+  "effect": {
+    "type": "String",
+    "metadata": {
+      "displayName": "Effect",
+      "description": "Enable or disable the execution of the policy."
+    },
+    "allowedValues": [
+      "DeployIfNotExists",
+      "Disabled"
+    ],
+    "defaultValue": "DeployIfNotExists"
+  }
+}

samples/manage/azure-arc-enabled-sql-server/monitor-compliance/arc-sql-payg-compliance/policy.json

@@ -0,0 +1,14 @@
+{
+  "properties": {
+    "displayName": "Paygo-SQLArc (Windows only)",
+    "policyType": "Custom",
+    "mode": "Indexed",
+    "description": "Policy to replace all SQL Arc server that use License type = 'Paid' with License type = 'PAYG'. Treat License type = 'LicenseOnly' as compliant",
+    "metadata": {
+      "category": "SQLArc",
+      "version": "1.0.0"
+    },
+    "parameters": "./params.json",
+    "policyRule": "./rules.json"
+  }
+}

samples/manage/azure-arc-enabled-sql-server/monitor-compliance/arc-sql-payg-compliance/rules.json

@@ -0,0 +1,98 @@
+{
+  "if": {
+    "allOf": [
+      {
+        "equals": "Microsoft.HybridCompute/machines/extensions",
+        "field": "type"
+      },
+      {
+        "equals": "Microsoft.AzureData",
+        "field": "Microsoft.HybridCompute/machines/extensions/publisher"
+      },
+      {
+        "equals": "WindowsAgent.SqlServer",
+        "field": "Microsoft.HybridCompute/machines/extensions/type"
+      }
+    ]
+  },
+  "then": {
+    "effect": "[parameters('effect')]",
+    "details": {
+      "type": "Microsoft.HybridCompute/machines/extensions",
+      "roleDefinitionIds": [
+        "/providers/Microsoft.Authorization/roleDefinitions/7392c568-9289-4bde-aaaa-b7131215889d",
+        "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
+      ],
+      "name": "[field('fullName')]",
+      "existenceCondition": {
+        "anyOf": [
+          {
+            "equals": "[string(createObject('LicenseType','PAYG'))]",
+            "value": "[string(intersection(if(empty(field('Microsoft.HybridCompute/machines/extensions/settings')), createObject(), field('Microsoft.HybridCompute/machines/extensions/settings')), createObject('LicenseType','PAYG')))]"
+          },
+          {
+            "equals": "[string(createObject('LicenseType','LicenseOnly'))]",
+            "value": "[string(intersection(if(empty(field('Microsoft.HybridCompute/machines/extensions/settings')), createObject(), field('Microsoft.HybridCompute/machines/extensions/settings')), createObject('LicenseType','LicenseOnly')))]"
+          }
+        ]
+      },
+      "evaluationDelay": "AfterProvisioningSuccess",
+      "deployment": {
+        "properties": {
+          "mode": "incremental",
+          "template": {
+            "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+            "contentVersion": "1.0.0.0",
+            "parameters": {
+              "extensionName": {
+                "type": "string"
+              },
+              "vmLocation": {
+                "type": "string"
+              },
+              "agentName": {
+                "type": "string"
+              },
+              "existingSettings": {
+                "type": "object"
+              }
+            },
+            "variables": {
+              "vmExtensionPublisher": "Microsoft.AzureData",
+              "updatedSettings": {
+                "LicenseType": "PAYG"
+              }
+            },
+            "resources": [
+              {
+                "name": "[parameters('extensionName')]",
+                "type": "Microsoft.HybridCompute/machines/extensions",
+                "location": "[parameters('vmLocation')]",
+                "apiVersion": "2022-11-10",
+                "properties": {
+                  "publisher": "[variables('vmExtensionPublisher')]",
+                  "type": "[parameters('agentName')]",
+                  "settings": "[union(parameters('existingSettings'), variables('updatedSettings'))]"
+                }
+              }
+            ]
+          },
+          "parameters": {
+            "extensionName": {
+              "value": "[field('fullName')]"
+            },
+            "vmLocation": {
+              "value": "[field('location')]"
+            },
+            "agentName": {
+              "value": "[field('name')]"
+            },
+            "existingSettings": {
+              "value": "[field('Microsoft.HybridCompute/machines/extensions/settings')]"
+            }
+          }
+        }
+      }
+    }
+  }
+}

samples/manage/azure-hybrid-benefit/modify-license-type/ModifiedResources_20251013_203148.csv

@@ -0,0 +1,6 @@
+"TenantID","SubID","ResourceName","ResourceType","Status","OriginalLicenseType","ResourceGroup","Location"
+"72f988bf-86f1-41af-91ab-2d7cd011db47","fa58cf66-caaf-4ba9-875d-f310d3694845","SQL2012EEArc","Microsoft.SqlVirtualMachine/sqlVirtualMachines","VM running","AHUB","ajayj","westus2"
+"72f988bf-86f1-41af-91ab-2d7cd011db47","fa58cf66-caaf-4ba9-875d-f310d3694845","SQL2022EE","Microsoft.SqlVirtualMachine/sqlVirtualMachines","VM running","AHUB","ajayj","westus2"
+"72f988bf-86f1-41af-91ab-2d7cd011db47","fa58cf66-caaf-4ba9-875d-f310d3694845","sql2025devstd","Microsoft.SqlVirtualMachine/sqlVirtualMachines","VM running","AHUB","ajayj","westus2"
+"72f988bf-86f1-41af-91ab-2d7cd011db47","fa58cf66-caaf-4ba9-875d-f310d3694845","ajayjsqlmi","Microsoft.Sql/managedInstances","Ready","BasePrice","ajayj","westus2"
+"72f988bf-86f1-41af-91ab-2d7cd011db47","fa58cf66-caaf-4ba9-875d-f310d3694845","AdventureworksLT","Microsoft.Sql/servers/databases","Online","BasePrice","ajayj","westus2"

samples/manage/azure-hybrid-benefit/modify-license-type/ModifiedResources_20251013_210723.csv

@@ -0,0 +1,8 @@
+"TenantID","SubID","ResourceName","ResourceType","Status","OriginalLicenseType","ResourceGroup","Location"
+"72f988bf-86f1-41af-91ab-2d7cd011db47","fa58cf66-caaf-4ba9-875d-f310d3694845","SQL2019Arc","Microsoft.SqlVirtualMachine/sqlVirtualMachines","VM running","PAYG","ajayj","westus2"
+"72f988bf-86f1-41af-91ab-2d7cd011db47","fa58cf66-caaf-4ba9-875d-f310d3694845","sql2022rtmdev","Microsoft.SqlVirtualMachine/sqlVirtualMachines","VM running","PAYG","ajayj","westus2"
+"72f988bf-86f1-41af-91ab-2d7cd011db47","fa58cf66-caaf-4ba9-875d-f310d3694845","sqldbmi2","Microsoft.Sql/managedInstances","Ready","LicenseIncluded","ajayj","westus"
+"72f988bf-86f1-41af-91ab-2d7cd011db47","fa58cf66-caaf-4ba9-875d-f310d3694845","sqldbmi1","Microsoft.Sql/managedInstances","Ready","LicenseIncluded","ajayj","westus"
+"72f988bf-86f1-41af-91ab-2d7cd011db47","fa58cf66-caaf-4ba9-875d-f310d3694845","AlwaysEncrypted","Microsoft.Sql/servers/databases","Online","LicenseIncluded","ajayj","westcentralus"
+"72f988bf-86f1-41af-91ab-2d7cd011db47","fa58cf66-caaf-4ba9-875d-f310d3694845","dbmirroringspn","Microsoft.Sql/servers/databases","Online","LicenseIncluded","ajayj","westus2"
+"72f988bf-86f1-41af-91ab-2d7cd011db47","fa58cf66-caaf-4ba9-875d-f310d3694845","dbmirrortest","Microsoft.Sql/servers/databases","Online","LicenseIncluded","ajayj","westus2"

samples/manage/azure-hybrid-benefit/modify-license-type/ModifiedResources_20251013_211053.csv

@@ -0,0 +1,2 @@
+"TenantID","SubID","ResourceName","ResourceType","Status","OriginalLicenseType","ResourceGroup","Location"
+"72f988bf-86f1-41af-91ab-2d7cd011db47","fa58cf66-caaf-4ba9-875d-f310d3694845","SQL2019Arc","Microsoft.SqlVirtualMachine/sqlVirtualMachines","VM running","PAYG","ajayj","westus2"

samples/manage/azure-hybrid-benefit/modify-license-type/ModifiedResources_20251013_213825.csv

@@ -0,0 +1,2 @@
+"TenantID","SubID","ResourceName","ResourceType","Status","OriginalLicenseType","ResourceGroup","Location"
+"72f988bf-86f1-41af-91ab-2d7cd011db47","fa58cf66-caaf-4ba9-875d-f310d3694845","SQL2019Arc","Microsoft.SqlVirtualMachine/sqlVirtualMachines","VM running","PAYG","ajayj","westus2"

samples/manage/azure-hybrid-benefit/modify-license-type/Paygo-SQLArc.json

@@ -111,7 +111,7 @@ The script produces a report listing the affected resources by creating a `Modif
 - Location
 
 > [!NOTE]
-> - If `-ReportOnly` is specified, the report shows the resources that would be affected without the actuall change being applied.
+> - If `-ReportOnly` is specified, the report shows the resources that would be affected without the actual change being applied.
 
 
 # Script execution examples