Add arc-sql-licence-type-compliance policy

Alexander (Sasha) Nosov · Alexander (Sasha) Nosov · commit 9b40c9f6ebf9 · 2026-04-02T09:53:43.000-07:00
diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-licence-type-compliance/README.md b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-licence-type-compliance/README.md
@@ -0,0 +1,131 @@
+# LicenceType-SQLArc
+
+This Azure Policy ensures that all SQL Arc servers have the required `LicenseType` value. Servers that do not match the required license type are marked as non-compliant. The remediation task sets `LicenseType` to the value specified by the `requiredLicenseType` parameter.
+
+Use Azure CLI or PowerShell to create the policy definition.
+
+## Artifacts
+
+- **policy.json**: Main policy definition referencing external parameter and rule files.
+- **params.json**: Defines policy parameters.
+- **rules.json**: Contains the policy rule logic.
+
+## Copy policy artifacts to your environment
+
+```PowerShell
+
+curl https://raw.githubusercontent.com/microsoft/sql-server-samples/refs/heads/master/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-licence-type-compliance/params.json -o params.json
+curl https://raw.githubusercontent.com/microsoft/sql-server-samples/refs/heads/master/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-licence-type-compliance/rules.json -o rules.json
+
+```
+
+## Create policy
+
+Use the following command to create policy
+
+```PowerShell
+
+$SubId      = "<your-subscription-id>"
+$PolicyName = "LicenceType-SQLArc"
+
+az policy definition create `
+  --name $PolicyName `
+  --display-name $PolicyName `
+  --description "This Azure Policy ensures that all SQL Arc servers have the required LicenseType. Servers that do not match are marked as non-compliant and remediated to the required license type." `
+  --rules "@rules.json" `
+  --params "@params.json" `
+  --mode Indexed `
+  --subscription $SubId `
+  --only-show-errors | Out-Null
+```
+
+## Assign policy
+
+Use the following command to assign policy
+
+```PowerShell
+
+$SubId               = "<your-subscription-id>"
+$RgName              = "<your-resource-group>"    # optional; set to "" to target subscription scope
+$Location            = "<your-azure-region>"      # e.g., eastus, westus2
+$RequiredLicenseType = "PAYG"                     # e.g., PAYG, LicenseOnly
+
+if ([string]::IsNullOrWhiteSpace($RgName)) {
+  $Scope = "/subscriptions/$SubId"
+} else {
+  $Scope = "/subscriptions/$SubId/resourceGroups/$RgName"
+}
+
+az account set --subscription $SubId
+
+az policy assignment create `
+  --name "LicenceType-SQLArc-Assign" `
+  --policy "LicenceType-SQLArc" `
+  --scope "$Scope" `
+  --params "{ \"effect\": { \"value\": \"DeployIfNotExists\" }, \"requiredLicenseType\": { \"value\": \"$RequiredLicenseType\" } }" `
+  --mi-system-assigned `
+  --role "Contributor" `
+  --identity-scope "$Scope" `
+  --location "$Location" `
+  --only-show-errors | Out-Null
+```
+
+## Create remediation task
+
+Use the following command to create a remediation task
+
+```PowerShell
+
+$RemediationName      = "Remediate-LicenceType-SQLArc"
+$PolicyAssignmentName = "LicenceType-SQLArc-Assign"
+$SubId                = "<your-subscription-id>"
+$RgName               = "<your-resource-group>"
+
+az account set --subscription $SubId
+
+if ([string]::IsNullOrWhiteSpace($RgName)) {
+  az policy remediation create `
+    --name $RemediationName `
+    --policy-assignment $PolicyAssignmentName `
+    --resource-discovery-mode ReEvaluateCompliance `
+    --only-show-errors | Out-Null
+} else {
+  az policy remediation create `
+    --name $RemediationName `
+    --policy-assignment $PolicyAssignmentName `
+    --resource-group "$RgName" `
+    --resource-discovery-mode ReEvaluateCompliance `
+    --only-show-errors | Out-Null
+}
+```
+
+## Remove remediation task
+
+```PowerShell
+
+$RemediationName = "Remediate-LicenceType-SQLArc"
+$RgName          = "<your-resource-group>"
+$SubId           = "<your-subscription-id>"
+
+if ([string]::IsNullOrWhiteSpace($RgName)) {
+    az policy remediation cancel `
+      --name $RemediationName `
+      --subscription $SubId `
+      --only-show-errors | Out-Null
+    az policy remediation delete `
+      --name $RemediationName `
+      --subscription $SubId `
+      --only-show-errors | Out-Null
+} else {
+    az policy remediation cancel `
+      --name $RemediationName `
+      --resource-group $RgName `
+      --subscription $SubId `
+      --only-show-errors | Out-Null
+    az policy remediation delete `
+      --name $RemediationName `
+      --resource-group $RgName `
+      --subscription $SubId `
+      --only-show-errors | Out-Null
+}
+```
diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-licence-type-compliance/params.json b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-licence-type-compliance/params.json
@@ -0,0 +1,27 @@
+{
+  "effect": {
+    "type": "String",
+    "metadata": {
+      "displayName": "Effect",
+      "description": "Enable or disable the execution of the policy."
+    },
+    "allowedValues": [
+      "DeployIfNotExists",
+      "Disabled"
+    ],
+    "defaultValue": "DeployIfNotExists"
+  },
+  "requiredLicenseType": {
+    "type": "String",
+    "metadata": {
+      "displayName": "Required License Type",
+      "description": "The license type that SQL Arc servers must have to be considered compliant."
+    },
+    "allowedValues": [
+      "PAYG",
+      "Paid",
+      "LicenseOnly"
+    ],
+    "defaultValue": "PAYG"
+  }
+}
diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-licence-type-compliance/policy.json b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-licence-type-compliance/policy.json
@@ -0,0 +1,14 @@
+{
+  "properties": {
+    "displayName": "LicenceType-SQLArc",
+    "policyType": "Custom",
+    "mode": "Indexed",
+    "description": "Policy to ensure all SQL Arc servers have the required LicenseType. Servers that do not match are marked as non-compliant and remediated to the required license type.",
+    "metadata": {
+      "category": "SQLArc",
+      "version": "1.0.0"
+    },
+    "parameters": "./params.json",
+    "policyRule": "./rules.json"
+  }
+}
diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-licence-type-compliance/rules.json b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-licence-type-compliance/rules.json
@@ -0,0 +1,96 @@
+{
+  "if": {
+    "allOf": [
+      {
+        "equals": "Microsoft.HybridCompute/machines/extensions",
+        "field": "type"
+      },
+      {
+        "equals": "Microsoft.AzureData",
+        "field": "Microsoft.HybridCompute/machines/extensions/publisher"
+      },
+      {
+        "equals": "WindowsAgent.SqlServer",
+        "field": "Microsoft.HybridCompute/machines/extensions/type"
+      }
+    ]
+  },
+  "then": {
+    "effect": "[parameters('effect')]",
+    "details": {
+      "type": "Microsoft.HybridCompute/machines/extensions",
+      "roleDefinitionIds": [
+        "/providers/Microsoft.Authorization/roleDefinitions/7392c568-9289-4bde-aaaa-b7131215889d",
+        "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
+      ],
+      "name": "[field('fullName')]",
+      "existenceCondition": {
+        "equals": "[string(createObject('LicenseType', parameters('requiredLicenseType')))]",
+        "value": "[string(intersection(if(empty(field('Microsoft.HybridCompute/machines/extensions/settings')), createObject(), field('Microsoft.HybridCompute/machines/extensions/settings')), createObject('LicenseType', parameters('requiredLicenseType'))))]"
+      },
+      "evaluationDelay": "AfterProvisioningSuccess",
+      "deployment": {
+        "properties": {
+          "mode": "incremental",
+          "template": {
+            "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+            "contentVersion": "1.0.0.0",
+            "parameters": {
+              "extensionName": {
+                "type": "string"
+              },
+              "vmLocation": {
+                "type": "string"
+              },
+              "agentName": {
+                "type": "string"
+              },
+              "existingSettings": {
+                "type": "object"
+              },
+              "requiredLicenseType": {
+                "type": "string"
+              }
+            },
+            "variables": {
+              "vmExtensionPublisher": "Microsoft.AzureData",
+              "updatedSettings": {
+                "LicenseType": "[parameters('requiredLicenseType')]"
+              }
+            },
+            "resources": [
+              {
+                "name": "[parameters('extensionName')]",
+                "type": "Microsoft.HybridCompute/machines/extensions",
+                "location": "[parameters('vmLocation')]",
+                "apiVersion": "2022-11-10",
+                "properties": {
+                  "publisher": "[variables('vmExtensionPublisher')]",
+                  "type": "[parameters('agentName')]",
+                  "settings": "[union(parameters('existingSettings'), variables('updatedSettings'))]"
+                }
+              }
+            ]
+          },
+          "parameters": {
+            "extensionName": {
+              "value": "[field('fullName')]"
+            },
+            "vmLocation": {
+              "value": "[field('location')]"
+            },
+            "agentName": {
+              "value": "[field('name')]"
+            },
+            "existingSettings": {
+              "value": "[field('Microsoft.HybridCompute/machines/extensions/settings')]"
+            },
+            "requiredLicenseType": {
+              "value": "[parameters('requiredLicenseType')]"
+            }
+          }
+        }
+      }
+    }
+  }
+}
