I have an Azure policy that checks current value and target value. Resources are showing non-compliant for both matching and non-matching values.
Matching values:
Existence Condition:
"existenceCondition": {
  "value": "[field('Microsoft.Network/frontdoorWebApplicationFirewallPolicies/customRules.rules[*].matchConditions[*].matchValue[*]')]",
  "in": "[parameters('allowedIps')]"
},
I have the following use case: I would like to have an Azure policy requiring two mandatory tags, Environment and Project, for resource groups. It should not be possible to create a new resource group without those two tags, and already created resource groups that do not have the two tags should show as non-compliant. So far it sounds like a straightforward scenario, but I am not getting the expected result and it is getting harder and harder to keep my sanity, so please advise.
I have reviewed multiple threads on Stack Overflow, as well as this Microsoft article: How to build an audit Azure Policy with multiple parameters.
I use the following code:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "field": "tags['Environment']",
          "exists": "false"
        },
        {
          "field": "tags['Project']",
          "exists": "false"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
Note: I have removed the parameters in the process of troubleshooting and replaced them with values for simplification. The result was the same when using parameters instead of explicit values.
My understanding is that allOf should act as a logical AND and should require all the conditions to be in place: to be a resource group, to have the tag Environment and to have the tag Project.
So what is the result? When creating a new resource group, the validation does not allow you to continue without providing tags for Environment and Project:
Note: You may see that there is the same policy name for the tag requirements and this is the only policy assignment ... everywhere! This is my personal test tenant, so there is no possibility for other policy assignments that I am not aware of.
The thing is that it allows me to continue further with only one tag provided:
Only Environment
Only Project
If we look at the compliance status, you may see that the resource group is marked as compliant by the policy:
but it has only a single tag - Project, without the tag Environment... and still marked as compliant.
So after this long walkthrough, my question is: how to make it mandatory to have those two tags, Environment and Project. There could be other tags, but those two should be required, not allowing new resource groups to be created without providing them, and the old resource groups should be marked as non-compliant if both are missing.
What am I missing, that it does not work as expected?
I have also used the code from the article ... a 1:1 copy-paste ... and again I was able to continue with only a single tag.
Please support.
I have followed other examples from Stack Overflow, as well as the official Microsoft article. Even the suggested example from the Microsoft article was not working as expected, or at least not based on my expectation.
Your allOf condition here tells the policy engine to detect a non-compliant resource if all conditions are met. Meaning that:
You are currently scanning a RG
The current RG does not have an Environment tag
The current RG does not have a Project tag
We can phrase it as: "My item is non-compliant if this is a RG which does not have an Environment tag AND does not have a Project tag".
If any of these conditions is met (for example, one tag exists), the resource is then tagged as Compliant because it does not meet your overall condition.
You want to add an anyOf condition here to make sure it breaks if one or the other tag does not exist, to phrase it the following way: "My item is non-compliant if this is a RG which does not have an Environment tag OR does not have a Project tag".
Code:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "anyOf": [
            {
              "field": "tags['Environment']",
              "exists": "false"
            },
            {
              "field": "tags['Project']",
              "exists": "false"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
I need to enforce that when a user creates a storage account in Azure, it gets appended with customer-managed keys. Platform-managed keys are prohibited for storage accounts. Below is the policy that's created. Although the policy is successfully deployed, the storage accounts that we create after the policy deployment do not get the customer-managed key details that are defined inside the Azure policy appended, even after 2 hours. When we try adding a customer-managed key, it instead throws an error telling: "Policies attempted to append some fields which already exist in the request with different values. Fields: 'Microsoft.Storage/storageAccounts/encryption.KeySource'. Policy identifiers:'[{"policyAssignment":{"name":"Encryption settings to Storage Account for customer-provided key","id":"funRulerg-mj/providers/Microsoft.Authorization/policyAssignments/"
Can someone please help me understand why, in spite of the "append" effect, the policy is not appending the customer-managed keys to the storage account? And the error clearly tells that the policy is already in effect, due to which it is not allowing us to add any customer-managed key to the storage accounts either.
{
  "properties": {
    "displayName": "Append encryption settings to Storage Account for customer-provided key",
    "description": "If customer-provided key isn't configured, append encryption settings to Storage Account using customer-provided key",
    "mode": "all",
    "parameters": {
      "keyvaulturi": {
        "type": "String",
        "metadata": {
          "description": "Uri location of the Key Vault to use for Storage Service Encryption"
        }
      },
      "keyname": {
        "type": "String",
        "metadata": {
          "description": "Name of the Key to use for Storage Service Encryption"
        }
      }
    },
    "policyRule": {
      "if": {
        "allof": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
            "equals": "Microsoft.Storage"
          }
        ]
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
            "value": "Microsoft.Keyvault"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyvaulturi",
            "value": "[parameters('keyvaulturi')]"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyname",
            "value": "[parameters('keyname')]"
          }
        ]
      }
    }
  }
}
The field "Microsoft.Storage/storageAccounts/encryption.KeySource" is set to "Microsoft.Storage", and according to this https://rjygraham.com/posts/azure-policy-append-as-gentler-deny.html, "Append evaluates before the request gets processed by a Resource Provider during the creation or updating of a resource. Append adds fields to the resource when the if condition of the policy rule is met. If the append effect would override a value in the original request with a different value, then it acts as a deny effect and rejects the request". In the "details", the policy is trying to change the value of the field "Microsoft.Storage/storageAccounts/encryption.KeySource" to "Microsoft.Keyvault"; this might be the issue.
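Both threads above come down to two mechanics: how the engine combines conditions (allOf versus anyOf in the resource-group tag policy) and how the append effect merges fields into a request (the storage account policy). The following is an added toy model, constructed for this page and not Azure's engine or any poster's code, that implements only the operators these two policies use: allOf/anyOf, the aliases type, tags['X'] and the dotted property path, the equals and exists conditions, and the append merge rule from the blog quoted above. Run against constructed inputs, it shows a resource group carrying only a Project tag passing the question's allOf version but being denied by the answer's anyOf version, and it shows why the storage policy can never actually append: its if condition only matches when encryption.KeySource is already Microsoft.Storage, and the first detail then tries to rewrite that same field, so in this model the outcome is always deny for matching requests and not-applicable for requests without an encryption block. The Key Vault URI and key name are constructed placeholders standing in for the two parameters.

```python
"""Toy model of Azure Policy rule evaluation (constructed example, not Azure's engine).
Covers only what this page uses: allOf/anyOf, the aliases "type", "tags['X']" and
"<type>/dotted.property", the equals/exists conditions, and the append effect's merge."""
import re
from copy import deepcopy

RESOURCE_GROUP_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"


def get_field(resource, field):
    """Resolve a policy field alias against a resource/request dict; None when absent."""
    if field == "type":
        return resource.get("type")
    tag = re.fullmatch(r"tags\['([^']+)'\]", field)
    if tag:
        return resource.get("tags", {}).get(tag.group(1))
    # "<ns>/<type>/a.b.c" -> resource["properties"]["a"]["b"]["c"], keys case-insensitive
    node = resource.get("properties", {})
    for part in field.split("/")[-1].split("."):
        if not isinstance(node, dict):
            return None
        key = next((k for k in node if k.lower() == part.lower()), None)
        if key is None:
            return None
        node = node[key]
    return node


def set_field(resource, field, value):
    """Write a dotted property alias into resource["properties"], creating levels as needed."""
    parts = field.split("/")[-1].split(".")
    node = resource.setdefault("properties", {})
    for part in parts[:-1]:
        key = next((k for k in node if k.lower() == part.lower()), part)
        node = node.setdefault(key, {})
    node[parts[-1]] = value


def matches(condition, resource):
    """Evaluate a policy 'if' block; operator names are case-insensitive ('allof' is fine)."""
    cond = {k.lower(): v for k, v in condition.items()}
    if "allof" in cond:
        return all(matches(c, resource) for c in cond["allof"])
    if "anyof" in cond:
        return any(matches(c, resource) for c in cond["anyof"])
    actual = get_field(resource, cond["field"])
    if "exists" in cond:  # the page writes "exists": "false" as a string
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:  # case-insensitive string compare; an absent field never equals
        return actual is not None and str(actual).lower() == str(cond["equals"]).lower()
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy, resource):
    """Effect name that fires for this resource, or None when the 'if' does not match."""
    rule = policy["policyRule"]
    return rule["then"]["effect"].lower() if matches(rule["if"], resource) else None


def apply_append(policy, request):
    """Model the append effect: absent fields are added to the request; a field already
    present with a different value turns the whole append into a deny (per the blog quoted)."""
    rule = policy["policyRule"]
    if not matches(rule["if"], request):
        return "not-applicable", request
    body, conflicts = deepcopy(request), []
    for detail in rule["then"]["details"]:
        current = get_field(body, detail["field"])
        if current is None:
            set_field(body, detail["field"], detail["value"])
        elif str(current).lower() != str(detail["value"]).lower():
            conflicts.append(detail["field"])
    return ("deny", conflicts) if conflicts else ("append", body)


def tag_rule(combiner):
    """Resource-group tag policy from the thread above. combiner='allOf' reproduces the
    question (nesting allOf in allOf equals its flat list); 'anyOf' is the accepted fix."""
    return {"policyRule": {"if": {"allOf": [
        {"field": "type", "equals": RESOURCE_GROUP_TYPE},
        {combiner: [{"field": "tags['Environment']", "exists": "false"},
                    {"field": "tags['Project']", "exists": "false"}]}]},
        "then": {"effect": "deny"}}}


# The customer-managed-key append policy from the storage question, with its two
# parameters replaced by constructed placeholder values.
CMK_APPEND_POLICY = {"policyRule": {
    "if": {"allof": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                     {"field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
                      "equals": "Microsoft.Storage"}]},
    "then": {"effect": "append", "details": [
        {"field": "Microsoft.Storage/storageAccounts/encryption.KeySource", "value": "Microsoft.Keyvault"},
        {"field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyvaulturi",
         "value": "https://example-kv.vault.azure.net/"},  # constructed placeholder
        {"field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyname",
         "value": "example-key"}]}}}  # constructed placeholder

# Constructed sample resource / request body.
RG_ONLY_PROJECT = {"type": RESOURCE_GROUP_TYPE, "tags": {"Project": "demo"}}
STORAGE_REQUEST_PMK = {"type": "Microsoft.Storage/storageAccounts",
                       "properties": {"encryption": {"keySource": "Microsoft.Storage"}}}
```

Calling evaluate(tag_rule("allOf"), RG_ONLY_PROJECT) returns None (no effect fires, so the group reads as compliant) while evaluate(tag_rule("anyOf"), RG_ONLY_PROJECT) returns "deny"; apply_append(CMK_APPEND_POLICY, STORAGE_REQUEST_PMK) returns "deny" with the KeySource field listed as the conflict, matching the field named in the error message in the question.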
Below is my use case:
I have two organisations, Org1 and Org2. When I remove Org2 from the channel configuration everything works well and the organisation gets removed from the channel, but when I remove Org1, which is at index 0 in the config JSON, and update it to the channel, it results in the error listed below. It seems like I am able to remove organisations in LIFO (last in, first out) order, but I want to achieve the functionality where I can remove an organisation irrespective of the order of addition.
error applying config update to existing channel 'mychannel': initializing policymanager failed: policy Admins at path Channel/Application did not compile: identity index out of range, requested 1, but identities length is 1
It looks like you are not properly updating any policies that refer to the organization being removed.
When you remove an organization, you must remove the entire entry under Application.groups, for example Application.groups.Org1MSP.
You must also remove the organization from any policies under Application.policies, for example Application.policies.Admins.
Depending on the policy type, you may have one or more policies that look like this (AND('Org1MSP.admin', 'Org2MSP.admin')):
"Admins": {
  "mod_policy": "Admins",
  "policy": {
    "type": 1,
    "value": {
      "identities": [
        {
          "principal": {
            "msp_identifier": "Org1MSP",
            "role": "ADMIN"
          },
          "principal_classification": "ROLE"
        },
        {
          "principal": {
            "msp_identifier": "Org2MSP",
            "role": "ADMIN"
          },
          "principal_classification": "ROLE"
        }
      ],
      "rule": {
        "n_out_of": {
          "n": 1,
          "rules": [
            {
              "signed_by": 0
            },
            {
              "signed_by": 1
            }
          ]
        }
      },
      "version": 0
    }
  },
  "version": "0"
}
It is not enough to remove the organization from the policy.value.identities array. The signed_by values in the policy.value.rule.n_out_of.rules array reference entries (by their array index) in the policy.value.identities array.
The error you have suggests that you have a policy somewhere with a signed_by value of 1, but the corresponding policy.value.identities array for the policy only has a length of 1.
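As an added illustration of the index renumbering the answer describes (constructed for this page, not code from the Fabric project), here is the Admins policy above used as test input: a naive removal that only deletes the Org1MSP identity leaves "signed_by": 1 pointing past the end of a one-element identities array and fails the same check that produced the error in the question, while the renumbering version drops the identity, rewrites the surviving signed_by indices, and removes rules that pointed only at the departed organisation. Capping n_out_of.n at the number of remaining rules is my own choice for the AND case; Fabric does not do any of this for you, which is the answer's point.

```python
"""Removing an organisation from a Fabric signature policy without dangling indices
(constructed example, not Fabric project code). Input shape follows the Admins policy above."""
import copy

# The Admins policy from the answer above, as constructed test input.
ADMINS_POLICY = {
    "mod_policy": "Admins",
    "policy": {
        "type": 1,
        "value": {
            "identities": [
                {"principal": {"msp_identifier": "Org1MSP", "role": "ADMIN"}, "principal_classification": "ROLE"},
                {"principal": {"msp_identifier": "Org2MSP", "role": "ADMIN"}, "principal_classification": "ROLE"},
            ],
            "rule": {"n_out_of": {"n": 1, "rules": [{"signed_by": 0}, {"signed_by": 1}]}},
            "version": 0,
        },
    },
    "version": "0",
}


def validate_signature_policy(policy):
    """Mirror the compile-time check behind the error in the question: every signed_by must
    index into policy.value.identities. Returns the problems found (empty list = compiles)."""
    identities = policy["policy"]["value"]["identities"]
    problems = []

    def walk(rule):
        if "signed_by" in rule:
            idx = rule["signed_by"]
            if not 0 <= idx < len(identities):
                problems.append(f"identity index out of range, requested {idx}, "
                                f"but identities length is {len(identities)}")
        elif "n_out_of" in rule:
            for sub in rule["n_out_of"]["rules"]:
                walk(sub)

    walk(policy["policy"]["value"]["rule"])
    return problems


def naive_remove(policy, msp_id):
    """What the question effectively did: drop the identity but leave the rule untouched."""
    new = copy.deepcopy(policy)
    value = new["policy"]["value"]
    value["identities"] = [i for i in value["identities"] if i["principal"]["msp_identifier"] != msp_id]
    return new


def remove_org_from_policy(policy, msp_id):
    """Drop msp_id's identities and renumber every signed_by to the surviving positions.
    Rules that pointed only at the removed org disappear; n_out_of.n is capped at the
    number of rules left (my choice: an AND over two orgs becomes a rule on the remaining one)."""
    new = copy.deepcopy(policy)
    value = new["policy"]["value"]
    keep = [i for i, ident in enumerate(value["identities"])
            if ident["principal"]["msp_identifier"] != msp_id]
    remap = {old: pos for pos, old in enumerate(keep)}  # old index -> new index
    value["identities"] = [value["identities"][i] for i in keep]

    def rewrite(rule):
        if "signed_by" in rule:
            return {"signed_by": remap[rule["signed_by"]]} if rule["signed_by"] in remap else None
        if "n_out_of" in rule:
            kept = [r for r in (rewrite(s) for s in rule["n_out_of"]["rules"]) if r is not None]
            if not kept:
                return None
            return {"n_out_of": {"n": min(rule["n_out_of"]["n"], len(kept)), "rules": kept}}
        return rule

    rewritten = rewrite(value["rule"])
    if rewritten is None:
        raise ValueError(f"removing {msp_id} would leave the policy with no signers")
    value["rule"] = rewritten
    return new
```

validate_signature_policy(naive_remove(ADMINS_POLICY, "Org1MSP")) reports exactly the message from the question, "identity index out of range, requested 1, but identities length is 1", while remove_org_from_policy(ADMINS_POLICY, "Org1MSP") yields a policy whose single identity is Org2MSP and whose rule is n_out_of 1 of [signed_by 0], which validates cleanly.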
Is there any way to restrict access or buy permissions in Azure Marketplace?
You can create a policy like the one below to restrict compute resources from a specific publisher -
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "Microsoft.Compute/imagePublisher",
          "match": "[parameters('NotAllowedImage')]"
        }
      ]
    },
    "then": {
      "effect": "Deny"
    }
  },
  "parameters": {
    "NotAllowedImage": {
      "type": "String",
      "metadata": {
        "displayName": "Not Allowed Image",
        "description": "Not Allowed Image for Virtual Machine/Compute"
      }
    }
  },
  "metadata": {
    "category": "Compute"
  }
}
When you assign this image to a subscription or a resource group, you will be asked at that time to enter a value for the image name you would like to restrict; please enter "checkpoint" as your publisher name, as this is the one you want to restrict. Save the assignment.
Now, once you create a VM/compute resource from "checkpoint", this would fail the validation step, as the policy would not allow such a VM/compute resource to be created.
The Category of the check point resources I see in market place is compute only.
We might not have restrictions on what we can choose from market place but we can utilize azure policy for certain resource regulation/compliance.
These policies would help enforce different rules over your resources (VMs, VM SKUs, network, storage, etc.) if you need the resources you create to stay compliant with your company standards/service level agreements.
Whenever we create resource which has policy tied to it these are evaluated and scanned for compliance with that policy.
More info here - https://learn.microsoft.com/en-us/azure/azure-policy/azure-policy-introduction
I'm creating an Azure resource template and getting this validation error when I specify tags:
New-AzureResourceGroupDeployment : Error 1: Code=InvalidTemplate;
Message=Deployment template validation failed: 'The template resource
'hosting-plan' at line '86' and column '10' is not valid: Template
language expression '[parameters('intranetConnectivity')]' is not
supported..'.
Here's the relevant section of the template:
"parameters": {
  "intranetConnectivity": {
    "type": "bool",
    "defaultValue": false
  },
  ...
}
"name": "[parameters('siteName')]",
"type": "Microsoft.Web/sites",
"location": "[parameters('siteLocation')]",
"tags": {
  "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]": "Resource",
  "ServiceModel": "[parameters('serviceModel')]",
  "IntranetConnectivity": "[parameters('intranetConnectivity')]",
  "Environment": "[parameters('environment')]"
},
I thought maybe the parameter name was too long, but I get the same error regardless of the parameter name.
It turned out that it didn't like me using a boolean parameter in a string value. I changed the parameter definition to string and everything works.
"intranetConnectivity": {
  "type": "string",
  "allowedValues": [
    "true",
    "false"
  ],
  "defaultValue": "false"
},
Just to clarify: tags only support string values, nothing else. Check the limitations:
Not all resource types support tags. To determine if you can apply a tag to a resource type, see Tag support for Azure resources.
Each resource or resource group can have a maximum of 50 tag name/value pairs. If you need to apply more tags than the maximum allowed number, use a JSON string for the tag value. The JSON string can contain many values that are applied to a single tag name. A resource group can contain many resources that each have 50 tag name/value pairs.
The tag name is limited to 512 characters, and the tag value is limited to 256 characters. For storage accounts, the tag name is limited to 128 characters, and the tag value is limited to 256 characters.
Generalized VMs don't support tags.
Tags applied to the resource group are not inherited by the resources in that resource group.
Tags can't be applied to classic resources such as Cloud Services.
Tag names can't contain these characters: <, >, %, &, \, ?, /
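The limits quoted above are easy to check before a deployment ever reaches the validation step. The following is an added example (constructed for this page, not from the original post or from Microsoft) that validates a resolved tags object, that is, the tags after template expressions have been evaluated, against exactly the limits listed: the 50-pair cap, the 512-character name and 256-character value limits (128 for the name on storage accounts), the forbidden name characters, and the string-only rule that tripped the question when a bool parameter was used as a tag value. The sample tag values are constructed.

```python
"""Pre-deployment check of a resolved ARM 'tags' object against the limits quoted above
(constructed example, not from the original post or from Microsoft's tooling)."""

FORBIDDEN_NAME_CHARS = set('<>%&\\?/')
MAX_TAGS_PER_RESOURCE = 50
MAX_VALUE_LEN = 256
STORAGE_ACCOUNT_TYPE = "microsoft.storage/storageaccounts"


def validate_tags(tags, resource_type=""):
    """Return a list of violations; an empty list means the tags satisfy the listed limits.
    `tags` is the tags object after template expressions have been resolved, so a bool
    parameter shows up here as a bool, which is the case the question ran into."""
    if not isinstance(tags, dict):
        return ["'tags' must be a JSON object of name/value pairs"]
    problems = []
    if len(tags) > MAX_TAGS_PER_RESOURCE:
        problems.append(f"{len(tags)} tags exceed the maximum of {MAX_TAGS_PER_RESOURCE}")
    # Storage accounts have the tighter name limit; everything else gets 512.
    name_limit = 128 if resource_type.lower() == STORAGE_ACCOUNT_TYPE else 512
    for name, value in tags.items():
        if len(name) > name_limit:
            problems.append(f"tag name {name[:20]!r}... exceeds {name_limit} characters")
        bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
        if bad:
            problems.append(f"tag name {name!r} contains forbidden characters {''.join(bad)!r}")
        if not isinstance(value, str):
            problems.append(f"tag {name!r}: value must be a string, got {type(value).__name__}")
        elif len(value) > MAX_VALUE_LEN:
            problems.append(f"tag {name!r}: value exceeds {MAX_VALUE_LEN} characters")
    return problems


# Constructed sample: the question's tags with the bool parameter left unconverted ...
TAGS_WITH_BOOL = {"ServiceModel": "web", "IntranetConnectivity": False, "Environment": "test"}
# ... and after the fix from the answer (string parameter with allowed values "true"/"false").
TAGS_FIXED = {"ServiceModel": "web", "IntranetConnectivity": "false", "Environment": "test"}
```

validate_tags(TAGS_WITH_BOOL) reports the IntranetConnectivity value as a non-string, which is the same defect the template validator rejected with its "not supported" message; validate_tags(TAGS_FIXED) returns an empty list.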