azure / community-policy Goto Github PK

This repo is for Microsoft Azure customers and Microsoft teams to collaborate in making custom policies.

License: MIT License

Open Policy Agent 79.58% PowerShell 20.42%

community-policy's Introduction

Community Policy Repo

The purpose of this repo is for Azure Policy users and Microsoft internal teams to share and collaborate on custom policies. These policies are built either by customers or Microsoft Support engineers for customers. These are NOT Built-in policies hence are not check, tested or validated in any form by the Azure Policy Release Team. Please be wary of this and always TEST your policies before enforcing. Happy Coding!

For Built-in policies repo, please visit here: azure-policy

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

To get started contributing to the samples, please visit our contribution guide. We also have a PowerShell script that will validate your Policy against the contribution guide and fix problems for you. You can find it here.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Getting Support

The general Azure Policy support role that this repository has is not supported by standard Azure support channels. See below for information about getting support help for Azure Policy.

General Questions

If you have questions you haven't been able to answer from the Azure Policy documentation, there are a few places that host discussions on Azure Policy:

Microsoft Tech Community Azure Governance conversation space
Join the Monthly Call on Azure Governance (register here)
Search or add to Azure Policy discussions on StackOverflow

If your questions are more in-depth or involve information that is not public, open a new Azure Customer Support ticket.

Documentation Corrections

To report issues in the Azure Policy online documentation, look for a feedback area at the bottom of the page. If you don't see a place to enter feedback, you can also directly open a new issue at the Microsoft Docs GitHub.

New built-in Policy Proposals

If you have ideas for new built-in policies you want to suggest to Microsoft, you can submit them to Azure Governance Ideas. These suggestions are actively reviewed and prioritized for implementation.

Other Support for Azure Policy

If you are encountering livesite issues or difficulties in implementing new policies that may be due to problems in Azure Policy itself, open a support ticket at Azure Customer Support. If you want to submit an idea for consideration, add an idea or upvote an existing idea at Azure Governance User Voice.

Azure Policy Resources

Articles

References

community-policy's People

Contributors

Stargazers

Watchers

Forkers

kenieva calecarter rahulkhengare yane3628 noopman jbpaux cmendible dustypaulson bajumar poonguzhalia emandm dcthegeek itsec365 vickatte eosho rohitnayakmsft wenesak xyh1 adstuart reddyavinash5 aaaaasam johnkozitzki sw47 hgolla-repos ramyasreechakka https-github-com-vfulitod176641 mhomol jmorleyjones woehrl01 ciphertxt dihenry msmirnoff rajkrishnamurthy jeffdmipshell manojtiwary pauharri fawohlsc adi928 damonashman kknapik donk-msft andrewgoodson spencer2306 kasattejaswi marcosgm raiyanalam mikisho ryanlwilliams ramona-saintandre sbkuehn arvindmits keyoke pagyp radoslawcz imabgd zeromagic jeevacodepro isabella232 venkat1726 mamadcamzis ankitsehwaag bmcorsino mbarry-gh wiklinowy sachincldcvr mayhashah7 rubicondimitri pechuk adedlamina v-eddyv ssakarim imihaljko mijoseph-incomm aschabus thebitstreamer st185229 jatin1407 sarita-msft chavamartinez25 kainepro ccarroyo1978 chaddumas amahajan-75 cloud-repos sahanaprabhakar jassmit evico-tr daniellarsennz nosportugal tjsullivan1 basvanbennekommsft dshamanthreddy tulpy energetic-it sanjayntms phosatti msaravindh judexman01 gummigroda heaven2k

community-policy's Issues

[New] Container Registries enable zone redundancy

#362

deploy-storage-monitoring-log-analytics reports incorrect compliancy and non-compliancy

Before creating the deploy-storage-monitoring-log-analytics policy, I ran JimGBritt's policies for diagnostic settings to LogAnalytics.

I ran the following command:

$definition = New-AzPolicyDefinition `
    -Name "deploy-storage-monitoring-log-analytics" `
    -DisplayName "Deploy Diagnostic Settings for Azure Storage, including blobs, files, tables, and queues to a Log Analytics workspace" `
    -Description "Deploys the diagnostic settings for Azure Storage, including blobs, files, tables, and queues to stream to a regional Log Analytics workspace when any Azure Storage which is missing this diagnostic settings is created or updated." `
    -Policy 'https://raw.githubusercontent.com/Azure/Community-Policy/master/Policies/Storage/deploy-storage-monitoring-log-analytics/azurepolicy.rules.json' `
    -Parameter 'https://raw.githubusercontent.com/Azure/Community-Policy/master/Policies/Storage/deploy-storage-monitoring-log-analytics/azurepolicy.parameters.json' -Mode Indexed

$definition

$assignment = New-AzPolicyAssignment -Name "Diagnostic Settings for Azure Storage PROD" -Scope "/subscriptions/<tenantid>" `
    -Description "Deploys the diagnostic settings for Azure Storage, including blobs, files, tables, and queues to stream to a regional Log Analytics workspace when any Azure Storage which is missing this diagnostic settings is created or updated." `
    -logAnalytics "/subscriptions/<tenantid>/resourcegroups/<resourcegroup>/providers/microsoft.operationalinsights/workspaces/<law>" `
    -profileName "MonitoringDiagnosticsSettings" -metricsEnabled "True" `
    -PolicyDefinition $definition -Location "westeurope" -AssignIdentity

$assignment

In the Azure Portal I edited the policy (to exclude some resource groups and assign the proper RBAC to the assigned identity), and triggered a policy evalutation.

The result is that there is a list of compliant resources:

However, if I check the diagnostic settings, they are not as expected (no blob, queue, table and file diagnostics enabled):

The non-compliant resources do have the proper setting:

How come these settings are incorrect? Creating a remediation task fails as the settings are already present, and the "compliant" resources cannot be configured correctly.

modify-subnet-nsg

Hi @fawohlsc /Team,

Trust you are doing well.

In my environment, we have few subnets without being assigned to any NSG. So I would like to deploy the above custom definition to enforce the NSG for subnets that have none.

While assigning the assignment, I have passed the parameters as suggested below for networksecuritygroupsettings

{
"northeurope": { // I have given the location of the vnet that subnets belongs to
"resourceGroupName": "random name",
"networkSecurityGroupName": "random nsg name"
},
"westeurope": {
"resourceGroupName": "we-network",
"networkSecurityGroupName": "we-default-nsg"
},
"disabled": {
"resourceGroupName": "",
"networkSecurityGroupName": ""
}
}

But it is not able to identify the non-compliant resources and it is showing 100% compliant. Scope also I have correctly assigned. Can you please advise me here please?

Hi @mrajess,

I also have tried the below definition file

enforce-subnets-must-have-nsg-and-nsg-must-have-same-suffix-as-subnet/

but i am getting the below error

parameters 'exceptionList' which are not used in the policy rule. Please either remove these parameters from the definition or ensure that they are used in the policy rule. So i tried by removing the exceptionList parameter from definition but still it is not accepting the definition to save and it is giving below error.

The existing policy has '1' parameter(s) which is greater than the count of parameter(s) '0' in the policy being added. Policy parameters cannot be removed during policy update.

Could you kindly advise me here please. I got struck here.

Looking forward to hearing from you.

Thank you,
Kind regards,
Maheswara.

Please provide latest schema for PolicyDefinition.

I am doing schema validation while creating custom policies for azure aks.
the current schema https://github.com/Azure/azure-resource-manager-schemas/blob/main/schemas/2020-10-01/policyDefinition.json is outdated as it doesnt support templateInfo argument used for creating custom policies for aks.
https://learn.microsoft.com/en-us/azure/aks/use-azure-policy#create-and-assign-a-custom-policy-definition-preview

Policy not working?

Hi, I was going to try out Azure policies, using a template from this github: Policies/Network/Deploy NSG rule/

I updated the resources to have a single deny rule though:

{
    "PolicyType": "Custom",
    "description": "This policy deploys a default Deny All rule to a newly deployed NSG, if it doesn't already exist in the NSG.",
    "mode": "Indexed",
    "displayName": "NSG default Inbound Deny All",
    "parameters": {
        "access": {
            "type": "String",
            "metadata": {
                "description": "The network traffic should be denied.",
                "displayName": "access"
            },
            "defaultValue": "Deny"
        },
        "destinationAddressPrefix": {
            "type": "String",
            "metadata": {
                "description": "The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used.",
                "displayName": "destinationAddressPrefix"
            },
            "defaultValue": "*"
        },
        "destinationPortRange": {
            "type": "String",
            "metadata": {
                "description": "The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.",
                "displayName": "destinationPortRange"
            },
            "defaultValue": "*"
        },
        "direction": {
            "type": "String",
            "metadata": {
                "description": "The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. - Inbound or Outbound",
                "displayName": "direction"
            },
            "defaultValue": "Inbound"
        },
        "effect": {
            "type": "String",
            "metadata": {
                "description": "The effect determines what happens when the policy rule is evaluated to match",
                "displayName": "Effect"
            },
            "defaultValue": "deployIfNotExists"
        },
        "protocol": {
            "type": "String",
            "metadata": {
                "description": "Network protocol this rule applies to. - Tcp, Udp, Icmp, Esp, *, Ah",
                "displayName": "protocol"
            },
            "defaultValue": "*"
        },
        "sourceAddressPrefix": {
            "type": "String",
            "metadata": {
                "description": "The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from.",
                "displayName": "sourceAddressPrefix"
            },
            "defaultValue": "*"
        },
        "sourcePortRange": {
            "type": "String",
            "metadata": {
                "description": "The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.",
                "displayName": "sourcePortRange"
            },
            "defaultValue": "*"
        }
    },
    "policyRule": {
        "if": {
            "equals": "Microsoft.Network/networkSecurityGroups",
            "field": "type"
        },
        "then": {
            "details": {
                "type": "Microsoft.Network/networkSecurityGroups/securityRules",
                "existenceCondition": {
                    "count": {
                        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                        "where": {
                            "allOf": [
                                {
                                    "equals": "[parameters('protocol')]",
                                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].protocol"
                                },
                                {
                                    "equals": true,
                                    "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].sourcePortRange'), parameters('sourcePortRange'))]"
                                },
                                {
                                    "equals": true,
                                    "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), parameters('destinationPortRange'))]"
                                },
                                {
                                    "equals": true,
                                    "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix'), parameters('sourceAddressPrefix'))]"
                                },
                                {
                                    "equals": true,
                                    "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationAddressPrefix'), parameters('destinationAddressPrefix'))]"
                                },
                                {
                                    "equals": "[parameters('access')]",
                                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access"
                                },
                                {
                                    "equals": "[parameters('direction')]",
                                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction"
                                }
                            ]
                        }
                    },
                    "notEquals": 0
                },
                "deployment": {
                    "properties": {
                        "mode": "incremental",
                        "template": {
                            "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                            "contentVersion": "1.0.0.0",
                            "parameters": {
                                "rulename": {
                                    "type": "String"
                                },
                                "access": {
                                    "type": "String"
                                },
                                "description": {
                                    "type": "String"
                                },
                                "destinationAddressPrefix": {
                                    "type": "Array"
                                },
                                "destinationPortRange": {
                                    "type": "Array"
                                },
                                "direction": {
                                    "type": "String"
                                },
                                "priority": {
                                    "type": "Integer"
                                },
                                "protocol": {
                                    "type": "String"
                                },
                                "sourceAddressPrefix": {
                                    "type": "Array"
                                },
                                "sourcePortRange": {
                                    "type": "Array"
                                },
                                "nsgName": "[field('name')]"                            },
                            "resources": [
                                {
                                    "type": "Microsoft.Network/networkSecurityGroups/securityRules",
                                    "apiVersion": "2022-05-01",
                                    "name": "[concat(parameters('nsgName'), '/Default DenyAnyAnyInbound')]",
                                    "properties": {
                                        "protocol": "*",
                                        "sourcePortRange": "*",
                                        "destinationPortRange": "*",
                                        "sourceAddressPrefix": "*",
                                        "destinationAddressPrefix": "*",
                                        "access": "Deny",
                                        "priority": 4089,
                                        "direction": "Inbound",
                                        "sourcePortRanges": [],
                                        "destinationPortRanges": [],
                                        "sourceAddressPrefixes": [],
                                        "destinationAddressPrefixes": [],
										"description": "managed deny rule"
                                    }
                                }
                            ]
                        }
                    }
                },
                "roleDefinitionIds": [
                    "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
                ]
            },
            "effect": "[parameters('effect')]"
        }
    }
}

However, none of the NSGs that I create receive an incremental update to include the rule.
Even if i don't update the policy definition to my custom wants, and leave it as default copy from the github, my newly created NSGs don't receive an incremental update.
And when I try to remediate the resources, the portal gives back: InvalidDeployment

Is the code for Deploy NSG rule definition on github still valid?

Creating Azure policies as bicep files.

All of the Azure policies so far generated are kept as ARM templates.
Is there an idea to also deliver these as bicep files that can be used as part of AzOps or other engines?

If so, I'd be happy to help to get that started.

Undefined Parameter - configurationURL

Following error encountered while creating the custom policy - deploy-dsc-extension-to-azure-vm-and-arc-connected-machines

Error/Bug
A function or parameter in policy '1e2e506d-89aa-46f1-8cf0-7660ae6dd7fa' could not be validated. If using template functions, try following the tips in: https://aka.ms/policy-avoiding-template-failures. The inner exception 'The policy '1e2e506d-89aa-46f1-8cf0-7660ae6dd7fa' has undefined parameter 'configurationUrl' which is used in the policy rule. Please either define it in policy definition or remove the reference in policy rule.'.

Add a support for auditing Azure SQL databases which aren't enabled the active geo-replications

There should be an Azure Policy for auditing the active geo-replications which are not enabled on Azure SQL databases.

Links to Github broken on website

Hi,

Your folder structure has changed from 'Policies' to 'policyDefinitions'

This has broken the links under 'Name', for example:
https://www.azadvertizer.net/azpolicyadvertizer/monitoring_deploy-diagnostic-setting-for-activity-log-event-hub.html

https://github.com/Azure/Community-Policy/tree/main/Policies/Monitoring/deploy-diagnostic-setting-for-activity-log-event-hub

to:

https://github.com/Azure/Community-Policy/tree/main/policyDefinitions/Monitoring/deploy-diagnostic-settings-for-activity-log-to-event-hub

Error Cloning

error: unable to create file
deploy-diagnostic-settings-to-azure-firewall/policies/Deploy_Diagnostic_Settings_for_Azure_Firewall_to_Log_Analytics_workspace_855bd88d-18bf-42c2-a519-9e7798bb7ee4/assign.Deploy_Diagnostic_Settings_for_Azure_Firewall_to_Log_Analytics_workspace_15f454a0c98e4178a3bcc7bf.json: Filename too long

Azure policy count and notlike for the tags

Hello,
I am debugging azure policy and still get wrong compliance status.
For example I have two azure arc VM with tags:
ClientCode: ggg and Environment: dev
ClientCode: hhh and Environment: acc

My policy should pick up that servers as compliant, but shows still incompliant. I have tried a lot of different approaches, but could not make it work. It those two tags are not like described ones, the policy should mark vm as compliant.

{
    "properties": {
        "displayName": "test tag exclude",
        "policyType": "Custom",
        "mode": "Indexed",
        "description": "Test tag matching",
        "metadata": {
            "version": "0.0.1-preview",
            "category": "Tags",
            "preview": true
        },
        "parameters": {
            "tagValuesExclude": {
                "type": "Array",
                "metadata": {
                    "displayName": "Tags on machines to exclude",
                    "description": "The list of tags that need to be excluded for getting target machines (case sensitive). Example: [ {\"key\": \"tagKey1\", \"value\": \"value1*\"}, {\"key\": \"tagKey2\", \"value\": \"value2*\"}]."
                },
                "defaultValue": [
                    {"key":"ClientCode", "value":"aaa*"},
                    {"key":"Environment", "value":"prd*"}
                ]
            }
        },
        "policyRule": {
            "if": {
                        "count": {
                            "value": "[parameters('tagValuesExclude')]",
                            "name": "tagExclude",
                            "where": {
                                "field": "tags['current('tagExclude').key']",
                                "notLike": "[current('tagExclude').value]"
                            }
                        },
                        "equals": "[length(parameters('tagValuesExclude'))]"
            },
            "then": {
                "effect": "audit"
            }
        }
    }
}

Enhance validation script

Add checking for azurepolicy.rules.json and azurepolicy.parameters.json

[New] Log Analytics Workspace require retention in days

#374

Azure Policy for DeployIfNotExists for Key Vault not working as expected

Issue: Azure Policy for DeployIfNotExists for Key Vault not working as expected

Behaviour:

Deployed the policy following:
https://github.com/Azure/Community-Policy/tree/main/policyDefinitions/Key%20Vault/enable-soft-delete-and-purge-protection-on-key-vaults
The Policy evaluates Key vaults that do not have enablePurgeProtection as complaint.
It remediates new resources automatically, however the state is not displayed in compliance state
The policy fails to work on the Keyvaults that are created via old API (viz that provided us the option for "enableSoftDelete" to be disabled/enabled)

Expected Behavior:

The existing resources will be remidiated by remediation task
The new / updated resources will be auto-remidiated and show up as "Complaint"
The policy should also work well with the resources that had been created via old API - enableSoftDelete as False

[New] Container Registries enable retention policy

#355

VM App policy for Scaleset

Hi!

I saw there is a policy for VM Application and Windows Virtual machines.

Is there also a policy for VMSS? Thanks!

Run Submit-PullRequest.ps1 on PR creation

[New] Container Registries enable trust policy

#358

Link broken (Azure Governance monthly call link)

Join the Monthly Call on Azure Governance (register here) -> register here link is broken.

Typo in deploy-private-endpoint-private-dns-zone-link

There is a typo in this policy:
policyDefinitions/Network/deploy-private-endpoint-private-dns-zone-link

                "variables": {
                  "pvtendpointdnsgroupname": "[concat(parameters('privateEndpointName'),'/default')]",
                  "groupIdMap": {
                    "sqlServer": "privatelink.database.windows.net",
                    "blob": "privatelink.blob.core.windows.net",
                    "blob_secondary": "privatelink.blob.core.windows.ne",   <---
                    "table": "table.core.windows.net",
                    "table_secondary": "table.core.windows.net",
                    "queue": "privatelink.queue.core.windows.net",
                    "queue_secondary": "privatelink.queue.core.windows.net",
                    "file": "privatelink.file.core.windows.net",
                    "file_secondary": "privatelink.file.core.windows.net",
                    "web": "privatelink.web.core.windows.net",
                    "web_secondary": "privatelink.web.core.windows.net"
                  },

Will create a PR to fix this.

Incorerct role definition ID for policy "Deploy Resource Lock on RGs - tag exclusion"?

For the policy definition policyDefinitions/General/deploy-resource-lock-on-rgs-tag-exclusion/azurepolicy.json, is the role defintion correct?

In the code, it has:

"/providers/Microsoft.Authorization/roleDefinitions/35b50af1-b556-492f-8595-cbf5cb531055"

But I cannot see any built-in role (https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) with the role Id of 35b50af1-b556-492f-8595-cbf5cb531055.

Assuming this code is sourced from https://github.com/grabery/graber.cloud-azure-templates/blob/main/gov/policies/audit-and-deploy-resource-lock/azdeploy.json, then that definition uses a role Id of 8e3af657-a8ff-443c-a75c-2fe8c4bcb635, i.e. Owner.

Very quick question on the (rather nice) deny-ports-nsg policy which I'm adapting for JIT restrictions.

Is there any reason why it uses:

{
  "not": {
    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
    "notEquals": "*"
  }
}

on lines 12-17 rather than

{
  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
  "equals": "*"
}

I think they're the same but is there a nuance I'm unaware of?

Thanks - Rich

Azure Policy JSON Schema?

I notice all these policies don't have a $schema associated with them. Is there a schema for just the JSON Policy (there's a schema for rules and schema for the arm template, but not for the policy that I can find). If not then how do you validate your azure policy JSON is correct?

Bug in Submit-PolicyDefinitionFile.ps1

Need Info: How to create name pattern match for management group

How to create name pattern match for management group

{
  "properties": {
    "displayName": "Management group naming policy",
    "policyType": "Custom",
    "mode": "All",
    "description": "Management group naming policy",
    "metadata": {
      "category": "demo",
      "createdBy": "9c09fb2b-1087-426f-bb28-e61deabe80d8",
      "createdOn": "2020-12-05T07:02:00.0603529Z",
      "updatedBy": "9c09fb2b-1087-426f-bb28-e61deabe80d8",
      "updatedOn": "2020-12-06T11:03:06.3194647Z"
    },
    "parameters": {
      "namePattern": {
        "type": "String",
        "metadata": {
          "displayName": "namePattern",
          "description": "? for letter, # for numbers"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "not": {
              "field": "name",
              "match": "[parameters('namePattern')]"
            }
          },
          {
            "field": "type",
            "equals": "Microsoft.Management/managementGroups"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/xxxxxxx/providers/Microsoft.Authorization/policyDefinitions/xxxxx",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7fd51680-8e1f-4981-9c3e-ce273005cdb2"
}

Validate in the pipeline that policy id is not equal to any built-in policies

enforce lowercase or uppercase policy not working

Trying to use the below use the below policy

https://github.com/Azure/Community-Policy/blob/master/Policies/Tags/enforce-lowercase-or-uppercase-on-tags-and-their-values-on-resource-groups/azurepolicy.json

however I'm getting the below error message.
Creating remediation task 'xxxxxxxxxxxxxxxx' failed. A function or parameter in policy assignment 'xxxxxxxxxxxxxxxx' associated with the policy definition 'xxxxxxxxxxxxxxxxxx' could not be validated. Please either fix the policy or remove the policy assignment to unblock. If using template functions, try following the tips in: https://aka.ms/policy-avoiding-template-failures. The inner exception 'Unable to evaluate the template language function 'json'. The argument provided is not a valid JSON string.'.
I removed the json() function from the below line.

Community-Policy/Policies/Tags/enforce-lowercase-or-uppercase-on-tags-and-their-values-on-resource-groups/azurepolicy.json

Line 37 in ce3370d

    
           "value": "[json(if(equals(parameters('toLowerOrToUpper'), 'Lowercase'), toLower(string(field('tags'))),toUpper(string(field('tags')))))]"

Then I get the below error
Creating remediation task xxxxx failed. A function or parameter in policy assignment xxxxxxxxx associated with the policy definition xxxxxxxx could not be validated. Please either fix the policy or remove the policy assignment to unblock. If using template functions, try following the tips in: https://aka.ms/policy-avoiding-template-failures. The inner exception 'Unable to evaluate the template language function 'json'. The argument provided is not a valid JSON string.'.

Links all broken ?

I'm trying to understand how it can work. Let's take a single policy for AKS
https://github.com/Azure/Community-Policy/tree/main/policyDefinitions/Kubernetes/block-usage-of-the-default-namespace-in-a-kubernetes-cluster

The policy JSON file references contraints templates

   "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/Policies/Kubernetes/block-default-namespace/template.yaml",
          "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/Policies/Kubernetes/block-default-namespace/constraint.yaml",
          "values": {
            "excludedNamespaces": "[parameters('excludedNamespaces')]"
          }

But all these links are broken

That's the case for most of policies. I found the reason, in June @techlake did this commit and removed half of the files with this commit

@techlake was it the desired outcome ? I see several commit for this PR saying "policy cleaning" but I'm not sure the current policies could work without the missing files (even if they have to be base64encoded and then injected).

Thanks for your feedback, I may be missing something obivous :)

Contribution guide is contradictory

Under the section "Files, folders and naming conventions" there's a statement that a Azure policy needs to include 4 different files.

azurepolicy.json
azurepolicy.rules.json
azurepolicy.parameters.json
README.md

There's a description stating

Include a README.md file that explains how the Azure Policy works, and how to assign it at scope.
Guidelines on the README.md file below.

Same under "Pull requests"
PR must:

Contain a single Policy (with 4 files)
Requests for changes must be answered within 30 days
- PR will be deleted after this time

However, there's also a section stating that the README.md is optional
https://github.com/Azure/Community-Policy/blob/master/CONTRIBUTING.md#readmemd-optional

Is the guideline that the README.md must be included or is it optional?

issue Address space must be pre-allocated to region policy

The policy gives invalidparameters in split() function by array. It expects a string. The current value is:

"value": "[split(field('Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id'), '/')[2]]",

the new one:

"value": "[split**(string**(field('Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id')), '/')[2]]",

However, the change the policy is not working appropiately

Can't get the policy "Virtual Machine NIC must have NSG" to work

Hello,

I tried to use the "Virtual Machine NIC must have NSG" policy to specifically block VMs NIC creation without NSG but when I deploy a new VM it passes validation without NSG.
My best guess is that the field "Microsoft.Network/networkInterfaces/virtualMachine.id", with which the policy makes sure the NIC belongs to a VM, is created after the initial validation.

Thanks

NSG-Flow logs deployment policy is not working

Hi @mrajess ,

Greetings!!

Kindly be informed that, below policy is unable to evaluate the non-compliant resource details when i pass target region as suggested but it is able to identify when i pass region as single location from the assignment parameters section. Please advise on this.

https://github.com/Azure/Community-Policy/blob/master/Policies/Network/deploy-nsg-flow-logs/azurepolicy.json

Thank you.

deny-nsgs-with-rules-with-source-any doesnt seem to be working as expected

https://github.com/Azure/Community-Policy/blob/master/Policies/Network/deny-nsgs-with-rules-with-source-any/azurepolicy.json

I have tried using this policy in deny mode and looks like it doesnt work. I was able to create rules with any(*) source on inbound rules in NSG.
Have you guys come across issues with NSG policy rules?

[New] Storage Accounts block deletion

#370

Police NSG rules creation

I was trying to create a police that automatically creates certain nsg rules, when an nsg is created. I have tried many ways, but with out any success. Is it possible to create this police?

Json code I tried:
{
"properties": {
"displayName": "Creat automatically deny-all-out Network Security Groups",
"policyType": "Custom",
"mode": "Indexed",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups"
}
]
},
"then": {
"effect": "append",
"details": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
"value": "Outbound"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourcePortRanges",
"value": "*"
},

      {
        "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].name",
        "value": "Any"
      },
      {
        "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
        "value": "*"
      },
      {
        "field": "Microsoft.Network/networkSecurityGroups/securityRules/protocol",
        "value": "Any"
      },
      {
        "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
        "value": "Deny"
      },
      {
        "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
        "value": "4096"
      }
    ]
  }
}

}
}

Create required file generation and validations script

Script should:

Validate format, contribution guide.
Require only the complete definition file

Does the Azure APIM policy support operate the JSON file?

Does the APIM policy support operate the JSON file??

From Browser side:
HTTP Header_1 : "Base 64 json file"

{ a : "a", b : "b" }

In the APIM policy :

Read all the JSON from Header
Decode Base 64
Reformat the JSON file, and forward to backend service in another HTTP Header name

HTTP Header_2: "Base 64 json file"

{ c : { a : "a", b : "b" } }

Here is the example for this requirement. Thanks

An Azure Policy to deploy Diagnostic Settings for Azure Storage to Event Hub

Currently Azure Storage account supports diagnostic settings to stream resource logs to Event Hub but unlike Log Analytics, there's no Azure Policy to enforce adding or Auditing storage accounts deployed without Diagnostic settings routing to Eventhub.

[New] Storage Accounts enable purge protection

#364

Broken Link

The file CONTRIBUTING.md has a third bullet titled

"Useful Tools. Useful resources and tools for Azure development."

with a broken URL:

"https://github.com/Azure/Community-Policy/blob/master/1-contribution-guide/useful-tools.md"

Issue with alias for azurepolicy.json

For azurepolicy.json, I'm getting the following error when I try and build a custom policy:

The 'field' property 'Microsoft.Sql/publicNetworkAccess' of the policy rule does not exist as an alias under provider 'Microsoft.Sql'.

NSG Flow Log Policy Dependencies

There appears to me unneeded dependencies in the resources section of the policy. This causes issues if some services are removed from the policy.

https://github.com/Azure/Community-Policy/blob/master/Policies/Security/deployifnotexists-security-center-tier-by-service/azurepolicy.json#L197

DeployIfNotExists effect results in different compliance results versus Audit effect

Problem

I have a parameterized policy which works exactly as expected when in Audit mode. When flipped to DeployIfNotExists (DINE), the policy "works" in that it automatically remediates newly deployed resources correctly. It also correctly remediates existing resources when a remediation task is invoked. However, the Compliance state of the policy assignment itself shows 0 resources compliant once all in-scope resources have been remediated. I've read this link top to bottom multiple times, but nowhere do I see this behavior outlined.

I'm trying to understand if this is a potential bug as we're doing an existenceCondition in line with other DINE examples. The differing behavior between Audit and DINE has us hyper-focused on the DINE portion.

"parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled",
          "Audit"
        ],
        "defaultValue": "DeployIfNotExists"
      },
...

Relevant Policy Snippet

 "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "field": "Microsoft.KeyVault/vaults/enableRbacAuthorization",
            "equals": "false"
          },
          {
            "field": "Microsoft.Keyvault/vaults/accessPolicies[*].objectId",
            "notEquals": "[parameters('AadObjectId')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Keyvault/vaults/accessPolicies",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Keyvault/vaults/accessPolicies[*].objectId",
                "notequals": "[parameters('AadObjectId')]"
              }
            ]
          },
...

This also exhibits the same behavior with an inverse and even simpler existenceCondition:

        "existenceCondition": {
          "equals": "[parameters('wizAadObjectId')]",
          "field": "Microsoft.Keyvault/vaults/accessPolicies[*].objectId"
        },

[New] Storage Accounts block external copy scope

#368

Bulk-run Submit-PolicyDefinitionFile to fix existing Policies

Policy - Name Restriction

Hello,

I created a policy that restricts the name of the resources and resource groups. For example, all names must contain a certain parameter. But I wanted to add an exception, like "all names must contain a certain parameter or the name must be 'MonitorAgent'". But didn't work has expected. Is any other way to make this policy right?

This is the policy defenition that I tried:

{
"mode": "Indexed",
"policyRule": {
"if": {
"anyOf": [
{
"field": "name",
"notContains": "MicrosoftMonitoringAgent"
},
{
"not": {
"field": "name",
"contains": "[parameters('namePattern')]"
}
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {
"namePattern": {
"type": "String",
"metadata": {
"displayName": "namePattern",
"description": "Pattern to use for names. Can include ? for letters and # for numbers."
}
}
}
}

[New] Storage Accounts default to OAuth authentication

#366

Deny resource types question

Hello.

I'm trying to create policy for deny resource types except specified (plus their child types).
So for that I made a rule like this:

        "policyRule": {
            "if": {
                "value": "[concat(split(field('type'),'/')[0],'/',split(field('type'),'/')[1])]",
                "notin": "[parameters('allowListResourceTypes')]"
            },
            "then": {
                "effect": "[parameters('effect')]"
            }
        }

Where effect is deny, and allowListResourceTypes is array like:

[
   "Microsoft.Network/virtualNetworks",
   "Microsoft.Automation/automationAccounts",
   ...
]

Which in theory must to include child resources, cause any resource would have Microsoft.<Provider>/<resourceType> orMicrosoft.<Provider>/<resourceType>/<childType>. So in cases by splitting 1 and second part I must receive Microsoft.<Provider>/<resourceType>.
But in practice it works for Microsoft.Network/virtualNetworks but not work for Microsoft.Network/virtualNetworks/subnets, works for Microsoft.Automation/automationAccounts but not for Microsoft.Automation/automationAccounts/runbooks.

Could you please provide any advice, where is the gap in my logic?