Comments (2)
Hi @Dushelov ,
I'm taking a wild guess here: this is because you most likely have mode set to Indexed and not All.
More about Azure policy mode can be found here: Azure Policy Mode
Short description: running with 'All' mode will allow the policy to parse through all the Azure resource types, whilst Indexed mode will only allow resource types that have support for Tags and Location, which in your case the Subnet does not have, as you can double-check in the ARM / Bicep reference documentation here: Subnet docs
I've tested in my tenant with a policy I wrote to deny Microsoft.Network/virtualNetworks with child resources but allow "microsoft.sql/servers", which means for example "microsoft.sql/servers/databases", so I can create a server and then all the databases needed on that.
```json
{
  "properties": {
    "displayName": "Allowed parent with child resource types",
    "policyType": "Custom",
    "mode": "All",
    "metadata": {
      "version": "1.0.0",
      "category": "General"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled",
          "Deny"
        ],
        "defaultValue": "Audit"
      },
      "resourceType": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed resource type",
          "description": "An array containing parent resource types"
        },
        "defaultValue": [
          "microsoft.network/privatednszones",
          "microsoft.sql/servers",
          "microsoft.compute/disks",
          "microsoft.compute/virtualmachines",
          "microsoft.compute/virtualmachinescalesets",
          "microsoft.containerservice/managedclusters",
          "microsoft.devtestlab/schedules",
          "microsoft.managedidentity/userassignedidentities",
          "microsoft.network/firewallpolicies",
          "microsoft.network/loadbalancers",
          "microsoft.network/networkinterfaces",
          "microsoft.network/networksecuritygroups",
          "microsoft.network/networkwatchers",
          "microsoft.network/publicipaddresses",
          "microsoft.network/routetables",
          "microsoft.storage/storageaccounts",
          "microsoft.resources/subscriptions",
          "microsoft.authorization/policyassignments",
          "microsoft.authorization/policydefinitions",
          "microsoft.authorization/roleassignments",
          "microsoft.authorization/roledefinitions",
          "microsoft.security/pricings",
          "microsoft.policyinsights/remediations"
        ]
      }
    },
    "policyRule": {
      "if": {
        "value": "[concat(split(field('type'),'/')[0],'/',split(field('type'),'/')[1])]",
        "notin": "[parameters('resourceType')]"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```
from community-policy.
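To make the Indexed-versus-All point concrete, here is an added Python model of how the policy rule above evaluates a resource type (this is illustrative code written for this page, not Azure Policy's engine or the community-policy repository's code). The allowed list is a shortened copy of the one in the definition, and the table of which types support tags and location is a constructed sample; Indexed mode skips types that do not.

```python
"""Model of the 'allowed parent type' rule: parent = first two segments of field('type')."""

# Shortened copy of the policy's resourceType default list (lowercase, as in the definition).
ALLOWED_PARENT_TYPES = [
    "microsoft.network/privatednszones",
    "microsoft.sql/servers",
    "microsoft.compute/virtualmachines",
    "microsoft.storage/storageaccounts",
]

# Constructed sample (assumption for this example): whether a type supports both tags and
# location, which is the criterion Indexed mode uses to decide whether to evaluate it at all.
SUPPORTS_TAGS_AND_LOCATION = {
    "microsoft.network/virtualnetworks": True,
    "microsoft.network/virtualnetworks/subnets": False,  # subnets: no tags, no location
    "microsoft.sql/servers": True,
    "microsoft.sql/servers/databases": True,
    "microsoft.compute/virtualmachines": True,
}


def parent_type(resource_type: str) -> str:
    """Equivalent of concat(split(field('type'),'/')[0], '/', split(field('type'),'/')[1])."""
    parts = resource_type.split("/")
    if len(parts) < 2:
        raise ValueError(f"not a namespaced resource type: {resource_type!r}")
    return f"{parts[0]}/{parts[1]}"


def evaluate(resource_type: str, mode: str, effect: str = "Deny") -> str:
    """Return 'NotApplicable', 'Compliant', or the configured effect for one resource type."""
    if mode not in ("All", "Indexed"):
        raise ValueError(f"unknown policy mode: {mode!r}")
    key = resource_type.lower()  # policy field comparisons are case-insensitive
    # Indexed mode never evaluates types that lack tags/location support (e.g. subnets).
    if mode == "Indexed" and not SUPPORTS_TAGS_AND_LOCATION.get(key, False):
        return "NotApplicable"
    allowed = {t.lower() for t in ALLOWED_PARENT_TYPES}
    if parent_type(key) not in allowed:  # the rule's "notIn" condition is true
        return effect
    return "Compliant"
```

In Indexed mode a subnet is simply never seen by the rule, while in All mode its parent type microsoft.network/virtualnetworks is checked against the list and denied.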
Question has been answered; closing.