azure / community-policy
This repo is for Microsoft Azure customers and Microsoft teams to collaborate in making custom policies.
License: MIT License
Hello.
I'm trying to create a policy to deny all resource types except the specified ones (plus their child types).
So for that I made a rule like this:
"policyRule": {
  "if": {
    "value": "[concat(split(field('type'),'/')[0],'/',split(field('type'),'/')[1])]",
    "notin": "[parameters('allowListResourceTypes')]"
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
Where effect is deny, and allowListResourceTypes is an array like:
[
  "Microsoft.Network/virtualNetworks",
  "Microsoft.Automation/automationAccounts",
  ...
]
Which in theory must include child resources, because any resource would have a type of Microsoft.<Provider>/<resourceType> or Microsoft.<Provider>/<resourceType>/<childType>. So by splitting and taking the first and second parts I must receive Microsoft.<Provider>/<resourceType>.
But in practice it works for Microsoft.Network/virtualNetworks but does not work for Microsoft.Network/virtualNetworks/subnets, and it works for Microsoft.Automation/automationAccounts but not for Microsoft.Automation/automationAccounts/runbooks.
Could you please provide any advice, where is the gap in my logic?
Hi @mrajess ,
Greetings!!
Kindly be informed that the below policy is unable to evaluate the non-compliant resource details when I pass the target region as suggested, but it is able to identify them when I pass the region as a single location from the assignment parameters section. Please advise on this.
Thank you.
Issue: Azure Policy for DeployIfNotExists for Key Vault not working as expected
Behaviour:
Expected Behavior:
Hi, I was going to try out Azure policies, using a template from this GitHub repo: Policies/Network/Deploy NSG rule/
I updated the resources to have a single deny rule, though:
{
  "PolicyType": "Custom",
  "description": "This policy deploys a default Deny All rule to a newly deployed NSG, if it doesn't already exist in the NSG.",
  "mode": "Indexed",
  "displayName": "NSG default Inbound Deny All",
  "parameters": {
    "access": {
      "type": "String",
      "metadata": {
        "description": "The network traffic should be denied.",
        "displayName": "access"
      },
      "defaultValue": "Deny"
    },
    "destinationAddressPrefix": {
      "type": "String",
      "metadata": {
        "description": "The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used.",
        "displayName": "destinationAddressPrefix"
      },
      "defaultValue": "*"
    },
    "destinationPortRange": {
      "type": "String",
      "metadata": {
        "description": "The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.",
        "displayName": "destinationPortRange"
      },
      "defaultValue": "*"
    },
    "direction": {
      "type": "String",
      "metadata": {
        "description": "The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. - Inbound or Outbound",
        "displayName": "direction"
      },
      "defaultValue": "Inbound"
    },
    "effect": {
      "type": "String",
      "metadata": {
        "description": "The effect determines what happens when the policy rule is evaluated to match",
        "displayName": "Effect"
      },
      "defaultValue": "deployIfNotExists"
    },
    "protocol": {
      "type": "String",
      "metadata": {
        "description": "Network protocol this rule applies to. - Tcp, Udp, Icmp, Esp, *, Ah",
        "displayName": "protocol"
      },
      "defaultValue": "*"
    },
    "sourceAddressPrefix": {
      "type": "String",
      "metadata": {
        "description": "The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from.",
        "displayName": "sourceAddressPrefix"
      },
      "defaultValue": "*"
    },
    "sourcePortRange": {
      "type": "String",
      "metadata": {
        "description": "The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports.",
        "displayName": "sourcePortRange"
      },
      "defaultValue": "*"
    }
  },
  "policyRule": {
    "if": {
      "equals": "Microsoft.Network/networkSecurityGroups",
      "field": "type"
    },
    "then": {
      "details": {
        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
        "existenceCondition": {
          "count": {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
            "where": {
              "allOf": [
                {
                  "equals": "[parameters('protocol')]",
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].protocol"
                },
                {
                  "equals": true,
                  "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].sourcePortRange'), parameters('sourcePortRange'))]"
                },
                {
                  "equals": true,
                  "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), parameters('destinationPortRange'))]"
                },
                {
                  "equals": true,
                  "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix'), parameters('sourceAddressPrefix'))]"
                },
                {
                  "equals": true,
                  "value": "[equals(field('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationAddressPrefix'), parameters('destinationAddressPrefix'))]"
                },
                {
                  "equals": "[parameters('access')]",
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access"
                },
                {
                  "equals": "[parameters('direction')]",
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction"
                }
              ]
            }
          },
          "notEquals": 0
        },
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "rulename": {
                  "type": "String"
                },
                "access": {
                  "type": "String"
                },
                "description": {
                  "type": "String"
                },
                "destinationAddressPrefix": {
                  "type": "Array"
                },
                "destinationPortRange": {
                  "type": "Array"
                },
                "direction": {
                  "type": "String"
                },
                "priority": {
                  "type": "Integer"
                },
                "protocol": {
                  "type": "String"
                },
                "sourceAddressPrefix": {
                  "type": "Array"
                },
                "sourcePortRange": {
                  "type": "Array"
                },
                "nsgName": "[field('name')]"
              },
              "resources": [
                {
                  "type": "Microsoft.Network/networkSecurityGroups/securityRules",
                  "apiVersion": "2022-05-01",
                  "name": "[concat(parameters('nsgName'), '/Default DenyAnyAnyInbound')]",
                  "properties": {
                    "protocol": "*",
                    "sourcePortRange": "*",
                    "destinationPortRange": "*",
                    "sourceAddressPrefix": "*",
                    "destinationAddressPrefix": "*",
                    "access": "Deny",
                    "priority": 4089,
                    "direction": "Inbound",
                    "sourcePortRanges": [],
                    "destinationPortRanges": [],
                    "sourceAddressPrefixes": [],
                    "destinationAddressPrefixes": [],
                    "description": "managed deny rule"
                  }
                }
              ]
            }
          }
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
        ]
      },
      "effect": "[parameters('effect')]"
    }
  }
}
However, none of the NSGs that I create receive an incremental update to include the rule.
Even if I don't update the policy definition to my custom wants and leave it as the default copy from GitHub, my newly created NSGs don't receive an incremental update.
And when I try to remediate the resources, the portal gives back: InvalidDeployment
Is the code for the Deploy NSG rule definition on GitHub still valid?
The policy gives invalidparameters in the split() function when it is given an array. It expects a string. The current value is:
"value": "[split(field('Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id'), '/')[2]]",
the new one:
"value": "[split(string(field('Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id')), '/')[2]]",
However, even with the change the policy is not working appropriately.
Under the section "Files, folders and naming conventions" there's a statement that an Azure policy needs to include 4 different files.
There's a description stating
Same under "Pull requests"
PR must:
However, there's also a section stating that the README.md is optional
https://github.com/Azure/Community-Policy/blob/master/CONTRIBUTING.md#readmemd-optional
Is the guideline that the README.md must be included or is it optional?
Hi @mrajess
Very quick question on the (rather nice) deny-ports-nsg policy which I'm adapting for JIT restrictions.
Is there any reason why it uses:
{
  "not": {
    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
    "notEquals": "*"
  }
}
on lines 12-17 rather than
{
  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
  "equals": "*"
}
I think they're the same but is there a nuance I'm unaware of?
Thanks - Rich
For azurepolicy.json, I'm getting the following error when I try and build a custom policy:
The 'field' property 'Microsoft.Sql/publicNetworkAccess' of the policy rule does not exist as an alias under provider 'Microsoft.Sql'.
The following error was encountered while creating the custom policy deploy-dsc-extension-to-azure-vm-and-arc-connected-machines:
Error/Bug
A function or parameter in policy '1e2e506d-89aa-46f1-8cf0-7660ae6dd7fa' could not be validated. If using template functions, try following the tips in: https://aka.ms/policy-avoiding-template-failures. The inner exception 'The policy '1e2e506d-89aa-46f1-8cf0-7660ae6dd7fa' has undefined parameter 'configurationUrl' which is used in the policy rule. Please either define it in policy definition or remove the reference in policy rule.'.
Trying to use the below policy; however, I'm getting the below error message.
Creating remediation task 'xxxxxxxxxxxxxxxx' failed. A function or parameter in policy assignment 'xxxxxxxxxxxxxxxx' associated with the policy definition 'xxxxxxxxxxxxxxxxxx' could not be validated. Please either fix the policy or remove the policy assignment to unblock. If using template functions, try following the tips in: https://aka.ms/policy-avoiding-template-failures. The inner exception 'Unable to evaluate the template language function 'json'. The argument provided is not a valid JSON string.'.
I removed the json() function from the below line.
Then I get the below error
Creating remediation task xxxxx failed. A function or parameter in policy assignment xxxxxxxxx associated with the policy definition xxxxxxxx could not be validated. Please either fix the policy or remove the policy assignment to unblock. If using template functions, try following the tips in: https://aka.ms/policy-avoiding-template-failures. The inner exception 'Unable to evaluate the template language function 'json'. The argument provided is not a valid JSON string.'.
There appear to be unneeded dependencies in the resources section of the policy. This causes issues if some services are removed from the policy.
I was trying to create a policy that automatically creates certain NSG rules when an NSG is created. I have tried many ways, but without any success. Is it possible to create this policy?
JSON code I tried:
{
  "properties": {
    "displayName": "Creat automatically deny-all-out Network Security Groups",
    "policyType": "Custom",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups"
          }
        ]
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
            "value": "Outbound"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourcePortRanges",
            "value": "*"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceApplicationSecurityGroups[*].name",
            "value": "Any"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
            "value": "*"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/protocol",
            "value": "Any"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
            "value": "Deny"
          },
          {
            "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
            "value": "4096"
          }
        ]
      }
    }
  }
}
There is a typo in this policy:
policyDefinitions/Network/deploy-private-endpoint-private-dns-zone-link
"variables": {
  "pvtendpointdnsgroupname": "[concat(parameters('privateEndpointName'),'/default')]",
  "groupIdMap": {
    "sqlServer": "privatelink.database.windows.net",
    "blob": "privatelink.blob.core.windows.net",
    "blob_secondary": "privatelink.blob.core.windows.ne", <---
    "table": "table.core.windows.net",
    "table_secondary": "table.core.windows.net",
    "queue": "privatelink.queue.core.windows.net",
    "queue_secondary": "privatelink.queue.core.windows.net",
    "file": "privatelink.file.core.windows.net",
    "file_secondary": "privatelink.file.core.windows.net",
    "web": "privatelink.web.core.windows.net",
    "web_secondary": "privatelink.web.core.windows.net"
  },
Will create a PR to fix this.
All of the Azure policies so far generated are kept as ARM templates.
Is there an idea to also deliver these as bicep files that can be used as part of AzOps or other engines?
If so, I'd be happy to help to get that started.
Before creating the deploy-storage-monitoring-log-analytics policy, I ran JimGBritt's policies for diagnostic settings to LogAnalytics.
I ran the following command:
$definition = New-AzPolicyDefinition `
  -Name "deploy-storage-monitoring-log-analytics" `
  -DisplayName "Deploy Diagnostic Settings for Azure Storage, including blobs, files, tables, and queues to a Log Analytics workspace" `
  -Description "Deploys the diagnostic settings for Azure Storage, including blobs, files, tables, and queues to stream to a regional Log Analytics workspace when any Azure Storage which is missing this diagnostic settings is created or updated." `
  -Policy 'https://raw.githubusercontent.com/Azure/Community-Policy/master/Policies/Storage/deploy-storage-monitoring-log-analytics/azurepolicy.rules.json' `
  -Parameter 'https://raw.githubusercontent.com/Azure/Community-Policy/master/Policies/Storage/deploy-storage-monitoring-log-analytics/azurepolicy.parameters.json' -Mode Indexed
$definition
$assignment = New-AzPolicyAssignment -Name "Diagnostic Settings for Azure Storage PROD" -Scope "/subscriptions/<tenantid>" `
  -Description "Deploys the diagnostic settings for Azure Storage, including blobs, files, tables, and queues to stream to a regional Log Analytics workspace when any Azure Storage which is missing this diagnostic settings is created or updated." `
  -logAnalytics "/subscriptions/<tenantid>/resourcegroups/<resourcegroup>/providers/microsoft.operationalinsights/workspaces/<law>" `
  -profileName "MonitoringDiagnosticsSettings" -metricsEnabled "True" `
  -PolicyDefinition $definition -Location "westeurope" -AssignIdentity
$assignment
In the Azure Portal I edited the policy (to exclude some resource groups and assign the proper RBAC to the assigned identity), and triggered a policy evaluation.
The result is that there is a list of compliant resources:
However, if I check the diagnostic settings, they are not as expected (no blob, queue, table and file diagnostics enabled):
The non-compliant resources do have the proper setting:
How come these settings are incorrect? Creating a remediation task fails as the settings are already present, and the "compliant" resources cannot be configured correctly.
The file CONTRIBUTING.md has a third bullet titled
with a broken URL:
"https://github.com/Azure/Community-Policy/blob/master/1-contribution-guide/useful-tools.md"
Hi,
Your folder structure has changed from 'Policies' to 'policyDefinitions'. This has broken the links under 'Name', for example:
https://www.azadvertizer.net/azpolicyadvertizer/monitoring_deploy-diagnostic-setting-for-activity-log-event-hub.html
to:
Join the Monthly Call on Azure Governance (register here) -> register here link is broken.
error: unable to create file
deploy-diagnostic-settings-to-azure-firewall/policies/Deploy_Diagnostic_Settings_for_Azure_Firewall_to_Log_Analytics_workspace_855bd88d-18bf-42c2-a519-9e7798bb7ee4/assign.Deploy_Diagnostic_Settings_for_Azure_Firewall_to_Log_Analytics_workspace_15f454a0c98e4178a3bcc7bf.json: Filename too long
Currently Azure Storage accounts support diagnostic settings to stream resource logs to Event Hubs, but unlike Log Analytics, there's no Azure Policy to enforce adding, or to audit, storage accounts deployed without diagnostic settings routing to Event Hubs.
I notice all these policies don't have a $schema associated with them. Is there a schema for just the JSON policy (there's a schema for the rules and a schema for the ARM template, but not for the policy that I can find)? If not, then how do you validate that your Azure Policy JSON is correct?
Hi @fawohlsc /Team,
Trust you are doing well.
In my environment, we have a few subnets that are not assigned to any NSG. So I would like to deploy the above custom definition to enforce an NSG for subnets that have none.
While assigning the assignment, I have passed the parameters as suggested below for networksecuritygroupsettings:
{
  "northeurope": { // I have given the location of the vnet that the subnets belong to
    "resourceGroupName": "random name",
    "networkSecurityGroupName": "random nsg name"
  },
  "westeurope": {
    "resourceGroupName": "we-network",
    "networkSecurityGroupName": "we-default-nsg"
  },
  "disabled": {
    "resourceGroupName": "",
    "networkSecurityGroupName": ""
  }
}
But it is not able to identify the non-compliant resources and it is showing 100% compliant. I have also assigned the scope correctly. Can you please advise me here?
Hi @mrajess,
I have also tried the below definition file
enforce-subnets-must-have-nsg-and-nsg-must-have-same-suffix-as-subnet/
but I am getting the below error:
parameters 'exceptionList' which are not used in the policy rule. Please either remove these parameters from the definition or ensure that they are used in the policy rule. So I tried removing the exceptionList parameter from the definition, but it is still not accepting the definition to save and it is giving the below error.
The existing policy has '1' parameter(s) which is greater than the count of parameter(s) '0' in the policy being added. Policy parameters cannot be removed during policy update.
Could you kindly advise me here please. I got stuck here.
Looking forward to hearing from you.
Thank you,
Kind regards,
Maheswara.
I am doing schema validation while creating custom policies for Azure AKS.
The current schema https://github.com/Azure/azure-resource-manager-schemas/blob/main/schemas/2020-10-01/policyDefinition.json is outdated as it doesn't support the templateInfo argument used for creating custom policies for AKS.
https://learn.microsoft.com/en-us/azure/aks/use-azure-policy#create-and-assign-a-custom-policy-definition-preview
There should be an Azure Policy for auditing the active geo-replications which are not enabled on Azure SQL databases.
Add checking for azurepolicy.rules.json and azurepolicy.parameters.json
I have tried using this policy in deny mode and it looks like it doesn't work. I was able to create rules with any (*) source on inbound rules in the NSG.
Have you guys come across issues with NSG policy rules?
Hi!
I saw there is a policy for VM Application and Windows Virtual machines.
Is there also a policy for VMSS? Thanks!
How to create name pattern match for management group
{
  "properties": {
    "displayName": "Management group naming policy",
    "policyType": "Custom",
    "mode": "All",
    "description": "Management group naming policy",
    "metadata": {
      "category": "demo",
      "createdBy": "9c09fb2b-1087-426f-bb28-e61deabe80d8",
      "createdOn": "2020-12-05T07:02:00.0603529Z",
      "updatedBy": "9c09fb2b-1087-426f-bb28-e61deabe80d8",
      "updatedOn": "2020-12-06T11:03:06.3194647Z"
    },
    "parameters": {
      "namePattern": {
        "type": "String",
        "metadata": {
          "displayName": "namePattern",
          "description": "? for letter, # for numbers"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "not": {
              "field": "name",
              "match": "[parameters('namePattern')]"
            }
          },
          {
            "field": "type",
            "equals": "Microsoft.Management/managementGroups"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Management/managementGroups/xxxxxxx/providers/Microsoft.Authorization/policyDefinitions/xxxxx",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "7fd51680-8e1f-4981-9c3e-ce273005cdb2"
}
Hello,
I created a policy that restricts the names of resources and resource groups. For example, all names must contain a certain parameter. But I wanted to add an exception, like "all names must contain a certain parameter or the name must be 'MonitorAgent'". But it didn't work as expected. Is there any other way to make this policy right?
This is the policy definition that I tried:
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "field": "name",
          "notContains": "MicrosoftMonitoringAgent"
        },
        {
          "not": {
            "field": "name",
            "contains": "[parameters('namePattern')]"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "namePattern": {
      "type": "String",
      "metadata": {
        "displayName": "namePattern",
        "description": "Pattern to use for names. Can include ? for letters and # for numbers."
      }
    }
  }
}
Hello,
I am debugging an Azure policy and still get the wrong compliance status.
For example, I have two Azure Arc VMs with tags:
ClientCode: ggg and Environment: dev
ClientCode: hhh and Environment: acc
My policy should pick up those servers as compliant, but it still shows them as non-compliant. I have tried a lot of different approaches, but could not make it work. If those two tags are not like the described ones, the policy should mark the VM as compliant.
{
  "properties": {
    "displayName": "test tag exclude",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Test tag matching",
    "metadata": {
      "version": "0.0.1-preview",
      "category": "Tags",
      "preview": true
    },
    "parameters": {
      "tagValuesExclude": {
        "type": "Array",
        "metadata": {
          "displayName": "Tags on machines to exclude",
          "description": "The list of tags that need to be excluded for getting target machines (case sensitive). Example: [ {\"key\": \"tagKey1\", \"value\": \"value1*\"}, {\"key\": \"tagKey2\", \"value\": \"value2*\"}]."
        },
        "defaultValue": [
          {"key":"ClientCode", "value":"aaa*"},
          {"key":"Environment", "value":"prd*"}
        ]
      }
    },
    "policyRule": {
      "if": {
        "count": {
          "value": "[parameters('tagValuesExclude')]",
          "name": "tagExclude",
          "where": {
            "field": "tags['current('tagExclude').key']",
            "notLike": "[current('tagExclude').value]"
          }
        },
        "equals": "[length(parameters('tagValuesExclude'))]"
      },
      "then": {
        "effect": "audit"
      }
    }
  }
}
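As an added example that is not part of the post above or of the Community-Policy repo, the Python below models how the count/where/notLike expression in that definition evaluates against the two Arc machines described (the tag sets, the exclude list and a third machine that does carry the excluded values are constructed from the post). The model shows that the count equals the list length exactly when none of the exclusion patterns match, and under an audit effect a resource whose if block evaluates true is what gets reported as non-compliant. It also includes a hypothetical inverted rule (not from the post) that counts the tags which are like the pattern and matches when that count is greater than 0, which is one way to express the intent stated in the post. The like/notLike semantics (case-insensitive, single * wildcard, notLike true when the tag is absent) are modelled here, not looked up from the service.

```python
# Added example (not code from the Community-Policy repo or the poster): a
# small model of an Azure Policy `count` expression with a `notLike` condition,
# evaluated against a resource's tags.
from typing import Callable, Dict, List, Optional

# Constructed sample data: the default value of `tagValuesExclude` from the post.
TAG_VALUES_EXCLUDE: List[Dict[str, str]] = [
    {"key": "ClientCode", "value": "aaa*"},
    {"key": "Environment", "value": "prd*"},
]

# Constructed sample resources: the two Arc VMs described in the post plus one
# machine that does carry the excluded tag values.
SAMPLE_MACHINES: Dict[str, Dict[str, str]] = {
    "arc-vm-1": {"ClientCode": "ggg", "Environment": "dev"},
    "arc-vm-2": {"ClientCode": "hhh", "Environment": "acc"},
    "arc-vm-3": {"ClientCode": "aaa01", "Environment": "prd"},
}

Rule = Callable[[Dict[str, str], List[Dict[str, str]]], bool]


def like(value: Optional[str], pattern: str) -> bool:
    """Model of the `like` condition: case-insensitive, at most one '*' wildcard.
    A missing tag never satisfies `like`."""
    if value is None:
        return False
    v, p = value.lower(), pattern.lower()
    if "*" not in p:
        return v == p
    head, _, tail = p.partition("*")
    return v.startswith(head) and v.endswith(tail) and len(v) >= len(head) + len(tail)


def not_like(value: Optional[str], pattern: str) -> bool:
    """`notLike` is the negation of `like`, so it is true when the tag is absent."""
    return not like(value, pattern)


def count_not_like(tags: Dict[str, str], exclude: List[Dict[str, str]]) -> int:
    """The `count`/`where` part of the rule: number of exclude entries whose tag
    value is NOT like the entry's pattern (or whose tag is missing)."""
    return sum(1 for e in exclude if not_like(tags.get(e["key"]), e["value"]))


def if_matches_as_posted(tags: Dict[str, str], exclude: List[Dict[str, str]]) -> bool:
    """The `if` block as posted: count equals the list length, i.e. true exactly
    when NONE of the exclusion patterns match the machine's tags."""
    return count_not_like(tags, exclude) == len(exclude)


def if_matches_inverted(tags: Dict[str, str], exclude: List[Dict[str, str]]) -> bool:
    """Hypothetical rewrite (not from the post): count the entries whose tag IS
    like the pattern and match when that count is greater than 0, so only
    machines carrying an excluded value are flagged."""
    matching = sum(1 for e in exclude if like(tags.get(e["key"]), e["value"]))
    return matching > 0


def compliance(tags: Dict[str, str], exclude: List[Dict[str, str]], rule: Rule) -> str:
    """With an `audit` effect, a resource is non-compliant when its `if` block
    evaluates true and compliant otherwise."""
    return "NonCompliant" if rule(tags, exclude) else "Compliant"


def evaluate_all(machines: Dict[str, Dict[str, str]],
                 exclude: List[Dict[str, str]], rule: Rule) -> Dict[str, str]:
    """Compliance state of every sample machine under the given rule."""
    return {name: compliance(tags, exclude, rule) for name, tags in machines.items()}


if __name__ == "__main__":
    for label, rule in (("as posted", if_matches_as_posted), ("inverted", if_matches_inverted)):
        print(label, evaluate_all(SAMPLE_MACHINES, TAG_VALUES_EXCLUDE, rule))
```

Running it shows arc-vm-1 and arc-vm-2 as NonCompliant under the rule as posted (both exclusion patterns fail to match, so the count reaches the list length and the if block is true), while the machine that actually carries aaa*/prd* values comes out Compliant; the inverted rule gives the opposite result. The model indexes tags as a plain dictionary; in a real definition the tag key taken from current() is normally built with a template expression such as "[concat('tags[', current('tagExclude').key, ']')]", the form the built-in tag policies use for "[concat('tags[', parameters('tagName'), ']')]".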
For the policy definition policyDefinitions/General/deploy-resource-lock-on-rgs-tag-exclusion/azurepolicy.json, is the role definition correct?
In the code, it has:
"/providers/Microsoft.Authorization/roleDefinitions/35b50af1-b556-492f-8595-cbf5cb531055"
But I cannot see any built-in role (https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) with the role Id of 35b50af1-b556-492f-8595-cbf5cb531055.
Assuming this code is sourced from https://github.com/grabery/graber.cloud-azure-templates/blob/main/gov/policies/audit-and-deploy-resource-lock/azdeploy.json, then that definition uses a role Id of 8e3af657-a8ff-443c-a75c-2fe8c4bcb635, i.e. Owner.
Script should:
Hi
I'm trying to understand how it can work. Let's take a single policy for AKS:
https://github.com/Azure/Community-Policy/tree/main/policyDefinitions/Kubernetes/block-usage-of-the-default-namespace-in-a-kubernetes-cluster
The policy JSON file references constraint templates:
"effect": "[parameters('effect')]",
"details": {
  "constraintTemplate": "https://raw.githubusercontent.com/Azure/Community-Policy/master/Policies/Kubernetes/block-default-namespace/template.yaml",
  "constraint": "https://raw.githubusercontent.com/Azure/Community-Policy/master/Policies/Kubernetes/block-default-namespace/constraint.yaml",
  "values": {
    "excludedNamespaces": "[parameters('excludedNamespaces')]"
  }
But all these links are broken.
That's the case for most of the policies. I found the reason: in June @techlake did this commit and removed half of the files with this commit.
@techlake, was it the desired outcome? I see several commits for this PR saying "policy cleaning", but I'm not sure the current policies could work without the missing files (even if they have to be base64-encoded and then injected).
Thanks for your feedback, I may be missing something obvious :)
Does the APIM policy support operating on the JSON file?
From Browser side:
HTTP Header_1 : "Base 64 json file"
{ a : "a", b : "b" }
In the APIM policy :
HTTP Header_2: "Base 64 json file"
{ c : { a : "a", b : "b" } }
Here is the example for this requirement. Thanks
Hello,
I tried to use the "Virtual Machine NIC must have NSG" policy to specifically block VM NIC creation without an NSG, but when I deploy a new VM it passes validation without an NSG.
My best guess is that the field "Microsoft.Network/networkInterfaces/virtualMachine.id", with which the policy makes sure the NIC belongs to a VM, is created after the initial validation.
Thanks
I have a parameterized policy which works exactly as expected when in Audit mode. When flipped to DeployIfNotExists (DINE), the policy "works" in that it automatically remediates newly deployed resources correctly. It also correctly remediates existing resources when a remediation task is invoked. However, the Compliance state of the policy assignment itself shows 0 resources compliant once all in-scope resources have been remediated. I've read this link top to bottom multiple times, but nowhere do I see this behavior outlined.
I'm trying to understand if this is a potential bug as we're doing an existenceCondition in line with other DINE examples. The differing behavior between Audit and DINE has us hyper-focused on the DINE portion.
"parameters": {
  "effect": {
    "type": "String",
    "metadata": {
      "displayName": "Effect",
      "description": "Enable or disable the execution of the policy"
    },
    "allowedValues": [
      "DeployIfNotExists",
      "Disabled",
      "Audit"
    ],
    "defaultValue": "DeployIfNotExists"
  },
  ...
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.KeyVault/vaults"
      },
      {
        "field": "Microsoft.KeyVault/vaults/enableRbacAuthorization",
        "equals": "false"
      },
      {
        "field": "Microsoft.Keyvault/vaults/accessPolicies[*].objectId",
        "notEquals": "[parameters('AadObjectId')]"
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]",
    "details": {
      "type": "Microsoft.Keyvault/vaults/accessPolicies",
      "existenceCondition": {
        "allOf": [
          {
            "field": "Microsoft.Keyvault/vaults/accessPolicies[*].objectId",
            "notequals": "[parameters('AadObjectId')]"
          }
        ]
      },
      ...
This also exhibits the same behavior with an inverse and even simpler existenceCondition:
"existenceCondition": {
  "equals": "[parameters('wizAadObjectId')]",
  "field": "Microsoft.Keyvault/vaults/accessPolicies[*].objectId"
},