I'm writting a simple policy, if it's a Azure PaaS SQL, and have public IP in the firewall rule, it will evaluate.
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/servers"
},
{
"allOf": [
{
"field": "Microsoft.Sql/servers/firewallRules/startIpAddress",
"equals": "xxx.xxx.xxx.xxx"
},
{
"field": "Microsoft.Sql/servers/firewallRules/endIpAddress",
"equals": "xxx.xxx.xxx.xxx"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Disabled",
"Audit"
],
"defaultValue": "Audit"
}
}
}
I found when I click to add this definition, the error message tells me
Editing policy definition 'sql firewall audit' in 'RogerBlueprint' failed.
The policy definition targets multiple resource types, but the policy rule is authored in a way that makes the policy not applicable to the target resource types 'Microsoft.Sql/servers,Microsoft.Sql/servers/firewallRules'.
This is because the policy rule has a condition that can never be satisfied by the target resource types.
If an alias is used, please make sure that the alias gets evaluated against only the resource type it belongs to by adding a type condition before it, or split the policy into multiple ones to avoid targeting multiple resource types.
I wonder is it true that in IF condition, can you not use two resource types together?
CodePudding user response:
That is indeed true - from an ARM standpoint Microsoft.Sql/servers and Microsoft.Sql/servers/firewallRules are two different objects, even though there is a parent <> child relation.
The way the policy engine runs is that it is scanning every ARM component one by one. In your case, it clearly says that it won't succeed since a given object cannot be of two types at the same type. Under the hood, the alias Microsoft.Sql/servers/firewallRules is identified as being a type not a property.
If the logic applies to all your servers in a given scope, then you could keep the policy focused on Microsoft.Sql/servers/firewallRules :
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/servers/firewallRules"
},
{
"allOf": [
{
"field": "Microsoft.Sql/servers/firewallRules/startIpAddress",
"equals": "xxx.xxx.xxx.xxx"
},
{
"field": "Microsoft.Sql/servers/firewallRules/endIpAddress",
"equals": "xxx.xxx.xxx.xxx"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Disabled",
"Audit"
],
"defaultValue": "Audit"
}
}
}