Azure Policy - Set expiry for keys/secrets

Time:11-03

I am trying to write an Azure Policy that checks if an Azure key has an expiry date; if it does not, then I want to use a DeployIfNotExists effect to set one. However, I am getting a "ResourceNotFound" error.

Note: The "if" statement without the "then" statement works fine; when I run this policy it shows me which keys do not have an expiration date. I get the issue when I add in the DeployIfNotExists effect.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault/vaults/keys"
        },
        {
          "field": "Microsoft.KeyVault/vaults/keys/attributes.exp",
          "exists": false
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.KeyVault/vaults/keys",
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "resources": [
                {
                  "type": "Microsoft.KeyVault/vaults/keys",
                  "apiVersion": "2021-06-01-preview",
                  "properties": {
                    "exp": "10000"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "parameters": {}
}

CodePudding user response:

Here you are working at the Data layer of the Key Vault, that is, what is inside it (Keys, Secrets, Certificates).

In that case, when it is not about the infrastructure as such (the configuration of the Key Vault itself), you have to use the Microsoft.KeyVault.Data mode for your custom policy instead of All.

That said, DeployIfNotExists policies are not yet supported; see the official documentation about Azure Policy for Key Vault. You can only Audit or Deny.
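As an added example (not from the question or the answer above), here is the same expiry check rewritten for the data-plane mode the answer names, with the effect parameterised to Audit or Deny, the two effects available there, and extended to cover secrets as well as keys. The `Microsoft.KeyVault.Data/vaults/keys/attributes.expiresOn` and `Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn` aliases are assumed; confirm them in your tenant with `Get-AzPolicyAlias -NamespaceMatch 'Microsoft.KeyVault.Data'` before assigning.

```json
{
  "displayName": "Key Vault keys and secrets should have an expiration date",
  "description": "Added example policy. Data-plane aliases (attributes.expiresOn) are assumed; verify with Get-AzPolicyAlias.",
  "mode": "Microsoft.KeyVault.Data",
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Audit flags existing non-compliant objects; Deny blocks new ones without an expiry."
      },
      "allowedValues": [ "Audit", "Deny", "Disabled" ],
      "defaultValue": "Audit"
    }
  },
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "allOf": [
            { "field": "type", "equals": "Microsoft.KeyVault.Data/vaults/keys" },
            { "field": "Microsoft.KeyVault.Data/vaults/keys/attributes.expiresOn", "exists": false }
          ]
        },
        {
          "allOf": [
            { "field": "type", "equals": "Microsoft.KeyVault.Data/vaults/secrets" },
            { "field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn", "exists": false }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}
```

Keys and secrets that already lack an expiry are only reported by Audit and only future creations are blocked by Deny, so setting the missing dates on existing objects has to be done outside Policy.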
