Why does the following policy have no effect? I was expecting it to prevent the creation of any resource group whose name doesn't start with rg-*. However, any pattern for a resource group name can be used.
{
  "properties": {
    "policyType": "Custom",
    "mode": "All",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/resourceGroups"
          },
          {
            "field": "name",
            "notLike": "rg-*"
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/subscriptions/.../providers/Microsoft.Authorization/policyDefinitions/policy-naming-convention-rg",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "policy-naming-convention-rg"
}
It is correctly assigned, and I have also waited long enough for it to become effective. An ARM template that can be used to create a resource group looks as follows:
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.1",
  "parameters": {
    "rgName": {
      "type": "string"
    },
    "rgLocation": {
      "type": "string"
    },
    "tags": {
      "type": "object",
      "defaultValue": {}
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2018-05-01",
      "location": "[parameters('rgLocation')]",
      "name": "[parameters('rgName')]",
      "properties": {},
      "tags": "[parameters('tags')]"
    }
  ],
  "outputs": {}
}
So the type should match, and the field also. I am puzzled. Any idea?
CodePudding user response:
Please see this SO question; I think it could be of help. Basically, you need to use Microsoft.Resources/subscriptions/resourceGroups, not Microsoft.Resources/resourceGroups, when defining your policy.
It is not exactly your use case, but Microsoft Azure provides an example of Azure Policy definitions related to resource groups in which the mentioned naming convention is used.
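The corrected definition, as an added example that is not part of the question or the answer above: the only change that makes the rule fire is the `type` value `Microsoft.Resources/subscriptions/resourceGroups`, which is how Azure Policy identifies a resource group even though the ARM template declares it as `Microsoft.Resources/resourceGroups`. The example goes slightly beyond the post by turning the fixed `rg-` prefix into a policy parameter (`namePrefix`, an assumed name) so that the same definition can be assigned with different prefixes per subscription; the `displayName` and `description` strings are likewise assumed. `mode` stays `All`, since resource groups are not evaluated under `Indexed` mode, and the `id` field is left out because Azure fills it in on creation.

```json
{
  "properties": {
    "displayName": "Resource group names must start with the approved prefix",
    "description": "Added example (not from the original post). Denies creation of a resource group whose name does not match the parameterized prefix. The resource type must be Microsoft.Resources/subscriptions/resourceGroups, not Microsoft.Resources/resourceGroups, or the rule never matches.",
    "policyType": "Custom",
    "mode": "All",
    "parameters": {
      "namePrefix": {
        "type": "String",
        "metadata": {
          "displayName": "Required name prefix",
          "description": "Assumed parameter name. Resource group names must begin with this string."
        },
        "defaultValue": "rg-"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "name",
            "notLike": "[concat(parameters('namePrefix'), '*')]"
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "policy-naming-convention-rg"
}
```

After assigning this definition at subscription scope, a deployment of the template above with `rgName` set to `test-rg` is rejected with a `RequestDisallowedByPolicy` error, while `rg-test` is created. Keep in mind that a Deny policy only guards new resource groups; anything that already exists with a non-conforming name is reported as non-compliant but is not renamed or removed, so pair the assignment with a compliance scan if the subscription is not empty.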