Modifying Azure policy definition allOf and anyOf?

Time:11-26

As part of the suggestion: https://github.com/microsoft/azure-container-apps/issues/338

I need some help in modifying the Azure Policy definition to include the below lines:

 {
   "allOf": [
     {
       "field": "type",
       "equals": "Microsoft.Resources/subscriptions/resourceGroups"
     },
     {
       "field": "[concat('tags[', parameters('tagName'), ']')]",
       "exists": "false"
     },
     {
       "anyOf": [
         {
           "value": "[startsWith(field('name'), 'MC_')]",
           "notEquals": "true"
         }
       ]
     }
   ]
 }

This is my existing Azure policy definition with allOf:

   "policyRule": {
     "if": {
       "allOf": [
         {
           "field": "type",
           "equals": "Microsoft.Network/virtualNetworks"
         },
         {
           "field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
           "notContains": "11.22.33"
         }
       ]
     },
     "then": {
       "effect": "deny"
     }
   }

and another one with anyOf

     "policyRule": {
       "if": {
         "anyOf": [
           {
             "not": {
               "field": "[concat('tags[', parameters('tagnameteam'), ']')]",
               "in": "[parameters('listofallowedtagvalues')]"
             }
           }
         ]
       },
       "then": {
         "effect": "Deny"
       }
     }

How can I achieve it by modifying the existing Azure policy definition?

CodePudding user response:

It really depends on when you want the policy to trigger the effect... For example in the "allOf" policy:

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Network/virtualNetworks"
      },
      {
        "field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
        "notContains": "11.22.33"
      },
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      {
        "anyOf": [
          {
            "value": "[startsWith(field('name'), 'MC_')]",
            "notEquals": "true"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

would mean that your old conditions AND the new ones have to apply (which is what I think you want?).

On the other hand, if you want that your old conditions OR the new ones should apply, you would need to add the two "allOf" parts in an "anyOf" part:

"policyRule": {
    "if": {
        "anyOf":[
            {
                "allOf": [
                    {
                      "field": "type",
                      "equals": "Microsoft.Network/virtualNetworks"
                    },
                    {
                      "field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
                      "notContains": "11.22.33"
                    }
                  ]
            },
            {
                "allOf": [
                    {
                      "field": "type",
                      "equals": "Microsoft.Resources/subscriptions/resourceGroups"
                    },
                    {
                      "field": "[concat('tags[', parameters('tagName'), ']')]",
                      "exists": "false"
                    },
                    {
                      "anyOf": [
                        {
                          "value": "[startsWith(field('name'), 'MC_')]",
                          "notEquals": "true"
                        }
                      ]
                    }
                ]
            }
        ]
    },
    "then": {
      "effect": "deny"
    }
  }

The same goes for the "anyOf" policy. If you want the old "anyOf" condition OR the new "allOf":

"policyRule": {
    "if": {
      "anyOf": [
        {
          "not": {
            "field": "[concat('tags[', parameters('tagnameteam'), ']')]",
            "in": "[parameters('listofallowedtagvalues')]"
          }
        },
        {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Resources/subscriptions/resourceGroups"
              },
              {
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "exists": "false"
              },
              {
                "anyOf": [
                  {
                    "value": "[startsWith(field('name'), 'MC_')]",
                    "notEquals": "true"
                  }
                ]
              }
            ]
          }
      ]
    },
    "then": {
      "effect": "Deny"
    }
  }

And if you need to have both the "anyOf" and the new "allOf" parts to be true (which is the one, I think you want?):

"policyRule": {
    "if": {
      "allOf": [
        {
          "not": {
            "field": "[concat('tags[', parameters('tagnameteam'), ']')]",
            "in": "[parameters('listofallowedtagvalues')]"
          }
        },

        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "exists": "false"
        },
        {
          "anyOf": [
            {
              "value": "[startsWith(field('name'), 'MC_')]",
              "notEquals": "true"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "Deny"
    }
  }
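
An added example, not part of the original answer: a simplified Python model of how `allOf`, `anyOf` and `not` evaluate, run over constructed sample resources to compare the AND-merged and OR-merged variants of the VNet policy above. The tag name `costCenter`, the resource names and the pre-resolved `tags[...]` field are assumptions; only the operators used on this page are modelled. Because a resource has exactly one `type`, the AND-merged `if` block can never be true, so its `deny` effect never fires.

```python
import re

def leaf(cond, res):
    """Evaluate one leaf condition against a resource dict (simplified model)."""
    if "value" in cond:  # only "[startsWith(field('name'), '<prefix>')]" is modelled
        prefix = re.fullmatch(r"\[startsWith\(field\('name'\), '(.*)'\)\]", cond["value"]).group(1)
        actual = str(res["name"].lower().startswith(prefix.lower())).lower()
    else:
        tag = re.fullmatch(r"tags\[(.+)\]", cond["field"])
        actual = res.get("tags", {}).get(tag.group(1)) if tag else res.get(cond["field"])
    if "equals" in cond:
        return actual == cond["equals"]
    if "notEquals" in cond:
        return actual != cond["notEquals"]
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "notContains" in cond:  # [*] alias: every array member must satisfy the condition
        return all(cond["notContains"] not in item for item in (actual or []))
    raise ValueError(f"condition not modelled: {cond}")

def evaluate(rule, res):
    """Recursively apply allOf (AND), anyOf (OR) and not."""
    if "allOf" in rule:
        return all(evaluate(r, res) for r in rule["allOf"])
    if "anyOf" in rule:
        return any(evaluate(r, res) for r in rule["anyOf"])
    if "not" in rule:
        return not evaluate(rule["not"], res)
    return leaf(rule, res)

PREFIXES = "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]"
RG = "Microsoft.Resources/subscriptions/resourceGroups"
OLD = [{"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
       {"field": PREFIXES, "notContains": "11.22.33"}]
NEW = [{"field": "type", "equals": RG},
       {"field": "tags[costCenter]", "exists": "false"},  # tagName pre-resolved (assumed value)
       {"anyOf": [{"value": "[startsWith(field('name'), 'MC_')]", "notEquals": "true"}]}]
MERGED_AND = {"allOf": OLD + NEW}                       # old AND new in one allOf
MERGED_OR = {"anyOf": [{"allOf": OLD}, {"allOf": NEW}]}  # old OR new

# Constructed sample resources
RESOURCES = [
    {"name": "vnet-hub", "type": "Microsoft.Network/virtualNetworks", PREFIXES: ["10.0.0.0/16"]},
    {"name": "rg-app", "type": RG, "tags": {}},
    {"name": "MC_aks_demo_westeurope", "type": RG, "tags": {}},
]

def denied(rule):
    """Names of the sample resources for which the 'if' block is true (deny fires)."""
    return [r["name"] for r in RESOURCES if evaluate(rule, r)]
```

Calling `denied(MERGED_AND)` and `denied(MERGED_OR)` shows which sample resources each variant would block; the AKS-managed `MC_` resource group is excluded by the `startsWith` check in both.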