As part of the suggestion: https://github.com/microsoft/azure-container-apps/issues/338
I need some help in modifying the Azure Policy definition to include the below lines:
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
{
"anyOf": [
{
"value": "[startsWith(field('name'), 'MC_')]",
"notEquals": "true"
}
]
}
]
}
This is my existing Azure policy definition with allOf:
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
"notContains": "11.22.33"
}
]
},
"then": {
"effect": "deny"
}
}
and another one with anyOf
"policyRule": {
"if": {
"anyOf": [
{
"not": {
"field": "[concat('tags[', parameters('tagnameteam'), ']')]",
"in": "[parameters('listofallowedtagvalues')]"
}
}
]
},
"then": {
"effect": "Deny"
}
}
}
How can I achieve it by modifying the existing Azure policy definition?
CodePudding user response:
It really depends on when you want the policy to trigger the effect... For example in the "allOf" policy:
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
"notContains": "11.22.33"
},
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
{
"anyOf": [
{
"value": "[startsWith(field('name'), 'MC_')]",
"notEquals": "true"
}
]
}
]
},
"then": {
"effect": "deny"
}
}
would mean that your old conditions AND the new ones have to apply (which is what I think you want?).
On the other hand, if you want that your old conditions OR the new ones should apply, you would need to add the two "allOf" parts in an "anyOf" part:
"policyRule": {
"if": {
"anyOf":[
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks"
},
{
"field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
"notContains": "11.22.33"
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
{
"anyOf": [
{
"value": "[startsWith(field('name'), 'MC_')]",
"notEquals": "true"
}
]
}
]
}
]
},
"then": {
"effect": "deny"
}
}
The same goes for the "anyOf" policy. If you want the old "anyOf" condition OR the new "allOf":
"policyRule": {
"if": {
"anyOf": [
{
"not": {
"field": "[concat('tags[', parameters('tagnameteam'), ']')]",
"in": "[parameters('listofallowedtagvalues')]"
}
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
{
"anyOf": [
{
"value": "[startsWith(field('name'), 'MC_')]",
"notEquals": "true"
}
]
}
]
}
]
},
"then": {
"effect": "Deny"
}
}
}
And if yo need to have both the "anyOf" and the new "allOf" parts to be true (which is the one, I think you want?):
"policyRule": {
"if": {
"allOf": [
{
"not": {
"field": "[concat('tags[', parameters('tagnameteam'), ']')]",
"in": "[parameters('listofallowedtagvalues')]"
}
},
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"exists": "false"
},
{
"anyOf": [
{
"value": "[startsWith(field('name'), 'MC_')]",
"notEquals": "true"
}
]
}
]
},
"then": {
"effect": "Deny"
}
}