
I have a resource whitelist policy defined as follows:

{
  "properties": {
    "displayName": "Deny resource creation if not in whitelist",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "This policy denies the creation resources which are not allowed in the whitelist.",
    "policyRule": {
      "if": {
        "not": {
          "field": "type",
          "in": [
            "Microsoft.KeyVault/vaults",
            "Microsoft.Storage/storageAccounts"
          ]
        }
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "<POLICYDEFINITIONID>",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deny_resource_creation_if_not_in_whitelist"
}

This policy works as expected when assigned to a resource group.

I also have a second policy assigned at the subscription level to deploy the first policy on resource groups with names starting with "rg-*":

{
  "properties": {
    "displayName": "Deploy resource whitelist policy",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy assigns the resource whitelist policy to resource groups starting with rg-*.",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "equals": "Microsoft.Resources/subscriptions/resourceGroups",
            "field": "type"
          },
          {
            "field": "name",
            "like": "rg-*"
          }
        ]
      },
      "then": {
        "details": {
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "resources": [
                  {
                    "apiVersion": "2022-06-01",
                    "name": "[guid('<POLICYDEFINITIONID>', resourceGroup().name)]",
                    "properties": {
                      "displayName": "Deny resource creation if not in whitelist",
                      "enforcementMode": "Default",
                      "policyDefinitionId": "<POLICYDEFINITIONID>"
                    },
                    "type": "Microsoft.Authorization/policyAssignments"
                  }
                ]
              }
            }
          },
          "evaluationDelay": "AfterProvisioning",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
          ],
          "type": "Microsoft.Authorization/policyAssignments"
        },
        "effect": "DeployIfNotExists"
      }
    }
  },
  "id": "",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "Deploy_resource_whitelist_policy"
}

The second policy is evaluated and I can see a successful deployIfNotExists event, but in fact the assignment is not created.

A few additional facts:

  • I successfully deployed the policy assignment ARM template from the Azure portal
  • When replacing the policy assignment ARM template with a simple storage account ARM template it works: a storage account is created in the resource group.

Any help would be much appreciated.


Answers


  1. Chosen as BEST ANSWER

    I finally solved this using only the first policy and a value expression condition:

    {
      "properties": {
        "displayName": "Deny resource creation if not in whitelist",
        "policyType": "Custom",
        "mode": "Indexed",
        "description": "This policy denies the creation resources which are not allowed in the whitelist.",
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "notIn": [
                  "Microsoft.KeyVault/vaults",
                  "Microsoft.Storage/storageAccounts"
                ]
              },
              {
                "value": "[resourceGroup().name]",
                "like": "rg-*"
              }
            ]
          },
          "then": {
            "effect": "Deny"
          }
        }
      },
      "id": "<POLICYDEFINITIONID>",
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "Deny_resource_creation_if_not_in_whitelist"
    }
    
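To sanity-check what the accepted rule allows and denies before assigning it, here is a small evaluator (an added example, not code from the post or from Azure) for the subset of the policy language the two definitions use: allOf, not, equals, in, notIn and like, with `[resourceGroup().name]` resolved from a constructed request. It assumes Azure Policy's case-insensitive string matching and single-`*` wildcard semantics for `like`.

```python
import re

# Rule from the original question: denies everything not in the whitelist,
# regardless of which resource group the resource lands in.
ORIGINAL_RULE = {
    "not": {"field": "type", "in": ["Microsoft.KeyVault/vaults",
                                    "Microsoft.Storage/storageAccounts"]}
}

# Rule from the accepted answer: same whitelist, but only enforced in "rg-*" groups.
ACCEPTED_RULE = {
    "allOf": [
        {"field": "type", "notIn": ["Microsoft.KeyVault/vaults",
                                    "Microsoft.Storage/storageAccounts"]},
        {"value": "[resourceGroup().name]", "like": "rg-*"},
    ]
}

def like(value, pattern):
    # Azure Policy 'like' is case-insensitive and treats '*' as a wildcard.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def resolve(expr, request):
    # Only the template expression used on this page is modelled (assumption).
    if expr == "[resourceGroup().name]":
        return request["resourceGroup"]
    return expr

def evaluate(cond, request):
    """True when the condition matches, i.e. the rule's 'then' effect would fire."""
    if "allOf" in cond:
        return all(evaluate(c, request) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, request) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], request)
    subject = request[cond["field"]] if "field" in cond else resolve(cond["value"], request)
    if "equals" in cond:
        return subject.lower() == cond["equals"].lower()
    if "in" in cond:
        return subject.lower() in {v.lower() for v in cond["in"]}
    if "notIn" in cond:
        return subject.lower() not in {v.lower() for v in cond["notIn"]}
    if "like" in cond:
        return like(subject, cond["like"])
    raise ValueError(f"unsupported condition: {cond}")

def is_denied(request, rule=ACCEPTED_RULE):
    """Would a Deny-effect policy with this rule block the request? (constructed input)"""
    return evaluate(rule, request)
```

Note that with `"mode": "Indexed"` the real engine only evaluates resource types that support location and tags, which this toy evaluator does not model.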

  2. Your policy assignment in the example seems to be missing a scope property to assign it to the given resource group. Try adding a scope property to the policy assignment.

    "template": {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
            {
                "apiVersion": "2022-06-01",
                "name": "[guid('<POLICYDEFINITIONID>', resourceGroup().name)]",
                "properties": {
                    "displayName": "Deny resource creation if not in whitelist",
                    "enforcementMode": "Default",
                    "policyDefinitionId": "<POLICYDEFINITIONID>",
                    "scope": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', resourceGroup().name)]"
                },
                "type": "Microsoft.Authorization/policyAssignments"
            }
        ]
    }
    