Reputation: 647
I'm creating an Azure Policy; with much help I was able to get to the below JSON policy, but it is behaving in a different way than what I'm expecting.
As per my understanding (correct me if I'm wrong): Azure Policy is basically an [if] and [then] statement. After [if], the allOf tags come into the picture, which state that if Condition [Type : Resource Group] matches and [Tag Name Env != prod] and [Tag Name OS != windows], [then] deny.
But the result of the above policy is: if I specify [Env = prod and OS = Linux] in a single resource group, then the policy allows the user to create the resource group. This should not be the outcome of the policy.
The expected result should be:
Scenario 1 (policy is behaving correctly): if I specify only [Env = prod], then it should allow me to create the resource group, or else block me if I specify anything else.
Scenario 2 (policy is behaving correctly): [OS = Windows], then it should allow me to create the RG, or else block me if I specify anything else.
Scenario 3 (policy is behaving incorrectly): [env = prod and OS = linux], then it should block me, as the second tag is not correct.
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "field": "tags.Env",
        "notEquals": "Prod"
      },
      {
        "field": "tags.OS",
        "notEquals": "windows"
      }
    ]
  },
  "then": { "effect": "deny" }
}
Upvotes: 0
Views: 306
Reputation: 505
The policy definition you provided is working as expected. It will only deny a resource group if tags.Env != "Prod" && tags.OS != "Windows". If you flip this condition, you can see that it will allow any resource group where tags.Env == "Prod" || tags.OS == "Windows", which is what you've experienced.
The following policy definition will deny any resource group which does not have the expected tags:
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "anyOf": [
          {
            "field": "tags.Env",
            "notEquals": "Prod"
          },
          {
            "field": "tags.OS",
            "notEquals": "windows"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
Upvotes: 1
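To see why the allOf version lets the [Env = prod, OS = linux] group through while the anyOf version blocks it, here is a small evaluator for the allOf / anyOf / field conditions used in both definitions, run over constructed tag sets. It is an added illustration, not Azure's policy engine; it assumes string comparison is case-insensitive and that a missing tag evaluates as null, so notEquals on it is true.

```python
from typing import Any

def _field(resource: dict[str, Any], path: str) -> Any:
    # "tags.Env" -> resource["tags"]["Env"]; a missing key yields None (null)
    value: Any = resource
    for part in path.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value

def _same(a: Any, b: Any) -> bool:
    # Assumed case-insensitive string match, like Azure Policy's equals/notEquals
    if isinstance(a, str) and isinstance(b, str):
        return a.casefold() == b.casefold()
    return a == b

def evaluate(condition: dict[str, Any], resource: dict[str, Any]) -> bool:
    """True when the policy's 'if' block matches the resource, i.e. the effect fires."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    actual = _field(resource, condition["field"])
    if "equals" in condition:
        return _same(actual, condition["equals"])
    if "notEquals" in condition:
        return not _same(actual, condition["notEquals"])
    raise ValueError(f"unsupported condition: {condition}")

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
IS_RG = {"field": "type", "equals": RG_TYPE}
ENV_WRONG = {"field": "tags.Env", "notEquals": "Prod"}
OS_WRONG = {"field": "tags.OS", "notEquals": "windows"}

# The question's rule: deny only when BOTH tags are wrong.
ORIGINAL = {"allOf": [IS_RG, ENV_WRONG, OS_WRONG]}
# The answer's rule: deny when EITHER tag is wrong (or missing).
FIXED = {"allOf": [IS_RG, {"anyOf": [ENV_WRONG, OS_WRONG]}]}

def denied(policy_if: dict[str, Any], tags: dict[str, str]) -> bool:
    """Simulate creating a resource group carrying the given (constructed) tags."""
    return evaluate(policy_if, {"type": RG_TYPE, "tags": tags})

if __name__ == "__main__":
    for tags in ({"Env": "prod"}, {"OS": "Windows"}, {"Env": "prod", "OS": "linux"}):
        print(tags, "original:", denied(ORIGINAL, tags), "fixed:", denied(FIXED, tags))
```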