MDR

Reputation: 51

Azure DeployIfNotExist Policy evaluates but does not deploy template / show compliant

I am working on a DeployIfNotExist Azure Policy which checks all vnets, checks if a specific peering exists and, if so, checks that UDR settings are in place. If they differ from what is specified, it aims to deploy the required UDR.

I am not able to get this to work. The current state is that the initial check works fine (non-compliant vnets are reported), but no automatic remediation is done for new/updated vnets. Further, if I do manual remediation, the vnet is still marked as non-compliant.

Azure Policy policy rule below.

{
  "if": {
      "anyOf": [
          {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Network/virtualNetworks"
                },
                {
                    "field": "Microsoft.Network/virtualNetworks/VirtualNetworkPeerings[*].peeringState",
                    "equals": "Connected"
                },
                {
                    "field": "Microsoft.Network/virtualNetworks/VirtualNetworkPeerings[*].name",
                    "equals": "peerSpokeToHub"
                }
            ]
          },
          {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.Network/virtualNetworks/VirtualNetworkPeerings"
                },
                {
                    "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
                    "exists": "true"
                }
            ]
          }
      ]
    },
    "then": {
          "effect": "deployIfNotExists",
          "details": {
              "type": "Microsoft.Network/virtualNetworks/subnets",
              "existenceCondition": {
                  "allOf": [
                      {
                          "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id",
                          "exists": "true"
                      },
                      {
                          "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].name",
                          "equals": "toNVA"
                      },
                      {
                          "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].addressPrefix",
                          "equals": "0.0.0.0/0"
                      },
                      {
                          "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].nextHopType",
                          "equals": "VirtualAppliance"
                      },
                      {
                          "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].nextHopIpAddress",
                          "in": ["10.0.0.1", "10.0.0.2"]
                      },
                      {
                          "field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].provisioningState",
                          "equals": "Succeeded"
                      }
                  ]
              },
              "roleDefinitionIds": [
                  "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
              ],
              "deployment": {
                  "properties": {
                      "mode": "incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "vNetName": {
                            "type": "string",
                            "metadata": {
                              "description": "subnet to attach udr"
                            }
                          },
                          "RouteTableName": {
                            "type": "string",
                            "metadata": {
                              "description": "Name of a route table upon remediation"
                            }
                          },
                          "location": {
                            "type": "string",
                            "metadata": {
                              "description": "location of resource"
                            }
                          },
                          "NVAip": {
                            "type": "string",
                            "metadata": {
                              "description": "NVA IP"
                            }
                          }
                        },
                        "resources": [
                          {
                            "name": "[parameters('RouteTableName')]",
                            "type": "Microsoft.Network/routeTables",
                            "apiVersion": "2018-11-01",
                            "location": "[parameters('location')]",
                            "properties": {
                              "routes": [
                                {
                                  "properties": {
                                    "addressPrefix": "0.0.0.0/0",
                                    "nextHopType": "VirtualAppliance",
                                    "nextHopIpAddress": "[parameters('NVAip')]"
                                  },
                                  "name": "toNVA"
                                }
                              ]
                            }
                          },
                          {
                            "apiVersion": "2017-08-01",
                            "name": "apply-routetable-to-subnet",
                            "type": "Microsoft.Resources/deployments",
                            "resourceGroup": "[resourceGroup().name]",
                            "dependsOn": [
                              "[resourceId('Microsoft.Network/routeTables', parameters('RouteTableName'))]"
                            ],
                            "properties": {
                              "mode": "Incremental",
                              "template": {
                                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                                "contentVersion": "1.0.0.0",
                                "resources": [
                                  {
                                    "apiVersion": "2018-08-01",
                                    "type": "Microsoft.Network/virtualNetworks/subnets",
                                    "name": "[concat(parameters('vNetName'),'/default')]",
                                    "location": "[resourceGroup().location]",
                                    "properties": {
                                      "addressPrefix": "[reference(resourceId(resourceGroup().name, 'Microsoft.Network/virtualNetworks/subnets', parameters('vNetName'), 'default'), '2018-03-01').addressPrefix]",
                                      "routeTable": {
                                        "id": "[resourceId('Microsoft.Network/routeTables', parameters('RouteTableName'))]"
                                      },
                                      "networkSecurityGroup": {
                                        "id": "[reference(resourceId(resourceGroup().name, 'Microsoft.Network/virtualNetworks/subnets', parameters('vNetName'), 'default'), '2018-03-01').networkSecurityGroup.id]"
                                      }
                                    }
                                  }
                                ]
                              }
                            }
                          }
                        ]
                      },
                      "parameters": {
                          "vNetName":    {
                            "value": "[field('fullName')]"
                          },
                          "RouteTableName": {
                            "value": "[parameters('RouteTableName')]"
                          },
                          "NVAip": {
                            "value": "[parameters('fortigateIp')]"
                          },
                          "location": {
                            "value": "[field('location')]"
                          }
                      }
                  }
              }
          }
      }
  }

Upvotes: 1

Views: 1214

Answers (1)

Kemley

Reputation: 204

This seems like a problem with your ARM template. I would be sure to test it and check it. The ARM VSCode extension now has a what-if testing capability that lets you see what happens when you deploy that template.

Upvotes: 1
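Before assigning a deployIfNotExists definition, it is worth linting the rule offline for the mistakes that only surface at remediation time: a dependsOn that names no resource in the embedded template, existenceCondition aliases that do not belong to details.type, template parameters the deployment never supplies, and policy-level parameters() references the definition itself must declare. The script below is an added example written for this page, not code from the asker or the answerer; RULE is a constructed, trimmed copy of the rule posted in the question (only the parts the checks read), and the check names are my own.

```python
"""Offline lint for an Azure Policy deployIfNotExists rule (added example)."""
import json
import re

# Constructed input: trimmed copy of the posted rule, keeping only what the checks read.
RULE = json.loads(r'''
{"then": {"effect": "deployIfNotExists", "details": {
  "type": "Microsoft.Network/virtualNetworks/subnets",
  "existenceCondition": {"allOf": [
    {"field": "Microsoft.Network/virtualNetworks/subnets/routeTable.id", "exists": "true"},
    {"field": "Microsoft.Network/virtualNetworks/subnets/routeTable.routes[*].name", "equals": "toNVA"}
  ]},
  "deployment": {"properties": {
    "mode": "incremental",
    "template": {
      "parameters": {"vNetName": {"type": "string"}, "RouteTableName": {"type": "string"},
                     "location": {"type": "string"}, "NVAip": {"type": "string"}},
      "resources": [
        {"name": "[parameters('RouteTableName')]", "type": "Microsoft.Network/routeTables"},
        {"name": "apply-routetable-to-subnet", "type": "Microsoft.Resources/deployments",
         "dependsOn": ["[concat('Microsoft.Network/routeTables/', 'RouteTable')]"]}
      ]},
    "parameters": {
      "vNetName": {"value": "[field('fullName')]"},
      "RouteTableName": {"value": "[parameters('RouteTableName')]"},
      "NVAip": {"value": "[parameters('fortigateIp')]"},
      "location": {"value": "[field('location')]"}}
  }}}}}
''')


def _ref_token(name):
    """Text a type-qualified dependsOn entry must contain to point at a resource with this name."""
    expr = re.fullmatch(r"\[(.*)\]", name.strip())
    if expr:                                   # ARM expression, e.g. [parameters('X')]
        return re.sub(r"\s+", "", expr.group(1))
    return f"'{name}'"                         # literal names appear quoted inside concat()/resourceId()


def unresolved_depends_on(template):
    """dependsOn entries that match no (type, name) declared in the same template."""
    declared = [(r["type"], _ref_token(r["name"])) for r in template["resources"]]
    bad = []
    for res in template["resources"]:
        for dep in res.get("dependsOn", []):
            dep_norm = re.sub(r"\s+", "", dep)
            if not any(rtype in dep_norm and token in dep_norm for rtype, token in declared):
                bad.append((res["name"], dep))
    return bad


def _fields(condition):
    """Every alias used in a policy condition tree (allOf / anyOf / not)."""
    if "field" in condition:
        yield condition["field"]
    for key in ("allOf", "anyOf"):
        for sub in condition.get(key, []):
            yield from _fields(sub)
    if "not" in condition:
        yield from _fields(condition["not"])


def existence_fields_off_type(details):
    """Resource-provider aliases in existenceCondition that are not aliases of details.type."""
    prefix = details["type"] + "/"
    return [f for f in _fields(details["existenceCondition"])
            if "/" in f and not f.startswith(prefix)]   # name/location/tags have no '/'


def missing_template_parameters(deployment):
    """Template parameters that deployment.parameters never supplies (deployment would fail)."""
    return sorted(set(deployment["template"]["parameters"]) - set(deployment.get("parameters", {})))


def policy_parameters_required(deployment):
    """Names the policy definition's own 'parameters' block must declare."""
    found = set()
    for p in deployment.get("parameters", {}).values():
        found.update(re.findall(r"parameters\('([^']+)'\)", p["value"]))
    return sorted(found)


def lint(rule):
    details = rule["then"]["details"]
    deployment = details["deployment"]["properties"]
    return {
        "unresolved_depends_on": unresolved_depends_on(deployment["template"]),
        "existence_fields_off_type": existence_fields_off_type(details),
        "missing_template_parameters": missing_template_parameters(deployment),
        "policy_parameters_required": policy_parameters_required(deployment),
    }


if __name__ == "__main__":
    print(json.dumps(lint(RULE), indent=2))
```

On the posted rule the dependsOn check flags the nested deployment: the route table is declared as `[parameters('RouteTableName')]`, but the dependency names a literal `'RouteTable'`, so the subnet update is not ordered after the route table. Rewriting it as `[resourceId('Microsoft.Network/routeTables', parameters('RouteTableName'))]` clears the finding. The last check is a reminder that `RouteTableName` and `fortigateIp` must exist in the definition's parameters block, which the question does not show.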
