user1876202

Reputation: 361

Azure Policy - Set expiry for keys/secrets

I am trying to write an Azure Policy that checks if an Azure key has an expiry date; if it does not, then I want to do a DeployIfNotExists effect to set one. However, I am getting a "ResourceNotFound" error.

Note: The "if" statement without the "then" statement works fine; when I run this policy it shows me which keys do not have an expiration date. I get the issue when I add in the deployIfNotExists effect.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault/vaults/keys"
        },
        {
          "field": "Microsoft.KeyVault/vaults/keys/attributes.exp",
          "exists": false
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.KeyVault/vaults/keys",
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "resources": [
                {
                  "type": "Microsoft.KeyVault/vaults/keys",
                  "apiVersion": "2021-06-01-preview",
                  "properties": {
                    "exp": "10000"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "parameters": {}
}

Upvotes: 1

Views: 1034

Answers (1)

Jul_DW

Reputation: 1064

Here you are working at the Data layer of the Key Vault, i.e., what is inside of it (Keys, Secrets, Certificates).

In that case, when it is not about the infrastructure as such (the configuration of the Key Vault itself), you have to use the Microsoft.KeyVault.Data mode for your custom policy instead of All.

That said, DeployIfNotExist policies are not yet supported - see official documentation about Azure Policy for Key Vault. You can only Audit or Deny.

Upvotes: 1
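The two points in the answer (vault contents need the Microsoft.KeyVault.Data mode, and that mode only takes Audit or Deny) can be turned into a pre-flight check that runs before a definition is pushed to Azure. The following is an added example written for this page, not code from the question, the answer, or Microsoft; it embeds the questioner's definition reduced to the parts the check inspects, and a corrected definition that follows the answer. The `lint_keyvault_policy` function and its messages are my own; the `Microsoft.KeyVault.Data/vaults/keys/attributes.expiresOn` alias in the corrected definition is an assumption to verify against the aliases available in your tenant.

```python
import re

# Rules stated in the answer: objects inside a vault (keys, secrets,
# certificates) are data-plane resources, so a policy about them must use the
# Microsoft.KeyVault.Data mode, and that mode only supports Audit and Deny.
DATA_PLANE_MODE = "Microsoft.KeyVault.Data"
DATA_PLANE_OBJECTS = {"keys", "secrets", "certificates"}
DATA_PLANE_EFFECTS = {"audit", "deny"}

# The questioner's definition from the page, reduced to the parts the lint
# inspects (the deployment template is omitted; it is never evaluated anyway).
ORIGINAL_POLICY = {
    "mode": "All",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.KeyVault/vaults/keys"},
            {"field": "Microsoft.KeyVault/vaults/keys/attributes.exp", "exists": False},
        ]},
        "then": {"effect": "deployIfNotExists",
                 "details": {"type": "Microsoft.KeyVault/vaults/keys"}},
    },
    "parameters": {},
}

# A definition that follows the answer: data-plane mode, data-plane aliases,
# and a parameterised Audit/Deny effect. The 'attributes.expiresOn' alias is
# an assumption; check it against the aliases listed for your tenant.
CORRECTED_POLICY = {
    "mode": "Microsoft.KeyVault.Data",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.KeyVault.Data/vaults/keys"},
            {"field": "Microsoft.KeyVault.Data/vaults/keys/attributes.expiresOn",
             "exists": False},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
    "parameters": {"effect": {"type": "String",
                              "allowedValues": ["Audit", "Deny"],
                              "defaultValue": "Audit"}},
}


def _leaf_conditions(node):
    """Yield every leaf condition (a dict carrying 'field') under allOf/anyOf/not."""
    if not isinstance(node, dict):
        return
    if "field" in node:
        yield node
    for key in ("allOf", "anyOf"):
        for child in node.get(key, []):
            yield from _leaf_conditions(child)
    if "not" in node:
        yield from _leaf_conditions(node["not"])


def _resolve_effect(then, parameters):
    """Return the effect string, following "[parameters('x')]" to its default value."""
    effect = then.get("effect", "")
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", effect)
    if m:
        effect = parameters.get(m.group(1), {}).get("defaultValue", "")
    return effect


def lint_keyvault_policy(policy):
    """Return a list of findings; an empty list means the definition is consistent."""
    findings = []
    rule = policy["policyRule"]
    parameters = policy.get("parameters", {})

    # Which resource types does the "if" block target?
    types = {c.get("equals", "") for c in _leaf_conditions(rule["if"])
             if c.get("field") == "type"}
    vault_objects = [t for t in types
                     if t.lower().startswith("microsoft.keyvault")
                     and t.rsplit("/", 1)[-1].lower() in DATA_PLANE_OBJECTS]
    if not vault_objects:
        return findings  # control-plane policy: the data-plane rules do not apply

    if policy.get("mode") != DATA_PLANE_MODE:
        findings.append(f"mode is {policy.get('mode')!r}; vault contents require "
                        f"mode {DATA_PLANE_MODE!r}")

    for t in vault_objects:
        if not t.startswith(DATA_PLANE_MODE + "/"):
            findings.append(f"type {t!r} is the control-plane alias; the data-plane "
                            f"alias is '{DATA_PLANE_MODE}/{t.split('/', 1)[1]}' (assumed naming)")

    for c in _leaf_conditions(rule["if"]):
        f = c.get("field", "")
        if f != "type" and f.lower().startswith("microsoft.keyvault/"):
            findings.append(f"field alias {f!r} is control-plane; in {DATA_PLANE_MODE} mode "
                            f"use '{DATA_PLANE_MODE}/{f.split('/', 1)[1]}' (assumed naming)")

    effect = _resolve_effect(rule["then"], parameters)
    if effect.lower() not in DATA_PLANE_EFFECTS:
        findings.append(f"effect {effect!r} is not supported in {DATA_PLANE_MODE} mode; "
                        f"use Audit or Deny")
    return findings


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, lint_keyvault_policy(policy) or "OK")
```

Run against the questioner's definition the check reports four findings (mode, type alias, field alias, effect); against the corrected definition it reports none. Wiring it into the pipeline that publishes policy definitions catches the mode/effect mismatch before Azure returns a confusing error such as the "ResourceNotFound" in the question.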
