
How to find the flow of an Azure Policy

I'm creating an Azure Policy, and with much help I was able to get to the JSON policy below, but it is behaving differently from what I'm expecting.

As per my understanding (correct me if I'm wrong): Azure Policy is basically an [if] and [then] statement. After [if], the allOf tags come into the picture, which states that if the condition [Type: Resource Group] matches and [Tag Name Env != prod] and [Tag Name OS != windows], [then] deny.

But the result of the above policy is: if I specify [Env = prod and OS = Linux] on a single resource group, then the policy allows the user to create the resource group. This should not be the outcome of the policy.

The expected result should be:

Scenario 1 (policy is behaving correctly): if I specify only [Env = prod], then it should allow me to create the resource group, or else block me if I specify anything else.

Scenario 2 (policy is behaving correctly): [OS = Windows], then it should allow me to create the RG, or else block me if I specify anything else.

Scenario 3 (policy is behaving incorrectly): [env = prod and OS = linux], then it should block me, as the second tag is not correct.

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "field": "tags.Env",
        "notEquals": "Prod"
      },
      {
        "field": "tags.OS",
        "notEquals": "windows"
      }
    ]
  },
  "then": { "effect": "deny" }
}

The policy definition you provided is working as expected. It will only deny a resource group if tags.Env != "Prod" && tags.OS != "Windows". If you flip this condition, you can see that it will allow any resource group where tags.Env == "Prod" || tags.OS == "Windows", which is what you've experienced.

The following policy definition will deny any resource group which does not have the expected tags:

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Resources/subscriptions/resourceGroups"
            },
            {
                "anyOf": [
                    {
                        "field": "tags.Env",
                        "notEquals": "Prod"
                    },
                    {
                        "field": "tags.OS",
                        "notEquals": "windows"
                    }
                ]
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}
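To make the difference between the two definitions visible without deploying anything, here is an added example that is not part of the question or the answer above. It is a small Python model of the subset of Azure Policy rule syntax used on this page (allOf, anyOf, equals, notEquals over the type field and tags.*) and runs both definitions against the asker's three scenarios plus a few constructed extras. The model assumes two Azure Policy behaviours: string comparisons are case-insensitive, and notEquals against a tag that is absent evaluates to true (an absent tag is "not equal" to any value). The resource dictionaries and scenario names are constructed for this example.

```python
"""Tiny evaluator for the Azure Policy rule subset used on this page.

Illustrative model written for this page, not the Azure Policy engine.
Supports: allOf, anyOf, not, field 'type', fields 'tags.<name>',
and the operators equals / notEquals.
"""


def _field_value(resource, field):
    """Resolve a policy 'field' against a resource dict; None if absent."""
    if field == "type":
        return resource.get("type")
    if field.startswith("tags."):
        # Assumption: an absent tag resolves to None.
        return resource.get("tags", {}).get(field[len("tags."):])
    raise ValueError(f"field not supported by this model: {field}")


def _norm(value):
    """Assumption: Azure Policy string comparisons are case-insensitive."""
    return value.casefold() if isinstance(value, str) else value


def evaluate_condition(cond, resource):
    """Recursively evaluate an 'if' block; returns True when it matches."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = _field_value(resource, cond["field"])
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        # None != "Prod" is True, i.e. a missing tag satisfies notEquals.
        return _norm(value) != _norm(cond["notEquals"])
    raise ValueError(f"operator not supported by this model: {cond}")


def policy_effect(policy, resource):
    """'deny' when the policy's 'if' matches, otherwise 'allow'."""
    if evaluate_condition(policy["if"], resource):
        return policy["then"]["effect"].lower()
    return "allow"


RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

# The asker's original definition (allOf over both notEquals conditions).
ORIGINAL_POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": RG_TYPE},
        {"field": "tags.Env", "notEquals": "Prod"},
        {"field": "tags.OS", "notEquals": "windows"},
    ]},
    "then": {"effect": "deny"},
}

# The answer's corrected definition (anyOf over the two notEquals conditions).
CORRECTED_POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": RG_TYPE},
        {"anyOf": [
            {"field": "tags.Env", "notEquals": "Prod"},
            {"field": "tags.OS", "notEquals": "windows"},
        ]},
    ]},
    "then": {"effect": "deny"},
}

# Constructed resource groups: the three scenarios from the question plus extras.
SCENARIOS = {
    "scenario1_env_prod_only": {"type": RG_TYPE, "tags": {"Env": "prod"}},
    "scenario2_os_windows_only": {"type": RG_TYPE, "tags": {"OS": "Windows"}},
    "scenario3_env_prod_os_linux": {"type": RG_TYPE, "tags": {"Env": "prod", "OS": "linux"}},
    "both_expected_tags": {"type": RG_TYPE, "tags": {"Env": "Prod", "OS": "Windows"}},
    "neither_expected_tag": {"type": RG_TYPE, "tags": {"Env": "dev", "OS": "linux"}},
    "not_a_resource_group": {"type": "Microsoft.Compute/virtualMachines", "tags": {}},
}


def run_scenarios(policy):
    """Map each scenario name to the effect the given policy produces."""
    return {name: policy_effect(policy, rg) for name, rg in SCENARIOS.items()}


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_POLICY), ("corrected", CORRECTED_POLICY)):
        print(label)
        for name, effect in run_scenarios(policy).items():
            print(f"  {name:30s} -> {effect}")
```

Running it shows the answer's point: the original definition allows scenario 3 (Env=prod, OS=linux) because a single false notEquals makes the whole allOf false, while the corrected definition denies it. It also shows a caveat worth checking before assigning the corrected definition: because it denies as soon as either tag is wrong or missing, it denies scenarios 1 and 2 as well (a resource group carrying only Env=prod or only OS=Windows), so it enforces "both tags must be set correctly", which is stricter than the behaviour the question describes as correct for those two scenarios.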
