I'm creating an Azure Policy. With much help I was able to get to the below JSON policy, but it is behaving in a different way than what I'm expecting.
As per my understanding (correct me if I'm wrong): Azure Policy is basically an [if] and [then] statement. After [if], the allOf tags come into the picture, which states that if Condition [Type: Resource Group] matches and [Tag Name Env != prod] and [Tag Name OS != windows], [then] deny.
But the result of the above policy is: if I specify [Env = prod and OS = Linux] in a single Resource Group, then the policy allows the user to create the resource group. This should not be the outcome of the policy.
The expected result should be:
Scenario 1 (policy is behaving correctly): if I specify only [Env = prod], then it should allow me to create the Resource Group, or else block me if I specify anything else.
Scenario 2 (policy is behaving correctly): [OS = Windows], then it should allow me to create the RG, or else block me if I specify anything else.
Scenario 3 (policy is behaving incorrectly): [Env = prod and OS = linux], then it should block me as the second tag is not correct.
```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "field": "tags.Env",
        "notEquals": "Prod"
      },
      {
        "field": "tags.OS",
        "notEquals": "windows"
      }
    ]
  },
  "then": { "effect": "deny" }
}
```
The policy definition you provided is working as expected. It will only deny a resource group if tags.Env != "Prod" && tags.OS != "Windows". If you flip this condition, you can see that it will allow any resource group where tags.Env == "Prod" || tags.OS == "Windows", which is what you've experienced.
The following policy definition will deny any resource group which does not have the expected tags:
```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Resources/subscriptions/resourceGroups"
      },
      {
        "anyOf": [
          {
            "field": "tags.Env",
            "notEquals": "Prod"
          },
          {
            "field": "tags.OS",
            "notEquals": "windows"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```
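To make the allOf/anyOf difference concrete, here is an added example (not part of the question or answer above, and not Azure's own engine): a small evaluator for the subset of the policy condition language used here, run against both definitions with constructed resource groups. It models string comparison as case-insensitive, as Azure Policy's string conditions are, and treats a missing tag as not equal to anything.

```python
# Added example: a tiny evaluator for the subset of the Azure Policy condition
# language used above (allOf, anyOf, field + equals/notEquals). Strings compare
# case-insensitively; a missing tag resolves to None, so "notEquals" on it is true.

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

def lookup(resource, field):
    """Resolve the 'type' alias or a 'tags.<name>' alias against a resource dict."""
    if field == "type":
        return resource.get("type")
    if field.startswith("tags."):
        return resource.get("tags", {}).get(field[len("tags."):])
    raise ValueError(f"unsupported field: {field}")

def norm(value):
    return value.lower() if isinstance(value, str) else value

def matches(cond, resource):
    """True when the policy condition holds for the resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    actual = norm(lookup(resource, cond["field"]))
    if "equals" in cond:
        return actual == norm(cond["equals"])
    if "notEquals" in cond:
        return actual != norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")

def effect(policy, resource):
    """'deny' when the 'if' block matches; otherwise the request is allowed."""
    return policy["then"]["effect"] if matches(policy["if"], resource) else "allow"

IS_RG = {"field": "type", "equals": RG_TYPE}
ENV_NOT_PROD = {"field": "tags.Env", "notEquals": "Prod"}
OS_NOT_WINDOWS = {"field": "tags.OS", "notEquals": "windows"}
# Asker's definition: deny only when BOTH tags are wrong (allOf of two notEquals).
ORIGINAL = {"if": {"allOf": [IS_RG, ENV_NOT_PROD, OS_NOT_WINDOWS]}, "then": {"effect": "deny"}}
# Answer's definition: deny when EITHER tag is wrong (anyOf of the two notEquals).
CORRECTED = {"if": {"allOf": [IS_RG, {"anyOf": [ENV_NOT_PROD, OS_NOT_WINDOWS]}]},
             "then": {"effect": "deny"}}

def rg(**tags):
    """Constructed resource group carrying the given tags."""
    return {"type": RG_TYPE, "tags": tags}

if __name__ == "__main__":  # scenario 3 from the question: Env=prod, OS=linux
    s3 = rg(Env="prod", OS="linux")
    print("original:", effect(ORIGINAL, s3), "corrected:", effect(CORRECTED, s3))
```

Note that the corrected definition also denies a group carrying only one of the two tags, because the absent tag satisfies its notEquals branch; that differs from the asker's scenario 1 expectation and is worth deciding on deliberately.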