Azure Policy (deployifnotexists) not behaving as expected


This is my first post here. What I'm trying to do in Azure is deployifnotexists for storage accounts if certain settings are not enabled. I've attached my code. What I want to do is this:

  1. Check for secure transfer being enabled
  2. Check for TLS1_2 only
  3. Check the FW
  4. On the FW, have the Azure Services accepted (e.g. nsg flow logs etc)

If any of those conditions are not met, then deploy them through the ARM template. What is catching me is that I have intentionally put in bad settings to see it work and it will not say that they are non-compliant.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Storage/storageAccounts"
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Storage/storageAccounts",
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
              "equals": true
            },
            {
              "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
              "equals": "TLS1_2"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
              "equals": "deny"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
              "contains": "AzureServices"
            }
          ]
        },
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "storageAccountName": {
                  "type": "String",
                  "metadata": {
                    "description": "storageAccountName"
                  }
                },
                "location": {
                  "type": "String",
                  "metadata": {
                    "description": "location"
                  }
                }
              },
              "variables": {},
              "resources": [
                {
                  "type": "Microsoft.Storage/storageAccounts",
                  "apiVersion": "2019-06-01",
                  "name": "[parameters('storageAccountName')]",
                  "location": "[parameters('location')]",
                  "properties": {
                    "minimumTlsVersion": "TLS1_2",
                    "networkAcls": {
                      "bypass": "AzureServices",
                      "defaultAction": "Deny"
                    },
                    "supportsHttpsTrafficOnly": true
                  }
                }
              ],
              "outputs": {}
            },
            "parameters": {
              "storageAccountName": {
                "value": "[field('Name')]"
              },
              "location": {
                "value": "[field('location')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {}
}

Thanks everyone


There is 1 answer

Harken350

So through further reading and talking with more experienced colleagues I've determined that "deployIfNotExists" conditions are not to be used for a resource's own settings.

By that I mean I cannot "deployIfNotExists" to a storage account's own storage account settings (as above), but I could deploy diagnostic logging to a SA. I am closing this question. I will try append, and if I do anything good I'll loop it back into this question for keen eyes.
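For readers landing here with the same four checks, the following is an added example (not code from the question or the answer) of how the same settings can be enforced on the storage account itself with the Modify effect rather than deployIfNotExists. Modify is used instead of Append because Append denies a request whose existing value conflicts with the appended one, whereas Modify rewrites the property to the wanted value. The `if` block mirrors the four conditions from the question so that only accounts failing at least one of them are matched; the role definition ID is the Contributor ID already used in the question. Everything else (alias names, operators and the Modify `operations` syntax) is standard Azure Policy, but this definition has not been taken from any Microsoft built-in.

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
              "notEquals": true
            },
            {
              "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
              "notEquals": "TLS1_2"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
              "notEquals": "Deny"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
              "notContains": "AzureServices"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "conflictEffect": "audit",
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
            "value": true
          },
          {
            "operation": "addOrReplace",
            "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
            "value": "TLS1_2"
          },
          {
            "operation": "addOrReplace",
            "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
            "value": "Deny"
          },
          {
            "operation": "addOrReplace",
            "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
            "value": "AzureServices"
          }
        ]
      }
    }
  },
  "parameters": {}
}
```

Two caveats when using this. First, Modify only runs on create and update requests; storage accounts that already exist are reported as non-compliant and are only changed when a remediation task is created for the assignment, and the assignment needs a managed identity holding the listed role. Second, `addOrReplace` on `networkAcls.bypass` overwrites the whole comma-separated value, so an account that also relies on `Logging` or `Metrics` bypass would lose those entries; list every required entry in the `value` string (for example `"Logging, Metrics, AzureServices"`) if that applies in your environment.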