Yes, you read that right: AuditIfExists, NOT AuditIfNotExists.
My use case is that I want to audit all my Azure SQL Servers for firewall rules that have a specific IP address, and I want all the Policy dashboard metrics to relate to the SQL Servers, NOT the firewall rules (i.e. 2 SQL Servers each containing 3 firewall rules should identify 2 resources, not 6 as would be reported by a direct Audit of Microsoft.SQL/servers/firewallRules).
Many of my other custom policies check related resources and report these metrics up on behalf of a parent when using AuditIfNotExists or DeployIfNotExists. However, the fundamental basis of these checks is that the non-existence of the subtype creates a non-compliant state regardless of the existence condition evaluation result. So, in my case, if a SQL Server has 0 firewall rules (which would be a compliant state for me), the policy evaluates it as non-compliant. If I attempt to check for existence again in my existence condition, as suggested by @mentat9 in this policy issues thread (https://github.com/Azure/azure-policy/issues/374), it is obvious after a few tries that the Policy engine does not even evaluate the existence condition if no objects of the desired type exist.
Below is my policyRule from one of my latest attempts.
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]",
    "details": {
      "type": "Microsoft.Sql/servers/firewallRules",
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "existenceCondition": {
        "anyOf": [
          {
            "field": "Microsoft.Sql/servers/firewallRules/startIpAddress",
            "exists": false
          },
          {
            "allOf": [
              {
                "field": "Microsoft.Sql/servers/firewallRules/startIpAddress",
                "notequals": "0.0.0.0"
              },
              {
                "field": "Microsoft.Sql/servers/firewallRules/endIpAddress",
                "notequals": "0.0.0.0"
              }
            ]
          }
        ]
      }
    }
  }
}
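The evaluation semantics described in the post, as an added Python model that is not part of the issue thread: it evaluates the post's existenceCondition against each firewall rule and contrasts the engine's AuditIfNotExists result (compliant when any child matches, so zero children is always non-compliant) with the AuditIfExists result the author wants (compliant when every child matches, so zero children is vacuously compliant). The evaluator, the condition grammar it supports and the sample servers are constructed assumptions, not Azure's real engine or real resources.

```python
# Added example (not from the issue thread): a constructed model of the engine's
# AuditIfNotExists semantics versus the "AuditIfExists" behaviour the post asks for.
ALIAS_PREFIX = "Microsoft.Sql/servers/firewallRules/"
# The existenceCondition from the post, as a Python dict.
EXISTENCE_CONDITION = {"anyOf": [
    {"field": ALIAS_PREFIX + "startIpAddress", "exists": False},
    {"allOf": [
        {"field": ALIAS_PREFIX + "startIpAddress", "notequals": "0.0.0.0"},
        {"field": ALIAS_PREFIX + "endIpAddress", "notequals": "0.0.0.0"},
    ]},
]}
def matches(cond, rule):
    """Evaluate one condition node against a single firewall rule (a dict)."""
    if "allOf" in cond:
        return all(matches(c, rule) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, rule) for c in cond["anyOf"])
    prop = cond["field"][len(ALIAS_PREFIX):]
    if "exists" in cond:
        return (prop in rule) == cond["exists"]
    if "notequals" in cond:
        return rule.get(prop) != cond["notequals"]
    raise ValueError(f"unsupported condition: {cond}")

def audit_if_not_exists(rules, cond=EXISTENCE_CONDITION):
    """Engine semantics: compliant iff at least one child matches, so zero
    children is always non-compliant (the post's complaint)."""
    return any(matches(cond, r) for r in rules)

def audit_if_exists(rules, cond=EXISTENCE_CONDITION):
    """Desired semantics: compliant iff every child matches; zero rules is
    vacuously compliant and one bad rule is not masked by a good one."""
    return all(matches(cond, r) for r in rules)

# Constructed sample servers: name -> list of firewall rules.
SERVERS = {
    "sql-no-rules": [],
    "sql-good": [{"startIpAddress": "10.0.0.1", "endIpAddress": "10.0.0.1"}],
    "sql-bad": [{"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}],
    "sql-mixed": [{"startIpAddress": "10.0.0.1", "endIpAddress": "10.0.0.1"},
                  {"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}],
}

def compliance_report(servers=SERVERS):
    """Return {server: (AuditIfNotExists compliant?, AuditIfExists compliant?)}."""
    return {n: (audit_if_not_exists(r), audit_if_exists(r)) for n, r in servers.items()}

for name, (aine, aie) in compliance_report().items():
    print(f"{name:13} AuditIfNotExists={aine!s:5} AuditIfExists={aie}")
```

The "sql-mixed" row also shows the second mismatch with AuditIfNotExists: one compliant rule makes the whole server compliant even though a 0.0.0.0 rule is present.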
How about the Count expression?