Share via

I have create a azure police with deployeifnotexist effect for ACR network setting but not work expected

sanjeev sinha 0 Reputation points
2024-10-19T06:23:34.4766667+00:00 
{
  "properties": {
    "displayName": "acr-test-new1",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "test",
    "metadata": {
      "category": "Testing",
      "createdBy": "9ff4aca4-5ee7-44d7-825e-b62cd58411c6",
      "createdOn": "2024-10-17T13:06:20.1440532Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "version": "1.0.0",
    "parameters": {
      "allowedIPs": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed IP Addresses",
          "description": "The IP addresses that should be allowed to access the ACR."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerRegistry/registries"
          },
          {
            "field": "Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction",
            "equals": "Allow"
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.ContainerRegistry/registries",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction",
                "equals": "Deny"
              },
              {
                "field": "Microsoft.ContainerRegistry/registries/networkRuleSet.ipRules[*].value",
                "in": "[parameters('allowedIPs')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "resources": [
                  {
                    "type": "Microsoft.ContainerRegistry/registries",
                    "apiVersion": "2019-05-01",
                    "name": "[field('name')]",
                    "properties": {
                      "networkRuleSet": {
                        "defaultAction": "Deny",
                        "ipRules": [
                          {
                            "value": "[parameters('allowedIPs')]",
                            "action": "Allow"
                          }
                        ]
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "versions": [
      "1.0.0"
    ]
  },
  "id": "/subscriptions/45a2bf1a-40e1-4487-b6ff-1199b3422f67/providers/Microsoft.Authorization/policyDefinitions/30e06326-9abf-4c89-81fb-0f5cdfd313c6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "30e06326-9abf-4c89-81fb-0f5cdfd313c6",
  "systemData": {
    "createdBy": "kumarinita18@outlook.com",
    "createdByType": "User",
    "createdAt": "2024-10-17T13:06:20.1123592Z",
    "lastModifiedBy": "kumarinita18@outlook.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2024-10-17T13:06:20.1123592Z"
  }
}
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
931 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vinodh247 24,726 Reputation points MVP
    2024-10-19T11:40:51.04+00:00

    Hi ,

    Thanks for reaching out to Microsoft Q&A.

    It looks like your Azure Policy with the deployIfNotExists effect for setting network rules on an ACR may not be working as expected due to a few possiblereasons. Lets review the key aspects of your code and try to troubleshoot:

    Key Observations:

    deployIfNotExists Effect: This effect ensures that if a resource configuration doesn't exist, it will be deployed. However, for it to work correctly, the existence condition must be properly validated.

    Existence Condition: You are checking if the networkRuleSet.defaultAction is set to "Deny" and if the IP rules match the provided allowed IPs.

    Template Logic:

    • The deployment template you are using tries to set the networkRuleSet for the ACR to "defaultAction": "Deny" and allow specific IPs to access the registry.

    Potential Issues:

    1. Existence Condition: Your existenceCondition logic checks if the defaultAction is already "Deny." However, if the defaultAction is "Allow," the policy will not trigger the deployIfNotExists effect because you are looking for the wrong state.
      • Solution: You may need to modify the existence condition to check for the opposite of the desired state (e.g., check if the defaultAction is "Allow" and not "Deny").
    2. Handling IP Rules:
      • The expression "Microsoft.ContainerRegistry/registries/networkRuleSet.ipRules[*].value" checks for the presence of IPs, but it's possible the policy isn't validating the IPs correctly because it's looking for the exact match of all allowed IPs.
      • Solution: Ensure the in operator is used correctly, and check if the IP rule check can account for partial matches or missing rules, depending on your intent.
    3. Deployment Mode:
      • The deployment mode is set to "incremental", which might not fully replace the networkRuleSet. Consider switching it to "complete" mode if you want the policy to overwrite any existing configuration.

    Suggested Updates to Policy:

    1. Modify Existence Condition:
      • Instead of checking if the defaultAction is "Deny," check if it is "Allow," so the policy will trigger when it is not in the desired state.
    "existenceCondition": {
    "allOf": [
        {
            "field": "Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction",
            "equals": "Allow"
        },
        {
            "field": "Microsoft.ContainerRegistry/registries/networkRuleSet.ipRules[*].value",
            "in": "[parameters('allowedIPs')]"
        }
    ]
}
    1. If the networkRuleSet is partially updated, you may want to use complete mode in the deployment properties:

    "properties": { "mode": "complete", ... }

    Troubleshooting:

    • Check Policy Compliance: Verify the policy compliance status in Azure Policy to check if it was evaluated and applied.
    • Run a Dry Run: Test the deployment template logic outside of the policy to ensure it works as expected. Try deploying the ARM template with the IP rules manually.
    • Check for Conflicting Policies: Ensure no other policies are conflicting with this one, such as a "deny" policy that could block changes to the ACR network settings.

    Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.