# Azure Policy definitions append effect

The `append` effect is used to add more fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource.
**Important:** `append` is intended for use with non-tag properties. While `append` can add tags to a resource during a create or update request, it's recommended to use the `modify` effect for tags instead.
## Append evaluation

The `append` effect evaluates before the request gets processed by a Resource Provider during the creation or updating of a resource. Append adds fields to the resource when the `if` condition of the policy rule is met. If the append effect would override a value in the original request with a different value, then it acts as a `deny` effect and rejects the request. To append a new value to an existing array, use the `[*]` version of the alias.

When a policy definition using the `append` effect is run as part of an evaluation cycle, it doesn't make changes to resources that already exist. Instead, it marks any resource that meets the `if` condition as non-compliant.
## Append properties

An `append` effect only has a `details` array, which is required. Because `details` is an array, it can take either a single `field`/`value` pair or multiples. Refer to the definition structure for the list of acceptable fields.
## Append examples

Example 1: Single `field`/`value` pair using a non-`[*]` alias with an array `value` to set IP rules on a storage account. When the non-`[*]` alias is an array, the effect appends the `value` as the entire array. If the array already exists, a `deny` event occurs from the conflict.

```json
"then": {
    "effect": "append",
    "details": [
        {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",
            "value": [
                {
                    "action": "Allow",
                    "value": "134.5.0.0/21"
                }
            ]
        }
    ]
}
```
Example 2: Single `field`/`value` pair using an `[*]` alias with an array `value` to set IP rules on a storage account. When you use the `[*]` alias, the effect appends the `value` to a potentially pre-existing array. Arrays that don't exist are created.

```json
"then": {
    "effect": "append",
    "details": [
        {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]",
            "value": {
                "value": "40.40.40.40",
                "action": "Allow"
            }
        }
    ]
}
```
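The difference between the two examples above, and the deny-on-conflict rule described under "Append evaluation", is easier to reason about with a small model of how a `details` array is applied to an incoming request body. The following Python is an added illustration, not Azure Policy's own evaluation engine: it assumes that an alias has the shape `<namespace>/<resourceType>/<dotted.property.path>` with an optional trailing `[*]`, and that the request's `properties` object is a plain nested dictionary. The two `details` arrays are copied from the page's examples; the pre-existing IP rule used as input is constructed for the demonstration.

```python
"""Model of Azure Policy append-effect semantics (illustrative, not Azure's code)."""
import copy

# The "details" arrays from Example 1 (non-[*] alias) and Example 2 ([*] alias).
EXAMPLE_1_DETAILS = [{
    "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",
    "value": [{"action": "Allow", "value": "134.5.0.0/21"}],
}]
EXAMPLE_2_DETAILS = [{
    "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]",
    "value": {"value": "40.40.40.40", "action": "Allow"},
}]


class AppendDenied(Exception):
    """Append would overwrite a value already present in the request: the
    effect then behaves like deny and the request is rejected."""


def parse_alias(field):
    """Split an alias into (property path segments, is_array_alias).

    Assumption: alias = '<namespace>/<resourceType>/<dotted.property.path>',
    optionally ending in '[*]' to address array members instead of the array.
    """
    prop_path = field.rsplit("/", 1)[1]
    is_array_alias = prop_path.endswith("[*]")
    if is_array_alias:
        prop_path = prop_path[:-3]
    return prop_path.split("."), is_array_alias


def apply_append(request_properties, details):
    """Return a copy of the request's 'properties' with every details entry
    applied, or raise AppendDenied when a non-[*] alias conflicts."""
    props = copy.deepcopy(request_properties)  # never mutate the caller's request
    for entry in details:
        segments, is_array_alias = parse_alias(entry["field"])
        node = props
        for seg in segments[:-1]:
            node = node.setdefault(seg, {})  # create missing intermediate objects
        leaf = segments[-1]
        if is_array_alias:
            # [*] alias: append to the existing array, or create it if absent.
            existing = node.get(leaf)
            if existing is None:
                node[leaf] = [entry["value"]]
            elif isinstance(existing, list):
                existing.append(entry["value"])
            else:
                raise AppendDenied(f"{leaf} exists but is not an array")
        else:
            # Non-[*] alias: the value replaces the whole field. A different
            # value already in the request is a conflict, so the effect denies.
            if leaf in node and node[leaf] != entry["value"]:
                raise AppendDenied(f"{leaf} already set to a different value")
            node[leaf] = entry["value"]
    return props


def would_deny(request_properties, details):
    """True if applying the details to this request would be rejected."""
    try:
        apply_append(request_properties, details)
    except AppendDenied:
        return True
    return False


if __name__ == "__main__":
    # Constructed request that already carries one IP rule.
    request = {"networkAcls": {"ipRules": [{"action": "Allow", "value": "10.0.0.0/8"}]}}
    print("Example 1 on request with existing rules denied:", would_deny(request, EXAMPLE_1_DETAILS))
    print("Example 2 result:", apply_append(request, EXAMPLE_2_DETAILS))
```

Run against an empty request, Example 1 and Example 2 both produce a one-element `ipRules` array. Run against a request that already lists an IP rule, Example 1 is denied because the non-`[*]` alias would replace the array, while Example 2 appends a second rule and leaves the original request untouched.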
## Next steps

- Review examples at Azure Policy samples.
- Review the Azure Policy definition structure.
- Understand how to programmatically create policies.
- Learn how to get compliance data.
- Learn how to remediate non-compliant resources.
- Review Azure management groups.