Azure Policy Deployifnotexist Nested Templates and Parameters

Christophe Humbert 101 Reputation points
2024-05-15T06:37:44.1466667+00:00

Hello,

I have a policy to deploy an alert on all subscriptions that do not have it (as you cannot create an alert at management group scope for now). I was not able to have parameters taken into account from the policy down to the two nested templates used for the deployment; I had to repeat the default value in each template to keep the remediation task (i.e. the deployment) from failing.

Any hints would be nice

{
  "properties": {
    "displayName": "Alert for VNET Peering",
    "policyType": "Custom",
    "mode": "All",
    "metadata": {
      "category": "Monitoring",
      "createdBy": "USERID",
      "createdOn": "2024-05-07T08:32:23.1194688Z",
      "updatedBy": null,
      "updatedOn": null
    },
    "version": "1.0.0",
    "parameters": {
      "enabled": {
        "type": "String",
        "metadata": {
          "displayName": "Alert State",
          "description": "Alert state for the alert"
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "alertResourceGroupName": {
        "type": "String",
        "metadata": {
          "displayName": "Resource Group Name",
          "description": "Resource group the alert is placed in"
        },
        "defaultValue": "rg-amba-monitoring-001"
      },
      "MonitorDisable": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Tag name to disable monitoring on resource. Set to true if monitoring should be disabled"
        },
        "defaultValue": "MonitorDisable"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/virtualNetworks/"
          },
          {
            "field": "[concat('tags[', parameters('MonitorDisable'), ']')]",
            "notEquals": "true"
          }
        ]
      },
  
"then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Insights/activityLogAlerts",
          "name": "AlertVNETPeering",
          "existenceScope": "resourceGroup",
          "resourceGroupName": "[parameters('alertResourceGroupName')]",
          "deploymentScope": "subscription",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                "equals": "[parameters('enabled')]"
              },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "category"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "Administrative"
                          }
                        ]
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                            "equals": "operationName"
                          },
                          {
                            "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                            "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write"
                          }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              }
            ]
          },
          "deployment": {
            "location": "westeurope",
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "alertResourceGroupName": {
                    "type": "string",
                    "defaultValue": "rg-amba-monitoring-001"
                  },
                  "enabled": {
                    "type": "string",
                    "defaultValue": "true"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Resources/resourceGroups",
                    "apiVersion": "2021-04-01",
                    "location": "westeurope",
                    "name": "[parameters('alertResourceGroupName')]"
                  },
                  {
                    "type": "Microsoft.Resources/deployments",
                    "apiVersion": "2019-10-01",
                    "name": "AlertVNETPeering",
                    "resourceGroup": "[parameters('alertResourceGroupName')]",
                    "dependsOn": [
                      "[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]"
                    ],
                    "properties": {
                      "mode": "Incremental",
                      "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          "enabled": {
                            "type": "string",
                            "defaultValue": "true"
                          },
                          "alertResourceGroupName": {
                            "type": "string",
                            "defaultValue": "rg-amba-monitoring-001"
                          }
                        },
                        "variables": {},
                        "resources": [
                          {
                            "type": "microsoft.insights/activityLogAlerts",
                            "apiVersion": "2020-10-01",
                            "name": "ActivityVNETPeeringCreateUpdate",
                            "location": "global",
                            "properties": {
                              "description": "Activity Log VNET Peering Create or Update",
                              "enabled": "[parameters('enabled')]",
                              "scopes": [
                                "[subscription().id]"
                              ],
                              "condition": {
                                "allOf": [
                                  {
                                    "field": "category",
                                    "equals": "Administrative"
                                  },
                                  {
                                    "field": "operationName",
                                    "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write"
                                  },
                                  {
                                    "field": "status",
                                    "containsAny": [
                                      "succeeded"
                                    ]
                                  }
                                ]
                              },
                              "actions": {
                                "actionGroups": [
                                  {
                                    "actionGroupId": "/subscriptions/XXXxxx/resourcegroups/RGGROUPZZZ/providers/microsoft.insights/actiongroups/ag_vnetpeeringalert",
                                    "webhookProperties": {}
                                  }
                                ]
                              }
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              }
            }
          }
        }
      }
    },
    "versions": [
      "1.0.0"
    ]
  },
  "id": "/providers/Microsoft.Management/managementGroups/MGID/providers/Microsoft.Authorization/policyDefinitions/POLID",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c62d80ee-da27-4fbf-be32-ef4086046a22",
  "systemData": {
    "createdBy": "userupn",
    "createdByType": "User",
    "createdAt": "2024-05-14T06:57:27.9570401Z",
    "lastModifiedBy": "userupn",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2024-05-14T12:59:29.9138366Z"
  }
}