Can Azure Policy parse extension settings to evaluate existence condition & compliance?

Venkata Naga Kartik Pidatala 10 Microsoft Employee

We want to build a policy with Deploy If Not Exists (effect) to deploy/update an extension with appropriate settings. We have the below existence condition with the last condition about the presence of a certain setting in extension settings. Is this valid? When assigning the policy to a scope, for example for a VM without the extension, the policy deploys the extension but still evaluates to be non-compliant. Thus, is to reiterate, is policy support evaluation limited to few subfields in extensions documented here ? https://github.com/maciejporebski/azure-policy-aliases/blob/master/aliases/Microsoft.Compute/virtualMachines-extensions.md

1 answer

Stanislav Zhelyazkov 24,611 Reputation points MVP

2024-08-02T06:32:29.77+00:00

Hi,

It is not clear exactly what you want to achieve. May be will be good to elaborate and explain in details. Overall the link contains all the aliases for Azure VM extensions you can use in policy conditions. If certain property is not available as alias it cannot be used.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Venkata Naga Kartik Pidatala 10 Reputation points Microsoft Employee

2024-08-02T15:50:27.1733333+00:00

Apologies I had previously missed to paste/provide snapshots of existence condition and policy non-compliance explanation - basically our policy needs to be able to deploy an extension with settings "enableAMA" or update the extension is present with the same settings. Please see our existence condition, we are use a "contains" operator to check if the setting is present. The problem I am trying to highlight is policy is always showing non-compliance. Is this expected? Can it read extension settings. If this is possible, could you please suggest a workaround as our customers are blocked?

"existenceCondition": { "allOf": [ { "field": "Microsoft.Compute/virtualMachines/extensions/type", "equals": "samepleExtension" }, { "field": "Microsoft.Compute/virtualMachines/extensions/publisher", "equals": "Microsoft.Azure.Monitoring.samepleExtension" }, { "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState", "equals": "Succeeded" }, { "field": "Microsoft.Compute/virtualMachines/extensions/settings", "contains": "enableAMA" } ] },

Stanislav Zhelyazkov 24,611 Reputation points MVP

2024-08-03T05:11:07.0166667+00:00

Contains works on the values of arrays. Microsoft.Compute/virtualMachines/extensions/setting is an object. You can try with condition containsKey instead of contains and see if that works.

Venkata Naga Kartik Pidatala 10 Reputation points Microsoft Employee

2024-08-05T16:18:22.45+00:00

Thank you for your suggestion, attempted - but seeing the below non-compliance message - I have raised a support ticket at this point.

"existenceCondition": {

  "allOf": [

{

  "field": "Microsoft.Compute/virtualMachines/extensions/type",

  "equals": "samepleExtension"

},

{

  "field": "Microsoft.Compute/virtualMachines/extensions/publisher",

  "equals": "Microsoft.Azure.Monitoring.samepleExtension"

},

{

  "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",

  "equals": "Succeeded"

},

{

  "value": "Microsoft.Compute/virtualMachines/extensions/settings",

  "containsKey": "enableAMA"

}

]

},

Reason for non-compliance

Current value must contain the target value as a key.

Expression

Microsoft.Compute/virtualMachines/extensions/settings

Current value

"Microsoft.Compute/virtualMachines/extensions/settings"

Target value

"enableAMA"
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Can Azure Policy parse extension settings to evaluate existence condition & compliance?

1 answer

Your answer