Can Azure Policy parse extension settings to evaluate existence condition & compliance?

Venkata Naga Kartik Pidatala 10 Reputation points Microsoft Employee
2024-08-01T16:45:57.1366667+00:00

Our requirement is to build an Azure Policy with the Deploy If Not Exists effect to deploy/update an extension with certain settings. We are using the existence condition below in our custom policy. The issue is that, upon assigning the policy, even after deploying the extension on the VMs in scope, the policy still remains non-compliant with the reasons below. Thus, to reiterate, apart from a few extension settings subfields such as workspaceId etc. documented here - https://github.com/maciejporebski/azure-policy-aliases/blob/master/aliases/Microsoft.Compute/virtualMachines-extensions.md

Can the Azure Policy engine parse through extension settings?

[Screenshots of the existence condition and of the non-compliance reasons: not reproduced]

For more reference, below is how the extension settings look in PowerShell:

[Screenshot of the extension settings in PowerShell: not reproduced]

Azure Policy

2 answers

  1. Q&A Assist
    2024-08-01T16:45:57.1733333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Azure Policy can evaluate the existence of extension settings to determine compliance. However, the existence condition in the policy definition needs to be written correctly to evaluate the extension settings. The existence condition should use the same language as the policy rule for the if condition and should be evaluated against each related resource individually. If any matching related resource evaluates to true, the effect is satisfied and doesn't trigger the deployment. It's possible that the policy is not evaluating the extension settings correctly due to an incorrect existence condition.


  2. Sebastian Hoff 0 Reputation points Microsoft Employee
    2024-08-06T10:27:09.55+00:00

    Hello Venkata,

    The 'settings' property inside the resource type 'Microsoft.Compute/virtualMachines/extensions' returns an object (because of that, the output is masked in the Azure Portal). In order to use "contains", you would therefore first have to convert the object into a string. In theory, that would look like this, for example:

        {
          "value": "[string(field('Microsoft.Compute/virtualMachines/extensions/settings'))]",
          "contains": "enableAMA"
        }

    Sadly, this still wouldn't work in your scenario because, as opposed to the field accessor, the field() function looks at the if-section resource and not at the then-section resource.

    The above would only work for you if you checked the resource type 'Microsoft.Compute/virtualMachines/extensions' in the if-section of your policy definition. You could then use the condition from above (also in the if-section) to verify what's inside the 'settings' field.

    I hope this helps,

    Seb

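The following policy definition is an added example that applies the approach described in the answer above; it is not code from the question or from either answer. It evaluates the extension resource itself in the if-section, converts the 'settings' object to a string, and audits any extension whose serialized settings do not contain the expected key. The publisher filter (Microsoft.Azure.Monitor) and the searched substring ('enableAMA', taken from the answer above) are assumptions chosen for illustration; the effect is 'audit' rather than 'deployIfNotExists' because, as explained above, this check can only be made in the if-section.

```json
{
  "properties": {
    "displayName": "Audit VM extensions whose settings do not contain enableAMA (added example, assumed names)",
    "description": "Added example. Evaluates the extension resource in the if-section and flags extensions whose stringified settings lack the assumed key 'enableAMA'.",
    "mode": "All",
    "parameters": {
      "requiredSettingKey": {
        "type": "String",
        "metadata": {
          "displayName": "Required settings key",
          "description": "Substring that must appear in the serialized extension settings (assumed value for the example)."
        },
        "defaultValue": "enableAMA"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines/extensions"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
            "equals": "Microsoft.Azure.Monitor"
          },
          {
            "value": "[string(field('Microsoft.Compute/virtualMachines/extensions/settings'))]",
            "notContains": "[parameters('requiredSettingKey')]"
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
  }
}
```

Two caveats a practitioner should keep in mind. First, 'contains'/'notContains' on the serialized object is a plain substring match: it cannot distinguish `"enableAMA": true` from `"enableAMA": false`, and it will also match longer keys that happen to start with the same text, so pick the substring carefully and do not treat a compliant result as proof of the setting's value. Second, this definition only reports; to have the setting applied you still need a separate remediation (for example a DeployIfNotExists policy scoped to the VM with an existence condition on the fields that are exposed as aliases), since the stringified settings check is not available against the then-section resource.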
