Hello Venkata Naga Kartik Pidatala,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
Problem
I understand that you are using an existence condition in your custom policy and, because of the error you encountered, you would like to confirm whether Azure Policy parses extension settings when it evaluates the existence condition and compliance.
Solution
Azure Policy can evaluate existence conditions and compliance based on extension settings. When using the DeployIfNotExists effect, you can define an existence condition that specifies the desired state of an extension.
There are a few ways you can make it work:
- You can specify conditions based on specific subfields within the extension settings, such as workspaceId, as documented in https://github.com/maciejporebski/azure-policy-aliases/blob/master/aliases/Microsoft.Compute/virtualMachines-extensions.md
- The existence condition is evaluated individually for each related resource. So, you need to match the related resources so that if any related resource meets the specified condition, the policy is considered compliant for that resource, and if no related resource matches the condition, the policy triggers the deployment of the specified ARM template.
- Policies with the DeployIfNotExists effect require a managed identity with appropriate permissions to perform remediation, so ensure the managed identity has the necessary rights to deploy resources.
- Lastly, you will need to verify that your existence condition accurately identifies the related resources and review the ARM template used for deployment to ensure it aligns with your desired extension settings.
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.
Best Regards,
Sina Salam