Azure Policy - value count not behaving as expected

Question

Azure Policy - value count not behaving as expected

Niclas Madsen 0 MVP

Hello,

I am trying to create a policy that will only allow certain values in a specific tag name.

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure#value-count-examples

According to the examples and the description of "current", then it should evaluate each array value and see if they match the where clause.

E.g. Environment = DEV
Environment = STG
Environment = PRD.

This behavior seem to not be true though?!

User's image

This is a picture of the non-compliance for a resource group that SHOULD BE compliant, since the tag is Environment = DEV.

I tried to put the Count.value = DEV and that one is working, but as soon as there are more values in the array, it is not working. It is showing compliance only for the incorrect tags.

Furthermore, I have tried to use match, like, and notmatch instead of equals. Also not after where. I also tried to parameterized the array with no difference.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "count": {
            "value": [
              "DEV",
              "STG",
              "PRD"
            ],
            "where": {
              "field": "[concat('tags[', parameters('envTagName'), ']')]",
              "equals": "[current()]"
            }
          },
          "greaterOrEquals": 1
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the audit policy"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    },
    "envTagName": {
      "type": "String",
      "metadata": {
        "displayName": "Environment Tag Name",
        "description": "Name of the tag, such as 'environment'"
      },
      "defaultValue": "Environment"
    }
  }
}

1 answer

Your answer

Answer 1

Luke Murray 11,436 MVP Volunteer Moderator

Take a look at the Array, its a new feature in Q4 of 2022:

"parameters": {
    "allowedLocations": {
        "type": "array",
        "metadata": {
            "description": "The list of allowed locations for resources.",
            "displayName": "Allowed locations",
            "strongType": "location"
        },
        "defaultValue": "eastus2",
        "allowedValues": [
            "eastus2",
            "eastus",
            "westus2"
        ]

    }
}

https://learn.microsoft.com/en-us/azure/governance/policy/how-to/author-policies-for-arrays

Niclas Madsen 0 MVP

Thanks, although this does not help my problem. I have already tried using a parameterized value.
So it does not matter if you use a parameterized array or create the array in the count.value, the issue is the same.

{
	"properties": {
		"displayName": "Require tags and its values on resource groups",
		"policyType": "Custom",
		"mode": "All",
		"description": "Enforces a required tag and its value on resource groups.",
		"metadata": {
			"version": "1.0.0",
			"category": "Tags"
		},
		"version": "1.0.0",
		"parameters": {
			"effect": {
				"type": "String",
				"metadata": {
					"displayName": "Effect",
					"description": "Enable or disable the execution of the audit policy"
				},
				"allowedValues": [
					"Audit",
					"Deny",
					"Disabled"
				],
				"defaultValue": "Deny"
			},
			"envTagName": {
				"type": "String",
				"metadata": {
					"displayName": "Environment Tag Name",
					"description": "Name of the tag, such as 'environment'"
				},
				"defaultValue": "Environment"
			},
			"envAllowedTagValues": {
				"type": "Array",
				"metadata": {
					"displayName": "Tag Values",
					"description": "Value of the tag, such as 'DEV'"
				},
				"allowedValues": [
					"DEV",
					"STG",
					"PRD"
				],
				"defaultValue": [
					"DEV",
					"STG",
					"PRD"
				]
			}
		},
		"policyRule": {
			"if": {
				"allOf": [
					{
						"field": "type",
						"equals": "Microsoft.Resources/subscriptions/resourceGroups"
					},
					{
						"count": {
							"value": "[parameters('envAllowedTagValues')]",
							"name": "namePatternRequiredTag",
							"where": {
									"field": "[concat('tags[', parameters('envTagName'), ']')]",
									"equals": "[current('namePatternRequiredTag')]"
							}
						},
						"greaterOrEquals": 1
					}
				]
			},
			"then": {
				"effect": "[parameters('effect')]"
			}
		}
	}
}

Luke Murray 11,436 MVP Volunteer Moderator

I'm doing some testing.

Just waiting for compliance to update so far:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "count": {
            "value": [
              "Dev",
              "Stg",
              "Prod"
            ],
            "where": {
              "field": "[concat('tags[', parameters('envTagName'), ']')]",
              "notEquals": "[current()]"
            }
          },
          "greaterOrEquals": 1
        }
      ]
    },
    "then": {
      "effect": "Audit"
    }
  },
  "parameters": {
    "envTagName": {
      "type": "String",
      "metadata": {
        "displayName": "Environment Tag Name",
        "description": "Name of the tag, such as 'environment'"
      },
      "defaultValue": "Environment"
    }
  }
}

Same error, will do some further checking:

User's image

Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-01-29T23:46:42.0366667+00:00

{share} - Here is an example Community policy: https://github.com/Azure/Community-Policy/tree/master/Policies/Tags/require-tag-and-value-from-set
Niclas Madsen 0 Reputation points MVP

2023-01-29T23:56:11.5633333+00:00

I have seen this policy using "in". This is case-insensitive. I would preferably like to use "match", which is why I used the count value. So the question is really not so much about the policy anymore, but more about the "value count" + current-function seems to be bugged.
SwathiDhanwada-MSFT 18,996 Reputation points Moderator

2023-01-31T03:40:12.3166667+00:00

Niclas - I am checking this with product team. I will respond to you as soon as I get a response. Thanks for reporting this.
Niclas Madsen 0 Reputation points MVP

2023-02-01T18:50:52.31+00:00

@SwathiDhanwada-MSFT any news?
SwathiDhanwada-MSFT 18,996 Reputation points Moderator

2023-02-03T14:01:04.29+00:00

It seems count is reserved for aliases that are arrays. Tag values do not support arrays. Hence your policy isn't working as expected.
SwathiDhanwada-MSFT 18,996 Reputation points Moderator

2023-02-08T05:06:02.2066667+00:00

Hope the information provided is useful. Let me know if you have further questions.
Niclas Madsen 0 Reputation points MVP

2023-02-16T23:42:52.8333333+00:00

I think you should update the documentation around this. You can close the ticket. Thanks

Share via

Azure Policy - value count not behaving as expected

1 answer

Your answer