Azure Policy, exclude resource type

Question

Azure Policy, exclude resource type

Sumeet Sharma 0

I am currently using this policy to successfully disable public access for Azure Storage accounts. However, when provisioning Function Apps or App Services, the same policy is preventing their creation. I am attempting to make adjustments to the policy to exclude Function Apps and App Services, allowing them to be created without being blocked by this Policy.

Here is the JSON I have tried, but it is not working as expected. It is still blocking the creation of Function Apps and App Services, indicating that Azure Storage account public access should be restricted.

Tried to use the this policy to exempt the function and app services but still being blocked by the Policy.

Kindly suggest what adjustments to make to allow Azure app services to deploy without being blocked by the Storage accounts should restrict network access policy, or is there any better approach to deal with it. ?

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "notequals": "Microsoft.Web/sites"
        },
        {
          "anyOf": [
            {
              "field": "type",
              "equals": "Microsoft.Storage/storageAccounts"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
              "notEquals": "Deny"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "The effect determines what happens when the policy rule is evaluated to match"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  }
}

tbgangav-MSFT 10,426 Moderator

Hi @Sumeet Sharma ,

To exclude Function Apps and App Services from the policy that restricts public access to Azure Storage accounts, you can modify the existing policy rule to include an additional condition that checks for the resource type of Function Apps and App Services and excludes them from the policy. Here is an example of what the modified policy rule might look like:

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "not": {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          }
        },
        {
          "anyOf": [
            {
              "field": "type",
              "equals": "Microsoft.Storage/storageAccounts"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
              "notEquals": "Deny"
            }
          ]
        },
        {
          "not": {
            "anyOf": [
              {
                "field": "type",
                "equals": "Microsoft.Web/sites"
              },
              {
                "field": "type",
                "equals": "Microsoft.Web/serverFarms"
              }
            ]
          }
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "The effect determines what happens when the policy rule is evaluated to match"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  }
}

This policy rule includes an additional condition that excludes resources of type "Microsoft.Web/sites" and "Microsoft.Web/serverFarms" (which are used by App Services) from the policy. You may try this one and see if it helps.

References:

Sumeet Sharma 0 Reputation points

2023-11-25T12:36:24.0266667+00:00

this is still not working

1 answer

Your answer

tbgangav-MSFT 10,426 Reputation points Moderator

2023-11-23T18:09:36.0933333+00:00

Hi @Sumeet Sharma ,

To exclude Function Apps and App Services from the policy that restricts public access to Azure Storage accounts, you can modify the existing policy rule to include an additional condition that checks for the resource type of Function Apps and App Services and excludes them from the policy. Here is an example of what the modified policy rule might look like:

{ "mode": "Indexed", "policyRule": { "if": { "allOf": [ { "not": { "field": "type", "equals": "Microsoft.Web/sites" } }, { "anyOf": [ { "field": "type", "equals": "Microsoft.Storage/storageAccounts" }, { "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "notEquals": "Deny" } ] }, { "not": { "anyOf": [ { "field": "type", "equals": "Microsoft.Web/sites" }, { "field": "type", "equals": "Microsoft.Web/serverFarms" } ] } } ] }, "then": { "effect": "[parameters('effect')]" } }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "The effect determines what happens when the policy rule is evaluated to match" }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" } } }

This policy rule includes an additional condition that excludes resources of type "Microsoft.Web/sites" and "Microsoft.Web/serverFarms" (which are used by App Services) from the policy. You may try this one and see if it helps.

References:

Remediate anonymous read access to blob data (Azure Resource Manager deployments)

Azure Policy built-in policy definitions - App Service
Sumeet Sharma 0 Reputation points

2023-11-25T12:36:24.0266667+00:00

this is still not working

Answer 1

it is working applying this policy

{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "not": {
            "field": "type",
            "equals": "Microsoft.Web/serverfarms"
          }
        },
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Storage/storageAccounts"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
              "equals": "Allow"
            }
          ]
        },
        {
          "not": {
            "anyOf": [
              {
                "field": "type",
                "equals": "Microsoft.Web/sites"
              },
              {
                "field": "type",
                "equals": "Microsoft.Web/serverfarms"
              }
            ]
          }
        }
      ],
      "allOf": [
        {
          "not": {
            "field": "type",
            "equals": "Microsoft.Web/serverfarms"
          }
        },
        {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Storage/storageAccounts"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
              "equals": "Allow"
            }
          ]
        },
        {
          "not": {
            "anyOf": [
              {
                "field": "type",
                "equals": "Microsoft.Web/sites"
              },
              {
                "field": "type",
                "equals": "Microsoft.Web/serverfarms"
              }
            ]
          }
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "The effect determines what happens when the policy rule is evaluated to match"
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  }
}

Share via

Azure Policy, exclude resource type

1 answer

Your answer