Can Azure Policy parse extension settings to evaluate existence condition & compliance?

Question

Can Azure Policy parse extension settings to evaluate existence condition & compliance?

Anonymous

We want to build a policy with Deploy If Not Exists (effect) to deploy/update an extension with appropriate settings. We have the below existence condition with the last condition about the presence of a certain setting in extension settings. Is this valid? When assigning the policy to a scope, for example for a VM without the extension, the policy deploys the extension but still evaluates to be non-compliant. Thus, is to reiterate, is policy support evaluation limited to few subfields in extensions documented here ? https://github.com/maciejporebski/azure-policy-aliases/blob/master/aliases/Microsoft.Compute/virtualMachines-extensions.md

0 comments

1 answer

Your answer

Answer 1

Stanislav Zhelyazkov 29,586 MVP Volunteer Moderator

Hi,

It is not clear exactly what you want to achieve. May be will be good to elaborate and explain in details. Overall the link contains all the aliases for Azure VM extensions you can use in policy conditions. If certain property is not available as alias it cannot be used.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Anonymous

Apologies I had previously missed to paste/provide snapshots of existence condition and policy non-compliance explanation - basically our policy needs to be able to deploy an extension with settings "enableAMA" or update the extension is present with the same settings. Please see our existence condition, we are use a "contains" operator to check if the setting is present. The problem I am trying to highlight is policy is always showing non-compliance. Is this expected? Can it read extension settings. If this is possible, could you please suggest a workaround as our customers are blocked?

User's image

          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "equals": "samepleExtension"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Monitoring.samepleExtension"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",
                "equals": "Succeeded"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/settings",
                "contains": "enableAMA"
              }
            ]
          },

Stanislav Zhelyazkov 29,586 Reputation points MVP Volunteer Moderator

2024-08-03T05:11:07.0166667+00:00

Contains works on the values of arrays. Microsoft.Compute/virtualMachines/extensions/setting is an object. You can try with condition containsKey instead of contains and see if that works.
Anonymous

2024-08-05T16:18:22.45+00:00

Thank you for your suggestion, attempted - but seeing the below non-compliance message - I have raised a support ticket at this point.

"existenceCondition": {

  "allOf": [

{

  "field": "Microsoft.Compute/virtualMachines/extensions/type",

  "equals": "samepleExtension"

},

{

  "field": "Microsoft.Compute/virtualMachines/extensions/publisher",

  "equals": "Microsoft.Azure.Monitoring.samepleExtension"

},

{

  "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",

  "equals": "Succeeded"

},

{

  "value": "Microsoft.Compute/virtualMachines/extensions/settings",

  "containsKey": "enableAMA"

}

]

},

Reason for non-compliance

Current value must contain the target value as a key.

Expression

Microsoft.Compute/virtualMachines/extensions/settings

Current value

"Microsoft.Compute/virtualMachines/extensions/settings"

Target value

"enableAMA"

Share via

Can Azure Policy parse extension settings to evaluate existence condition & compliance?

1 answer

Your answer