Azure name pattern policy not working on subnet, but name pattern policy working for VNet

Kumar Biradar 96 Reputation points
2020-12-16T06:12:26.64+00:00

I have created one policy definition and policy assignment (name pattern) for the VNet, and another policy definition and assignment for the subnet.
The name pattern policy works only for the VNet; the subnet name pattern policy does not work.

Here I have attached my Terraform script as a .txt file

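   # Azure Policy definition: deny subnets whose name does not match the
   # pattern supplied at assignment time.
   #
   # mode must be "All", not "Indexed". Indexed mode only evaluates resource
   # types that support tags and location, and
   # Microsoft.Network/virtualNetworks/subnets supports neither, so an Indexed
   # definition never evaluates a subnet and the deny never fires. Note also
   # that a subnet declared inline in a VNet body is evaluated as part of the
   # parent virtualNetworks resource; catching those needs a second branch on
   # the Microsoft.Network/virtualNetworks/subnets[*].name alias. Deny only
   # blocks create/update requests; existing non-compliant subnets are reported.
   resource "azurerm_policy_definition" "subnetpolicy" {
     name         = "subnet-Naming-Convention"
     policy_type  = "Custom"
     mode         = "All"
     display_name = "Subnet_Naming_Convention"

     metadata = jsonencode({
       category = "Naming"
     })

     # "match" is case-sensitive: "?" matches one letter, "#" one digit, any
     # other character matches itself literally.
     policy_rule = jsonencode({
       if = {
         allOf = [
           {
             not = {
               field = "name"
               match = "[parameters('namePattern')]"
             }
           },
           {
             field  = "type"
             equals = "Microsoft.Network/virtualNetworks/subnets"
           },
         ]
       }
       then = {
         effect = "deny"
       }
     })

     parameters = jsonencode({
       namePattern = {
         type = "String"
         metadata = {
           displayName = "namePattern"
           description = "? for letter, # for numbers"
         }
       }
     })
   }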
     
     
   # Assign the subnet naming definition at var.scope and supply the concrete
   # pattern. NOTE: azurerm_policy_assignment was removed in azurerm provider
   # v3; on v3+ the scope-specific resources (e.g.
   # azurerm_subscription_policy_assignment) replace it.
   resource "azurerm_policy_assignment" "subnetpolicy-assignment" {
     name                 = "Naming-Convention-Assignment-Subnet"
     display_name         = "Naming-Convention-Assignment-For-Subnet"
     description          = "Naming convention for subnet"
     scope                = var.scope
     policy_definition_id = azurerm_policy_definition.subnetpolicy.id

     # "?" = one letter, "#" = one digit; var.env is inserted as literal text,
     # so the environment segment must match exactly (match is case-sensitive).
     parameters = jsonencode({
       namePattern = {
         value = "snet-${var.env}-??????-###"
       }
     })
   }
     
     
   # Azure Policy definition: deny virtual networks whose name does not match
   # the pattern supplied at assignment time. Indexed mode is sufficient here
   # because Microsoft.Network/virtualNetworks supports tags and location.
   resource "azurerm_policy_definition" "vnetpolicy" {
     name         = "Virtual-Network-Naming-Convention"
     display_name = "Virtual_Network_Naming_Convention"
     policy_type  = "Custom"
     mode         = "Indexed"

     metadata = jsonencode({
       category = "Naming"
     })

     # "equals" on the type field is case-insensitive, so the mixed-case
     # "VirtualNetworks" value still matches. "match" is case-sensitive:
     # "?" is one letter, "#" one digit, any other character is literal.
     policy_rule = jsonencode({
       if = {
         allOf = [
           {
             not = {
               field = "name"
               match = "[parameters('namePattern')]"
             }
           },
           {
             field  = "type"
             equals = "Microsoft.Network/VirtualNetworks"
           },
         ]
       }
       then = {
         effect = "deny"
       }
     })

     parameters = jsonencode({
       namePattern = {
         type = "String"
         metadata = {
           displayName = "namePattern"
           description = "? for letter, # for numbers"
         }
       }
     })
   }
     
     
   # Assign the VNet naming definition at var.scope and supply the concrete
   # pattern. NOTE: azurerm_policy_assignment was removed in azurerm provider
   # v3; on v3+ the scope-specific resources (e.g.
   # azurerm_subscription_policy_assignment) replace it.
   resource "azurerm_policy_assignment" "vnetpolicy-assignment" {
     name                 = "Naming-Convention-Assignment-For-Vnet"
     display_name         = "Naming-Convention-Assignment-For-Virtual-Network"
     description          = "Naming convention for Vnet"
     scope                = var.scope
     policy_definition_id = azurerm_policy_definition.vnetpolicy.id

     # "?" = one letter, "#" = one digit; "vnet-" and "-" are literal.
     parameters = jsonencode({
       namePattern = {
         value = "vnet-????-????-###"
       }
     })
   }

48603-mainvnet.txt


Accepted answer
  1. Kumar Biradar 96 Reputation points
    2020-12-24T14:36:31.267+00:00

    I used the code below and it started working

    # Combined rule with two branches. A subnet declared inline in a VNet body
    # is evaluated as part of the parent virtualNetworks resource, so the first
    # allOf checks it through the subnets[*].name alias; a subnet created as its
    # own resource is evaluated under the virtualNetworks/subnets type, which
    # the second allOf covers. The second branch is only reached when the
    # definition's mode is "All": "Indexed" skips subnets, which support
    # neither tags nor location. Deny blocks create/update requests only;
    # existing non-compliant resources are reported, not removed.
    # The enclosing azurerm_policy_definition block is not shown here.
    policy_rule = <<POLICY_RULE
      {
        "if": {
          "anyOf": [
            {
              "allOf": [
                {
                  "field": "type",
                  "equals": "Microsoft.Network/virtualNetworks"
                },
                {
                  "not": {
                    "field": "Microsoft.Network/virtualNetworks/subnets[*].name",
                    "match": "[parameters('namePattern')]"
                  }
                }
              ]
            },
            {
              "allOf": [
                {
                  "field": "type",
                  "equals": "Microsoft.Network/virtualNetworks/subnets"
                },
                {
                  "not": {
                    "field": "name",
                    "match": "[parameters('namePattern')]"
                  }
                }
              ]
            }
          ]
        },
        "then": {
          "effect": "Deny"
        }
      }
    POLICY_RULE
    

