Azure Policy: Cosmos DB Backup type

Christophe Humbert 121 Reputation points
2024-11-15T09:13:18.0933333+00:00

Hello

I have the following policy where I want to check if the Cosmos DB are in Continuous Backup Mode (ideally later to check for 30D but first things first)

I did this very basic Policy but the result is the opposite of the expectations

{
  "properties": {
    "displayName": "Azure Cosmos Backup Definition [test]",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy enables you to audit that continuous backup is enabled",
    "metadata": {
      "category": "Cosmos DB"
    },
    "version": "1.0.0",
    "parameters": {
      "policyEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Policy Effect",
          "description": "The desired effect of the policy."
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "field": "Microsoft.DocumentDB/databaseAccounts/backupPolicy.type",
            "equals": "Continuous"
          }
        ]
      },
      "then": {
        "effect": "[parameters('policyEffect')]"
      }
    },
    "versions": [
      "1.0.0"
    ]
  },
  "id": "/providers/Microsoft.Management/managementGroups/xxxxxxx/providers/Microsoft.Authorization/policyDefinitions/06899040-902a-4816-aa1f-0db587e207a0",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "06899040-902a-4816-aa1f-0db587e207a0",
  "systemData": {
    "createdBy": "wwwwwwwwwwww",
    "createdByType": "User",
    "createdAt": "2024-11-14T14:12:57.15076Z",
    "lastModifiedBy": "zzzzzzzz",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2024-11-14T14:55:59.7193798Z"
  }
}


and the result is the opposite of the expected outcome, with the Cosmos DB backup policy Continuous marked as non-compliant

See non-compliant message:

Reason for non-compliance: Current value must not be equal to the target value.
Field: Microsoft.DocumentDB/databaseAccounts/backupPolicy.type
Path: properties.backupPolicy.type
Current value: "Continuous"
Target value: "Continuous"

Thanks


Accepted answer
  1. Sai Raghunadh M 1,295 Reputation points Microsoft Vendor
    2024-11-15T11:39:08.7666667+00:00

    Hi @Christophe Humbert,

    Thanks for the question and using MS Q&A platform.

    It seems that you're trying to create an Azure Policy to ensure that Azure Cosmos DB resources are in Continuous Backup Mode. However, the policy you're currently using is returning the opposite result of what you expect.

    Your policy uses the "equals" condition to check if the backupPolicy.type is set to "Continuous". This is fine for checking the compliance of resources, but the non-compliant message you're seeing suggests that the policy logic isn't behaving as expected.

    You should use the notEquals condition to check that the backupPolicy.type is not "Continuous". This way, if the backupPolicy.type is anything other than "Continuous", the resource will be flagged as non-compliant.

    Please try this updated Policy rule

    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "field": "Microsoft.DocumentDB/databaseAccounts/backupPolicy.type",
            "notEquals": "Continuous"
          }
        ]
      },
      "then": {
        "effect": "[parameters('policyEffect')]"
      }
    }
    

    Hope this helps. Do let us know if you have any further queries. If this answers your query, do click Accept Answer and Yes for "was this answer helpful". And, if you have any further query, do let us know.

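As an added illustration (not code from either answer), a small Python model of how Azure Policy evaluates the `if` block: the `then` effect applies to every resource the condition selects, so with an Audit effect a match is exactly what gets reported as non-compliant. The alias-to-path table and the two sample accounts are constructed for this example.

```python
# Minimal model of Azure Policy 'if' evaluation, constructed for this thread.
# The 'then' effect (Audit/Deny) applies to every resource the 'if' block selects,
# so a match is what gets reported as NonCompliant. ALIASES is an assumed stand-in
# for Azure's real alias catalogue.
ALIASES = {
    "type": "type",
    "Microsoft.DocumentDB/databaseAccounts/backupPolicy.type": "properties.backupPolicy.type",
}

def resolve(resource, alias):
    """Follow the dotted property path behind an alias; None if the path is absent."""
    node = resource
    for part in ALIASES[alias].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def same(a, b):
    """Azure Policy compares strings case-insensitively."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b

def matches(condition, resource):
    """Evaluate allOf / anyOf / equals / notEquals against one resource."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    value = resolve(resource, condition["field"])
    if "equals" in condition:
        return same(value, condition["equals"])
    if "notEquals" in condition:
        return not same(value, condition["notEquals"])
    raise ValueError(f"unsupported condition: {condition}")

def compliance_state(policy_rule, resource):
    """NonCompliant exactly when the rule's 'if' selects the resource (Audit/Deny effect)."""
    return "NonCompliant" if matches(policy_rule["if"], resource) else "Compliant"

ACCOUNT = {"field": "type", "equals": "Microsoft.DocumentDB/databaseAccounts"}
BACKUP = "Microsoft.DocumentDB/databaseAccounts/backupPolicy.type"
ORIGINAL_RULE = {"if": {"allOf": [ACCOUNT, {"field": BACKUP, "equals": "Continuous"}]}}
CORRECTED_RULE = {"if": {"allOf": [ACCOUNT, {"field": BACKUP, "notEquals": "Continuous"}]}}

# Constructed sample accounts, not real resources.
CONTINUOUS_ACCOUNT = {"type": "Microsoft.DocumentDB/databaseAccounts",
                      "properties": {"backupPolicy": {"type": "Continuous"}}}
PERIODIC_ACCOUNT = {"type": "Microsoft.DocumentDB/databaseAccounts",
                    "properties": {"backupPolicy": {"type": "Periodic"}}}
```

Running `compliance_state` with `ORIGINAL_RULE` reports the continuous account as NonCompliant, which is the result in the question; `CORRECTED_RULE` instead flags only the periodic account.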

1 additional answer

  1. Sina Salam 13,371 Reputation points
    2024-11-15T11:34:01.19+00:00

    Hello Christophe Humbert,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to evaluate and check if the Cosmos DB are in Continuous Backup Mode.

    Your policy is correctly set up to check if the Cosmos DB accounts have the backup policy type set to Continuous. But the non-compliance message suggests that there might be an issue with how the policy is being evaluated or applied.

    For this review, there are a few things to check and try as listed below:

    • Check that the policy is assigned to the correct scope (e.g., subscription, resource group) where your Cosmos DB accounts are located.
    • Policy evaluations can take some time to reflect the correct compliance state. You might want to manually trigger a policy evaluation to see if the compliance state updates correctly.
    • Double-check the field path in your policy definition. The path should match exactly with the structure of the resource properties. In your case, it looks correct, but it’s worth verifying against the actual resource properties.
    • Make sure that the policy effect is set correctly. Since you are using “Audit”, it should only log the compliance state without enforcing any changes.

    This is a slightly modified version of your policy definition for clarity as discussed:

    {
      "properties": {
        "displayName": "Azure Cosmos Backup Definition [test]",
        "policyType": "Custom",
        "mode": "All",
        "description": "This policy enables you to audit that continuous backup is enabled",
        "metadata": {
          "category": "Cosmos DB"
        },
        "version": "1.0.0",
        "parameters": {
          "policyEffect": {
            "type": "String",
            "metadata": {
              "displayName": "Policy Effect",
              "description": "The desired effect of the policy."
            },
            "allowedValues": [
              "Audit",
              "Disabled"
            ],
            "defaultValue": "Audit"
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.DocumentDB/databaseAccounts"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/backupPolicy.type",
                "equals": "Continuous"
              }
            ]
          },
          "then": {
            "effect": "[parameters('policyEffect')]"
          }
        }
      },
      "id": "/providers/Microsoft.Management/managementGroups/xxxxxxx/providers/Microsoft.Authorization/policyDefinitions/06899040-902a-4816-aa1f-0db587e207a0",
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "06899040-902a-4816-aa1f-0db587e207a0",
      "systemData": {
        "createdBy": "wwwwwwwwwwww",
        "createdByType": "User",
        "createdAt": "2024-11-14T14:12:57.15076Z",
        "lastModifiedBy": "zzzzzzzz",
        "lastModifiedByType": "User",
        "lastModifiedAt": "2024-11-14T14:55:59.7193798Z"
      }
    }
    

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

