I tried reproducing the situation through the SandBox environment provided through this tutorial, and the following were my observations:
- An Azure Policy Initiative "containers-assignment" is assigned to the scope "Concierge Subscription/learn-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", which has the following Policies:
- The definition of the Policy "Allowed resource types" (Reference ID: allowed-resource-types_1) is as follows:
  {
    "properties": {
      "displayName": "Allowed resource types",
      "policyType": "BuiltIn",
      "mode": "Indexed",
      "description": "This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'.",
      "metadata": {
        "version": "1.0.0",
        "category": "General"
      },
      "parameters": {
        "listOfResourceTypesAllowed": {
          "type": "Array",
          "metadata": {
            "description": "The list of resource types that can be deployed.",
            "displayName": "Allowed resource types",
            "strongType": "resourceTypes"
          }
        }
      },
      "policyRule": {
        "if": {
          "not": {
            "field": "type",
            "in": "[parameters('listOfResourceTypesAllowed')]"
          }
        },
        "then": {
          "effect": "deny"
        }
      }
    },
    "id": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c",
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "a08ec900-254a-4555-9bf5-e42af04b5c5c"
  }
- Upon attempting a Duplicate Initiative operation, under the Policy Parameters I could see:
- Among the 37 selected values for the "Allowed resource types" parameter name (Reference ID: allowed-resource-types_1), virtualMachineScaleSet/* resource types were not selected. Hence I am assuming that the existing Initiative definition wasn't assigned with these values in the Policy Parameters > Allowed resource types parameter. This disallowed your AKS node pool Virtual Machine Scale Set aks-nodepool1-12846700-vmss from being deployed.
- As it so happens that the user of the SandBox environment provided through this tutorial does not have Microsoft.Authorization/PolicyAssignments/write permission on the scope "Concierge Subscription/learn-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", and hence the container-initiative automated assignment cannot be modified or removed by the user.
I would recommend you to report this issue at the Report feedback section at the end of this document (as shown below). You can add details from this thread to support your feedback.
----
Hope this helps.
Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
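As an added illustration (not part of the thread above, and not Azure Policy's own evaluation engine), the Python model below works through the rule quoted in the answer: "if the resource type is not in the allowed list, then deny". It parses the policyRule from the definition, honours the "Indexed" mode caveat (types without tags/location are not evaluated), and shows the node pool scale set being denied under an assignment that omits its type and allowed once the type is added. The list of allowed types is constructed (the thread says 37 values were selected but does not list them), the resource type name Microsoft.Compute/virtualMachineScaleSets is the standard Azure name and is assumed here, and the "supportsTagsAndLocation" flag is a stand-in for the property Azure uses for Indexed mode.

```python
import json

# The "Allowed resource types" definition quoted in the thread, trimmed to the
# parts that drive evaluation (mode, parameters, policyRule).
POLICY_DEFINITION = json.loads("""
{
  "properties": {
    "mode": "Indexed",
    "parameters": {"listOfResourceTypesAllowed": {"type": "Array"}},
    "policyRule": {
      "if": {"not": {"field": "type",
                     "in": "[parameters('listOfResourceTypesAllowed')]"}},
      "then": {"effect": "deny"}
    }
  }
}
""")

# Constructed parameter values for the assignment; the thread does not list the
# 37 selected types, so this subset is an assumption for illustration only.
ASSIGNED_PARAMS = {
    "listOfResourceTypesAllowed": [
        "Microsoft.ContainerService/managedClusters",
        "Microsoft.Network/virtualNetworks",
        "Microsoft.Compute/virtualMachines",
    ]
}

# The same assignment with the scale set type added (standard Azure type name,
# assumed; the thread only says "virtualMachineScaleSet/*" was not selected).
FIXED_PARAMS = {
    "listOfResourceTypesAllowed": ASSIGNED_PARAMS["listOfResourceTypesAllowed"]
    + ["Microsoft.Compute/virtualMachineScaleSets"]
}

# Constructed resources: the node pool scale set named in the thread and the AKS
# cluster. "supportsTagsAndLocation" stands in for the property that decides
# whether "Indexed" mode evaluates a type at all.
VMSS_RESOURCE = {
    "name": "aks-nodepool1-12846700-vmss",
    "type": "Microsoft.Compute/virtualMachineScaleSets",
    "supportsTagsAndLocation": True,
}
AKS_RESOURCE = {
    "name": "example-cluster",
    "type": "Microsoft.ContainerService/managedClusters",
    "supportsTagsAndLocation": True,
}


def resolve(value, params):
    """Resolve a "[parameters('name')]" expression; anything else is a literal."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def _norm(value):
    # Azure Policy compares resource type strings case-insensitively.
    return value.lower() if isinstance(value, str) else value


def condition_matches(cond, resource, params):
    """Evaluate the subset of the condition language this definition uses."""
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource, params) for c in cond["anyOf"])
    field_value = _norm(resource.get(cond["field"]))
    if "in" in cond:
        return field_value in {_norm(v) for v in resolve(cond["in"], params)}
    if "equals" in cond:
        return field_value == _norm(resolve(cond["equals"], params))
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, params, resource):
    """Return 'deny', 'allow' (rule did not match) or 'notApplicable'."""
    props = policy["properties"]
    # "Indexed" mode skips resource types that do not support tags and location.
    if props["mode"] == "Indexed" and not resource.get("supportsTagsAndLocation", True):
        return "notApplicable"
    rule = props["policyRule"]
    if condition_matches(rule["if"], resource, params):
        return rule["then"]["effect"]
    return "allow"


def missing_allowed_types(params, resources):
    """Resource types among `resources` that the assignment does not allow."""
    allowed = {_norm(t) for t in params["listOfResourceTypesAllowed"]}
    return sorted({r["type"] for r in resources if _norm(r["type"]) not in allowed})


if __name__ == "__main__":
    for label, params in (("as assigned", ASSIGNED_PARAMS), ("with VMSS added", FIXED_PARAMS)):
        for res in (AKS_RESOURCE, VMSS_RESOURCE):
            print(f"{label}: {res['name']} -> {evaluate(POLICY_DEFINITION, params, res)}")
    print("types to add:", missing_allowed_types(ASSIGNED_PARAMS, [AKS_RESOURCE, VMSS_RESOURCE]))
```

The `missing_allowed_types` helper is the check worth running before assigning such a policy to a subscription that hosts AKS: the cluster resource itself may be allowed while the managed node pool scale sets it creates are not, which is exactly the deny seen in the thread.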