ARM template does not identify policy function

Jorell Macapagal 41 Reputation points
2021-12-21T08:40:44.36+00:00

When trying to deploy policy definitions using New-AzSubscriptionDeployment, it doesn't recognize the built-in policy functions.

Below is the deployment JSON.

{  
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",  
    "contentVersion": "1.0.0.0",  
    "resources": [  
        {  
            "type": "Microsoft.Authorization/policyDefinitions",  
            "name": "storage-audit-secure-transfer-enabled",  
            "apiVersion": "2019-09-01",  
            "properties": {  
                "displayName": "storage-audit-secure-transfer-enabled",  
                "policyType": "Custom",  
                "mode": "All",  
                "description": "Audit requirement of Secure transfer in your storage account.",  
                "parameters": {},  
                "policyRule": {  
                    "if": {  
                        "allOf": [  
                            {  
                                "field": "type",  
                                "equals": "Microsoft.Storage/storageAccounts"  
                            },  
                            {  
                                "anyOf": [  
                                    {  
                                        "allOf": [  
                                            {  
                                                "value": "[requestContext().apiVersion]",  
                                                "less": "2019-04-01"  
                                            },  
                                            {  
                                                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",  
                                                "exists": "false"  
                                            }  
                                        ]  
                                    },  
                                    {  
                                        "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",  
                                        "equals": "false"  
                                    }  
                                ]  
                            }  
                        ]  
                    },  
                    "then": {  
                        "effect": "audit"  
                    }  
                }  
            }  
        }  
    ]  
}  
Azure Policy

An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

Answer accepted by question author

AnuragSingh-MSFT 21,566 Reputation points Moderator
2021-12-23T14:10:19.663+00:00

Hi @Jorell Macapagal ,

Welcome to Microsoft Q&A! Thanks for posting the question.

There are some differences in functions() as available in ARM templates and Policy definition. The requestContext().apiVersion function is available to use in a policy rule, but differs from use in an Azure Resource Manager template (ARM template). Similarly, all Resource Manager template functions are available to use within a policy rule, except a few functions and user-defined functions.

Please refer to this link for more details.

As a workaround, I would request using the Portal to create Policy definition when these functions are to be used. Please let me know if you have any questions.

1 person found this answer helpful.
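
Added example, not part of the original thread and not Microsoft's code: ARM treats a string value that starts with `[` and ends with `]` as a template expression, so the deployment tries to resolve `requestContext()` itself, while a leading `[[` makes the string a literal that reaches the policy engine as `[requestContext().apiVersion]`. The Python sketch below applies that escape to each `policyRule` before the template is passed to New-AzSubscriptionDeployment and lists any expressions still unescaped. It assumes every expression inside `policyRule` is meant for the policy engine; the function names and `SAMPLE` (a constructed, trimmed version of the template in the question) are hypothetical.

```python
import copy

POLICY_TYPE = "microsoft.authorization/policydefinitions"

def is_unescaped(value):
    """True for strings ARM would evaluate: '[...]' without the '[[' escape."""
    return (isinstance(value, str) and value.startswith("[")
            and value.endswith("]") and not value.startswith("[["))

def escape(node):
    """Recursively add the extra '[' to every expression string under node."""
    if isinstance(node, dict):
        return {k: escape(v) for k, v in node.items()}
    if isinstance(node, list):
        return [escape(v) for v in node]
    return "[" + node if is_unescaped(node) else node

def find_unescaped(node, path="policyRule"):
    """Return JSON paths of expressions ARM would try to evaluate (CI check)."""
    if isinstance(node, dict):
        return [p for k, v in node.items() for p in find_unescaped(v, f"{path}.{k}")]
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in find_unescaped(v, f"{path}[{i}]")]
    return [path] if is_unescaped(node) else []

def escape_policy_rules(template):
    """Return a copy of the template with each policy definition's policyRule escaped."""
    out = copy.deepcopy(template)
    for res in out.get("resources", []):
        props = res.get("properties", {})
        if res.get("type", "").lower() == POLICY_TYPE and "policyRule" in props:
            props["policyRule"] = escape(props["policyRule"])
    return out

# Constructed sample: a trimmed version of the template from the question.
SAMPLE = {"resources": [{
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "storage-audit-secure-transfer-enabled",
    "properties": {"policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"value": "[requestContext().apiVersion]", "less": "2019-04-01"}]},
        "then": {"effect": "audit"}}}}]}

if __name__ == "__main__":
    fixed = escape_policy_rules(SAMPLE)
    for label, tpl in (("before", SAMPLE), ("after", fixed)):
        print(label, find_unescaped(tpl["resources"][0]["properties"]["policyRule"]))
```
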
