Azure Function Apps - Deny policy not working

PatricS 61 Reputation points
2022-02-09T09:10:39.937+00:00

I'm trying to use a deny policy for Function apps.
It passes evaluation when I'm deploying a function app, but if I try to modify/update settings afterwards the policy kicks in.
So it kind of works?

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Web/sites"
        },
        {
          "field": "kind",
          "like": "functionapp*"
        },
        {
          "field": "Microsoft.Web/sites/httpsOnly",
          "equals": "false"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

Accepted answer
  1. SwathiDhanwada-MSFT 17,136 Reputation points
    2022-02-15T16:55:00.19+00:00

    @PatricSen It's possible. Here is the policy definition which I have tested.

    {
      "properties": {
        "displayName": "FunctionApp",
        "policyType": "Custom",
        "mode": "All",
        "parameters": {
          "effect": {
            "type": "String",
            "metadata": {
              "displayName": "Effect",
              "description": "Enable or disable the execution of the policy"
            },
            "allowedValues": [
              "DeployIfNotExists",
              "AuditIfNotExists",
              "Disabled"
            ],
            "defaultValue": "DeployIfNotExists"
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Web/sites"
              },
              {
                "field": "kind",
                "like": "functionapp*"
              }
            ]
          },
          "then": {
            "effect": "[parameters('effect')]",
            "details": {
              "type": "Microsoft.Web/sites",
              "name": "[field('name')]",
              "existenceCondition": {
                "field": "Microsoft.Web/sites/httpsOnly",
                "equals": "true"
              },
              "roleDefinitionIds": [
                "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
              ],
              "deployment": {
                "properties": {
                  "mode": "incremental",
                  "parameters": {
                    "functionname": {
                      "value": "[field('name')]"
                    },
                    "location": {
                      "value": "[field('location')]"
                    },
                    "kind": {
                      "value": "[field('kind')]"
                    }
                  },
                  "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                      "functionname": {
                        "type": "string"
                      },
                      "location": {
                        "type": "string"
                      },
                      "kind": {
                        "type": "string"
                      }
                    },
                    "resources": [
                      {
                        "type": "Microsoft.Web/sites",
                        "apiVersion": "2021-02-01",
                        "name": "[parameters('functionname')]",
                        "location": "[parameters('location')]",
                        "kind": "[parameters('kind')]",
                        "properties": {
                          "httpsOnly": "true"
                        }
                      }
                    ]
                  }
                }
              }
            }
          }
        }
      }
    }
    

2 additional answers

  1. SwathiDhanwada-MSFT 17,136 Reputation points
    2022-02-09T10:52:33.037+00:00

    @PatricSten In ideal conditions, if the resource is a function app and the property httpsOnly is set to false, the policy definition should deny the creation of the function app. However, you might have noticed that when creating a new function app from the Azure portal, it doesn't deny the creation of the function app. The policy definition might have worked only when you are trying to set the value of the httpsOnly property to false for existing function app resources.

    Kindly note that in a few instances, the creation pattern of a resource type doesn't follow normal REST patterns. In these cases, deny policies may not work or may only work for some properties. For example, certain resource types may PUT only a subset of the properties of the resource type to create the entire resource. (In a function app, when it's being created from the portal, we don't have the option to set the httpsOnly property.) With such types the resource provider selects the values for properties not provided in the payload. Such a resource might be created with a non-compliant value even though a deny policy exists to prevent it. A similar result may occur if a set of resource types can be created using a collection PUT.

    I will check and revert if there is an alternative solution for this scenario.

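The behaviour described in this answer (a deny effect only sees the request body, so a create payload that omits httpsOnly is never matched, while the deployIfNotExists policy in the accepted answer inspects the stored resource afterwards) is easy to misread from the JSON alone. The following is an added example, not code from this thread and not Microsoft's policy engine: a small simulation of both rules against a constructed portal-style create request and an explicit update. Its simplifications are assumptions: an absent field makes `equals`/`like` false, string comparison is case-insensitive, `like` supports one `*`, and the provider defaults httpsOnly to false when the payload omits it.

```python
"""Simplified model of Azure Policy's deny vs. deployIfNotExists evaluation
for the function-app httpsOnly policies in this thread (added example)."""

# Deny rule from the question (same conditions, untouched).
DENY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Web/sites"},
        {"field": "kind", "like": "functionapp*"},
        {"field": "Microsoft.Web/sites/httpsOnly", "equals": "false"},
    ]},
    "then": {"effect": "deny"},
}

# deployIfNotExists rule from the accepted answer: match type/kind, then check existence.
DINE_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Web/sites"},
        {"field": "kind", "like": "functionapp*"},
    ]},
    "then": {
        "effect": "deployIfNotExists",
        "existenceCondition": {"field": "Microsoft.Web/sites/httpsOnly", "equals": "true"},
    },
}


def _get_field(resource, field):
    """Resolve a policy field. Assumption: 'type', 'kind', 'name', 'location' are
    top-level keys and a '<namespace>/<type>/<prop>' alias maps to properties[prop]."""
    if field.count("/") >= 2:
        prop = field.rsplit("/", 1)[1]
        return resource.get("properties", {}).get(prop)
    return resource.get(field)


def _norm(value):
    # Policy string comparison is case-insensitive; JSON booleans compare as "true"/"false".
    if isinstance(value, bool):
        return str(value).lower()
    return value.lower() if isinstance(value, str) else value


def _like(value, pattern):
    # Assumption: only a single '*' wildcard is modelled, which covers "functionapp*".
    head, star, tail = pattern.partition("*")
    if not star:
        return value == pattern
    return value.startswith(head) and value.endswith(tail) and len(value) >= len(head) + len(tail)


def condition_matches(condition, resource):
    value = _get_field(resource, condition["field"])
    if value is None:
        return False  # absent field: the condition cannot match (assumption)
    if "equals" in condition:
        return _norm(value) == _norm(condition["equals"])
    if "like" in condition:
        return _like(_norm(value), _norm(condition["like"]))
    raise ValueError("unsupported operator in %r" % condition)


def rule_matches(rule, resource):
    return all(condition_matches(c, resource) for c in rule["if"]["allOf"])


def evaluate_deny(request_payload):
    """Deny is evaluated on the request body only. Returns 'deny' or 'allow'."""
    return "deny" if rule_matches(DENY_RULE, request_payload) else "allow"


def provider_create(request_payload):
    """What the resource provider persists: httpsOnly missing from the
    payload is defaulted to False (assumed provider default)."""
    stored = dict(request_payload)
    stored["properties"] = dict(request_payload.get("properties", {}))
    stored["properties"].setdefault("httpsOnly", False)
    return stored


def evaluate_dine(existing_resource):
    """deployIfNotExists runs against the stored resource. Returns None when the
    rule does not apply, 'compliant' when the existence condition holds, otherwise
    the parameters the accepted answer's template needs (kind included, since the
    template declares it without a default)."""
    if not rule_matches(DINE_RULE, existing_resource):
        return None
    if condition_matches(DINE_RULE["then"]["existenceCondition"], existing_resource):
        return "compliant"
    return {
        "functionname": existing_resource["name"],
        "location": existing_resource["location"],
        "kind": existing_resource["kind"],
    }


# Constructed sample: a portal-style create omits httpsOnly entirely.
PORTAL_CREATE = {"type": "Microsoft.Web/sites", "kind": "functionapp,linux",
                 "name": "fa-demo", "location": "westeurope", "properties": {}}
# Constructed sample: a later update that explicitly sets httpsOnly to false.
UPDATE_FALSE = {**PORTAL_CREATE, "properties": {"httpsOnly": False}}

if __name__ == "__main__":
    print(evaluate_deny(PORTAL_CREATE))  # allow: httpsOnly is not in the payload
    print(evaluate_deny(UPDATE_FALSE))   # deny: the explicit false is matched
    print(evaluate_dine(provider_create(PORTAL_CREATE)))  # remediation parameters
```

Run as a script, the first call is allowed and the second denied, which is exactly the "it kind of works" behaviour from the question; the third call shows the deployIfNotExists rule picking up the non-compliant stored resource that deny could never see.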

  2. PatricS 61 Reputation points
    2022-05-17T14:48:28.4+00:00

    @SwathiDhanwada-MSFT Hi !
    Is it possible to create a deployIfNotExists for the field "Microsoft.KeyVault" and the property publicNetworkAccess enabled/disabled?
    Or is the Alias missing for that?
    br
    Patric