Azure Policy - How to audit Node and Runtime version on Function Apps

Paul Matthews 11 Reputation points
2022-06-24T14:20:04.697+00:00

I am trying to write 3 policies.

  • Audit Function Apps that are not on the version 4 runtime.
  • Audit Function Apps that are not on the latest Node version.
  • Audit Function Apps that are not on the latest .NET Framework version - Working!

I have been able to audit the .NET Framework Function apps in our environment, using the following policy.

"policyRule": {  
      "if": {  
        "allOf": [  
          {  
            "field": "type",  
            "equals": "Microsoft.Web/sites"  
          },  
          {  
            "field": "kind",  
            "like": "functionapp*"  
          }  
        ]  
      },  
      "then": {  
        "effect": "[parameters('effect')]",  
        "details": {  
          "type": "Microsoft.Web/sites/config",  
          "name": "web",  
          "existenceCondition": {  
            "field": "Microsoft.Web/sites/config/netFrameworkVersion",  
            "equals": "v6.0"  
          }  
        }  
      }  
    }  

I've attempted the following for Node but the value it finds is always "".

"policyRule": {  
      "if": {  
        "allOf": [  
          {  
            "field": "type",  
            "equals": "Microsoft.Web/sites"  
          },  
          {  
            "field": "kind",  
            "like": "functionapp*"  
          }  
        ]  
      },  
      "then": {  
        "effect": "[parameters('effect')]",  
        "details": {  
          "type": "Microsoft.Web/sites/config",  
          "name": "web",  
          "existenceCondition": {  
            "field": "Microsoft.Web/sites/config/nodeVersion",  
            "in": [  
              "14",  
              "12"  
            ]  
          }  
        }  
      }  
    }  

I've attempted the policy for the Azure Function App runtime, but the values all show up as "******".

"policyRule": {  
      "if": {  
        "allOf": [  
          {  
            "field": "type",  
            "equals": "Microsoft.Web/sites"  
          },  
          {  
            "field": "kind",  
            "like": "functionapp*"  
          }  
        ]  
      },  
      "then": {  
        "effect": "[parameters('effect')]",  
        "details": {  
          "type": "Microsoft.Web/sites/config",  
          "name": "web",  
          "existenceCondition": {  
            "field": "Microsoft.Web/sites/config/platform.runtimeVersion",  
            "equals": "4"  
          }  
        }  
      }  
    }  

Is it possible to get the node and runtime version? Am I just using the wrong field value?
