Rediger

Del via


Azure Policy pattern: logical operators

A policy definition can contain several conditional statements. You might need each statement to be true or only need some of them to be true. To support these needs, the language has logical operators for not, allOf, and anyOf. They're optional and can be nested to create complex scenarios.

Sample 1: One logical operator

This policy definition evaluates Azure Cosmos DB accounts to see whether automatic failovers and multiple write locations are configured. When they aren't, the audit triggers and creates a log entry when the non-compliant resource is created or updated.

{
  "properties": {
    "mode": "all",
    "displayName": "Audit Automatic Failover for CosmosDB accounts",
    "description": "This policy audits Automatic Failover for CosmosDB accounts",
    "policyRule": {
      "if": {
        "allOf": [{
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "field": "Microsoft.DocumentDB/databaseAccounts/enableAutomaticFailover",
            "equals": "false"
          },
          {
            "field": "Microsoft.DocumentDB/databaseAccounts/enableMultipleWriteLocations",
            "equals": "false"
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    },
    "parameters": {},
    "metadata": {}
  }
}

Sample 1: Explanation

"policyRule": {
  "if": {
    "allOf": [{
        "field": "type",
        "equals": "Microsoft.DocumentDB/databaseAccounts"
      },
      {
        "field": "Microsoft.DocumentDB/databaseAccounts/enableAutomaticFailover",
        "equals": "false"
      },
      {
        "field": "Microsoft.DocumentDB/databaseAccounts/enableMultipleWriteLocations",
        "equals": "false"
      }
    ]
  },
  "then": {

The policyRule.if block uses a single allOf to ensure that all three conditions are true. Only when all of these conditions evaluate to true does the audit effect trigger.

Sample 2: Multiple logical operators

This policy definition evaluates resources for a naming pattern. If a resource doesn't match, it's denied.

{
    "properties": {
        "displayName": "Match multiple name patterns.",
        "description": "Allows one of multiple naming patterns for resources.",
        "mode": "Indexed",
        "policyRule": {
            "if": {
                "allOf": [{
                        "not": {
                            "field": "name",
                            "match": "contoso??????"
                        }
                    },
                    {
                        "not": {
                            "field": "name",
                            "match": "contoso-???-##"
                        }
                    }
                ]
            },
            "then": {
                "effect": "deny"
            }
        }
    }
}

Sample 2: Explanation

"if": {
    "allOf": [{
            "not": {
                "field": "name",
                "match": "contoso??????"
            }
        },
        {
            "not": {
                "field": "name",
                "match": "contoso-???-##"
            }
        }
    ]
},

This policyRule.if block also includes a single allOf, but each condition is wrapped with the not logical operator. The conditional inside the not logical operator evaluates first and then evaluates the not to determine whether the entire clause is true or false. If both not logical operators evaluate to true, the policy effect triggers.

Sample 3: Combining logical operators

This policy definition evaluates Spring on Azure accounts to see whether either trace isn't enabled or if trace isn't in a successful state.

{
    "properties": {
        "displayName": "Audit Azure Spring Cloud instances where distributed tracing is not enabled",
        "description": "Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state.",
        "mode": "Indexed",
        "policyRule": {
            "if": {
                "allOf": [{
                        "field": "type",
                        "equals": "Microsoft.AppPlatform/Spring"
                    },
                    {
                        "anyOf": [{
                                "field": "Microsoft.AppPlatform/Spring/trace.enabled",
                                "notEquals": "true"
                            },
                            {
                                "field": "Microsoft.AppPlatform/Spring/trace.state",
                                "notEquals": "Succeeded"
                            }
                        ]
                    }
                ]
            },
            "then": {
                "effect": "audit"
            }
        }
    }
}

Sample 3: Explanation

"policyRule": {
    "if": {
        "allOf": [{
                "field": "type",
                "equals": "Microsoft.AppPlatform/Spring"
            },
            {
                "anyOf": [{
                        "field": "Microsoft.AppPlatform/Spring/trace.enabled",
                        "notEquals": "true"
                    },
                    {
                        "field": "Microsoft.AppPlatform/Spring/trace.state",
                        "notEquals": "Succeeded"
                    }
                ]
            }
        ]
    },
    "then": {
        "effect": "audit"
    }
}

This policyRule.if block includes both the allOf and anyOf logical operators. The anyOf logical operator evaluates true as long as one included condition is true. As the type is at the core of the allOf, it must always evaluate true. If the type and one of the conditions in the anyOf are true, the policy effect triggers.

Next steps