Azure Policy Rules
Azure Policy rules (the policyRule part of a policy definition) are structured into if and then blocks.
If block: one or more conditions that determine when the policy applies to a resource. Conditions can be combined and nested with logical operators.
Then block: the effect that is applied when the if block evaluates to true.
Example Policy Rule Structure:
{
    "if": {
        <condition> | <logical operator>
    },
    "then": {
        "effect": "deny | audit | auditIfNotExists | deployIfNotExists | modify | append | denyAction | manual | disabled"
    }
}
The effect decides what happens on a match: deny rejects a non-compliant create or update request, audit records the resource as non-compliant without blocking it, modify and append alter the request, deployIfNotExists deploys a related resource, and disabled switches the rule off (useful while testing a definition). Existing resources that match the if block are only reported as non-compliant; no effect removes them.
Logical Operators
not: Inverts the condition.
allOf: Requires all conditions to be true (like a logical AND).
anyOf: Requires at least one condition to be true (like a logical OR).
Example of nested logical operators (matches storage accounts that have no "application" tag):
"if": {
    "allOf": [
        {
            "not": {
                "field": "tags",
                "containsKey": "application"
            }
        },
        {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
        }
    ]
}
Conditions
A condition compares the evaluated field or value against a literal. Examples include:
equals: "stringValue"
like: "stringValue" (supports a single * wildcard)
in: ["value1", "value2"]
greaterOrEquals: integerValue or dateValue
exists: "true" | "false"
The match and notMatch conditions are case-sensitive; all other string conditions (including equals, like and containsKey) are case-insensitive.
Field Expressions
Conditions can reference top-level resource fields or property aliases:
name: The resource's name.
location: The resource's region.
type: The resource type, e.g. Microsoft.Storage/storageAccounts.
id: The resource's unique ID.
tags / tags['tagName']: All tags of the resource, or the value of one tag.
Property aliases such as Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]: a property inside the resource's properties block; the [*] suffix selects every element of an array.
Example condition using a field:
{
    "field": "type",
    "equals": "Microsoft.Network/publicIPAddresses"
}
Count and Value Expressions
A count expression evaluates an array field: it counts the elements that satisfy an optional where condition (all elements if where is omitted) and compares that number with a numeric condition such as equals, greater or less. Inside where, the current() function refers to the array element being examined. A value expression ("value": ...) evaluates a literal or a template-style function expression instead of a field.
Example (matches network security groups that have no security rules at all):
{
    "count": {
        "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]"
    },
    "equals": 0
}
Policy Functions
Policy rules can use a subset of ARM template functions plus a few policy-specific ones to build more complex logic, for example:
utcNow(): Gets the current date and time (used inside a value expression, e.g. for a date comparison).
ipRangeContains(range, targetRange): Checks whether targetRange (a single IP, CIDR block or first-last range) lies entirely inside range.
current(): Inside a count where clause, returns the array element currently being evaluated.
field('alias'): Returns the value of a field or alias of the resource being evaluated.
Example using ipRangeContains (denies a virtual network if any of its address prefixes falls outside 10.0.0.0/24; the count needs a comparison, here greater 0, to form a complete condition):
{
    "if": {
        "count": {
            "field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
            "where": {
                "value": "[ipRangeContains('10.0.0.0/24', current('Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]'))]",
                "equals": false
            }
        },
        "greater": 0
    },
    "then": {
        "effect": "deny"
    }
}
Caveat: ipRangeContains tests containment of the whole target block, so a prefix such as 10.0.0.0/16 that overlaps but is wider than 10.0.0.0/24 also counts as outside the range and is denied.
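To make the evaluation semantics above concrete, here is a small Python evaluator, added for this page and not part of Azure Policy or Microsoft's engine. It implements the if/then shape, the allOf/anyOf/not operators, field and value conditions, count with a where clause, and the ipRangeContains(), current() and field() functions, then applies this page's three rules (the tag rule, the empty NSG rule and the address-prefix rule) to constructed sample resources. Assumptions: alias resolution is a stand-in that walks the alias path under the resource's properties block (the real service uses a published alias table), only a handful of conditions are implemented, and the resource JSON is made up for illustration.

```python
"""Toy evaluator for the Azure Policy rule constructs on this page (added example, not Microsoft's engine)."""
import ipaddress
import re


def resolve_field(resource, field):
    """Resolve a field or alias. Assumption (stand-in for the real alias table): an alias such as
    'Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]' is walked as properties.addressSpace.addressPrefixes."""
    if field in ("name", "type", "location", "id", "tags"):
        return resource.get(field, {} if field == "tags" else None)
    value = resource.get("properties", {})
    for part in field.split("/", 2)[2].replace("[*]", "").split("."):  # trailing [*] -> the whole array
        value = value.get(part) if isinstance(value, dict) else None
    return value


# Conditions: Azure Policy's string conditions other than match/notMatch are case-insensitive,
# and like allows a single '*' wildcard.
OPERATORS = {
    "equals": lambda a, e: a.lower() == e.lower() if isinstance(a, str) and isinstance(e, str) else a == e,
    "like": lambda a, e: isinstance(a, str) and re.fullmatch(".*".join(map(re.escape, e.split("*", 1))), a, re.IGNORECASE) is not None,
    "containsKey": lambda a, e: isinstance(a, dict) and any(k.lower() == e.lower() for k in a),
    "greater": lambda a, e: a > e,
    "greaterOrEquals": lambda a, e: a >= e,
}


def ip_range_contains(range_text, target_text):
    """ipRangeContains(range, targetRange): every address of the target (IP or CIDR) lies inside range (IP, CIDR or 'a-b')."""
    def bounds(text):
        if "-" in text:
            return tuple(ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        net = ipaddress.ip_network(text, strict=False)  # a bare IP becomes a /32 or /128
        return net.network_address, net.broadcast_address
    (outer_lo, outer_hi), (inner_lo, inner_hi) = bounds(range_text), bounds(target_text)
    # mixed IPv4/IPv6 never contain each other; checking the version first also keeps '<=' from mixing versions
    return outer_lo.version == inner_lo.version and outer_lo <= inner_lo and inner_hi <= outer_hi


FUNCTIONS = {
    "current": lambda ctx, *alias: ctx["current"],  # the array element under evaluation inside a count/where
    "field": lambda ctx, alias: resolve_field(ctx["resource"], alias),
    "ipRangeContains": lambda ctx, rng, target: ip_range_contains(rng, target),
}


def evaluate_expression(text, ctx):
    """Evaluate the '[func(...)]' subset used on this page: nested calls and single-quoted strings; anything else is a literal."""
    if not (isinstance(text, str) and text.startswith("[") and text.endswith("]")):
        return text
    tokens = re.findall(r"'[^']*'|[A-Za-z_]\w*|[()]", text[1:-1])  # commas only separate args, so they are dropped
    pos = 0

    def parse():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok.startswith("'"):
            return tok[1:-1]
        pos += 1  # skip '('
        args = []
        while tokens[pos] != ")":
            args.append(parse())
        pos += 1  # skip ')'
        return FUNCTIONS[tok](ctx, *args)
    return parse()


def evaluate(cond, resource, current=None):
    """Evaluate one if-block node: a logical operator or a field/value/count condition."""
    if "allOf" in cond:
        return all(evaluate(c, resource, current) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, current) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, current)
    if "count" in cond:  # number of array elements that satisfy the optional where clause
        items = resolve_field(resource, cond["count"]["field"]) or []
        where = cond["count"].get("where")
        actual = sum(1 for item in items if where is None or evaluate(where, resource, item))
    elif "field" in cond:
        actual = resolve_field(resource, cond["field"])
    else:
        actual = evaluate_expression(cond["value"], {"resource": resource, "current": current})
    op = next(k for k in cond if k in OPERATORS)  # the single comparison key, e.g. "equals"
    return OPERATORS[op](actual, cond[op])


def apply_rule(rule, resource):
    """Return the then-effect when the if-block matches, else None (the rule has no effect)."""
    return rule["then"]["effect"] if evaluate(rule["if"], resource) else None


# This page's rules as Python dicts (the tag example wrapped in an audit rule).
UNTAGGED_STORAGE_RULE = {"if": {"allOf": [{"not": {"field": "tags", "containsKey": "application"}},
                                          {"field": "type", "equals": "Microsoft.Storage/storageAccounts"}]}, "then": {"effect": "audit"}}
EMPTY_NSG_RULE = {"if": {"count": {"field": "Microsoft.Network/networkSecurityGroups/securityRules[*]"}, "equals": 0}, "then": {"effect": "audit"}}
VNET_PREFIX_RULE = {"if": {"count": {"field": "Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]",
                                     "where": {"value": "[ipRangeContains('10.0.0.0/24', current('Microsoft.Network/virtualNetworks/addressSpace.addressPrefixes[*]'))]",
                                               "equals": False}}, "greater": 0}, "then": {"effect": "deny"}}

# Constructed sample resources, not real Azure output.
UNTAGGED_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "stlogs01", "tags": {"env": "prod"}}
TAGGED_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "stlogs02", "tags": {"Application": "billing"}}
EMPTY_NSG = {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-empty", "properties": {"securityRules": []}}
COMPLIANT_VNET = {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-a", "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/25", "10.0.0.128/26"]}}}
SPRAWLING_VNET = {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-b", "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/24", "192.168.0.0/16"]}}}
```

Calling apply_rule(VNET_PREFIX_RULE, SPRAWLING_VNET) returns "deny" because one prefix (192.168.0.0/16) fails ipRangeContains and the count becomes 1; COMPLIANT_VNET yields None, i.e. the rule has no effect. TAGGED_STORAGE escapes the tag rule even though its tag key is spelled "Application", which mirrors the case-insensitive behaviour of containsKey and equals in the service.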