Aug 11 2021 09:09 AM - edited Aug 12 2021 05:28 AM
Hi,
I am working on a policy to control the firewall for Azure key vault. I am looking to do the below:
Ensure that the firewall is enabled for the keyvault,
Allow only specific IP addresses to be added to the keyvault,
Allow the list of IP addresses to be empty.
I have been able to get the first 2 working perfectly, but seem to keep falling down when trying to delete any IP addresses from the list.
The policy I currently have is:
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
            "notEquals": "Deny"
          },
          {
            "allOf": [
              {
                "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                "notIn": "[[parameters('allowedIPAddresses')]"
              },
              {
                "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                "notEquals": ""
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
As far as I can see, I believe this should work?
Thanks
Dan
Sep 02 2021 05:11 AM
Try this condition:
    {
      "value": "[length(field('Microsoft.KeyVault/vaults/networkAcls.ipRules'))]",
      "notEquals": "0"
    }
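A complete policy definition that meets the three requirements in the question (firewall on, only approved IPs, empty list allowed), written here as an added example and not taken from either post. It keeps the parameter names `allowedIPAddresses` and `effect` from the question and the `networkAcls` aliases both posts use; the display name, description, mode and default values are assumptions. Rather than testing the `[*]` alias with `notIn`, it uses a `count` expression with a `where` clause, so the vault is non-compliant when the firewall is missing or not set to Deny, or when at least one IP rule falls outside the allowed list. An empty `ipRules` array gives a count of 0, so a vault with the firewall enabled and no IP rules is compliant, which is the case the question asks about.

```json
{
  "properties": {
    "displayName": "Key Vault firewall enabled with only approved IP rules (example)",
    "description": "Added example: deny vaults whose firewall is not set to Deny or that allow an IP address outside the approved list. An empty IP rule list is compliant.",
    "mode": "Indexed",
    "parameters": {
      "allowedIPAddresses": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed IP addresses",
          "description": "IP addresses or CIDR ranges that may appear in networkAcls.ipRules"
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
                "exists": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
                "notEquals": "Deny"
              },
              {
                "count": {
                  "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*]",
                  "where": {
                    "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                    "notIn": "[parameters('allowedIPAddresses')]"
                  }
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Two points to check before assigning it: `notIn` is a plain string comparison, so the values in `allowedIPAddresses` must be written exactly as Key Vault stores them in `ipRules[*].value` (including any CIDR suffix); and the single-bracket `[parameters(...)]` form above is for a policy definition submitted on its own, whereas a definition embedded in an ARM template must escape the opening bracket as `[[`, which is the form the question shows.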