Azure policy for Key Vault network rules

Senior Member

Hi,

I am working on a policy to control the firewall for Azure key vault. I am looking to do the below:

Ensure that the firewall is enabled for the keyvault,
Allow only specific IP addresses to be added to the keyvault,
Allow the list of IP addresses to be empty.

I have been able to get the first 2 working perfectly, but seem to keep falling down when trying to delete any IP addresses from the list.

The policy I currently have is:

"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.KeyVault/vaults"
},
{
"field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
"notEquals": "Deny"
},
{
"allOf": [
{
"field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
"notIn": "[[parameters('allowedIPAddresses')]"
},
{
"field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
"notEquals": ""
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}



As far as I can see I believe this should work?

Thanks

Dan

1 Reply

@clouddan 

 

try this condition

{
 "value": "[length(field('Microsoft.KeyVault/vaults/networkAcls.ipRules'))]",
 "notEquals": "0"
 }