Background information:
Sometimes a policy reports an unexpected compliance status for a resource. To troubleshoot these problems, we first need to understand how Azure Policy evaluates resources.
Internally, there are two types of Policy evaluation (actions):
In this article, we discuss the troubleshooting steps for the second type (the compliance scan).
Problem scenario
A custom policy that enforces disk encryption marks a virtual machine OS disk that has encryption enabled as non-compliant.
Troubleshooting steps
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/disks"
        },
        {
          "field": "Microsoft.Compute/disks/encryptionSettings.enabled",
          "notequals": "true"
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  }
}
a. To find the right REST API, search for "Azure REST API list/get <resource type>".
b. Run the REST API using the "Try It" feature, as shown below:
c. The payload of the resource is in the response body of the REST API call, as shown below:
In this scenario, you can see from the resource payload above that it does not contain a property named "Microsoft.Compute/disks/encryptionSettings.enabled"; it has a property called "encryption.type" instead. The actual response payload does not match the policy rule, which is why the policy evaluates the disk as non-compliant.
In this scenario, if the resource payload has a value for "encryption.type", the disk is encrypted. So we can modify the policy rule as below to solve the issue:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/disks"
        },
        {
          "field": "Microsoft.Compute/disks/encryption.type",
          "equals": ""
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  }
}
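To make the comparison between rule and payload concrete, here is an added Python illustration. It is not the article's code and not Azure Policy's real evaluation engine: it assumes a simplified alias resolution (an alias under "Microsoft.Compute/disks/" maps to the same dotted path under the payload's "properties" object), that a property missing from the payload compares as an empty string, and that equals/notEquals are case-insensitive string comparisons. The disk payloads, names and subscription id are constructed placeholders shaped like a Disks - Get response.

```python
"""Simplified field-based policy evaluation (added illustration, not Azure's engine).

Assumptions (not from the original article):
- alias 'Microsoft.Compute/disks/<path>' resolves to 'properties.<path>';
- a property absent from the payload resolves to None and compares as '';
- 'equals'/'notEquals' are case-insensitive string comparisons.
"""
import json
from typing import Any

# Constructed payload for an encrypted managed disk (all values are placeholders).
ENCRYPTED_DISK: dict = json.loads("""
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-placeholder/providers/Microsoft.Compute/disks/osdisk-placeholder",
  "name": "osdisk-placeholder",
  "type": "Microsoft.Compute/disks",
  "location": "westeurope",
  "properties": {
    "osType": "Linux",
    "diskSizeGB": 128,
    "encryption": {"type": "EncryptionAtRestWithPlatformKey"}
  }
}
""")

# Constructed payload for a disk with no encryption block at all.
UNENCRYPTED_DISK: dict = {
    "name": "datadisk-placeholder",
    "type": "Microsoft.Compute/disks",
    "properties": {"osType": "Linux", "diskSizeGB": 32},
}

# The article's original rule: the alias names a property the payload lacks.
ORIGINAL_RULE = {
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/disks"},
            {"field": "Microsoft.Compute/disks/encryptionSettings.enabled",
             "notequals": "true"},
        ]},
        "then": {"effect": "audit"},
    }
}

# The article's corrected rule: audit disks whose encryption.type is empty.
CORRECTED_RULE = {
    "mode": "All",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/disks"},
            {"field": "Microsoft.Compute/disks/encryption.type", "equals": ""},
        ]},
        "then": {"effect": "audit"},
    }
}

ALIAS_PREFIX = "Microsoft.Compute/disks/"  # assumed alias-to-properties mapping


def resolve_field(resource: dict, field: str) -> Any:
    """Look up a policy field in the resource payload; None if it is absent."""
    if field == "type":
        return resource.get("type")
    if not field.startswith(ALIAS_PREFIX):
        raise ValueError(f"unsupported field alias: {field}")
    node: Any = resource.get("properties")
    for part in field[len(ALIAS_PREFIX):].split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # property missing: the failure mode the article describes
        node = node[part]
    return node


def _norm(value: Any) -> str:
    """Normalise for comparison: absent -> '', otherwise case-folded string."""
    return "" if value is None else str(value).lower()


def condition_matches(resource: dict, cond: dict) -> bool:
    """Evaluate one 'if' condition (allOf / equals / notEquals only)."""
    if "allOf" in cond:
        return all(condition_matches(resource, c) for c in cond["allOf"])
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    for key in ("notequals", "notEquals"):  # the article spells it in lower case
        if key in cond:
            return _norm(value) != _norm(cond[key])
    raise ValueError(f"unsupported condition: {cond}")


def compliance(resource: dict, policy: dict) -> str:
    """For an 'audit' effect, a matching 'if' block means NonCompliant."""
    matched = condition_matches(resource, policy["policyRule"]["if"])
    return "NonCompliant" if matched else "Compliant"


if __name__ == "__main__":
    for name, disk in (("encrypted", ENCRYPTED_DISK), ("unencrypted", UNENCRYPTED_DISK)):
        print(name, "original:", compliance(disk, ORIGINAL_RULE),
              "corrected:", compliance(disk, CORRECTED_RULE))
```

Running it shows the original rule flagging the encrypted disk (the alias resolves to nothing, so "notequals": "true" is satisfied), while the corrected rule passes that disk and still flags the one with no encryption block. Against the real service, the step that matters is the same: resolve each alias in the rule against the payload the REST API actually returns before trusting the compliance result.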
The troubleshooting approach above applies to other policy compliance issues as well.