Microsoft Tech Community

[Solved] Azure Policy to check the networkAcls.ipRules configuration for a Storage Account


Hi all!

I'm trying to configure a Policy, that I anticipated shouldn't be too tricky, but for some reason I have a hard time getting it to work...

Edit: Started working out of nowhere a few minutes ago...

Configuration is as follows:
```json
"parameters": {
  "allowedIPAddress": {
    "type": "Array",
    "metadata": {
      "displayName": "Allowed IP Addresses",
      "description": "The list of allowed IP addresses for this resource."
    }
  }
},
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",
        "exists": "true"
      },
      {
        "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
        "notIn": "[parameters('allowedIPAddress')]"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```
According to the documentation at https://docs.microsoft.com/en-us/azure/governance/policy/how-to/author-policies-for-arrays this should work, right? The only difference from the examples is that I check an array instead.

Just to add: I'm having a hard time getting the example code in the documentation to work also, so this might be a person problem :facepalm:

Thanks!
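As an added example (not the original poster's code and not an official Microsoft sample), the script below wraps the parameters/policyRule fragment from the post in the complete definition envelope (`properties`, `displayName`, `mode`) and, for the rule itself, uses the `count`/`where` expression that the linked array-authoring documentation describes for per-element checks. The display name and `"mode": "All"` are my choices. The two helper functions are a local approximation of what the `count ... greater 0` clause evaluates for one storage account resource body; they are not the Azure Policy engine, and the two storage account bodies are constructed sample input.

```python
"""Added example: assemble a complete Azure Policy definition around the thread's
parameters/policyRule fragment and check locally which ipRules entries an
allow-list would reject. Not the original poster's code."""
import json

# Complete definition body. The 'properties' wrapper, displayName and mode are the
# parts the thread's fragment omits (assumed values, chosen for this example).
# The rule uses the count expression from the linked docs rather than a bare
# [*] field condition, so that each ipRules element is tested individually.
POLICY_DEFINITION = {
    "properties": {
        "displayName": "Storage account IP rules must be on the allow-list",
        "mode": "All",
        "parameters": {
            "allowedIPAddress": {
                "type": "Array",
                "metadata": {
                    "displayName": "Allowed IP Addresses",
                    "description": "The list of allowed IP addresses for this resource.",
                },
            }
        },
        "policyRule": {
            "if": {
                "count": {
                    "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]",
                    "where": {
                        "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
                        "notIn": "[parameters('allowedIPAddress')]",
                    },
                },
                "greater": 0,
            },
            "then": {"effect": "deny"},
        },
    }
}


def policy_definition_json() -> str:
    """Serialise the definition, e.g. to save to a file for the CLI or portal."""
    return json.dumps(POLICY_DEFINITION, indent=2)


def disallowed_ip_rules(ip_rules, allowed):
    """Local mirror of the count/where clause: the ipRules 'value' entries that
    are not in the allow-list. Plain string comparison is used on purpose, since
    notIn compares strings: '198.51.100.0/24' and '198.51.100.0/25' are different."""
    allowed_set = set(allowed)
    return [rule["value"] for rule in ip_rules if rule.get("value") not in allowed_set]


def would_be_denied(storage_account, allowed):
    """True when 'count ... greater 0' holds for this resource body.
    A resource with no ipRules yields count 0, so it is not denied; this matches
    the 'exists' guard in the thread's original allOf version."""
    ip_rules = (storage_account.get("properties", {})
                .get("networkAcls", {})
                .get("ipRules", []))
    return len(disallowed_ip_rules(ip_rules, allowed)) > 0


# Constructed sample data (documentation address ranges, not real tenants).
ALLOWED = ["203.0.113.10", "198.51.100.0/24"]

COMPLIANT_ACCOUNT = {
    "name": "stcompliant",
    "properties": {"networkAcls": {
        "defaultAction": "Deny",
        "ipRules": [{"value": "203.0.113.10", "action": "Allow"}]}},
}

NONCOMPLIANT_ACCOUNT = {
    "name": "stbad",
    "properties": {"networkAcls": {
        "defaultAction": "Deny",
        "ipRules": [{"value": "203.0.113.10", "action": "Allow"},
                    {"value": "192.0.2.77", "action": "Allow"}]}},
}

if __name__ == "__main__":
    print(policy_definition_json())
    for acct in (COMPLIANT_ACCOUNT, NONCOMPLIANT_ACCOUNT):
        verdict = "denied" if would_be_denied(acct, ALLOWED) else "allowed"
        print(f"{acct['name']}: {verdict}")
```

The local check is only a way to reason about the rule before deploying it; the real test is assigning the definition to a test scope and attempting a deployment with an ipRules entry outside the parameter list.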
2 Replies

Hi @Anders Eide,

Is there not another {} missing?

One at the beginning before the parameters and one at the end?

Kind regards, Peter

Hi @Peter_Beckendorf!

I've only added the parameters and policyRule object to the code snippet to avoid too much bloat in the post :)

I've updated the original post to fix the indentation issue so it's easier to read