Deny decryption of Azure Disk Encryption

I am trying to create a Deny policy to deny disk decryption (encrypted via Azure Disk Encryption), but the Deny isn't taking effect. I do see the disks not in compliance though. Here's the policy below:

{
  "properties": {
    "displayName": "Prevent disk decryption on virtual machines",
    "policyType": "Custom",
    "mode": "All",
    "description": "VMs once encrypted, should not be allowed to be decrypted",
    "metadata": {
      "category": "Compute",
      "createdBy": "454393d8-e9f1-424d-8054-52d45c90cf6c",
      "createdOn": "2019-08-12T15:35:43.7697071Z",
      "updatedBy": "454393d8-e9f1-424d-8054-52d45c90cf6c",
      "updatedOn": "2019-08-12T18:41:36.6828893Z"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Deny",
          "Disabled",
          "Audit"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/disks"
              },
              {
                "field": "Microsoft.Compute/disks/encryptionSettingsCollection.enabled",
                "notequals": "true"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/disks"
              },
              {
                "field": "Microsoft.Compute/disks/encryptionSettings.enabled",
                "notequals": "true"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.encryptionSettings.enabled",
                "notequals": "true"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ce6bfec6-c4db-46e0-a475-baf5b81063fc"
}
 
What am I doing wrong here?
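As an added illustration (not part of the post above, and not Azure's own policy engine), the following Python models the subset of the Azure Policy rule grammar the posted definition uses (`field`, `equals`, `notEquals`, `allOf`, `anyOf`, `not`) and runs the posted `if` block against constructed request bodies. The `ALIASES` table, the `_MISSING` sentinel and the missing-field semantics (a field absent from the payload satisfies `notEquals` and fails `equals`) are assumptions of this model, not something the page states. It only tells you which request bodies the condition would match; Deny itself is evaluated on resource create/update requests sent to Azure Resource Manager.

```python
"""Model of the Azure Policy rule subset used in the posted definition.

Added example: not the poster's code and not Azure's policy engine.
Assumptions: the ALIASES table, the _MISSING sentinel, and the rule that a
field absent from the request body satisfies notEquals / fails equals.
"""

_MISSING = object()  # sentinel: alias does not resolve on this payload

# Hypothetical alias table: policy alias -> key path in an ARM resource body.
ALIASES = {
    "type": ("type",),
    "Microsoft.Compute/disks/encryptionSettingsCollection.enabled":
        ("properties", "encryptionSettingsCollection", "enabled"),
    "Microsoft.Compute/disks/encryptionSettings.enabled":
        ("properties", "encryptionSettings", "enabled"),
    "Microsoft.Compute/virtualMachines/storageProfile.osDisk.encryptionSettings.enabled":
        ("properties", "storageProfile", "osDisk", "encryptionSettings", "enabled"),
}

# The "if" block from the posted policy definition, as a Python literal.
POLICY_IF = {
    "anyOf": [
        {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/disks"},
            {"field": "Microsoft.Compute/disks/encryptionSettingsCollection.enabled",
             "notequals": "true"},
        ]},
        {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/disks"},
            {"field": "Microsoft.Compute/disks/encryptionSettings.enabled",
             "notequals": "true"},
        ]},
        {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.encryptionSettings.enabled",
             "notequals": "true"},
        ]},
    ]
}


def resolve(resource, alias):
    """Walk the alias path; return _MISSING if any key is absent."""
    node = resource
    for key in ALIASES[alias]:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def _norm(value):
    # equals/notEquals are case-insensitive string comparisons; booleans are
    # stringified so True compares equal to "true" (assumption of the model).
    return str(value).lower()


def evaluate(condition, resource):
    """True when the resource body matches the condition."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = resolve(resource, condition["field"])
    ops = {k.lower(): v for k, v in condition.items() if k != "field"}
    if "equals" in ops:
        return value is not _MISSING and _norm(value) == _norm(ops["equals"])
    if "notequals" in ops:
        return value is _MISSING or _norm(value) != _norm(ops["notequals"])
    raise ValueError(f"unsupported condition: {condition}")


def matching_branches(resource):
    """Indices of the anyOf branches that match, to see *why* the rule fired."""
    return [i for i, b in enumerate(POLICY_IF["anyOf"]) if evaluate(b, resource)]


def effect_for(resource, effect="Deny"):
    """The effect the rule would apply to this request body, or None."""
    return effect if matching_branches(resource) else None


# Constructed sample request bodies (not real resources).
DISK_DECRYPTED = {"type": "Microsoft.Compute/disks",
                  "properties": {"encryptionSettingsCollection": {"enabled": False}}}
DISK_ENCRYPTED_CURRENT = {"type": "Microsoft.Compute/disks",
                          "properties": {"encryptionSettingsCollection": {"enabled": True}}}
DISK_NEW_PLAIN = {"type": "Microsoft.Compute/disks", "properties": {}}
VM_ENCRYPTED_OS = {"type": "Microsoft.Compute/virtualMachines",
                   "properties": {"storageProfile": {"osDisk": {"encryptionSettings": {"enabled": True}}}}}
OTHER = {"type": "Microsoft.Storage/storageAccounts", "properties": {}}

if __name__ == "__main__":
    samples = [("disk decrypted", DISK_DECRYPTED), ("disk encrypted (current API)", DISK_ENCRYPTED_CURRENT),
               ("disk new, unencrypted", DISK_NEW_PLAIN), ("vm encrypted os", VM_ENCRYPTED_OS),
               ("storage account", OTHER)]
    for name, body in samples:
        print(f"{name:30} branches={matching_branches(body)} effect={effect_for(body)}")
```

Two things the model makes visible. First, under the missing-field assumption the second `anyOf` branch (the legacy `encryptionSettings.enabled` alias) matches any disk body that does not carry that property, so the rule would match every disk written with a current API version, encrypted or not, rather than only decryptions; verify the real missing-field behaviour in your tenant before relying on either reading. Second, because Deny is applied to create/update requests against Azure Resource Manager, the question to settle is whether the decryption path you are testing produces such a request on the disk or VM resource at all; the subscription Activity Log shows which write operations actually reached ARM.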