[Solved] Azure Policy to check the networkAcls.ipRules configuration for a Storage Account


Hi all!

I'm trying to configure a Policy that I anticipated shouldn't be too tricky, but for some reason I have a hard time getting it to work...

Edit: Started working out of nowhere a few minutes ago...

Configuration is as follows:

    "parameters": {
      "allowedIPAddress": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed IP Addresses",
          "description": "The list of allowed IP adresses for this resource."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",
            "exists": "true"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
            "notIn": "[parameters('allowedIPAddress')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }

According to the documentation at https://docs.microsoft.com/en-us/azure/governance/policy/how-to/author-policies-for-arrays this should work, right? Only difference I have from the examples is that I check an array instead.

Just to add: I'm having a hard time getting the example code in the documentation to work also, so this might be a person problem :facepalm:

Thanks!
2 Replies
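Added here as a worked example, not code from the original post or from Microsoft: an offline model of how a rule over `networkAcls.ipRules` resolves against storage-account JSON, so the effect can be checked on sample resources before the policy is assigned. The rule it evaluates is written in the `count` form that the docs page linked in the post describes for `[*]` aliases; the post's own `notIn` on a bare `[*]` alias follows the `[*]` evaluation rules documented on that page, which this small model does not reproduce. The allowed-list value, the resource shapes and every function name are assumptions for illustration.

```python
"""Offline model of an Azure Policy rule over networkAcls.ipRules (added example,
not from the original post): a small subset of the policy engine evaluating a
rule in the 'count' form the linked docs use for [*] aliases against constructed
storage-account JSON. Resource shapes, the parameter value and helper names are
assumptions for illustration."""
import re

# Assumed value for the post's allowedIPAddress Array parameter.
PARAMS = {"allowedIPAddress": ["203.0.113.10", "198.51.100.0/24"]}

# Count form: deny when at least one ipRules entry has a value outside the list.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"count": {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]",
            "where": {"field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
                      "notIn": "[parameters('allowedIPAddress')]"}},
         "greater": 0},
    ]},
    "then": {"effect": "deny"},
}

def _resolve_param(value, params):
    """Expand "[parameters('name')]" to its assigned value; pass literals through."""
    m = re.fullmatch(r"\[parameters\('([^']+)'\)\]", str(value))
    return params[m.group(1)] if m else value

def _get_path(obj, dotted):
    for part in filter(None, dotted.split(".")):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def _field_values(resource, alias, current):
    """Resolve an alias to a list of values. Inside a count, aliases under the
    counted [*] alias resolve against the current element ('current')."""
    if alias == "type":
        return [resource.get("type")]
    if current is not None and alias.startswith(current[0]):
        return [_get_path(current[1], alias[len(current[0]):])]
    path = alias.split("/", 2)[2]          # drop the Microsoft.X/type prefix
    props = resource.get("properties", {})
    if "[*]" not in path:
        return [_get_path(props, path)]
    head, tail = path.split("[*]", 1)
    arr = _get_path(props, head)
    return [_get_path(el, tail) for el in arr] if isinstance(arr, list) else []

def _norm(v):
    return v.lower() if isinstance(v, str) else v   # assumed: case-insensitive strings

def _compare(op, actual, expected):
    if op == "equals":
        return _norm(actual) == _norm(expected)
    if op in ("in", "notIn"):
        hit = _norm(actual) in {_norm(v) for v in expected}
        return hit if op == "in" else not hit
    if op == "greater":
        return actual > expected
    raise ValueError(f"unsupported condition: {op}")

def evaluate(cond, resource, params, current=None):
    if "allOf" in cond:
        return all(evaluate(c, resource, params, current) for c in cond["allOf"])
    if "count" in cond:
        spec = cond["count"]
        hits = sum(1 for el in _field_values(resource, spec["field"], current)
                   if "where" not in spec
                   or evaluate(spec["where"], resource, params, (spec["field"], el)))
        (op, expected), = [(k, v) for k, v in cond.items() if k != "count"]
        return _compare(op, hits, _resolve_param(expected, params))
    (op, expected), = [(k, v) for k, v in cond.items() if k != "field"]
    values = _field_values(resource, cond["field"], current)
    if len(values) != 1:   # bare [*] alias outside count: its semantics are in the linked docs
        raise NotImplementedError("use the count form for [*] aliases in this model")
    return _compare(op, values[0], _resolve_param(expected, params))

def effect(resource, rule=POLICY_RULE, params=PARAMS):
    """Effect the rule applies to one resource, or 'compliant' when its 'if' is false."""
    return rule["then"]["effect"] if evaluate(rule["if"], resource, params) else "compliant"

def storage_account(name, ip_values=None):
    """Constructed sample resource; ip_values=None means no ipRules property at all."""
    acls = {"defaultAction": "Deny"}
    if ip_values is not None:
        acls["ipRules"] = [{"value": v, "action": "Allow"} for v in ip_values]
    return {"name": name, "type": "Microsoft.Storage/storageAccounts",
            "properties": {"networkAcls": acls}}

SAMPLES = {  # constructed inputs
    "all_allowed": storage_account("stgood", ["203.0.113.10", "198.51.100.0/24"]),
    "one_rogue": storage_account("stmixed", ["203.0.113.10", "192.0.2.7"]),
    "no_rules": storage_account("stnone"),
    # Inside the allowed /24, but in/notIn compare strings, not address ranges.
    "cidr_mismatch": storage_account("stcidr", ["198.51.100.4"]),
    "not_storage": {"name": "kv", "type": "Microsoft.KeyVault/vaults", "properties": {}},
}

if __name__ == "__main__":
    for label, res in SAMPLES.items():
        print(f"{label:14s} -> {effect(res)}")
```

Two things worth noticing from the samples: an account with no `ipRules` at all counts zero matches and is left alone, which is the same outcome the post's `exists` guard is after; and `in`/`notIn` are string comparisons, so a rule whose value sits inside an allowed CIDR is still denied unless that exact string is in the parameter list.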

Hi @Anders Eide,

Is there not another {} missing?

One at the beginning before the parameters and one at the end?

Kind regards, Peter

Hi @Peter_Beckendorf!

I've only added the parameters and policyRule object to the code snippet to avoid too much bloat in the post :)

I've updated the original post to fix the indentation issue so it's easier to read.