(BICEP) Regarding microsoft azure polices - DeployIfNotExists - Locks


I have a policy deployed via bicep with the following ruleset:

if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Resources/subscriptions/resourceGroups'
          }
          {
            field: '[concat(\'tags[\', \'DeployedByIaC\', \']\')]'
            equals: 'True'
          }
        ]
      }
      then: {
        effect: 'deployIfNotExists'
        details: {
          type: 'Microsoft.Authorization/locks'
          roleDefinitionIds: [
            '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor role
          ]
          existenceCondition: {
            field: 'Microsoft.Authorization/locks/level'
            equals: 'ReadOnlyLock'
          }
          deployment: {
            properties: {
              mode: 'Incremental'
              template: {
                '$schema': 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#'
                contentVersion: '1.0.0.0'
                resources: [
                  {
                    type: 'Microsoft.Authorization/locks'
                    apiVersion: '2016-09-01'
                    name: 'ReadOnlyLock'
                    properties: {
                      level: 'ReadOnly'
                      notes: 'This lock is applied by policy.'
                    }
                  }
                ]
              }
            }
          }
        }
      }

All works fine and it scans for the tag no problem. But when it wants to deploy the lock, I get the error that it does not have enough rights.

The assignment Bicep code looks like:

resource createAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = if (policy.builtin == false)  {
  name : policy.name
  identity: {
    type: 'SystemAssigned'
  }
  location: location
  properties: {
    displayName: policy.displayName
    policyDefinitionId: policy.id
  }
}

I have rewritten the policy rule, but with no effect. I want to deploy this policy so that when a resource group gets the tag DeployedByIaC, it locks the resource group.


Answer by Niclas:

You have not granted your managed identity the right permissions to perform a resource lock.

It requires the Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions, which only the Owner and User Access Administrator built-in roles have. You are using Contributor.

roleDefinitionIds: [
  '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor role
]

  • Owner: 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
  • User Access Administrator: 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9

These roles are heavily overprivileged for what you want to accomplish, so you are better off creating a custom role for your use case.

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json&wt.mc_id=MVP_323223#who-can-create-or-delete-locks

I can also see that there is a new role, Storage Account Backup Contributor, which can perform:

  • Microsoft.Authorization/locks/read
  • Microsoft.Authorization/locks/write
  • Microsoft.Authorization/locks/delete

*** Updated below due to new error from OP ***

existenceCondition only proceeds if true, unlike policyRule, which only proceeds if false. https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects?wt.mc_id=MVP_323223#deployifnotexists-properties

However, there is no such thing as ReadOnlyLock. The correct value is ReadOnly.
https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/locks?pivots=deployment-language-bicep&wt.mc_id=MVP_323223#managementlockproperties
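The two fixes from the answer put together in one subscription-scoped Bicep file, as an added example that is neither the question's nor the answer's code: a least-privilege custom role carrying only the lock actions plus the deployment action the remediation needs, the policy definition referencing that role and using the correct existence value ReadOnly, the assignment with a system-assigned identity, and the role assignment that actually grants the identity its rights. The role name, policy name and the inclusion of Microsoft.Resources/deployments/* (DeployIfNotExists runs an ARM deployment in the target resource group) are this example's assumptions, not something stated on the page.

```bicep
// Added example, not the original poster's or answerer's code.
// Assumptions: role/policy names, and that the remediation deployment needs
// 'Microsoft.Resources/deployments/*' in addition to the lock actions.
targetScope = 'subscription'

param location string = deployment().location

// Custom role: only read/write locks and run the remediation deployment.
// No locks/delete, and no Owner or User Access Administrator.
resource lockWriterRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: guid(subscription().id, 'policy-lock-writer')
  properties: {
    roleName: 'Policy Lock Writer (custom)' // assumed name
    type: 'CustomRole'
    description: 'Lets a policy remediation identity create management locks'
    permissions: [
      {
        actions: [
          'Microsoft.Authorization/locks/read'
          'Microsoft.Authorization/locks/write'
          'Microsoft.Resources/deployments/*' // assumed: needed for the remediation deployment
        ]
        notActions: []
      }
    ]
    assignableScopes: [
      subscription().id
    ]
  }
}

resource lockPolicy 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
  name: 'lock-iac-resource-groups' // assumed name
  properties: {
    displayName: 'Apply a ReadOnly lock to resource groups tagged DeployedByIaC=True'
    mode: 'All' // resource groups are only evaluated in All mode, not Indexed
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Resources/subscriptions/resourceGroups'
          }
          {
            field: 'tags[\'DeployedByIaC\']'
            equals: 'True'
          }
        ]
      }
      then: {
        effect: 'deployIfNotExists'
        details: {
          type: 'Microsoft.Authorization/locks'
          roleDefinitionIds: [
            lockWriterRole.id // custom role instead of Contributor
          ]
          existenceCondition: {
            field: 'Microsoft.Authorization/locks/level'
            equals: 'ReadOnly' // 'ReadOnlyLock' is not a valid level and never matches
          }
          deployment: {
            properties: {
              mode: 'Incremental'
              template: {
                '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
                contentVersion: '1.0.0.0'
                resources: [
                  {
                    type: 'Microsoft.Authorization/locks'
                    apiVersion: '2020-05-01'
                    name: 'ReadOnlyLock'
                    properties: {
                      level: 'ReadOnly'
                      notes: 'Applied by policy to resource groups deployed by IaC.'
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}

// The assignment's system-assigned identity is what runs the remediation.
resource lockAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = {
  name: 'lock-iac-resource-groups'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    displayName: 'Lock IaC resource groups'
    policyDefinitionId: lockPolicy.id
  }
}

// Without this role assignment the identity exists but holds no rights,
// which is exactly the "not enough rights" failure seen in the question.
resource lockRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, lockAssignment.name, lockWriterRole.id)
  properties: {
    principalId: lockAssignment.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: lockWriterRole.id
  }
}
```

Deploy it at subscription scope (for example with az deployment sub create). Two points worth checking after deployment: the role assignment must exist for the assignment's identity at a scope covering the tagged resource groups, and the existence check compares the lock's level, so any existing ReadOnly lock with a different name still counts as compliant and no second lock is created.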