DEVHIDE
Login Or Sign up

Is it possible to iterate effects in azure policy

89 Views Asked by At

Ask: I would like to know if it is possible to iterate the effects property in azure policy ex:

{
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "in": [
                        "Microsoft.Compute/virtualMachines",
                        "Microsoft.Storage/storageAccounts",
                        "Microsoft.Network/networkInterfaces"
                    ]
                },
                {
                    "anyOf": [
                        {
                            "not": {
                                "field": "[concat('tags[', parameters('tags')[0].tagName, ']')]",
                                "exists": "true"
                            }
                        },
                        {
                            "not": {
                                "field": "[concat('tags[', parameters('tags')[1].tagName, ']')]",
                                "exists": "true"
                            }
                        }
                    ]
                }
            ]
        },
        "then": {
            "effect": "modify",
            "details": {
                "roleDefinitionIds": [
                    "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                ],
                "operations": [
                    {
                        "operation": "addOrReplace",
                        "field": "[concat('tags[', parameters('tags')[0].tagName, ']')]",
                        "value": "[parameters('tags')[0].tagValue]"
                    },
                    {
                        "operation": "addOrReplace",
                        "field": "[concat('tags[', parameters('tags')[1].tagName, ']')]",
                        "value": "[parameters('tags')[1].tagValue]"
                    }
                ]
            }
        }
    },
    "parameters": {
        "tags": {
            "type": "Array",
            "metadata": {
                "displayName": "tags",
                "description": "The tags to apply to the resources."
            },
            "defaultValue": [
                {
                    "tagName": "Environment",
                    "tagValue": "Production"
                },
                {
                    "tagName": "Department",
                    "tagValue": "IT"
                }
            ]
        }
    }
}

In the above policy I would like to iterate the operation / addOrReplace multiple times under the "modify" effect , instead of hardcoding like many times like in the policy

"operations": [
                    {
                        "operation": "addOrReplace",
                        "field": "[concat('tags[', parameters('tags')[0].tagName, ']')]",
                        "value": "[parameters('tags')[0].tagValue]"
                    },
                    {
                        "operation": "addOrReplace",
                        "field": "[concat('tags[', parameters('tags')[1].tagName, ']')]",
                        "value": "[parameters('tags')[1].tagValue]"
                    }
                ]

So, basically the requirement for me is to add multiple tags using "addOrReplace" through iteration instead of specifying each instance in the policy definition

azure azure-active-directory azure-resource-manager azure-rm-template azure-policy
Original Q&A
1

There are 1 best solutions below

0
Jahnavi On

After a workaround on the issue, I found that there is no default feature for iteration with the policy definition.

As a workaround, use referencing in policy definition. It means that you can create a policy definition for one single tag and reference it for the other tags multiple times. Refer below steps to meet your requirements.

{
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "in": [
                        "Microsoft.Compute/virtualMachines",
                        "Microsoft.Storage/storageAccounts",
                        "Microsoft.Network/networkInterfaces"
                    ]
                },
                {
                    "anyOf": [
                        {
                            "not": {
                                "field": "[concat('tags[', parameters('tags')[0].tagName, ']')]",
                                "exists": "true"
                            }
                        },
                        {
                            "not": {
                                "field": "[concat('tags[', parameters('tags')[1].tagName, ']')]",
                                "exists": "true"
                            }
                        }
                    ]
                }
            ]
        },
        "then": {
            "effect": "modify",
            "details": {
                "roleDefinitionIds": [
                    "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
                ],
                "operations": [
                    {
                        "operation": "addOrReplace",
                        "field": "[concat('tags[', parameters('tagName'), ']')]",
                        "value": "[parameters('tagValue')]"
                    }
                ]
            }
        }
    },
    "parameters": {
        "tagName": {
            "type": "String",
            "metadata": {
                "displayName": "xxx",
                "description": "<TagName>"
            }
        },
        "tagValue": {
            "type": "String",
            "metadata": {
                "displayName": "xxx",
                "description": "<Tagvalue>"
            }
        }
    }
}

And the reference definition file looks in the similar way as below.

"parameters": {
        "tagName1": {
            "type": "String", //First tag
             },
        "tagValue1": {
            "type": "String",
            },
        "tagName2": {
            "type": "String", //Second tag
             },
        "tagValue2": {
            "type": "String",
         }
    },
    "policyDefinitions": [
        {
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/tag1definitionID",
            "parameters": {
                "tagName": "[parameters('tag1')]",
                "tagValue": "[parameters('Value')]"
            }
        },
        {
            "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/tag2definitionID",
            "parameters": {
                "tagName": "[parameters('tag2')]",
                "tagValue": "[parameters('Value')]"
            }
        }
    ]

Related Questions in AZURE

Related Questions in AZURE-ACTIVE-DIRECTORY

Related Questions in AZURE-RESOURCE-MANAGER

Related Questions in AZURE-RM-TEMPLATE

Related Questions in AZURE-POLICY

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs

Popular Questions

.

Copyright © 2021 Jogjafile Inc.