I have got the following very basic policy that aims to enforce a naming convention on new resource groups.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/resourceGroups"
        },
        {
          "field": "name",
          "notLike": "rg-*"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
The policy is assigned at the subscription level, and policy enforcement = enabled. There are no exclusions and as you can see from the policy the effect is set to deny.
However, this policy simply does not have any effect. I am able to create new resource groups with names like noncompliant, ... at will. Also, I have waited for more than 30min for the policy to take effect (actually I waited for more than 24h).
Interestingly enough, the following policy takes effect (almost immediately after assigning), where the only difference is the comparison on the resource type.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/virtualNetworks"
        },
        {
          "field": "name",
          "notLike": "vnet-*"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
I really don't get what's going wrong here. Anything special about resource groups in the context of policies I haven't come across yet?
I figured it out by looking at a built-in policy dealing with resource groups. Actually, the string I compared against was wrong. The following policy works...
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "field": "name",
          "notLike": "rg-*"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
In case anyone is looking for a turnkey-ready solution, have a look at my azure-naming-convention-initiative, which is basically a collection of policies to enforce Microsoft's naming convention recommendation.
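To make the difference between the two type strings concrete, here is a small evaluator for the subset of Azure Policy rule syntax the policies above use (allOf, field/equals, field/notLike). It is an added example written for this page, not the poster's code and not Azure's policy engine; it assumes, as the working policy above shows, that the engine sees a resource group with type Microsoft.Resources/subscriptions/resourceGroups, and it approximates Azure's string comparison as case-insensitive with `*` as the only wildcard. The resource group records and the helper names (`make_policy`, `resource_group`, `evaluate_policy`) are constructed for the example.

```python
import json
import re

# Type string Azure Policy evaluates for a resource group (taken from the working
# policy above). The first policy compared against a different string, so its
# "allOf" never matched and the deny effect never fired.
RESOURCE_GROUP_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"


def like(value: str, pattern: str) -> bool:
    """Approximation of Azure Policy 'like': case-insensitive, '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate_condition(cond: dict, resource: dict) -> bool:
    """Recursively evaluate a policy 'if' block against a flat resource record."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = resource.get(cond["field"], "")
    if "equals" in cond:
        return value.lower() == cond["equals"].lower()
    if "notEquals" in cond:
        return value.lower() != cond["notEquals"].lower()
    if "like" in cond:
        return like(value, cond["like"])
    if "notLike" in cond:
        return not like(value, cond["notLike"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(policy: dict, resource: dict) -> str:
    """Return the effect that applies ('deny') or 'allow' when the rule does not match."""
    rule = policy["policyRule"]
    if evaluate_condition(rule["if"], resource):
        return rule["then"]["effect"].lower()
    return "allow"


def make_policy(resource_type: str, name_pattern: str) -> dict:
    """Build a policy with the same shape as the ones on this page (hypothetical helper)."""
    return {
        "mode": "All",
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "type", "equals": resource_type},
                    {"field": "name", "notLike": name_pattern},
                ]
            },
            "then": {"effect": "deny"},
        },
        "parameters": {},
    }


# The original (non-working) policy and the corrected one from the answer.
BROKEN_POLICY = make_policy("Microsoft.Resources/resourceGroups", "rg-*")
FIXED_POLICY = make_policy(RESOURCE_GROUP_TYPE, "rg-*")


def resource_group(name: str) -> dict:
    """Constructed record for a new resource group as the evaluator would see it."""
    return {"type": RESOURCE_GROUP_TYPE, "name": name}


if __name__ == "__main__":
    for name in ("noncompliant", "rg-prod-weu"):
        rg = resource_group(name)
        print(json.dumps({
            "name": name,
            "broken_policy": evaluate_policy(BROKEN_POLICY, rg),
            "fixed_policy": evaluate_policy(FIXED_POLICY, rg),
        }))
```

Running it shows the broken policy returning "allow" for every name, because the type condition is false and nothing in the `allOf` block ever matches, while the fixed policy denies "noncompliant" and allows "rg-prod-weu". When a deny policy silently has no effect, checking the type string against a built-in policy for the same resource kind is the quickest check to run.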