5

I'm currently trying to understand Azure policies. I think I've got my head around the aliases, but I'm having trouble understanding where to find the correct values for the ExistenceCondition `equals` field.

  1. How does it differ from the PolicyRule we applied?
  2. Should I keep the ExistenceCondition almost the same as the PolicyRule?

Policy rule I applied:

    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Insights/metricalerts"
            },
            {
                "field": "Microsoft.Insights/metricalerts/enabled",
                "equals": "true"
            },
            {
                "field": "Microsoft.Insights/metricalerts/actions[*]",
                "less": "1"
            }
        ]
    }
Serg
Sachin Kalia
  • One scenario to use `ExistenceCondition` is to check resources other than resources that `PolicyRule` specified. – ccshih Jun 30 '20 at 09:05
  • For example, for all A type resources, check if there exists a B type resource that references A. In this case, `PolicyRule` specifies A resources while `ExistenceCondition` specifies B resources. – ccshih Jul 01 '20 at 07:46
  • Did you find the answer? – Blue Clouds Jul 13 '21 at 11:01
  • @ccshih What if we ignore 'ExistenceCondition'? The documentation says that it will then not trigger the deployment. Then it should be mandatory, right? – Blue Clouds Jul 14 '21 at 13:36

4 Answers

5

ExistenceCondition is the opposite of policyRule in terms of control direction. In the policy rule you proceed only if the condition is true. In ExistenceCondition you proceed only if the condition is false. In the example below, in policyRule you filter only the storageAccount, then proceed. The deploy happens only if the condition is false (deleteRetentionPolicy.enabled == false), so it proceeds and deploys. So once the deploy is done, it will be deleteRetentionPolicy.enabled == true.

    {
        "policyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Storage/storageAccounts"
                    },
                    {
                        "field": "kind",
                        "in": [
                            "Storage",
                            "StorageV2",
                            "BlobStorage",
                            "BlockBlobStorage"
                        ]
                    }
                ]
            },
            "then": {
                "effect": "DeployIfNotExists",
                "details": {
                    "type": "Microsoft.Storage/storageAccounts/blobServices",
                    "existenceCondition": {
                        "field": "Microsoft.Storage/storageAccounts/blobServices/default.deleteRetentionPolicy.enabled",
                        "equals": true
                    }
                }
            }
        }
    }
David Gardiner
Blue Clouds
0

See this example:

https://learn.microsoft.com/en-us/azure/governance/policy/samples/pattern-effect-details#sample-2-explanation

    "details": {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "existenceCondition": {
            "allOf": [
                {
                    "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                    "equals": "[parameters('publisher')]"
                },
                {
                    "field": "Microsoft.Compute/virtualMachines/extensions/type",
                    "equals": "[parameters('type')]"
                }
            ]
        }
    }

The existenceCondition uses policy language elements, such as logical operators, to determine if a matching related resource exists. In this example, the values checked against each alias are defined in parameters.

Allan Xu
0

ExistenceCondition applies only to policies with the effect AuditIfNotExists or DeployIfNotExists.

In the case of AuditIfNotExists:

"If any matching related resource evaluates to true, the effect is satisfied and doesn't trigger the audit."

In the case of DeployIfNotExists:

"If any matching related resource evaluates to true, the effect is satisfied and doesn't trigger the deployment."

An existing resource that does not match the ExistenceCondition will be marked as non-compliant. Resources filtered out by the PolicyRule will not be marked as non-compliant.

Deep
0

With ExistenceCondition, you can evaluate all sub-resources of a specific type and then base your logic around that. So a Microsoft.Compute/virtualMachines resource could have 0-to-many Microsoft.Compute/virtualMachines/extensions sub-resources. How would you check if there is at least one extension that has MicrosoftWindowsServer as the publisher? You couldn't do that without the ExistenceCondition feature, because if you tried to do that at a higher level, it would fail whenever other extensions with a different publisher are installed.

r3verse
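The two-stage logic described in the first answer (the "if" only selects resources; the existenceCondition decides whether the effect fires) and in the last answer (at least one of many VM extensions must match), as an added toy model that is not code from the question, the answers or Azure Policy itself. It assumes the policy-language subset seen on this page (field/equals/in, allOf/anyOf), constructed sample resources stored as plain dicts whose keys stand in for real aliases, and a hypothetical `parent` key to link a sub-resource to its parent.

```python
from typing import Any, Dict, List

EXT = "Microsoft.Compute/virtualMachines/extensions"
PUBLISHER = EXT + "/publisher"


def matches(cond: Dict[str, Any], res: Dict[str, Any]) -> bool:
    """Evaluate one condition (field/equals/in, allOf/anyOf) against a resource dict."""
    if "allOf" in cond:
        return all(matches(c, res) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, res) for c in cond["anyOf"])
    value = res.get(cond["field"])  # constructed data: aliases are plain dict keys
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: Dict[str, Any], resources: List[Dict[str, Any]]) -> Dict[str, str]:
    """Map each resource name to 'compliant', 'non-compliant' or 'not evaluated'."""
    details = policy["then"]["details"]
    result: Dict[str, str] = {}
    for res in resources:
        if not matches(policy["if"], res):  # stage 1: "if" only selects resources
            result[res["name"]] = "not evaluated"
            continue
        # stage 2: existenceCondition runs over the related resources of details.type;
        # the effect is satisfied if ANY of them matches, otherwise audit/deploy fires.
        related = [r for r in resources
                   if r["type"] == details["type"] and r.get("parent") == res["name"]]
        ok = any(matches(details["existenceCondition"], r) for r in related)
        result[res["name"]] = "compliant" if ok else "non-compliant"
    return result


# Constructed sample: every VM needs at least one extension published by MicrosoftWindowsServer.
POLICY = {
    "if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    "then": {"effect": "AuditIfNotExists", "details": {
        "type": EXT,
        "existenceCondition": {"field": PUBLISHER, "equals": "MicrosoftWindowsServer"}}},
}
RESOURCES = [
    {"name": "vm1", "type": "Microsoft.Compute/virtualMachines"},
    {"name": "vm1/mon", "type": EXT, "parent": "vm1", PUBLISHER: "Microsoft.Azure.Monitor"},
    {"name": "vm1/win", "type": EXT, "parent": "vm1", PUBLISHER: "MicrosoftWindowsServer"},
    {"name": "vm2", "type": "Microsoft.Compute/virtualMachines"},
    {"name": "vm2/mon", "type": EXT, "parent": "vm2", PUBLISHER: "Microsoft.Azure.Monitor"},
    {"name": "sa1", "type": "Microsoft.Storage/storageAccounts"},
]
```

Running `evaluate(POLICY, RESOURCES)` marks vm1 compliant even though it also carries a non-matching extension, vm2 non-compliant, and the storage account (filtered out by the "if") not evaluated at all.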