
I am trying to create a DeployIfNotExists policy from an existing AuditIfNotExists policy. It deploys without error, but when the policy is evaluated it fails with "No related resources match the effect details in the policy definition." The AuditIfNotExists policy works fine when I deploy it to the same management group, so I wonder if I have missed something.

This policy is meant to create an alert for NSG deletion if one doesn't already exist. Here is the DeployIfNotExists policy - do you guys see any issue with it? Any input appreciated. Thank you.

{
  "$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion":"1.0.0.0",
  "parameters":{
    "effect":{
      "type":"string",
      "metadata":{
        "displayName":"Effect",
        "description":"Enable or disable the execution of the policy"
      },
      "allowedValues":[
        "AuditIfNotExists",
        "deployIfNotExists",
        "Disabled"
      ],
      "defaultValue":"deployIfNotExists"
    }
  },
  "variables":{
    "actionGroupName":"dsactiongroup"
  },
  "resources":[
    {
      "name":"CIS5.2.3-EnsureAuditDeleteNSG",
      "type":"Microsoft.Authorization/policyDefinitions",
      "apiVersion":"2019-09-01",
      "properties":{
        "policyType":"Custom",
        "displayName":"CIS 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group (Scored)",
        "description":"Monitor Activity Alerts exist for specific activities.",
        "mode":"all",
        "metadata":{
          "category":"Audit"
        },
        "parameters":{
          
        },
        "policyRule":{
          "if":{
            "allOf":[
              {
                "field":"type",
                "equals":"Microsoft.Resources/subscriptions"
              }
            ]
          },
          "then":{
            "effect":"[parameters('effect')]",
            "details":{
              "type":"Microsoft.Insights/ActivityLogAlerts",
              "existenceCondition":{
                "allOf":[
                  {
                    "allOf":[
                      {
                        "not":{
                          "field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                          "notEquals":"category"
                        }
                      },
                      {
                        "not":{
                          "field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                          "notEquals":"Administrative"
                        }
                      }
                    ]
                  },
                  {
                    "allOf":[
                      {
                        "not":{
                          "field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                          "notEquals":"resourceType"
                        }
                      },
                      {
                        "not":{
                          "field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                          "notEquals":"microsoft.network/networksecuritygroups"
                        }
                      }
                    ]
                  },
                  {
                    "allOf":[
                      {
                        "not":{
                          "field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                          "notEquals":"operationName"
                        }
                      },
                      {
                        "not":{
                          "field":"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                          "notEquals":"Microsoft.Network/networkSecurityGroups/delete"
                        }
                      }
                    ]
                  }
                ]
              },
              "roleDefinitionIds":[
                "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa"
              ],
              "deployment":{
                "properties":{
                  "mode":"incremental",
                  "template":{
                    "$schema":"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                    "contentVersion":"1.0.0.0",
                    "parameters":{
                      
                    },
                    "variables":{
                      "actionGroupName":"dactiongroup"
                    },
                    "resources":[
                      {
                        "name":"NSGRuleDeleted",
                        "type":"Microsoft.Insights/activityLogAlerts",
                        "location":"global",
                        "apiVersion":"2017-04-01",
                        "properties":{
                          "description":"NSG Rule Deleted",
                          "enabled":true,
                          "condition":{
                            "allOf":[
                              {
                                "field":"category",
                                "equals":"Administrative"
                              },
                              {
                                "field":"operationName",
                                "equals":"Microsoft.Network/networkSecurityGroups/securityRules/delete"
                              }
                            ]
                          },
                          "actions":{
                            "actionGroups":[
                              {
                                "actionGroupId":"[resourceId('Microsoft.Insights/actionGroups', variables('actionGroupName'))]"
                              }
                            ]
                          }
                        }
                      }
                    ],
                    "outputs":{
                      
                    }
                  },
                  "parameters":{
                    
                  }
                }
              }
            }
          }
        }
      }
    }
  ]
}
  • Still stuck with this, guys - trying to bump this up hoping someone will give some tips :) – user1197981 Nov 01 '20 at 10:54
  • did you find a solution? where do you see this error? – MoonHorse Dec 15 '20 at 10:38
  • The error you got has this explanation: A resource of the type defined in then.details.type and related to the resource defined in the if portion of the policy rule doesn't exist. https://learn.microsoft.com/en-us/azure/governance/policy/how-to/determine-non-compliance – MoonHorse Dec 15 '20 at 11:30
  • Any hint on how to solve this? – Tirbo06 Nov 02 '21 at 14:17
  • Did you manage to fix it? Otherwise, provide a screenshot of your non-compliant error (Compliance details) - from "reason for non-compliance" and downwards. If you fixed it, please upload solution for others to benefit from. Thanks – Niclas Jan 20 '23 at 22:55
  • The type value is wrong, it should be a resource provider+resource type, e.g. `Microsoft.Insights/ActivityLogAlerts`. Error here: `"resources": [ { "name": "CIS5.2.3-EnsureAuditDeleteNSG", "type": "Microsoft.Authorization/policyDefinitions",` – Niclas Jan 20 '23 at 23:18
