
Azure Cognitive Search services should use customer-managed keys to encrypt data at rest: Does not function with Deny Effect #1263

Open
cmurrayjr opened this issue Jan 3, 2024 · 0 comments


Details of the scenario you tried and the problem that is occurring

Initial observation of a mismatch between the filename and the defined parameters.effect.allowedValues

It is worth noting that the name of this policy's file indicates the author intended Audit-only use of the policy; however, parameters.effect.allowedValues lists the Deny and Disabled effects as well. This is further documented in #118467 on the azure-docs repo.

Condition

When using this policy with a "Deny" effect.

Cause

The rule located at properties.policyrule.if.allof.anyof.field specifies that "Microsoft.Search/searchServices/encryptionWithCmk.encryptionComplianceStatus" must have the value Compliant. This works perfectly with Audit; however, it poses an issue with Deny because this value is a ReadOnly value that is added to the resource by the Azure service fabric post-deployment, not by the user, and therefore is not present when the policy engine assesses Deny effects. You will note that the documentation for ARM templates for this resource does not list encryptionComplianceStatus as a user-configurable setting.

Effect

When you attempt to deploy a search services resource with this policy in effect, you will be denied, as the policy cannot validate the value of the missing ReadOnly parameter.

Verbose logs showing the problem

Search Service Name: "srch-corp-demo-dev-use2-test"): performing CreateOrUpdate: unexpected status 403 with error: RequestDisallowedByPolicy: Resource 'srch-corp-demo-dev-use2-test' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Azure Cognitive Search services should use customer-managed keys to encrypt data at rest - Deny","id":"/providers/Microsoft.Management/managementGroups/REDACTED/providers/Microsoft.Authorization/policyAssignments/REDACTED"},"policyDefinition":{"name":"Azure Cognitive Search services should use customer-managed keys to encrypt data at rest","id":"/providers/Microsoft.Authorization/policyDefinitions/REDACTED"}}]'.

Suggested solution to the issue

There are a few plausible solutions:

  • Firstly, as I recommended in #118467 on the azure-docs repo, the policy documentation could be updated so that it does not list the policy as being usable with the Deny effect. The maintainers of that repo pointed me here, as their table is not directly editable and is compiled from source, which leads me to believe we would have to update parameters.effect.allowedValues for the doc to reflect that change.

  • Alternatively, removing the rule for Microsoft.Search/searchServices/encryptionWithCmk.encryptionComplianceStatus would likely allow the policy to be used with the Deny effect; however, it would also reduce its efficacy as an Audit policy. A better solution would be to add a Deny policy explicitly for this use case and make the existing policy Audit only.
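To illustrate the cause described above, the following is an added example (not code from this issue or from the Azure Policy repository): a toy evaluator for the policy rule's condition, run once against a constructed deployment request (where the read-only status is absent, as it is when Deny is assessed) and once against the constructed post-deployment resource state (what an Audit scan sees). The rule shape follows the issue text; the treatment of an absent alias as never "equal" is an assumption about the real engine, not something the issue states.

```python
"""Toy model of Azure Policy condition evaluation for the issue above.
Example code, not part of the Azure Policy repo. Assumption: an alias that
is absent from the evaluated document never satisfies 'equals' and always
satisfies 'notEquals'."""

# Alias quoted in the issue; set by the service after deployment, read-only.
CMK_STATUS = ("Microsoft.Search/searchServices/encryptionWithCmk."
              "encryptionComplianceStatus")

# Condition as described in the issue: the resource is flagged unless the
# read-only compliance status reads "Compliant".
POLICY_CONDITION = {
    "allOf": [
        {"field": "type", "equals": "Microsoft.Search/searchServices"},
        {"anyOf": [
            {"field": CMK_STATUS, "notEquals": "Compliant"},
        ]},
    ]
}


def evaluate(cond: dict, fields: dict) -> bool:
    """Return True when the condition matches, i.e. the effect would fire."""
    if "allOf" in cond:
        return all(evaluate(c, fields) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, fields) for c in cond["anyOf"])
    value = fields.get(cond["field"])  # None when the alias is not present
    if "equals" in cond:
        return value is not None and value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]  # absent field counts as not equal
    raise ValueError(f"unsupported condition: {cond}")


# Constructed request body as seen at Deny time: the service has not yet
# populated the read-only status, so the alias is missing entirely.
DEPLOY_REQUEST = {"type": "Microsoft.Search/searchServices"}

# Constructed stored resource as seen by an Audit scan after deployment.
DEPLOYED_RESOURCE = {
    "type": "Microsoft.Search/searchServices",
    CMK_STATUS: "Compliant",
}


def effect_fires(fields: dict) -> bool:
    """Deny blocks the request / Audit records non-compliance when True."""
    return evaluate(POLICY_CONDITION, fields)
```

Evaluated at request time the condition matches purely because the alias is missing, which is the 403 RequestDisallowedByPolicy in the log above; evaluated against the stored resource it does not match, which is why Audit behaves as intended.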
