Details of the scenario you tried and the problem that is occurring
Initial observation of mismatch between filename and defined parameters.effect.allowedValues
It is worth noting that the name of this policy's file indicates the author intended Audit-Only use of the policy; however, parameters.effect.allowedValues lists the Deny and Disabled effects as well. This is further documented in #118467 on the azure-docs repo.
Condition
When using this policy with a "Deny" effect.
Cause
The rule located at properties.policyrule.if.allof.anyof.field specifies that "Microsoft.Search/searchServices/encryptionWithCmk.encryptionComplianceStatus" must have the value of compliant. This works perfectly with Audit; however, it poses an issue with Deny because this value is a ReadOnly value that is added to the resource by the Azure service fabric post-deployment, not by the user, and is therefore not present when the policy engine assesses deny effects. You will note the documentation for ARM templates for this resource does not list encryptionComplianceStatus as a user-configurable setting.
Effect
When you attempt to deploy a search services resource with this policy in effect, you will be denied, as the policy cannot validate the value of the missing ReadOnly parameter.
Verbose logs showing the problem
Search Service Name: "srch-corp-demo-dev-use2-test"): performing CreateOrUpdate: unexpected status 403 with error: RequestDisallowedByPolicy: Resource 'srch-corp-demo-dev-use2-test' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Azure Cognitive Search services should use customer-managed keys to encrypt data at rest - Deny","id":"/providers/Microsoft.Management/managementGroups/REDACTED/providers/Microsoft.Authorization/policyAssignments/REDACTED"},"policyDefinition":{"name":"Azure Cognitive Search services should use customer-managed keys to encrypt data at rest","id":"/providers/Microsoft.Authorization/policyDefinitions/REDACTED"}}]'.
Suggested solution to the issue
There are a few plausible solutions:
Firstly, the option I recommended in #118467 on the azure-docs repo would be to update the policy documentation so that it does not list the policy as being usable with the Deny effect. The maintainers of that repo pointed me here, as their table is not directly editable and is compiled from source, which leads me to believe we would have to update parameters.effect.allowedValues for the doc to reflect that change.
Alternatively, removing the rule for Microsoft.Search/searchServices/encryptionWithCmk.encryptionComplianceStatus would likely allow the policy to be used with the Deny effect; however, it would also reduce its efficacy as an Audit policy. A better solution would be to add a deny policy explicitly for this use case and make the existing policy Audit only.
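The evaluation difference the issue describes, as an added example that is not part of the original issue or of the azure-policy repository's code: a small simulator for the subset of the Azure Policy rule language this policy uses (allOf/anyOf/not, field equals/notEquals/exists) evaluates a constructed version of the rule twice, once against the deployed resource as Audit sees it and once against the pre-deployment request body as Deny sees it. Only the alias Microsoft.Search/searchServices/encryptionWithCmk.encryptionComplianceStatus comes from the issue; the rule JSON, the sample resources, the treatment of a missing field (fails `equals`, satisfies `notEquals`) and the `encryptionWithCmk.enforcement` alias used in the separate Deny-only rule are all assumptions made for the example.

```python
"""Simulate Azure Policy evaluation of the CMK rule against (a) a deployment
request and (b) the deployed resource, showing why a Deny effect fires on a
read-only field that only exists post-deployment.

Added example, not the azure-policy repository's code. The rule JSON is a
constructed approximation; only STATUS_ALIAS appears in the issue. The
ENFORCEMENT_ALIAS used by the Deny-only rule is an assumption.
"""
from typing import Any

STATUS_ALIAS = "Microsoft.Search/searchServices/encryptionWithCmk.encryptionComplianceStatus"
ENFORCEMENT_ALIAS = "Microsoft.Search/searchServices/encryptionWithCmk.enforcement"  # assumed

# Rule as the issue describes it: non-compliant unless the read-only status
# field equals "Compliant". Constructed, not the repo's exact definition.
AUDIT_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Search/searchServices"},
            {"anyOf": [
                {"field": STATUS_ALIAS, "notEquals": "Compliant"},
            ]},
        ]
    }
}

# Deny-only rule restricted to a property the caller sets in the request
# (hypothetical alias; the point is that it is present pre-deployment).
DENY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Search/searchServices"},
            {"field": ENFORCEMENT_ALIAS, "notEquals": "Enabled"},
        ]
    }
}

_MISSING = object()


def _resolve(alias: str, resource: dict) -> Any:
    """Map '<type>/a.b' onto resource['properties']['a']['b']; 'type' maps to
    the resource type. Returns _MISSING when the path is absent."""
    if alias == "type":
        return resource.get("type", _MISSING)
    _, _, path = alias.partition("/searchServices/")
    node: Any = resource.get("properties", {})
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def evaluate(cond: dict, resource: dict) -> bool:
    """True when the condition matches, i.e. the resource is non-compliant
    under the rule's 'if'. Assumed semantics for an absent field: 'equals'
    is false, 'notEquals' is true, 'exists' compares presence to the flag."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    value = _resolve(cond["field"], resource)
    if "equals" in cond:
        return value is not _MISSING and value == cond["equals"]
    if "notEquals" in cond:
        return value is _MISSING or value != cond["notEquals"]
    if "exists" in cond:
        return (value is not _MISSING) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def decision(rule: dict, effect: str, resource: dict) -> str:
    """Deny blocks the request when the rule matches; Audit only records
    the compliance state of an existing resource."""
    matched = evaluate(rule["if"], resource)
    if effect.lower() == "deny":
        return "denied" if matched else "allowed"
    return "non-compliant" if matched else "compliant"


# Constructed samples: the request carries only caller-settable properties;
# the deployed resource additionally has the service-populated status field.
REQUEST_BODY = {
    "type": "Microsoft.Search/searchServices",
    "name": "srch-example",
    "properties": {"encryptionWithCmk": {"enforcement": "Enabled"}},
}
DEPLOYED_RESOURCE = {
    **REQUEST_BODY,
    "properties": {"encryptionWithCmk": {"enforcement": "Enabled",
                                          "encryptionComplianceStatus": "Compliant"}},
}


def demonstrate() -> dict:
    """Audit passes on the deployed resource, yet the same rule with Deny
    rejects the request because the status field does not exist yet."""
    return {
        "audit_on_deployed": decision(AUDIT_RULE, "Audit", DEPLOYED_RESOURCE),
        "deny_on_request": decision(AUDIT_RULE, "Deny", REQUEST_BODY),
        "deny_only_rule_on_request": decision(DENY_RULE, "Deny", REQUEST_BODY),
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {result}")
```

Running the block prints `audit_on_deployed: compliant`, `deny_on_request: denied` and `deny_only_rule_on_request: allowed`, which is the asymmetry the issue reports: the same condition is satisfiable only after the service has written the read-only field, so a Deny assignment can never be satisfied at request time.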