azure policy | To deny the action of removing user assigned identity from a virtual machine is not working
I want to create an Azure policy with deny effect to prevent the action of removing a user assigned identity from a virtual machine, but I am not able to do so, as we are using Terraform to create virtual machines where I will assign the identity, and this policy is restricting the creation, meaning the deny action is coming into effect while creating the VM. This new policy is preventing creation of the VM. We need logic so that it does not prevent creation of the VM, enforces on the VMs that already exist, and triggers only during modification or a PUT request alone. I have tried it with the PUT method also; with this I can create a VM through Terraform, but if I try to remove the user assigned identity from the virtual machine it will do this successfully. I want to know whether this case is feasible or not?
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "field": "tags['network_environment']",
        "in": "[parameters('allowedEnvironments')]"
      }
    ]
  },
  "then": {
    "effect": "deny",
    "details": {
      "type": "Microsoft.Compute/virtualMachines",
      "existenceCondition": {
        "allOf": [
          {
            "not": {
              "field": "identity.type",
              "contains": "UserAssigned"
            }
          },
          {
            "not": {
              "field": "identity.userAssignedIdentities",
              "containsKey": "[parameters('userAssignedIdentityResourceId')]"
            }
          }
        ]
      }
    }
  }
}
edited Nov 29, 2024 at 8:01 by Venkat V
asked Nov 21, 2024 at 8:55 by Srishti garg
- Do you want to deny the action of UAM removal from the existing VM instead of the new VM? – Venkat V Commented Nov 21, 2024 at 9:17
1 Answer
Azure Policy does not support HTTP triggers such as PUT and POST. As a result, there is no way to allow VM creation with a User-Assigned Managed Identity while blocking the assignment of a UAMI to existing VMs.
The existenceCondition can apply only to the AuditIfNotExists and DeployIfNotExists policy effects, not the Deny action; follow the Stack link by Deep.
Alternatively, you can use exclusions in Azure Policy to bypass the policy for a specific resource group. This allows resources in the specified resource group to be created with a User-Assigned Managed Identity (UAMI), while still blocking the removal of UAMIs from resources in other resource groups.
I created a policy to block UAMs from being assigned to VMs, but it is also blocking VM creation through any method, including code.
When creating or modifying a resource, Azure uses the PUT operation for both actions. Therefore, it is not possible to allow VM creation with a User-Assigned Managed Identity and block removal of a UAM from an existing VM.
Reference: Azure Policy exemption
Azure Policy pattern: effects
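An added lint check (not code from the question or the answer) that applies the answer's point to the rule posted in the question: it parses a copy of that rule and reports that existenceCondition is never evaluated under the deny effect, and that the identity fields therefore never influence the deny decision, so the rule denies every matching VM PUT. The rule copy is constructed from the question with only the missing comma after "deny" added.

```python
import json

# Constructed copy of the rule from the question (only the missing comma after "deny"
# was added so that it parses); embedded here as offline sample input.
POLICY_RULE = json.loads("""{
  "if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"field": "tags['network_environment']", "in": "[parameters('allowedEnvironments')]"}]},
  "then": {"effect": "deny", "details": {
    "type": "Microsoft.Compute/virtualMachines",
    "existenceCondition": {"allOf": [
      {"not": {"field": "identity.type", "contains": "UserAssigned"}},
      {"not": {"field": "identity.userAssignedIdentities",
               "containsKey": "[parameters('userAssignedIdentityResourceId')]"}}]}}}
}""")

# The only effects whose "details" block evaluates an existenceCondition.
EXISTENCE_EFFECTS = {"auditifnotexists", "deployifnotexists"}


def fields_in(condition) -> set:
    """Collect every 'field' alias referenced anywhere inside a condition tree."""
    found = set()
    if isinstance(condition, dict):
        if "field" in condition:
            found.add(condition["field"])
        for value in condition.values():
            found |= fields_in(value)
    elif isinstance(condition, list):
        for item in condition:
            found |= fields_in(item)
    return found


def lint_policy_rule(rule: dict) -> list:
    """Return findings that explain why a deny rule fires on more resources than intended."""
    findings = []
    then = rule.get("then", {})
    effect = str(then.get("effect", "")).lower()
    details = then.get("details") or {}
    if "existenceCondition" in details and effect not in EXISTENCE_EFFECTS:
        findings.append(f"existenceCondition is ignored for effect '{effect}': only "
                        "auditIfNotExists/deployIfNotExists evaluate it")
    # Fields mentioned only under "details" never take part in the if-block decision.
    unused = fields_in(details) - fields_in(rule.get("if", {}))
    if unused and effect == "deny":
        findings.append("deny decision never inspects: " + ", ".join(sorted(unused)))
    return findings
```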