azurepolicy

Azure policy forcing the use of an Elastic Pool in any new database


I'm trying to create a policy that will block releasing a database to a resource group if it doesn't have an Elastic Pool in its settings. Unfortunately, every attempt to set the conditions ends with blocking database releases, regardless of whether they have this option enabled or not. I tried to use various field types as a parameter (starting from the simplest, as an example):

    "if": {
      "allOf": [
        {
          "field": "type",
          "notEquals": "Microsoft.Sql/servers/elasticPools"
        }
      ]
    },
    "then": {
      "effect": "Deny"
    }

but it fails every time. How do I correctly formulate the condition in JSON for the policy to work? Maybe someone has an example of a ready configuration? Or maybe there is an example of a ready configuration somewhere?


Solution

  • I am working through a similar problem, and it seems the filter needs to be more explicit to work properly. You can see from the example below, I am filtering on databases AND the non-existence of the ElasticPoolID value...

      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers/databases"
          },
          {
            "not": {
              "field": "Microsoft.Sql/servers/databases/elasticPoolId",
              "exists": "true"
            }
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    

    I haven't tried it denying creation yet, but it appears to work auditing existing DBs.
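To see why the question's condition fires for every database while the answer's only fires for databases without a pool, here is an added toy evaluator for the handful of Azure Policy operators used in this thread (`allOf`, `not`, `field`, `equals`, `notEquals`, `exists`). It is not Azure's evaluation engine and not code from either poster; the alias-to-path mapping and the sample resources are constructed for the illustration.

```python
# Toy evaluator for the subset of the Azure Policy rule language used in this thread.
# Added illustration only: not Azure's engine; aliases and resources below are constructed.

# Hypothetical mapping from policy aliases to JSON paths in the resource body.
ALIASES = {
    "type": ("type",),
    "Microsoft.Sql/servers/databases/elasticPoolId": ("properties", "elasticPoolId"),
}

def lookup(resource, alias):
    # Walk the resource JSON along the alias path; None means "field not present".
    value = resource
    for key in ALIASES[alias]:
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value

def norm(value):  # Azure Policy compares strings case-insensitively; mirror that.
    return value.lower() if isinstance(value, str) else value

def matches(cond, resource):
    """True when the condition holds, i.e. the policy's 'then' effect would apply."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = lookup(resource, cond["field"])
    if "equals" in cond:
        return norm(value) == norm(cond["equals"])
    if "notEquals" in cond:
        return norm(value) != norm(cond["notEquals"])
    if "exists" in cond:  # Azure accepts "true"/"false" strings as well as booleans
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

# The question's condition: a database's type is always .../databases, so it is
# never equal to .../elasticPools and Deny fires for pooled and standalone DBs alike.
ASKER_RULE = {"allOf": [{"field": "type", "notEquals": "Microsoft.Sql/servers/elasticPools"}]}

# The answer's condition: a database resource whose elasticPoolId is absent.
ANSWER_RULE = {"allOf": [
    {"field": "type", "equals": "Microsoft.Sql/servers/databases"},
    {"not": {"field": "Microsoft.Sql/servers/databases/elasticPoolId", "exists": "true"}},
]}

# Constructed sample resources (placeholder IDs, not real subscriptions).
POOLED_DB = {"type": "Microsoft.Sql/servers/databases",
             "properties": {"elasticPoolId": "/subscriptions/<sub>/.../elasticPools/<pool>"}}
STANDALONE_DB = {"type": "Microsoft.Sql/servers/databases", "properties": {}}
```

Running `matches(ASKER_RULE, POOLED_DB)` returns True (the pooled database is still denied), whereas `matches(ANSWER_RULE, POOLED_DB)` returns False and `matches(ANSWER_RULE, STANDALONE_DB)` returns True, which is the behaviour the answer describes.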