I am trying to build a few custom policies and I am dealing with some complex field expressions like below:
"then": {
    "effect": "[parameters('effect')]",
    "details": {
        "type": "Microsoft.Network/azureFirewalls",
        "existenceCondition": {
            "count": {
                "field": "Microsoft.Network/azureFirewalls/ipConfigurations[*]",
                "where": {
                    "field": "Microsoft.Network/azureFirewalls/ipConfigurations[*].subnet.id",
                    "like": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/*/providers/Microsoft.Network/virtualNetworks/', first(split(field('fullName'), '/')), '/subnets/AzureFirewallSubnet')]"
                }
            },
            "equals": 1
        }
    }
}
The expression does not work the way I expect. Is there any way to evaluate some of the fields or expressions mentioned above for a resource outside the policy engine by making PowerShell calls?
For example, when I need to debug things, how do I evaluate expressions like this outside the policy engine:
"field": "Microsoft.Network/azureFirewalls/ipConfigurations[*].subnet.id",
"like": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/*/providers/Microsoft.Network/virtualNetworks/', first(split(field('fullName'), '/')), '/subnets/AzureFirewallSubnet')]"
To get current values of aliases, I like to use a Resource Graph query via the API (Postman). To do this, use the following endpoint with Bearer Token authorization.
POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2019-04-01
Resource Graph Query Body Payload:
{
    "query": "Resources | where type =~ 'Microsoft.Network' | project aliases",
    "subscriptions": [
        "{{subscription_id}}"
    ]
}
UPDATE: Jan 29 2022. It looks like Alias values are no longer indexed in Resource Graph. In this case I would use the method described below. Also, you can verify the alias path you are using by running Get-AzPolicyAlias in PowerShell. For example,
(Get-AzPolicyAlias -NamespaceMatch 'microsoft.security' -ResourceTypeMatch 'pricings').Aliases
will provide a list of all aliases under the Microsoft.Security/pricings resource provider. However, they do not tell you the current value. To get the current value you can write a policy and use the method described below.
Also, another good place to check for Azure Policy feedback is the Compliance tab of the Azure Policy portal blade. If you can get your policy to evaluate to Non-Compliant, it will give you feedback why it has been evaluated that way.
To do this from the Policy blade: Compliance > Non-Compliant resource... > at the far right of the row, Compliant Reason. This will show you valuable nuggets of information as far as Target Value, Current Value, etc.
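As an added example (not code from the question or the answer above), the following PowerShell script emulates the question's count/where/like expression for one Azure Firewall outside the policy engine, using the Get-AzPolicyAlias check from the answer and then comparing each ipConfigurations[*].subnet.id against the rebuilt pattern. It assumes Az.Accounts and Az.Resources are installed, Connect-AzAccount has already run, the firewall is a top-level resource (so field('fullName') equals its name), and that Azure Policy's like, like PowerShell's -like, is a case-insensitive wildcard match.

```powershell
# Added example, not part of the original post: evaluate the policy's
# existenceCondition for one firewall by hand. $FirewallResourceId is an assumption.
param(
    [Parameter(Mandatory)]
    [string] $FirewallResourceId   # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/azureFirewalls/<name>
)

# 1. Confirm the alias path used in the rule actually exists (the answer's Get-AzPolicyAlias check).
$aliasName = 'Microsoft.Network/azureFirewalls/ipConfigurations[*].subnet.id'
$alias = (Get-AzPolicyAlias -NamespaceMatch 'Microsoft.Network' -ResourceTypeMatch 'azureFirewalls').Aliases |
    Where-Object { $_.Name -eq $aliasName }
if (-not $alias) { throw "Alias '$aliasName' not found; re-check the path with Get-AzPolicyAlias." }

# 2. Fetch the resource body; this is what the policy engine resolves field() against.
$fw = Get-AzResource -ResourceId $FirewallResourceId -ExpandProperties

# 3. Rebuild the concat(...) value from the rule.
#    subscription().subscriptionId -> taken from the resource id
#    first(split(field('fullName'), '/')) -> the firewall name for a top-level resource (assumption)
$subscriptionId = ($FirewallResourceId -split '/')[2]
$vnetName = ($fw.Name -split '/')[0]
$pattern = "/subscriptions/$subscriptionId/resourceGroups/*/providers/Microsoft.Network/virtualNetworks/$vnetName/subnets/AzureFirewallSubnet"

# 4. Evaluate the count/where: how many ipConfigurations[*].subnet.id values satisfy 'like'?
$subnetIds = @($fw.Properties.ipConfigurations | ForEach-Object { $_.properties.subnet.id })
$matching  = @($subnetIds | Where-Object { $_ -like $pattern })

Write-Host "Target pattern : $pattern"
foreach ($id in $subnetIds) {
    $verdict = if ($id -like $pattern) { 'match' } else { 'no match' }
    Write-Host "Current value  : $id -> $verdict"
}
Write-Host ("count equals 1 : {0}  (matched {1} of {2})" -f ($matching.Count -eq 1), $matching.Count, $subnetIds.Count)
```

Comparing the printed target pattern with the current values side by side shows the same Target Value / Current Value information the Compliance blade reports, without waiting for a policy evaluation cycle.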