Tags: azure, azure-sql-database, azure-resource-manager, azure-policy, azure-bicep

Azure ARM policy deployment deny specific sku.name


I am extremely confused about ARM deployment for policies, and I hope somebody can help me solve this issue.

I would like to have in place a policy which denies database deployment based on the sku.name.

Right now I would like to allow the creation of databases that are Standard or Basic, and deny all the other SKUs.

I have this JSON configuration, but it only works partially.

{
  "properties": {
    "displayName": "Not allowed resource types",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy enables you to specify the resource types that your organization cannot deploy.",
    "parameters": {
      "listOfAllowedSKUs": {
        "type": "Array",
        "metadata": {
          "description": "The list of resource types that cannot be deployed.",
          "displayName": "Not allowed resource types",
          "strongType": "resourceTypes"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": "[parameters('listOfAllowedSKUs')]"
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
}

parameters:

{
  "listOfAllowedSKUs": {
    "type": "Array",
    "allowedValues": [
      "Standard",
      "Basic"
    ],
    "metadata": {
      "displayName": "Allowed SKUs",
      "description": "The list of SKUs that can be specified for databases."
    }
  }
}

and the rules:

{
  "if": {
    "not": {
      "field": "Microsoft.Sql/servers/databases/sku.name",
      "in": "[parameters('listOfAllowedSKUs')]"
    }
  },
  "then": {
    "effect": "deny"
  }
}

When I deploy this policy, I can deploy only the Basic SKU, while all the others, Standard included, are denied.

How can I allow the creation of both Basic and Standard?

Thank you so much to whoever will spend his precious time to help me understand this.


Solution

  • Looking at the documentation:

    • sku tier: The tier or edition of the particular SKU, e.g. Basic, Premium.
    • sku name: The name of the SKU, typically, a letter + Number code, e.g. P3.

    So you would need to filter on the sku tier in your case. For Basic, name and tier are the same.
    For Standard, tier is Standard but name can be S1...S12.

    {
      "if": {
        "not": {
          "field": "Microsoft.Sql/servers/databases/sku.tier",
          "in": "[parameters('listOfAllowedSKUs')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
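To see why the two aliases behave differently, here is an added Python simulation (not code from the question or the answer) of the rule's not/field/in logic run over constructed sample database bodies; it assumes the Basic, S1 and P3 sku values mentioned in the answer and mirrors Azure Policy's case-insensitive string matching.

```python
from typing import Any

# Constructed sample request bodies; only the sku block matters for this rule.
SAMPLE_DATABASES = {
    "basic":       {"sku": {"name": "Basic", "tier": "Basic"}},
    "standard_s1": {"sku": {"name": "S1", "tier": "Standard"}},
    "premium_p3":  {"sku": {"name": "P3", "tier": "Premium"}},
}

# Parameter values as they would be supplied on the policy assignment.
PARAMETERS = {"listOfAllowedSKUs": ["Standard", "Basic"]}


def build_rule(sku_property: str) -> dict:
    """The rule from the question, with the sku property (name or tier) selectable."""
    return {
        "if": {"not": {"field": f"Microsoft.Sql/servers/databases/sku.{sku_property}",
                       "in": "[parameters('listOfAllowedSKUs')]"}},
        "then": {"effect": "deny"},
    }


def resolve_field(resource: dict, alias: str) -> Any:
    """Map an alias such as .../databases/sku.tier onto resource["sku"]["tier"]."""
    path = alias.rsplit("/", 1)[-1]  # "sku.tier"
    value: Any = resource
    for key in path.split("."):
        value = value.get(key) if isinstance(value, dict) else None
    return value


def condition_holds(cond: dict, resource: dict, params: dict) -> bool:
    """Evaluate the subset of policy conditions used here: not, field + in."""
    if "not" in cond:
        return not condition_holds(cond["not"], resource, params)
    value = resolve_field(resource, cond["field"])
    param_name = cond["in"].split("'")[1]  # "[parameters('x')]" -> "x"
    allowed = params[param_name]
    # Azure Policy compares strings case-insensitively; mirror that here.
    return str(value).lower() in {v.lower() for v in allowed}


def evaluate(sku_property: str) -> dict:
    """Return {sample name: 'deny' | 'allow'} for each sample database."""
    rule = build_rule(sku_property)
    results = {}
    for name, db in SAMPLE_DATABASES.items():
        matched = condition_holds(rule["if"], db, PARAMETERS)
        results[name] = rule["then"]["effect"] if matched else "allow"
    return results
```

Running `evaluate("name")` denies S1 because "S1" is not in the allowed list, while `evaluate("tier")` lets both Basic and S1 through and still denies the Premium P3 database.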