I have an Azure custom policy. It checks all storage accounts; if there is no VNet and subnet set up on them as the selected network, it goes and modifies them to have VNet integration according to the parameters I entered. The parameter I entered is an array of subnet info as follows:
"allowedNetworks": {
  "type": "array",
  "metadata": {
    "description": "The list of allowed virtual networks",
    "displayName": "Allowed Networks"
  },
  "defaultValue": [
    {
      "id": "/subscriptions/xxx/resourceGroups/test3/providers/Microsoft.Network/virtualNetworks/rogertest3-vnet/subnets/default",
      "action": "Allow",
      "state": "Succeeded"
    },
    {
      "id": "/subscriptions/xxx/resourceGroups/test3/providers/Microsoft.Network/virtualNetworks/rogertest3-vnet/subnets/AzureBastionSubnet",
      "action": "Allow",
      "state": "Succeeded"
    }
  ]
}
and the effect is as follows:
"then": {
  "effect": "[parameters('effect')]",
  "details": {
    "roleDefinitionIds": [
      "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
    ],
    "conflictEffect": "audit",
    "operations": [
      {
        "operation": "addOrReplace",
        "field": "Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules",
        "value": "[parameters('allowednetworks')]"
      },
      {
        "operation": "addOrReplace",
        "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
        "value": "Deny"
      }
    ]
  }
}
It works well; however, there are some behaviours around this modify effect I'm a bit confused about.
If I create a new storage account and it falls under the scope of this policy, I notice it automatically adds this VNet integration, even if I select "All networks" at the time of creation.
If I try to manually change any storage account to all networks, the UI quickly reverts to VNet integration, so it's not doing anything, and it does not give an error message. Doing it with PowerShell gives the same result.
This is a bit contradictory to what I understand as the modify effect; I thought the modify effect was not mandatory and would only apply to storage accounts if you go with remediation.
Actually, it is by design, I just found out. The modify effect gives a desired state configuration effect, so when you create something, Policy will evaluate it, and if it fits the policy, Policy will take effect.
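For reference, here is the complete setup the thread describes, as an added example and not the poster's own code: the policy definition with an "if" block (the post shows only the "then" block, so the condition below is an assumption), an assignment with a system-assigned identity so the Modify effect can actually write to storage accounts, the role grant that the Portal does for you but PowerShell does not, and a remediation task for accounts that already existed before the assignment. The subscription ID, location, names, the specific "if" condition, and the output property names (written for Az.Resources 7.x, where the assignment object exposes Id and IdentityPrincipalId) are all assumptions; adjust them for your environment.

```powershell
# Added example (not the original poster's code). Assumptions: placeholder subscription
# ID/location/names, the "if" condition (the post only shows "then"), and Az.Resources 7.x
# cmdlet/property names (New-AzPolicyAssignment -IdentityType, $assignment.Id,
# $assignment.IdentityPrincipalId). Run with an account that can create policy and role assignments.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$scope          = "/subscriptions/$subscriptionId"
$location       = 'westeurope'                             # identity needs a location

# Modify is evaluated on every PUT/PATCH of a matching resource, so a request that asks for
# "All networks" (defaultAction = Allow, no virtualNetworkRules) is rewritten to the desired
# state before it is persisted. That is the behaviour the question observed; no error is
# returned because the request succeeds, just with different values.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      {
        "anyOf": [
          { "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "notEquals": "Deny" },
          { "count": { "field": "Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*]" }, "equals": 0 }
        ]
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]",
    "details": {
      "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
      ],
      "conflictEffect": "audit",
      "operations": [
        { "operation": "addOrReplace",
          "field": "Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules",
          "value": "[parameters('allowedNetworks')]" },
        { "operation": "addOrReplace",
          "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
          "value": "Deny" }
      ]
    }
  }
}
'@

# Keep an Audit/Disabled escape hatch so the assignment can be dialled back without deleting it.
$policyParams = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Modify", "Audit", "Disabled" ],
    "defaultValue": "Modify"
  },
  "allowedNetworks": {
    "type": "Array",
    "metadata": { "description": "The list of allowed virtual networks", "displayName": "Allowed Networks" },
    "defaultValue": []
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'enforce-storage-vnet-rules' `
  -DisplayName 'Storage accounts must use selected networks' `
  -Mode 'All' -Policy $policyRule -Parameter $policyParams

# Subnets to allow, in the same shape as the post's parameter (placeholder path).
$allowed = @(
  @{ id = "/subscriptions/$subscriptionId/resourceGroups/test3/providers/Microsoft.Network/virtualNetworks/rogertest3-vnet/subnets/default"; action = 'Allow' }
)

# Modify requires a managed identity on the assignment; without one it evaluates but cannot write.
$assignment = New-AzPolicyAssignment -Name 'enforce-storage-vnet-rules' `
  -PolicyDefinition $definition -Scope $scope -Location $location `
  -IdentityType 'SystemAssigned' `
  -PolicyParameterObject @{ effect = 'Modify'; allowedNetworks = $allowed }

# Grant the identity the role listed in roleDefinitionIds (Storage Account Contributor).
# The short wait is for the new principal to replicate (assumed; adjust if the grant fails).
Start-Sleep -Seconds 60
New-AzRoleAssignment -ObjectId $assignment.IdentityPrincipalId `
  -RoleDefinitionId '17d1049b-9a84-46fb-8f53-869881c3d3ab' -Scope $scope

# Accounts that already existed are left alone until a remediation task runs; new or updated
# accounts are modified at request time without one.
Start-AzPolicyRemediation -Name 'remediate-storage-vnet-rules' `
  -PolicyAssignmentId $assignment.Id -Scope $scope
```

Two points worth checking after deployment: a storage account created through the Portal with "All networks" selected will show "Selected networks" once the blade refreshes, which is the request being rewritten rather than a Portal bug; and if the role grant step is skipped, the assignment reports non-compliance but the Modify operations silently fail for lack of permission, which is the first thing to look at when the rewrite does not happen.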