Azure ARM Policy not always applied

  • Question

  • Hello,

I created a custom ARM Policy for storage accounts with a deny effect if HTTPS-only traffic is not enabled, and applied it to the subscription:

    # $subscriptionId is set earlier to the id of the target subscription
    $policyRule = '{"if": {"allOf": [{"field": "type","equals": "Microsoft.Storage/storageAccounts"},{"not": {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly","equals": "True"}}]},"then": {"effect": "deny"}}'
    $policyDefinition = New-AzureRmPolicyDefinition -Name "Https traffic only storage account" -Description "Https traffic only storage account" -Policy $policyRule
    New-AzureRmPolicyAssignment -Name "StorageHttpsOnly" -Scope "/subscriptions/$subscriptionId" -PolicyDefinition $policyDefinition


I then tried to create 10 storage accounts with HTTPS-only traffic disabled:

    $testRuns = 1..10
    $resourceGroupName = "test-rg"

    foreach($currentRun in $testRuns)
    {
        $storageCreationError = $null
        $storageAccountName = "teststoragesma$currentRun"

        # Creation should be denied by the policy because HTTPS-only traffic is disabled
        New-AzureRmStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -SkuName Standard_LRS -Location "North Europe" -Kind StorageV2 -AccessTier Cool -EnableHttpsTrafficOnly $false -ErrorAction SilentlyContinue -ErrorVariable storageCreationError | Out-Null

        if($storageCreationError)
        {
            Write-Host "Storage $storageAccountName not created"
            Write-Host $storageCreationError.Exception.Message
        }
        else
        {
            Write-Host "Storage $storageAccountName created"
        }
    }

Some storage accounts are created:

    Storage teststoragesma1 not created
    Resource 'teststoragesma1' was disallowed by policy ...
    Storage teststoragesma2 created
    Storage teststoragesma3 not created
    Resource 'teststoragesma3' was disallowed by policy ...
    Storage teststoragesma4 not created
    Resource 'teststoragesma4' was disallowed by policy ...
    Storage teststoragesma5 not created
    Resource 'teststoragesma5' was disallowed by policy ...
    Storage teststoragesma6 not created
    Resource 'teststoragesma6' was disallowed by policy ...
    Storage teststoragesma7 created
    Storage teststoragesma8 not created
    Resource 'teststoragesma8' was disallowed by policy ...
    Storage teststoragesma9 not created
    Resource 'teststoragesma9' was disallowed by policy ...
    Storage teststoragesma10 not created
    Resource 'teststoragesma10' was disallowed by policy ...

    If I try to change their configuration in the portal, the policy is applied.

Is there something wrong with the policy definition, or am I missing a step?

Thanks in advance

    Tuesday, February 27, 2018 2:14 PM

Answers

  • This actually looks like it is hitting a race condition on creation and bypassing the rule for some reason (unknown until it is troubleshot). The steps you are taking to apply it are correct, and I am able to reproduce the behavior as well. You can add a timer pause/delay in the loop to mitigate the issue. I can raise this as an issue; however, you should also open a ticket with support on this issue yourself if the workaround is not sufficient.

    Hope that helps; please mark as answered and open a support case.

    ~Theo


    Wednesday, February 28, 2018 5:19 AM
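The following script is an added example, not code from the thread above or from Microsoft. It combines the workaround from the answer (a pause between creations) with the check a practitioner would want afterwards: a deny effect only acts at request time, so if a request slips past it, nothing corrects the resource later. The sweep lists the storage accounts in the resource group, flags any whose HTTPS-only setting is still false, and turns it on with Set-AzureRmStorageAccount. It assumes an existing AzureRm session with rights on the resource group; the resource group and account names reuse the question's values, and the five-second delay is an assumed figure to tune for your own environment.

```powershell
# Added example (not from the original thread). Assumes an authenticated AzureRm
# session and a resource group named test-rg, as in the question.
$resourceGroupName = "test-rg"
$delaySeconds      = 5   # assumed value; adjust for your environment

# Preventive control: the deny policy should reject every one of these requests.
# The Start-Sleep is the workaround from the answer above.
foreach ($currentRun in 1..10) {
    $storageAccountName   = "teststoragesma$currentRun"
    $storageCreationError = $null

    New-AzureRmStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName `
        -SkuName Standard_LRS -Location "North Europe" -Kind StorageV2 -AccessTier Cool `
        -EnableHttpsTrafficOnly $false -ErrorAction SilentlyContinue `
        -ErrorVariable storageCreationError | Out-Null

    if ($storageCreationError) {
        Write-Host "Storage $storageAccountName denied by policy (expected)"
    } else {
        Write-Warning "Storage $storageAccountName was created despite the deny policy"
    }

    Start-Sleep -Seconds $delaySeconds
}

# Detective/corrective control: find accounts the deny effect let through and
# switch them to HTTPS-only traffic. EnableHttpsTrafficOnly is the boolean
# property exposed on the objects Get-AzureRmStorageAccount returns.
$nonCompliant = Get-AzureRmStorageAccount -ResourceGroupName $resourceGroupName |
    Where-Object { -not $_.EnableHttpsTrafficOnly }

if (-not $nonCompliant) {
    Write-Host "All storage accounts in $resourceGroupName enforce HTTPS-only traffic"
}

foreach ($account in $nonCompliant) {
    Write-Warning "Remediating $($account.StorageAccountName): enabling HTTPS-only traffic"
    Set-AzureRmStorageAccount -ResourceGroupName $resourceGroupName `
        -Name $account.StorageAccountName -EnableHttpsTrafficOnly $true | Out-Null
}
```

Run the sweep on its own on a schedule if the delay workaround is not acceptable: it is the part that closes the gap the race condition opens, since it inspects the resulting resources rather than the requests that created them.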

All replies

  • Hello,

We will open a support case; we can't rely on a delay for our needs.

    Thank you

    Wednesday, February 28, 2018 12:21 PM