articles/governance/policy/concepts/definition-structure-policy-rule.md
Lines changed: 1 addition & 1 deletion
@@ -633,7 +633,7 @@ The following functions are only available in policy rules:
-`field(fieldName)`
-`fieldName`: [Required] string - Name of the [field](./definition-structure-policy-rule.md#fields) to retrieve
- Returns the value of that field from the resource that is being evaluated by the If condition.
-
-`field` is primarily used with `auditIfNotExists` and `deployIfNotExists` to reference fields on the resource that are being evaluated. An example of this use can be seen in the [DeployIfNotExists example](effect-deploy-if-not-exists.md-example).
+
-`field` is primarily used with `auditIfNotExists` and `deployIfNotExists` to reference fields on the resource that are being evaluated. An example of this use can be seen in the [DeployIfNotExists example](effect-deploy-if-not-exists.md#deployifnotexists-example).
-`requestContext().apiVersion`
- Returns the API version of the request that triggered policy evaluation (example: `2021-09-01`). This value is the API version that was used in the PUT/PATCH request for evaluations on resource creation/update. The latest API version is always used during compliance evaluation on existing resources.
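Review bot: the link fix in this hunk is correct: the removed line points at `effect-deploy-if-not-exists.md-example`, which has no `#` between file name and fragment and so resolves to a file that does not exist, while the added line's `effect-deploy-if-not-exists.md#deployifnotexists-example` uses the same lowercase-slug fragment form as the other anchors in this commit (`#resource-provider-modes`, `#policy-functions`). Before merging, confirm that the heading in effect-deploy-if-not-exists.md really is "DeployIfNotExists example" so the slug resolves rather than silently landing at the top of the page.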
The `addToNetworkGroup` effect is used in Azure Virtual Network Manager to define dynamic network group membership. This effect is specific to `Microsoft.Network.Data`[policy mode](./definition-structure.md#resource-provider-modes) definitions only.
+
The `addToNetworkGroup` effect is used in Azure Virtual Network Manager to define dynamic network group membership. This effect is specific to `Microsoft.Network.Data`[policy mode](./definition-structure-basics.md#resource-provider-modes) definitions only.
With network groups, your policy definition includes your conditional expression for matching virtual networks meeting your criteria, and specifies the destination network group where any matching resources are placed. The `addToNetworkGroup` effect is used to place resources in the destination network group.
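Review bot: the file header and `@@` hunk line for this change are missing from the view, so the target file cannot be confirmed here; the edit itself only swaps `definition-structure.md#resource-provider-modes` for `definition-structure-basics.md#resource-provider-modes`, which matches the other link updates in this commit. Since the line is being touched anyway, add the missing space between `` `Microsoft.Network.Data` `` and `[policy mode]`; as written the rendered sentence runs the mode name straight into the link text.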
articles/governance/policy/concepts/effect-basics.md
Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@ The following list is some general guidance around interchangeable effects:
## Order of evaluation
-
Azure Policy's first evaluation is for requests to create or update a resource. Azure Policy creates a list of all assignments that apply to the resource and then evaluates the resource against each definition. For a [Resource Manager mode](./definition-structure.md#resource-manager-modes), Azure Policy processes several of the effects before handing the request to the appropriate Resource Provider. This order prevents unnecessary processing by a Resource Provider when a resource doesn't meet the designed governance controls of Azure Policy. With a [Resource Provider mode](./definition-structure.md#resource-provider-modes), the Resource Provider manages the evaluation and outcome and reports the results back to Azure Policy.
+
Azure Policy's first evaluation is for requests to create or update a resource. Azure Policy creates a list of all assignments that apply to the resource and then evaluates the resource against each definition. For a [Resource Manager mode](./definition-structure-basics.md#resource-manager-modes), Azure Policy processes several of the effects before handing the request to the appropriate Resource Provider. This order prevents unnecessary processing by a Resource Provider when a resource doesn't meet the designed governance controls of Azure Policy. With a [Resource Provider mode](./definition-structure-basics.md#resource-provider-modes), the Resource Provider manages the evaluation and outcome and reports the results back to Azure Policy.
-`disabled` is checked first to determine whether the policy rule should be evaluated.
-`append` and `modify` are then evaluated. Since either could alter the request, a change made might prevent an audit or deny effect from triggering. These effects are only available with a Resource Manager mode.
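Review bot: the removed and added line 39 differ only in the two link targets, both now pointing at `definition-structure-basics.md` (`#resource-manager-modes` and `#resource-provider-modes`), which is consistent with the rest of this commit. Verify that both headings exist in the new basics article: a markdown link with a missing fragment does not fail the build, it just renders as a link to the top of the page, so this is the kind of regression a link checker will not catch.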
articles/governance/policy/concepts/effect-modify.md
Lines changed: 7 additions & 7 deletions
@@ -7,13 +7,13 @@ ms.topic: conceptual
# Azure Policy definitions modify effect
-
The `modify` effect is used to add, update, or remove properties or tags on a subscription or resource during creation or update. Existing non-compliant resources can also be remediated with a [remediation task](../how-to/remediate-resources.md). Policy assignments with effect set as Modify require a [managed identity](../how-to/remediate-resources.md) to do remediation. A common example using `modify` effect is updating tags on resources such as 'costCenter'.
+
The `modify` effect is used to add, update, or remove properties or tags on a subscription or resource during creation or update. Existing non-compliant resources can also be remediated with a [remediation task](../how-to/remediate-resources.md). Policy assignments with effect set as Modify require a [managed identity](../how-to/remediate-resources.md) to do remediation. A common example using `modify` effect is updating tags on resources such as 'costCenter'.
There are some nuances in modification behavior for resource properties. Learn more about scenarios when modification is [skipped](#skipped-modification).
A single `modify` rule can have any number of operations. Supported operations are:
-
-_Add_, _replace_, or _remove_ resource tags. Only tags can be removed. For tags, a Modify policy should have [mode](./definition-structure.md#resource-manager-modes) set to `indexed` unless the target resource is a resource group.
+
-_Add_, _replace_, or _remove_ resource tags. Only tags can be removed. For tags, a Modify policy should have [mode](./definition-structure-basics.md#resource-manager-modes) set to `indexed` unless the target resource is a resource group.
-_Add_ or _replace_ the value of managed identity type (`identity.type`) of virtual machines and Virtual Machine Scale Sets. You can only modify the `identity.type` for virtual machines or Virtual Machine Scale Sets.
-_Add_ or _replace_ the values of certain aliases.
- Use `Get-AzPolicyAlias | Select-Object -ExpandProperty 'Aliases' | Where-Object { $_.DefaultMetadata.Attributes -eq 'Modifiable' }` in Azure PowerShell **4.6.0** or higher to get a list of aliases that can be used with `modify`.
@@ -26,7 +26,7 @@ A single `modify` rule can have any number of operations. Supported operations a
## Modify evaluation
-
Modify evaluates before the request gets processed by a Resource Provider during the creation or updating of a resource. The `modify` operations are applied to the request content when the `if` condition of the policy rule is met. Each `modify` operation can specify a condition that determines when it's applied.
+
Modify evaluates before the request gets processed by a Resource Provider during the creation or updating of a resource. The `modify` operations are applied to the request content when the `if` condition of the policy rule is met. Each `modify` operation can specify a condition that determines when it's applied.
When an alias is specified, more checks are performed to ensure that the `modify` operation doesn't change the request content in a way that causes the resource provider to reject it:
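Review bot: the removed and added line 29 (the Modify evaluation paragraph) are identical in this view, so this hunk carries no content change and is most likely trailing whitespace or a line-ending difference; consider reverting it so the commit contains only the link updates its summary describes.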
@@ -55,7 +55,7 @@ Modification of resource properties depends on the API request and the updated r
Imagine you apply a policy that modifies tags on a virtual machine (VM). Every time the VM is updated, such as during resizing or disk changes, the tags are updated accordingly regardless of the contents of the VM payload. This is because tags are independent of the VM properties.
-
However, if you apply a policy that modifies properties on a VM, modification is dependent on the resource payload. If you attempt to modify properties that are not included in the update payload, the modification will not take place. For instance, this can happen when patching the `assessmentMode` property of a VM (alias `Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.assessmentMode`). The property is "nested", so if its parent properties are not included in the request, this omission is assumed to be intentional and modification is skipped. For modification to take place, the resource payload should contain this context.
+
However, if you apply a policy that modifies properties on a VM, modification is dependent on the resource payload. If you attempt to modify properties that are not included in the update payload, the modification will not take place. For instance, this can happen when patching the `assessmentMode` property of a VM (alias `Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.assessmentMode`). The property is "nested", so if its parent properties are not included in the request, this omission is assumed to be intentional and modification is skipped. For modification to take place, the resource payload should contain this context.
## Modify properties
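Review bot: as with line 29 above, the removed and added line 58 (the skipped-modification paragraph about `assessmentMode`) show no visible difference, so this is another whitespace-only hunk that can be dropped; the paragraph's content is unchanged.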
@@ -75,7 +75,7 @@ The `details` property of the `modify` effect has all the subproperties that def
- An array of all tag operations to be completed on matching resources.
- Properties:
-`operation` (required)
-
- Defines what action to take on a matching resource. Options are: `addOrReplace`, `Add`, and `Remove`.
+
- Defines what action to take on a matching resource. Options are: `addOrReplace`, `Add`, and `Remove`.
-`Add` behaves similar to the [append](./effect-append.md) effect.
-`Remove` is only supported for resource tags.
-`field` (required)
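Review bot: line 78 is another removed/added pair with no visible difference (whitespace only). While this line is being touched, the option list `addOrReplace`, `Add`, and `Remove` mixes camelCase with capitalised names; if the `operation` values are matched case-insensitively, one consistent form (for example `addOrReplace`, `add`, `remove`) would stop readers from assuming the capitalisation is significant, and if they are case-sensitive the casing shown should be the one the service actually accepts.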
@@ -84,7 +84,7 @@ The `details` property of the `modify` effect has all the subproperties that def
- The value to set the tag to.
- This property is required if `operation` is _addOrReplace_ or _Add_.
-`condition` (optional)
-
- A string containing an Azure Policy language expression with [Policy functions](./definition-structure.md#policy-functions) that evaluates to _true_ or _false_.
+
- A string containing an Azure Policy language expression with [Policy functions](./definition-structure-policy-rule.md#policy-functions) that evaluates to _true_ or _false_.
- Doesn't support the following Policy functions: `field()`, `resourceGroup()`,
`subscription()`.
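Review bot: this hunk sends the `[Policy functions]` link to `definition-structure-policy-rule.md#policy-functions` rather than to the basics article used by the other hunks, which is the right split: the first file in this commit is definition-structure-policy-rule.md and its hunk header reads "The following functions are only available in policy rules", so the functions section lives there. The trailing context note that `condition` does not support `field()`, `resourceGroup()` or `subscription()` is unchanged and still accurate to the surrounding text.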
@@ -202,4 +202,4 @@ Example 3: Ensure that a storage account doesn't allow blob public access, the `
- Understand how to [programmatically create policies](../how-to/programmatically-create.md).
- Learn how to [get compliance data](../how-to/get-compliance-data.md).
- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
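Review bot: the hunk header `@@ -202,4 +202,4 @@` says one line in the Next steps region changed, but only the three unchanged context lines are shown here, so the seventh addition/deletion counted in this file's summary is not reviewable from this view; the three visible links (`programmatically-create.md`, `get-compliance-data.md`, `remediate-resources.md`) are untouched.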
Mutation is used in Azure Policy for Kubernetes to remediate Azure Kubernetes Service (AKS) cluster components, like pods. This effect is specific to _Microsoft.Kubernetes.Data_[policy mode](./definition-structure.md#resource-provider-modes) definitions only.
+
Mutation is used in Azure Policy for Kubernetes to remediate Azure Kubernetes Service (AKS) cluster components, like pods. This effect is specific to _Microsoft.Kubernetes.Data_[policy mode](./definition-structure-basics.md#resource-provider-modes) definitions only.
To learn more, go to [Understand Azure Policy for Kubernetes clusters](./policy-for-kubernetes.md).
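Review bot: the file header and `@@` line for this hunk are missing from the view, so the file name cannot be confirmed here; the change itself is the same `definition-structure.md#resource-provider-modes` to `definition-structure-basics.md#resource-provider-modes` swap made elsewhere in the commit. Same formatting nit as the `addToNetworkGroup` hunk: `_Microsoft.Kubernetes.Data_[policy mode]` has no space before the link, so the mode name and "policy mode" render as one run-on phrase.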
articles/governance/policy/concepts/exemption-structure.md
Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ ms.topic: conceptual
# Azure Policy exemption structure
-
The Azure Policy exemptions feature is used to _exempt_ a resource hierarchy or an individual resource from evaluation of initiatives or definitions. Resources that are _exempt_ count toward overall compliance, but can't be evaluated or have a temporary waiver. For more information, see [Understand applicability in Azure Policy](./policy-applicability.md). Azure Policy exemptions also work with the following [Resource Manager modes](./definition-structure.md#resource-manager-modes): `Microsoft.Kubernetes.Data`, `Microsoft.KeyVault.Data`, and `Microsoft.Network.Data`.
+
The Azure Policy exemptions feature is used to _exempt_ a resource hierarchy or an individual resource from evaluation of initiatives or definitions. Resources that are _exempt_ count toward overall compliance, but can't be evaluated or have a temporary waiver. For more information, see [Understand applicability in Azure Policy](./policy-applicability.md). Azure Policy exemptions also work with the following [Resource Manager modes](./definition-structure-basics.md#resource-manager-modes): `Microsoft.Kubernetes.Data`, `Microsoft.KeyVault.Data`, and `Microsoft.Network.Data`.
You use JavaScript Object Notation (JSON) to create a policy exemption. The policy exemption contains elements for:
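Review bot: the added line keeps the label "Resource Manager modes" and the `#resource-manager-modes` fragment for `Microsoft.Kubernetes.Data`, `Microsoft.KeyVault.Data`, and `Microsoft.Network.Data`, but the other hunks in this commit describe `Microsoft.Network.Data` and `Microsoft.Kubernetes.Data` as Resource Provider modes and link them to `#resource-provider-modes`. Since this line is already being rewritten, change it to `[Resource Provider modes](./definition-structure-basics.md#resource-provider-modes)` so the terminology and the anchor agree with the rest of the docs.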
articles/governance/policy/concepts/policy-as-code.md
Lines changed: 2 additions & 2 deletions
@@ -29,7 +29,7 @@ before it's too late and they're attempting to deploy in production.
Before getting into the details of Azure Policy as Code workflow, it's important to understand some fundamental concepts, like how to author policy definitions and initiative definitions, and how to leverage exemptions on assignments of those definitions:
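Review bot: this file's summary reports 2 additions and 2 deletions, but the hunk at `@@ -29,7 +29,7 @@` shows only a single unchanged context line, so the actual changed lines (presumably the definition and initiative links that follow this sentence) are not visible here and cannot be reviewed from this view.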
articles/governance/policy/concepts/regulatory-compliance.md
Lines changed: 2 additions & 2 deletions
@@ -11,7 +11,7 @@ Regulatory Compliance in Azure Policy provides built-in initiative definitions t
**controls** and **compliance domains** based on responsibility (_Customer_, _Microsoft_, _Shared_).
For Microsoft-responsible controls, we provide additional details of our audit results based on
third-party attestation and our implementation details to achieve that compliance.
-
Microsoft-responsible controls are of `policyType`[static](./definition-structure.md#policy-type).
+
Microsoft-responsible controls are of `policyType`[static](./definition-structure-basics.md#policy-type).
> [!NOTE]
> Regulatory Compliance is a Preview feature. For updated built-ins, the initiatives
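Review bot: the link retarget to `definition-structure-basics.md#policy-type` is consistent with the other hunks, but the added line still reads "are of `policyType`[static]" with no space between the code span and the link, which renders as one token; "have a `policyType` of [static](./definition-structure-basics.md#policy-type)" would read cleanly and keep the same link.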
@@ -60,7 +60,7 @@ compliance** tab provides a granular view of each resource that's evaluated by a
the currently viewed **control**.
> [!NOTE]
-
> An evaluation type of **Microsoft managed** is for a [static](./definition-structure.md#policy-type) policy definition `policyType`.
+
> An evaluation type of **Microsoft managed** is for a [static](./definition-structure-basics.md#policy-type) policy definition `policyType`.
:::image type="content" source="../media/regulatory-compliance/regulatory-compliance-policies.png" alt-text="Screenshot of the Regulatory Compliance details for the Boundary Protection control of the NIST SP 800-53 R4 built-in definition.":::
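Review bot: same `#policy-type` retarget as the hunk above, and the `>` blockquote prefix is preserved on the added line so the `[!NOTE]` block stays intact. Minor wording while the line is open: "is for a [static] policy definition `policyType`" puts the property name after the noun it qualifies; "is for policy definitions whose `policyType` is [static](./definition-structure-basics.md#policy-type)" says the same thing more directly.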