Merge pull request #271279 from davidsmatlak/ds-restructure-policy-effects-20240404

Restructure Azure Policy effect article

Author: American-Dipper

articles/governance/index.yml

@@ -11,7 +11,7 @@ metadata:
   ms.topic: hub-page
   author: davidsmatlak
   ms.author: davidsmatlak
-  ms.date: 01/05/2024
+  ms.date: 04/08/2024
 
 highlightedContent:
   items:
@@ -49,8 +49,8 @@ productDirectory:
           text: Azure Policy glossary
         - url: ./policy/concepts/definition-structure-basics.md
           text: Policy definition structure
-        - url: ./policy/concepts/effects.md
-          text: Azure Policy effects
+        - url: ./policy/concepts/effect-basics.md
+          text: Azure Policy effect
         - url: ./policy/index.yml
           text: See more >
     - title: Azure Blueprints

articles/governance/policy/.openpublishing.redirection.policy.json

@@ -814,6 +814,11 @@
       "source_path_from_root": "/articles/governance/policy/concepts/definition-structure.md",
       "redirect_url": "/azure/governance/policy/concepts/definition-structure-basics",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/governance/policy/concepts/effects.md",
+      "redirect_url": "/azure/governance/policy/concepts/effect-basics",
+      "redirect_document_id": false
     }
   ]
 }

articles/governance/policy/concepts/effect-add-to-network-group.md

@@ -0,0 +1,23 @@
+---
+title: Azure Policy definitions addToNetworkGroup effect
+description: Azure Policy definitions addToNetworkGroup effect determines how compliance is managed and reported.
+ms.date: 04/08/2024
+ms.topic: conceptual
+---
+
+# Azure Policy definitions addToNetworkGroup effect
+
+The `addToNetworkGroup` effect is used in Azure Virtual Network Manager to define dynamic network group membership. This effect is specific to `Microsoft.Network.Data` [policy mode](./definition-structure.md#resource-provider-modes) definitions only.
+
+With network groups, your policy definition includes your conditional expression for matching virtual networks meeting your criteria, and specifies the destination network group where any matching resources are placed. The `addToNetworkGroup` effect is used to place resources in the destination network group.
+
+To learn more, go to [Configuring Azure Policy with network groups in Azure Virtual Network Manager](../../../virtual-network-manager/concept-azure-policy-integration.md).
+
+## Next steps
+
+- Review examples at [Azure Policy samples](../samples/index.md).
+- Review the [Azure Policy definition structure](definition-structure-basics.md).
+- Understand how to [programmatically create policies](../how-to/programmatically-create.md).
+- Learn how to [get compliance data](../how-to/get-compliance-data.md).
+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
+- Review [Azure management groups](../../management-groups/overview.md).

articles/governance/policy/concepts/effect-append.md

@@ -0,0 +1,70 @@
+---
+title: Azure Policy definitions append effect
+description: Azure Policy definitions append effect determines how compliance is managed and reported.
+ms.date: 04/08/2024
+ms.topic: conceptual
+---
+
+# Azure Policy definitions append effect
+
+The `append` effect is used to add more fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource.
+
+> [!IMPORTANT]
+> `append` is intended for use with non-tag properties. While `append` can add tags to a resource during a create or update request, it's recommended to use the [modify](./effect-modify.md) effect for tags instead.
+
+## Append evaluation
+
+The `append` effect evaluates before the request gets processed by a Resource Provider during the creation or updating of a resource. Append adds fields to the resource when the `if` condition of the policy rule is met. If the append effect would override a value in the original request with a different value, then it acts as a deny effect and rejects the request. To append a new value to an existing array, use the `[*]` version of the alias.
+
+When a policy definition using the append effect is run as part of an evaluation cycle, it doesn't make changes to resources that already exist. Instead, it marks any resource that meets the `if` condition as non-compliant.
+
+## Append properties
+
+An append effect only has a `details` array, which is required. Because `details` is an array, it can take either a single `field/value` pair or multiples. Refer to [definition structure](./definition-structure-policy-rule.md#fields) for the list of acceptable fields.
+
+## Append examples
+
+Example 1: Single `field/value` pair using a non-`[*]` [alias](./definition-structure-alias.md) with an array `value` to set IP rules on a storage account. When the non-`[*]` alias is an array, the effect appends the `value` as the entire array. If the array already exists, a `deny` event occurs from the conflict.
+
+```json
+"then": {
+  "effect": "append",
+  "details": [
+    {
+      "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",
+      "value": [
+        {
+          "action": "Allow",
+          "value": "134.5.0.0/21"
+        }
+      ]
+    }
+  ]
+}
+```
+
+Example 2: Single `field/value` pair using an `[*]` [alias](./definition-structure-alias.md) with an array `value` to set IP rules on a storage account. When you use the `[*]` alias, the effect appends the `value` to a potentially pre-existing array. Arrays that don't exist are created.
+
+```json
+"then": {
+  "effect": "append",
+  "details": [
+    {
+      "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]",
+      "value": {
+        "value": "40.40.40.40",
+        "action": "Allow"
+      }
+    }
+  ]
+}
+```
+
+## Next steps
+
+- Review examples at [Azure Policy samples](../samples/index.md).
+- Review the [Azure Policy definition structure](definition-structure-basics.md).
+- Understand how to [programmatically create policies](../how-to/programmatically-create.md).
+- Learn how to [get compliance data](../how-to/get-compliance-data.md).
+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
+- Review [Azure management groups](../../management-groups/overview.md).

articles/governance/policy/concepts/effect-audit-if-not-exists.md

@@ -0,0 +1,108 @@
+---
+title: Azure Policy definitions auditIfNotExists effect
+description: Azure Policy definitions auditIfNotExists effect determines how compliance is managed and reported.
+ms.date: 04/08/2024
+ms.topic: conceptual
+---
+
+# Azure Policy definitions auditIfNotExists effect
+
+The `auditIfNotExists` effect enables auditing of resources _related_ to the resource that matches the `if` condition, but don't have the properties specified in the `details` of the `then` condition.
+
+## AuditIfNotExists evaluation
+
+`auditIfNotExists` runs after a Resource Provider processed a create or update resource request and returned a success status code. The audit occurs if there are no related resources or if the resources defined by `ExistenceCondition` don't evaluate to true. For new and updated resources, Azure Policy adds a `Microsoft.Authorization/policies/audit/action` operation to the activity log and marks the resource as non-compliant. When triggered, the resource that satisfied the `if` condition is the resource that is marked as non-compliant.
+
+## AuditIfNotExists properties
+
+The `details` property of the AuditIfNotExists effects has all the subproperties that define the related resources to match.
+
+- `type` (required)
+  - Specifies the type of the related resource to match.
+  - If `type` is a resource type underneath the `if` condition resource, the policy queries for resources of this `type` within the scope of the evaluated resource. Otherwise, policy queries within the same resource group or subscription as the evaluated resource depending on the `existenceScope`.
+- `name` (optional)
+  - Specifies the exact name of the resource to match and causes the policy to fetch one specific resource instead of all resources of the specified type.
+  - When the condition values for `if.field.type` and `then.details.type` match, then `name` becomes _required_ and must be `[field('name')]`, or `[field('fullName')]` for a child resource. However, an [audit](./effect-audit.md) effect should be considered instead.
+
+> [!NOTE]
+>
+> `type` and `name` segments can be combined to generically retrieve nested resources.
+>
+> To retrieve a specific resource, you can use `"type": "Microsoft.ExampleProvider/exampleParentType/exampleNestedType"` and `"name": "parentResourceName/nestedResourceName"`.
+>
+> To retrieve a collection of nested resources, a wildcard character `?` can be provided in place of the last name segment. For example, `"type": "Microsoft.ExampleProvider/exampleParentType/exampleNestedType"` and `"name": "parentResourceName/?"`. This can be combined with field functions to access resources related to the evaluated resource, such as `"name": "[concat(field('name'), '/?')]"`."
+
+- `resourceGroupName` (optional)
+  - Allows the matching of the related resource to come from a different resource group.
+  - Doesn't apply if `type` is a resource that would be underneath the `if` condition resource.
+  - Default is the `if` condition resource's resource group.
+- `existenceScope` (optional)
+  - Allowed values are _Subscription_ and _ResourceGroup_.
+  - Sets the scope of where to fetch the related resource to match from.
+  - Doesn't apply if `type` is a resource that would be underneath the `if` condition resource.
+  - For _ResourceGroup_, would limit to the resource group in `resourceGroupName` if specified. If `resourceGroupName` isn't specified, would limit to the `if` condition resource's resource group, which is the default behavior.
+  - For _Subscription_, queries the entire subscription for the related resource. Assignment scope should be set at subscription or higher for proper evaluation.
+  - Default is _ResourceGroup_.
+- `evaluationDelay` (optional)
+  - Specifies when the existence of the related resources should be evaluated. The delay is only
+    used for evaluations that are a result of a create or update resource request.
+  - Allowed values are `AfterProvisioning`, `AfterProvisioningSuccess`, `AfterProvisioningFailure`,
+    or an ISO 8601 duration between 0 and 360 minutes.
+  - The _AfterProvisioning_ values inspect the provisioning result of the resource that was
+    evaluated in the policy rule's `if` condition. `AfterProvisioning` runs after provisioning is
+    complete, regardless of outcome. Provisioning that takes more than six hours, is treated as a
+    failure when determining _AfterProvisioning_ evaluation delays.
+  - Default is `PT10M` (10 minutes).
+  - Specifying a long evaluation delay might cause the recorded compliance state of the resource to
+    not update until the next
+    [evaluation trigger](../how-to/get-compliance-data.md#evaluation-triggers).
+- `existenceCondition` (optional)
+  - If not specified, any related resource of `type` satisfies the effect and doesn't trigger the
+    audit.
+  - Uses the same language as the policy rule for the `if` condition, but is evaluated against
+    each related resource individually.
+  - If any matching related resource evaluates to true, the effect is satisfied and doesn't trigger
+    the audit.
+  - Can use [field()] to check equivalence with values in the `if` condition.
+  - For example, could be used to validate that the parent resource (in the `if` condition) is in
+    the same resource location as the matching related resource.
+
+## AuditIfNotExists example
+
+Example: Evaluates Virtual Machines to determine whether the Antimalware extension exists then audits when missing.
+
+```json
+{
+  "if": {
+    "field": "type",
+    "equals": "Microsoft.Compute/virtualMachines"
+  },
+  "then": {
+    "effect": "auditIfNotExists",
+    "details": {
+      "type": "Microsoft.Compute/virtualMachines/extensions",
+      "existenceCondition": {
+        "allOf": [
+          {
+            "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
+            "equals": "Microsoft.Azure.Security"
+          },
+          {
+            "field": "Microsoft.Compute/virtualMachines/extensions/type",
+            "equals": "IaaSAntimalware"
+          }
+        ]
+      }
+    }
+  }
+}
+```
+
+## Next steps
+
+- Review examples at [Azure Policy samples](../samples/index.md).
+- Review the [Azure Policy definition structure](definition-structure-basics.md).
+- Understand how to [programmatically create policies](../how-to/programmatically-create.md).
+- Learn how to [get compliance data](../how-to/get-compliance-data.md).
+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
+- Review [Azure management groups](../../management-groups/overview.md).

articles/governance/policy/concepts/effect-audit.md

@@ -0,0 +1,112 @@
+---
+title: Azure Policy definitions audit effect
+description: Azure Policy definitions audit effect determines how compliance is managed and reported.
+ms.date: 04/08/2024
+ms.topic: conceptual
+---
+
+# Azure Policy definitions audit effect
+
+The `audit` effect is used to create a warning event in the activity log when evaluating a non-compliant resource, but it doesn't stop the request.
+
+## Audit evaluation
+
+Audit is the last effect checked by Azure Policy during the creation or update of a resource. For a Resource Manager mode, Azure Policy then sends the resource to the Resource Provider. When evaluating a create or update request for a resource, Azure Policy adds a `Microsoft.Authorization/policies/audit/action` operation to the activity log and marks the resource as non-compliant. During a standard compliance evaluation cycle, only the compliance status on the resource is updated.
+
+## Audit properties
+
+For a Resource Manager mode, the audit effect doesn't have any other properties for use in the `then` condition of the policy definition.
+
+For a Resource Provider mode of `Microsoft.Kubernetes.Data`, the audit effect has the following subproperties of `details`. Use of `templateInfo` is required for new or updated policy definitions as `constraintTemplate` is deprecated.
+
+- `templateInfo` (required)
+  - Can't be used with `constraintTemplate`.
+  - `sourceType` (required)
+    - Defines the type of source for the constraint template. Allowed values: `PublicURL` or `Base64Encoded`.
+    - If `PublicURL`, paired with property `url` to provide location of the constraint template. The location must be publicly accessible.
+
+      > [!WARNING]
+      > Don't use SAS URIs, URL tokens, or anything else that could expose secrets in plain text.
+
+    - If `Base64Encoded`, paired with property `content` to provide the base 64 encoded constraint template. See [Create policy definition from constraint template](../how-to/extension-for-vscode.md) to create a custom definition from an existing [Open Policy Agent](https://www.openpolicyagent.org/) (OPA) Gatekeeper v3 [constraint template](https://open-policy-agent.github.io/gatekeeper/website/docs/howto/#constraint-templates).
+- `constraint` (deprecated)
+  - Can't be used with `templateInfo`.
+  - The CRD implementation of the Constraint template. Uses parameters passed via `values` as `{{ .Values.<valuename> }}`. In example 2 below, these values are    `{{ .Values.excludedNamespaces }}` and `{{ .Values.allowedContainerImagesRegex }}`.
+- `constraintTemplate` (deprecated)
+  - Can't be used with `templateInfo`.
+  - Must be replaced with `templateInfo` when creating or updating a policy definition.
+  - The Constraint template CustomResourceDefinition (CRD) that defines new Constraints. The template defines the Rego logic, the Constraint schema, and the Constraint parameters that are passed via `values` from Azure Policy. For more information, go to [Gatekeeper constraints](https://open-policy-agent.github.io/gatekeeper/website/docs/howto/#constraints).
+- `constraintInfo` (optional)
+  - Can't be used with `constraint`, `constraintTemplate`, `apiGroups`, `kinds`, `scope`, `namespaces`, `excludedNamespaces`, or `labelSelector`.
+  - If `constraintInfo` isn't provided, the constraint can be generated from `templateInfo` and policy.
+  - `sourceType` (required)
+    - Defines the type of source for the constraint. Allowed values: `PublicURL` or `Base64Encoded`.
+    - If `PublicURL`, paired with property `url` to provide location of the constraint. The location must be publicly accessible.
+
+      > [!WARNING]
+      > Don't use SAS URIs or tokens in `url` or anything else that could expose a secret.
+
+- `namespaces` (optional)
+  - An _array_ of
+    [Kubernetes namespaces](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
+    to limit policy evaluation to.
+  - An empty or missing value causes policy evaluation to include all namespaces not defined in _excludedNamespaces_.
+- `excludedNamespaces` (optional)
+  - An _array_ of [Kubernetes namespaces](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) to exclude from policy evaluation.
+- `labelSelector` (optional)
+  - An _object_ that includes _matchLabels_ (object) and _matchExpression_ (array) properties to allow specifying which Kubernetes resources to include for policy evaluation that matched the provided [labels and selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/).
+  - An empty or missing value causes policy evaluation to include all labels and selectors, except
+    namespaces defined in _excludedNamespaces_.
+- `scope` (optional)
+  - A _string_ that includes the [scope](https://open-policy-agent.github.io/gatekeeper/website/docs/howto/#the-match-field) property to allow specifying if cluster-scoped or namespaced-scoped resources are matched.
+- `apiGroups` (required when using _templateInfo_)
+  - An _array_ that includes the [API groups](https://kubernetes.io/docs/reference/using-api/#api-groups) to match. An empty array (`[""]`) is the core API group.
+  - Defining `["*"]` for _apiGroups_ is disallowed.
+- `kinds` (required when using _templateInfo_)
+  - An _array_ that includes the [kind](https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields)
+    of Kubernetes object to limit evaluation to.
+  - Defining `["*"]` for _kinds_ is disallowed.
+- `values` (optional)
+  - Defines any parameters and values to pass to the Constraint. Each value must exist and match a property in the validation `openAPIV3Schema` section of the Constraint template CRD.
+
+## Audit example
+
+Example 1: Using the audit effect for Resource Manager modes.
+
+```json
+"then": {
+  "effect": "audit"
+}
+```
+
+Example 2: Using the audit effect for a Resource Provider mode of `Microsoft.Kubernetes.Data`. The additional information in `details.templateInfo` declares use of `PublicURL` and sets `url` to the location of the Constraint template to use in Kubernetes to limit the allowed container images.
+
+```json
+"then": {
+  "effect": "audit",
+  "details": {
+    "templateInfo": {
+      "sourceType": "PublicURL",
+      "url": "https://store.policy.core.windows.net/kubernetes/container-allowed-images/v1/template.yaml",
+    },
+    "values": {
+      "imageRegex": "[parameters('allowedContainerImagesRegex')]"
+    },
+    "apiGroups": [
+      ""
+    ],
+    "kinds": [
+      "Pod"
+    ]
+  }
+}
+```
+
+## Next steps
+
+- Review examples at [Azure Policy samples](../samples/index.md).
+- Review the [Azure Policy definition structure](definition-structure-basics.md).
+- Understand how to [programmatically create policies](../how-to/programmatically-create.md).
+- Learn how to [get compliance data](../how-to/get-compliance-data.md).
+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
+- Review [Azure management groups](../../management-groups/overview.md).