[Azure Policy] Alias is not being recognized

Niesl, Wendelin 1 Reputation point
2020-06-24T12:12:58.537+00:00

Hello,

I'm trying to create policy for Azure API Management Named Values.
It seems that API Management has moved the naming for them from:

Microsoft.ApiManagement/service/properties

to:

Microsoft.ApiManagement/service/namedValues

And now I cannot access the displayName with this policy:

{
  "mode": "All",
  "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ApiManagement/service/namedValues"
          },
          {
            "not": {
              "anyOf": [
                {
                  "field": "name",
                  "match": "...-...-"
                },
                {
                  "field": "Microsoft.ApiManagement/service/namedValues/displayName",
                  "like": "*"
                }
              ]
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
  },
  "parameters": {    
  }
}

Can someone check if this field is already included?

Microsoft.ApiManagement/service/namedValues/displayName

Thanks and Best Regards!

Wendelin


3 answers

  1. olufemia-MSFT 2,861 Reputation points
    2020-06-25T14:23:16.94+00:00

    Happy to help, Wendelin,

    Mind sharing additional details on how/where you came across this? Very possible we are not looking at the same thing.

    Checked internally and can confirm the alias is still: Microsoft.ApiManagement/service/properties/displayName .
    I don't see any alias for /service/namedValues...

    PS cmdlet used:

    # List every policy alias in the namespace whose name contains 'displayName'
    $temp = Get-AzPolicyAlias -Namespace 'Microsoft.ApiManagement'
    $temp.aliases | Where-Object { $_.Name -like '*displayName*' } | Select-Object -Property Name

    Looking forward to your reply.

    Cheers.


  2. Niesl, Wendelin 1 Reputation point
    2020-06-25T16:55:37.967+00:00

    Hello and thanks for the fast response!

    I first tried Microsoft.ApiManagement/service/properties/displayName, for example with this policy rule:

    {
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.ApiManagement/service/properties"
            },
            {
              "not": {
                "anyOf": [
                  {
                    "field": "Microsoft.ApiManagement/service/properties/displayName",
                    "like": "APIM_*"
                  }
                ]
              }
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      }
    }

    But as this didn't have any effect on resource creation, I've traced the HTTP Request which gets executed when creating a named value and found out that the resource is now:
    Microsoft.ApiManagement/service/XXX/namedValues/123?api-version=2019-12-01-preview&asyncId=XXX&asyncCode=200

    So I've changed the type to:
    Microsoft.ApiManagement/service/namedValues
    and at least I could create an effective policy for the "name" property.

    As I wanted to check the "displayName", I've been looking for the respective displayName resource as follows:
    Microsoft.ApiManagement/service/namedValues/displayName
    but couldn't find it.

    My main goal is to create a Regex expression which I hope will be available soon as per this link:
    https://feedback.azure.com/forums/915958-azure-governance/suggestions/34148341-azure-policy-support-for-regex-in-match-conditio
    that checks each named value before creation to have the following format:
    [A-Z0-9]+_.*

    Thanks in advance!

    BR

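Why the `like` and `match` conditions used in the posts above cannot express the `[A-Z0-9]+_.*` format, as an added example that is not part of the thread. `policy_like` and `policy_match` are hypothetical helpers that emulate the documented operator semantics offline (treating `?` as an ASCII letter is an assumption), and the sample display names are constructed.

```python
import re

# Naming rule quoted in the post above.
NAMING_RULE = re.compile(r"[A-Z0-9]+_.*")


def policy_like(value: str, pattern: str) -> bool:
    """Azure Policy 'like': case-insensitive, at most one '*' wildcard."""
    if pattern.count("*") > 1:
        raise ValueError("'like' accepts at most one '*' wildcard")
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def policy_match(value: str, pattern: str) -> bool:
    """Azure Policy 'match': case-sensitive, one pattern char per value char.
    '#' is a digit, '?' a letter, '.' any character, anything else itself."""
    classes = {"#": "[0-9]", "?": "[A-Za-z]", ".": "."}  # '?' as ASCII: assumption
    regex = "".join(classes.get(ch, re.escape(ch)) for ch in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def compare(display_names):
    """Per name: (required by the regex, accepted by like 'APIM_*')."""
    return {
        name: (NAMING_RULE.fullmatch(name) is not None,
               policy_like(name, "APIM_*"))
        for name in display_names
    }


# Constructed sample display names, not taken from the thread.
SAMPLE = ["APIM_backend_url", "DB2_conn", "apim_key", "backend-url", "_secret"]

if __name__ == "__main__":
    for name, (wanted, like_ok) in compare(SAMPLE).items():
        print(f"{name:18} regex={wanted!s:5} like={like_ok}")
```

The two checks disagree on `DB2_conn` (valid prefix that `like "APIM_*"` rejects) and on `apim_key` (lowercase prefix that the case-insensitive `like` accepts), and `match` cannot close the gap because its patterns have a fixed length.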

  3. olufemia-MSFT 2,861 Reputation points
    2020-06-27T22:13:27.177+00:00

    Thanks for sharing additional information. I agree there's certainly unexpected behavior - as you clearly outline above.
    In order to fast-track a resolution, I suggest we redirect this issue to the technical support team for a deeper look.

    Do you have an Azure support plan?

    If yes, raise a support request using these steps, including the details you shared above. If you do not have a support plan, send mail to AzCommunity@microsoft.com, including your subscription ID and a link to this Q&A post (for context), and my team will help connect you with the Azure policy support channel.

    Looking forward to your response.

    Have a nice weekend.
