question

WendelinNiesl avatar image
0 Votes"
WendelinNiesl asked ·

[Azure Policy] Alias is not being recognized

Hello,

I'm trying to create policy for Azure API Management Named Values.
It seems that API Management has moved the naming for them from:

 Microsoft.ApiManagement/service/properties

to:

 Microsoft.ApiManagement/service/namedValues

And now I cannot access the displayName with this policy:

 {
   "mode": "All",
   "policyRule": {
       "if": {
         "allOf": [
           {
             "field": "type",
             "equals": "Microsoft.ApiManagement/service/namedValues"
           },
           {
             "not": {
               "anyOf": [
                 {
                   "field": "name",
                   "match": "...-...-"
                 },
                 {
                   "field": "Microsoft.ApiManagement/service/namedValues/displayName",
                   "like": "*"
                 }
               ]
             }
           }
         ]
       },
       "then": {
         "effect": "deny"
       }
   },
   "parameters": {    
   }
 }

Can someone check if this field is already included?

 Microsoft.ApiManagement/service/namedValues/displayName


Thanks and Best Regards!

Wendelin


azure-api-managementazure-policy
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

olufemiaMSFT avatar image
0 Votes"
olufemiaMSFT answered ·

Happy to help, Wendelin,

Mind sharing additional details on how/where you came across this? Very possible we are not looking at the same thing.


Checked internally and can confirm the alias is still: Microsoft.ApiManagement/service/properties/displayName .
I don't see any alias for /service/namedValues...

PS cmdlet used:

$temp = Get-AzPolicyAlias -Namespace 'Microsoft.ApiManagement'
$temp.aliases | Where-Object { $_.Name -like 'displayName' } | Select-Object -Property Name

Looking forward to your reply.

Cheers.

· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

WendelinNiesl avatar image
0 Votes"
WendelinNiesl answered ·

Hello and thanks for the fast response!

I've tried the Microsoft.ApiManagement/service/properties/displayName at first like f.e. this policy rule:

  "policyRule": {
       "if": {
         "allOf": [
           {
             "field": "type",
             "equals": "Microsoft.ApiManagement/service/properties"
           },
           {
             "not": {
               "anyOf": [
                 {
                   "field": "Microsoft.ApiManagement/service/properties/displayName",
                   "like": "APIM_*"
                 }
               ]
             }
           }
         ]
       },
       "then": {
         "effect": "deny"
       }
     }
   },

But as this didn't have any effect on resource creation, I've traced the HTTP Request which gets executed when creating a named value and found out that the resource is now:
Microsoft.ApiManagement/service/XXX/namedValues/123?api-version=2019-12-01-preview&asyncId=XXX&asyncCode=200

So I've changed the type to:
Microsoft.ApiManagement/service/namedValues
and at least I could create an effective policy for the "name" property.

As I wanted to check the "displayName", I've been looking for the respective displayName resource as follows:
Microsoft.ApiManagement/service/namedValues/displayName
but couldn't find it.

My main goal is to create a Regex expression which I hope will be available soon as per this link:
https://feedback.azure.com/forums/915958-azure-governance/suggestions/34148341-azure-policy-support-for-regex-in-match-conditio
that checks each named value before creation to have following format:
[A-Z0-9]+_.*

Thanks in advance!

BR

· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

olufemiaMSFT avatar image
0 Votes"
olufemiaMSFT answered ·

Thanks for sharing additional information. I agree there's certainly unexpected behavior - as you clearly outline above.
In order to fast-track a resolution, I suggest we redirect this issue to the technical support team for a deeper look.

Do you have an Azure support plan?

If yes, raise a support request using these steps including the details you shared above. If you do not have a support plan, send mail to AzCommunity@microsoft.com include your subscription ID and a link to this Q&A post (for context) and my team will help connect you with the Azure policy support channel.

Looking forward to your response.

Have a nice weekend.


· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.