Hi,
I am currently working on a policy to control IP addresses that are allowed access to a Key Vault.
So far I have the policy successfully auditing the following:
Ensuring that the key vault firewall is switched on.
Restricting the IP addresses that are allowed access to the key vault.
The part where I am falling over is that I would also like to allow the list of IP addresses to be blank, but if I remove any existing IP addresses I am still denied, because an empty entry is not in the list of allowed IP addresses.
The policy I currently have is below:
"policyRule": {
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.KeyVault/vaults"
            },
            {
                "not": {
                    "field": "Microsoft.KeyVault/vaults/createMode",
                    "equals": "recover"
                }
            },
            {
                "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
                "notEquals": "Deny"
            },
            {
                "anyof": [
                    {
                        "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                        "notIn": "[[parameters('allowedIPAddresses')]"
                    },
                    {
                        "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules",
                        "notEquals": ""
                    }
                ]
            }
        ]
    },
    "then": {
        "effect": "[[parameters('effect')]"
    }
}
Does anybody know how to check if the field is empty?
Thanks
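An added example (not the poster's policy, and not an official Microsoft sample) showing the approach a practitioner would typically use for this: instead of comparing the ipRules array against "", the Azure Policy count expression with a where clause counts only the IP rules whose value is not in the allowed list, so an empty array (or an absent ipRules property) yields 0 and is compliant. The example also assumes the definition is deployed as a standalone policy definition, so parameter references are written as "[parameters(...)]" rather than the "[[parameters(...)]" escaping the posted rule uses (that doubling is only needed when the definition is embedded in an ARM template). The parameter names, displayName and default values are assumptions. Note that it also restructures the conditions as anyOf so that either failure on its own (firewall not set to Deny, or an IP rule outside the allowed list) triggers the effect, which matches the two audit goals described in the post; the posted rule combines those with allOf.

```json
{
  "properties": {
    "displayName": "Key Vault firewall enabled and IP rules limited to an allowed list (added example)",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Deny",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "metadata": {
          "displayName": "Effect",
          "description": "Assumed parameter name, matching the [parameters('effect')] reference in the posted rule."
        }
      },
      "allowedIPAddresses": {
        "type": "Array",
        "defaultValue": [],
        "metadata": {
          "displayName": "Allowed IP addresses",
          "description": "Assumed parameter: IPv4 addresses or CIDR ranges permitted as Key Vault IP rules. An empty list means the vault may have no IP rules at all."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "not": {
              "field": "Microsoft.KeyVault/vaults/createMode",
              "equals": "recover"
            }
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
                "notEquals": "Deny"
              },
              {
                "count": {
                  "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*]",
                  "where": {
                    "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                    "notIn": "[parameters('allowedIPAddresses')]"
                  }
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

The key point is the count condition: with no IP rules present the where clause matches nothing, the count is 0, "greater": 0 is false, and the vault is compliant, which is exactly the blank-list case the question is about. If you only want a direct emptiness test rather than the combined check, the same expression without the where clause, compared with "equals": 0, tells you whether the ipRules array is empty; a condition of "exists": "false" on the ipRules field covers the case where the property is missing entirely rather than present but empty. Before assigning with a Deny effect, assign it as Audit first and confirm a vault with defaultAction Deny and no IP rules shows as compliant.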