Problem
I’m completely perplexed by policy arm deployment, and I’m hoping that someone can assist me in resolving this problem.
I’d like to have a policy in place that prevents database deployment depending on the user’s Sku.name.
Right now, I’d like to allow the construction of Standard or Basic databases while denying all other SKUs.
I’ve got this JSON configuration, but it just works in part.
{
  "properties": {
    "displayName": "Not allowed resource types",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy enables you to specify the resource types that your organization cannot deploy.",
    "parameters": {
      "listOfAllowedSKUs": {
        "type": "Array",
        "metadata": {
          "description": "The list of resource types that cannot be deployed.",
          "displayName": "Not allowed resource types",
          "strongType": "resourceTypes"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": "[parameters('listOfAllowedSKUs')]"
      },
      "then": {
        "effect": "Deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
}
parameters:
{
  "listOfAllowedSKUs": {
    "type": "Array",
    "allowedValues": [
      "Standard",
      "Basic"
    ],
    "metadata": {
      "displayName": "Allowed SKUs",
      "description": "The list of SKUs that can be specified for databases."
    }
  }
}
and the rules:
{
  "if": {
    "not": {
      "field": "Microsoft.Sql/servers/databases/sku.name",
      "in": "[parameters('listOfAllowedSKUs')]"
    }
  },
  "then": {
    "effect": "deny"
  }
}
When I deploy this policy, I can only deploy the Basic Sku; all others, including Standard, are denied.
How can I allow both Basic and Standard to be created?
Thank you so much to anyone who will take the time to explain this to me.
Asked by Nayden Van
Solution #1
Observing the documentation:
In your instance, you’ll need to filter by SKU tier. The name and tier for Basic are the same. The tier for Standard is Standard, although the name can be anything from S1 through S12.
{
  "if": {
    "not": {
      "field": "Microsoft.Sql/servers/databases/sku.tier",
      "in": "[parameters('listOfAllowedSKUs')]"
    }
  },
  "then": {
    "effect": "deny"
  }
}
Answered by Thomas
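The difference between the sku.name rule and the sku.tier rule, as an added example that is not part of the original post and is not Azure's policy engine: a simplified Python model of the `not` / `field` / `in` condition, run over constructed database SKUs. The sample SKU entries and all function names are assumptions made for illustration.

```python
# Simplified model of the policy "if" condition used on this page
# (illustration only; not how Azure Policy is implemented).
ALIAS_PREFIX = "Microsoft.Sql/servers/databases/"
ALLOWED = ["Standard", "Basic"]  # value assigned to listOfAllowedSKUs

# Constructed sample resources: name and tier match only for Basic.
DATABASES = [
    {"sku": {"name": "Basic", "tier": "Basic"}},
    {"sku": {"name": "S1", "tier": "Standard"}},
    {"sku": {"name": "S3", "tier": "Standard"}},
    {"sku": {"name": "P1", "tier": "Premium"}},
]

def resolve(resource, alias):
    """Map an alias such as .../sku.tier onto the resource's properties."""
    value = resource
    for part in alias[len(ALIAS_PREFIX):].split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value

def condition(cond, resource, params):
    """Evaluate the operators the page's rules use: not, field + in."""
    if "not" in cond:
        return not condition(cond["not"], resource, params)
    value = resolve(resource, cond["field"])
    # The "in" value is the parameter reference; substitute the assigned list.
    allowed = params if cond["in"].startswith("[parameters(") else cond["in"]
    # String comparison for "in" is modelled as case-insensitive.
    return value is not None and value.lower() in [a.lower() for a in allowed]

def rule(field):
    """Build the deny rule from the page for the given SKU property."""
    return {"if": {"not": {"field": ALIAS_PREFIX + field,
                           "in": "[parameters('listOfAllowedSKUs')]"}},
            "then": {"effect": "deny"}}

def denied(field, resources=DATABASES, params=ALLOWED):
    """Return the SKU names the rule would deny."""
    r = rule(field)
    return [d["sku"]["name"] for d in resources
            if condition(r["if"], d, params)]

if __name__ == "__main__":
    print("sku.name rule denies:", denied("sku.name"))
    print("sku.tier rule denies:", denied("sku.tier"))
```

With the name-based rule every Standard database is denied because its sku.name (S1, S3, ...) never equals "Standard"; with the tier-based rule only the Premium entry is denied.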
Post is based on https://stackoverflow.com/questions/69154583/azure-arm-policy-deployment-deny-specific-sku-name