Azure Machine Learning CMK policy bug
Situation
Across the Azure tenant the following built-in policy is enabled: "Azure Machine Learning workspaces should be encrypted with a customer-managed key".
Since AI Studio went GA, it uses the same resource provider and resource type as ML Studio, namely "Microsoft.MachineLearningServices/workspaces@version", and differentiates the workspace flavours on the property "kind" as follows:
- ML Studio (kind: "default")
- AI Hub (kind: "hub")
- AI Project (kind: "project")
Azure engineers want to provision all three types. Everything is fine for ML Studio and AI Hub, because for those two they can define encryption as follows (Bicep snippet):
encryption: {
  status: 'Enabled'
  keyVaultProperties: {
    keyVaultArmId: keyvault.id
    keyIdentifier: keyvault::key.properties.keyUriWithVersion
  }
}
Error
Because the policy is not specific to ML Studio and AI Hub, it forces the AI Project to contain these properties as well:
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.MachineLearningServices/workspaces"
      },
      {
        "not": {
          "field": "Microsoft.MachineLearningServices/workspaces/encryption.status",
          "equals": "enabled"
        }
      }
    ]
  },
Solution
Update the built-in policy so that it only applies to the ML Studio and AI Hub kinds, or create two policies that target ML Studio and AI Hub separately. The rule below excludes the "project" kind; because kind is a top-level policy field rather than a property of the resource, it is referenced as "field": "kind" and not through a property alias.
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.MachineLearningServices/workspaces"
      },
      {
        "not": {
          "field": "kind",
          "equals": "project"
        }
      },
      {
        "not": {
          "field": "Microsoft.MachineLearningServices/workspaces/encryption.status",
          "equals": "enabled"
        }
      }
    ]
  },
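To check the rule logic before assigning the policy, here is an added Python example (not from the original post and not Azure's own engine) that evaluates the built-in rule and the narrowed rule over constructed sample workspaces. It implements only the allOf / not / field-equals subset of Azure Policy syntax used on this page; the resource objects and their names are constructed for the example.

```python
"""Mini evaluator for the allOf / not / field-equals subset of Azure Policy
rule syntax used above. Constructed for illustration, not the real engine."""

WS_TYPE = "Microsoft.MachineLearningServices/workspaces"

def resolve_field(resource: dict, field: str):
    """Top-level fields (type, kind, name) are read directly; a property alias
    such as '<WS_TYPE>/encryption.status' is read from 'properties' by the
    dotted path that follows the resource type."""
    if "/" not in field:
        return resource.get(field)
    value = resource.get("properties", {})
    for part in field.split("/", 2)[-1].split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value

def evaluate(cond: dict, resource: dict) -> bool:
    """True when the resource matches the condition, i.e. is non-compliant."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    if "field" in cond and "equals" in cond:
        actual = resolve_field(resource, cond["field"])
        # Azure Policy "equals" on strings is case-insensitive ("Enabled" == "enabled").
        return actual is not None and str(actual).lower() == str(cond["equals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")

IS_WORKSPACE = {"field": "type", "equals": WS_TYPE}
NOT_ENCRYPTED = {"not": {"field": f"{WS_TYPE}/encryption.status", "equals": "enabled"}}
NOT_PROJECT = {"not": {"field": "kind", "equals": "project"}}
BUILTIN_RULE = {"allOf": [IS_WORKSPACE, NOT_ENCRYPTED]}               # rule as shipped
FIXED_RULE = {"allOf": [IS_WORKSPACE, NOT_PROJECT, NOT_ENCRYPTED]}    # rule with the kind exclusion

def workspace(name: str, kind: str, cmk: bool) -> dict:
    """Constructed sample workspace carrying only the fields the rules inspect."""
    props = {"encryption": {"status": "Enabled"}} if cmk else {}
    return {"name": name, "type": WS_TYPE, "kind": kind, "properties": props}

# Constructed inventory: two compliant workspaces, the AI Project that cannot
# set CMK, and a hub that simply forgot to enable it.
SAMPLE = [workspace("ml-default", "default", True), workspace("ai-hub", "hub", True),
          workspace("ai-project", "project", False), workspace("bad-hub", "hub", False)]

def non_compliant(rule: dict, resources: list) -> list:
    """Names of the resources the rule would flag (audit) or block (deny)."""
    return sorted(r["name"] for r in resources if evaluate(rule, r))
```

The built-in rule flags both the project and the unencrypted hub, while the narrowed rule flags only the unencrypted hub, so the exclusion does not weaken coverage for the kinds that support CMK.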