azure-policy
Azure Policy does not support DNS Security Policies
Details of the scenario you tried and the problem that is occurring
When writing an Azure policy that applies to a DNS Security Policy (Microsoft.Network/dnsResolverPolicies), the policy does not evaluate and no resource is found.
Example:
{
    "mode": "All",
    "policyRule": {
        "if": {
            "field": "type",
            "equals": "Microsoft.Network/dnsResolverPolicies"
        },
        "then": {
            "effect": "audit"
        }
    }
}
Microsoft also provides several built-in policies for this resource type that do not evaluate resources.
❯ az policy definition list --query "[?policyType=='BuiltIn' && contains(@.to_string(@), 'dnsresolverpolicies')].[displayName, name]" --output table
Column1 Column2
------------------------------------------------------------------------------------------- ------------------------------------
Enable logging by category group for microsoft.network/dnsresolverpolicies to Event Hub 0fdc6116-c747-449c-b9cc-330fcd4c5c9c
Enable logging by category group for microsoft.network/dnsresolverpolicies to Storage b79bf56e-c296-4829-afea-6ac9263e7687
Enable logging by category group for microsoft.network/dnsresolverpolicies to Log Analytics dc1b5908-da05-4eed-a988-c5e32fdb682d
Verbose logs showing the problem
No resources are evaluated, so there are no logs to be found.
Suggested solution to the issue
The Microsoft.Network/dnsResolverPolicies resource type should be evaluated by Azure Policy like any other Azure resource.
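A way to reproduce the report and measure the gap on a subscription you own, added here as an example; it is not part of the issue and not Microsoft's own tooling. It creates the audit-only definition from the issue, assigns it at subscription scope, forces a compliance scan, and then compares the number of dnsResolverPolicies resources ARM returns with the number of Policy Insights compliance records for that type: resources present but zero records is the symptom described above. It assumes the Azure CLI is installed and logged in, that Policy Insights stores ResourceType in lowercase (the same spelling the built-in policy names use), and the definition name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the issue: reproduce the report and check whether
# Azure Policy records any evaluation for the resource type.
# Assumes: Azure CLI installed and logged in; DEFINITION_NAME is a placeholder.
set -eu

RESOURCE_TYPE="Microsoft.Network/dnsResolverPolicies"
DEFINITION_NAME="audit-dns-resolver-policies-repro"   # placeholder name

# Emit the audit-only policy rule from the issue (the policyRule part of the
# definition; --mode All is passed separately to the CLI).
policy_rule_json() {
  cat <<'EOF'
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Network/dnsResolverPolicies"
  },
  "then": {
    "effect": "audit"
  }
}
EOF
}

# Build the Policy Insights OData filter for one resource type. Assumption:
# policy state records store ResourceType in lowercase, so the type is
# lowercased before comparison.
type_filter() {
  lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  printf "ResourceType eq '%s'" "$lc"
}

# Count resources of the type ARM knows about versus the number of compliance
# records Policy Insights holds for them. ARM > 0 with records = 0 is the
# behaviour the issue describes.
run_check() {
  sub=$(az account show --query id -o tsv)
  scope="/subscriptions/$sub"

  policy_rule_json > /tmp/rule.json
  az policy definition create --name "$DEFINITION_NAME" --mode All \
    --rules /tmp/rule.json \
    --display-name "Audit DNS security policies (repro)" >/dev/null
  az policy assignment create --name "$DEFINITION_NAME" \
    --policy "$DEFINITION_NAME" --scope "$scope" >/dev/null

  # Force an evaluation instead of waiting for the periodic scan.
  az policy state trigger-scan >/dev/null

  arm_count=$(az resource list --resource-type "$RESOURCE_TYPE" \
    --query 'length(@)' -o tsv)
  state_count=$(az policy state list \
    --filter "$(type_filter "$RESOURCE_TYPE")" --query 'length(@)' -o tsv)

  echo "ARM resources of type $RESOURCE_TYPE: $arm_count"
  echo "Policy state records for that type:  $state_count"
}

# Run only when explicitly requested, so sourcing the file has no side effects.
if [ "${RUN_AZ_CHECK:-0}" = "1" ]; then
  run_check
fi
```

Run with `RUN_AZ_CHECK=1 sh check.sh`. The assignment and definition are left in place so the compliance view in the portal can be inspected afterwards; delete them with `az policy assignment delete` and `az policy definition delete` when done.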