Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Deny-VNET-Peering-To-Non-Approved-VNETs prevent deployment of isolated vNet #1657

Open lodrantl opened 3 months ago

lodrantl commented 3 months ago

Describe the bug

When the Deny-VNET-Peering-To-Non-Approved-VNETs policy with action Deny is applied on a subscription, you cannot create a new vNet without any peerings in that subscription.

Steps to reproduce

  1. Apply Deny-VNET-Peering-To-Non-Approved-VNETs on a subscription
  2. Attempt to deploy an empty vnet

Terraform code for vNET:

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-test"
  address_space       = ["10.172.16.0/24"]
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

Deployment error

[
  {
    "info": {
      "evaluationDetails": {
        "evaluatedExpressions": [
          {
            "expression": "type",
            "expressionKind": "Field",
            "expressionValue": "Microsoft.Network/virtualNetworks",
            "operator": "Equals",
            "path": "type",
            "result": "True",
            "targetValue": "Microsoft.Network/virtualNetworks"
          },
          {
            "expression": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id",
            "expressionKind": "Field",
            "operator": "In",
            "path": "properties.VirtualNetworkPeerings[*].properties.remoteVirtualNetwork.id",
            "result": "False",
            "targetValue": []
          },
          {
            "expression": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id",
            "expressionKind": "Field",
            "operator": "Exists",
            "path": "properties.VirtualNetworkPeerings[*].properties.remoteVirtualNetwork.id",
            "result": "False",
            "targetValue": "False"
          }
        ],
        "reason": "This resource must be compliant with the assigned policy."
      },
      "policyAssignmentDisplayName": "Prevent vnet peering",
      "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/canary-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-VNET-Peering",
      "policyAssignmentName": "Deny-VNET-Peering",
      "policyAssignmentParameters": {
        "allowedVnets": [],
        "effect": "Deny"
      },
      "policyAssignmentScope": "/providers/Microsoft.Management/managementGroups/canary-landing-zones",
      "policyDefinitionDisplayName": "Deny vNet peering to non-approved vNets",
      "policyDefinitionEffect": "Deny",
      "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/canary/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peering-To-Non-Approved-VNETs",
      "policyDefinitionName": "Deny-VNET-Peering-To-Non-Approved-VNETs",
      "policyExemptionIds": []
    },
    "type": "PolicyViolation"
  }
]

If policy is set to Audit, the isolated vNet is marked as compliant.

https://github.com/lodrantl/Enterprise-Scale/commit/4d6d6e9632720c57fb04230e8809b586e166267a could possibly fix the issue, but I am not certain if it changes the way the policy was meant to work.

anttonalkio commented 3 months ago

We encountered the same problem, and it caused us a lot of headaches at first. I don't know if this workaround works with Terraform, but at least in Bicep, if you explicitly define an empty array for virtualNetworkPeerings, the policy stops complaining:

resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: 'test-vnet'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    virtualNetworkPeerings: [

    ]
  }
}
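
The same empty-array workaround expressed for Terraform, as an added example that is not from the issue thread or the Enterprise-Scale project: it uses the azapi provider's azapi_resource (2.x object-style body assumed), because azurerm_virtual_network manages peerings as separate resources and cannot emit the virtualNetworkPeerings property itself. Whether the policy accepts this when deployed from Terraform is an assumption to verify, as anttonalkio notes for Terraform above.

```hcl
# Added example: azapi_resource sends the raw ARM body, so the
# virtualNetworkPeerings property can be set to an explicit empty array,
# mirroring the Bicep workaround. Resource group and provider config assumed.
resource "azapi_resource" "vnet" {
  type      = "Microsoft.Network/virtualNetworks@2023-11-01"
  name      = "vnet-test"
  location  = azurerm_resource_group.rg.location
  parent_id = azurerm_resource_group.rg.id

  body = {
    properties = {
      addressSpace = {
        addressPrefixes = ["10.172.16.0/24"]
      }
      # Explicit empty array: the policy's In/Exists checks on
      # virtualNetworkPeerings[*].remoteVirtualNetwork.id then evaluate
      # against a present, empty collection rather than an absent property,
      # which is what the Bicep workaround relies on.
      virtualNetworkPeerings = []
    }
  }
}
```
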

Springstone commented 3 months ago

@lodrantl and @anttonalkio just to let you know, a bug has been detected in policy enforcement that is impacting this specific policy. Engineering is working on addressing the issue and we'll keep you posted.

Springstone commented 2 months ago

@lodrantl and @anttonalkio, is this still an issue? A fix was published that addressed this particular policy behavior.