Details of the scenario you tried and the problem that is occurring
The following policies included in this initiative support a "Deny" effect in their own definitions, but "Deny" can't be used when assigning the Microsoft Cloud Security Benchmark initiative (policy set definition 1f3afdf9-d0c9-4c3d-847f-89da613e70a8), because the initiative's effect parameters only allow "Audit" and "Disabled". An assignment that passes "Deny" to New-AzManagementGroupDeployment is therefore rejected with PolicyParameterValueNotAllowed (logs below).
Container registries should not allow unrestricted network access - https://www.azadvertizer.net/azpolicyadvertizer/d0793b48-0edc-4296-a390-4c75d1bdfd71.html
Public network access should be disabled for PostgreSQL servers - https://www.azadvertizer.net/azpolicyadvertizer/b52376f7-9612-48a1-81cd-1ffe4b61032c.html
Public network access should be disabled for MySQL servers - https://www.azadvertizer.net/azpolicyadvertizer/d9844e8a-1437-4aeb-a32c-0c992f056095.html
Public network access should be disabled for MariaDB servers - https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html
Azure Key Vault should have firewall enabled - https://www.azadvertizer.net/azpolicyadvertizer/55615ac9-af46-4a59-874e-391cc3dfb490.html
Verbose logs showing the problem
The value 'Deny'
| is not allowed for policy parameter
| 'firewallShouldBeEnabledOnKeyVaultMonitoringEffect' in policy definition
| '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed values are 'Audit,
| Disabled'.
New-AzManagementGroupDeployment: /home/vsts/work/1/s/pipeline-scripts/Deploy-ALZPolicyAssignments.ps1:29
Line |
29 | New-AzManagementGroupDeployment @inputObject
| ~~~~~~~~~~~~
| 11:11:23 - The deployment
| 'alz-PolicyAssignmentsDeployment-20231207T1112568206Z' failed with
| error(s). Showing 2 out of 2 error(s). Status Message: The value 'Deny'
| is not allowed for policy parameter
| 'containerRegistriesShouldNotAllowUnrestrictedNetworkAccessMonitoringEffect'
| in policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed
| values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed)
| Status Message: At least one resource deployment operation failed.
| Please list deployment operations for details. Please see
| https://aka.ms/arm-deployment-operations for usage details. (Code:
| DeploymentFailed) - The value 'Deny' is not allowed for policy
| parameter
| 'containerRegistriesShouldNotAllowUnrestrictedNetworkAccessMonitoringEffect'
| in policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed
| values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed)
| CorrelationId: ca910fe7-1b99-4e90-9700-c2ee10f5d266
[error]PowerShell exited with code '1'.
New-AzManagementGroupDeployment: /home/vsts/work/1/s/pipeline-scripts/Deploy-ALZPolicyAssignments.ps1:29
Line |
29 | New-AzManagementGroupDeployment @inputObject
| ~~~~~~~~~~~~
| 13:26:20 - The deployment
| 'alz-PolicyAssignmentsDeployment-20231207T1312599552Z' failed with
| error(s). Showing 2 out of 2 error(s). Status Message: The value 'Deny'
| is not allowed for policy parameter
| 'publicNetworkAccessShouldBeDisabledForMySqlServersMonitoringEffect' in
| policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed
| values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed)
| Status Message: At least one resource deployment operation failed.
| Please list deployment operations for details. Please see
| https://aka.ms/arm-deployment-operations for usage details. (Code:
| DeploymentFailed) - The value 'Deny' is not allowed for policy
| parameter
| 'publicNetworkAccessShouldBeDisabledForMySqlServersMonitoringEffect' in
| policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed
| values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed)
| CorrelationId: c079c8d6-6899-4119-90bd-064b765ed42c
New-AzManagementGroupDeployment: /home/vsts/work/1/s/pipeline-scripts/Deploy-ALZPolicyAssignments.ps1:29
Line |
29 | New-AzManagementGroupDeployment @inputObject
| ~~~~~~~~~~~~
| 13:08:31 - The deployment
| 'alz-PolicyAssignmentsDeployment-20231207T1312092717Z' failed with
| error(s). Showing 2 out of 2 error(s). Status Message: The value 'Deny'
| is not allowed for policy parameter
| 'publicNetworkAccessShouldBeDisabledForMariaDbServersMonitoringEffect'
| in policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed
| values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed)
| Status Message: At least one resource deployment operation failed.
| Please list deployment operations for details. Please see
| https://aka.ms/arm-deployment-operations for usage details. (Code:
| DeploymentFailed) - The value 'Deny' is not allowed for policy
| parameter
| 'publicNetworkAccessShouldBeDisabledForMariaDbServersMonitoringEffect'
| in policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed
| values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed)
| CorrelationId: 9e16204a-ad06-4aae-bba8-c6c13e6d719a
New-AzManagementGroupDeployment: /home/vsts/work/1/s/pipeline-scripts/Deploy-ALZPolicyAssignments.ps1:29
Line |
29 | New-AzManagementGroupDeployment @inputObject
| ~~~~~~~~~~~~
| 15:04:19 - The deployment
| 'alz-PolicyAssignmentsDeployment-20231207T1512540731Z' failed with
| error(s). Showing 2 out of 2 error(s). Status Message: The value 'Deny'
| is not allowed for policy parameter
| 'publicNetworkAccessShouldBeDisabledForPostgreSqlServersMonitoringEffect'
| in policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed
| values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed)
| Status Message: At least one resource deployment operation failed.
| Please list deployment operations for details. Please see
| https://aka.ms/arm-deployment-operations for usage details. (Code:
| DeploymentFailed) - The value 'Deny' is not allowed for policy
| parameter
| 'publicNetworkAccessShouldBeDisabledForPostgreSqlServersMonitoringEffect'
| in policy definition '1f3afdf9-d0c9-4c3d-847f-89da613e70a8'. The allowed
| values are 'Audit, Disabled'. (Code:PolicyParameterValueNotAllowed)
| CorrelationId: 6a5ac4fc-dae3-415b-a14b-cdd5b0b10858
Suggested solution to the issue
Update the "allowedValues" list of the initiative's effect parameters for these policies to include "Deny", so that the assignment parameters can select the effect the underlying policy definitions already support.
Alternatively, review PR: https://github.com/Azure/azure-policy/pull/1252
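A pre-flight check for this failure, written here as an added example and not taken from this issue, the ALZ pipeline scripts or the azure-policy repository: it mirrors the PolicyParameterValueNotAllowed check that New-AzManagementGroupDeployment reports, flags initiative effect parameters whose allowedValues are narrower than the policy definition they feed, and applies the allowedValues fix. It runs offline against constructed JSON excerpts shaped like the MCSB parameters; the excerpt contents, the function names (Test-AssignmentParameters, Find-NarrowedEffects, Add-AllowedValue) and the assumption that the two sample definitions allow Audit/Deny/Disabled are the example's own.

```powershell
# Added example, not code from this issue or from the Enterprise-Scale / azure-policy repositories.
# All JSON below is constructed for the example; only its shape is real Azure Policy syntax.

# Constructed excerpt of an initiative (policy set) in the shape of the MCSB parameters:
# the effect parameters only allow Audit/Disabled.
$initiative = @'
{
  "parameters": {
    "firewallShouldBeEnabledOnKeyVaultMonitoringEffect": {
      "type": "String", "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit"
    },
    "publicNetworkAccessShouldBeDisabledForMySqlServersMonitoringEffect": {
      "type": "String", "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit"
    }
  },
  "policyDefinitions": [
    {
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
      "parameters": { "effect": { "value": "[parameters('firewallShouldBeEnabledOnKeyVaultMonitoringEffect')]" } }
    },
    {
      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095",
      "parameters": { "effect": { "value": "[parameters('publicNetworkAccessShouldBeDisabledForMySqlServersMonitoringEffect')]" } }
    }
  ]
}
'@ | ConvertFrom-Json

# Constructed: the "effect" allowedValues of the two referenced definitions (Key Vault firewall, MySQL public access).
$definitionEffects = @{
  '/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490' = @('Audit', 'Deny', 'Disabled')
  '/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095' = @('Audit', 'Deny', 'Disabled')
}

# Assignment parameter values as the pipeline would pass them (the failing case).
$assignmentParameters = @{
  firewallShouldBeEnabledOnKeyVaultMonitoringEffect                  = 'Deny'
  publicNetworkAccessShouldBeDisabledForMySqlServersMonitoringEffect = 'Deny'
}

function Test-AssignmentParameters {
    # Pre-flight form of the ARM check: each supplied value must be in allowedValues. One object per violation.
    param($Initiative, [hashtable]$Parameters)
    foreach ($name in $Parameters.Keys) {
        $definition = $Initiative.parameters.$name
        if (-not $definition) { Write-Warning "Parameter '$name' is not defined on the initiative"; continue }
        $allowed = @($definition.allowedValues)
        if ($allowed.Count -gt 0 -and $Parameters[$name] -notin $allowed) {
            [pscustomobject]@{
                Parameter     = $name
                Value         = $Parameters[$name]
                AllowedValues = $allowed -join ', '
                Code          = 'PolicyParameterValueNotAllowed'
            }
        }
    }
}

function Find-NarrowedEffects {
    # Initiative effect parameters that drop an effect the underlying policy definition supports.
    param($Initiative, [hashtable]$DefinitionEffects)
    foreach ($ref in $Initiative.policyDefinitions) {
        $expr = $ref.parameters.effect.value
        if ($expr -notmatch '^\[parameters\(''([^'']+)''\)\]$') { continue }  # hard-coded effect, nothing to compare
        $paramName = $Matches[1]
        $allowed   = @($Initiative.parameters.$paramName.allowedValues)
        $supported = @($DefinitionEffects[$ref.policyDefinitionId])
        $missing   = @($supported | Where-Object { $_ -notin $allowed })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                Parameter             = $paramName
                PolicyDefinitionId    = $ref.policyDefinitionId
                InitiativeAllows      = $allowed -join ', '
                DefinitionAllows      = $supported -join ', '
                MissingFromInitiative = $missing -join ', '
            }
        }
    }
}

function Add-AllowedValue {
    # The suggested fix: widen allowedValues on the initiative parameter (idempotent).
    param($Initiative, [string]$ParameterName, [string]$Value)
    $p = $Initiative.parameters.$ParameterName
    if ($Value -notin @($p.allowedValues)) { $p.allowedValues = @($p.allowedValues) + $Value }
    return $Initiative
}

'== Before the fix: what the deployment would reject =='
Test-AssignmentParameters -Initiative $initiative -Parameters $assignmentParameters | Format-Table -AutoSize
'== Initiative parameters narrower than the policy definitions they feed =='
Find-NarrowedEffects -Initiative $initiative -DefinitionEffects $definitionEffects | Format-Table -AutoSize

# Apply the fix to every assigned parameter and re-run the check; zero rows means the same assignment would now pass.
foreach ($n in @($assignmentParameters.Keys)) { $initiative = Add-AllowedValue $initiative $n 'Deny' }
$remaining = @(Test-AssignmentParameters -Initiative $initiative -Parameters $assignmentParameters)
"== After adding Deny: $($remaining.Count) violation(s) =="
```

To run it against the live definitions, replace the two constructed fragments with the output of Get-AzPolicySetDefinition and Get-AzPolicyDefinition (the property layout differs between Az.Resources versions, so map it into the shape used above first) and call Test-AssignmentParameters with the same parameter object the pipeline passes at Deploy-ALZPolicyAssignments.ps1 line 29. Note that the fix only applies to initiatives you own a copy of: the built-in MCSB definition cannot be edited in place, which is why the linked PR targets the azure-policy repository.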
If policy is Guest Configuration - details about target node
N/A