Azure / azure-policy

Repository for Azure Resource Policy built-in definitions and samples
MIT License

Azure Cognitive Search services should use customer-managed keys to encrypt data at rest: Does not function with Deny Effect #1263

Open cmurrayjr opened 8 months ago

cmurrayjr commented 8 months ago

Details of the scenario you tried and the problem that is occurring

Initial observation of mismatch between filename and defined parameters.effect.allowedValues

It is worth noting that the name of this policy's file indicates the author intended Audit-Only use of the policy; however, parameters.effect.allowedValues lists Deny and Disabled Effects as well. This is further documented in #118467 on the azure-docs repo.

Condition

When using this policy with a "Deny" effect.

Cause

The rule located at properties.policyrule.if.allof.anyof.field specifies that "Microsoft.Search/searchServices/encryptionWithCmk.encryptionComplianceStatus" must have the value of compliant. This works perfectly with Audit; however, it poses an issue with Deny because this value is a ReadOnly value that is added to the resource by the Azure service fabric post-deployment, not by the user, and is therefore not present when the policy engine assesses deny effects. You will note the documentation for ARM templates for this resource does not list encryptionComplianceStatus as a user-configurable setting.

Effect

When you attempt to deploy a search services resource with this policy in effect, you will be denied, as the policy cannot validate the value of the missing ReadOnly parameter.

Verbose logs showing the problem

Search Service Name: "srch-corp-demo-dev-use2-test"): performing CreateOrUpdate: unexpected status 403 with error: RequestDisallowedByPolicy: Resource 'srch-corp-demo-dev-use2-test' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Azure Cognitive Search services should use customer-managed keys to encrypt data at rest - Deny","id":"/providers/Microsoft.Management/managementGroups/REDACTED/providers/Microsoft.Authorization/policyAssignments/REDACTED"},"policyDefinition":{"name":"Azure Cognitive Search services should use customer-managed keys to encrypt data at rest","id":"/providers/Microsoft.Authorization/policyDefinitions/REDACTED"}}]'.

Suggested solution to the issue

There are a few plausible solutions,
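As an added illustration (not code from the azure-policy repository or from the issue author), a small Python evaluator of the rule shape described in the issue. The policy JSON below is an approximation of the built-in definition, the alias-to-path mapping is assumed, and the two resource documents are constructed; it shows why a create-time request is denied while the same resource passes once the service has written the read-only status.

```python
# Constructed approximation of the built-in rule's "if" block (not the repo's exact JSON).
CMK_STATUS = "Microsoft.Search/searchServices/encryptionWithCmk.encryptionComplianceStatus"
POLICY_IF = {
    "allOf": [
        {"field": "type", "equals": "Microsoft.Search/searchServices"},
        {"anyOf": [
            {"field": CMK_STATUS, "exists": "false"},
            {"field": CMK_STATUS, "notEquals": "Compliant"},
        ]},
    ]
}

# Assumed alias-to-JSON-path mapping for the two fields used above.
ALIASES = {
    "type": ("type",),
    CMK_STATUS: ("properties", "encryptionWithCmk", "encryptionComplianceStatus"),
}

def lookup(resource, field):
    """Resolve a policy alias against a resource document; None when the path is absent."""
    node = resource
    for key in ALIASES[field]:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches(cond, resource):
    """Evaluate allOf/anyOf/field conditions; string compares are case-insensitive."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    value = lookup(resource, cond["field"])
    norm = value.lower() if isinstance(value, str) else value
    if "exists" in cond:
        return (value is not None) == (cond["exists"] == "true")
    if "equals" in cond:
        return norm == cond["equals"].lower()
    if "notEquals" in cond:
        return norm != cond["notEquals"].lower()
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, effect):
    """Return the effect the engine would apply, or None when the rule does not match."""
    return effect if matches(POLICY_IF, resource) else None

# Constructed: the PUT body the engine sees at request time. The read-only
# encryptionComplianceStatus is absent because the service sets it after deployment.
CREATE_REQUEST = {"type": "Microsoft.Search/searchServices",
                  "properties": {"encryptionWithCmk": {"enforcement": "Enabled"}}}
# Constructed: the same resource read back after the service populated the status.
DEPLOYED_RESOURCE = {"type": "Microsoft.Search/searchServices",
                     "properties": {"encryptionWithCmk": {"enforcement": "Enabled",
                                                          "encryptionComplianceStatus": "Compliant"}}}
```

With a Deny assignment, `evaluate(CREATE_REQUEST, "Deny")` returns "Deny" even though CMK enforcement is requested, while the deployed document is not matched under either effect.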