Details of the scenario you tried and the problem that is occurring
DeployIfNotExists policies for Table and Queue Storage are reporting non-compliance on storage accounts where instances of these services have not been created (this happens on every new storage account creation).
This applies to both: /providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45 (https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/QueueServicesLogsToWorkspace_DINE.json)
and
/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0 (https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/TableServicesLogsToWorkspace_DINE.json)
Verbose logs showing the problem
Suggested solution to the issue
Add a criterion in the If statement to look for an actual instance... Similar to the fix in pull #1078

    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts/tableServices"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/tableServices/tables/tableName",
            "exists": true
          }
        ]
      },

And a similar evaluation for the Queue Services...
Then the policy would only evaluate to true and run the DeployIfNotExists Effect when there is an actual table / queue created...
If policy is Guest Configuration - details about target node