Azure / azure-policy

Repository for Azure Resource Policy built-in definitions and samples
MIT License

Built-In DeployIfNotExists policies for diagnostic settings on Table and Queue Storage are reporting faulty non-compliance #1264

Open theautomationdude opened 9 months ago

theautomationdude commented 9 months ago

Details of the scenario you tried and the problem that is occurring

DeployIfNotExists policies for Table and Queue Storage are reporting non-compliance on storage accounts where instances of these services have not been created (this happens on every new storage account creation).

This applies to both: /providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45 (https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/QueueServicesLogsToWorkspace_DINE.json)

and

/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0 (https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/TableServicesLogsToWorkspace_DINE.json)

Verbose logs showing the problem

Suggested solution to the issue

Add a criterion to the If statement to look for an actual instance, similar to the fix in pull #1078:

```json
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts/tableServices"
      },
      {
        "field": "Microsoft.Storage/storageAccounts/tableServices/tables/tableName",
        "exists": true
      }
    ]
  },
```

And a similar evaluation for the Queue Services...

Then the policy would only evaluate to true and run the DeployIfNotExists Effect when there is an actual table / queue created...

If policy is Guest Configuration - details about target node
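To see why the extra `exists` clause changes which resources the policy selects, the following is an added Python simulation of the `allOf` / `equals` / `exists` operators used in the suggested fix, run over constructed tableServices and queueServices resources. It is not code from Azure/azure-policy: the alias from the suggestion is treated as a plain key on the resource dict, and the real engine's alias resolution against the resource provider is not modelled, so only the boolean logic of the condition block is illustrated.

```python
"""Simulation of the Azure Policy `if` conditions from the suggested fix.

Added illustration only: this is not code from Azure/azure-policy. Resources
are constructed dicts whose keys stand in for resolved policy aliases; the
real engine resolves aliases against the resource provider, which is not
modelled here. Only the boolean logic of the condition block is shown.
"""

TABLE_SERVICES_TYPE = "Microsoft.Storage/storageAccounts/tableServices"
# Alias exactly as written in the suggestion (assumption: treated as a dict key).
TABLE_NAME_ALIAS = "Microsoft.Storage/storageAccounts/tableServices/tables/tableName"

# The built-in definition's current scope: every tableServices resource.
ORIGINAL_IF = {"field": "type", "equals": TABLE_SERVICES_TYPE}

# The suggested scope: a tableServices resource that actually holds a table.
SUGGESTED_IF = {
    "allOf": [
        {"field": "type", "equals": TABLE_SERVICES_TYPE},
        {"field": TABLE_NAME_ALIAS, "exists": "true"},
    ]
}


def evaluate(condition, resource):
    """Return True when `condition` selects `resource`.

    Supports the operators used above plus `anyOf`/`not`; `equals` is
    case-insensitive and `exists` accepts "true"/"false" or a bool, as the
    Azure Policy definition language does.
    """
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)

    field = condition["field"]
    present = resource.get(field) is not None
    if "exists" in condition:
        return present == (str(condition["exists"]).lower() == "true")
    if "equals" in condition:
        return present and str(resource[field]).lower() == str(condition["equals"]).lower()
    raise ValueError(f"unsupported condition: {condition}")


def in_scope(condition, resources):
    """Labels of the resources the `if` block would hand to DeployIfNotExists."""
    return sorted(label for label, res in resources.items() if evaluate(condition, res))


# Constructed sample resources, not data from a real tenant.
SAMPLES = {
    # Fresh storage account: the tableServices child exists, but no table does.
    "empty_table_service": {"name": "default", "type": TABLE_SERVICES_TYPE},
    # Same account after a table was created.
    "table_service_with_table": {
        "name": "default",
        "type": TABLE_SERVICES_TYPE,
        TABLE_NAME_ALIAS: "orders",
    },
    # Queue child resource; out of scope for the table policy either way.
    "queue_service": {"name": "default", "type": "Microsoft.Storage/storageAccounts/queueServices"},
}

if __name__ == "__main__":
    print("original if :", in_scope(ORIGINAL_IF, SAMPLES))
    print("suggested if:", in_scope(SUGGESTED_IF, SAMPLES))
```

With the original `if`, the empty tableServices resource of a fresh storage account is selected and the DeployIfNotExists existence check then fails, which is the false non-compliance described above; with the suggested `allOf`, only the resource that actually holds a table is selected. Before using the alias in a real definition, confirm it is exposed for the resource type being evaluated, for example by listing the aliases with `az provider show --namespace Microsoft.Storage --expand "resourceTypes/aliases"`.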