I deploy a policy via Bicep that checks if a virtual machine has the tag 'BackupRetention' and that it is filled in with 1 of the 4 specific retentions. However, I keep getting back non-compliances, both for a non-compliant VM (a VM that doesn't have the tag) and for a VM that has the correct tagging.

Policy rule set:
```bicep
if: {
  allOf: [
    {
      field: 'type'
      equals: 'Microsoft.Compute/virtualMachines'
    }
    {
      anyOf: [
        {
          field: 'tags[\'BackupRetention\']'
          notEquals: 'backup-week'
        }
        {
          field: 'tags[\'BackupRetention\']'
          notEquals: 'backup-day'
        }
        {
          field: 'tags[\'BackupRetention\']'
          notEquals: 'backup-month'
        }
        {
          field: 'tags[\'BackupRetention\']'
          notEquals: 'backup-year'
        }
      ]
    }
  ]
}
then: {
  effect: 'modify'
  details: {
    roleDefinitionIds: [
      '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor role
    ]
    operations: [
      {
        operation: 'addOrReplace'
        field: 'tags[\'BackupRetention\']'
        value: 'None' // replace with the value you want to set
      }
    ]
  }
}
```
Non-compliant messages:

| Reason for non-compliance | Field | Current value | Target value |
|---|---|---|---|
| Current value must not be equal to the target value. | type | "Microsoft.Compute/virtualMachines" | "Microsoft.Compute/virtualMachines" |
| Current value must be equal to the target value. | tags['BackupRetention'] | "backup-week" | "backup-day" |

I tried several options, even the modify parameter... it does not work. I'm kinda pulling my hair out.
This block needs allOf instead of anyOf.
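The fix the answer points at, written out as an added example (not the poster's template): the four notEquals conditions under allOf collapse into a single notIn over the allowed values, which also catches a VM that has no tag at all. The policy name, the display name and the subscription-scoped deployment are assumptions.

```bicep
// Added example, not the poster's template: anyOf/notEquals replaced by one notIn.
targetScope = 'subscription'

var allowedRetentions = [
  'backup-week'
  'backup-day'
  'backup-month'
  'backup-year'
]

resource backupRetentionTagPolicy 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'vm-backupretention-tag' // assumed name
  properties: {
    displayName: 'VM must carry a valid BackupRetention tag'
    policyType: 'Custom'
    mode: 'Indexed' // tags are only evaluated in Indexed mode
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Compute/virtualMachines'
          }
          {
            // Matches when the tag is missing or holds a value outside the list;
            // a VM carrying one of the four values is compliant.
            field: 'tags[\'BackupRetention\']'
            notIn: allowedRetentions
          }
        ]
      }
      then: {
        effect: 'modify'
        details: {
          roleDefinitionIds: [
            '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor
          ]
          operations: [
            {
              operation: 'addOrReplace'
              field: 'tags[\'BackupRetention\']'
              value: 'None' // placeholder value written when the tag is missing or invalid
            }
          ]
        }
      }
    }
  }
}
```

With the original anyOf, every VM matched because no single tag value can equal all four targets at once, which is why the correctly tagged VM was reported as non-compliant.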