1
votes

Does anyone have experience in writing Azure Policy for Analysis Services? I am stuck on getting one completed. I am attempting to create a policy that enforces what IPs can be added to the public IP side. So far I have this and it does work:

{
  "parameters": {
    "allowedAddressRanges": {
      "type": "Array",
      "metadata": {
        "displayName": "Address Range",
        "description": "The list of allowed external IP address ranges"
      }
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.AnalysisServices/servers"
        },
        {
          "not": {
            "field": "Microsoft.AnalysisServices/servers/ipV4FirewallSettings.firewallRules[*]",
            "in": "[parameters('allowedAddressRanges')]"
          }
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  }
}

Do I need to go further down the alias path to something like:

"Microsoft.AnalysisServices/servers/ipV4FirewallSettings.firewallRules[*].rangeStart"

1 Answer

0
votes

This is an old thread, but since it hasn't been answered yet, perhaps someone can benefit from my findings. Looking at the aliases available for Azure Analysis Services, we can notice the following:

Microsoft.AnalysisServices/servers/ipV4FirewallSettings.firewallRules
Microsoft.AnalysisServices/servers/ipV4FirewallSettings.firewallRules[*]
Microsoft.AnalysisServices/servers/ipV4FirewallSettings.firewallRules[*].firewallRuleName
Microsoft.AnalysisServices/servers/ipV4FirewallSettings.firewallRules[*].rangeStart
Microsoft.AnalysisServices/servers/ipV4FirewallSettings.firewallRules[*].rangeEnd

Based on the notation above, I had to go down until "rangeStart" and "rangeEnd". This is what works for me:

{
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.AnalysisServices/servers"
                },
                {
                    "not": {
                        "anyOf": [
                            {
                                "field": "Microsoft.AnalysisServices/servers/ipV4FirewallSettings.firewallRules[*].rangeStart",
                                "in": "[parameters('allowedAddressRanges')]"
                            },
                            {
                                "field": "Microsoft.AnalysisServices/servers/ipV4FirewallSettings.firewallRules[*].rangeEnd",
                                "in": "[parameters('allowedAddressRanges')]"
                            }
                        ]
                    }
                }
            ]
        },
        "then": {
            "effect": "[parameters('effect')]"
        }
    },
    "parameters": {
        "effect": {
            "type": "String",
            "metadata": {
                "displayName": "Effect",
                "description": "The effect determines what happens when the policy rule is evaluated to match"
            },
            "allowedValues": [
                "Audit",
                "Deny",
                "Disabled"
            ],
            "defaultValue": "Deny"
        },
        "allowedAddressRanges": {
            "type": "Array",
            "metadata": {
                "displayName": "Address Range",
                "description": "The list of allowed IP address ranges"
            },
            "allowedValues": [
                "0.0.0.0",
                "0.0.0.0",
                "0.0.0.0",
                "0.0.0.0",
                "0.0.0.0"
            ],
            "defaultValue": [
                "0.0.0.0",
                "0.0.0.0",
                "0.0.0.0",
                "0.0.0.0",
                "0.0.0.0"
            ]
        }
    }
}

reference: https://docs.microsoft.com/en-us/azure/templates/microsoft.analysisservices/servers#IPv4FirewallRule
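An added example, not part of the original answer: a small Python model showing which firewall rule sets the `not`/`anyOf` rule above flags, next to a hypothetical per-rule check. It assumes Azure Policy's array-alias semantics (a field condition on a `[*]` alias holds only when every array member satisfies it, and holds for an empty array); the function names and sample addresses are constructed for illustration.

```python
# Added example: models how a policy engine combines [*] field conditions.
# Assumption: per Azure Policy's array-alias semantics, a field condition on a
# [*] alias holds only if every array member satisfies it (and holds if empty).

def all_members_in(rules, prop, allowed):
    """Field condition '<alias>[*].<prop> in allowed': logical AND over members."""
    return all(rule[prop] in allowed for rule in rules)

def answer_policy_flags(rules, allowed):
    """The answer's rule: not(anyOf(rangeStart in allowed, rangeEnd in allowed))."""
    return not (all_members_in(rules, "rangeStart", allowed)
                or all_members_in(rules, "rangeEnd", allowed))

def per_rule_check_flags(rules, allowed):
    """Hypothetical stricter check: flag if any one rule has a start or end off-list."""
    return any(r["rangeStart"] not in allowed or r["rangeEnd"] not in allowed
               for r in rules)

def rule(name, start, end):
    """Build one firewall rule using the property names from the aliases above."""
    return {"firewallRuleName": name, "rangeStart": start, "rangeEnd": end}

# Constructed sample data (documentation address blocks, not values from the page).
ALLOWED = ["203.0.113.10", "203.0.113.20"]
CASES = {
    "compliant": [rule("office", "203.0.113.10", "203.0.113.10")],
    "both_off_list": [rule("other", "198.51.100.1", "198.51.100.254")],
    "start_ok_end_wide": [rule("wide", "203.0.113.10", "203.0.113.255")],
    "one_good_one_bad": [rule("office", "203.0.113.20", "203.0.113.20"),
                         rule("other", "198.51.100.1", "198.51.100.1")],
    "no_rules": [],
}

def compare(cases=CASES, allowed=ALLOWED):
    """Return {case: (answer_policy_flags, per_rule_check_flags)}."""
    return {name: (answer_policy_flags(rules, allowed),
                   per_rule_check_flags(rules, allowed))
            for name, rules in cases.items()}

if __name__ == "__main__":
    for name, (answer, strict) in compare().items():
        print(f"{name:18} answer_policy={answer!s:5} per_rule={strict}")
```

In policy JSON, a per-member check like `per_rule_check_flags` is what a `count` expression with a `where` clause over `firewallRules[*]` expresses.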