I need to enforce that when user creates a storage account in azure, it should get appended with customer managed keys. Platform managed keys are prohibited to be used by storage account. Below is the policy that's created . Although the policy is successfully deployed, the storage accounts that we create after the policy deployment does not append the customer manged key details that's defined inside the Azure policy even after 2 hours. When we try adding customer managed key, it instead throws error telling- "Policies attempted to append some fields which already exist in the request with different values. Fields: 'Microsoft.Storage/storageAccounts/encryption.KeySource'. Policy identifiers:'[{"policyAssignment":{"name":"Encryption settings to Storage Account for customer-provided key","id":"funRulerg-mj/providers/Microsoft.Authorization/policyAssignments/" Can someone pls help me understand, why inspite of "append" effect the policy is not appending the customer managed keys to the storage account. And the error clearly tells that the policy is already in effect due to which it is not allowing to add any customer managed key as well to the storage accounts.
{
"properties": {
"displayName": "Append encryption settings to Storage Account for customer-provided key",
"description": "If customer-provided key isn't configured, append encryption settings to Storage Account using customer-provided key",
"mode": "all",
"parameters": {
"keyvaulturi": {
"type": "String",
"metadata": {
"description": "Uri location of the Key Vault to use for Storage Service Encryption"
}
},
"keyname": {
"type": "String",
"metadata": {
"description": "Name of the Key to use for Storage Service Encryption"
}
}
},
"policyRule": {
"if": {
"allof": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
"equals": "Microsoft.Storage"
}
]
},
"then": {
"effect": "append",
"details": [
{
"field": "Microsoft.Storage/storageAccounts/encryption.KeySource",
"value": "Microsoft.Keyvault"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyvaulturi",
"value": "[parameters('keyvaulturi')]"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.keyvaultproperties.keyname",
"value": "[parameters('keyname')]"
}
]
}
}
}
}