I have got the following very basic policy that aims to enforce a naming convention on new resource groups.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/resourceGroups"
        },
        {
          "field": "name",
          "notLike": "rg-*"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
The policy is assigned at the subscription level, and policy enforcement = enabled. There are no exclusions and, as you can see from the policy, the effect is set to deny.
However, this policy simply does not have any effect. I am able to create new resource groups with names like noncompliant, ... at will. Also, I have waited for more than 30 min for the policy to take effect (actually I waited for more than 24 h).
Interestingly enough, the following policy takes effect (almost immediately after assigning), where the only difference is the comparison on the resource type.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/virtualNetworks"
        },
        {
          "field": "name",
          "notLike": "vnet-*"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
I really don't get what's going wrong here. Anything special about resource groups in the context of policies I haven't come across yet?
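An added example, not part of the original post: a small offline evaluator for the rule shape used in both policies, run over constructed resources, to check which type strings a rule can ever match. It assumes Azure reports resource groups with the type `Microsoft.Resources/subscriptions/resourceGroups`, that string comparisons are case-insensitive, and that `like`/`notLike` take at most one `*` wildcard; all function names are hypothetical.

```python
"""Offline evaluator for the Azure Policy subset used in the post (added example)."""

# Assumption: the type string Azure reports for resource groups.
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

def like(value, pattern):
    """Policy 'like': case-insensitive, at most one '*' wildcard."""
    value, pattern = value.lower(), pattern.lower()
    if pattern.count("*") > 1:
        raise ValueError("like/notLike accept at most one '*'")
    if "*" not in pattern:
        return value == pattern
    head, tail = pattern.split("*")
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))

def matches(cond, resource):
    """Evaluate an 'if' block: allOf plus equals/like/notLike on a field."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    actual = str(resource.get(cond["field"], ""))
    if "equals" in cond:
        return actual.lower() == cond["equals"].lower()
    if "like" in cond:
        return like(actual, cond["like"])
    if "notLike" in cond:
        return not like(actual, cond["notLike"])
    raise ValueError(f"unsupported condition: {cond}")

def effect(rule, resource):
    """Return the rule's effect when the resource matches, else None."""
    return rule["then"]["effect"] if matches(rule["if"], resource) else None

def naming_rule(resource_type, pattern):
    """Build the policyRule shape from the post for a type and name pattern."""
    return {"if": {"allOf": [{"field": "type", "equals": resource_type},
                             {"field": "name", "notLike": pattern}]},
            "then": {"effect": "deny"}}

# Constructed sample resources, not real deployments.
SAMPLES = [{"type": RG_TYPE, "name": "noncompliant"},
           {"type": RG_TYPE, "name": "rg-app"},
           {"type": "Microsoft.Network/virtualNetworks", "name": "prod-net"}]

if __name__ == "__main__":
    for rtype in ("Microsoft.Resources/resourceGroups", RG_TYPE):
        rule = naming_rule(rtype, "rg-*")
        print(rtype, [effect(rule, r) for r in SAMPLES])
```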