pattern-logical-operators.md

title: Pattern: Logical operators in a policy definition
description: This Azure Policy pattern provides examples of how to use the logical operators in a policy definition.
ms.date: 08/17/2021
ms.topic: sample

Azure Policy pattern: logical operators

A policy definition can contain several conditional statements. You might need each statement to be true or only need some of them to be true. To support these needs, the language has logical operators for not, allOf, and anyOf. They're optional and can be nested to create complex scenarios.

Sample 1: One logical operator

This policy definition evaluates Azure Cosmos DB accounts to see whether automatic failovers and multiple write locations are configured. When they aren't, the audit triggers and creates a log entry when the non-compliant resource is created or updated.

:::code language="json" source="~/policy-templates/patterns/pattern-logical-operators-1.json":::

Sample 1: Explanation

:::code language="json" source="~/policy-templates/patterns/pattern-logical-operators-1.json" range="6-22" highlight="3":::

The policyRule.if block uses a single allOf to ensure that all three conditions are true. Only when all of these conditions evaluate to true does the audit effect trigger.

Sample 2: Multiple logical operators

This policy definition evaluates resources for a naming pattern. If a resource doesn't match, it's denied.

:::code language="json" source="~/policy-templates/patterns/pattern-logical-operators-2.json":::

Sample 2: Explanation

:::code language="json" source="~/policy-templates/patterns/pattern-logical-operators-2.json" range="7-21" highlight="2,3,9":::

This policyRule.if block also includes a single allOf, but each condition is wrapped with the not logical operator. The condition inside the not logical operator is evaluated first, and then the not is applied to determine whether the entire clause is true or false. If both not logical operators evaluate to true, the policy effect triggers.

Sample 3: Combining logical operators

This policy definition evaluates Spring on Azure accounts to see whether trace isn't enabled or trace isn't in a successful state.

:::code language="json" source="~/policy-templates/patterns/pattern-logical-operators-3.json":::

Sample 3: Explanation

:::code language="json" source="~/policy-templates/patterns/pattern-logical-operators-3.json" range="6-28" highlight="3,8":::

This policyRule.if block includes both the allOf and anyOf logical operators. The anyOf logical operator evaluates to true as long as one included condition is true. As the type is at the core of the allOf, it must always evaluate to true. If the type and one of the conditions in the anyOf are true, the policy effect triggers.
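
The nesting described above can be checked offline with a small model of the three logical operators. This is an added example, not code from the policy samples or from Azure Policy itself: the `evaluate` function, the resource type `Example.Provider/services`, and the field names `traceEnabled` and `traceState` are all constructed for illustration, and only the `equals` condition is modelled.

```python
# Simplified model of how allOf, anyOf and not combine conditions in a
# policyRule.if block. Not the Azure Policy engine: only "equals" is modelled,
# and it is compared here as a case-insensitive string (an assumption of this model).

def evaluate(node, resource):
    """Return True when the condition tree `node` holds for `resource`."""
    if "allOf" in node:   # every child must be true
        return all(evaluate(child, resource) for child in node["allOf"])
    if "anyOf" in node:   # at least one child must be true
        return any(evaluate(child, resource) for child in node["anyOf"])
    if "not" in node:     # inner condition is evaluated first, then inverted
        return not evaluate(node["not"], resource)
    if "field" in node and "equals" in node:
        actual = resource.get(node["field"])
        if actual is None:  # a missing field never equals anything in this model
            return False
        return str(actual).lower() == str(node["equals"]).lower()
    raise ValueError(f"unsupported condition: {node}")

# Constructed rule with the same shape as Sample 3: the type check sits in the
# allOf, and the anyOf holds two alternatives, each wrapped in a not.
RULE_IF = {
    "allOf": [
        {"field": "type", "equals": "Example.Provider/services"},
        {"anyOf": [
            {"not": {"field": "traceEnabled", "equals": "true"}},
            {"not": {"field": "traceState", "equals": "Succeeded"}},
        ]},
    ]
}

# Constructed resources: True means the policy effect would trigger.
SAMPLES = {
    "healthy": {"type": "Example.Provider/services", "traceEnabled": True, "traceState": "Succeeded"},
    "trace-off": {"type": "Example.Provider/services", "traceEnabled": False, "traceState": "Succeeded"},
    "trace-failed": {"type": "Example.Provider/services", "traceEnabled": True, "traceState": "Failed"},
    "other-type": {"type": "Example.Provider/other", "traceEnabled": False, "traceState": "Failed"},
}

def results():
    return {name: evaluate(RULE_IF, res) for name, res in SAMPLES.items()}

if __name__ == "__main__":
    for name, triggered in results().items():
        print(f"{name}: effect triggers = {triggered}")
```

The `other-type` resource fails both trace checks but never triggers the effect, because the type condition in the outer allOf is false.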

Next steps