I am trying to write an Azure Policy that would automatically link every Application Insights resource to my AMPLS instance.
In order to do that, the policy should look at the Microsoft.Insights/components/PrivateLinkScopedResources[*].ResourceId field and, if it does not contain my AMPLS resource ID, trigger a deployment that deploys a child resource. Unfortunately, this resource is not a child of the Application Insights resource but of the AMPLS resource. The resource type of the child resource is Microsoft.Insights/privateLinkScopes/scopedResources.
So, the policy needs to deploy the following template:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Insights/privateLinkScopes/scopedResources",
      "apiVersion": "2021-07-01-preview",
      "name": "[format('{0}/{1}', 'my-ampls', 'my-test-app-insights')]",
      "properties": {
        "linkedResourceId": "/subscriptions/<sub ID here>/resourceGroups/<resource group here>/providers/microsoft.insights/components/my-test-app-insights"
      }
    }
  ]
}
The problem is, the AMPLS resource is in a different subscription than the Application Insights resource, and I have no idea how to change the deployment scope of the policy from the resource group of the Application Insights resource to the resource group of the AMPLS resource.
The documentation here: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists talks about a DeploymentScope property, but it can only have one of two values, ResourceGroup and Subscription, and it does not really allow you to select a different subscription and/or a resource group other than the ones the resource specified in the if type field resides in. I came up with the following policy definition, but obviously it does not work because the deployment is looking for the AMPLS resource in the wrong subscription/resource group.
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "microsoft.insights/components"
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "microsoft.insights/components",
        "existenceCondition": {
          "field": "Microsoft.Insights/components/PrivateLinkScopedResources[*].ResourceId",
          "equals": "[parameters('ampls')]"
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "deployment": {
          "properties": {
            "mode": "Incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "resourceName": {
                  "type": "String"
                },
                "ampls": {
                  "type": "String"
                },
                "location": {
                  "type": "String"
                },
                "resourceId": {
                  "type": "String"
                }
              },
              "variables": {},
              "resources": [
                {
                  "type": "Microsoft.Insights/privateLinkScopes/scopedResources",
                  "apiVersion": "2021-07-01-preview",
                  "name": "[format('{0}/{1}', last(split(parameters('ampls'), '/')), parameters('resourceName'))]",
                  "location": "Global",
                  "dependsOn": [],
                  "properties": {
                    "linkedResourceId": "[parameters('resourceId')]"
                  }
                }
              ],
              "outputs": {}
            },
            "parameters": {
              "ampls": {
                "value": "[parameters('ampls')]"
              },
              "location": {
                "value": "[field('location')]"
              },
              "resourceName": {
                "value": "[field('name')]"
              },
              "resourceId": {
                "value": "[field('id')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {
    "ampls": {
      "type": "String",
      "metadata": {
        "displayName": "AMPLS Resource ID",
        "description": "Enter AMPLS Resource ID",
        "strongType": "Microsoft.Insights/privateLinkScopes"
      }
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "DeployIfNotExists",
        "Disabled"
      ],
      "defaultValue": "DeployIfNotExists"
    }
  }
}
Microsoft confirmed that the policy can only deploy resources into the resource group of the matching resource. However, a deployment is also a resource, which can contain any other resource in a nested template. All you need to do is deploy a resource of type Microsoft.Resources/deployments and nest your resource inside it. This way you can deploy to any subscription and resource group the policy assignment's managed identity has access to.
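The nested-deployment approach described in this answer, worked through as a complete policy definition. This is an added example, not the asker's definition or code from the answer or from Microsoft; the parameter names (ampls, linkedResourceId, linkedResourceName, amplsName, scopedResourceName), the variable names and the deployment name are assumptions chosen for this illustration. The outer template is still deployed in the Application Insights resource group, as the policy engine requires, but its only resource is a Microsoft.Resources/deployments resource whose subscriptionId and resourceGroup properties are parsed out of the AMPLS resource ID, so the inner template containing the scopedResources resource runs in the AMPLS resource group. The existence check uses a count expression rather than a bare equals on the [*] alias, so a component that is linked to the AMPLS and also to other scopes still evaluates as compliant.

```json
{
  "mode": "Indexed",
  "parameters": {
    "ampls": {
      "type": "String",
      "metadata": { "displayName": "AMPLS Resource ID", "description": "Full resource ID of the Azure Monitor Private Link Scope (may be in another subscription)", "strongType": "Microsoft.Insights/privateLinkScopes" }
    },
    "effect": { "type": "String", "allowedValues": [ "DeployIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" }
  },
  "policyRule": {
    "if": { "field": "type", "equals": "Microsoft.Insights/components" },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Insights/components",
        "existenceCondition": {
          "count": {
            "field": "Microsoft.Insights/components/PrivateLinkScopedResources[*]",
            "where": {
              "field": "Microsoft.Insights/components/PrivateLinkScopedResources[*].ResourceId",
              "equals": "[parameters('ampls')]"
            }
          },
          "greater": 0
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "deployment": {
          "properties": {
            "mode": "Incremental",
            "parameters": {
              "ampls": { "value": "[parameters('ampls')]" },
              "linkedResourceId": { "value": "[field('id')]" },
              "linkedResourceName": { "value": "[field('name')]" }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "ampls": { "type": "string" },
                "linkedResourceId": { "type": "string" },
                "linkedResourceName": { "type": "string" }
              },
              "variables": {
                "amplsParts": "[split(parameters('ampls'), '/')]",
                "amplsSubscriptionId": "[variables('amplsParts')[2]]",
                "amplsResourceGroup": "[variables('amplsParts')[4]]",
                "amplsName": "[last(variables('amplsParts'))]"
              },
              "resources": [
                {
                  "type": "Microsoft.Resources/deployments",
                  "apiVersion": "2021-04-01",
                  "name": "[format('ampls-link-{0}', uniqueString(parameters('linkedResourceId')))]",
                  "subscriptionId": "[variables('amplsSubscriptionId')]",
                  "resourceGroup": "[variables('amplsResourceGroup')]",
                  "properties": {
                    "mode": "Incremental",
                    "expressionEvaluationOptions": { "scope": "inner" },
                    "parameters": {
                      "amplsName": { "value": "[variables('amplsName')]" },
                      "scopedResourceName": { "value": "[parameters('linkedResourceName')]" },
                      "linkedResourceId": { "value": "[parameters('linkedResourceId')]" }
                    },
                    "template": {
                      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                      "contentVersion": "1.0.0.0",
                      "parameters": {
                        "amplsName": { "type": "string" },
                        "scopedResourceName": { "type": "string" },
                        "linkedResourceId": { "type": "string" }
                      },
                      "resources": [
                        {
                          "type": "Microsoft.Insights/privateLinkScopes/scopedResources",
                          "apiVersion": "2021-07-01-preview",
                          "name": "[format('{0}/{1}', parameters('amplsName'), parameters('scopedResourceName'))]",
                          "properties": { "linkedResourceId": "[parameters('linkedResourceId')]" }
                        }
                      ]
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  }
}
```

Two points to check before assigning this. First, roleDefinitionIds only causes the remediation identity to be granted roles at the assignment scope; because the nested deployment writes into the AMPLS subscription, that managed identity must separately be granted a role there (Contributor on the AMPLS resource group is enough; at minimum it needs Microsoft.Resources/deployments/write and Microsoft.Insights/privateLinkScopes/scopedResources/write), which is the "has access to" condition in the answer. Second, the scope "inner" setting matters: without it, parameters('...') expressions in the inner template would be evaluated against the outer template's parameters, and the deployment name uses uniqueString of the linked resource ID so that repeated remediations update one stable deployment instead of accumulating new ones in the AMPLS resource group.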