Policy Compliance
Inspect detailed compliance results from Clophi's own compliance engine, including the exact fields, conditions, and counted array objects that caused resources to fail.
Overview
Clophi uses its own compliance engine to evaluate resources against their assigned policies. You can configure how frequently the engine runs so that compliance reports.
For each non-compliant resource, Clophi records:
- Every policy condition that failed, with its exact match expression.
- The specific resource fields that violated each condition.
- Full count logic details: Every object counted within a policy's count block are displayed
Why this matters
Azure tells you a resource is non-compliant. Clophi tells you exactly which condition failed, on which field. For count-logic which objects of the array caused it.
Accessing Compliance Reports
Compliance reports are reached from the Policy Assignment Dashboard. Click the Resource Compliance element on any assignment to open the resource compliance list.
The Resource Compliance list will show every resource in the assignment's scope, marked as compliant or non-compliant.
Reading the Compliance Report
The compliance report uses a split view that maps resource state on the left to policy rule evaluation on the right.
Resource state (left side)
The resource is rendered in the standard resource form, with any non-compliant fields highlighted in red.
(Note: You can switch to code view to see the same data as a complete ARM template. Non-compliant values remain highlighted in red there as well.)
Policy rule evaluation (right side)
The policy rule is displayed on right-hand tab with any non-compliant conditions marked in red also. This lets you trace a failed condition back to the exact field that caused it on the left.
Count logic and matching members
When a policy rule uses a count block to evaluate array properties, the compliance report shows which array members were matched. These appear in the rule as Matching Members entries. Clophi is the only place where you can see this information, even Azure does not expose this!
Matching member references include an index suffix that identifies the specific element:
Microsoft.Network/virtualNetworks/subnets[*]3 In this example, [*]3 indicates that the 3rd subnet within the virtual network triggered the count match. To inspect it directly, navigate to the corresponding object in the resource form on the left — in this case, Subnet3.
Get policy rule explanations
If any logic block in the policy rule is unclear, click the question mark next to it to get an explanation of what the block evaluates.
Remediating Non-Compliant Resources
Once you've identified what's wrong, the recommended path to remediation is through Clophi's Deployed Resources. Import the non-compliant resource, adjust the non-compliant fields in the resource form, and redeploy directly from Clophi.
The Deployed Resources workflow uses the full ARM schema for the resources. Resource forms in Clophi includes properties that are not available in the Azure Portal, and lets you push corrections in a single deployment. See the Deployed Resources page for the complete workflow.
