{
  "id": "policy/azure-policy-denies-resource-group-location-mismatch",
  "signature": "Resource 'myresource' was disallowed by policy. Policy: 'Allowed locations'. Reason: 'The resource location 'eastus2' is not permitted.'",
  "signature_zh": "资源'myresource'被策略禁止。策略：'允许的位置'。原因：'资源位置'eastus2'不被允许。'",
  "regex": "Resource '.*' was disallowed by policy\\. Policy: 'Allowed locations'\\. Reason: 'The resource location '.*' is not permitted\\.'",
  "domain": "policy",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "Azure Policy 'Allowed locations' restricts resource deployment to a predefined list of regions, and the resource's location does not match any allowed region.",
  "root_cause_type": "generic",
  "root_cause_zh": "Azure策略'允许的位置'将资源部署限制在预定义的区域列表中，而资源的位置与任何允许的区域都不匹配。",
  "versions": [
    {
      "version": "Azure Policy 2.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Azure Resource Manager 2023-03-01",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The policy may apply to multiple resource groups or subscriptions; changing location randomly may still violate the policy if the new location is also not allowed.",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The policy is evaluated at deployment time; recreating in the same disallowed location will trigger the same denial.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The policy is enforced by Azure Resource Manager; retrying without changing the location will consistently fail.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Identify the allowed locations from the policy assignment and redeploy the resource to one of those regions. Use Azure CLI: `az policy assignment list --query \"[?policyDefinitionId=='/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'].{name:name, parameters:parameters}\"` to get the allowed list.",
      "success_rate": 0.85,
      "how": "Identify the allowed locations from the policy assignment and redeploy the resource to one of those regions. Use Azure CLI: `az policy assignment list --query \"[?policyDefinitionId=='/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'].{name:name, parameters:parameters}\"` to get the allowed list.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Create an exemption for the resource group or specific resource via Azure Portal: Policy > Compliance > Select policy > Create exemption. This bypasses the policy for that scope.",
      "success_rate": 0.7,
      "how": "Create an exemption for the resource group or specific resource via Azure Portal: Policy > Compliance > Select policy > Create exemption. This bypasses the policy for that scope.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Modify the policy assignment to include the desired location by updating the parameters: `az policy assignment update --name \"allowed-locations\" --resource-group \"my-rg\" --parameters \"{\\\"listOfAllowedLocations\\\":{\\\"value\\\":[\\\"eastus\\\",\\\"eastus2\\\"]}}\"`.",
      "success_rate": 0.8,
      "how": "Modify the policy assignment to include the desired location by updating the parameters: `az policy assignment update --name \"allowed-locations\" --resource-group \"my-rg\" --parameters \"{\\\"listOfAllowedLocations\\\":{\\\"value\\\":[\\\"eastus\\\",\\\"eastus2\\\"]}}\"`.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Identify the allowed locations from the policy assignment and redeploy the resource to one of those regions. Use Azure CLI: `az policy assignment list --query \"[?policyDefinitionId=='/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'].{name:name, parameters:parameters}\"` to get the allowed list.",
    "Create an exemption for the resource group or specific resource via Azure Portal: Policy > Compliance > Select policy > Create exemption. This bypasses the policy for that scope.",
    "Modify the policy assignment to include the desired location by updating the parameters: `az policy assignment update --name \"allowed-locations\" --resource-group \"my-rg\" --parameters \"{\\\"listOfAllowedLocations\\\":{\\\"value\\\":[\\\"eastus\\\",\\\"eastus2\\\"]}}\"`."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects",
  "official_doc_section": null,
  "error_code": "PolicyViolation",
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.8,
  "resolvable": "true",
  "first_seen": "2023-01-15",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}