Tags: json, azure, azure-rm-template, azure-policy

Error while deploying Azure JSON policy using PowerShell


I am trying to create a policy for Azure CIS, and I get the following error when I attempt to deploy it via PowerShell at the management group level. I'm trying to figure out what is missing, as it says the template is invalid.

It looks like the error is related to the scope, but I'm not sure what exactly is going on:

New-AzManagementGroupDeployment : 1:19:17 AM - The deployment 'cis1.23-azurepolicy' failed with error(s). Showing 1 out of 1 error(s).
Status Message: Unable to process template language expressions for resource
'/providers/Microsoft.Management/managementGroups/MGName/providers/Microsoft.Authorization/policyDefinitions/CIS1.23-EnsureNoCustomerOwnerRoles' at line '23' and
column '9'. 'The deployment metadata 'SUBSCRIPTION' is not valid.' (Code:InvalidTemplate)

Here is the template:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "effect": {
      "type": "string",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  },
  "variables": {},
  "resources": [
    {
      "name": "CIS1.23-EnsureNoCustomerOwnerRoles",
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2018-03-01",
      "properties": {
        "policyType": "Custom",
        "displayName": "CIS 1.23 Custom Owner Roles should not exist (Not Scored)",
        "description": "This policy checks that Custom Roles with Owner privileges are removed",
        "mode": "all",
        "metadata": {
          "category": "Identity"
        },
        "parameters": {
          "effect": {
            "type": "String",
            "metadata": {
              "displayName": "Effect",
              "description": "Enable or disable the execution of the policy"
            },
            "allowedValues": [
              "Audit",
              "Disabled"
            ],
            "defaultValue": "Audit"
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Authorization/roleDefinitions"
              },
              {
                "field": "Microsoft.Authorization/roleDefinitions/type",
                "equals": "CustomRole"
              },
              {
                "anyOf": [
                  {
                    "not": {
                      "field": "Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]",
                      "notEquals": "*"
                    }
                  },
                  {
                    "not": {
                      "field": "Microsoft.Authorization/roleDefinitions/permissions.actions[*]",
                      "notEquals": "*"
                    }
                  }
                ]
              },
              {
                "anyOf": [
                  {
                    "not": {
                      "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
                      "notIn": [
                        "[concat(subscription().id,'/')]",
                        "[subscription().id]",
                        "/"
                      ]
                    }
                  },
                  {
                    "not": {
                      "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
                      "notLike": "/providers/Microsoft.Management/*"
                    }
                  }
                ]
              }
            ]
          },
          "then": {
            "effect": "[parameters('effect')]"
          }
        }
      }
    }
  ]
}

Solution

  • You are deploying the ARM template to a management group, but you are referencing the ARM template subscription() function. The subscription() function is only valid when deploying to a subscription or resource group. When deploying to a management group, there is no subscription that could be referenced.

    To resolve this, you need to deploy this policy to a subscription, not to a management group.
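As an added pre-deployment check (not code from the question or the answer), the following Python script walks an ARM template and flags every template expression that calls a function ARM cannot evaluate at the chosen deployment scope, which is the class of mistake behind the InvalidTemplate error above. It treats `[[`-escaped strings as literals rather than expressions; the embedded template excerpt is constructed from the question.

```python
import json

# Facts: subscription() and resourceGroup() need a subscription / resource group in
# the deployment context, so ARM rejects them at management-group and tenant scope.
SCOPE_INVALID_FUNCS = {
    "tenant": ("subscription(", "resourceGroup("),
    "managementGroup": ("subscription(", "resourceGroup("),
    "subscription": ("resourceGroup(",),
    "resourceGroup": (),
}

def is_template_expression(value):
    """A string ARM evaluates at deploy time: '[...]' but not '[[...', the ARM
    escape for a literal bracketed string (left alone for Azure Policy to read)."""
    return (isinstance(value, str) and value.startswith("[")
            and not value.startswith("[[") and value.endswith("]"))

def walk(node, path=""):
    """Yield (json_path, value) for every string leaf in the template."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def find_scope_errors(template, target_scope):
    """Return [(path, expression, function)] for every expression that calls a
    function ARM cannot evaluate at target_scope; an empty list means no finding."""
    banned = SCOPE_INVALID_FUNCS[target_scope]
    return [(path, value, fn.rstrip("(") + "()")
            for path, value in walk(template)
            if is_template_expression(value)
            for fn in banned if fn in value]

# Constructed excerpt of the question's template (the assignableScopes condition).
SAMPLE_TEMPLATE = json.loads("""{"resources": [{
  "name": "CIS1.23-EnsureNoCustomerOwnerRoles",
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {"policyRule": {
    "if": {"allOf": [{"not": {
      "field": "Microsoft.Authorization/roleDefinitions/assignableScopes[*]",
      "notIn": ["[concat(subscription().id,'/')]", "[subscription().id]", "/"]}}]},
    "then": {"effect": "[parameters('effect')]"}}}}]}""")

if __name__ == "__main__":
    for path, expr, fn in find_scope_errors(SAMPLE_TEMPLATE, "managementGroup"):
        print(f"{path}: {expr} uses {fn}, invalid at management-group scope")
```

Running it against the full template from the question with target scope "managementGroup" reports the two subscription() expressions in the assignableScopes condition, while the same template checked for "subscription" scope reports nothing.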