Bicep: policy remediation task complains about missing parameter
Below is my bicep code to create and assign a policy to detect key vaults which don't have diagnostic settings. And the policy has a deployIfNotExists setting. So It should be capable of creating the missing diagnostic setting as well. (from portal with remediation process)
targetScope = 'subscription'
param diagnosticSettingName string = 'kv-local-diag'
param location string = 'westus'
resource localWorkspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' existing = {
scope: resourceGroup('myResourceGroup')
name: 'la-demo-01'
}
resource kvPolicy 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {
name: 'bicepKvPolicy'
properties: {
displayName: 'Keyvault central diagnostics policy'
description: 'DeployIfNotExists a when diagnostic is not available for the keyvault'
policyType: 'Custom'
mode: 'All'
metadata: {
category: 'Custom'
source: 'Bicep'
version: '0.1.0'
}
parameters: {}
policyRule: {
if: {
allOf: [
{
field: 'type'
equals: 'microsoft.keyvault/vaults'
}
]
}
then: {
effect: 'deployIfNotExists'
details: {
roleDefinitionIds: [
'/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
]
type: 'Microsoft.Insights/diagnosticSettings'
existenceCondition: {
allOf: [
{
field: 'Microsoft.Insights/diagnosticSettings/logs[*].category'
equals: 'audit'
}
]
}
deployment: {
properties: {
mode: 'incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
parameters: {
resourceName: {
type: 'String'
metadata: {
displayName: 'resourceName'
description: 'Name of the resource'
}
}
}
variables: {}
resources: [
{
type: 'microsoft.keyvault/vaults/providers/diagnosticSettings'
apiVersion: '2021-05-01-preview'
name: diagnosticSettingName
scope: '[concat(parameters(\'resourceName\'),\'/Microsoft.Insights/\', \'-${diagnosticSettingName}\')]'
properties: {
workspaceId: localWorkspace.id
logs: [
{
category: 'AuditEvent'
categoryGroup: null
enabled: true
retentionPolicy: {
days: 90
enabled: true
}
}
]
metrics: [
{
category: 'AllMetrics'
enabled: true
retentionPolicy: {
days: 90
enabled: true
}
timeGrain: null
}
]
}
}
]
}
}
parameters: {
resourceName: {
value: '[field(\'name\')]'
}
}
}
}
}
}
}
}
resource bicepExampleAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
name: 'bicepExampleAssignment'
location: location
identity: {
type: 'SystemAssigned'
}
properties: {
displayName: 'KV diagnostic policy assignement'
description: 'KV diagnostic policy assignment'
enforcementMode: 'Default'
metadata: {
source: 'Bicep'
version: '0.1.0'
}
policyDefinitionId: kvPolicy.id
resourceSelectors: [
{
name: 'selector'
selectors: [
{
kind: 'resourceType'
in: [
'microsoft.keyvault/vaults'
]
}
]
}
]
nonComplianceMessages: [
{
message: 'Resource is not compliant with a DeployIfNotExists policy'
}
]
}
}
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
name: guid(bicepExampleAssignment.name, bicepExampleAssignment.type, subscription().subscriptionId)
properties: {
principalId: bicepExampleAssignment.identity.principalId
roleDefinitionId: '/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
}
}After my deployment, I can see that my policy is created and assigned properly. When I create a remediation task in the Azure portal. Also, I can see that the policy is picking up Key Vaults with missing diagnostic settings.
At this stage, I'm creating a remediation task and expecting the task to deploy the diagnostic setting. But when I check the result, I can see that the task failed with the error below: Details Code InvalidTemplate Message Deployment template validation failed: 'The value for the template parameter 'resourceName' at line '1' and column '223' is not provided. Please see https://aka.ms/arm-create-parameter-file for usage details.'.
I understand that the resource creation operation complains about the parameter value (resourceName) not being provided. But I expect the remediation task to automatically pick the resource name from the resources listed by the compliance process.
I would so much appreciate that if you can advise me on what might be missing / wrong in my bicep template.
Your code looks good for me. The Parameters object in the bicep template is missing some braces. Check it to ensure that you are following the correct template and that there are no syntax errors.
I modified your code as below and it worked for me.
targetScope = 'subscription'
param diagnosticSettingName string = 'kv-local-diag'
param location string = 'westus'
resource localWorkspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' existing = {
scope: resourceGroup('myResourceGroup')
name: 'newws'
}
resource kvPolicy 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {
name: ''
properties: {
displayName: 'Keyvault central diagnostics policy'
description: ''
policyType: 'Custom'
mode: 'All'
metadata: {
category: 'Custom'
source: 'Bicep'
version: '0.1.0'
}
parameters: {}
policyRule: {
if: {
allOf: [
{
field: 'type'
equals: 'microsoft.keyvault/vaults'
}
]
}
then: {
effect: 'deployIfNotExists'
details: {
roleDefinitionIds: [
'/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
]
type: 'Microsoft.Insights/diagnosticSettings'
existenceCondition: {
allOf: [
{
field: 'Microsoft.Insights/diagnosticSettings/logs[*].category'
equals: 'audit'
}
]
}
deployment: {
properties: {
mode: 'incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
parameters: {
resourceName: {
type: 'String'
metadata: {
displayName: 'resourceName'
description: 'Name of the resource'
}
}
}
resources: [
{
type: 'Microsoft.Insights/diagnosticSettings'
name: 'efef'
apiVersion: '2017-05-01-preview'
properties: {
workspaceId: localWorkspace.id
logs: [
{
category: 'AuditEvent'
enabled: true
retentionPolicy: {
enabled: true
days: 30
}
}
]
}
}
]}
parameters: {
resourceName: {
value: [resourceId('Microsoft.KeyVault/vaults', 'name')]
}
}
}
}
}
}
}
}
}
Deployed using below Az CLI commands:
az bicep build --file <filename.bicep>
az deployment group create --name Deployment --resource-group <resourceGroup> --template-file <filename.bicep>
Output:
