How to create in Terraform Azure PolicyDefinition with local JSON-file?
I want to create an Azure PolicyDefinition and I am using the code below:
resource "azurerm_policy_definition" "name-caf-alz-policy-sandbox-denyvnetpeering" {
name = "Audit-AzureHybridBenefit"
display_name = "Unused resources driving cost should be avoided"
description = "Optimize cost by enabling Azure Hybrid Benefit. Leverage this Policy definition as a cost control to reveal Virtual Machines not using AHUB."
mode = "All"
policy_type = "Custom"
policy_rule = file("${path.module}/lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json")
management_group_id = data.azurerm_management_group.namemgmtgroup.id
}
When I run this command via Azure DevOps, Terraform Validate, Init, and Plan are working but when I do Terraform Apply I get this error:
creating/updating Policy Definition "Audit-AzureHybridBenefit": policy.DefinitionsClient#CreateOrUpdateAtManagementGroup: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidPolicyRule" Message="Failed to parse policy rule: 'Could not find member 'apiVersion' on object of type 'PolicyRuleDefinition'. Path 'apiVersion'.'."
When I change the policy_rule to
jsonencode(file("${path.module}/lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json"))
Error: expanding JSON for policy_rule: JSON: cannot unmarshal string into Go value of type map[string]interface {}
The JSON-file itself works succesfully when creating it via the GUI.
JSON-file itself can be found at
The issue indicates that the Apiversion property, which is present in the Json file path you provided, is incompatible. The Structure of Policy defintion Json as specified in this Doc should not always include the apiversion property.
To verify the issue properly, I've tried adding the Json policy in the policy rule of .tf file and it worked as expected as shown.
provider "azurerm"{
features{}
}
resource "azurerm_policy_definition" "name-caf-alz-policy-sandbox-denyvnetpeering" {
name = "Audit-AzureHybridBenefit"
display_name = "Unused resources driving cost should be avoided"
description = "Optimize cost by enabling Azure Hybrid Benefit. Leverage this Policy definition as a cost control to reveal Virtual Machines not using AHUB."
mode = "All"
policy_type = "Custom"
policy_rule = <<POLICY_RULE
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
},
{
"field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
"notcontains": "[[subscription().id]"
}
]
},
"then": {
"effect": "[[parameters('effect')]"
}
}
POLICY_RULE
}
As you are not using parameters in the Policy, I have not included the parameters block below. If required, you may add it to the policyrule with the following structure to make it work.
parameters = <<PARAMETERS
{
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
}
}
PARAMETERS
Executed terraform init and validated the configuration using terraform validate:
Executed terraform apply:
Created policy definition successfully in the Portal:
Or
if you only want to work with file(path) function, you don't need to include jsonencode function because the policy_rule input to the azurerm_policy_definition resource should be a map representing the JSON structure, not a string. Make sure the syntax and path has correctly given.
- How can I define compile time constants in bicep configuration language?
- Outlook calendar don't render with FullCalendar
- Azure functions decoding error for IotHub device connection state message schema
- How do I set scope in Azure API Manager (APIM) when using D_application_id
- How to mount multiple disks in a loop using ansible
- How can I get sub value in nested json via KQL?
- Azure .NET SDK: Scale Azure SQL databases through SDK
- How can I invoke Azure Trusted Signing from a Linux OS?
- How to transfer "Set Variable" activity output into Json file using "Copy Data" activity or any other options?
- Verify Microsoft Access token on my ASP.NET Core Web API
- I'm trying to install the package from a private Azure DevOps repository using the pip install command, but I'm encountering an error
- Unable to define the sites for an App Registration for SahrePoint with Site.Selected
- Check if the resource exists before using data
- Not able to see azure 'LifecyclePolicyCompleted event' log
- Direct Web Push gives Error when used from Notification Hub
- Azure Remove User Consent to API
- Flutter-Azure Deviops pipelineThe discrepancy between the number of tests reported as passed or failed in the pipeline output and the test report
- App_location on deployment of a static webapp
- MSINotEnabled - Can't use KeyVault Reference in Azure Function
- Reading values from a key value based file and passing these values to azure devops template
- Deleting an Azure Loadbalancer Frontend IP configuration from python?
- How to retrieve the front door id from a Microsoft CDN (classic)
- What is HEAD operation in CosmosDB reported in Azure Monitoring
- Deploying a Python App to Azure App Service with Github Actions
- How to Query User Access Logs for Azure Front Door
- How can I add email recipients to a Graph API request programmatically?
- How to create Azure Devops Service Connection Docker Registry Type Other
- Problem with CORS policy in React front end with FastAPI on the back trying to use Microsoft Single Sign-on
- Azure Document Intelligence Custom Classification Python API
- Azure Function App unaccounted for time in Application Insights Timeline