I recently upgraded to the latest version and encountered a problem: the parameters defined for built-in policies are not passed through. I should mention that for custom policies everything works correctly. I will try to explain. I use a lot of built-in policies, for example the inheritance of tags from the resource group (I have several such policies). I defined the assignment in the following format, and each time the "PolicyParameterObject" value was empty (`{}`):
`
{
"nodeName": "/SP1-MO-000-InheritTag8FromResourceGroup",
"managedIdentityLocation": {
"*": "westeurope"
},
"assignment": {
"name": "SP1-MO-000-InheritTag8FromResourceGroup",
"displayName": "SP1-MO-000-InheritTag8FromResourceGroup",
"description": "Adds or replaces."
},
"definitionEntry": {
"policyName": "cd3aa116-8754-49c9-a813-ad46512ece54",
"friendlyNameToDocumentIfGuid": "SP1-MO-000-InheritTag8FromResourceGroup"
},
"parameters": {
"tagName": "cost"
},
"scope": {
"dev": [
"/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
]
}
}`
excerpt from policy-plan file:
`
"/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyAssignments/SP1-MO-000-InheritTag8FromResourceGroup": {
"Id": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyAssignments/SP1-MO-000-InheritTag8FromResourceGroup",
"EnforcementMode": "Default",
"PolicyParameterObject": {},
"managedIdentityLocation": "westeurope",
"Description": "Adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.",
"DisplayName": "SP1-MO-000-InheritTag8FromResourceGroup",
"Metadata": {
"roles": [
{
"roleDefinitionId": "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"roleDisplayName": "Contributor",
"scope": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
]
},
"identityRequired": true,
"Name": "SP1-MO-000-InheritTag8FromResourceGroup",
"Scope": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"policyId": "/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54"
},
`
After hours of troubleshooting and researching how the whole solution works, I found out that the "Build-AzPolicyAssignmentsPlan.ps1" file has been updated and the following 4 lines of code have been replaced by these two:
$parametersInDefinition = $initiativeDefinition.Parameter
$parametersInDefinition = $initiativeDefinition.parameters
$parametersInDefinition = $policyDefinition.Parameter
$parametersInDefinition = $policyDefinition.parameters
by
$parametersInDefinition = $initiativeDefinition.Parameter (line 133)
$parametersInDefinition = $policyDefinition.Parameter (line 162)
`
# Resolve the definition an assignment targets (exactly one of initiativeName / policyName is expected) and
# collect its resource id, its declared parameters, the role definitions a managed identity will need, and
# the text used in later messages. This runs inside the per-assignment loop that starts before this excerpt.
if ($policyAssignmentEntry.initiativeName) {
$name = $policyAssignmentEntry.initiativeName
if ($friendlyName) {
$policySpecText = "Initiative '$name' - '$friendlyName'"
}
else {
$policySpecText = "Initiative '$name'"
}
$result = Confirm-InitiativeDefinitionUsedExists -allInitiativeDefinitions $allInitiativeDefinitions -replacedInitiativeDefinitions $replacedInitiativeDefinitions -initiativeNameRequired $name
if ($result.usingUndefinedReference) {
# Unknown initiative reference: skip this assignment.
continue
}
else {
$initiativeDefinition = $allInitiativeDefinitions[$name]
# Both custom and built-in definitions are read through 'Parameter' here. The reporter observes that for
# built-in definitions this yields an empty PolicyParameterObject in the plan (see the excerpt above) —
# NOTE(review): verify which property name the built-in definition objects actually expose.
$parametersInDefinition = $initiativeDefinition.Parameter
if ($customInitiativeDefinitions.ContainsKey($name)) {
# is custom
$policyDefinitionId = $rootScopeId + "/providers/Microsoft.Authorization/policySetDefinitions/" + $name
}
else {
# is built in
$policyDefinitionId = "/providers/Microsoft.Authorization/policySetDefinitions/" + $name
}
$policySpec = @{ initiativeId = $policyDefinitionId }
if ($initiativeNeededRoleDefinitionIds.ContainsKey($name)) {
$roleDefinitionIds = $initiativeNeededRoleDefinitionIds.$name
}
}
}
elseif ($policyAssignmentEntry.policyName) {
$name = $policyAssignmentEntry.policyName
if ($friendlyName) {
$policySpecText = "Policy '$name' - '$friendlyName'"
}
else {
$policySpecText = "Policy '$($name)'"
}
$result = Confirm-PolicyDefinitionUsedExists -allPolicyDefinitions $allPolicyDefinitions -replacedPolicyDefinitions $replacedPolicyDefinitions -policyNameRequired $name
if ($result.usingUndefinedReference) {
# Unknown policy reference: skip this assignment.
continue
}
else {
$policyDefinition = $allPolicyDefinitions[$name]
# Same single property name for both custom and built-in policy definitions — same caveat as for initiatives.
$parametersInDefinition = $policyDefinition.Parameter
if ($customPolicyDefinitions.ContainsKey($name)) {
# is custom
$policyDefinitionId = $rootScopeId + "/providers/Microsoft.Authorization/policyDefinitions/" + $name
}
else {
# is built in
$policyDefinitionId = "/providers/Microsoft.Authorization/policyDefinitions/" + $name
}
$policySpec = @{ policyId = $policyDefinitionId }
if ($policyNeededRoleDefinitionIds.ContainsKey($name)) {
$roleDefinitionIds = $policyNeededRoleDefinitionIds.$name
}
}
}
else {
# Neither name given: report and skip so that values from a previous iteration are not reused.
Write-Error "Neither policyName nor initiativeName specified for Assignment `'$($def.assignment.DisplayName)`' ($($def.assignment.Name)) - must specify exactly one"
continue
}
`
after the changes I made below everything returned to normal
`
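# Resolve the definition an assignment targets (exactly one of initiativeName / policyName is expected) and
# collect its resource id, its declared parameters, the role definitions a managed identity will need, and
# the text used in later messages. This runs inside the per-assignment loop that starts before this excerpt.
#
# Custom definitions expose their parameters as 'Parameter'; per the reporter's observation, built-in
# definition objects expose them as 'parameters' instead. The built-in branches read that name and fall
# back to 'Parameter' so the declared parameters are never silently dropped to an empty object — confirm
# against the loader that populates $allInitiativeDefinitions / $allPolicyDefinitions.
if ($policyAssignmentEntry.initiativeName) {
    $name = $policyAssignmentEntry.initiativeName
    if ($friendlyName) {
        $policySpecText = "Initiative '$name' - '$friendlyName'"
    }
    else {
        $policySpecText = "Initiative '$name'"
    }
    $result = Confirm-InitiativeDefinitionUsedExists -allInitiativeDefinitions $allInitiativeDefinitions -replacedInitiativeDefinitions $replacedInitiativeDefinitions -initiativeNameRequired $name
    if ($result.usingUndefinedReference) {
        # Unknown initiative reference: skip this assignment.
        continue
    }
    else {
        $initiativeDefinition = $allInitiativeDefinitions[$name]
        if ($customInitiativeDefinitions.ContainsKey($name)) {
            # is custom
            $policyDefinitionId = $rootScopeId + "/providers/Microsoft.Authorization/policySetDefinitions/" + $name
            $parametersInDefinition = $initiativeDefinition.Parameter
        }
        else {
            # is built in — read from the *initiative* definition; $policyDefinition is not set in this branch.
            $policyDefinitionId = "/providers/Microsoft.Authorization/policySetDefinitions/" + $name
            $parametersInDefinition = $initiativeDefinition.parameters
            if ($null -eq $parametersInDefinition) {
                $parametersInDefinition = $initiativeDefinition.Parameter
            }
        }
        $policySpec = @{ initiativeId = $policyDefinitionId }
        if ($initiativeNeededRoleDefinitionIds.ContainsKey($name)) {
            $roleDefinitionIds = $initiativeNeededRoleDefinitionIds.$name
        }
    }
}
elseif ($policyAssignmentEntry.policyName) {
    $name = $policyAssignmentEntry.policyName
    if ($friendlyName) {
        $policySpecText = "Policy '$name' - '$friendlyName'"
    }
    else {
        $policySpecText = "Policy '$($name)'"
    }
    $result = Confirm-PolicyDefinitionUsedExists -allPolicyDefinitions $allPolicyDefinitions -replacedPolicyDefinitions $replacedPolicyDefinitions -policyNameRequired $name
    if ($result.usingUndefinedReference) {
        # Unknown policy reference: skip this assignment.
        continue
    }
    else {
        $policyDefinition = $allPolicyDefinitions[$name]
        if ($customPolicyDefinitions.ContainsKey($name)) {
            # is custom
            $policyDefinitionId = $rootScopeId + "/providers/Microsoft.Authorization/policyDefinitions/" + $name
            $parametersInDefinition = $policyDefinition.Parameter
        }
        else {
            # is built in — same fallback as for initiatives.
            $policyDefinitionId = "/providers/Microsoft.Authorization/policyDefinitions/" + $name
            $parametersInDefinition = $policyDefinition.parameters
            if ($null -eq $parametersInDefinition) {
                $parametersInDefinition = $policyDefinition.Parameter
            }
        }
        $policySpec = @{ policyId = $policyDefinitionId }
        if ($policyNeededRoleDefinitionIds.ContainsKey($name)) {
            $roleDefinitionIds = $policyNeededRoleDefinitionIds.$name
        }
    }
}
else {
    # Neither name given: report and skip, so that $name/$policySpec from a previous iteration are not reused.
    Write-Error "Neither policyName nor initiativeName specified for Assignment `'$($def.assignment.DisplayName)`' ($($def.assignment.Name)) - must specify exactly one"
    continue
}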
`
Did a similar problem occur for you?
Was replacing 'Parameter' and 'parameters' with just 'Parameter' intentional?
br,
Aleksander