Comments (10)
Your policy definition is flawed in some way. You can test this independent of EPAC. I included the whole fixed Policy below.
- Your "properties" needs to span the rest of the Policy instead of only displayName and description (this caused your error).
- "assigmentName" is not a legal field value -> remove
- "disabledAlerts" should be an empty list, not a list with one empty string as the only entry
Sidebar GitHub markdown tip -- enclose your JSON with a line containing ```` ```json ```` and end the code block with a line containing ```` ``` ````. This makes it readable in GitHub itself (like the code below).
```json
{
  "name": "emailalerts",
  "properties": {
    "displayName": "EPACemailalerts",
    "description": "EPACemailalerts",
    "parameters": {
      "securityAlertPolicyEmail": {
        "type": "String",
        "metadata": {
          "description": "The email address to send alerts",
          "displayName": "Email Address"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/managedInstances"
          }
        ]
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Sql/managedInstances/databases/securityAlertPolicies",
          "name": "default",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/state",
                "equals": "Enabled"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "location": {
                    "type": "string"
                  },
                  "sqlManagedInstanceName": {
                    "type": "string"
                  },
                  "sqlManagedInstanceDataBaseName": {
                    "type": "string"
                  },
                  "securityAlertPolicyEmail": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Sql/managedInstances/databases/securityAlertPolicies",
                    "apiVersion": "2017-03-01-preview",
                    "name": "[concat(parameters('sqlManagedInstanceName'), '/', parameters('sqlManagedInstanceDataBaseName'), '/default')]",
                    "properties": {
                      "state": "Enabled",
                      "disabledAlerts": [],
                      "emailAddresses": [
                        "[parameters('securityAlertPolicyEmail')]"
                      ],
                      "emailAccountAdmins": true,
                      "storageEndpoint": null,
                      "storageAccountAccessKey": "",
                      "retentionDays": 0
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "sqlManagedInstanceName": {
                  "value": "[first(split(field('fullname'),'/'))]"
                },
                "sqlManagedInstanceDataBaseName": {
                  "value": "[field('name')]"
                },
                "securityAlertPolicyEmail": {
                  "value": "[parameters('securityAlertPolicyEmail')]"
                }
              }
            }
          }
        }
      }
    }
  }
}
```
from enterprise-azure-policy-as-code.
Hello,
Thanks a lot for fixing the file and for the JSON tips.
I still get the error:
```
Create new and replaced (create) Policy definitions (1)
  "emailalerts" - "EPACemailalerts"
Loaded Module 'Az.Accounts'
Loaded Module 'Az.MSGraph'
Loaded Module 'Az.Accounts'
Loaded Module 'Az.Authorization'
New-AzPolicyDefinition: /home/vsts/work/1/s/Scripts/Deploy/Deploy-AzPoliciesInitiativesAssignmentsFromPlan.ps1:195
Line |
 195 |  $null = New-AzPolicyDefinition @policyDefinition
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Unexpected character encountered while parsing value: T. Path
     | '', line 0, position 0.
##[error]PowerShell exited with code '1'.
```
This is the artifact that got generated:
```json
{
  "updatedPolicyDefinitions": {},
  "deletedInitiativeDefinitions": {},
  "expiredExemptions": {},
  "createdOn": "2022-08-18 06:03:18Z",
  "deletedExemptions": {},
  "deletedAssignments": {},
  "noChanges": false,
  "replacedExemptions": {},
  "updatedExemptions": {},
  "addedRoleAssignments": {
    "/subscriptions/xxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyAssignments/epacsqlalert": {
      "roles": [
        {
          "scope": "/subscriptions/xxxxxxxxxxxxxxxx",
          "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
          "roleDisplayName": "SQL Security Manager"
        }
      ],
      "identity": null,
      "DisplayName": "epac sql alerts"
    },
    "/subscriptions/xxxxxxx/providers/Microsoft.Authorization/policyAssignments/epacsqlalert": {
      "roles": [
        {
          "scope": "/subscriptions/xxxxxxx",
          "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
          "roleDisplayName": "SQL Security Manager"
        }
      ],
      "identity": null,
      "DisplayName": "epac sql alerts"
    }
  },
  "replacedAssignments": {},
  "removedRoleAssignments": {},
  "rootScopeId": "/subscriptions/xxxxxxxxxx",
  "updatedAssignments": {},
  "deletedPolicyDefinitions": {},
  "newInitiativeDefinitions": {},
  "updatedInitiativeDefinitions": {},
  "replacedPolicyDefinitions": {},
  "newPolicyDefinitions": {
    "emailalerts": {
      "Metadata": null,
      "Description": "EPACemailalerts",
      "Name": "emailalerts",
      "Mode": "All",
      "Policy": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Sql/managedInstances"
            }
          ]
        },
        "then": {
          "effect": "DeployIfNotExists",
          "details": {
            "type": "Microsoft.Sql/managedInstances/databases/securityAlertPolicies",
            "name": "default",
            "existenceCondition": {
              "allOf": [
                {
                  "field": "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/state",
                  "equals": "Enabled"
                }
              ]
            },
            "roleDefinitionIds": [
              "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3"
            ],
            "deployment": {
              "properties": {
                "mode": "incremental",
                "template": {
                  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "parameters": {
                    "location": {
                      "type": "string"
                    },
                    "sqlManagedInstanceName": {
                      "type": "string"
                    },
                    "sqlManagedInstanceDataBaseName": {
                      "type": "string"
                    },
                    "securityAlertPolicyEmail": {
                      "type": "string"
                    }
                  },
                  "variables": {},
                  "resources": [
                    {
                      "type": "Microsoft.Sql/managedInstances/databases/securityAlertPolicies",
                      "apiVersion": "2017-03-01-preview",
                      "name": "[concat(parameters('sqlManagedInstanceName'), '/', parameters('sqlManagedInstanceDataBaseName'), '/default')]",
                      "properties": {
                        "state": "Enabled",
                        "disabledAlerts": [],
                        "emailAddresses": [
                          "[parameters('securityAlertPolicyEmail')]"
                        ],
                        "emailAccountAdmins": true,
                        "storageEndpoint": null,
                        "storageAccountAccessKey": "",
                        "retentionDays": 0
                      }
                    }
                  ],
                  "outputs": {}
                },
                "parameters": {
                  "location": {
                    "value": "[field('location')]"
                  },
                  "sqlManagedInstanceName": {
                    "value": "[first(split(field('fullname'),'/'))]"
                  },
                  "sqlManagedInstanceDataBaseName": {
                    "value": "[field('name')]"
                  },
                  "securityAlertPolicyEmail": {
                    "value": "[parameters('securityAlertPolicyEmail')]"
                  }
                }
              }
            }
          }
        }
      },
      "SubscriptionId": "xxxxxxxxxxxxxxxxxxx",
      "DisplayName": "EPACemailalerts",
      "Parameter": {
        "securityAlertPolicyEmail": {
          "type": "String",
          "metadata": {
            "description": "The email address to send alerts",
            "displayName": "Email Address"
          }
        }
      }
    }
  },
  "orphanedExemptions": {},
  "newAssignments": {
    "/subscriptions/xxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyAssignments/epacsqlalert": {
      "Metadata": {
        "roles": [
          {
            "scope": "/subscriptions/xxxxxxxxxxxxxxxx",
            "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
            "roleDisplayName": "SQL Security Manager"
          }
        ]
      },
      "Description": "epac sql alerts",
      "Name": "epacsqlalert",
      "managedIdentityLocation": "northeurope",
      "identityRequired": true,
      "policyId": "/subscriptions/xxxxxxxx/providers/Microsoft.Authorization/policyDefinitions/emailalerts",
      "PolicyParameterObject": {
        "securityAlertPolicyEmail": "[email protected]"
      },
      "DisplayName": "epac sql alerts",
      "Scope": "/subscriptions/xxxxxxxxxxxxxxxx",
      "Id": "/subscriptions/xxxxxxxxxxxxxxxx/providers/Microsoft.Authorization/policyAssignments/epacsqlalert",
      "EnforcementMode": "Default",
      "NotScope": [
        "/subscriptions/xxxxxxxxxxxxxxxx"
      ]
    },
    "/subscriptions/xxxxxx/providers/Microsoft.Authorization/policyAssignments/epacsqlalert": {
      "Metadata": {
        "roles": [
          {
            "scope": "/subscriptions/xxxxxx",
            "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
            "roleDisplayName": "SQL Security Manager"
          }
        ]
      },
      "Description": "epac sql alerts",
      "Name": "epacsqlalert",
      "managedIdentityLocation": "northeurope",
      "identityRequired": true,
      "policyId": "/subscriptions/xxxxxxxxx/providers/Microsoft.Authorization/policyDefinitions/emailalerts",
      "PolicyParameterObject": {
        "securityAlertPolicyEmail": {
          "value": "[email protected]"
        }
      },
      "DisplayName": "epac sql alerts",
      "Scope": "/subscriptions/xxxxxxx",
      "Id": "/subscriptions/xxxxxxxx/providers/Microsoft.Authorization/policyAssignments/epacsqlalert",
      "EnforcementMode": "Default"
    }
  },
  "tenantID": null,
  "rootScope": {
    "SubscriptionId": "xxxxxx"
  },
  "replacedInitiativeDefinitions": {},
  "newExemptions": {}
}
```
Nothing strikes me as wrong.
Before going the support route:
Can you try to add metadata with a category, please? If that works, it would be a bug in EPAC.
Hi,
Added the metadata, and now the policy deployed correctly.
Bug #1? :).
Thanks,
Miguel
This is a bug. I'll slot it into the next release. Likely late next week.
This bug also occurs when there are no parameters and the block is omitted from the JSON, which does happen. Can we handle this, or if not, add some better error messages on the Confirm-ParametersMatch call?
The current fix is to add the line into the definition, left blank:
```json
{
  "name": "Newly created GUID",
  "properties": {
    "displayName": "Policy Display Name",
    "policyType": "Custom",
    "mode": "All",
    "description": "Policy Description",
    "metadata": {
      "version": "1.0.0",
      "category": "Your Category"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "Insert Logic Here"
      },
      "then": {
        "effect": "Audit, Deny, Modify, etc.",
        "details": {
          "roleDefinitionIds": [],
          "operations": []
        }
      }
    }
  }
}
```
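The three fixes in the first comment (the `properties` object must enclose `parameters` and `policyRule`, no assignment-name field at top level, `disabledAlerts` as an empty list rather than `[""]`) and the omitted `parameters` block and missing `metadata.category` discussed later are all shape problems that can be caught before `New-AzPolicyDefinition` turns them into the opaque "Unexpected character encountered while parsing value" failure shown above. The Python lint below is an added example for this thread, not EPAC project code or anything a commenter posted; the allowed key sets, the finding codes and the two sample definitions are constructed assumptions based on the files shown in the thread.

```python
"""Pre-deployment lint for an EPAC-style policy definition JSON file.

Added example, not EPAC project code: it encodes the structural pitfalls
discussed in this thread so they fail fast in a pipeline step instead of as
an opaque JSON parse error from New-AzPolicyDefinition.
"""
import json
import sys

# Assumed key sets, taken from the definition files shown in this thread
# (Azure also accepts a "version" string under properties).
ALLOWED_TOP_LEVEL = {"name", "properties"}
ALLOWED_PROPERTIES = {"displayName", "description", "policyType", "mode",
                      "metadata", "parameters", "policyRule", "version"}
# Keys that land at top level when "properties" is closed too early.
MISPLACED = ALLOWED_PROPERTIES - {"displayName", "description"}


def _walk(node, path=""):
    """Yield (path, key, value) for every key anywhere in a JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            yield child, key, value
            yield from _walk(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def lint_policy(doc):
    """Return a list of (code, message) findings; an empty list means clean.

    E_* findings make the file unusable; W_* findings are the omissions this
    thread found EPAC (before v6.0) could not cope with.
    """
    findings = []
    if not isinstance(doc, dict):
        return [("E_ROOT", "policy definition must be a JSON object")]
    for key in doc:
        if key in MISPLACED:
            findings.append(("E_MISPLACED",
                             f'"{key}" is at top level but belongs inside "properties"'))
        elif key not in ALLOWED_TOP_LEVEL:
            findings.append(("E_UNKNOWN_KEY", f'"{key}" is not a legal top-level field'))
    props = doc.get("properties")
    if not isinstance(props, dict):
        findings.append(("E_NO_PROPERTIES", '"properties" object is missing'))
        return findings
    for key in props:
        if key not in ALLOWED_PROPERTIES:
            findings.append(("E_UNKNOWN_KEY", f'"properties.{key}" is not a legal field'))
    if "policyRule" not in props:
        findings.append(("E_NO_RULE",
                         '"properties.policyRule" missing: was "properties" closed too early?'))
    if "parameters" not in props:
        findings.append(("W_NO_PARAMETERS",
                         'no "parameters" object: add "parameters": {} even when unused'))
    meta = props.get("metadata")
    if not isinstance(meta, dict) or "category" not in meta:
        findings.append(("W_NO_CATEGORY", 'no "metadata.category": add one'))
    # disabledAlerts anywhere in the tree must be a list of alert names;
    # [""] is not "nothing disabled", [] is.
    for path, key, value in _walk(doc):
        if key == "disabledAlerts" and (not isinstance(value, list) or
                                        any(not isinstance(v, str) or not v for v in value)):
            findings.append(("E_DISABLED_ALERTS",
                             f'{path} must be a list of alert names; use [] for none'))
    return findings


def lint_file(path):
    """Lint a policy definition file on disk; returns the findings list."""
    with open(path, encoding="utf-8") as fh:
        return lint_policy(json.load(fh))


# Constructed sample with the defects from the first comment: "properties"
# closed after description, an illegal top-level field, disabledAlerts [""].
BROKEN_POLICY = {
    "name": "emailalerts",
    "assignmentName": "epacsqlalert",
    "properties": {"displayName": "EPACemailalerts", "description": "EPACemailalerts"},
    "parameters": {"securityAlertPolicyEmail": {"type": "String"}},
    "policyRule": {
        "if": {"field": "type", "equals": "Microsoft.Sql/managedInstances"},
        "then": {"effect": "DeployIfNotExists", "details": {"deployment": {"properties": {
            "template": {"resources": [{"properties": {"disabledAlerts": [""]}}]}}}}},
    },
}

# Constructed sample in the shape the thread settled on (metadata with a
# category, explicit parameters, everything under "properties").
FIXED_POLICY = {
    "name": "emailalerts",
    "properties": {
        "displayName": "EPACemailalerts",
        "description": "EPACemailalerts",
        "mode": "All",
        "metadata": {"version": "1.0.0", "category": "SQL"},
        "parameters": {"securityAlertPolicyEmail": {"type": "String"}},
        "policyRule": {
            "if": {"field": "type", "equals": "Microsoft.Sql/managedInstances"},
            "then": {"effect": "DeployIfNotExists", "details": {"deployment": {"properties": {
                "template": {"resources": [{"properties": {"disabledAlerts": []}}]}}}}},
        },
    },
}

if __name__ == "__main__":
    targets = sys.argv[1:]
    results = ([(p, lint_file(p)) for p in targets] if targets else
               [("BROKEN_POLICY", lint_policy(BROKEN_POLICY)),
                ("FIXED_POLICY", lint_policy(FIXED_POLICY))])
    for name, found in results:
        print(f"{name}: {'clean' if not found else ''}")
        for code, msg in found:
            print(f"  {code}: {msg}")
    sys.exit(1 if any(c.startswith("E_") for _, f in results for c, _ in f) else 0)
```

Run it with no arguments to see the two samples scored, or pass one or more definition files (`python lint_policy.py Definitions/Policies/*.json`) as a pipeline step before the EPAC plan; the non-zero exit on any `E_` finding is what makes it useful as a gate, while the `W_` findings only flag the omissions that this thread showed produced the unhelpful parse error.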
I'll add this in the v6 release next week
@martyh888 Does this happen on New definitions??
> @martyh888 Does this happen on New definitions??

Yes, I created a new policy definition without a parameters block, as there was none in the current policy in the portal, and got the error. I haven't tried on an existing definition.
Solved in v6.0