I have the following policy rule. Ultimately it should check for the existence of a resource group at subscription level. If it does not exist, a remediation task (a deployment) should be started. I would like to pass parameters to this rule.
{
"if": {
"field": "type",
"equals": "Microsoft.Resources/subscriptions"
},
"then": {
"effect": "DeployIfNotExists",
"details": {
"type": "Microsoft.Resources/subscriptions/resourceGroups",
"name": "my_resource_group",
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/{builtinroleGUID}"
],
"existenceScope": "Subscription",
"existenceCondition": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "name",
"equals": "parameters('resourceGroup')"
}
]
},
"deploymentScope": "Subscription",
"deployment": {
"location": "westeurope",
"properties": {
"mode": "incremental",
"parameters": {
"targetResourceGroup": {
"value": "[parameters('resourceGroup')]"
},
"ascWorkflowName": {
"value": "[parameters('securityAutomationWorkflowName')]"
},
"location": {
"value": "[parameters('location')]"
},
"logicAppName": {
"value": "[parameters('logicAppName')]"
},
"logicAppSubscription": {
"value": "[parameters('logicAppSubscription')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"targetResourceGroup": {
"type": "string"
},
"ascWorkflowName": {
"type": "string"
},
"location": {
"type": "string",
"defaultValue": "westeurope"
},
"logicAppName": {
"type": "string"
},
"logicAppSubscription": {
"type": "string"
}
},
"variables": {
"logicAppName": "[parameters('logicAppName')]",
"logicAppTriggerName": "When_an_Azure_Security_Center_Recommendation_is_created_or_triggered",
"logicAppResourceId": "[concat('/subscriptions/', parameters('logicAppSubscription'), '/resourceGroups/', parameters('targetResourceGroup') , '/providers/Microsoft.Logic/workflows/', variables('logicAppName'))]",
"ascWorkflowTriggerId": "[concat('/subscriptions/', parameters('logicAppSubscription'), '/resourceGroups/', parameters('targetResourceGroup') , '/providers/Microsoft.Logic/workflows/', variables('logicAppName') ,'/triggers/', variables('logicAppTriggerName'))]"
},
"resources": [
{
"apiVersion": "2019-01-01-preview",
"name": "[parameters('ascWorkflowName')]",
"type": "Microsoft.Security/automations",
"location": "westeurope",
"tags": {},
"properties": {
"description": "Workflow to push security center recommendations to our logicApp that routes it to serviceNow",
"isEnabled": true,
"scopes": [
{
"description": "[concat('scope for current subscriptionId:', subscription().subscriptionId)]",
"scopePath": "[concat('/subscriptions/',subscription().subscriptionId)]"
}
],
"sources": [
{
"eventSource": "Assessments",
"ruleSets": [
{
"rules": [
{
"propertyJPath": "type",
"propertyType": "String",
"expectedValue": "Microsoft.Security/assessments",
"operator": "Contains"
}
]
}
]
}
],
"actions": [
{
"logicAppResourceId": "[variables('logicAppResourceId')]",
"actionType": "LogicApp",
"uri": "[listCallbackUrl(variables('ascWorkflowTriggerId'), '2016-06-01').value]"
}
]
}
}
]
}
}
}
}
}
}
With this setup I would expect the resourceGroup parameter reference to link to the parameter of the parent policy set / initiative. Instead I get an error when running the Azure CLI from PowerShell. Why do I get this error?
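function ConvertTo-PolicyJson {
    <#
    .SYNOPSIS
    Serializes a PowerShell object to single-line JSON with the double quotes
    escaped so the text can be handed to a native command (az) as one argument.

    .DESCRIPTION
    ConvertTo-Json is invoked with -Compress, so the result is already a single
    line and no newline stripping is required. Every double quote is then
    escaped following the Windows native-argument rule: any run of backslashes
    that sits directly in front of a quote is doubled, and the quote itself is
    prefixed with a backslash. This keeps JSON string values that contain
    quotes (which ConvertTo-Json emits as \") intact once the command line is
    re-parsed.

    .PARAMETER inputObject
    The object to serialize (hashtable, array or PSCustomObject).

    .PARAMETER Depth
    Maximum nesting depth handed to ConvertTo-Json. Levels below it are
    flattened to strings by ConvertTo-Json, so raise it for deeply nested
    policy rules. Defaults to 10, the value previously hard-coded.

    .OUTPUTS
    System.String - the escaped, single-line JSON text.

    .NOTES
    Remove-TypeData System.Array is a session-wide side effect, not local to
    this call. On PowerShell 7.3+ with $PSNativeCommandArgumentPassing set to
    Standard/Windows, PowerShell quotes native arguments itself; the manual
    escaping done here may then be applied twice - confirm on the target host.
    #>
    param (
        [PSCustomObject] $inputObject,
        [int] $Depth = 10
    )
    # See this issue with convertto-json array serialization problem -
    # https://stackoverflow.com/questions/20848507/why-does-powershell-give-different-result-in-one-liner-than-two-liner-when-conve/38212718#38212718
    # Remove the redundant ETS-supplied .Count property
    $null = Remove-TypeData System.Array -ErrorAction SilentlyContinue
    # -Compress produces one line; ConvertTo-Json escapes CR/LF inside string
    # values, so no raw line breaks survive that would need stripping.
    $json = ConvertTo-Json $inputObject -Depth $Depth -Compress
    # Double the backslashes that precede a quote, then escape the quote.
    # A plain '"' -> '\"' replacement would turn an embedded \" into \\" and
    # end the argument early.
    return [regex]::Replace($json, '(\\*)"', '$1$1\"')
}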
...
# Parameter declaration for the policy set: 'resourceGroup' is exposed at the
# initiative level with $ResourceGroup as its default.
# NOTE(review): declaring the parameter here is not enough for the set
# definition to count it as used; each referenced policy definition has to bind
# it as "[parameters('resourceGroup')]" rather than a literal value.
# NOTE(review): in the policy rule above, the existenceCondition compares the
# name against "parameters('resourceGroup')" without the surrounding [ ], which
# the policy engine treats as a literal string, while details.name is hard-coded
# to "my_resource_group" - confirm both are intended.
$resourceGroupMetadata = @{
    "description" = "The resource group where the resources are located in"
    "displayName" = "Resource group"
    "strongType"  = "existingResourceGroups"
}
$resourceGroupParameter = @{
    "type"         = "String"
    "defaultValue" = "$ResourceGroup"
    "metadata"     = $resourceGroupMetadata
}
$policyRuleParametersJson = ConvertTo-PolicyJson @{ "resourceGroup" = $resourceGroupParameter }
...
# Definitions array for the policy set: one entry per referenced policy
# definition, each carrying the parameter values it is invoked with.
# NOTE(review): the value handed to 'resourceGroup' below is the literal string
# "my_resource_group", not a reference to the set-level parameter declared in
# $policyRuleParametersJson. To bind that parameter the value would be
# "[parameters('resourceGroup')]"; a literal presumably leaves the set
# parameter unreferenced, which matches the "not used in referenced policy
# definitions" error quoted further down.
$policySetJson = ConvertTo-PolicyJson @(
@{
"policyDefinitionId" = "/subscriptions/$Subscription/providers/Microsoft.Authorization/policyDefinitions/$ResourceGroupExistsPolicyName"
"parameters" = @{
"resourceGroup" = @{
"value" = "my_resource_group"
} }
...
# Create (or update) the policy set at subscription scope. --definitions and
# --params receive the quote-escaped single-line JSON produced by
# ConvertTo-PolicyJson, so the escaping there and the native argument passing
# of the PowerShell version in use have to agree - if quoting problems appear,
# az also accepts "@<path-to-file>" for these JSON options, which sidesteps the
# command-line quoting entirely.
$policyDefinitionSetCreateResult = az policy set-definition create `
--subscription $Subscription `
--definitions $policySetJson `
--params $policyRuleParametersJson `
--name $PolicySetName `
--description $PolicySetDescription `
--display-name $PolicySetDisplayName
The error I am getting is:
The policy set 'my-policy-set' has defined parameters 'resourceGroup' which are not used in referenced policy definitions. Please either remove these parameters from the definition or ensure that they are used.
But as far as I know I have used the resourceGroup parameter. By the way, I condensed the example to a single parameter (resourceGroup); eventually I would like to use more parameters.
Can somebody help please?