
I'm working on infrastructure as code (IaC) using ARM templates and I'm creating and assigning a policy initiative to a subscription. In the code below I have assigned two definitions to the initiative and the template works correctly, creating the initiative definition and assigning it to my subscription. In the code you see that the first definition has a parameter named "effect". This is the name of the pre-defined parameter. But the second definition also has a parameter called "effect". How do I define a second parameter in the initiative, which I can use for the second definition?

I'm using New-AzDeployment to deploy the template and we're going to use AzDo for IaC.

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "scopeResourceId": "[subscription().id]",
    "policySetDefinitionLocation": "westeurope",
    "policyInitiativeDefinitionName": "MyDefinition",
    "policyInitiativeAssignmentName": "MyDefinitionAssignment",
    "policyInitiativeDisplayName": "My Definition",

    "policyDefinitionIdStorageAccountsEnableHttps": "404c3081-a854-4457-ae30-26a93ef643f9",
    "policyDefinitionIdStorageAccountsTrustMicrosoftServices": "c9d007d0-c057-4772-b18c-01e546713bcd"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policySetDefinitions",
      "apiVersion": "2019-09-01",
      "name": "[variables('policyInitiativeDefinitionName')]",
      "properties": {
        "displayName": "[variables('policyInitiativeDisplayName')]",
        "policyType": "Custom",
        "parameters": {
          "effect": {
            "type": "string",
            "metadata": {
              "displayName": "Secure transfer to storage accounts should be enabled",
              "description": "Enable or disable the monitoring of secure transfer for storage accounts"
            },
            "allowedValues": [
              "Audit",
              "Deny",
              "Disabled"
            ],
            "defaultValue": "Audit"
          }
        },
        "policyDefinitions": [
          {
            "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionIdStorageAccountsEnableHttps'))]",
            "parameters": {
              "effect": {
                "value": "Audit"
              }
            }
          },
          {
            "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionIdStorageAccountsTrustMicrosoftServices'))]"
          }
        ]
      }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2019-09-01",
      "name": "[variables('policyInitiativeAssignmentName')]",
      "location": "[variables('policySetDefinitionLocation')]",
      "dependsOn": [
        "[variables('policyInitiativeDefinitionName')]"
      ],
      "properties": {
        "scope": "[variables('scopeResourceId')]",
        "policyDefinitionId": "[extensionResourceId(variables('scopeResourceId'), 'Microsoft.Authorization/policySetDefinitions', variables('policyInitiativeDefinitionName'))]",
        "displayName": "[variables('policyInitiativeDisplayName')]",
        "parameters": {
          "effect": {
            "value": "Deny"
          }
        }
      }
    }
  ]
}

Below is an example of what I'm looking for. I can't name both parameters "effect", because there can't be duplicate parameters. But I think I can't name the parameter "effect1" (like in the example below), because I get the error: "The policy set definition 'MyDefinition' is attempting to assign the parameter(s) 'effect1' which are not defined in the policy definition".

{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "variables": {
        "scopeResourceId": "[subscription().id]",
        "policySetDefinitionLocation": "westeurope",
        "policyInitiativeDefinitionName": "MyDefinition",
        "policyInitiativeAssignmentName": "MyDefinitionAssignment",
        "policyInitiativeDisplayName": "My Definition",

        "policyDefinitionIdStorageAccountsEnableHttps": "404c3081-a854-4457-ae30-26a93ef643f9",
        "policyDefinitionIdStorageAccountsTrustMicrosoftServices": "c9d007d0-c057-4772-b18c-01e546713bcd"
    },
    "resources": [
        {
            "type": "Microsoft.Authorization/policySetDefinitions",
            "apiVersion": "2019-09-01",
            "name": "[variables('policyInitiativeDefinitionName')]",
            "properties": {
                "displayName": "[variables('policyInitiativeDisplayName')]",
                "policyType": "Custom",
                "parameters": {
                    "effect": {
                        "type": "string",
                        "metadata": {
                            "displayName": "Secure transfer to storage accounts should be enabled",
                            "description": "Enable or disable the monitoring of secure transfer for storage accounts"
                        },
                        "allowedValues": [
                            "Audit",
                            "Deny",
                            "Disabled"
                        ],
                        "defaultValue": "Audit"
                    },
                    "effect1": {
                        "type": "string",
                        "metadata": {
                            "displayName": "Storage accounts should allow access from trusted Microsoft services",
                            "description": "Enable or disable the monitoring of allowing access from trusted Microsoft services for storage accounts"
                        },
                        "allowedValues": [
                            "Audit",
                            "Deny",
                            "Disabled"
                        ],
                        "defaultValue": "Audit"
                    }
                },
                "policyDefinitions": [
                    {
                        "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionIdStorageAccountsEnableHttps'))]",
                        "parameters": {
                            "effect": {
                                "value": "Audit"
                            }
                        }
                    },
                    {
                        "policyDefinitionId": "[tenantResourceId('Microsoft.Authorization/policyDefinitions', variables('policyDefinitionIdStorageAccountsTrustMicrosoftServices'))]",
                        "parameters": {
                            "effect1": {
                                "value": "Audit"
                            }
                        }
                    }
                ]
            }
        },
        {
            "type": "Microsoft.Authorization/policyAssignments",
            "apiVersion": "2019-09-01",
            "name": "[variables('policyInitiativeAssignmentName')]",
            "location": "[variables('policySetDefinitionLocation')]",
            "dependsOn": [
                "[variables('policyInitiativeDefinitionName')]"
            ],
            "properties": {
                "scope": "[variables('scopeResourceId')]",
                "policyDefinitionId": "[extensionResourceId(variables('scopeResourceId'), 'Microsoft.Authorization/policySetDefinitions', variables('policyInitiativeDefinitionName'))]",
                "displayName": "[variables('policyInitiativeDisplayName')]",
                "parameters": {
                    "effect": {
                        "value": "Deny"
                    },
                    "effect1": {
                        "value": "Deny"
                    }
                }
            }
        }
    ]
}
nielsvdc
  • same way you defined it for the first one? I don't get it – 4c74356b41 Feb 06 '20 at 08:13
  • If you define a second parameter the same way as the first in the policySetDefinition, you get an error that you can't have parameters with the same name. But you also need to use the "effect" parameter for the second policyDefinition, as this policy also takes the "effect" parameter. So the problem is that I have two policy definitions that both take a parameter named "effect". How do I define the parameters in the initiative? – nielsvdc Feb 06 '20 at 21:33
  • can't you just rename the parameter? – 4c74356b41 Feb 07 '20 at 05:33
  • I added a 2nd example of what I expect I would be able to do someway, but the second policy definition also expects a parameter "effect". – nielsvdc Feb 07 '20 at 13:14
  • well, just rename it in the definition as well, doh – 4c74356b41 Feb 07 '20 at 15:36
  • Ah, that's a little bit of information I hadn't supplied yet. The two definitions are built-in policies. If you could supply me a working and tested example, that would be great! – nielsvdc Feb 08 '20 at 07:06
  • What is the exact error you get when you have both parameters as effect? Also if both have the same type, default values, and allowed values why not just do 1 parameter called effect for both policies? – Kemley Feb 19 '20 at 19:05

0 Answers