I am trying to deploy an Azure Policy definition via an ARM template (subscription-level deployment). This is my definition file. The error I get is: Status Message: Unable to process template language expressions for resource '/subscriptions/xxx/providers/Microsoft.Authorization/policyDefinitions/deploy-rg-lock' at line '13' and column '9'. 'The template parameter 'tagName' is not found. Please see https://aka.ms/arm-template/#parameters for usage details.' (Code:InvalidTemplate)
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyDefinitionName": {
"type": "string"
}
},
"resources": [{
"type": "Microsoft.Authorization/policyDefinitions",
"name": "[parameters('policyDefinitionName')]",
"apiVersion": "2019-09-01",
"properties": {
"displayName": "Lock Resource Group based on tags",
"policyType": "Custom",
"mode": "All",
"description": "This policy locks a resource group if the tag mentioned in the parameter is not present",
"metadata": {
"category": "Tags"
},
"parameters": {
"tagName": {
"type": "String",
"metadata": {
"displayName": "Tag Name",
"description": "Tag name to prevent resource lock"
}
},
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Tag value to prevent resource lock"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('tags[', parameters('tagName'), ']')]",
"notEquals": "[parameters('tagValue')]"
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Authorization/locks",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
],
"existenceCondition": {
"field": "Microsoft.Authorization/locks/level",
"equals": "CanNotDelete"
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "PolicyDeleteLock",
"type": "Microsoft.Authorization/locks",
"apiVersion": "2016-09-01",
"properties": {
"level": "CanNotDelete",
"notes": "Set by policy RG_ResourceLockCheck"
}
}
],
"outputs": {
"policy": {
"type": "string",
"value": "locked RG"
}
}
}
}
}
}
}
}
}
}]
}
You can also declare tagName and tagValue as parameters of the ARM template itself, so that the deployment engine can resolve `parameters('tagName')` when it processes the template. Adding the parameters as shown below makes the error go away. Be aware of what this does, though: the un-escaped expressions inside policyRule are then evaluated by ARM at deployment time, so the tag name and value are baked into the stored policy rule as literals, and the policy's own tagName/tagValue parameters are no longer referenced by the rule. If you want them to remain genuine policy parameters (set per assignment), escape the expressions with `[[` instead, as the other answer describes. Two corrections to the listing below: the `# define tag name and tag value` line is a comment, which is not valid JSON and must be removed, and the empty key `"": {` under the policy's parameters should read `"tagName": {`. Finally, the value passed for roleDefinitionIds must be a role definition resource ID (`/providers/Microsoft.Authorization/roleDefinitions/<guid>`), not a policy definition ID as the parameter name policyDefinitionID suggests; whatever role you pass here is granted to the policy's managed identity when the policy is assigned, so choose the least-privileged role that includes `Microsoft.Authorization/locks/write`.
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyDefinitionName": {
"type": "string"
},
# define tag name and tag value
"tagName":{
"type": "string"
},
"tagValue": {
"type": "string"
},
"policyDefinitionID": {
"type": "string"
}
},
"resources": [{
"type": "Microsoft.Authorization/policyDefinitions",
"name": "[parameters('policyDefinitionName')]",
"apiVersion": "2019-09-01",
"properties": {
"displayName": "Lock Resource Group based on tags",
"policyType": "Custom",
"mode": "All",
"description": "This policy locks a resource group if the tag mentioned in the parameter is not present",
"metadata": {
"category": "tags"
},
"parameters": {
"": {
"type": "String",
"metadata": {
"displayName": "Cannot Delete",
"description": "Tag name to prevent resource lock"
}
},
"tagValue": {
"type": "String",
"metadata": {
"displayName": "Tag Value",
"description": "Tag value to prevent resource lock"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/subscriptions/resourceGroups"
},
{
"field": "[concat('Tags[', parameters('tagName'), ']')]",
"notEquals": "[parameters('tagValue')]"
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Authorization/locks",
"roleDefinitionIds": [
"[parameters('policyDefinitionID')]"
],
"existenceCondition": {
"field": "Microsoft.Authorization/locks/level",
"equals": "CanNotDelete"
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"name": "PolicyDeleteLock",
"type": "Microsoft.Authorization/locks",
"apiVersion": "2016-09-01",
"properties": {
"level": "CanNotDelete",
"notes": "Set by policy RG_ResourceLockCheck"
}
}
],
"outputs": {
"policy": {
"type": "string",
"value": "locked RG"
}
}
}
}
}
}
}
}
}
}]
}
The deployment then runs once you execute the deployment command and supply values for these parameters.
Inside your policyRule, ARM expressions that are meant for Azure Policy (not for the deployment engine) must be escaped with an extra opening bracket so that ARM does not try to evaluate them at deployment time — that attempted evaluation is exactly why it complains that template parameter tagName does not exist. For example at line 45:
"field": "[concat('tags[', parameters('tagName'), ']')]"
Should become:
"field": "[[concat('tags[', parameters('tagName'), ']')]"
(Note that there is no extra closing bracket. A string that starts with `[[` is treated by ARM as a literal string starting with `[`, so the stored policy rule contains `[concat(...)]`, which Azure Policy then evaluates against the policy's own parameters at evaluation time.)
Do this for every ARM expression inside the policy rule — including `[parameters('tagValue')]` in the notEquals condition — and the deployment should work. Separately, the role listed in roleDefinitionIds is what the policy's managed identity is granted at assignment time; verify that it actually includes `Microsoft.Authorization/locks/write` (creating resource locks is not a contributor-level permission) and that it grants nothing broader than the lock deployment needs.