Expand field() expressions for Azure Policy #1323

Open
ArmaanMcleod opened this issue Mar 22, 2022 · 6 comments
Assignees: BernieWhite
Labels: bug (Something isn't working), feature: policy-as-rules (Issues related to exporting policy as rules), long-term (Long term milestones that will be released over multiple releases), .NET (Pull requests that update .net code)

Comments

ArmaanMcleod (Contributor) commented Mar 22, 2022

In Azure Policy, we can have field expressions like field('type'). We should be able to expand these expressions when emitting JSON rules.

Related to #181

@ArmaanMcleod ArmaanMcleod added the enhancement New feature or request label Mar 22, 2022
@ArmaanMcleod ArmaanMcleod self-assigned this Mar 22, 2022
@BernieWhite BernieWhite added this to the v1.15.0 milestone Mar 23, 2022
@BernieWhite BernieWhite modified the milestones: v1.15.0, v1.16.0 May 5, 2022
@BernieWhite BernieWhite removed this from the v1.16.0 milestone Jun 9, 2022
@BernieWhite BernieWhite added the .NET Pull requests that update .net code label Sep 16, 2022
@BernieWhite BernieWhite added the ms-hack-2022 (Issues related to Microsoft Global Hackathon 2022) and bug (Something isn't working) labels and removed the enhancement (New feature or request) label Sep 16, 2022
BernieWhite (Collaborator) commented:

Reproduction:

Export-AzPolicyAssignmentRuleData -AssignmentFile .\policy\nnn.assignment.json -OutputPath .\policy-rule\

Some additional information about these errors when running Export-AzPolicyAssignmentRuleData includes:

Export-AzPolicyAssignmentRuleData: An error occurred evaluating expression '[field('type')]' line 63. The function "field" was not found.
Export-AzPolicyAssignmentRuleData: An error occurred evaluating expression '[first(split(field('fullName'), '/'))]' line 1066. The function "field" was not found.

Additional error stack:

Exception             :
    Type           : PSRule.Rules.Azure.Data.Template.ExpressionEvaluationException
    Expression     : [field('name')]
    TargetSite     :
        Name          : EvaluateExpression
        DeclaringType : PSRule.Rules.Azure.Data.Template.TemplateVisitor, Microsoft.PSRule.Rules.Azure.Core, Version=0.0.1.0, Culture=neutral, PublicKeyToken=null
        MemberType    : Method
        Module        : Microsoft.PSRule.Rules.Azure.Core.dll
    Message        : An error occurred evaluating expression '[field('name')]' line 34403. The function "field" was not found.
    InnerException :
        Type       : System.NotImplementedException
        TargetSite :
            Name          : Element
            DeclaringType : PSRule.Rules.Azure.Data.Template.ExpressionBuilder, Microsoft.PSRule.Rules.Azure.Core, Version=0.0.1.0, Culture=neutral, PublicKeyToken=null
            MemberType    : Method
            Module        : Microsoft.PSRule.Rules.Azure.Core.dll
        Message    : The function "field" was not found.
        Source     : Microsoft.PSRule.Rules.Azure.Core
        HResult    : -2147467263
        StackTrace :
   at PSRule.Rules.Azure.Data.Template.ExpressionBuilder.Element(TokenStream stream, ExpressionToken element) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Template\ExpressionBuilder.cs:line 61
   at PSRule.Rules.Azure.Data.Template.ExpressionBuilder.Lexer(TokenStream stream) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Template\ExpressionBuilder.cs:line 42
   at PSRule.Rules.Azure.Data.Template.ExpressionBuilder.Build(String s) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Template\ExpressionBuilder.cs:line 31
   at PSRule.Rules.Azure.Data.Policy.PolicyAssignmentVisitor.PolicyAssignmentContext.BuildExpression(String expression) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Policy\PolicyAssignmentVisitor.cs:line 114
   at PSRule.Rules.Azure.Data.Template.TemplateVisitor.<>c__DisplayClass80_0`1.<Expression>b__0() in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Template\TemplateVisitor.cs:line 1345
   at PSRule.Rules.Azure.Data.Template.TemplateVisitor.EvaluateExpression[T](ITemplateContext context, String value, IJsonLineInfo lineInfo) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Template\TemplateVisitor.cs:line 1671
    Source         : Microsoft.PSRule.Rules.Azure.Core
    HResult        : -2146233088
    StackTrace     :
   at PSRule.Rules.Azure.Data.Template.TemplateVisitor.EvaluateExpression[T](ITemplateContext context, String value, IJsonLineInfo lineInfo) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Template\TemplateVisitor.cs:line 1675
   at PSRule.Rules.Azure.Data.Template.TemplateVisitor.EvaluateExpression[T](ITemplateContext context, JToken value) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Template\TemplateVisitor.cs:line 1660
   at PSRule.Rules.Azure.Data.Template.TemplateVisitor.ExpandPropertyToken(ITemplateContext context, JToken value) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Template\TemplateVisitor.cs:line 1377
   at PSRule.Rules.Azure.Data.Policy.PolicyAssignmentVisitor.PolicyAssignmentContext.ExpandPolicyRule(JToken policyRule) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Policy\PolicyAssignmentVisitor.cs:line 536
   at PSRule.Rules.Azure.Data.Policy.PolicyAssignmentVisitor.PolicyAssignmentContext.ExpandPolicyRule(JToken policyRule) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Policy\PolicyAssignmentVisitor.cs:line 542
   at PSRule.Rules.Azure.Data.Policy.PolicyAssignmentVisitor.PolicyAssignmentContext.ExpandPolicyRule(JToken policyRule) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Policy\PolicyAssignmentVisitor.cs:line 542
   at PSRule.Rules.Azure.Data.Policy.PolicyAssignmentVisitor.PolicyAssignmentContext.AddDefinition(JObject definition, String definitionId) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Policy\PolicyAssignmentVisitor.cs:line 156
   at PSRule.Rules.Azure.Data.Policy.PolicyAssignmentVisitor.VisitDefinitions(PolicyAssignmentContext context, IEnumerable`1 definitions) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Policy\PolicyAssignmentVisitor.cs:line 687
   at PSRule.Rules.Azure.Data.Policy.PolicyAssignmentVisitor.Assignment(PolicyAssignmentContext context, JObject assignment) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Policy\PolicyAssignmentVisitor.cs:line 706
   at PSRule.Rules.Azure.Data.Policy.PolicyAssignmentVisitor.Visit(PolicyAssignmentContext context, JObject assignment) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Policy\PolicyAssignmentVisitor.cs:line 665
   at PSRule.Rules.Azure.Data.Policy.PolicyAssignmentHelper.ProcessAssignment(String assignmentFile, PolicyAssignmentContext& assignmentContext) in C:\Dev\Workspace\PSRule.Rules.Azure\src\PSRule.Rules.Azure\Data\Policy\PolicyAssignmentHelper.cs:line 50
CategoryInfo          : NotSpecified: ({
                        "identity": {…7a7"
                        }
                        ]
                        }:JObject) [Export-AzPolicyAssignmentRuleData], ExpressionEvaluationException
FullyQualifiedErrorId : System.NotImplementedException,Export-AzPolicyAssignmentRuleData
InvocationInfo        :
    MyCommand        : Export-AzPolicyAssignmentRuleData
    ScriptLineNumber : 1
    OffsetInLine     : 1
    HistoryId        : 5
    Line             : Export-AzPolicyAssignmentRuleData -AssignmentFile .\policy\d6d94deb-09b7-40cb-b64f-e63d1beda4f2.assignment.json -OutputPath .\policy-rule\
    PositionMessage  : At line:1 char:1
                       + Export-AzPolicyAssignmentRuleData -AssignmentFile .\policy\d6d94deb-0 …
                       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    InvocationName   : Export-AzPolicyAssignmentRuleData
    CommandOrigin    : Internal
ScriptStackTrace      : at Export-AzPolicyAssignmentRuleData<Process>, C:\Dev\Workspace\PSRule.Rules.Azure\out\modules\PSRule.Rules.Azure\PSRule.Rules.Azure.psm1: line 421
                        at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo :

@ghost ghost self-assigned this Sep 19, 2022
@BernieWhite BernieWhite added the feature: policy-as-rules Issues that related to exporting policy as rules. label Sep 29, 2022
@BernieWhite BernieWhite removed the ms-hack-2022 Issues related to Microsoft Global Hackathon 2022 label Nov 23, 2022
@BernieWhite BernieWhite assigned BernieWhite and unassigned ghost Nov 23, 2022
BernieWhite (Collaborator) commented:

Simple cases such as [field('type')] can be converted to a PSRule object path.

Complex cases will need additional complex expression support upstream in PSRule. For example:

  • [first(split(field('fullName'), '/'))]
  • [if(equals(field('Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType'), 'Windows'), field('Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.assessmentMode'), field('Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.patchSettings.assessmentMode'))]
  • [empty(field('Microsoft.Network/virtualNetworks/subnets[*].ipConfigurations[*].id'))]
  • [concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/*/providers/Microsoft.Network/virtualNetworks/', first(split(field('fullName'), '/')), '/subnets/AzureFirewallSubnet')]

Marc013 commented Feb 29, 2024

@BernieWhite,
Can you please indicate whether there is any attention on this issue?
Currently, this issue prevents 100% coverage (we currently reach ~75%) for creating rules based on assigned Azure policy initiatives.

It would be great if the issue "The function "field" was not found." could be solved as soon as possible.

@BernieWhite BernieWhite added the long-term Long term milestones that will be released over multiple releases. label Mar 3, 2024
BernieWhite (Collaborator) commented:

Hi @Marc013, yes, we're making progress on field cases. But if you have specific cases that are failing, we'd like to know about them as separate issues so we can directly track and close them.

Specifically, if you have failing built-in policies, please post their resource IDs so we can add them to tests, e.g. /providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47

If you have custom policies that are failing, we would appreciate the original policy JSON, with placeholders for anything sensitive, and the error message.
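A triage helper for the two points the maintainer makes above, added here as an illustration and not part of PSRule.Rules.Azure: it walks a policy rule, separates expressions that are a lone field() call (convertible to an object path) from ones where field() is nested inside other functions (needing expression support upstream), and lists the definition IDs worth reporting. The alias-to-object-path mapping (an alias of the form <resourceType>/<path> becomes properties.<path>; top-level fields such as name and type keep their name; fullName gets no path), the sample policy definitions and their placeholder IDs are all constructed for this example and are assumptions, not the project's behaviour.

```python
import json
import re

# Any field('<name>') call inside an ARM-style expression.
FIELD_CALL = re.compile(r"field\('([^']*)'\)")
# An expression that is exactly one field() call and nothing else.
SIMPLE_EXPR = re.compile(r"^\[\s*field\('([^']*)'\)\s*\]$")

# Assumption for this example (not the project's mapping table): these policy
# fields exist with the same name on the resource object a rule evaluates.
TOP_LEVEL_FIELDS = {"name", "type", "location", "id", "kind", "identity.type"}


def field_to_object_path(field):
    """Map a policy field or alias to an object path, or None if no single path fits.

    Assumed mapping: top-level fields and tags[...] keep their name; an alias of
    the form '<resourceType>/<path>' resolves to 'properties.<path>'. A field such
    as 'fullName' has no single object-path equivalent here and yields None.
    """
    if field in TOP_LEVEL_FIELDS or field.startswith("tags"):
        return field
    if "/" in field:
        _resource_type, _, path = field.rpartition("/")
        return "properties." + path
    return None


def is_expression(value):
    """ARM expressions are strings wrapped in [ ]; a leading '[[' escapes a literal."""
    return (isinstance(value, str) and value.startswith("[")
            and not value.startswith("[[") and value.endswith("]"))


def classify_expression(expr):
    """Return (kind, detail) for one expression string.

    'simple'   - a lone field() call that maps to an object path (detail = path)
    'complex'  - field() nested in other functions, or a field with no path (detail = fields used)
    'no-field' - an expression that never calls field()
    """
    fields = FIELD_CALL.findall(expr)
    if not fields:
        return "no-field", None
    match = SIMPLE_EXPR.match(expr)
    if match:
        path = field_to_object_path(match.group(1))
        if path is not None:
            return "simple", path
    return "complex", fields


def collect_expressions(node, found=None):
    """Depth-first collection of every expression string under a JSON node."""
    if found is None:
        found = []
    if isinstance(node, dict):
        for value in node.values():
            collect_expressions(value, found)
    elif isinstance(node, list):
        for value in node:
            collect_expressions(value, found)
    elif is_expression(node):
        found.append(node)
    return found


def triage_definitions(definitions):
    """Map definition id -> [(expression, kind, detail)] for rules that use field()."""
    report = {}
    for definition in definitions:
        rule = definition.get("properties", {}).get("policyRule", {})
        hits = []
        for expr in collect_expressions(rule):
            kind, detail = classify_expression(expr)
            if kind != "no-field":
                hits.append((expr, kind, detail))
        if hits:
            report[definition["id"]] = hits
    return report


def ids_needing_upstream_support(report):
    """Definition ids with at least one complex field() expression: the ones to report by resource id."""
    return sorted(def_id for def_id, hits in report.items()
                  if any(kind == "complex" for _, kind, _ in hits))


# Constructed sample definitions; the ids are placeholders, not real built-in policies.
PREFIX = "/providers/Microsoft.Authorization/policyDefinitions/"
SAMPLE_DEFINITIONS = [
    {"id": PREFIX + "00000000-0000-0000-0000-000000000001",
     "properties": {"policyRule": {
         "if": {"allOf": [
             {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
             {"value": "[field('Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType')]",
              "equals": "Windows"}]},
         "then": {"effect": "audit"}}}},
    {"id": PREFIX + "00000000-0000-0000-0000-000000000002",
     "properties": {"policyRule": {
         "if": {"anyOf": [
             {"value": "[first(split(field('fullName'), '/'))]", "equals": "vnet1"},
             {"value": "[empty(field('Microsoft.Network/virtualNetworks/subnets[*].ipConfigurations[*].id'))]",
              "equals": True},
             {"value": "[parameters('effect')]", "equals": "Deny"}]},
         "then": {"effect": "deny"}}}},
    {"id": PREFIX + "00000000-0000-0000-0000-000000000003",
     "properties": {"policyRule": {
         "if": {"field": "location", "notIn": "[parameters('allowedLocations')]"},
         "then": {"effect": "deny"}}}},
]

if __name__ == "__main__":
    report = triage_definitions(SAMPLE_DEFINITIONS)
    print(json.dumps(report, indent=2))
    print("report upstream:", ids_needing_upstream_support(report))
```

To use it on a real export, load each policy definition JSON into a list and pass it to triage_definitions; the third sample definition never calls field() and so is absent from the report, while [field('fullName')] on its own is classified as complex because fullName has no single object path under the assumed mapping.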

BernieWhite added a commit to BernieWhite/PSRule.Rules.Azure that referenced this issue Mar 3, 2024
This was referenced Mar 3, 2024
This was referenced Mar 5, 2024
Marc013 commented Mar 5, 2024

@BernieWhite
I've created the bugs as requested and referenced this issue.
Please reach out when any more information is required.

BernieWhite (Collaborator) commented:

Thanks @Marc013

Development: no branches or pull requests. 3 participants.