Get-AzureRmPolicyDefinition cannot get builtin policies by using name parameter #5747

Closed
bgelens opened this issue Mar 15, 2018 · 3 comments
Labels
Policy Azure Resource Policy Resource Authorization AzRole* in Az.Resources Service Attention This issue is responsible by Azure service team.

bgelens commented Mar 15, 2018

Description

Right now you cannot use Get-AzureRmPolicyDefinition with the -Name parameter to get a specific builtin policy definition, as it will throw a not found exception. Instead, you need to run the cmdlet and pipe it to Where-Object, which is not optimal.

The reason this happens is that the builtin policies are not exposed through the subscriptions route but actually through the providers route.

Won't work:

https://management.azure.com/subscriptions/xxxx/providers/Microsoft.Authorization/policydefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c?api-version=2016-12-01

Does work:

https://management.azure.com/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c?api-version=2016-12-01

Azure CLI deals with this as expected by querying the providers route URI when a 404 was received on the subscriptions route URI. I would expect the AzureRm equivalent to have the same behavior.

Script/Steps for Reproduction

This will fail:

Get-AzureRmPolicyDefinition -Name 'e56962a6-4747-49cd-b67b-bf8b01975c4c' -Debug
Absolute Uri:
https://management.azure.com/subscriptions/xxx/providers/Microsoft.Authorization/policydefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c?api-version=2016-12-01

Headers:
User-Agent                    : AzurePowershell/v5.5.0,PSVersion/v5.1.16299.251
ParameterSetName              : GetByPolicyDefintionName
CommandName                   : Get-AzureRmPolicyDefinition

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
NotFound

Headers:
Pragma                        : no-cache
x-ms-request-id               : uksouth:683e546d-801e-4524-be3a-5ec4ccc87b2c
x-ms-ratelimit-remaining-subscription-reads: 14998
x-ms-correlation-request-id   : cf68164f-2853-4142-8004-92f2d10800a1
x-ms-routing-request-id       : UKSOUTH:20180315T065153Z:cf68164f-2853-4142-8004-92f2d10800a1
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Cache-Control                 : no-cache
Date                          : Thu, 15 Mar 2018 06:51:53 GMT

Body:
{
  "error": {
    "code": "PolicyDefinitionNotFound",
    "message": "The policy definition 'e56962a6-4747-49cd-b67b-bf8b01975c4c' could not be found."
  }
}

Get-AzureRmPolicyDefinition : PolicyDefinitionNotFound : The policy definition 'e56962a6-4747-49cd-b67b-bf8b01975c4c' could not be found.
At line:1 char:1
+ Get-AzureRmPolicyDefinition -Name 'e56962a6-4747-49cd-b67b-bf8b01975c ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-AzureRmPolicyDefinition], ErrorResponseMessageException
    + FullyQualifiedErrorId : PolicyDefinitionNotFound,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzurePolicyDefinitionCmdlet

This does work:

Get-AzureRmPolicyDefinition | ? {$_.Name -eq 'e56962a6-4747-49cd-b67b-bf8b01975c4c'}
Name               : e56962a6-4747-49cd-b67b-bf8b01975c4c
ResourceId         : /providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c
ResourceName       : e56962a6-4747-49cd-b67b-bf8b01975c4c
ResourceType       : Microsoft.Authorization/policyDefinitions
Properties         : @{displayName=Allowed locations; policyType=BuiltIn; description=This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements.; parameters=; policyRule=}
PolicyDefinitionId : /providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c

az policy definition show --name e56962a6-4747-49cd-b67b-bf8b01975c4c -o table
Description                                                                                                                                                 DisplayName        Name                                  PolicyType
----------------------------------------------------------------------------------------------------------------------------------------------------------  -----------------  ------------------------------------  ------------
This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements.  Allowed locations  e56962a6-4747-49cd-b67b-bf8b01975c4c  BuiltIn

Module Version

Get-Module -Name AzureRM -ListAvailable


    Directory: C:\Program Files\WindowsPowerShell\Modules


ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     5.5.0      AzureRM
Script     5.3.0      AzureRM
Script     5.1.1      AzureRM
Script     5.0.1      AzureRM
Script     4.4.1      AzureRM

Environment Data

Name                           Value
----                           -----
PSVersion                      5.1.16299.251
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.16299.251
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
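
The fallback the issue attributes to Azure CLI (retry on the providers route when the subscriptions route returns 404), as an added PowerShell example that is not code from the AzureRM module or from the issue author. The function names and the `-AccessToken` parameter are hypothetical, and the caller is assumed to already hold a valid ARM bearer token.

```powershell
# Added example (hypothetical helper names). Builds the two routes shown in
# the issue: subscription scope, and tenant-level providers scope.
function Get-PolicyDefinitionUri {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$SubscriptionId,
        [string]$ApiVersion = '2016-12-01'
    )
    # Escape caller-supplied values so they cannot alter the URI path or query.
    $path = '/providers/Microsoft.Authorization/policyDefinitions/' +
            [uri]::EscapeDataString($Name)
    if ($SubscriptionId) {
        $path = '/subscriptions/' + [uri]::EscapeDataString($SubscriptionId) + $path
    }
    'https://management.azure.com{0}?api-version={1}' -f $path, $ApiVersion
}

function Get-PolicyDefinitionWithFallback {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$AccessToken  # assumption: ARM bearer token
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    # Custom definitions live under the subscription; built-ins only under /providers.
    $uris = @(
        (Get-PolicyDefinitionUri -Name $Name -SubscriptionId $SubscriptionId),
        (Get-PolicyDefinitionUri -Name $Name)
    )
    foreach ($uri in $uris) {
        try {
            return Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        }
        catch {
            $status = $null
            if ($_.Exception.Response) {
                $status = [int]$_.Exception.Response.StatusCode
            }
            # Fall through only on 404. A 401/403 or a throttling error is
            # rethrown so an authorization failure is never reported as
            # "policy not found".
            if ($status -ne 404) { throw }
        }
    }
    throw "Policy definition '$Name' not found at subscription or built-in scope."
}
```

The returned object's `properties.policyType` (`BuiltIn` in the output above) tells the caller which scope answered.
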
@cormacpayne cormacpayne assigned darshanhs90 and unassigned markcowl Mar 15, 2018
@cormacpayne cormacpayne added the Resource Authorization AzRole* in Az.Resources label Mar 15, 2018
@cormacpayne
Member

@darshanhs90 Hey Haridarshan, would you mind taking a look at this issue? We were able to reproduce this issue locally, so it looks like a bug in the API.

@darshanhs90
Contributor

@vivsriaus Can you look into this, as this is an ARM commandlet?
CC : @cyl3392207

@cormacpayne cormacpayne assigned Tiano2017 and unassigned vivsriaus Jun 8, 2018
@darshanhs90 darshanhs90 added the Policy Azure Resource Policy label Jun 26, 2018
@bsiegel bsiegel added the Service Attention This issue is responsible by Azure service team. label Sep 26, 2018
mentat9 added a commit to mentat9/azure-powershell that referenced this issue Jan 16, 2019
Add/update tests for Azure#7522 and Azure#5747
maddieclayton pushed a commit that referenced this issue Jan 18, 2019
@LizMS LizMS closed this as completed Jun 12, 2019

LizMS commented Jun 12, 2019

This issue has been fixed. Closing the item.
