Not possible to update policyDefinitionReferenceId with New- or Update-AzPolicySetDefinition #25112

Open
vegazbabz opened this issue Jun 6, 2024 · 1 comment
Labels: bug (This issue requires a change to an existing behavior in the product in order to be resolved.), customer-reported

Description

I want to update my policyDefinitionReferenceIds in my policy initiative definition definitions.json.

I am using a policy initiative definition file:
networkdef.json
and a parameter file:
networkparam.json
These 2 files are how I created the policy initiative definition. However, the policyDefinitionReferenceIds are being overwritten by the system and automatically generated. You can see that result in the first file (definitions.json).

To create the definition, I use this command:

$metadata = ConvertTo-Json @{ version = "1.0.0"; category = "Network" }

New-AzPolicySetDefinition `
-Name 'Enforce-Guardrails-Network' `
-DisplayName 'Enforce recommended guardrails for Network and Networking services' `
-PolicyDefinition C:\temp\networkdef.json `
-Parameter C:\Temp\networkparam.json `
-ManagementGroupName 'MG-ID' `
-Description 'This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.' `
-Metadata $metadata

The above code should have created the policyDefinitionReferenceIds for me. However, they are ignored, as I said.

When I then try to update them again, I get the same result regardless of whether I use Update-AzPolicySetDefinition or New-AzPolicySetDefinition.
New-AzPolicySetDefinition -Name 'Enforce-Guardrails-Network' -PolicyDefinition .\definitions.json -Parameter .\networkparam.json
or
Update-AzPolicySetDefinition -Name 'Enforce-Guardrails-Network' -PolicyDefinition .\definitions.json -Parameter .\networkparam.json

Output:

  {
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010",
    "policyDefinitionReferenceId": "15299596690223791311",
    "groupNames": []
  }

Expected Output

  {
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010",
    "policyDefinitionReferenceId": "Deny-Nsg-GW-subnet",
    "groupNames": []
  }

When running with $DebugPreference set, it is clear that the property policyDefinitionReferenceId is not part of the properties available:

Issue script & Debug output

"policyDefinitions": [
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010",
        "groupNames": []
      },

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     3.0.0                 Az.Accounts                         {Add-AzEnvironment, Clear-AzCon…
Script     7.1.0                 Az.Resources                        {Export-AzResourceGroup, Export…

Error output

No errors. See above message.

mentat9 commented Jul 11, 2024

Thank you for reporting this problem. I have repro'd the issue, and we are pursuing a fix. In the meantime, you can work around it by using the property name "id" instead of "policyDefinitionReferenceId" in your input file like this:

  {
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010",
    "id": "Deny-Nsg-GW-subnet",
    "groupNames": []
  }

This will correctly serialize to "policyDefinitionReferenceId" in the backend:

  {
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010",
    "policyDefinitionReferenceId": "Deny-Nsg-GW-subnet",
    "groupNames": []
  }

Sorry for the inconvenience this has caused: we will address it on our end as soon as possible.

mentat9 added a commit to mentat9/azure-powershell that referenced this issue Jul 11, 2024
 - Root cause is wrong naming of a serialization property
 - This fix is a workaround for the incorrect name
 - Needs to be updated once the root cause is corrected
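The following script is an added example, not code from the issue author or from the Az.Resources module. It applies the "id" workaround from the comment above to an existing definitions file and then reads the initiative back to verify that every policyDefinitionReferenceId survived the round trip. The verification step matters because policy exemptions (policyDefinitionReferenceIds) and assignment non-compliance messages (policyDefinitionReferenceId) are keyed on these values, so a silently regenerated numeric ID leaves an exemption pointing at nothing. Assumptions, all hypothetical: .\definitions.json is a JSON array of policyDefinitions entries written with "policyDefinitionReferenceId" (the shape shown in the issue), .\networkparam.json is the parameter file, the initiative is named 'Enforce-Guardrails-Network' in management group 'MG-ID', Connect-AzAccount has already been run with write access to that scope, and the function names are this example's own.

```powershell
# Added example (not from the issue or the Az.Resources module): apply the "id"
# workaround and verify the stored initiative keeps the intended reference IDs.
# Assumptions (hypothetical): file paths, initiative name and management group
# below; an authenticated Az session; Az.Resources 7.x (PowerShell 7).
param(
    [string]$DefinitionFile  = '.\definitions.json',
    [string]$ParameterFile   = '.\networkparam.json',
    [string]$Name            = 'Enforce-Guardrails-Network',
    [string]$ManagementGroup = 'MG-ID'
)
$ErrorActionPreference = 'Stop'

# Rewrite every entry so the reference ID travels in the "id" property that the
# cmdlet currently serializes. Entries with no reference ID are rejected rather
# than passed through, because the service would then generate a numeric one,
# which is exactly the behaviour the workaround is meant to avoid.
function Convert-ReferenceIdToWorkaroundShape {
    param([object[]]$Entries)
    foreach ($e in $Entries) {
        if ([string]::IsNullOrWhiteSpace($e.policyDefinitionReferenceId)) {
            throw "Entry for $($e.policyDefinitionId) has no policyDefinitionReferenceId."
        }
        $e | Add-Member -NotePropertyName 'id' -NotePropertyValue $e.policyDefinitionReferenceId -Force
        $e.PSObject.Properties.Remove('policyDefinitionReferenceId')
    }
    return $Entries
}

# Compare the set of reference IDs we sent with the set the service stored.
# A purely numeric ID is the service-generated kind seen in the issue, so its
# presence is treated as a failure even if the sets happen to match.
function Test-ReferenceIdsMatch {
    param([string[]]$Expected, [string[]]$Actual)
    $diff      = Compare-Object -ReferenceObject $Expected -DifferenceObject $Actual
    $generated = @($Actual | Where-Object { $_ -match '^\d+$' })
    return ($null -eq $diff) -and ($generated.Count -eq 0)
}

# Step 1: load the entries and remember the reference IDs before rewriting them.
$entries  = @(Get-Content -Raw -Path $DefinitionFile | ConvertFrom-Json)
$expected = @($entries | ForEach-Object { $_.policyDefinitionReferenceId })

# Step 2: write the rewritten entries to a temp file (-AsArray keeps a single
# entry as a JSON array, which is what -PolicyDefinition expects).
$workaroundFile = Join-Path ([System.IO.Path]::GetTempPath()) 'definitions.workaround.json'
Convert-ReferenceIdToWorkaroundShape -Entries $entries |
    ConvertTo-Json -Depth 20 -AsArray |
    Set-Content -Path $workaroundFile -Encoding utf8

# Step 3: push the update using the same parameter file as the original call.
$null = Update-AzPolicySetDefinition -Name $Name -ManagementGroupName $ManagementGroup `
    -PolicyDefinition $workaroundFile -Parameter $ParameterFile

# Step 4: read the initiative back. Az.Resources 7.x flattens the output
# (PolicyDefinition); older modules exposed Properties.PolicyDefinitions, so
# both shapes are handled to keep the check from being version bound.
$stored        = Get-AzPolicySetDefinition -Name $Name -ManagementGroupName $ManagementGroup
$storedEntries = if ($stored.PSObject.Properties['PolicyDefinition']) { $stored.PolicyDefinition }
                 else { $stored.Properties.PolicyDefinitions }
$actual        = @($storedEntries | ForEach-Object { $_.policyDefinitionReferenceId })

if (-not (Test-ReferenceIdsMatch -Expected $expected -Actual $actual)) {
    throw "policyDefinitionReferenceId mismatch. Expected: $($expected -join ', '). Actual: $($actual -join ', ')."
}
Write-Host "All $($actual.Count) policyDefinitionReferenceId values match $DefinitionFile."
```

The comparison is done on the set of reference IDs rather than keyed by policyDefinitionId, because an initiative may legitimately reference the same policy definition more than once under different reference IDs; that is the case the reference ID exists to disambiguate. Once the fix referenced in the commit above ships, the same script can be run with the rewrite step removed to confirm that "policyDefinitionReferenceId" is honoured directly.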