search

Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License
396 stars 86 forks source link

[BUG] Export-AzPolicyAssignmentRuleData unable to export Azure policy as PSRule (The function "field" was not found) [Custom policy: Prevent cross tenant Private Link for key vault] #2734

Open Marc013 opened 8 months ago

Marc013 commented 8 months ago

Existing rule

No response

Description of the issue

Unable to export policy assignment data to PSRule.

{
    "Name": "00000000-0000-0000-0000-000000000000",
    "ResourceId": "/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000",
    "ResourceName": "00000000-0000-0000-0000-000000000000",
    "ResourceType": "Microsoft.Authorization/policyDefinitions",
    "SubscriptionId": null,
    "Properties": {
        "Description": "This policy prevents private link between tenants for key vault.",
        "DisplayName": "Prevent cross tenant Private Link for key vault",
        "Metadata": {
            "version": "0.0.2",
            "category": "Network",
            "status": "Active",
            "Control": "ABC1, ABC2, ABC3, ABC4, ABC5",
            "purpose": "This policy prevents private link between tenants for key vault.",
            "tags": [
                {
                    "managedpolicy": "true"
                }
            ],
            "createdBy": "00000000-0000-0000-0000-000000000000",
            "createdOn": "2023-06-14T14:18:44.6748556Z",
            "updatedBy": null,
            "updatedOn": null
        },
        "Mode": "All",
        "Parameters": {
            "effect": {
                "type": "String",
                "metadata": {
                    "description": "The effect of the policy",
                    "displayName": "Effect"
                },
                "allowedValues": [
                    "Audit",
                    "Deny",
                    "Disabled"
                ],
                "defaultValue": "Deny"
            }
        },
        "PolicyRule": {
            "if": {
                "allOf": [
                    {
                        "equals": "Microsoft.KeyVault/vaults/privateEndpointConnections",
                        "field": "type"
                    },
                    {
                        "anyOf": [
                            {
                                "exists": false,
                                "field": "Microsoft.KeyVault/vaults/privateEndpointConnections/privateEndpoint.id"
                            },
                            {
                                "notEquals": "[subscription().subscriptionId]",
                                "value": "[split(concat(field('Microsoft.KeyVault/vaults/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]"
                            }
                        ]
                    }
                ]
            },
            "then": {
                "effect": "[parameters('effect')]"
            }
        },
        "PolicyType": 1
    },
    "PolicyDefinitionId": "/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000"
}

Error messages

An error occurred evaluating expression '[split(concat(field('Microsoft.KeyVault/vaults/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]' line 57. The function "field" was not found.

Reproduction

Exporting policy assignment data

Version of PSRule

2.9.0

Version of PSRule for Azure

1.33.2

Additional context

This bug is related to #1323

BernieWhite commented 5 months ago

Currently we need to support indexing into an array of string with a runtime token to fully complete this implementation which requires support to be added to PSRule.