Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License

[BUG] Export-AzPolicyAssignmentRuleData unable to export Azure policy as PSRule (parameter was not set or a defaultValue was defined) [Custom policy: Key vault - Firewall Settings DENY] #2738

Closed Marc013 closed 6 months ago

Marc013 commented 6 months ago

Existing rule

No response

Description of the issue

Unable to export policy assignment data to PSRule when a default value for a parameter is not provided or set.

{
    "Name": "00000000-0000-0000-0000-000000000000",
    "ResourceId": "/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000",
    "ResourceName": "00000000-0000-0000-0000-000000000000",
    "ResourceType": "Microsoft.Authorization/policyDefinitions",
    "SubscriptionId": null,
    "Properties": {
        "Description": "This Azure Policy denies the deployment of an Azure Key Vault when the 'Allow access from' setting is not set to 'Private endpoints and selected networks' or when the Firewall does contain any IP addresses outside of the approved ones.",
        "DisplayName": "Key vault - Firewall Settings DENY",
        "Metadata": {
            "version": "0.0.1",
            "category": "Key Vault",
            "status": "Active",
            "Control": "ABC1, ABC2, ABC3, ABC4, ABC5",
            "purpose": "This Azure Policy denies the deployment of an Azure Key Vault when the 'Allow access from' setting is not set to 'Private endpoints and selected networks' or when the Firewall does contain any IP addresses outside of the approved ones.",
            "tags": [
                {
                    "managedpolicy": "true"
                }
            ],
            "createdBy": "00000000-0000-0000-0000-000000000000",
            "createdOn": "2023-06-14T14:18:25.4051154Z",
            "updatedBy": null,
            "updatedOn": null
        },
        "Mode": "All",
        "Parameters": {
            "allowedAddressRanges": {
                "type": "Array",
                "metadata": {
                    "displayName": "Allowed Address Ranges",
                    "description": "The list of IP Addresses or IP Address Ranges that are allowed for the Firewall Setting on the Key Vault"
                }
            },
            "policyEffect": {
                "type": "String",
                "metadata": {
                    "displayName": "Policy Effect",
                    "description": "The Policy Effect associated with this Policy Definition"
                },
                "defaultValue": "Deny"
            }
        },
        "PolicyRule": {
            "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.KeyVault/vaults"
                    },
                    {
                        "anyOf": [
                            {
                                "allOf": [
                                    {
                                        "count": {
                                            "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*]"
                                        },
                                        "greater": 0
                                    },
                                    {
                                        "not": {
                                            "field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                                            "in": "[parameters('allowedAddressRanges')]"
                                        }
                                    }
                                ]
                            },
                            {
                                "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
                                "equals": "Allow"
                            }
                        ]
                    }
                ]
            },
            "then": {
                "effect": "[parameters('policyEffect')]"
            }
        },
        "PolicyType": 1
    },
    "PolicyDefinitionId": "/providers/Microsoft.Management/managementGroups/MyManagementGroup/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000"
}

Error messages

An error occurred evaluating expression '[parameters('allowedAddressRanges')]' line 64. The parameter named 'allowedAddressRanges' was not set or a defaultValue was defined.

Reproduction

Exporting policy assignment data to custom PSRule using pwsh function Export-AzPolicyAssignmentRuleData

Version of PSRule

2.9.0

Version of PSRule for Azure

1.33.2

Additional context

If desired, I can provide another custom policy that is experiencing this same issue.
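
One way to catch this condition before running Export-AzPolicyAssignmentRuleData is to check the definition for parameters that the policyRule references but that carry no defaultValue and receive no value from the assignment, which is exactly what the error above reports. The script below is an added example, not part of this issue or of PSRule.Rules.Azure; it uses only the Python standard library, embeds a constructed, trimmed copy of the definition shape shown above (PascalCase keys as emitted by the Az cmdlets), and treats any key present in the assignment-parameters dictionary as "set".

```python
"""Pre-check a policy definition for parameters that must be supplied by the
assignment: referenced in the policyRule, no defaultValue, no assigned value."""
import json
import re

# ARM template expression syntax as it appears in a policyRule, e.g.
# "[parameters('allowedAddressRanges')]"; a reference nested inside another
# function such as "[length(parameters('x'))]" is matched as well.
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")


def _get(mapping, key, default=None):
    """Case-insensitive key lookup: Get-AzPolicyDefinition output uses PascalCase
    ('Properties', 'PolicyRule') while raw definition JSON uses camelCase."""
    for k, v in mapping.items():
        if k.lower() == key.lower():
            return v
    return default


def referenced_parameters(node):
    """Recursively collect every parameter name referenced in the given subtree."""
    found = set()
    if isinstance(node, dict):
        for value in node.values():
            found |= referenced_parameters(value)
    elif isinstance(node, list):
        for item in node:
            found |= referenced_parameters(item)
    elif isinstance(node, str):
        found.update(PARAM_REF.findall(node))
    return found


def find_unset_parameters(definition, assignment_parameters=None):
    """Return the sorted names of parameters the rule references that have
    neither a defaultValue in the definition nor a value in the assignment.
    Declared-but-unreferenced parameters are ignored, since evaluating the
    rule never resolves them."""
    props = _get(definition, "properties", definition)
    declared = _get(props, "parameters", {}) or {}
    rule = _get(props, "policyRule", {}) or {}
    supplied = assignment_parameters or {}
    missing = []
    for name in sorted(referenced_parameters(rule)):
        spec = _get(declared, name, {}) or {}
        if "defaultValue" in spec or name in supplied:
            continue
        missing.append(name)
    return missing


# Constructed sample: a trimmed copy of the definition in the report above.
SAMPLE_DEFINITION = json.loads("""
{
  "Name": "00000000-0000-0000-0000-000000000000",
  "Properties": {
    "DisplayName": "Key vault - Firewall Settings DENY",
    "Mode": "All",
    "Parameters": {
      "allowedAddressRanges": {
        "type": "Array",
        "metadata": {"displayName": "Allowed Address Ranges"}
      },
      "policyEffect": {
        "type": "String",
        "metadata": {"displayName": "Policy Effect"},
        "defaultValue": "Deny"
      }
    },
    "PolicyRule": {
      "if": {
        "allOf": [
          {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
          {"anyOf": [
            {"allOf": [
              {"count": {"field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*]"}, "greater": 0},
              {"not": {"field": "Microsoft.KeyVault/vaults/networkAcls.ipRules[*].value",
                       "in": "[parameters('allowedAddressRanges')]"}}
            ]},
            {"field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction", "equals": "Allow"}
          ]}
        ]
      },
      "then": {"effect": "[parameters('policyEffect')]"}
    }
  }
}
""")

if __name__ == "__main__":
    # Without an assignment value the export would fail on allowedAddressRanges;
    # policyEffect is fine because the definition gives it a defaultValue.
    print("unset:", find_unset_parameters(SAMPLE_DEFINITION))
    # Constructed assignment parameters in the ARM {"name": {"value": ...}} shape.
    assigned = {"allowedAddressRanges": {"value": ["203.0.113.0/24"]}}
    print("unset after assignment:", find_unset_parameters(SAMPLE_DEFINITION, assigned))
```

Run it against the output of Get-AzPolicyDefinition (or the raw definition JSON) together with the assignment's parameters block; a non-empty result names the parameters that need a value before the assignment can be exported as rule data.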

BernieWhite commented 6 months ago

@Marc013 To assign a policy definition normally you would need to provide a value for the parameter. What is being set in the assignment or initiative?

Marc013 commented 6 months ago

@Bernie, I was informed this policy was not correctly used (value 443 was provided as parameter input) and will be removed shortly.