Azure / azure-cli

Azure Command-Line Interface
MIT License

`az policy definition create` unexpectedly rejects policy definition JSON which Portal and New-AzPolicyDefinition accept #28377

Closed MatthewMWR closed 2 months ago

MatthewMWR commented 7 months ago

Describe the bug

Using this policy definition json, I can successfully create a policy definition using Azure Portal (Policy > Definitions > Add) or Az PowerShell (New-AzPolicyDefinition), but az policy definition create fails with the following:

~ > az policy definition create --name "[Preview] SSH Posture Control policy" --rules https://raw.githubusercontent.com/Azure/azure-osconfig/main/src/adapters/mc/sshpreview/OsConfigPolicy_DeployIfNotExists.json
(InvalidPolicyRule) Failed to parse policy rule: 'Could not find member 'properties' on object of type 'PolicyRuleDefinition'. Path 'properties'.'.
Code: InvalidPolicyRule
Message: Failed to parse policy rule: 'Could not find member 'properties' on object of type 'PolicyRuleDefinition'. Path 'properties'.'..

I have tried providing the JSON by URL, or by file. I have not tried inline as this is a complex JSON and cmdline escaping would be madness. I concede this could be user error. Perhaps this command is expecting different input than its Portal and PowerShell parallels?

Thanks

Related command

az policy definition create

Errors

(InvalidPolicyRule) Failed to parse policy rule: 'Could not find member 'properties' on object of type 'PolicyRuleDefinition'. Path 'properties'.'. Code: InvalidPolicyRule Message: Failed to parse policy rule: 'Could not find member 'properties' on object of type 'PolicyRuleDefinition'. Path 'properties'.'..

Issue script & Debug output

~ > az policy definition create --name "[Preview] SSH Posture Control policy" --rules https://raw.githubusercontent.com/Azure/azure-osconfig/main/src/adapters/mc/sshpreview/OsConfigPolicy_DeployIfNotExists.json --debug

Expected behavior

Policy definition should be created

Environment Summary

~ > az --version
azure-cli                         2.57.0

core                              2.57.0
telemetry                          1.1.0

Extensions:
ai-examples                        0.2.5
azure-iot                        0.10.13
ml                                2.22.0
ssh                                2.0.2

Dependencies:
msal                              1.26.0
azure-mgmt-resource             23.1.0b2

Python location '/usr/bin/python3.9'
Extensions directory '/home/matthew/.azure/cliextensions'
Extensions system directory '/usr/lib/python3.9/site-packages/azure-cli-extensions'

Python (Linux) 3.9.14 (main, Oct 12 2023, 19:48:32) 
[GCC 11.2.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

yonzhan commented 7 months ago

Thank you for opening this issue, we will look into it.

MatthewMWR commented 7 months ago

Please advise on what to expect from here. We have a customer-facing private preview impacted by this. Also, can you help me understand the significance of the bug label having been removed and the question label added? If it has been confirmed this is not a bug but some kind of user error, please advise what the user error was.

MatthewMWR commented 5 months ago

Hi @yonzhan, friendly bump on this.

zioproto commented 3 months ago

This is a known issue:

The example in the docs shows:

az policy definition create --name readOnlyStorage --rules "{ \"if\": \
    { \"field\": \"type\", \"equals\": \"Microsoft.Storage/storageAccounts/write\" }, \
        \"then\": { \"effect\": \"deny\" } }"

What is passed to the --rules argument is not the complete JSON file, but only the policyRule block.
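The distinction described in this answer, as an added example that is not part of the thread or of azure-cli: a Python helper that takes a full definition in the `{"properties": {...}}` shape, extracts the `policyRule` block for `--rules`, and maps the sibling fields to their own `az policy definition create` arguments. The sample definition, the policy name and the file names are constructed for illustration.

```python
import json
import shlex
import tempfile
from pathlib import Path

# Constructed sample: a trimmed full definition in the same wrapper shape as
# the file in the issue (not the real file).
SAMPLE_DEFINITION = {
    "properties": {
        "displayName": "[Preview] SSH Posture Control policy",
        "policyType": "Custom",
        "mode": "Indexed",
        "description": "Constructed sample description",
        "parameters": {
            "IncludeArcMachines": {"type": "string", "defaultValue": "false"}
        },
        "policyRule": {
            "if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            "then": {"effect": "deployIfNotExists"},
        },
    }
}


def split_definition(definition):
    """Return the parts of a definition that map to separate CLI arguments."""
    if "if" in definition and "then" in definition:
        # Already a bare rule: nothing to unwrap.
        props = {"policyRule": definition}
    else:
        # Accept the {"properties": {...}} wrapper or a bare properties object.
        props = definition.get("properties", definition)
    rule = props.get("policyRule")
    if not isinstance(rule, dict) or "if" not in rule or "then" not in rule:
        raise ValueError("no policyRule block with 'if' and 'then' found")
    return {
        "rules": rule,
        "params": props.get("parameters"),
        "mode": props.get("mode"),
        "display_name": props.get("displayName"),
        "description": props.get("description"),
    }


def build_az_argv(name, definition, workdir):
    """Write rules/params to files in workdir and return the az argument list."""
    parts = split_definition(definition)
    workdir = Path(workdir)
    rules_file = workdir / "rules.json"
    rules_file.write_text(json.dumps(parts["rules"], indent=2))
    argv = ["az", "policy", "definition", "create",
            "--name", name, "--rules", str(rules_file)]
    if parts["params"]:
        params_file = workdir / "params.json"
        params_file.write_text(json.dumps(parts["params"], indent=2))
        argv += ["--params", str(params_file)]
    # The definition's metadata object is not mapped here: --metadata takes
    # space-separated key=value pairs, not a nested JSON object.
    for flag, key in (("--mode", "mode"),
                      ("--display-name", "display_name"),
                      ("--description", "description")):
        if parts[key]:
            argv += [flag, parts[key]]
    return argv


if __name__ == "__main__":
    out_dir = tempfile.mkdtemp()
    # "ssh-posture-control" is a constructed policy name.
    print(shlex.join(build_az_argv("ssh-posture-control", SAMPLE_DEFINITION, out_dir)))
```

Sending the whole file to `--rules` is what produces the nested `properties` member that the service rejects with `InvalidPolicyRule`; the helper raises `ValueError` before any request is made if no usable `policyRule` block is present.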

MatthewMWR commented 2 months ago

Thank you for the clarification. I was assuming it would want the same input as portal and powershell workflows. Now I see the distinction.