search

microsoft / PSRule

Validate infrastructure as code (IaC) and objects using PowerShell rules.
https://microsoft.github.io/PSRule/v2/
MIT License
386 stars 49 forks source link

Cast exception when expanding the union of an array and an AccessPolicyEntry[] #1670

Closed Werewolfkiss closed 9 months ago

Werewolfkiss commented 10 months ago

Description of the issue

Get a cast exception when trying to union a keyvault access policy.

To Reproduce

Have bicep template trying to add an access policy to a keyvault while preserving existing policies. In the below bicep if you replace the accessPolicies param with either existingAccessPolicies or newAccessPolicies the expansion works fine.

var newAccessPolicies = [
  {
    tenantId: azurefunction.outputs.identity.tenantId
    objectId: azurefunction.outputs.identity.principalId
    permissions: {
      keys: [
        'Get'
        'List'
      ]
      secrets: [
        'Get'
        'List'
      ]
      certificates: []
    }
  }
]

resource keyvault 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
  scope: resourcegroup
  name: vaultName
}

var existingAccessPolicies = keyvault.properties.accessPolicies
var accessPolicies = union(existingAccessPolicies, newAccessPolicies)

@description('Sets the access policies for the OnBoard keyvault')
module ap '../../../features/Security/Key Vault/v1.2/templates/keyvault.accesspolicies.bicep' = {
  scope: resourcegroup
  name: format(uniqueDeployName, 'keyvaultpolicies')
  params: {
    accessPolicies: accessPolicies
    keyVaultName: vaultName
  }
}

Expected behaviour

No issues expanding template

Error output

An error occurred evaluating expression '[parameters('accessPolicies')]' line 1167. Cannot cast Newtonsoft.Json.Linq.JObject to Newtonsoft.Json.Linq.JToken.

Module in use and version:

Captured output from $PSVersionTable:

Name                           Value
----                           -----
PSVersion                      5.1.19041.3570
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.3570
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
github-actions[bot] commented 10 months ago

Thanks for raising your first issue, the team appreciates the time you have taken 😉

BernieWhite commented 10 months ago

Thanks for reporting the issue @Werewolfkiss.

Are you able to provide a sample implementation of ../../../vdl-ets-backoffice/features/Security/Key Vault/v1.2/templates/keyvault.accesspolicies.bicep that we can use to reproduce the issue?

Doesn't need to be your full internal implementation, just enough of it that fails similarly to the issue you've report. Thanks.

Werewolfkiss commented 9 months ago

@BernieWhite Yea no problem its just a module because of scope nothing else so

param keyVaultName string

param accessPolicies array

resource ap 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
  name: '${keyVaultName}/add'
  properties: {
    accessPolicies: accessPolicies
  }
}
BernieWhite commented 9 months ago

Hi @Werewolfkiss. This should be fixed in PSRule for Azure v1.32.1.