NaveenBegurnagaraj-6327 asked:

Built-in Azure policy definition for Key Vault: name length is > 64 characters, which is the limit in Microsoft Azure Policy as well as Git

We are planning to assign an Azure built-in policy via an Azure DevOps pipeline, but it is failing because the name length is exceeded.

Could anyone please help me handle this in our Azure DevOps pipeline for assignment?

Error from the Azure DevOps pipeline job:

2021-07-05T12:27:24.9375507Z ##[error]InvalidPolicyDefinitionName : The policy definition name '[Preview]: Certificates should have the specified maximum validity period' is invalid. The policy definition name length must not exceed '64' characters.
CorrelationId: 47af344c-4680-4404-9f9b-4d2e0d9e22a6
2021-07-05T12:27:25.0900275Z ##[error]PowerShell exited with code '1'.

The built-in policy used is: [Preview]: Certificates should have the specified maximum validity period

azure-key-vault

sikumars answered:

Hello @NaveenBegurnagaraj-6327,

Thanks for reaching out.

Could you please confirm: are you creating a new policy definition or assigning an existing policy?

Looking at the above error, it appears the pipeline is creating a new policy definition with a definition Name parameter value that exceeds 64 characters, rather than assigning an existing policy.

You must use New-AzPolicyDefinition to create a policy definition and New-AzPolicyAssignment for policy assignment, so could you please confirm which PowerShell cmdlets you used within the Azure DevOps pipeline for assignment?

Here are some examples of creating a new policy definition and a policy assignment:

Example: Create a policy definition

 New-AzPolicyDefinition -Name 'VMPolicyDefinition' -DisplayName 'Virtual Machine policy definition' -Policy '{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"deny"}}'

Example: Policy assignment

 $definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq '[Preview]: Certificates should have the specified maximum validity period' }
 New-AzPolicyAssignment -Name "DenyKeyVaultCert" -PolicyDefinition $definition

Note: You can assign a built-in policy definition directly rather than creating a new one; the following is one of the built-in policy definitions: [Preview]: Certificates should have the specified maximum validity period

In the cmdlets in both examples above, the policy definition DisplayName has a length limit of 128 characters and the policy definition resource Name has a limit of 64 characters.

Policy Definition Display Name: (screenshot attached)

Policy Definition Resource Name: (screenshot attached)


This limitation is by design, and you need to limit the name accordingly. Please refer to this article for reference.

So please make sure you don't exceed the maximum allowed character length for the DisplayName and the policy definition resource Name while creating/assigning a policy definition.

It's worth referring to this article: https://techcommunity.microsoft.com/t5/azure-paas-blog/azure-policy-perform-policy-operations-through-azure-devops/ba-p/2045515

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


NaveenBegurnagaraj-6327 answered:

@sikumars-msft,
Thank you for the information, it is very useful and now my DevOps pipeline is working fine.

sikumars commented:

Glad that the above issue is resolved :)

sikumars answered:

Thanks for the detailed information @NaveenBegurnagaraj-6327,

All built-in Azure policy definition Names contain a GUID value, as shown below, hence you must use the GUID value as the Name when using Get-AzPolicyDefinition -Name 0a075868-4c26-42ef-914c-5bc007359560.

The reason it's failing is that you can't fetch a policy definition by using the DisplayName, such as [Preview]: Certificates should have the specified maximum validity period; rather, you must use the Name parameter, which is different from the DisplayName. So please update your notepad file with the GUID value of the respective policy.

This condition is applicable to New-AzPolicyAssignment as well. Example:

 New-AzPolicyAssignment -Name 0a075868-4c26-42ef-914c-5bc007359560 -PolicyDefinition $selected -Scope $resourcegroupID -PolicyParameter "$($policyDefFolder)\values.dev.json" -Location 'eastus' -AssignIdentity

(screenshot attached)

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


NaveenBegurnagaraj-6327 answered:

@sikumars-msft,
Thank you very much for the update.

What am I doing?

  1. I am trying to assign an existing policy.

  2. I am using a PowerShell script to assign the existing policy.

  3. I am getting the policy definition name list from the notepad file, and I use that name ($policydefname) to fetch the policy definition details ($selected = Get-AzPolicyDefinition -Name $policyDefname).
     - While fetching the Azure policy definition I am getting the error:
       "InvalidPolicyDefinitionName : The policy definition name '[Preview]: Certificates should have the specified maximum validity period' is invalid. The policy definition name length must not exceed '64' characters.
       CorrelationId: 47af344c-4680-4404-9f9b-4d2e0d9e22a6
       PowerShell exited with code '1'."

  4. Once the policy definition details are fetched, I assign that policy to the subscription, MG or resource group (New-AzPolicyAssignment -Name $policyDefname -PolicyDefinition $selected -Scope $resourcegroupID -PolicyParameter "$($policyDefFolder)\values.dev.json" -Location 'eastus' -AssignIdentity).


My code:

param(
    [Parameter(Mandatory=$false)][String]$policyAssignmentRG,
    [Parameter(Mandatory=$true)][String]$policyDefRootFolder,
    [Parameter(Mandatory=$false)][String]$subscriptionname,
    [Parameter(Mandatory=$false)][String]$policyDefFolder
)

# Text file with one built-in policy definition name per line
$Fullpath = Join-Path $policyDefRootFolder "Built-in-policydefinition.txt"
$policyresourcegroup = $policyAssignmentRG
$policysubscriptionname = $subscriptionname
write-host "'$($policyresourcegroup)' and '$($policysubscriptionname)'"
write-host $policyresourcegroup and $policyresourcegroup.count
write-host $policysubscriptionname and $policysubscriptionname.count

# Resolve the resource group scope when one was passed in
if ($policyAssignmentRG -ne "false")
{
    Write-host "'$($policyAssignmentRG)'"
    write-host resource group $policyAssignmentRG.count
    $resourcegroupID = ((Get-AzResourceGroup -Name $policyAssignmentRG).ResourceId)
}

# Resolve the subscription when one was passed in
if ($subscriptionname -ne "false")
{
    Write-host "'$($subscriptionname)'"
    write-host subscription name: $subscriptionname.count
    $Subscription = Get-AzSubscription -SubscriptionName $subscriptionname
}

foreach ($policydefname in (Get-Content -Path $Fullpath)) {

    Write-Host Processing folder: $policydefname
    # Look up the definition by the name read from the file
    $selected = Get-AzPolicyDefinition -Name $policydefname
    Write-Host Creating assignment for: $selected
    write-host "select release environment '$($Release.EnvironmentName)'"

    if ($resourcegroupID -ne $null)
    {
        Write-host "inside forloop '$($policyAssignmentRG)'"
        New-AzPolicyAssignment -Name $policydefname -PolicyDefinition $selected -Scope $resourcegroupID -PolicyParameter "$($policyDefFolder)\values.dev.json" -Location 'eastus' -AssignIdentity
    }
    if ($Subscription -ne $null)
    {
        Write-host "inside for loop1 '$($subscriptionname)'"
        # $policyDefFolder is a string and has no .Name property; use the definition name read from the file
        New-AzPolicyAssignment -Name $policydefname -PolicyDefinition $selected -Scope "/subscriptions/$($Subscription.Id)" -PolicyParameter "$($policyDefFolder)\values.dev.json" -Location 'eastus' -AssignIdentity
    }
}
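The thread above boils down to one point: a built-in definition's resource Name is a GUID, its human-readable title is the DisplayName, and the 64-character limit applies to the Name you pass to Get-AzPolicyDefinition and New-AzPolicyAssignment. The following script is an added example, not the original poster's script or Microsoft's, showing how a pipeline can keep a file of DisplayNames (which is what the poster's notepad file held), resolve each to its GUID-named built-in definition, check the resulting assignment name against the 64-character limit quoted in the thread, and skip definitions already assigned at the scope. The parameter names, the input-file layout and the parameter-file path are assumptions of this example; it relies on Get-AzPolicyDefinition -Builtin, Get-AzPolicyAssignment and New-AzPolicyAssignment from the Az.Resources module and on an already authenticated session.

```powershell
# Added example (not the original poster's or Microsoft's code): assign built-in
# policy definitions selected by DisplayName, using each definition's GUID Name
# as the assignment name so the 64-character limit is never exceeded.
# Assumptions: Az.Resources is loaded and Connect-AzAccount has been run;
# $DisplayNameFile holds one built-in DisplayName per line (hypothetical layout);
# $ParameterFile, when given, is a policy parameter JSON file.
param(
    [Parameter(Mandatory = $true)][string]$DisplayNameFile,
    [Parameter(Mandatory = $true)][string]$Scope,          # e.g. /subscriptions/<id>/resourceGroups/<rg>
    [Parameter(Mandatory = $false)][string]$ParameterFile,
    [string]$Location = 'eastus'
)

# Limit for the definition resource Name / assignment Name quoted in the thread.
$MaxNameLength = 64

# Fetch the built-in catalogue once. Each definition's Name is a GUID; the
# title shown in the portal is Properties.DisplayName.
$builtIn = Get-AzPolicyDefinition -Builtin

foreach ($rawLine in (Get-Content -Path $DisplayNameFile)) {
    $displayName = $rawLine.Trim()
    if (-not $displayName) { continue }   # skip blank lines

    # Resolve DisplayName -> definition. DisplayName is not guaranteed unique,
    # so refuse ambiguous matches instead of assigning the wrong definition.
    $matches = @($builtIn | Where-Object { $_.Properties.DisplayName -eq $displayName })
    if ($matches.Count -eq 0) {
        Write-Warning "No built-in definition with DisplayName '$displayName'; skipping."
        continue
    }
    if ($matches.Count -gt 1) {
        Write-Warning "DisplayName '$displayName' matched $($matches.Count) definitions; skipping."
        continue
    }
    $definition = $matches[0]

    # The GUID Name is unique, stable and 36 characters long, so it is a safe
    # assignment name; the check below documents the limit explicitly anyway.
    $assignmentName = $definition.Name
    if ($assignmentName.Length -gt $MaxNameLength) {
        Write-Warning "Assignment name '$assignmentName' exceeds $MaxNameLength characters; skipping."
        continue
    }

    # Idempotency: do not create a duplicate assignment on re-runs of the pipeline.
    $existing = Get-AzPolicyAssignment -Scope $Scope -PolicyDefinitionId $definition.PolicyDefinitionId -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Already assigned at $($Scope): $displayName ($assignmentName)"
        continue
    }

    # Splat the parameters; DisplayName (up to 128 characters) keeps the
    # assignment readable in the portal while Name stays within 64 characters.
    $assignmentParams = @{
        Name             = $assignmentName
        DisplayName      = $displayName
        PolicyDefinition = $definition
        Scope            = $Scope
        Location         = $Location
        AssignIdentity   = $true
    }
    if ($ParameterFile) { $assignmentParams['PolicyParameter'] = $ParameterFile }

    Write-Host "Assigning '$displayName' as '$assignmentName' at $($Scope)"
    New-AzPolicyAssignment @assignmentParams
}
```

Resolving by DisplayName keeps the input file readable for reviewers, while the GUID Name is what actually gets sent to the API, so the pipeline no longer depends on a long title fitting into a 64-character field. Failing closed on zero or multiple matches matters in a policy pipeline: silently assigning a different definition than intended weakens the control without anyone noticing.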