BrandenConnell-0687 asked bharathn-msft answered

Azure Policy with Terraform Error: The policy effect 'details' property could not be parsed.

I am trying to add our own custom policies in Terraform, but keep running into this error when trying to add more than one variable.
╷
│ Error: creating/updating Policy Definition "k8s_seccomp_governance": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidPolicyRuleEffectDetails" Message="The policy definition 'k8s_seccomp_governance' rule is invalid. The policy effect 'details' property could not be parsed."
│ 
│   with azurerm_policy_definition.k8s_seccomp_governance,
│   on policy_definitions.tf line 1, in resource "azurerm_policy_definition" "k8s_seccomp_governance":
│    1: resource "azurerm_policy_definition" "k8s_seccomp_governance" {
│ 
╵
If I load the json into azure cli in the same format, I get no errors and everything works fine.

Code:

resource "azurerm_policy_definition" "k8s_seccomp_governance" {
  name         = "k8s_seccomp_governance"
  description  = "Kubernetes cluster containers should only use allowed seccomp profiles"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "AMPS K8s Seccomp Governance"

  metadata = <<METADATA
    {
    "category": "Kubernetes",
    "version": "1.0.0"
    }

METADATA

  policy_rule = <<POLICY_RULE
    {
      "if": {
        "field": "type",
        "in": ["AKS Engine", "Microsoft.Kubernetes/connectedClusters", "Microsoft.ContainerService/managedClusters"]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/template.yaml",
          "constraint": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/constraint.yaml",
          "excludedNamespaces": "[parameters('excludedNamespaces')]"
        }
      }
    }

POLICY_RULE

  parameters = <<PARAMETERS
  {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
      },
      "allowedValues": ["audit", "deny","disabled"],
      "defaultValue": "audit"
    },
    "excludedNamespaces": {
      "type": "Array",
      "metadata": {
        "displayName": "Namespace exclusions",
        "description": "List of Kubernetes namespaces to exclude from policy evaluation."
      },
      "defaultValue": ["kube-system", "gatekeeper-system", "azure-arc"]
    }
  }
PARAMETERS

}
azure-policy

If I do not include description, I get this error:

╷
│ Error: creating/updating Policy Definition "k8s_seccomp_governance": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="UnusedPolicyParameters" Message="The policy 'k8s_seccomp_governance' has defined parameters 'excludedNamespaces' which are not used in the policy rule. Please either remove these parameters from the definition or ensure that they are used in the policy rule."
│ 
│   with azurerm_policy_definition.k8s_seccomp_governance,
│   on policy_definitions.tf line 1, in resource "azurerm_policy_definition" "k8s_seccomp_governance":
│    1: resource "azurerm_policy_definition" "k8s_seccomp_governance" {
│ 
╵
BrandenConnell-0687 answered bharathn-msft commented

Never mind, I was able to fix this by updating mode = "All" to mode = "Microsoft.Kubernetes.Data"

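To catch both of the service-side rejections from this thread before `terraform apply` ever reaches the Azure Policy API, the following added example (my own code, not from the thread or from the azurerm provider) lints the policy_rule and parameters JSON locally. It flags a Kubernetes-style `details` block under any mode other than `Microsoft.Kubernetes.Data` (the fix above), and any declared parameter that is never referenced as `parameters('<name>')` in the rule (the `UnusedPolicyParameters` error). The set of Kubernetes `details` keys beyond the three on the page is an assumption drawn from the Gatekeeper details fields; the sample rule and parameters are the ones posted in the question, embedded as Python dicts so the script runs offline.

```python
"""Pre-flight lint for an Azure Policy definition before `terraform apply`.

Added example (not from the thread). It turns the two service-side 400s
seen in the thread into local checks that can run in CI:
  InvalidPolicyRuleEffectDetails -> Kubernetes-style 'details' under a
                                    mode other than Microsoft.Kubernetes.Data
  UnusedPolicyParameters         -> a declared parameter never referenced
                                    as parameters('<name>') in the rule
"""
import re
from typing import Any, Dict, List, Set

K8S_MODE = "Microsoft.Kubernetes.Data"
# 'details' keys that belong to the Kubernetes resource-provider mode. The
# first three appear in the thread; the rest are the other Gatekeeper details
# fields (assumed here; extend the set if your definitions use more).
K8S_DETAILS_KEYS = {"constraintTemplate", "constraint", "excludedNamespaces",
                    "namespaces", "labelSelector", "apiGroups", "kinds", "values"}
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")


def referenced_parameters(node: Any) -> Set[str]:
    """Walk the rule JSON and collect every parameters('x') reference."""
    found: Set[str] = set()
    if isinstance(node, str):
        found.update(PARAM_REF.findall(node))
    elif isinstance(node, dict):
        for value in node.values():
            found |= referenced_parameters(value)
    elif isinstance(node, list):
        for value in node:
            found |= referenced_parameters(value)
    return found


def lint_definition(mode: str, policy_rule: Dict[str, Any],
                    parameters: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the definition passes."""
    problems: List[str] = []
    details = policy_rule.get("then", {}).get("details") or {}
    k8s_keys = K8S_DETAILS_KEYS & set(details)
    if k8s_keys and mode != K8S_MODE:
        problems.append(
            f"InvalidPolicyRuleEffectDetails: 'details' uses {sorted(k8s_keys)} "
            f"but mode is {mode!r}; set mode = \"{K8S_MODE}\"")
    unused = set(parameters) - referenced_parameters(policy_rule)
    if unused:
        problems.append(
            f"UnusedPolicyParameters: {sorted(unused)} declared but never "
            f"referenced as parameters('<name>') in the policy rule")
    return problems


# The policy_rule and parameters heredocs from the question, as Python dicts.
POLICY_RULE = {
    "if": {"field": "type",
           "in": ["AKS Engine", "Microsoft.Kubernetes/connectedClusters",
                  "Microsoft.ContainerService/managedClusters"]},
    "then": {
        "effect": "[parameters('effect')]",
        "details": {
            "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/template.yaml",
            "constraint": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/constraint.yaml",
            "excludedNamespaces": "[parameters('excludedNamespaces')]",
        },
    },
}
PARAMETERS = {
    "effect": {"type": "String", "allowedValues": ["audit", "deny", "disabled"],
               "defaultValue": "audit"},
    "excludedNamespaces": {"type": "Array",
                           "defaultValue": ["kube-system", "gatekeeper-system", "azure-arc"]},
}
# Constructed variant: the 'details' block dropped, so excludedNamespaces is
# declared but no longer referenced (the second error in the thread).
RULE_WITHOUT_DETAILS = {"if": POLICY_RULE["if"],
                        "then": {"effect": "[parameters('effect')]"}}

if __name__ == "__main__":
    for label, mode, rule in [("as posted", "All", POLICY_RULE),
                              ("mode fixed", K8S_MODE, POLICY_RULE),
                              ("details removed", K8S_MODE, RULE_WITHOUT_DETAILS)]:
        print(f"{label}: {lint_definition(mode, rule, PARAMETERS) or 'OK'}")
```

Run it as a step in the pipeline that validates the `.tf` heredocs (after `json.loads` on each) so the two failures are reported with the offending keys instead of as a bare HTTP 400 from CreateOrUpdate.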

Glad to hear you got the fix @BrandenConnell-0687. Thank you for sharing it here for broader community usage.


Is there a documented resource that shares all available parameters for every type of Mode? I've been going through Azure documentation and cannot find a good resource.

bharathn-msft (replying to BrandenConnell-0687):

@BrandenConnell-0687 - Apologies for the delay in getting back to you. Regarding your query around documentation for the available parameters for each type of mode, I was able to come across this documentation. Hope this helps.

If you have any further queries please let us know. Thank you

bharathn-msft answered

Thanks again @BrandenConnell-0687 for your queries and helping the community members.

<<Sharing this information from the comments here for broader community usage>>

Details on the different types of the "Mode" element within the policy definition have been documented here. Please review it.

Let us know if you have any further queries. Thank you
