PolicySetDefinitions

[pattisanta]

Hi I need to deploy policy initiative. I'm having an issue with looping thru policy to create the initiative. here is an example of what I have tired with one way working and the way does not work.
targetScope = 'subscription'

var parameters = {
AppServiceappsshouldbeinjectedintoavirtualnetwork: {
type: 'String'
defaultValue: 'Deny'
allowedValues: [
'Audit'
'Deny'
'Disabled'
]
metadata: {
displayName: 'App Service apps should be injected into a virtual network'
description: 'Enable or disable the execution of the policy'
}

}
AppServiceappsshoulduseaSKUthatsupportsprivatelink: {
type: 'String'
defaultValue: 'Disabled'
allowedValues: [
'Audit'
'Deny'
'Disabled'
]
metadata: {
displayName: 'App Service apps should use a SKU that supports private link'
description: 'Enable or disable the execution of the policy'
}

}
AppServiceEnvironmentshouldbeconfiguredwithstrongestTLSCiphersuites: {
type: 'String'
defaultValue: 'Audit'
allowedValues: [
'Audit'
'Disabled'
]
metadata: {
displayName: 'App Service Environment should be configured with strongest TLS Cipher suites'
description: 'Enable or disable the execution of the policy'
}
}
}

var policies = [
{
defRefId: 'App Service apps should be injected into a virtual network_1'
defId: tenantResourceId('Microsoft.Authorization/policyDefinitions' ,'72d04c29-f87d-4575-9731-419ff16a2757')
parameters: {
effect: {
value:'[parameters('AppServiceappsshouldbeinjectedintoavirtualnetwork')]'
}
}
}
{
defRefId: 'App Service apps should use a SKU that supports private link_1'
defId: tenantResourceId('Microsoft.Authorization/policyDefinitions' ,'546fe8d2-368d-4029-a418-6af48a7f61e5')
parameters: {
effect: {
value:'[parameters('AppServiceappsshoulduseaSKUthatsupportsprivatelink')]'
}
}
}
{
defRefId: 'App Service Environment should be configured with strongest TLS Cipher suites_1'
defId: tenantResourceId('Microsoft.Authorization/policyDefinitions' ,'817dcf37-e83d-4999-a472-644eada2ea1e')
parameters: {
effect: {
value:'[parameters('AppServiceEnvironmentshouldbeconfiguredwithstrongestTLSCiphersuites')]'
}
}
}
]

resource BuiltIn_Initiative 'Microsoft.Authorization/policySetDefinitions@2021-06-01' = {
name: 'MyTestPolicyInitiative'
properties: {
displayName: 'MyTestPolicyInitiative'
policyType: 'Custom'
description: 'This Initiative contains BuiltIn Policies'
metadata: {
category: 'General'
}

parameters: parameters

// If we do this, it works.
// policyDefinitions: [
//   {
//     policyDefinitionReferenceId: policies[0].defRefId
//     policyDefinitionId: policies[0].defId
//     parameters: policies[0].parameters
//   }
//   {
//     policyDefinitionReferenceId: policies[1].defRefId
//     policyDefinitionId: policies[1].defId
//     parameters: policies[1].parameters
//   }
//   {
//     policyDefinitionReferenceId: policies[2].defRefId
//     policyDefinitionId: policies[2].defId
//     parameters: policies[2].parameters
//   }
// ]

// If we do this, it doesn't work.why doesn't this work?
policyDefinitions: [for policy in policies: {
    policyDefinitionReferenceId: policy.defRefId
    policyDefinitionId: policy.defId
    parameters: policy.parameters
  }
]

}
}

Regards,
Patti

[johnlokerse]

@pattisanta Your Bicep syntax looks correct to me. What error message do you get?

I reproduced your code and deployed it to my Azure tenant, and it deploys without errors:

var policies = [
  {
    defRefId: 'App Service apps should be injected into a virtual network_1'
    defId: tenantResourceId('Microsoft.Authorization/policyDefinitions' ,'72d04c29-f87d-4575-9731-419ff16a2757')
    parameters: {
      effect: {
        value: 'deny'
      }
    }
  }
  {
    defRefId: 'App Service apps should use a SKU that supports private link_1'
    defId: tenantResourceId('Microsoft.Authorization/policyDefinitions' ,'546fe8d2-368d-4029-a418-6af48a7f61e5')
    parameters: {
      effect: {
        value: 'deny'
      }
    }
  }
  {
    defRefId: 'App Service Environment should be configured with strongest TLS Cipher suites_1'
    defId: tenantResourceId('Microsoft.Authorization/policyDefinitions' ,'817dcf37-e83d-4999-a472-644eada2ea1e')
    parameters: {
      effect: {
        value: 'deny'
      }
    }
  }
]

var policiesFor = [for policy in policies: {
  policyDefinitionReferenceId: policy.defRefId
  policyDefinitionId: policy.defId
  parameters: policy.parameters
}]

var policiesMap = map(policies, policy => {
  policyDefinitionReferenceId: policy.defRefId
  policyDefinitionId: policy.defId
  parameters: policy.parameters
})

output outOutputArrayObject array = policies
output outOutputFor array = policiesFor
output outOutputMap array = policiesMap

[pattisanta]

@johnlokerse
This is the option that I am running into the error
My question was why doesn't this work?
policyDefinitions: [for policy in policies: {
policyDefinitionReferenceId: policy.defRefId
policyDefinitionId: policy.defId
parameters: policy.parameters
}
]

This is the error that I am getting. 'The template parameter 'policy parameter name' is not found.

This one I know works.
policyDefinitions: [
{
policyDefinitionReferenceId: policies[0].defRefId
policyDefinitionId: policies[0].defId
parameters: policies[0].parameters
}
{
policyDefinitionReferenceId: policies[1].defRefId
policyDefinitionId: policies[1].defId
parameters: policies[1].parameters
}
{
policyDefinitionReferenceId: policies[2].defRefId
policyDefinitionId: policies[2].defId
parameters: policies[2].parameters
}
]

Thanks for responding,
Patti

[johnlokerse]

I tried to reproduce it with the code you provided, but could not get it to work in my tenant somehow.

I would suggest to take a look at the Enterprise Policy as Code (EPAC) framework https://azure.github.io/enterprise-azure-policy-as-code/ to manage your policies. I have done Azure Policy management in Bicep too, and my experience was horrible. It's complex and unmaintainable. EPAC really helps you make Azure Policy management easy (I love it!).