Built-in Azure Policy definition for Key Vault: name length is > 64 characters, which is the limit in Microsoft Azure Policy as well as Git

Naveen Begur nagaraj 121 Reputation points
2021-07-06T05:46:20.88+00:00

We are planning to use an Azure built-in policy via an Azure DevOps pipeline for assignment, but it is failing because the name length is exceeded.

Could anyone please help me with how to handle this in our Azure DevOps pipeline for assignment?

Error from Azure devops pipeline job:

2021-07-05T12:27:24.9375507Z ##[error]InvalidPolicyDefinitionName : The policy definition name '[Preview]: Certificates should have the specified maximum validity period' is invalid. The policy definition name length must not exceed '64' characters.
CorrelationId: 47af344c-4680-4404-9f9b-4d2e0d9e22a6
2021-07-05T12:27:25.0900275Z ##[error]PowerShell exited with code '1'.

Built-in policy used is: [Preview]: Certificates should have the specified maximum validity period

Accepted answer
  1. Siva-kumar-selvaraj 15,721 Reputation points
    2021-07-06T18:53:43.457+00:00

    Hello @Naveen Begur nagaraj ,

    Thanks for reaching out.

    Could you please confirm: are you creating a "New Policy definition" or assigning an existing policy?

    Looking at the above error, it appears that the pipeline is creating a new policy definition with a definition Name parameter value that exceeds 64 characters, rather than assigning an existing policy.

    You must use New-AzPolicyDefinition to create a policy definition and New-AzPolicyAssignment for a policy assignment, so could you please confirm which PowerShell cmdlets you used within the Azure DevOps pipeline for the assignment?

    Here are some examples for creating a new policy definition and a policy assignment:

    Example: Create a policy definition

    New-AzPolicyDefinition -Name 'VMPolicyDefinition' -DisplayName 'Virtual Machine policy definition' -Policy '{"if":{"field":"type","equals":"Microsoft.Compute/virtualMachines"},"then":{"effect":"deny"}}'  
    

    Example: Policy assignment

    $definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq '[Preview]: Certificates should have the specified maximum validity period'}   
    New-AzPolicyAssignment -Name "DenyKeyVaultCert"  -PolicyDefinition $definition  
    

    *Note: You can assign a built-in policy definition directly rather than creating a new one; the following is one of the built-in policy definitions: [Preview]: Certificates should have the specified maximum validity period *

    In the above cmdlets, in both examples, the policy definition Display Name has a length limit of 128 characters and the policy Definition Resource Name has a limit of 64 characters.

    Policy Definition Display Name:
    (screenshot: 112265-image.png)

    Policy Definition Resource Name:
    (screenshot: 112259-image.png)

    This limitation is by design and you need to limit the name accordingly. Please refer to this article for reference.

    So please make sure you don't exceed the maximum allowed character length for the Display Name and the policy Definition Resource Name while creating/assigning a policy definition.

    It's worth referring to this article: https://techcommunity.microsoft.com/t5/azure-paas-blog/azure-policy-perform-policy-operations-through-azure-devops/ba-p/2045515

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

3 additional answers

Sort by: Most helpful
  1. Naveen Begur nagaraj 121 Reputation points
    2021-07-07T09:25:32.297+00:00

    @sikumars-msft ,
    Thank you very much for the update.

    What am I doing?

    1. I am trying to assign an existing policy.
    2. I am using a PowerShell script to assign the existing policy.
    3. I am getting the policy definition name list from a notepad file, and I use that name ($policydefname) to fetch the policy definition details ($selected = Get-AzPolicyDefinition -Name $policyDefname).
      - While fetching the Azure policy definition I am getting the error:
      "InvalidPolicyDefinitionName : The policy definition name '[Preview]: Certificates should have
      the specified maximum validity period' is invalid. The policy definition name length must not
      exceed '64' characters.
               CorrelationId: 47af344c-4680-4404-9f9b-4d2e0d9e22a6
               PowerShell exited with code '1'."

    4. Once the policy definition details are fetched, I assign that policy to the subscription, MG or resource group (New-AzPolicyAssignment -Name $policyDefname -PolicyDefinition $selected -Scope $resourcegroupID -PolicyParameter "$($policyDefFolder)\values.dev.json" -Location 'eastus' -AssignIdentity).

    My code:

    param(
        [Parameter(Mandatory=$false)][String]$policyAssignmentRG,
        [Parameter(Mandatory=$true)][String]$policyDefRootFolder,
        [Parameter(Mandatory=$false)][String]$subscriptionname,
        [Parameter(Mandatory=$false)][String]$policyDefFolder
    )

    # Text file with one policy definition name per line
    $Fullpath = Join-Path $policyDefRootFolder "Built-in-policydefinition.txt"
    $policyresourcegroup = $policyAssignmentRG
    $policysubscriptionname = $subscriptionname
    Write-Host "'$($policyresourcegroup)' and '$($policysubscriptionname)'"
    Write-Host $policyresourcegroup and $policyresourcegroup.Count
    Write-Host $policysubscriptionname and $policysubscriptionname.Count

    # Resolve the resource group scope when one was passed in
    if ($policyAssignmentRG -ne "false") {
        Write-Host "'$($policyAssignmentRG)'"
        Write-Host resource group $policyAssignmentRG.Count
        $resourcegroupID = (Get-AzResourceGroup -Name $policyAssignmentRG).ResourceId
    }

    # Resolve the subscription scope when one was passed in
    if ($subscriptionname -ne "false") {
        Write-Host "'$($subscriptionname)'"
        Write-Host subscription name: $subscriptionname.Count
        $Subscription = Get-AzSubscription -SubscriptionName $subscriptionname
    }

    foreach ($policydefname in (Get-Content -Path $Fullpath)) {
        Write-Host Processing folder: $policydefname
        $selected = Get-AzPolicyDefinition -Name $policydefname
        Write-Host Creating assignment for: $selected
        Write-Host "select release environment '$($Release.EnvironmentName)'"

        if ($resourcegroupID -ne $null) {
            Write-Host "inside forloop '$($policyAssignmentRG)'"
            New-AzPolicyAssignment -Name $policydefname -PolicyDefinition $selected -Scope $resourcegroupID -PolicyParameter "$($policyDefFolder)\values.dev.json" -Location 'eastus' -AssignIdentity
        }
        if ($Subscription -ne $null) {
            Write-Host "inside for loop1 '$($subscriptionname)'"
            # $policyDefFolder is a plain string, so $policyDefFolder.Name was always empty; use the definition name here as well
            New-AzPolicyAssignment -Name $policydefname -PolicyDefinition $selected -Scope "/subscriptions/$($Subscription.Id)" -PolicyParameter "$($policyDefFolder)\values.dev.json" -Location 'eastus' -AssignIdentity
        }
    }


  2. Siva-kumar-selvaraj 15,721 Reputation points
    2021-07-07T12:43:46.727+00:00

    Thanks for detailed information @Naveen Begur nagaraj ,

    All built-in Azure policy definition Names contain a GUID value, as shown below, hence you must use the Name GUID value when using Get-AzPolicyDefinition -Name 0a075868-4c26-42ef-914c-5bc007359560 .

    The reason it's failing is that you can't fetch a policy definition using the DisplayName, such as [Preview]: Certificates should have the specified maximum validity period ; rather, you must use the Name parameter, which is different from the DisplayName, so please update your notepad file with the GUID value of the respective policy.

    This condition is applicable to New-AzPolicyAssignment as well. Example: New-AzPolicyAssignment -Name 0a075868-4c26-42ef-914c-5bc007359560 -PolicyDefinition $selected -Scope $resourcegroupID -PolicyParameter "$($policyDefFolder)\values.dev.json" -Location 'eastus' -AssignIdentity

    (screenshot: 112575-image.png)

    Hope this helps.

    ------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

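The two answers above make two separate points: built-in definitions are addressed by their GUID Name (the DisplayName is only a label), and both the definition Name and the assignment Name are capped at 64 characters. The script below is an added example, not code from the thread or from Microsoft; it assumes the Az.Resources module (Get-AzPolicyDefinition, New-AzPolicyAssignment) and an already established Connect-AzAccount session. It accepts either a GUID or a display name from the notepad file, resolves it to the built-in definition client-side so the service never sees an over-long Name, and derives an assignment name from the GUID rather than from the display name. The function names, the `pa-` prefix and the `my-rg` scope in the usage comment are assumptions made for the example.

```powershell
# Added example (not from the thread): resolve a built-in policy definition by
# GUID or display name, respect the name-length limits, then assign it.
# Assumes Az.Resources and an existing Connect-AzAccount session.

Set-StrictMode -Version Latest

$MaxDefinitionNameLength = 64    # resource name limit quoted in the pipeline error
$MaxDisplayNameLength    = 128   # display name limit quoted in the accepted answer

function Resolve-PolicyDefinition {
    param([Parameter(Mandatory)][string]$NameOrDisplayName)

    # Built-in definitions are named by GUID; a GUID can be fetched with -Name directly.
    $guid = [guid]::Empty
    if ([guid]::TryParse($NameOrDisplayName, [ref]$guid)) {
        return Get-AzPolicyDefinition -Name $NameOrDisplayName
    }

    # Anything else is treated as a DisplayName and matched on the client side,
    # which avoids the InvalidPolicyDefinitionName error from the thread.
    # (Older Az.Resources exposes DisplayName under .Properties, as in the answer.)
    if ($NameOrDisplayName.Length -gt $MaxDisplayNameLength) {
        throw "Display name exceeds $MaxDisplayNameLength characters: '$NameOrDisplayName'"
    }
    $match = Get-AzPolicyDefinition -Builtin |
        Where-Object { $_.Properties.DisplayName -eq $NameOrDisplayName }
    if (-not $match) {
        throw "No built-in policy definition with display name '$NameOrDisplayName'."
    }
    if (@($match).Count -gt 1) {
        throw "Display name '$NameOrDisplayName' is ambiguous; use the GUID instead."
    }
    return $match
}

function New-ShortAssignmentName {
    # Assignment names share the 64-character limit, so build one from a short
    # prefix plus the definition GUID, never from the display name.
    param([Parameter(Mandatory)][string]$Prefix,
          [Parameter(Mandatory)][string]$DefinitionName)
    $name = "$Prefix-$DefinitionName"
    if ($name.Length -gt $MaxDefinitionNameLength) {
        $name = $name.Substring(0, $MaxDefinitionNameLength)
    }
    return $name
}

function Set-BuiltInPolicyAssignment {
    param(
        [Parameter(Mandatory)][string]$NameOrDisplayName,
        [Parameter(Mandatory)][string]$Scope,      # e.g. a resource group ResourceId
        [string]$ParameterFile,                     # e.g. values.dev.json (optional)
        [string]$Prefix = 'pa',                     # assumed prefix for this example
        [string]$Location = 'eastus'
    )
    $definition     = Resolve-PolicyDefinition -NameOrDisplayName $NameOrDisplayName
    $assignmentName = New-ShortAssignmentName -Prefix $Prefix -DefinitionName $definition.Name

    # Splat the parameters so the optional parameter file is only passed when set.
    $params = @{
        Name             = $assignmentName
        PolicyDefinition = $definition
        Scope            = $Scope
        Location         = $Location
        AssignIdentity   = $true
    }
    if ($ParameterFile) { $params.PolicyParameter = $ParameterFile }
    return New-AzPolicyAssignment @params
}

# Usage, e.g. inside the pipeline's foreach loop over Built-in-policydefinition.txt
# ('my-rg' is a placeholder resource group name):
# Set-BuiltInPolicyAssignment -NameOrDisplayName '[Preview]: Certificates should have the specified maximum validity period' `
#     -Scope (Get-AzResourceGroup -Name 'my-rg').ResourceId `
#     -ParameterFile "$policyDefFolder\values.dev.json"
```

Because the notepad file can now hold either GUIDs or display names, the file does not need to be rewritten in one go; lines that already carry the GUID take the direct `-Name` path, while display-name lines are matched locally. Newer Az.Resources releases expose `DisplayName` directly on the definition object rather than under `.Properties`, so adjust the `Where-Object` filter if the module in the pipeline agent is newer than the one used in the thread.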

  3. Naveen Begur nagaraj 121 Reputation points
    2021-07-07T13:22:33.543+00:00

    @sikumars-msft ,
    Thank you for the information; it is very useful and now my DevOps pipeline is working fine.

