Never mind, I was able to fix this by updating mode = "All" to mode = "Microsoft.Kubernetes.Data".
Azure Policy with Terraform Error: The policy effect 'details' property could not be parsed.
I am trying to add our own custom policies in Terraform, but keep running into this error when trying to add more than one variable.
╷
│ Error: creating/updating Policy Definition "k8s_seccomp_governance": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidPolicyRuleEffectDetails" Message="The policy definition 'k8s_seccomp_governance' rule is invalid. The policy effect 'details' property could not be parsed."
│
│ with azurerm_policy_definition.k8s_seccomp_governance,
│ on policy_definitions.tf line 1, in resource "azurerm_policy_definition" "k8s_seccomp_governance":
│ 1: resource "azurerm_policy_definition" "k8s_seccomp_governance" {
│
╵
If I load the JSON into the Azure CLI in the same format, I get no errors and everything works fine.
Code:
resource "azurerm_policy_definition" "k8s_seccomp_governance" {
  name         = "k8s_seccomp_governance"
  description  = "Kubernetes cluster containers should only use allowed seccomp profiles"
  policy_type  = "Custom"
  mode         = "All" # as posted; this is the value the fix above changes to "Microsoft.Kubernetes.Data"
  display_name = "AMPS K8s Seccomp Governance"

  metadata = <<METADATA
{
  "category": "Kubernetes",
  "version": "1.0.0"
}
METADATA

  # Gatekeeper-style rule: the effect details point at a constraint template
  # and constraint in the Azure Policy store rather than at an ARM resource.
  policy_rule = <<POLICY_RULE
{
  "if": {
    "field": "type",
    "in": ["AKS Engine", "Microsoft.Kubernetes/connectedClusters", "Microsoft.ContainerService/managedClusters"]
  },
  "then": {
    "effect": "[parameters('effect')]",
    "details": {
      "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/template.yaml",
      "constraint": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/constraint.yaml",
      "excludedNamespaces": "[parameters('excludedNamespaces')]"
    }
  }
}
POLICY_RULE

  # Both parameters referenced from policy_rule must be declared here.
  parameters = <<PARAMETERS
{
  "effect": {
    "type": "String",
    "metadata": {
      "displayName": "Effect",
      "description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
    },
    "allowedValues": ["audit", "deny", "disabled"],
    "defaultValue": "audit"
  },
  "excludedNamespaces": {
    "type": "Array",
    "metadata": {
      "displayName": "Namespace exclusions",
      "description": "List of Kubernetes namespaces to exclude from policy evaluation."
    },
    "defaultValue": ["kube-system", "gatekeeper-system", "azure-arc"]
  }
}
PARAMETERS
}
Azure Policy
Branden Connell 126 Reputation points
2021-09-24T15:36:00.783+00:00
bharathn-msft 5,106 Reputation points Microsoft Employee Moderator
2021-09-30T02:16:31.46+00:00
Thanks again @Branden Connell for your queries and for helping the community members.
<<Sharing this information from the comments here for broader community usage>>
Details on the different types of the "Mode" element within the policy definition have been documented here. Please review it.
Let us know if you have any further queries. Thank you.
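The mismatch behind the question's 400 error (a Gatekeeper-style `details` block under the Resource Manager mode "All") is easy to catch locally before `terraform apply`. The following pre-flight linter is an added example, not code from the question, the answer, or Azure Policy itself: it loads the same `policy_rule` and `parameters` JSON the heredocs carry and checks the mode against the shape of the effect details, that every `[parameters('x')]` reference is declared, and that the effect's `allowedValues` are ones a Kubernetes-mode definition can apply. The rules it encodes are my reading of the Azure Policy documentation the answer points to (Kubernetes definitions use mode `Microsoft.Kubernetes.Data` with `audit`, `deny` or `disabled` effects); the sample rule and parameters are copied from the question, trimmed of their display metadata.

```python
"""Pre-flight lint for an Azure Policy definition before `terraform apply`.

Added example (not from the question, answer or Azure). The constraints below
are assumptions drawn from the Azure Policy mode documentation; treat this as
a local linter, not as the service's authoritative validation.
"""
import json
import re

# Mode for Kubernetes data-plane (Gatekeeper) definitions. Resource Manager
# modes such as "All" / "Indexed" expect Resource Manager effect details and
# reject a constraintTemplate-style details block (the page's error).
KUBERNETES_MODE = "Microsoft.Kubernetes.Data"
KUBERNETES_EFFECTS = {"audit", "deny", "disabled"}  # assumption: the effects this mode accepts
_PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")


def _is_gatekeeper_details(details):
    """True when `then.details` describes a Gatekeeper constraint template."""
    return isinstance(details, dict) and (
        "constraintTemplate" in details or "templateInfo" in details
    )


def _walk_strings(node):
    """Yield every string leaf in a nested JSON structure."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _walk_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk_strings(value)
    elif isinstance(node, str):
        yield node


def lint_policy_definition(mode, policy_rule, parameters):
    """Return a list of problems; an empty list means the definition looks deployable."""
    problems = []
    then = policy_rule.get("then", {})
    details = then.get("details")
    gatekeeper = _is_gatekeeper_details(details)

    # 1. Mode must match the shape of the effect details.
    if gatekeeper and mode != KUBERNETES_MODE:
        problems.append(
            f"mode is {mode!r} but then.details is a Gatekeeper template; "
            f"use mode = {KUBERNETES_MODE!r}"
        )
    if mode == KUBERNETES_MODE and not gatekeeper:
        problems.append("Kubernetes mode needs then.details.constraintTemplate or templateInfo")

    # 2. Every [parameters('x')] reference in the rule must be declared.
    for text in _walk_strings(policy_rule):
        for name in _PARAM_REF.findall(text):
            if name not in parameters:
                problems.append(f"policy_rule references undeclared parameter {name!r}")

    # 3. A parameterised effect may only offer values the Kubernetes mode applies.
    effect = then.get("effect")
    match = _PARAM_REF.fullmatch(effect) if isinstance(effect, str) else None
    if mode == KUBERNETES_MODE and match and match.group(1) in parameters:
        allowed = {v.lower() for v in parameters[match.group(1)].get("allowedValues", [])}
        bad = sorted(allowed - KUBERNETES_EFFECTS)
        if bad:
            problems.append(f"effect allowedValues {bad} are not valid for {KUBERNETES_MODE}")
    return problems


def lint_heredocs(mode, policy_rule_json, parameters_json):
    """Convenience wrapper taking the raw heredoc strings as Terraform holds them."""
    return lint_policy_definition(mode, json.loads(policy_rule_json), json.loads(parameters_json))


# Sample input constructed from the question's definition (display metadata dropped).
QUESTION_RULE = {
    "if": {
        "field": "type",
        "in": ["AKS Engine", "Microsoft.Kubernetes/connectedClusters",
               "Microsoft.ContainerService/managedClusters"],
    },
    "then": {
        "effect": "[parameters('effect')]",
        "details": {
            "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/template.yaml",
            "constraint": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/constraint.yaml",
            "excludedNamespaces": "[parameters('excludedNamespaces')]",
        },
    },
}
QUESTION_PARAMETERS = {
    "effect": {"type": "String", "allowedValues": ["audit", "deny", "disabled"], "defaultValue": "audit"},
    "excludedNamespaces": {"type": "Array", "defaultValue": ["kube-system", "gatekeeper-system", "azure-arc"]},
}

if __name__ == "__main__":
    for mode in ("All", KUBERNETES_MODE):
        print(mode, "->", lint_policy_definition(mode, QUESTION_RULE, QUESTION_PARAMETERS) or "ok")
```

Run it against the question's definition and the "All" mode is reported as the mismatch while `Microsoft.Kubernetes.Data` passes cleanly; the undeclared-parameter check is worth keeping because the asker's symptom ("when trying to add more than one variable") is the other common way to hit a `details` parsing failure, and Terraform will not catch either problem before the API call.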