Custom Azure Policy is getting an error

Richard Duane Wolford Jr 216

I wrote a group policy for Azure where I want to force all resources to log diagnostics to an analytics workspace, but it's not working and I don't know why. The error I get when I try to create the policy is

"Failed to parse policy rule: 'Could not find member 'parameters' on object of type 'IfNotExistsEffectDetailsDefinition'. Path 'parameters'.'."

Here is the policy JSON:

Richard Duane Wolford Jr 216

Okay, for some reason the JSON didn't show up, here it is:

{ "properties": {
        "displayName": "TestSample",
        "description": "TestDescription",
        "mode": "all",
    "policyRule": {
        "if": {
            "field": "type",
            "in": [
                "Microsoft.Compute/virtualMachines",
                "Microsoft.Network/networkSecurityGroups",
                "Microsoft.Storage/storageAccounts",
                "Microsoft.Web/sites",
                "Microsoft.Sql/servers/databases"
            ]
        },
        "then": {
            "effect": "deployIfNotExists",
            "details": {
                "type": "Microsoft.Insights/diagnosticSettings",
                "existenceCondition": {
                    "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                    "equals": "[parameters('workspaceId')]"
                },
                "deployment": {
                    "properties": {
                        "mode": "incremental",
                        "template": {
                            "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                            "contentVersion": "1.0.0.0",
                            "resources": [
                                {
                                    "type": "Microsoft.Insights/diagnosticSettings",
                                    "name": "[concat(parameters('resourceName'), '/', parameters('diagnosticSettingsName'))]",
                                    "apiVersion": "2017-05-01-preview",
                                    "properties": {
                                        "workspaceId": "[parameters('workspaceId')]",
                                        "logs": [
                                            {
                                                "category": "AllLogs",
                                                "enabled": true
                                            }
                                        ],
                                        "metrics": [
                                            {
                                                "category": "AllMetrics",
                                                "enabled": true
                                            }
                                        ]
                                    }
                                }
                            ]
                        }
                    }
                },
                "parameters": {
                    "resourceName": {
                        "value": "[field('name')]"
                    },
                    "diagnosticSettingsName": {
                        "value": "AllDiagnostics"
                    },
                    "workspaceId": {
                        "value": "[parameters('workspaceId')]"
                    }
                }
            }
        }
    },
    "parameters": {
        "workspaceId": {
            "type": "String",
            "metadata": {
                "description": "The ID of the Log Analytics workspace to send diagnostics data to."
            }
        }
    }
}
}

SwathiDhanwada-MSFT 18,766 Reputation points

2023-05-09T10:47:17.22+00:00

@Richard Duane Wolford Jr Did you get chance to look into my previous comment? Kindly revert if you have further questions.
SwathiDhanwada-MSFT 18,766 Reputation points

2023-05-10T04:13:07.54+00:00

@Richard Duane Wolford Jr Hope the solution provided is helpful.

It the solution provided answers your query, kindly "Accept As Answer" as the it would be helpful for the community members who are looking for similar issue. If not, kindly provide further context on your issue and I will provide a solution accordingly.
Richard Duane Wolford Jr 216 Reputation points

2023-05-11T10:05:31.1966667+00:00

The solution doesn't help, it doesn't say why that error is occurring. Do one of those types not support "effect"? If I change "effect" to "audit", it then says the same error but about the "details" section.

SwathiDhanwada-MSFT 18,766

@Richard Duane Wolford Jr Your policy format is incorrect. The parameters section is misplaced incorrectly within your definition. Here is the updated policy definition :

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "in": [
        "Microsoft.Compute/virtualMachines",
        "Microsoft.Network/networkSecurityGroups",
        "Microsoft.Storage/storageAccounts",
        "Microsoft.Web/sites",
        "Microsoft.Sql/servers/databases"
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "existenceCondition": {
          "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
          "equals": "[parameters('workspaceId')]"
        },
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "resourceName": {
                  "type": "string"
                },
                "diagnosticSettingsName": {
                  "type": "string"
                },
                "workspaceId": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "type": "Microsoft.Insights/diagnosticSettings",
                  "name": "[concat(parameters('resourceName'), '/', parameters('diagnosticSettingsName'))]",
                  "apiVersion": "2017-05-01-preview",
                  "properties": {
                    "workspaceId": "[parameters('workspaceId')]",
                    "logs": [
                      {
                        "category": "AllLogs",
                        "enabled": true
                      }
                    ],
                    "metrics": [
                      {
                        "category": "AllMetrics",
                        "enabled": true
                      }
                    ]
                  }
                }
              ]
            }
          },
          "parameters": {
            "resourceName": {
              "value": "[field('name')]"
            },
            "diagnosticSettingsName": {
              "value": "AllDiagnostics"
            },
            "workspaceId": {
              "value": "[parameters('workspaceId')]"
            }
          }
        }
      }
    }
  },
  "parameters": {
    "workspaceId": {
      "type": "String",
      "metadata": {
        "displayName": "workspaceId",
        "description": "The ID of the Log Analytics workspace to send diagnostics data to."
      }
    }
  }
}

SwathiDhanwada-MSFT 18,766 Reputation points

2023-05-15T05:01:35.91+00:00

@Richard Duane Wolford Jr Hope the provided policy definition has provided you solution why are prompted with error. Let me know if you have further questions.

1 answer

SwathiDhanwada-MSFT 18,766

@Richard Duane Wolford Jr Thank you for posting your query. Kindly note that each Azure resource type has a unique set of categories listed in the diagnostic settings. Each resource type therefore requires a separate policy definition. Some resource types have built-in policy definitions that you can assign without modification. For other resource types, you can create a custom definition.

For list of the built-in policy definitions for resource types you have listed in your policy, you can refer this document.

For resource types that don't have a built-in policy, you need to create a custom policy definition. You could do create a new policy manually in the Azure portal by copying an existing built-in policy and then modifying it for your resource type. Alternatively, create the policy programmatically by using a script in the PowerShell Gallery.

The script Create-AzDiagPolicy creates policy files for a particular resource type that you can install by using PowerShell or the Azure CLI. Use the following procedure to create a custom policy definition for diagnostic settings:

Ensure that you have Azure PowerShell installed.

Install the script by using the following command:

Install-Script -Name Create-AzDiagPolicy

Run the script by using the parameters to specify where to send the logs. You'll be prompted to specify a subscription and resource type.

For example, to create a policy definition that sends logs to a Log Analytics workspace and an event hub, use the following command:

Create-AzDiagPolicy.ps1 -ExportLA -ExportEH -ExportDir ".\PolicyFiles"

Alternatively, you can specify a subscription and resource type in the command. For example, to create a policy definition that sends logs to a Log Analytics workspace and an event hub for SQL Server databases, use the following command:

Create-AzDiagPolicy.ps1 -SubscriptionID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -ResourceType Microsoft.Sql/servers/databases  -ExportLA -ExportEH -ExportDir ".\PolicyFiles"

The script creates separate folders for each policy definition. Each folder contains three files named azurepolicy.json, azurepolicy.rules.json, and azurepolicy.parameters.json. If you want to create the policy manually in the Azure portal, you can copy and paste the contents of azurepolicy.json because it includes the entire policy definition. Use the other two files with PowerShell or the Azure CLI to create the policy definition from a command line.

The following examples show how to install the policy definition from both PowerShell and the Azure CLI. Each example includes metadata to specify a category of Monitoring to group the new policy definition with the built-in policy definitions.

New-AzPolicyDefinition -name "Deploy Diagnostic Settings for SQL Server database to Log Analytics workspace" -policy .\Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.rules.json -parameter .\Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.parameters.json -mode All -Metadata '{"category":"Monitoring"}'

az policy definition create --name 'deploy-diag-setting-sql-database--workspace' --display-name 'Deploy Diagnostic Settings for SQL Server database to Log Analytics workspace'  --rules 'Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.rules.json' --params 'Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.parameters.json' --subscription 'AzureMonitor_Docs' --mode All

Richard Duane Wolford Jr 216 Reputation points

2023-05-10T14:04:37.49+00:00

Hi, I don't think this will help right now though, my policy file is getting an error, I can't find the source of the error? So I can't create any policies at all since my JSON isn't working.
SwathiDhanwada-MSFT 18,766 Reputation points

2023-05-11T04:39:49.6466667+00:00

@Richard Duane Wolford Jr Can you please let me know if you are using the same policy file that you have shared in your question? If so, its not the correct policy definition. If you are referring to any other policy file, kindly share the policy file and the error you are prompting with, so that I can provide a solution for the same.

SwathiDhanwada-MSFT 18,766

@Richard Duane Wolford Jr Your policy format is incorrect. The parameters section is misplaced incorrectly within your definition. Here is the updated policy definition :

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "in": [
        "Microsoft.Compute/virtualMachines",
        "Microsoft.Network/networkSecurityGroups",
        "Microsoft.Storage/storageAccounts",
        "Microsoft.Web/sites",
        "Microsoft.Sql/servers/databases"
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "existenceCondition": {
          "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
          "equals": "[parameters('workspaceId')]"
        },
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "resourceName": {
                  "type": "string"
                },
                "diagnosticSettingsName": {
                  "type": "string"
                },
                "workspaceId": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "type": "Microsoft.Insights/diagnosticSettings",
                  "name": "[concat(parameters('resourceName'), '/', parameters('diagnosticSettingsName'))]",
                  "apiVersion": "2017-05-01-preview",
                  "properties": {
                    "workspaceId": "[parameters('workspaceId')]",
                    "logs": [
                      {
                        "category": "AllLogs",
                        "enabled": true
                      }
                    ],
                    "metrics": [
                      {
                        "category": "AllMetrics",
                        "enabled": true
                      }
                    ]
                  }
                }
              ]
            }
          },
          "parameters": {
            "resourceName": {
              "value": "[field('name')]"
            },
            "diagnosticSettingsName": {
              "value": "AllDiagnostics"
            },
            "workspaceId": {
              "value": "[parameters('workspaceId')]"
            }
          }
        }
      }
    }
  },
  "parameters": {
    "workspaceId": {
      "type": "String",
      "metadata": {
        "displayName": "workspaceId",
        "description": "The ID of the Log Analytics workspace to send diagnostics data to."
      }
    }
  }
}

Richard Duane Wolford Jr 216 Reputation points

2023-05-31T17:35:34.5533333+00:00

I apologize but I've been offline for a bit. I've not worked on this change but will today.

Richard Duane Wolford Jr 216

I've written a new policy definition and am getting a different error: "Creating policy definition 'All Diagnostics' in 'Duane' failed. Failed to parse policy rule: 'Error converting value "[concat('/subscriptions/', subscription().subscriptionId)]" to type 'System.Nullable`1[Microsoft.WindowsAzure.Governance.PolicyService.Models.Evaluation.TargetScope]'. Path 'deploymentScope'.'."

{
    "properties": {
        "displayName": "Enable diagnostics for all resources",
        "policyType": "Custom",
        "mode": "All",
        "description": "Enables diagnostics for all resources in the subscription.",
        "metadata": {
            "category": "Monitoring"
        },
        "parameters": {},
        "policyRule": {
            "if": {
                "field": "type",
                "equals": "*"
            },
            "then": {
                "effect": "deployIfNotExists",
                "details": {
                    "type": "Microsoft.Insights/diagnosticSettings",
                    "name": "[concat('default-', parameters('diagnosticSettingsName'))]",
                    "existenceCondition": {
                        "allOf": [
                            {
                                "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
                                "equals": true
                            }
                        ]
                    },
                    "deploymentScope": "[concat('/subscriptions/', subscription().subscriptionId)]",
                    "properties": {
                        "workspaceId": "[parameters('workspaceId')]",
                        "logs": [
                            {
                                "category": "*",
                                "enabled": true,
                                "retentionPolicy": {
                                    "days": 0,
                                    "enabled": false
                                }
                            }
                        ]
                    }
                }
            }
        }
    }
}

Richard Duane Wolford Jr 216 Reputation points

2023-05-31T18:42:03.37+00:00

This has been scoped to a subscription btw.
Richard Duane Wolford Jr 216 Reputation points

2023-05-31T18:44:21.5733333+00:00

Oh and new error, I forgot to add the parameters, so I updated to this, but now I'm told that the "properties" entry is not allowed (the one at the very top, it has squiggles below it and that's the tooltip that pops up). Thanks again everyone, I need to get this thing up asap.

Richard Duane Wolford Jr 216

Here's the policy I ended up writing, hopefully it grabs what I need

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "*"
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "existenceCondition": {
          "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
          "equals": "[parameters('workspaceId')]"
        },
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "resourceName": {
                  "type": "string"
                },
                "diagnosticSettingsName": {
                  "type": "string"
                },
                "workspaceId": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "type": "Microsoft.Insights/diagnosticSettings",
                  "name": "[concat(parameters('resourceName'), '/', parameters('diagnosticSettingsName'))]",
                  "apiVersion": "2017-05-01-preview",
                  "properties": {
                    "workspaceId": "[parameters('workspaceId')]",
                    "logs": [
                      {
                        "category": "AllLogs",
                        "enabled": true
                      }
                    ],
                    "metrics": [
                      {
                        "category": "AllMetrics",
                        "enabled": true
                      }
                    ]
                  }
                }
              ]
            }
          },
          "parameters": {
            "resourceName": {
              "value": "[field('name')]"
            },
            "diagnosticSettingsName": {
              "value": "AllDiagnostics"
            },
            "workspaceId": {
              "value": "[parameters('workspaceId')]"
            }
          }
        }
      }
    }
  },
  "parameters": {
    "workspaceId": {
      "type": "String",
      "metadata": {
        "displayName": "workspaceId",
        "description": "The ID of the Log Analytics workspace to send diagnostics data to."
      }
    }
  }
}

SwathiDhanwada-MSFT 18,766 Reputation points

2023-06-05T04:47:33.42+00:00

Richard Duane Wolford Jr Glad to see that you have resolved the issue. Just checking if you need any further assistance in authoring the policy as from the comments I could see, you were able to fix the errors you were prompted with. Thanks

Share via

Custom Azure Policy is getting an error

1 answer

Your answer