Getting a syntax error when I want to create a policy definition with Azure CLI on Windows

Alexandru Popescu 0 Reputation points
2024-04-17T15:55:35.1066667+00:00

I'm quite new to Azure Cloud.

I'm getting a syntax error when I want to create a policy definition with Azure CLI on Windows:

az policy definition create --name 'denyCoolTiering' --description 'Deny cool access tiering for storage' --rules '{
    "if": {
        "allOf": [{
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
            },
            {
                "field": "kind",
                "equals": "BlobStorage"
            },
            {
                "field": "Microsoft.Storage/storageAccounts/accessTier",
                "equals": "cool"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}'

Failed to parse string as JSON:
{
Error detail: Expecting property name enclosed in double quotes: line 1 column 2 (char 1)
The provided JSON string may have been parsed by the shell. See https://docs.microsoft.com/cli/azure/use-cli-effectively#use-quotation-marks-in-arguments
PowerShell requires additional quoting rules. See https://github.com/Azure/azure-cli/blob/dev/doc/quoting-issues-with-powershell.md

Running the same command in Cloud Shell worked perfectly:

az policy definition create --name 'denyCoolTiering1' --description 'Deny cool access tiering for storage1' --rules '{
    "if": {
        "allOf": [{
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
            },
            {
                "field": "kind",
                "equals": "BlobStorage"
            },
            {
                "field": "Microsoft.Storage/storageAccounts/accessTier",
                "equals": "cool"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}'

{
  "description": "Deny cool access tiering for storage1",
  "displayName": null,
  "id": "/subscriptions/9b8cb95c-8abf-4c8e-a32f-ff89105eb571/providers/Microsoft.Authorization/policyDefinitions/denyCoolTiering1",
  "metadata": {
    "createdBy": "6fe10299-d0ae-44d5-8be6-ec65193cbac8",
    "createdOn": "2024-04-17T15:39:18.802222Z",
    "updatedBy": null,
    "updatedOn": null
  },
  "mode": "Indexed",
  "name": "denyCoolTiering1",
  "parameters": null,
  "policyRule": {
    "if": {
      "allOf": [
        {
          "equals": "Microsoft.Storage/storageAccounts",
          "field": "type"
        },
        {
          "equals": "BlobStorage",
          "field": "kind"
        },
        {
          "equals": "cool",
          "field": "Microsoft.Storage/storageAccounts/accessTier"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "policyType": "Custom",
  "systemData": {
    "createdAt": "2024-04-17T15:39:18.782662+00:00",
    "createdBy": "alexpopescu070@gmail.com",
    "createdByType": "User",
    "lastModifiedAt": "2024-04-17T15:39:18.782662+00:00",
    "lastModifiedBy": "alexpopescu070@gmail.com",
    "lastModifiedByType": "User"
  },
  "type": "Microsoft.Authorization/policyDefinitions"
}

What can be the problem?

2 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  2. AnuragSingh-MSFT 19,936 Reputation points
    2024-04-25T08:25:30.9466667+00:00

    @Alexandru Popescu, thank you for posting this question on Microsoft Q&A.

    The error being received is due to the environment where the cmd is being run:

    1. If you run this directly in Azure Shell (bash) it would work as expected because there are no escaping related issues for double quotes (").
    2. For the same az cli cmd to work in the Windows cmd prompt, you would have to pass the entire definition in a single line (instead of breaking it into multiple lines) as below:

         az policy definition create --name "custom readOnlyStorage" --rules "{ \"if\": { \"field\": \"type\", \"equals\": \"Microsoft.Storage/storageAccounts/write\" }, \"then\": { \"effect\": \"deny\" } }"

    3. However, if you are running from PowerShell, the syntax differs a bit:

         az --% policy definition create --name "custom readOnlyStorage" --rules "{ \"if\": { \"field\": \"type\", \"equals\": \"Microsoft.Storage/storageAccounts/write\" }, \"then\": { \"effect\": \"deny\" } }"

    Note the presence of "--%" in the cmd after az. This is needed because az is not a PowerShell-native cmd but a batch file (.cmd). When it is called from PowerShell, the cmd prompt is invoked to execute the az cli cmd. For more details, see Quoting issues with PowerShell.

    You may also consider using the New-AzPolicyDefinition from PowerShell to be able to split the Policy definition in multiple lines as below:

    New-AzPolicyDefinition -Name 'custom deny storage 2' -DisplayName 'custom deny storage 2' -Policy '{
           "if": {
               "allOf": [
                   {
                       "field": "type",
                       "equals": "Microsoft.Storage/storageAccounts"
                   },
                   {
                       "field": "kind",
                       "equals": "BlobStorage"
                   },
                   {
                       "field": "Microsoft.Storage/storageAccounts/accessTier",
                       "equals": "cool"
                   }
               ]
           },
           "then": {
               "effect": "deny"
           }
       }'
    

    Hope this helps.

    If the answer did not help, please add more context/follow-up question for it. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.

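A third way to sidestep the quoting problem entirely, added here as an example and not part of the question or the answer above: keep the policy rule as data, validate its shape, write it to a file, and let az read the file (`--rules` accepts a path to a JSON file as well as inline JSON), so the JSON never passes through cmd.exe or PowerShell parsing. The helper also reproduces the cmd.exe single-line escaping the answer shows, so you can check that the escaped string still parses back to the same rule. The policy name and description are the ones from the question; the list of effect names is the documented set of Azure Policy effects, and the `az` invocation is only run when the CLI is actually installed.

```python
"""Build an Azure Policy rule as data and hand it to az without shell quoting.

Example code written for this Q&A page, not taken from the post or from Azure CLI.
"""
import json
import shutil
import subprocess
import tempfile
from pathlib import Path

# Documented Azure Policy effects; anything else in then.effect is a typo or a guess.
EFFECTS = {"deny", "audit", "append", "auditIfNotExists",
           "deployIfNotExists", "disabled", "modify"}

# The rule from the question, expressed as a Python dict instead of a quoted string.
DENY_COOL_TIERING = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "kind", "equals": "BlobStorage"},
            {"field": "Microsoft.Storage/storageAccounts/accessTier", "equals": "cool"},
        ]
    },
    "then": {"effect": "deny"},
}


def validate_rule(rule):
    """Return a list of structural problems; an empty list means the rule looks sane."""
    problems = []
    cond = rule.get("if")
    if not isinstance(cond, dict):
        problems.append("missing 'if' block")
    else:
        # Every condition inside allOf/anyOf must name what it tests.
        for key in ("allOf", "anyOf"):
            for i, c in enumerate(cond.get(key, [])):
                if "field" not in c and "value" not in c:
                    problems.append(f"{key}[{i}] has neither 'field' nor 'value'")
    effect = rule.get("then", {}).get("effect")
    if effect not in EFFECTS:
        problems.append(f"unknown effect {effect!r}")
    return problems


def to_single_line(rule):
    """Compact JSON on one line, which is what cmd.exe needs if you do quote inline."""
    return json.dumps(rule, separators=(",", ":"))


def quote_for_cmd(single_line_json):
    """Escape inner quotes as \\" and wrap in double quotes, as the accepted answer does."""
    return '"' + single_line_json.replace('"', '\\"') + '"'


def parse_cmd_quoted(arg):
    """Undo quote_for_cmd and parse, to check the escaped form is still the same rule."""
    return json.loads(arg[1:-1].replace('\\"', '"'))


def write_rule_file(rule, directory=None):
    """Write the rule to rules.json (in a fresh temp dir unless one is given) and return its path."""
    directory = Path(directory) if directory else Path(tempfile.mkdtemp())
    path = directory / "rules.json"
    path.write_text(json.dumps(rule, indent=2), encoding="utf-8")
    return path


def build_az_command(name, description, rules_path):
    """Argument list for az; passing a list to subprocess means no shell parses the JSON."""
    return ["az", "policy", "definition", "create",
            "--name", name, "--description", description,
            "--rules", str(rules_path)]


def create_definition(name, description, rule):
    """Validate, write the file, and run az only if it is installed; returns the command used."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    cmd = build_az_command(name, description, write_rule_file(rule))
    if shutil.which("az"):
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    print(create_definition("denyCoolTiering", "Deny cool access tiering for storage",
                            DENY_COOL_TIERING))
```

Because the rule reaches az as a file path, the same script works unchanged in bash, cmd.exe and PowerShell, and the validation step catches an effect typo before the definition is created rather than after it silently fails to deny anything.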