Azure Policy with Terraform Error: The policy effect 'details' property could not be parsed.

Branden Connell 126 Reputation points
2021-09-24T14:06:24.89+00:00

I am trying to add our own custom policies in Terraform, but keep running into this error when trying to add more than one variable.

╷
│ Error: creating/updating Policy Definition "k8s_seccomp_governance": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidPolicyRuleEffectDetails" Message="The policy definition 'k8s_seccomp_governance' rule is invalid. The policy effect 'details' property could not be parsed."
│ 
│   with azurerm_policy_definition.k8s_seccomp_governance,
│   on policy_definitions.tf line 1, in resource "azurerm_policy_definition" "k8s_seccomp_governance":
│    1: resource "azurerm_policy_definition" "k8s_seccomp_governance" {
│ 
╵

If I load the JSON into the Azure CLI in the same format, I get no errors and everything works fine.

Code:

resource "azurerm_policy_definition" "k8s_seccomp_governance" {
  name         = "k8s_seccomp_governance"
  description  = "Kubernetes cluster containers should only use allowed seccomp profiles"
  policy_type  = "Custom"
  mode         = "All" # Resource Manager mode; this is the line the accepted answer changes
  display_name = "AMPS K8s Seccomp Governance"

  metadata = <<METADATA
  {
    "category": "Kubernetes",
    "version": "1.0.0"
  }
METADATA

  policy_rule = <<POLICY_RULE
  {
    "if": {
      "field": "type",
      "in": ["AKS Engine", "Microsoft.Kubernetes/connectedClusters", "Microsoft.ContainerService/managedClusters"]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/template.yaml",
        "constraint": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/constraint.yaml",
        "excludedNamespaces": "[parameters('excludedNamespaces')]"
      }
    }
  }
POLICY_RULE

  parameters = <<PARAMETERS
  {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
      },
      "allowedValues": ["audit", "deny", "disabled"],
      "defaultValue": "audit"
    },
    "excludedNamespaces": {
      "type": "Array",
      "metadata": {
        "displayName": "Namespace exclusions",
        "description": "List of Kubernetes namespaces to exclude from policy evaluation."
      },
      "defaultValue": ["kube-system", "gatekeeper-system", "azure-arc"]
    }
  }
PARAMETERS
}

Accepted answer
  1. Branden Connell 126 Reputation points
    2021-09-24T15:36:00.783+00:00

    Never mind, I was able to fix this by updating mode = "All" to mode = "Microsoft.Kubernetes.Data"

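The fix from the accepted answer written out as a complete resource, as an added example that is not code from the original post. The only functional change from the question's resource is mode = "Microsoft.Kubernetes.Data". That is a Resource Provider mode: the rule is evaluated on the Kubernetes data plane by the Gatekeeper-based Azure Policy add-on, which is why then.details may carry constraintTemplate, constraint and excludedNamespaces and why the effect has to be one of audit, deny or disabled. Under mode = "All" the service expects the Resource Manager details schema (the auditIfNotExists/deployIfNotExists style), so a details block with constraintTemplate cannot be parsed and the request fails with InvalidPolicyRuleEffectDetails exactly as in the question. The name, display name, template URLs and parameters are taken from the question; the switch from heredocs to jsonencode is my choice so that HCL validates the structure before it is sent to Azure.

```hcl
# Added example: the question's definition with the accepted answer's fix applied.
# Assumes an azurerm provider block is already configured and the caller can write
# Microsoft.Authorization/policyDefinitions at the target scope.
resource "azurerm_policy_definition" "k8s_seccomp_governance" {
  name         = "k8s_seccomp_governance"
  display_name = "AMPS K8s Seccomp Governance"
  description  = "Kubernetes cluster containers should only use allowed seccomp profiles"
  policy_type  = "Custom"

  # Resource Provider mode for the Kubernetes data plane. Required when "details"
  # references a Gatekeeper constraintTemplate/constraint; "All" and "Indexed" are
  # Resource Manager modes and reject this details shape.
  mode = "Microsoft.Kubernetes.Data"

  metadata = jsonencode({
    category = "Kubernetes"
    version  = "1.0.0"
  })

  # jsonencode keeps the rule structurally valid JSON; the ARM template expressions
  # stay as plain strings and are evaluated by Azure Policy, not by Terraform.
  policy_rule = jsonencode({
    if = {
      field = "type"
      in = [
        "AKS Engine",
        "Microsoft.Kubernetes/connectedClusters",
        "Microsoft.ContainerService/managedClusters",
      ]
    }
    then = {
      effect = "[parameters('effect')]"
      details = {
        constraintTemplate = "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/template.yaml"
        constraint         = "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/constraint.yaml"
        excludedNamespaces = "[parameters('excludedNamespaces')]"
      }
    }
  })

  parameters = jsonencode({
    effect = {
      type = "String"
      metadata = {
        displayName = "Effect"
        description = "'audit' flags non-compliant pods, 'deny' rejects them at admission, 'disabled' turns the policy off."
      }
      # Kubernetes-mode definitions only accept these three effects.
      allowedValues = ["audit", "deny", "disabled"]
      defaultValue  = "audit"
    }
    excludedNamespaces = {
      type = "Array"
      metadata = {
        displayName = "Namespace exclusions"
        description = "List of Kubernetes namespaces to exclude from policy evaluation."
      }
      defaultValue = ["kube-system", "gatekeeper-system", "azure-arc"]
    }
  })
}
```

After terraform apply, `az policy definition show --name k8s_seccomp_governance --query mode -o tsv` should print Microsoft.Kubernetes.Data; if it prints All or Indexed, the definition was created with a Resource Manager mode and the Kubernetes add-on will never evaluate it, regardless of what the rule says. Note that the definition is accepted by Azure even if no cluster in scope runs the Azure Policy add-on or Arc extension; enforcement only happens on clusters that do.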

1 additional answer

  1. bharathn-msft 5,086 Reputation points Microsoft Employee
    2021-09-30T02:16:31.46+00:00

    Thanks again @Branden Connell for your queries and helping the community members.

    <<Sharing this information from comments to here for broader community usage>>

    Details on the different types of "Mode" element within the policy definition have been documented here. Please review it.

    Let us know if you have any further queries. Thank you
