Describe the bug
The error occurs when a policy is created that includes a parameter in the rules. If there is no policy, then the command works as expected. It looks like there is a quoting issue.
```
C:\Users\****>az policy definition create --name test --description "A test policy" --mode Indexed --rules "\"if\": { \"not\": { \"field\": \"type\", \"in\": \"[parameters('allowedTypes')]\" } }, \"then\": { \"effect\": \"deny\"}" --parameters "\"allowedTypes\": { \"type\": \"array\", \"metadata\": { \"description\": \"The list of resource types that can be deployed\", \"strongType\": \"resourceTypes\", \"displayName\": \"Allowed types\" }, \"defaultValue\": [ \"Microsoft.Web/sites\"] }"
]\" } }, \"then\": { \"effect\": \"deny\"}" was unexpected at this time.
C:\Users\****> "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\\..\python.exe" -IBm azure.cli policy definition create --name test --description "A test policy" --mode Indexed --rules "\"if\": { \"not\": { \"field\": \"type\", \"in\": \"[parameters('allowedTypes')]\" } }, \"then\": { \"effect\": \"deny\"}" --parameters "\"allowedTypes\": { \"type\": \"array\", \"metadata\": { \"description\": \"The list of resource types that can be deployed\", \"strongType\": \"resourceTypes\", \"displayName\": \"Allowed types\" }, \"defaultValue\": [ \"Microsoft.Web/sites\"] }"
```
The policy can be defined if JSON files are used instead.
To Reproduce
Run:
```
az policy definition create --name test --description "A test policy" --mode Indexed --rules "\"if\": { \"not\": { \"field\": \"type\", \"in\": \"[parameters('allowedTypes')]\" } }, \"then\": { \"effect\": \"deny\"}" --parameters "\"allowedTypes\": { \"type\": \"array\", \"metadata\": { \"description\": \"The list of resource types that can be deployed\", \"strongType\": \"resourceTypes\", \"displayName\": \"Allowed types\" }, \"defaultValue\": [ \"Microsoft.Web/sites\"] }"
```
Expected behavior
If the policy rules are implemented correctly, then the policy definition should work as expected.
Environment summary
Installed using the Windows MSI installer and then upgraded using the CLI upgrade option.
```
C:\Users****>az --version
azure-cli 2.34.1
core 2.34.1
telemetry 1.0.6
Extensions:
account 0.2.2
azure-devops 0.23.0
db-up 0.2.6
Dependencies:
msal 1.16.0
azure-mgmt-resource 20.0.0
Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users*****.azure\cliextensions'
Python (Windows) 3.8.9 (tags/v3.8.9:a743f81, Apr 6 2021, 13:22:56) [MSC v.1928 32 bit (Intel)]
```
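The report notes that the policy can be defined when JSON files are used instead. The following is an added example, not part of the original report or of the Azure CLI code base: it writes the rule and parameter definitions to files, checks that every `parameters('...')` reference in the rule is declared, and returns an argument list that contains no JSON for `cmd.exe` to parse. The function names, the `rules.json` and `params.json` file names, and the outer braces around the rule and parameter text are assumptions; `--params` is the parameter-definitions option of `az policy definition create`.

```python
import json
import re
from pathlib import Path

# Constructed from the rule and parameter text in the report, wrapped in the
# outer braces a standalone JSON document needs.
POLICY_RULE = {
    "if": {"not": {"field": "type", "in": "[parameters('allowedTypes')]"}},
    "then": {"effect": "deny"},
}
POLICY_PARAMS = {"allowedTypes": {
    "type": "array",
    "metadata": {"description": "The list of resource types that can be deployed",
                 "strongType": "resourceTypes", "displayName": "Allowed types"},
    "defaultValue": ["Microsoft.Web/sites"],
}}
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")


def referenced_parameters(node):
    """Collect every name used as parameters('name') anywhere in the rule."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return set().union(*map(referenced_parameters, node))
    return set(PARAM_REF.findall(node)) if isinstance(node, str) else set()


def build_command(rule, params, out_dir, name="test"):
    """Validate the policy, write it to JSON files, return the az argv."""
    if not {"if", "then"} <= set(rule):
        raise ValueError("policy rule needs both 'if' and 'then'")
    missing = referenced_parameters(rule) - set(params)
    if missing:
        raise ValueError(f"rule uses undeclared parameters: {sorted(missing)}")
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    rules_path, params_path = out / "rules.json", out / "params.json"
    rules_path.write_text(json.dumps(rule, indent=2), encoding="utf-8")
    params_path.write_text(json.dumps(params, indent=2), encoding="utf-8")
    # Only file paths reach the command line, so the brackets, braces and
    # escaped quotes of the policy never pass through shell quoting.
    return ["az", "policy", "definition", "create", "--name", name,
            "--description", "A test policy", "--mode", "Indexed",
            "--rules", str(rules_path), "--params", str(params_path)]
```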