So... I'm having some difficulty converting one of the builtins into a custom. (Why am I doing that? Internal matter, whether I agree or not is irrelevant, so please don't dis me on that decision. :-) )
Existing BuiltIn Policy:
The problem is coming in lines 40/43 of the json file.
main.tf file consists of:
# policy
locals {
  json_keyvault_certmaxvalidityperiod = jsondecode(file("${path.module}/resourceprovider/KeyVault/Certificates should have the specified maximum validity period.json"))
}

resource "azurerm_policy_definition" "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" {
  name         = "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" # must match output.tf and add ID to main
  policy_type  = "Custom"                                                # must always be Custom
  mode         = "All"
  display_name = "CertificatesShouldHaveSpecifiedMaximumValidityPeriod" # add Custom to display name
  description  = "Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault."

  # metadata and policyRule are lifted unchanged from the exported built-in definition
  metadata    = jsonencode(local.json_keyvault_certmaxvalidityperiod.properties.metadata)
  policy_rule = jsonencode(local.json_keyvault_certmaxvalidityperiod.properties.policyRule)

  parameters = <<PARAMETERS
{
  "effect": {
    "type": "string",
    "metadata": {
      "description": "Enable or disable the execution of the policy",
      "displayName": "Effect"
    }
  },
  "maximumValidityInMonths": {
    "type": "integer",
    "metadata": {
      "description": "The limit to how long a certificate may be valid for. Certificates with lengthy validity periods aren\u0027t best practice.",
      "displayName": "The maximum validity in months"
    }
  }
}
PARAMETERS
}
Using the json content as-is, performing terraform apply returns:
│ Error: creating/updating Policy Definition "CertificatesShouldHaveSpecifiedMaximumValidityPeriod": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidProviderNameInPolicyAlias" Message="The policy definition 'CertificatesShouldHaveSpecifiedMaximumValidityPeriod' rule is invalid. The provider 'Microsoft.KeyVault.Data' referenced by the 'field' property 'Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths' of the policy rule doesn't exist."
So, I looked at the definitions of the Microsoft.KeyVault.Data provider, and from the following it looks like it shouldn't be "certificates"; instead, it should be "secrets":
BUT... if I update lines 40/43 to reflect Microsoft.KeyVault.Data/vaults/secrets, the terraform apply returns:
│ Error: creating/updating Policy Definition "CertificatesShouldHaveSpecifiedMaximumValidityPeriod": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidProviderNameInPolicyAlias" Message="The policy definition 'CertificatesShouldHaveSpecifiedMaximumValidityPeriod' rule is invalid. The provider 'Microsoft.KeyVault.Data' referenced by the 'field' property 'Microsoft.KeyVault.Data/vaults/secrets/properties.validityInMonths' of the policy rule doesn't exist."
Has anyone dealt with anything like this previously? Suggestions as to how to define the policy rule so as to fit the data provider?
CodePudding user response:
It's not possible to create Key Vault policies with a custom policy type, as "Microsoft.Keyvault.Data" is supported only for built-in policy types, as stated in the Microsoft document given in the reference.
If you look in the Azure Policy extension in Visual Studio Code, you can find all the properties of the resource providers present in Azure, but for Key Vault they are not present; they are empty.
Reference:
Details of the policy definition structure - Azure Policy | Microsoft Docs
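Since the answer says the Microsoft.KeyVault.Data alias is only honoured inside built-in definitions, the following is an added Terraform example (not from either poster) that references the built-in by the display name from the question's JSON file and assigns it with the same two parameters, instead of re-creating it as a custom definition. It assumes azurerm provider 3.x, subscription scope, and constructed values for the assignment name and parameters.

```hcl
# Added example: assign the built-in definition rather than copying it as Custom.
# Assumes azurerm provider 3.x and permission to create policy assignments.
data "azurerm_subscription" "current" {}

# Look up the built-in by the display name used in the question's exported JSON.
data "azurerm_policy_definition" "cert_max_validity" {
  display_name = "Certificates should have the specified maximum validity period"
}

resource "azurerm_subscription_policy_assignment" "cert_max_validity" {
  name                 = "kv-cert-max-validity" # constructed assignment name
  display_name         = "Key Vault certificates: maximum validity period"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = data.azurerm_policy_definition.cert_max_validity.id

  # Same two parameters the question's PARAMETERS heredoc declares; values are
  # constructed. "audit" only reports non-compliant certificates; change to
  # "deny" once the compliance results have been reviewed.
  parameters = jsonencode({
    effect                  = { value = "audit" }
    maximumValidityInMonths = { value = 12 }
  })
}

output "cert_max_validity_definition_id" {
  value = data.azurerm_policy_definition.cert_max_validity.id
}
```

After `terraform apply`, compliance results for the assignment appear under Policy > Compliance in the portal, with no Microsoft.KeyVault.Data alias needed in your own code.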