I am trying to build a custom seccomp template for Azure Policy using Terraform and keep running into errors when adding multiple parameters, similar to how the built-in templates are built. If I build these in Azure manually, I have no problems.
My Terraform is below; the error I keep getting in this example is:
╷
│ Error: creating/updating Policy Definition "k8s_seccomp_governance": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidPolicyRuleEffectDetails" Message="The policy definition 'k8s_seccomp_governance' rule is invalid. The policy effect 'details' property could not be parsed."
│
│ with azurerm_policy_definition.k8s_seccomp_governance,
│ on policy_definitions.tf line 1, in resource "azurerm_policy_definition" "k8s_seccomp_governance":
│ 1: resource "azurerm_policy_definition" "k8s_seccomp_governance" {
│
╵
Code:
resource "azurerm_policy_definition" "k8s_seccomp_governance" {
  name         = "k8s_seccomp_governance"
  description  = "Kubernetes cluster containers should only use allowed seccomp profiles"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "AMPS K8s Seccomp Governance"

  metadata = <<METADATA
  {
    "category": "Kubernetes",
    "version": "1.0.0"
  }
METADATA

  # Rule body as a JSON heredoc; the effect and namespace exclusions are parameterised below.
  policy_rule = <<POLICY_RULE
  {
    "if": {
      "field": "type",
      "in": [
        "AKS Engine",
        "Microsoft.Kubernetes/connectedClusters",
        "Microsoft.ContainerService/managedClusters"
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/template.yaml",
        "constraint": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/constraint.yaml",
        "excludedNamespaces": "[parameters('excludedNamespaces')]"
      }
    }
  }
POLICY_RULE

  # Parameter declarations; every name here must be referenced in policy_rule.
  parameters = <<PARAMETERS
  {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
      },
      "allowedValues": ["audit", "deny", "disabled"],
      "defaultValue": "audit"
    },
    "excludedNamespaces": {
      "type": "Array",
      "metadata": {
        "displayName": "Namespace exclusions",
        "description": "List of Kubernetes namespaces to exclude from policy evaluation."
      },
      "defaultValue": ["kube-system", "gatekeeper-system", "azure-arc"]
    }
  }
PARAMETERS
}
To add: if I don't include description, I get this error instead:
╷
│ Error: creating/updating Policy Definition "k8s_seccomp_governance": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="UnusedPolicyParameters" Message="The policy 'k8s_seccomp_governance' has defined parameters 'excludedNamespaces' which are not used in the policy rule. Please either remove these parameters from the definition or ensure that they are used in the policy rule."
│
│ with azurerm_policy_definition.k8s_seccomp_governance,
│ on policy_definitions.tf line 1, in resource "azurerm_policy_definition" "k8s_seccomp_governance":
│ 1: resource "azurerm_policy_definition" "k8s_seccomp_governance" {
│
╵
CodePudding user response:
I was able to resolve this; the problem was that I was using mode = "All" and needed to change it to mode = "Microsoft.Kubernetes.Data" for these to work.
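As an added example, not part of the original question or answer: a small preflight lint that reproduces locally the two checks the Azure Policy service applied above, the mode/details mismatch behind InvalidPolicyRuleEffectDetails (a Gatekeeper-style "details" block is only valid with mode "Microsoft.Kubernetes.Data") and the declared-but-unreferenced parameter behind UnusedPolicyParameters, so both can be caught before `terraform apply`. The sample rule and parameters are the ones from the question, transcribed as Python dicts; the set of "Kubernetes-only details keys" and the requirement that a Kubernetes-mode rule name a constraintTemplate or templateInfo are this example's own assumptions, not Azure's published validation logic.

```python
"""Preflight lint for an Azure Policy definition (added example, not from the post)."""
from __future__ import annotations

import json
import re

KUBERNETES_MODE = "Microsoft.Kubernetes.Data"

# Keys that only make sense inside "then.details" for Gatekeeper-backed
# Kubernetes policies. Assumption: a practical subset, not Azure's full list.
KUBERNETES_DETAILS_KEYS = {
    "constraintTemplate", "constraint", "templateInfo", "excludedNamespaces",
    "namespaces", "labelSelector", "apiGroups", "kinds",
}

# Matches [parameters('name')] references anywhere in the serialised rule.
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")


def referenced_parameters(policy_rule: dict) -> set:
    """Collect every parameter name referenced inside the policy rule."""
    return set(PARAM_REF.findall(json.dumps(policy_rule)))


def lint_policy_definition(mode: str, policy_rule: dict, parameters: dict) -> list:
    """Return a list of findings; an empty list means the definition passes."""
    findings = []
    details = policy_rule.get("then", {}).get("details", {})
    if not isinstance(details, dict):
        findings.append("then.details must be a JSON object")
        details = {}

    # Check 1: Kubernetes constraint fields require the Kubernetes data-plane mode.
    if KUBERNETES_DETAILS_KEYS & set(details) and mode != KUBERNETES_MODE:
        findings.append(
            f"mode is {mode!r} but then.details carries Kubernetes constraint fields; "
            f"use mode = {KUBERNETES_MODE!r} (InvalidPolicyRuleEffectDetails)"
        )
    # Assumption: a Kubernetes-mode rule must point at a constraint template.
    if mode == KUBERNETES_MODE and not ({"constraintTemplate", "templateInfo"} & set(details)):
        findings.append("Kubernetes-mode rule names neither constraintTemplate nor templateInfo")

    # Check 2: declared parameters must all be used, and used ones must be declared.
    declared, used = set(parameters), referenced_parameters(policy_rule)
    for name in sorted(declared - used):
        findings.append(f"parameter {name!r} is declared but never referenced (UnusedPolicyParameters)")
    for name in sorted(used - declared):
        findings.append(f"parameter {name!r} is referenced in the rule but not declared")
    return findings


# Constructed sample input: the rule and parameters from the question above.
POLICY_RULE = {
    "if": {
        "field": "type",
        "in": ["AKS Engine", "Microsoft.Kubernetes/connectedClusters",
               "Microsoft.ContainerService/managedClusters"],
    },
    "then": {
        "effect": "[parameters('effect')]",
        "details": {
            "constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/template.yaml",
            "constraint": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/constraint.yaml",
            "excludedNamespaces": "[parameters('excludedNamespaces')]",
        },
    },
}
PARAMETERS = {
    "effect": {"type": "String", "allowedValues": ["audit", "deny", "disabled"], "defaultValue": "audit"},
    "excludedNamespaces": {"type": "Array", "defaultValue": ["kube-system", "gatekeeper-system", "azure-arc"]},
}


def without_namespace_reference(policy_rule: dict) -> dict:
    """Variant of the rule that drops the excludedNamespaces reference, as in the second error."""
    details = {k: v for k, v in policy_rule["then"]["details"].items() if k != "excludedNamespaces"}
    return {"if": policy_rule["if"], "then": {"effect": policy_rule["then"]["effect"], "details": details}}


if __name__ == "__main__":
    for mode in ("All", KUBERNETES_MODE):
        print(f"mode={mode}:", lint_policy_definition(mode, POLICY_RULE, PARAMETERS) or "OK")
    print("unreferenced parameter:",
          lint_policy_definition(KUBERNETES_MODE, without_namespace_reference(POLICY_RULE), PARAMETERS))
```

Run it on the JSON you are about to put in `policy_rule` and `parameters` (for example by loading the two heredoc bodies with `json.loads`) and only then apply; the service-side messages in the question are the same two conditions, just reported after a round trip to the API.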