I am trying to deploy an Azure Policy Assignment with Bicep.
    resource policy_assignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
      name: 'my_policy'
      location: 'westus'
      scope: subscriptionResourceId('Microsoft.Resources/resourceGroups', resourceGroup().name)
      identity: {
        type: 'UserAssigned'
        userAssignedIdentities: {
          '/subscriptions/xxxxxxx-xxxxxx-xxxx-xxx/resourceGroups/my-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mymi': {}
        }
      }
      properties: {
        parameters: {
          MyParamKey: '/subscriptions/xxxxx-xxx-xxxx-xxx-xxx/resourcegroups/my-rg2/providers/microsoft.network/virtualnetworks/vnetmy/subnets/default'
        }
        policyDefinitionId: '/subscriptions/xxxxx-xxx-xxxx-xxx-xxx//providers/Microsoft.Authorization/policyDefinitions/my-policy-def'
      }
    }
When I check it with az bicep build --file .\policy_assignment.bicep, I get the error below:

    C:$Path.bicep(4,10) : Error BCP036: The property "scope" expected a value of type "resource | tenant" but the provided value is of type "string".
    C:$Path.bicep(13,32) : Warning BCP036: The property "MyParamKey" expected a value of type "ParameterValuesValue" but the provided value is of type "'/subscriptions/xxxxx-xxx/resourcegroups/my-rg2/providers/microsoft.network/virtualnetworks/vnetmy/subnets/default'".
I have two problems:
- Definition of the scope of the policy assignment.
- Definition of the parameter of the assignment
I couldn't find many examples on the internet. The documentation of the Policy Assignment for Bicep is here.
Do you have any idea how I can correct these errors?
CodePudding user response:
This resource type most probably expects parameter values to be wrapped in objects with a value, like:

    parameters: {
      MyParamKey: {
        value: '/subscriptions/xxxxx-xxx-xxxx-xxx-xxx/resourcegroups/my-rg2/providers/microsoft.network/virtualnetworks/vnetmy/subnets/default'
      }
    }
There are some other use cases like this one.
EDIT: As stated by @Thomas, the scope should be referred to as scope: resourceGroup(), since this is dynamically retrieved by your client with the right type Bicep is waiting for.
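
Both fixes from the answer above, combined into one resource-group-scoped assignment. This is an added example, not code from the original post; the parameter names identityResourceId, policyDefinitionId and subnetId and the output assignmentId are assumptions that replace the redacted resource IDs.

```bicep
// Added example: the assignment from the question with both BCP036 issues corrected.
// All param names and the output name below are assumptions, not from the original post.
targetScope = 'resourceGroup'

@description('Resource ID of the user-assigned managed identity (assumed parameter).')
param identityResourceId string

@description('Resource ID of the policy definition to assign (assumed parameter).')
param policyDefinitionId string

@description('Resource ID of the subnet passed to the policy parameter MyParamKey (assumed parameter).')
param subnetId string

resource policy_assignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: 'my_policy'
  // location is required when the assignment carries a managed identity.
  location: 'westus'
  // A scope function, not a resource ID string: this is the type "scope" expects.
  scope: resourceGroup()
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      // The identity's resource ID is the property key; the value is an empty object.
      '${identityResourceId}': {}
    }
  }
  properties: {
    policyDefinitionId: policyDefinitionId
    parameters: {
      // Each policy parameter is an object with a "value" property, not a bare string.
      MyParamKey: {
        value: subnetId
      }
    }
  }
}

// Lets a calling template or pipeline confirm which assignment was created.
output assignmentId string = policy_assignment.id
```

Passing the IDs as parameters keeps subscription-specific values out of the template, so the same file can be checked with az bicep build and reused across resource groups.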