Closed
Labels: Policy (Azure Resource Policy), Service Attention (This issue is the responsibility of the Azure service team.), feature-request (This issue requires a new behavior in the product in order to be resolved.)
Description of the new feature
Within the Azure Portal, you can now export policy definitions into your GitHub repository. The export structure is based on a raw API dump (Example here):
Policy Definition

```json
{
  "properties": {
    "displayName": "Append-Route-NextHopVirtualAppliance",
    "policyType": "Custom",
    "mode": "All",
    "metadata": {
      "category": "Network"
    },
    "parameters": {
      "routeTableSettings": {
        "type": "Object",
        "metadata": {
          "displayName": "Route Table Settings",
          "description": "Location-specific settings for route tables."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/routeTables"
          },
          {
            "count": {
              "field": "Microsoft.Network/routeTables/routes[*]",
              "where": {
                "allOf": [
                  {
                    "field": "Microsoft.Network/routeTables/routes[*].addressPrefix",
                    "equals": "0.0.0.0/0"
                  },
                  {
                    "field": "Microsoft.Network/routeTables/routes[*].nextHopType",
                    "equals": "VirtualAppliance"
                  },
                  {
                    "field": "Microsoft.Network/routeTables/routes[*].nextHopIpAddress",
                    "equals": "[parameters('routeTableSettings')[field('location')].virtualApplianceIpAddress]"
                  }
                ]
              }
            },
            "equals": 0
          }
        ]
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "Microsoft.Network/routeTables/routes[*]",
            "value": {
              "name": "internet",
              "properties": {
                "addressPrefix": "0.0.0.0/0",
                "nextHopType": "VirtualAppliance",
                "nextHopIpAddress": "[parameters('routeTableSettings')[field('location')].virtualApplianceIpAddress]"
              }
            }
          }
        ]
      }
    }
  },
  "id": "/subscriptions/#{AZURE_SUBSCRIPTION_ID}#/providers/Microsoft.Authorization/policyDefinitions/e40e326a-2592-4a41-a3f6-d9621b2eac0d",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e40e326a-2592-4a41-a3f6-d9621b2eac0d"
}
```
Policy Assignment

```json
{
  "sku": {
    "name": "A0",
    "tier": "Free"
  },
  "properties": {
    "displayName": "Append-Route-NextHopVirtualAppliance",
    "policyDefinitionId": "/subscriptions/#{AZURE_SUBSCRIPTION_ID}#/providers/Microsoft.Authorization/policyDefinitions/e40e326a-2592-4a41-a3f6-d9621b2eac0d",
    "scope": "/subscriptions/#{AZURE_SUBSCRIPTION_ID}#",
    "notScopes": [],
    "parameters": {
      "routeTableSettings": {
        "value": {
          "northeurope": {
            "virtualApplianceIpAddress": "10.0.0.23"
          },
          "westeurope": {
            "virtualApplianceIpAddress": "10.1.0.23"
          },
          "disabled": {
            "virtualApplianceIpAddress": ""
          }
        }
      }
    },
    "enforcementMode": "Default"
  },
  "id": "/subscriptions/#{AZURE_SUBSCRIPTION_ID}#/providers/Microsoft.Authorization/policyAssignments/183522334d244074a746bac6",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "183522334d244074a746bac6"
}
```
Creating the policy definition via New-AzPolicyDefinition results in an error, since Azure PowerShell currently cannot handle the raw API dump.
As a workaround, customers can use either armclient or Invoke-AzRestMethod.
Proposed implementation details (optional)
Add a parameter to every Azure Policy cmdlet so that raw API dumps are also supported. Even better would be to detect the format automatically (i.e. whether or not the JSON has a top-level properties object).
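As a worked example of both the workaround and the format detection the proposal asks for, added here and not part of the issue or of the Az module: the script below reads the two exports shown above, checks for the top-level `properties` wrapper that marks a raw API dump, and then either unwraps the pieces for `New-AzPolicyDefinition` / `New-AzPolicyAssignment` or submits the dump unchanged with `Invoke-AzRestMethod`. The file paths, the function names `Read-PolicyExport` and `Test-RawApiDump`, the `api-version` value and a signed-in `Get-AzContext` are all assumptions. One check worth keeping: the export leaves `#{AZURE_SUBSCRIPTION_ID}#` tokens in every `id` and `scope`, so substitute them before anything is sent, otherwise the PUT lands on a malformed path or the cmdlet rejects the scope.

```powershell
# Added example (not the issue author's code and not part of Az): create the
# exported definition and assignment. Paths, helper names and api-version are assumed.

$subscriptionId = (Get-AzContext).Subscription.Id
$definitionFile = './Append-Route-NextHopVirtualAppliance.definition.json'   # assumed path
$assignmentFile = './Append-Route-NextHopVirtualAppliance.assignment.json'   # assumed path

function Read-PolicyExport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$SubscriptionId
    )
    # The portal export keeps '#{AZURE_SUBSCRIPTION_ID}#' tokens in id/scope/policyDefinitionId;
    # replace them literally (no regex) before the JSON reaches a cmdlet or the REST API.
    $text = (Get-Content -Path $Path -Raw).Replace('#{AZURE_SUBSCRIPTION_ID}#', $SubscriptionId)
    return [pscustomobject]@{ Text = $text; Object = ($text | ConvertFrom-Json) }
}

function Test-RawApiDump {
    param([Parameter(Mandatory)]$Json)
    # A raw API dump nests everything under a top-level 'properties' object next to
    # id/type/name; the cmdlets instead expect policyRule, parameters and metadata separately.
    return $null -ne $Json.PSObject.Properties['properties']
}

# --- Option A: unwrap the dump and use the regular cmdlets -------------------------
$def   = Read-PolicyExport -Path $definitionFile -SubscriptionId $subscriptionId
$props = if (Test-RawApiDump $def.Object) { $def.Object.properties } else { $def.Object }
$name  = if ($def.Object.name) { $def.Object.name }
         else { [System.IO.Path]::GetFileNameWithoutExtension($definitionFile) }

$definition = New-AzPolicyDefinition -Name $name `
    -DisplayName $props.displayName `
    -Mode        $props.mode `
    -Metadata    ($props.metadata   | ConvertTo-Json -Depth 50) `
    -Parameter   ($props.parameters | ConvertTo-Json -Depth 50) `
    -Policy      ($props.policyRule | ConvertTo-Json -Depth 50)

$asg    = Read-PolicyExport -Path $assignmentFile -SubscriptionId $subscriptionId
$aprops = if (Test-RawApiDump $asg.Object) { $asg.Object.properties } else { $asg.Object }

New-AzPolicyAssignment -Name $asg.Object.name `
    -DisplayName      $aprops.displayName `
    -Scope            $aprops.scope `
    -PolicyDefinition $definition `
    -PolicyParameter  ($aprops.parameters | ConvertTo-Json -Depth 50) `
    -EnforcementMode  $aprops.enforcementMode

# --- Option B: PUT the (token-substituted) dump as-is through the REST API ---------
$apiVersion = '2021-06-01'   # assumed; confirm against the Microsoft.Authorization REST reference
foreach ($export in @($def, $asg)) {
    # The 'id' in the dump is exactly the resource path the PUT goes to.
    $resp = Invoke-AzRestMethod -Method PUT `
        -Path "$($export.Object.id)?api-version=$apiVersion" `
        -Payload $export.Text
    if ($resp.StatusCode -notin 200, 201) {
        throw "PUT $($export.Object.id) failed: $($resp.StatusCode) $($resp.Content)"
    }
}
```

Option B is idempotent and overwrites whatever is already stored under that `id`, so run it only from the repository copy you consider authoritative; Option A is the one that gives the cmdlet a chance to validate `policyRule` and `parameters` separately.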