We ran into an issue and needed to get a list of all allowed resources in a policy assignment.

In order to troubleshoot a problem, we needed to duplicate the list of selected resources. Trying to go through the list and check them one by one is ridiculous and we were not going to do that.

Get the list

  1. Get the identifier of the policy assignment (its full resource ID); I used the portal to do this.
  2. Using the Az PowerShell module (Az.Resources), run Get-AzPolicyAssignment with the Id from step 1.
    $x = Get-AzPolicyAssignment -id /subscriptions/XXXXXXXX-7826-41e6-85f7-0dc185449802/providers/Microsoft.Authorization/policyAssignments/XXXXXXXXceac4047ad07d889
    
  3. Dump the parameter values. The parameter name comes from the policy definition; for the built-in "Allowed resource types" definition it is listOfResourceTypesAllowed.
    $x.Properties.Parameters.listOfResourceTypesAllowed.value
    

Create a JSON file

  1. Convert the values to a string array. This is needed because each entry is a wrapped object rather than a plain string, so ConvertTo-Json would emit a bunch of extra properties for every entry instead of just the resource type name.
    $values = $x.Properties.Parameters.listOfResourceTypesAllowed.value | ForEach-Object { $_.ToString() }
    
  2. Convert the string array to the object graph Azure Policy expects for assignment parameters: each parameter name maps to an object with a single value property (singular, the same property that was read back in step 3 of the previous section).
    $o = @{ listOfResourceTypesAllowed = @{ value = $values } }
    
  3. Save the object as JSON. The file name is arbitrary; the same file is used in the next section.
    $o | ConvertTo-Json -Depth 5 | Set-Content roles.json -Encoding utf8
    

Apply the list to another assignment

  1. Get the identifier of the assignment you want to apply the selected resources to. I used the portal; it was easy.
  2. Set the parameters on the assignment. -PolicyParameter takes either a path to a parameter file or the JSON string itself. It replaces the assignment's whole parameter set, so the file must contain every parameter the policy definition declares (for the built-in Allowed resource types definition that is just this one). Read the assignment back with Get-AzPolicyAssignment afterwards to confirm the list was applied.
    Set-AzPolicyAssignment -Id "/subscriptions/XXXXXXXX-7826-41e6-85f7-0dc185449802/providers/Microsoft.Authorization/policyAssignments/XXXXXXXX6d514aaf9084320d" -PolicyParameter roles.json
    

Terraform problem

We had to do this due to an error we were getting while using Terraform to create an Application Insights object while a policy was assigned to the subscription. The error we were getting was

Error: Error update Application Insights Billing Feature "ai-xxx" (Resource Group "rg-xxx"): insights.ComponentCurrentBillingFeaturesClient#Update: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="RequestDisallowedByPolicy"

It turns out that the resource type behind that billing-feature update is not in the UI, as in, you cannot select it in the portal's resource type picker. To add it you have to do it manually through PowerShell, as above, and every time someone changes the selected resources in the UI the manually added entry is removed again. We are opening a case with Microsoft on this.
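The following script is an added example, not code from the original post. It performs the copy procedure from the sections above end to end (read the list from one assignment, append any resource types the portal picker does not offer, such as the one behind the Terraform error just described, build the parameter JSON and apply it) and then reads the target back to verify that nothing was dropped. It assumes the Az.Resources module is installed and that Connect-AzAccount has already been run. The script name Copy-AllowedResourceTypes.ps1, the parameters -ExtraResourceTypes and -ParameterName, and the placeholder resource type in the usage note are this example's own, not names from the post or from Azure.

```powershell
<#
Copy-AllowedResourceTypes.ps1 (added example, not the original post's code)

Copies the "allowed resource types" parameter from one Azure Policy
assignment to another, optionally appending types that cannot be picked in
the portal, and verifies the result. Assumes Az.Resources is installed and
Connect-AzAccount has been run. Parameter names are this script's own.
#>
param(
    [Parameter(Mandatory)] [string] $SourceAssignmentId,
    [Parameter(Mandatory)] [string] $TargetAssignmentId,
    # Resource types to add on top of the copied list (hypothetical switch).
    [string[]] $ExtraResourceTypes = @(),
    # Parameter name used by the built-in "Allowed resource types" definition.
    [string] $ParameterName = 'listOfResourceTypesAllowed'
)

$ErrorActionPreference = 'Stop'

# 1. Read the parameter from the source assignment. Each entry is a wrapped
#    object rather than a plain string, so force it to a string before it is
#    compared or serialised; otherwise ConvertTo-Json dumps extra properties.
$source = Get-AzPolicyAssignment -Id $SourceAssignmentId
$param  = $source.Properties.Parameters.$ParameterName
if ($null -eq $param) {
    throw "Assignment '$SourceAssignmentId' has no parameter named '$ParameterName'."
}
$allowed = @($param.value | ForEach-Object { $_.ToString() })

# 2. Append anything the portal picker does not offer. -contains compares
#    strings case-insensitively, so a type that is already present in a
#    different casing is not added twice.
foreach ($type in $ExtraResourceTypes) {
    if ($allowed -notcontains $type) { $allowed += $type }
}

# 3. Build the shape Azure Policy expects for assignment parameters:
#    { "<name>": { "value": [ ... ] } }. -Depth is explicit so the array is
#    never flattened to a string. -PolicyParameter replaces the assignment's
#    whole parameter set; this script assumes the definition declares only
#    this one parameter, which is true for the built-in definition.
$parameters = @{ $ParameterName = @{ value = $allowed } }
$json = $parameters | ConvertTo-Json -Depth 5

# 4. Apply. -PolicyParameter accepts the JSON string directly, so no
#    intermediate file is required.
Set-AzPolicyAssignment -Id $TargetAssignmentId -PolicyParameter $json | Out-Null

# 5. Verify by reading the target back and checking that every expected type
#    is present. Because a later edit in the portal can silently drop a
#    manually added entry, this check is worth re-running after any UI change.
$applied = @((Get-AzPolicyAssignment -Id $TargetAssignmentId).Properties.Parameters.$ParameterName.value |
             ForEach-Object { $_.ToString() })
$missing = @($allowed | Where-Object { $applied -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Target assignment is missing: $($missing -join ', ')"
}
Write-Output "Applied $($applied.Count) allowed resource types to $TargetAssignmentId"
```

Run it as `.\Copy-AllowedResourceTypes.ps1 -SourceAssignmentId '<source assignment resource ID>' -TargetAssignmentId '<target assignment resource ID>' -ExtraResourceTypes 'Microsoft.Example/typeNotInPicker'`, substituting the real assignment IDs and the resource type you need (the placeholder type here is made up for illustration). Keeping the resource types as a plain string array is the key step; it is what makes the parameter JSON come out as a clean list of type names rather than a dump of object properties.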

For reference, here is our Terraform file:

resource "azurerm_application_insights" "app_insights" {
  name                = "ai-xxx"
  location            = azurerm_resource_group.keyvault.location
  resource_group_name = azurerm_resource_group.keyvault.name
  application_type    = "other"
}

Conclusion

I do not know why there is a resource type missing from the list of resources; hopefully Microsoft gets it fixed, as this is annoying. The requirement for needing this resource type in Terraform was added in this pull request:

Fix issue #584 add option to set AI daily cap and hit daily cap… (#5480) · terraform-providers/terraform-provider-azurerm@0446b69
This PR should fix #584, so we can set now a daily cap for Applications Insight in GB. Beside setting a daily cap for Applications Insight it's also possible now to disable notifications if dai...

It feels like there may be a bug in here. If the value is not set in the Terraform file, then maybe it should not try to set it when creating the resource.