Duplicating selected resources from an Azure Policy Assignment
In order to troubleshoot a problem, we needed to get the list of all allowed resource types in a policy assignment and duplicate it onto another assignment. Going through the list in the portal and checking the entries one by one is ridiculous and we were not going to do that.
Get the list
- Get the identifier of the policy assignment. I used the portal to do this.
- Using the Azure PowerShell (Az) module, run the command to get the policy assignment using the Id from step 1.
    $x = Get-AzPolicyAssignment -Id "/subscriptions/XXXXXXXX-7826-41e6-85f7-0dc185449802/providers/Microsoft.Authorization/policyAssignments/XXXXXXXXceac4047ad07d889"
- Dump out the parameter values
    $x.Properties.Parameters.listOfResourceTypesAllowed.value
Create a JSON file
- Convert the values to a string array. This is needed because each value is a PSObject wrapping the string rather than a string itself, so converting it straight to JSON would include a bunch of extra properties.
    $values = $x.Properties.Parameters.listOfResourceTypesAllowed.value | ForEach-Object { $_.ToString() }
- Convert the string array to the correct object graph
    $o = @{ listOfResourceTypesAllowed = @{ values = $values } }
- Save the object as JSON
    $o | ConvertTo-Json | Set-Content -Path roles.json -Encoding utf8
Apply roles to an assignment
- Get the identifier of the assignment you want to apply the selected resources to. I used the portal; it was easy.
- Set the parameters on the assignment
    Set-AzPolicyAssignment -Id "/subscriptions/XXXXXXXX-7826-41e6-85f7-0dc185449802/providers/Microsoft.Authorization/policyAssignments/XXXXXXXX6d514aaf9084320d" -PolicyParameter roles.json
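The steps above as one script, added here as an example and not taken from the original post. It copies an array-valued parameter (by default listOfResourceTypesAllowed) from a source assignment to a target assignment, prints the difference between the two lists before writing anything, and re-reads the target afterwards to confirm the copy took. It uses the -PolicyParameterObject hashtable form of Set-AzPolicyAssignment instead of the post's roles.json file, so no parameter file is written. The assignment ids, the function names and the script parameters are placeholders of my own; the cmdlets are the standard Az.Resources ones.

```powershell
# Added example (not from the original post). Assignment ids are placeholders.
param(
    [string]$SourceAssignmentId = '/subscriptions/<SUBSCRIPTION-ID>/providers/Microsoft.Authorization/policyAssignments/<SOURCE-ASSIGNMENT>',
    [string]$TargetAssignmentId = '/subscriptions/<SUBSCRIPTION-ID>/providers/Microsoft.Authorization/policyAssignments/<TARGET-ASSIGNMENT>',
    [string]$ParameterName      = 'listOfResourceTypesAllowed'
)

# Read one array-valued parameter from an assignment as a plain string array.
# Each element returned by Get-AzPolicyAssignment is a PSObject wrapping the
# string, so it is forced to a string before anything is serialised.
function Get-AssignmentParameterValues {
    param([string]$AssignmentId, [string]$Name)
    $assignment = Get-AzPolicyAssignment -Id $AssignmentId
    $param = $assignment.Properties.Parameters.$Name
    if ($null -eq $param) { return @() }
    return @($param.value | ForEach-Object { $_.ToString() })
}

# Return the entries that differ between two lists, labelled by side.
function Get-ParameterDrift {
    param([string[]]$Source, [string[]]$Target)
    Compare-Object -ReferenceObject $Source -DifferenceObject $Target |
        ForEach-Object {
            [pscustomobject]@{
                Entry = $_.InputObject
                State = if ($_.SideIndicator -eq '<=') { 'missing from target' } else { 'only on target' }
            }
        }
}

$sourceValues = Get-AssignmentParameterValues -AssignmentId $SourceAssignmentId -Name $ParameterName
$targetValues = Get-AssignmentParameterValues -AssignmentId $TargetAssignmentId -Name $ParameterName

# Show what the copy will change before touching the target.
$drift = Get-ParameterDrift -Source $sourceValues -Target $targetValues
if (-not $drift) {
    Write-Host "Target already matches source ($($sourceValues.Count) entries); nothing to do."
    return
}
$drift | Format-Table -AutoSize

# Apply the source list. -PolicyParameterObject takes a hashtable of
# parameter name -> value, so no JSON file is needed.
Set-AzPolicyAssignment -Id $TargetAssignmentId -PolicyParameterObject @{ $ParameterName = $sourceValues } | Out-Null

# Re-read the target and confirm the two lists now match.
$after = Get-AssignmentParameterValues -AssignmentId $TargetAssignmentId -Name $ParameterName
$remaining = Get-ParameterDrift -Source $sourceValues -Target $after
if ($remaining) {
    Write-Warning "Target still differs from source after update:"
    $remaining | Format-Table -AutoSize
} else {
    Write-Host "Target now matches source ($($after.Count) entries)."
}
```

Running the drift check on its own (without the Set-AzPolicyAssignment line) is also a quick way to spot the problem described in the Terraform section below: an entry that was added by hand and then silently dropped the next time someone edited the list in the portal shows up as "missing from target".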
Terraform problem
We had to do this because of an error we were getting while using Terraform to create an Application Insights object while a policy was assigned to the subscription. The error was:
Error: Error update Application Insights Billing Feature "ai-xxx" (Resource Group "rg-xxx"): insights.ComponentCurrentBillingFeaturesClient#Update: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="RequestDisallowedByPolicy"
It turns out that this resource type is not in the portal UI, as in, you cannot select it. To add it you have to do it manually through PowerShell. And after that, every time you change the selected resources in the UI it removes the manually added entry. We are opening a case with Microsoft on this.
For reference, here is our Terraform file:
    resource "azurerm_application_insights" "app_insights" {
      name                = "ai-xxx"
      location            = azurerm_resource_group.keyvault.location
      resource_group_name = azurerm_resource_group.keyvault.name
      application_type    = "other"
    }
Conclusion
I do not know why there is a resource type that is not in the list of selectable resources; hopefully Microsoft gets it fixed, because this is annoying. The requirement for this resource type in Terraform was added in this pull request:
It feels like there may be a bug in here. If the value is not set in the Terraform file, then perhaps the provider should not try to set it when creating the resource.