Azurerm_policy_set_definition with boolean parameter

Hi,

I’m going round in circles with this one.

I have an azurerm_policy_set_definition which accepts a boolean parameter.

      "bringYourOwnUserAssignedManagedIdentity": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Bring Your Own User-Assigned Identity",
          "description": "Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'."
        },
        "allowedValues": [
          true,
          false
        ]
      }

I then have a policy_definition block which references the parameter above

      parameter_values = <<VALUE
      {
        "bringYourOwnUserAssignedManagedIdentity": {
            "value": parameters('bringYourOwnUserAssignedManagedIdentity')
        },
...

If I reference it as above then I get an error in the plan saying

"policy_definition_reference.0.parameter_values" contains an invalid JSON: invalid character 'p' looking for beginning of value

If I change the reference to this

      parameter_values = <<VALUE
      {
        "bringYourOwnUserAssignedManagedIdentity": {
            "value": "parameters('bringYourOwnUserAssignedManagedIdentity')"
        },

Then my plan complains that the parameter is a bool, not a string, i.e. it receives "true" not true.

I’ve looked everywhere and I can’t find any examples of how to pass a bool parameter correctly.

Any help much appreciated.

Phill

I’ve figured it out.

What I did in the end was to use the data resource with outputs to look at the structure of an existing policy initiative.

I could see it was using jsonencode instead of a heredoc and, more importantly, I could see the correct way to reference the parameters was like this.

      parameter_values = jsonencode(
      {
        "effect": {
            "value": "[parameters('effect')]"
        },
        "bringYourOwnUserAssignedManagedIdentity": {
            "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
        },
...

I’m glad to say now it works.

There are two things that could go back into the documentation though for this resource.

  1. The parameters = <<VALUE could be replaced with the corresponding jsonencode() example. I read apparentlyamart saying HashiCorp recommend the use of jsonencode() anyway, so having it in the documentation would reinforce that.
  2. The example in the docs only passes one parameter, and that is an array of values. This confuses the way the parameters() code is interpreted for someone who is unsure. I couldn’t tell whether the [ ] were part of the parameter reference, i.e. should I be typing [parameters()] or typing parameters() with the square brackets associated with the array… To avoid the confusion, if the example had multiple parameters in it (one string, one bool, one array, for example) it would make it easier to understand what is required.

Hope this helps
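To show the fix from the post above end to end, here is a complete configuration that forwards one String, one Boolean and one Array initiative parameter to a child definition using jsonencode() and the "[parameters('...')]" form. It is an added example, not code from the thread or from the azurerm provider docs: the resource names, the policy rule, the allowed values and the defaults are illustrative assumptions, and the child definition is a hypothetical custom one rather than the built-in Azure Monitor Agent policy the original question refers to.

```hcl
# Added example, not taken from the thread or the provider docs. Resource
# names, the policy rule and the default values are illustrative assumptions.
provider "azurerm" {
  features {}
}

data "azurerm_subscription" "current" {}

# Hypothetical custom definition declaring the three parameter types forwarded below.
resource "azurerm_policy_definition" "vm_checks" {
  name         = "example-vm-location-and-identity"
  policy_type  = "Custom"
  mode         = "Indexed"
  display_name = "Example: VM location and identity checks"

  parameters = jsonencode({
    effect = {
      type          = "String"
      allowedValues = ["Audit", "Deny", "Disabled"]
      defaultValue  = "Audit"
    }
    bringYourOwnUserAssignedManagedIdentity = {
      type          = "Boolean"
      allowedValues = [true, false]
      defaultValue  = false
    }
    listOfAllowedLocations = {
      type     = "Array"
      metadata = { strongType = "location" }
    }
  })

  policy_rule = jsonencode({
    if = {
      allOf = [
        { field = "type", equals = "Microsoft.Compute/virtualMachines" },
        { field = "location", notIn = "[parameters('listOfAllowedLocations')]" },
        # The Boolean is compared as a JSON boolean, never as the string "true".
        { value = "[parameters('bringYourOwnUserAssignedManagedIdentity')]", equals = false },
      ]
    }
    then = { effect = "[parameters('effect')]" }
  })
}

resource "azurerm_policy_set_definition" "example" {
  name         = "example-initiative"
  policy_type  = "Custom"
  display_name = "Example initiative with String, Boolean and Array parameters"

  # Initiative-level parameters as plain HCL; jsonencode guarantees valid JSON.
  parameters = jsonencode({
    effect = {
      type          = "String"
      allowedValues = ["Audit", "Deny", "Disabled"]
      defaultValue  = "Audit"
    }
    bringYourOwnUserAssignedManagedIdentity = {
      type          = "Boolean"
      metadata      = { displayName = "Bring Your Own User-Assigned Identity" }
      allowedValues = [true, false]
      defaultValue  = false
    }
    listOfAllowedLocations = {
      type         = "Array"
      metadata     = { displayName = "Allowed locations", strongType = "location" }
      defaultValue = ["westeurope", "northeurope"]
    }
  })

  policy_definition_reference {
    policy_definition_id = azurerm_policy_definition.vm_checks.id
    reference_id         = "vmChecks"
    # Each value is the literal string "[parameters('...')]". The square brackets
    # mark an Azure Policy expression, not a JSON array; Azure resolves it at
    # assignment time to the initiative parameter's own type, so the Boolean
    # arrives as true/false rather than "true"/"false".
    parameter_values = jsonencode({
      effect = { value = "[parameters('effect')]" }
      bringYourOwnUserAssignedManagedIdentity = {
        value = "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
      }
      listOfAllowedLocations = { value = "[parameters('listOfAllowedLocations')]" }
    })
  }
}

# The assignment is where the Boolean is actually set: a bare true, still via jsonencode.
resource "azurerm_subscription_policy_assignment" "example" {
  name                 = "example-initiative-assignment"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_set_definition.example.id

  parameters = jsonencode({
    bringYourOwnUserAssignedManagedIdentity = { value = true }
    listOfAllowedLocations                  = { value = ["westeurope"] }
  })
}
```

Two things worth checking in practice. The unquoted heredoc form in the question fails because parameters('x') is not JSON at all, and the quoted form without brackets is a plain string that Azure never evaluates; jsonencode() removes the first class of error entirely, but a wrong reference string still produces a clean plan, so after terraform apply read the initiative back (for example az policy set-definition show --name example-initiative --query "policyDefinitions[0].parameters") and confirm the child parameters are the "[parameters('...')]" strings. If a reference is mis-wired the child definition silently runs with its own default value; for a deployIfNotExists initiative such as the Azure Monitor Agent one in the question, that is the difference between using your pre-created identity and Azure creating a new managed identity per resource in every subscription.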
