
Bicep Azure Policy assignment scope

Problem

I’m using Bicep to deploy an Azure Policy Assignment.

resource policy_assignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: 'my_policy'
  location: 'westus'
  scope: subscriptionResourceId('Microsoft.Resources/resourceGroups',  resourceGroup().name)
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '/subscriptions/xxxxxxx-xxxxxx-xxxx-xxx/resourceGroups/my-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mymi': {}
    }
  }
  properties: {
    parameters: {
      MyParamKey: '/subscriptions/xxxxx-xxx-xxxx-xxx-xxx/resourcegroups/my-rg2/providers/microsoft.network/virtualnetworks/vnetmy/subnets/default'
    }
    policyDefinitionId: '/subscriptions/xxxxx-xxx-xxxx-xxx-xxx//providers/Microsoft.Authorization/policyDefinitions/my-policy-def'
  }
}

When I run az bicep build --file .\policy_assignment.bicep, I receive the following error:

C:$Path.bicep(4,10) : Error BCP036: The property "scope" expected a value of type "resource | tenant" but the provided value is of type "string".
C:$Path.bicep(13,32) : Warning BCP036: The property "MyParamKey" expected a value of type "ParameterValuesValue" but the provided value is of type "'/subscriptions/xxxxx-xxx/resourcegroups/my-rg2/providers/microsoft.network/virtualnetworks/vnetmy/subnets/default'".

I have two problems:

On the internet, I couldn’t discover many examples. The Bicep Policy Assignment documentation may be found here.

Do you have any suggestions for how I could solve these errors?

Asked by MoonHorse

Solution #1

Most likely, this resource type wants argument values to be wrapped in objects with a value like:

parameters: {
  MyParamKey: {
    value: '/subscriptions/xxxxx-xxx-xxxx-xxx-xxx/resourcegroups/my-rg2/providers/microsoft.network/virtualnetworks/vnetmy/subnets/default'
  }
}

There are a few other use cases that are similar to this one.

EDIT: As stated by @Thomas, the scope should be referred to as scope: resourceGroup(), since this is dynamically retrieved by your client with the right type Bicep is waiting for.

Answered by Jul_DW
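
Both fixes from the answer applied to the resource in the question, as an added example that is not part of the original post. The three parameter names are assumptions that stand in for the redacted resource IDs, and the template is assumed to be deployed at resource group scope.

```bicep
// Added example: the question's policy assignment with both corrections applied.
// Assumption: this file is deployed to the resource group the policy should govern.
targetScope = 'resourceGroup'

// Hypothetical parameters replacing the redacted IDs shown in the question.
@description('Resource ID of the policy definition to assign.')
param policyDefinitionId string

@description('Resource ID of the user-assigned managed identity used by the assignment.')
param userAssignedIdentityId string

@description('Resource ID of the subnet passed to the policy as MyParamKey.')
param subnetId string

resource policy_assignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: 'my_policy'
  location: 'westus'

  // Fix for error BCP036 on "scope": pass a scope object, not a resource ID string.
  // resourceGroup() returns the resource group the deployment targets.
  scope: resourceGroup()

  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      // The identity's resource ID is the property key; the value is an empty object.
      '${userAssignedIdentityId}': {}
    }
  }

  properties: {
    policyDefinitionId: policyDefinitionId
    parameters: {
      // Fix for warning BCP036 on "MyParamKey": each parameter is an object
      // with a "value" property, not a bare string.
      MyParamKey: {
        value: subnetId
      }
    }
  }
}

// Emitting the assignment ID makes it easy to confirm where the policy landed.
output assignmentId string = policy_assignment.id
```

The assignment applies only to the resource group the deployment targets, so check the group passed to the deployment command before rolling it out.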

Post is based on https://stackoverflow.com/questions/69886386/bicep-azure-policy-assignment-scope