Get-AzPolicyDefinition - Migration Help for Az 12.0.0, it appears the policy id is under a section called “id” and not “PolicyDefinitionID”

Open Alex-wdy opened this issue 1 year ago • 1 comments

Description

I've a customer needing assistance in reconfiguring their PowerShell scripts for their environment as their PowerShell cmdlet formats are out of date per guidelines of our documentation: Migration guide for Az 12.0.0 | Microsoft Learn

ISSUE: ADO pipeline to deploy/create new Policy Initiatives to be assigned at tenant level scope “16b9c567-9b8b-4112-a115-xxx” is failing with PowerShell script error:

"The referenced policyDefinitionID | '/providers/Microsoft.Management/managementGroups/16b9c567-9b8b-4112-a115-cfecbxxxx/providers/Microsoft.Authorization/policyDefinitions/RBACAzureKubernetespolicy' doesn't exist at the specified scope"

TROUBLESHOOTING: A collection of debug logs were taken over the course of 2 weeks, implementing Verbose statement to output the variable “$existingPolicyDefintions” that was linked to the Az cmdlet Get-AzPolicyDefinition that was being executed in the "Set-InitiativeDefinitions" PS script within the pipeline to pull the list of policy definitions defined at the tenant level scope. At first there was conflict in pulling the proper output of the ids from the var, as for a couple of instances its output in the debug was found empty or the id would have an additional quotation mark appended at the end. Either of these outputs in comparison to the id that it should equal within the if condition of the script would result in failure and script termination.

It was finally determined, debugging at the source of where the "$existingPolicyDefinitions" was created, that when trying to retrieve the ids of the policies at tenant ($existingPolicyDefinitions | select PolicyDefinitionID) fetching property “PolicyDefinitionID”, the results were null, indicating the property being fetched does not exist within the configuration of the policy definition resource output.

After separate testing with the Get-AzPolicyDefinition cmdlet to see what output looks like for the properties of a policy definition, it appears the policy id is under a section called “id” and not “PolicyDefinitionID”. Once it was tested to switch out every instance of implementations of fetching the PolicyDefinitionID property to “id” from the var $existingPolicyDefinitions, the output of getting the proper policy ids was successful, eliminating the specified error.

SOLUTION: The PS script for the ADO deployment is configured to use the latest version of AzPowerShell and recently, in the beginning of September, there were updates announced per documentation under “Az 12.0.0 Migration Guide” of cmdlet breaking changes and property deprecations such as “PolicyDefinitionID”:

Migration guide for Az 12.0.0 | Microsoft Learn

Because the script is 3 or 4 years old, there have been no updates to the format of calling the proper properties of certain Az cmdlets that are mentioned in the Migration guide documentation. The script may face more related failures/errors in the pipeline until all usage of Az cmdlets in reference to fetching their certain properties has the properly updated format. Because this scope involves reconfiguration of PowerShell script(s) and not a break/fix support scenario, an expert in this area is needed to assist this strategic customer.

Environment data

PS

Module versions

Az.Resource

Error output

No response

Alex-wdy, Sep 27 '24 08:09

Policy team will follow up with email. And we need to get the error log or expected results.

Alex-wdy, Oct 10 '24 07:10
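
The check described in the issue, as an added example that is not from the issue author or the Az project: it reads the definition id from either output shape (“id” or “PolicyDefinitionID”), strips the stray trailing quotation mark mentioned in the debug notes, and lists referenced ids that do not exist before the initiative is deployed. The function names, the sample objects and the all-zero management group id are assumptions made for illustration.

```powershell
# Added example. Helper names are hypothetical; sample data is constructed,
# not real Get-AzPolicyDefinition output.
function Get-PolicyDefinitionIdCompat {
    param([Parameter(Mandatory, ValueFromPipeline)] $Definition)
    process {
        # Prefer the property the issue reports for Az 12.0.0, then the old one.
        foreach ($name in 'Id', 'PolicyDefinitionId') {
            $prop = $Definition.PSObject.Properties[$name]   # case-insensitive lookup
            if ($prop -and -not [string]::IsNullOrWhiteSpace($prop.Value)) {
                # Remove whitespace and stray quotation marks around the id.
                return ([string]$prop.Value).Trim().Trim([char[]]@('"', "'"))
            }
        }
        throw "Object has neither 'Id' nor 'PolicyDefinitionId'; refusing to continue."
    }
}

function Find-MissingPolicyReference {
    param(
        [Parameter(Mandatory)] [object[]] $ExistingDefinitions,
        [Parameter(Mandatory)] [string[]] $ReferencedIds
    )
    # Resource ids are compared case-insensitively.
    $known = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($d in $ExistingDefinitions) {
        [void]$known.Add((Get-PolicyDefinitionIdCompat -Definition $d))
    }
    $ReferencedIds | Where-Object { -not $known.Contains($_) }
}

# Constructed sample: placeholder management group, one object per output shape.
$base = '/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000' +
        '/providers/Microsoft.Authorization/policyDefinitions'
$existingPolicyDefinitions = @(
    [pscustomobject]@{ Id = "$base/RBACAzureKubernetespolicy" }       # new shape
    [pscustomobject]@{ PolicyDefinitionId = "$base/SampleTagPolicy`"" } # old shape, stray quote
)
$referenced = @(
    "$base/rbacazurekubernetespolicy",
    "$base/SampleTagPolicy",
    "$base/NotDeployedPolicy"
)

$missing = @(Find-MissingPolicyReference -ExistingDefinitions $existingPolicyDefinitions `
                                         -ReferencedIds $referenced)
if ($missing.Count -gt 0) {
    Write-Warning ("Referenced definitions not found at scope: " + ($missing -join ', '))
}
```

With the constructed data only the `NotDeployedPolicy` id is reported. In a pipeline, `$existingPolicyDefinitions` would be the output of Get-AzPolicyDefinition, and a non-empty `$missing` should stop the run before the initiative is created.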