I am trying to build a custom seccomp template for Azure Policy using Terraform and keep running into errors when adding multiple paramaters similar to how the templates are built. If I build these into Azure manually, I have no problems.
My Terraform is below, the error I keep getting in this example is
╷
│ Error: creating/updating Policy Definition "k8s_seccomp_governance": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidPolicyRuleEffectDetails" Message="The policy definition 'k8s_seccomp_governance' rule is invalid. The policy effect 'details' property could not be parsed."
│
│ with azurerm_policy_definition.k8s_seccomp_governance,
│ on policy_definitions.tf line 1, in resource "azurerm_policy_definition" "k8s_seccomp_governance":
│ 1: resource "azurerm_policy_definition" "k8s_seccomp_governance" {
│
╵
Code:
resource "azurerm_policy_definition" "k8s_seccomp_governance" {
name = "k8s_seccomp_governance"
description = "Kubernetes cluster containers should only use allowed seccomp profiles"
policy_type = "Custom"
mode = "All"
display_name = "AMPS K8s Seccomp Governance"
metadata = <<METADATA
{
"category": "Kubernetes",
"version": "1.0.0"
}
METADATA
policy_rule = <<POLICY_RULE
{
"if": {
"field": "type",
"in": [
"AKS Engine",
"Microsoft.Kubernetes/connectedClusters",
"Microsoft.ContainerService/managedClusters"
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"constraintTemplate": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/template.yaml",
"constraint": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v2/constraint.yaml",
"excludedNamespaces": "[parameters('excludedNamespaces')]"
}
}
}
POLICY_RULE
parameters = <<PARAMETERS
{
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
},
"allowedValues": ["audit", "deny","disabled"],
"defaultValue": "audit"
},
"excludedNamespaces": {
"type": "Array",
"metadata": {
"displayName": "Namespace exclusions",
"description": "List of Kubernetes namespaces to exclude from policy evaluation."
},
"defaultValue": ["kube-system", "gatekeeper-system", "azure-arc"]
}
}
PARAMETERS
}
To add,
If I don't include description, then I get this error:
╷
│ Error: creating/updating Policy Definition "k8s_seccomp_governance": policy.DefinitionsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="UnusedPolicyParameters" Message="The policy 'k8s_seccomp_governance' has defined parameters 'excludedNamespaces' which are not used in the policy rule. Please either remove these parameters from the definition or ensure that they are used in the policy rule."
│
│ with azurerm_policy_definition.k8s_seccomp_governance,
│ on policy_definitions.tf line 1, in resource "azurerm_policy_definition" "k8s_seccomp_governance":
│ 1: resource "azurerm_policy_definition" "k8s_seccomp_governance" {
│
╵
I was able to resolve this, the problem was that I was using mode: "All" and needed to change it to mode = "Microsoft.Kubernetes.Data" for these to work
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments