Azure policy definitions as code: avoiding duplicate parameter definitions

I’m looking to create a number of Azure policies using infrastructure as code.

The MS Documentation advises a structure as below:

.
|
|- policies/  ________________________ # Root folder for policy resources
|  |- policy1/  ______________________ # Subfolder for a policy
|     |- policy.json _________________ # Policy definition
|     |- policy.parameters.json ______ # Policy definition of parameters
|     |- policy.rules.json ___________ # Policy rule
|     |- assign.<name1>.json _________ # Assignment 1 for this policy definition
|     |- assign.<name2>.json _________ # Assignment 2 for this policy definition
|  |- policy2/  ______________________ # Subfolder for a policy
|     |- policy.json _________________ # Policy definition
|     |- policy.parameters.json ______ # Policy definition of parameters
|     |- policy.rules.json ___________ # Policy rule
|     |- assign.<name1>.json _________ # Assignment 1 for this policy definition
|     |- assign.<name2>.json _________ # Assignment 2 for this policy definition
|

This makes sense, but all examples of policy definitions I’ve seen include the parameter definitions; so I don’t see the value in having the separate policy.parameters.json file if it’s just duplicating information.

Question

Is there a way to avoid this duplication; e.g. by having the policy.json file refer to the policy.parameters.json file instead of copying its content, or is there some value added by having this duplication?

(The same scenario occurs for the rules file; I assume the answer for that section would be the same…)

Example of this duplication

From the Azure Community Policies repo:

Policy File includes these lines:

"parameters": {
  "tagName": {
    "type": "String",
    "defaultValue": "DateCreated",
    "metadata": {
      "displayName": "Tag Name",
      "description": "Name of the tag, such as 'Date'"
    }
  }
}

The parameters file exactly duplicates the content found under the parameters section above (well, almost; in this case the description differs slightly, but that feels like a mistake rather than a justification):

{
  "tagName": {
    "type": "String",
    "defaultValue": "DateCreated",
    "metadata": {
      "displayName": "Tag Name",
      "description": "Name of the tag, such as 'DateCreated'"
    }
  }
}

Answer

Answer from the MS Docs team:

The structure is partially to help with some of the SDK functions that take those components as a standalone file. For example, in Azure CLI the command for creating a policy assignment, az policy assignment create, uses a params (or p) parameter that expects a JSON string or path of just the parameter node. While you could add extra steps in your pipeline to shard the “core” file that has this information, the team felt it was a cleaner path to have each file used as part of the source.
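An added example (not from the question, the MS Docs reply, or the Community Policies repo): a small Python helper that does the two things the thread talks about, namely sharding a combined policy.json into the standalone parameter and rule nodes, and checking that existing copies have not drifted apart (the description mismatch the question noticed is exactly what such a check catches). The sample documents are constructed, and accepting both a `properties`-wrapped and a top-level layout is an assumption of this example.

```python
import json
from typing import Any, Optional

# Constructed sample modelled on the question: the embedded "parameters" node and
# the standalone policy.parameters.json differ only in the description text.
POLICY_JSON = json.dumps({"properties": {
    "displayName": "Require a tag on resources", "mode": "Indexed",
    "parameters": {"tagName": {
        "type": "String", "defaultValue": "DateCreated",
        "metadata": {"displayName": "Tag Name",
                     "description": "Name of the tag, such as 'Date'"}}},
    "policyRule": {
        "if": {"field": "[concat('tags[', parameters('tagName'), ']')]",
               "exists": "false"},
        "then": {"effect": "deny"}}}})
PARAMETERS_JSON = json.dumps({"tagName": {
    "type": "String", "defaultValue": "DateCreated",
    "metadata": {"displayName": "Tag Name",
                 "description": "Name of the tag, such as 'DateCreated'"}}})

def _body(policy: dict) -> dict:
    # Exported definitions wrap the fields in "properties"; hand-written ones often
    # keep them at the top level. Accepting both is an assumption of this example.
    return policy.get("properties", policy)

def shard(policy_text: str) -> tuple:
    """Split policy.json into the standalone parameter and rule nodes, each as a
    JSON string of the shape `az policy assignment create --params` accepts."""
    body = _body(json.loads(policy_text))
    return (json.dumps(body.get("parameters", {}), indent=2),
            json.dumps(body.get("policyRule", {}), indent=2))

def _diff(path: str, a: Any, b: Any, out: list) -> None:
    # Recursive structural comparison; every mismatch is reported with its JSON path.
    if isinstance(a, dict) and isinstance(b, dict):
        for key in sorted(set(a) | set(b)):
            if key in a and key in b:
                _diff(f"{path}.{key}", a[key], b[key], out)
            else:
                out.append(f"{path}.{key}: present in only one file")
    elif a != b:
        out.append(f"{path}: {a!r} != {b!r}")

def find_drift(policy_text: str, parameters_text: str,
               rules_text: Optional[str] = None) -> list:
    """List every mismatch between the embedded nodes and the standalone files."""
    body = _body(json.loads(policy_text))
    drift: list = []
    _diff("parameters", body.get("parameters", {}), json.loads(parameters_text), drift)
    if rules_text is not None:
        _diff("policyRule", body.get("policyRule", {}), json.loads(rules_text), drift)
    return drift
```

Running `find_drift(POLICY_JSON, PARAMETERS_JSON)` reports the single description mismatch; feeding the output of `shard` back into `find_drift` returns an empty list, which is the state a pipeline should enforce if both files are kept.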

Attribution
Source: Link; Question author: JohnLBevan; Answer author: JohnLBevan