Error: expanding JSON for policy_rule: json: cannot unmarshal string into Go value of type map[string]interface {}

[rayaashokkumar321]

Hi @gettek,

I am getting the error message mentioned in the subject because of the policy rule mentioned in modules/definition/main.tf, here is the policy json code I am trying to deploy, can you please help to resolve this?

  "properties": {
    "displayName": "Config diag settings for Blob Service to Log Analytics workspace",
    "description": "Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated.",
    "policyType": "BuiltIn",
    "mode": "All",
    "metadata": {
      "category": "Storage",
      "version": "4.0.0"
    },
    "version": "4.0.0",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "blobServicesDiagnosticsLogsToWorkspace"
      },
      "logAnalytics": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
          "strongType": "omsWorkspace",
          "assignPermissions": true
        }
      },
      "metricsEnabled": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      },
      "logsEnabled": {
        "type": "Boolean",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
        },
        "allowedValues": [
          true,
          false
        ],
        "defaultValue": true
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts/blobServices"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "[parameters('metricsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('logAnalytics')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "bool"
                  },
                  "logsEnabled": {
                    "type": "bool"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Storage/storageAccounts/blobServices/providers/diagnosticSettings",
                    "apiVersion": "2021-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "workspaceId": "[parameters('logAnalytics')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                          "enabled": "[parameters('metricsEnabled')]"
                        }
                      ],
                      "logs": [
                        {
                          "category": "StorageRead",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "StorageWrite",
                          "enabled": "[parameters('logsEnabled')]"
                        },
                        {
                          "category": "StorageDelete",
                          "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('fullName')]"
                },
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "metricsEnabled": {
                  "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                  "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                  "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    },
    "versions": [
      "4.0.0"
    ]
  }
}

Thanks, Gettek
Ashok

[gettek]

Hi @rayaashokkumar321, appears you may be missing the opening curly bracket { before "properties": {. See above

[rayaashokkumar321]

Hi @gettek ,

I have in code like below

{
"properties": {

[gettek]

@rayaashokkumar321, I cannot replicate the issue, can you please share some TF code, the Policy itself appears fine

[rayaashokkumar321]

Here is the tf code, which is in 3 different files

module "deploy_resource_diagnostic_setting" {
  source = "..//modules/definition"
  for_each = toset([
    for p in fileset(path.module, "../policies/Monitoring-2/*.json") :
    trimsuffix(basename(p), ".json")
  ])
  policy_name         = each.key
  policy_category     = "Monitoring"
  management_group_id = "/providers/Microsoft.Management/managementGroups/mg-tp"
}

module "platform_diagnostics_initiative" {
  source                  = "..//modules/initiative"
  initiative_name         = "platform_diagnostics_initiative"
  initiative_display_name = "[Platform]: Diagnostics Settings Policy Initiative"
  initiative_description  = "Collection of policies that deploy resource and activity log forwarders to logging core resources"
  initiative_category     = "Monitoring"
  merge_effects           = false # will not merge "effect" parameters
  management_group_id     = "/providers/Microsoft.Management/managementGroups/mg-tp"

  # Populate member_definitions with a for loop
  member_definitions = [for mon in module.deploy_resource_diagnostic_setting : mon.definition]
}

module "org_mg_platform_diagnostics_initiative" {
  source           = "..//modules/set_assignment"
  initiative       = module.platform_diagnostics_initiative.initiative
  assignment_scope = "/providers/Microsoft.Management/managementGroups/mg-tp"

  # resource remediation options
  re_evaluate_compliance = var.re_evaluate_compliance
  skip_remediation       = var.skip_remediation
  skip_role_assignment   = var.skip_role_assignment
  # role_definition_ids    = [data.azurerm_role_definition.contributor.id] # using explicit roles

  # NOTE: You may omit parameters at assignment to use the definitions 'defaultValue'
  assignment_parameters = {
    # workspaceId                                        = local.dummy_resource_ids.azurerm_log_analytics_workspace
    # storageAccountId                                   = local.dummy_resource_ids.azurerm_storage_account
    # eventHubName                                       = local.dummy_resource_ids.azurerm_eventhub_namespace
    # eventHubAuthorizationRuleId                        = local.dummy_resource_ids.azurerm_eventhub_namespace_authorization_rule
    metricsEnabled                                     = "True"
    logsEnabled                                        = "True"
    # effect_DeployApplicationGatewayDiagnosticSetting   = "DeployIfNotExists"
    # effect_DeployEventhubDiagnosticSetting             = "DeployIfNotExists"
    # effect_DeployFirewallDiagnosticSetting             = "DeployIfNotExists"
    # effect_DeployKeyvaultDiagnosticSetting             = "AuditIfNotExists"
    # effect_DeployLoadbalancerDiagnosticSetting         = "AuditIfNotExists"
    # effect_DeployNetworkInterfaceDiagnosticSetting     = "AuditIfNotExists"
    # effect_DeployNetworkSecurityGroupDiagnosticSetting = "AuditIfNotExists"
    # effect_DeployPublicIpDiagnosticSetting             = "AuditIfNotExists"
    # effect_DeployStorageAccountDiagnosticSetting       = "DeployIfNotExists"
    # effect_DeploySubscriptionDiagnosticSetting         = "DeployIfNotExists"
    # effect_DeployVnetDiagnosticSetting                 = "AuditIfNotExists"
    # effect_DeployVnetGatewayDiagnosticSetting          = "AuditIfNotExists"
  }

[gettek]

Try changing policy_category = "Monitoring-2"

As the definition readme states:

This module depends on populating var.policy_name and var.policy_category to correspond with the respective custom policy definition json file found in the local library. You can also parse in other template files and data sources at runtime.