Adding the policy definition version to the reconstructed policy definition object and check for the version element in 4 places.

[JerJon]

The Build Deployment Plan will fail if you want to deploy a definition set that is using a custom policy definition with a version element directly in the properties element.

In the function Build-PolicyPlan, every custom policy definition is being re-constructed ( Constructing Policy Set parameters for splatting ) but the version is not being added to the new construction.

This action will have its negative effect in the Build-PolicySetPlan fuction where the version can't be found. The function Confirm-PolicyDefinitionInPolicySetMatch looks for the properties.version element of metadata.version element.

Only if the version exist in the metadata element the plan will be build. But if the custom policy has the version (Azure Policy Standard) directly under the properties element the build will fail.

In this PR

• the version element will be added to the reconstructed policyDefinition
• and the Confirm-PolicyDefinitionInPolicySetMatch fuction will check for the existents of the version element 1 4 places instead of 2 (version, metadata.version, properties.version or properties.metadata.version).

All the official ellements should exist in the reconstructed policyDefintion object
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-basics

• displayName
• description
• mode
• version
• metadata
• parameters
• policyRule

[stefanpetter]

Very nice @JerJon. Looking forward to get this merged asap. @sdecker This bug is preventing us from using the latest EPAC version in production. Is there any way we can assist in getting this in to main asap? :) Thanks in advance!

[anwather]

@JerJon @kjdejager can someone provide an example policy that this failing for? My understanding is that versions for custom policies aren't yet supported... It's on the roadmap and happy to cater early for it but I just want to see an example if possible.

[JerJon]

Hello @anwather

Version is a property that can be used in a Custom Policy, but is still in Preview.

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-basics#version-preview

Using version within metadata is (yet ;-) ) the most common practice but we want to be as close to the builtIn policy structure as posible to prevent all kind of script exceptions.

I'll create and add an example as soon as posible.

[JerJon]

@anwather I attached 2 files (1 custom policy definition for inheriting a missing tag and 1 policy set containing this custom policy definition).

The first time deploying the definition and definition set everything will go fine (because the custom policy definition doesn't exist yet and therefor it will not be in the allDefinitions object).

The second time building the plan will fail with the error message:
===================================================================================================
Processing Policy Set JSON files in folder './Applications/EPAC/policies/policySetDefinitions'
===================================================================================================
Number of Policy Set files = 11
/home/vsts/.local/share/powershell/Modules/EnterprisePolicyAsCode/10.8.3/internal/functions/Build-PolicySetPlan.ps1:209
Line |
 209 |  … $policyDefinitionsMatch = Confirm-PolicyDefinitionsInPolicySetMatch `
     |                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot bind argument to parameter 'Version1' because it is an empty
     | string.

##[error]PowerShell exited with code '1'.

def-tag-inherit.jsonc
set-tag-inherit.jsonc

[anwather]

Thanks will give this a go tomorrow and test your fix, should be fine after that. Get Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: JJongman ***@***.***> Sent: Tuesday, 25 February 2025 20:06:31 To: Azure/enterprise-azure-policy-as-code ***@***.***> Cc: Anthony Watherston ***@***.***>; Mention ***@***.***> Subject: Re: [Azure/enterprise-azure-policy-as-code] Adding the policy definition version to the reconstructed policy definition object and check for the version element in 4 places. (PR #891) @anwather<https://github.com/anwather> I attached 2 files (1 custom policy definition for inheriting a missing tag and 1 policy set containing this custom policy definition). The first time deploying the definition and definition set everything will go fine (because the custom policy definition doesn't exist yet and therefor it will not be in the allDefinitions object). The second time building the plan will fail with the error message: Processing Policy Set JSON files in folder './Applications/EPAC/policies/policySetDefinitions' Number of Policy Set files = 11 /home/vsts/.local/share/powershell/Modules/EnterprisePolicyAsCode/10.8.3/internal/functions/Build-PolicySetPlan.ps1:209 Line | 209 | … $policyDefinitionsMatch = Confirm-PolicyDefinitionsInPolicySetMatch ` | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Cannot bind argument to parameter 'Version1' because it is an empty | string. ##[error]PowerShell exited with code '1'. def-tag-inherit.jsonc<https://github.com/user-attachments/files/18960942/def-tag-inherit.jsonc> set-tag-inherit.jsonc<https://github.com/user-attachments/files/18960943/set-tag-inherit.jsonc> — Reply to this email directly, view it on GitHub<#891 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACWCJVV3VQJTJAPZTCRZ46T2RQXBPAVCNFSM6AAAAABXYKA4G2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMOBRGIYTKOJRGY>. You are receiving this because you were mentioned.Message ID: ***@***.***> [JerJon]JerJon left a comment (Azure/enterprise-azure-policy-as-code#891)<#891 (comment)> @anwather<https://github.com/anwather> I attached 2 files (1 custom policy definition for inheriting a missing tag and 1 policy set containing this custom policy definition). The first time deploying the definition and definition set everything will go fine (because the custom policy definition doesn't exist yet and therefor it will not be in the allDefinitions object). The second time building the plan will fail with the error message: Processing Policy Set JSON files in folder './Applications/EPAC/policies/policySetDefinitions' Number of Policy Set files = 11 /home/vsts/.local/share/powershell/Modules/EnterprisePolicyAsCode/10.8.3/internal/functions/Build-PolicySetPlan.ps1:209 Line | 209 | … $policyDefinitionsMatch = Confirm-PolicyDefinitionsInPolicySetMatch ` | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Cannot bind argument to parameter 'Version1' because it is an empty | string. ##[error]PowerShell exited with code '1'. def-tag-inherit.jsonc<https://github.com/user-attachments/files/18960942/def-tag-inherit.jsonc> set-tag-inherit.jsonc<https://github.com/user-attachments/files/18960943/set-tag-inherit.jsonc> — Reply to this email directly, view it on GitHub<#891 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACWCJVV3VQJTJAPZTCRZ46T2RQXBPAVCNFSM6AAAAABXYKA4G2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMOBRGIYTKOJRGY>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[anwather]

Thanks tested and working. @JerJon ikf you're ok can you change it from draft and I'll release.

[JerJon]

@anwather sorry for the delay but I'm not satisfied with my own solution.
I want to test some other situations other than we are facing.
And indeed the API is still not supporting the version property (instead of what the documentation is saying) as you already said.