How do you use Azure Policy to deployIfNotExists a Policy Exemption to a resource group?

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/subscriptions/resourceGroups"
        },
        {
          "field": "name",
          "like": "test*"
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "evaluationDelay": "AfterProvisioning",
        "name": "current",
        "type": "Microsoft.Authorization/policyExemptions",
        "existenceCondition": {
          "field": "name",
          "like": "test*"
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "contentVersion": "1.0.0.0",
            "template": {
              "parameters": {},
              "variables": {},
              "resources": [
                {
                  "type": "Microsoft.Authorization/policyExemptions",
                  "name": "testPolicyExemptW",
                  "apiVersion": "2020-07-01-preview",
                  "scope": "/subscriptions/subscriptionId/resourceGroups/test-policy-exemption-rg",
                  "properties": {
                    "description": "Testing123",
                    "displayName": "testpolicyexemptionrgWaiver",
                    "exemptionCategory": "Waiver",
                    "policyAssignmentId": "/subscriptions/subscriptionId/resourceGroups/test-policy-exemption-rg/providers/Microsoft.Authorization/policyAssignments/d6a5982e20fc49dcbe5025b2"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "parameters": {}
}

This policy definition passes validation. The assignment is successfully assigned to a subscription scope. If I try to remediate, the remediation fails. After checking the details, I get "The deployment definition is invalid. Please see https://aka.ms/arm-deploy for usage details".

Solution 1:[1]

Below is the JSON script that evaluates the virtual machine for auditIfNotExists:

{
    "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
    },
    "then": {
        "effect": "auditIfNotExists",
        "details": {
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "existenceCondition": {
                "allOf": [{
                        "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                        "equals": "Microsoft.Azure.Security"
                    },
                    {
                        "field": "Microsoft.Compute/virtualMachines/extensions/type",
                        "equals": "IaaSAntimalware"
                    }
                ]
            }
        }
    }
}

Here is the complete document for auditIfNotExists.

Solution 2:[2]

Is the policy assignment an assignment of a policy set definition? If so, you also need to include policyDefinitionReferenceIds in "properties", as per the documentation: https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policyexemptions?tabs=json

Also, you can try deploying the ARM template by itself via PowerShell and checking the error message you get, or the activity log in the portal; maybe you will get a more detailed error message.
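Before deploying the nested template on its own, as Solution 2 suggests, it is worth checking its shape against what every ARM template must carry: a top-level "$schema" and "contentVersion" inside "template". In the question's definition "contentVersion" sits beside "template" rather than inside it, and "$schema" is absent. The following Python lint is an added example, not code from the question or either answer; the policy rule excerpt is constructed from the question, and the schema URL is the standard 2019-04-01 deploymentTemplate schema.

```python
import json
ARM_SCHEMA = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"

# Constructed excerpt of the question's deployIfNotExists rule, reduced to the
# deployment part; note contentVersion sits beside "template", not inside it.
POLICY_DEFINITION = {
    "mode": "All",
    "policyRule": {
        "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
        "then": {
            "effect": "deployIfNotExists",
            "details": {
                "type": "Microsoft.Authorization/policyExemptions",
                "deployment": {"properties": {
                    "mode": "incremental",
                    "contentVersion": "1.0.0.0",
                    "template": {"parameters": {}, "variables": {}, "resources": []},
                }},
            },
        },
    },
}

def _deployment_properties(definition):
    # Walk policyRule.then.details.deployment.properties, or return None.
    details = definition.get("policyRule", {}).get("then", {}).get("details", {})
    return details.get("deployment", {}).get("properties")

def lint_dine_deployment(definition):
    """Return findings about the nested ARM template; [] means it carries
    the $schema and contentVersion members every ARM template needs."""
    props = _deployment_properties(definition)
    if props is None:
        return ["details.deployment.properties is missing"]
    template = props.get("template")
    if not isinstance(template, dict):
        return ["deployment.properties.template is missing"]
    findings = [f"template is missing required member '{key}'"
                for key in ("$schema", "contentVersion") if key not in template]
    if "contentVersion" in props and "contentVersion" not in template:
        findings.append("contentVersion sits in deployment.properties; move it inside template")
    return findings

def fix_dine_deployment(definition):
    """Return a deep copy with $schema added and contentVersion moved into template."""
    fixed = json.loads(json.dumps(definition))  # deep copy without touching the input
    props = _deployment_properties(fixed)
    template = props["template"]
    template.setdefault("$schema", ARM_SCHEMA)
    template.setdefault("contentVersion", props.pop("contentVersion", "1.0.0.0"))
    return fixed
```

Run the lint on the full policy definition JSON loaded with json.load; a clean result does not prove the deployment will succeed, but a non-empty one is a template-shape problem ARM will reject before it evaluates anything else.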

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: SaiSakethGuduru-MT
Solution 2: AndreiMS