@Alexandru Popescu, thank you for posting this question on Microsoft Q&A.
The error being received is due to the environment where the cmd is being run:
- If you run this directly in Azure Shell (bash) it would work as expected because there are no escaping related issues for double quotes (").
- For the same az cli cmd to work in windows cmd prompt, you would have to pass the entire definition in a single line (instead of breaking it into multiple lines) as below:

  ```
  az policy definition create --name "custom readOnlyStorage" --rules "{ \"if\": { \"field\": \"type\", \"equals\": \"Microsoft.Storage/storageAccounts/write\" }, \"then\": { \"effect\": \"deny\" } }"
  ```
- However, if you are running from PowerShell, the syntax differs a bit:

  ```
  az --% policy definition create --name "custom readOnlyStorage" --rules "{ \"if\": { \"field\": \"type\", \"equals\": \"Microsoft.Storage/storageAccounts/write\" }, \"then\": { \"effect\": \"deny\" } }"
  ```
Note the presence of "--%" in the cmd after az.
It happens because az is not a PowerShell native cmd, but a batch file (.cmd). When it is called from PowerShell, the cmd prompt is invoked to execute the az cli cmd. For more details, see Quoting issues with PowerShell.
You may also consider using the New-AzPolicyDefinition from PowerShell to be able to split the Policy definition in multiple lines as below:

```
New-AzPolicyDefinition -Name 'custom deny storage 2' -DisplayName 'custom deny storage 2' -Policy '{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Storage/storageAccounts"
            },
            {
                "field": "kind",
                "equals": "BlobStorage"
            },
            {
                "field": "Microsoft.Storage/storageAccounts/accessTier",
                "equals": "cool"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}'
```
Hope this helps.
If the answer did not help, please add more context/follow-up question for it. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
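Added example, not part of the original answer: another way to sidestep the quoting differences described above is to keep the JSON out of the command line entirely. It assumes `--rules` is given a path to a JSON file (which the az CLI help lists as an accepted form); the temp file name is hypothetical.

```powershell
# Added example: build the deny rule from the answer as a PowerShell object,
# serialize it, and pass az a file path so neither PowerShell nor cmd.exe
# has to re-parse the embedded double quotes.
$rule = [ordered]@{
    'if'   = [ordered]@{
        field  = 'type'
        equals = 'Microsoft.Storage/storageAccounts/write'
    }
    'then' = [ordered]@{ effect = 'deny' }
}

# -Depth guards against silent truncation when a rule nests deeper (allOf/anyOf).
$json = $rule | ConvertTo-Json -Depth 10

# Round-trip check: fail here, before calling az, if the JSON is malformed.
$parsed = $json | ConvertFrom-Json -ErrorAction Stop
if ($parsed.then.effect -ne 'deny') {
    throw "Serialized rule does not carry the expected 'deny' effect"
}

# Hypothetical file name. Written as UTF-8 without a BOM, because
# Windows PowerShell's Set-Content -Encoding UTF8 would prepend one.
$rulesFile = Join-Path ([System.IO.Path]::GetTempPath()) 'readOnlyStorage.rules.json'
[System.IO.File]::WriteAllText($rulesFile, $json, [System.Text.UTF8Encoding]::new($false))

try {
    # No --% needed: the only arguments are a name and a path.
    az policy definition create --name 'custom readOnlyStorage' --rules $rulesFile
    if ($LASTEXITCODE -ne 0) {
        throw "az policy definition create failed with exit code $LASTEXITCODE"
    }
}
finally {
    Remove-Item -LiteralPath $rulesFile -ErrorAction SilentlyContinue
}
```

Because the rule is validated before submission, a quoting or serialization mistake shows up locally instead of as a rejected or unintended policy definition.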