How to add an object inside policySetDefinitions parameters

[bakharzy]

Is your feature request related to a problem? Please describe.

Let's assume a policy have more than one parameter. We want to be able to set those parameters when deploying the policy (in Bicep).

Describe the solution you'd like

Here is an example:

resource SecurityInitiative 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
  name: initiativeName
  properties: {
    policyType: 'Custom'
    displayName: initiativeName
    description: '${initiativeName} via ${policySource}'
    metadata: {
      category: policyCategory
      source: policySource
      version: '1.0.0'
    }
    parameters: {
      storagePolicy: {
        type: 'object'
        metadata: {
          displayName: 'Storage Policy'
          description: 'Specifies the minimum TLS version and effect for storage accounts policy'
        }
        defaultValue: {
          minimumTlsVersion: 'TLS1_2'
          effect: 'Audit'
        }
      }
      effectOfSecureTransferForStorageAccount: {
        type: 'String'
        metadata: {
          displayName: 'Effect'
          description: 'Enable or disable the execution of the policy'
        }
        allowedValues: [
          'Audit'
          'Disabled'
          'Deny'
        ]
        defaultValue: 'Audit'
      }
      effectOfGuestConfigExtention: {
        type: 'String'
        metadata: {
          displayName: 'Effect'
          description: 'Enable or disable the execution of the policy'
        }
        allowedValues: [
          'AuditIfNotExists'
          'Disabled'
        ]
        defaultValue: 'AuditIfNotExists'
      }

    }
    policyDefinitions: [
      {
        // Storage accounts should have the specified minimum TLS version
        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0'
        policyDefinitionReferenceId: 'Storage accounts should have the specified minimum TLS version'
        parameters: {
          minimumTlsVersion: {
            value: '[parameters(\'storagePolicy\').minimumTlsVersion]'
          }
          effect: {
            value: '[parameters(\'storagePolicy\').effect]'
          }
        }
      }
      {
        // Secure transfer to storage accounts should be enabled
        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9'
        policyDefinitionReferenceId: 'Secure transfer to storage accounts should be enabled'
        parameters: {
          effect: {
            value: '[parameters(\'effectOfSecureTransferForStorageAccount\')]'
          }
        }
      }
      {
        // Guest Configuration extension should be installed on your machines
        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c'
        policyDefinitionReferenceId: 'Guest Configuration extension should be installed on your machines'
        parameters: {
          effect: {
            value: '[parameters(\'effectOfGuestConfigExtention\')]'
          }
        }
      }
    ]
  }
}

The first built-in policy (id: fe83a0eb-a853-422d-aac2-1bffd182c5d0) can have two parameters (minimumTlsVersion and effect). The second and third policies also have parameters with common name ('effect').

Questions

Is it possible to have all the parameters of a policy in one object defined in the parameters property of policySetDefinitions? If it's possible, how do we later set this object parameter in policyDefinitions? I would also like to set those parameters in the assignment (Microsoft.Authorization/policyAssignments)

resource SecurityAssignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
  name: assignmentName
  properties: {
    displayName: assignmentName
    description: '${assignmentName} via ${policySource}'
    enforcementMode: assignmentEnforcementMode
    metadata: {
      source: policySource
      version: '1.0.0'
    }
    policyDefinitionId: SecurityInitiativeID
    parameters: {
      storagePolicy: {
        minimumTlsVersion: {
          value: SOMEVALUE
        }
        effect: {
          value: 'SOMEVALUE'
        }
      }
// ... other parameters
    }
  }
}

If the object type is not supported, how would you suggest to define the effect parameter for these three different policies?
@anthony-c-martin