Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs


policyAssignmentManagementGroup.bicep doesn't seem to add a policy to additional management groups

gsuttie opened this issue · comments

What happened? Provide a clear and concise description of the bug, including deployment details.

I am using the ALZ modules and particularly this one - ALZ-Bicep/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep

When I run this and populate the parameter called parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs like so: ['mg-Test', 'mg-PreProduction'], neither of these 2 is being populated, only the one I reference like so:-

az deployment mg create --name $deploymentID `
  --location $primaryLocation --management-group-id 'mg-Production' `
  --template-file ./policyAssignmentManagementGroup.bicep --parameters ./policyAssignmentManagementGroup.bicepparam `
  --confirm-with-what-if `
  --output none

so mg-Production is assigned a policy, but neither of the 2 additional ones (['mg-Test', 'mg-PreProduction']) is.

Please provide the correlation id associated with your error or bug.

n/a

What was the expected outcome?

I would expect all 3 Management Groups to have the Policy assigned

Relevant log output

No response

Check previous GitHub issues

  • I have searched the issues for this item and found no duplicate

Code of Conduct

  • I agree to follow this project's Code of Conduct

Hey @gsuttie,

Can you share the module declaration code you are using and what version of the module?

Maybe via a gist or here as a comment so we can try and repro?

Module code I'm using is from policyAssignmentManagementGroup.bicep

And I am calling from PowerShell like so:-

az deployment mg create --name $deploymentID `
  --location $primaryLocation --management-group-id 'mg-Production' `
  --template-file ./policyAssignmentManagementGroup.bicep --parameters ./policyAssignmentManagementGroup.bicepparam `
  --confirm-with-what-if `
  --output none

Here is my .bicepparam file

using 'policyAssignmentManagementGroup.bicep'

// Identity and definition of the single policy assignment this file creates
param parPolicyAssignmentName = 'Iso27001'
param parPolicyAssignmentDisplayName = 'ISO 27001-2013'
param parPolicyAssignmentDescription = 'This policy assignment is for ISO 27001-2013'
param parPolicyAssignmentDefinitionId = '/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2'
param parPolicyAssignmentParameters = {}
param parPolicyAssignmentParameterOverrides = {}
//param parPolicyAssignmentNonComplianceMessages nonComplianceMessageType = []

param parPolicyAssignmentNotScopes = []

param parPolicyAssignmentEnforcementMode = 'Default'
param parPolicyAssignmentOverrides = []
param parPolicyAssignmentResourceSelectors = []

// Managed identity for remediation, and the extra scopes it should get role assignments on
param parPolicyAssignmentIdentityType = 'SystemAssigned'
param parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs = ['mg-Test', 'mg-PreProduction']
param parPolicyAssignmentIdentityRoleAssignmentsSubs = []
param parPolicyAssignmentIdentityRoleAssignmentsResourceGroups = []
param parPolicyAssignmentIdentityRoleDefinitionIds = []

Ah, I see what this is now.

This module assigns a policy only to a single management group, but it allows you to assign the managed identity associated with the policy assignment (for remediation) to many scopes, as this is a common requirement in ALZ.

So if you want the policy assigned to many management groups, you need to call the module once for each assignment scope.

Hope that clears it up.
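The per-scope call the maintainer describes, written out as an added example that is neither code from the ALZ-Bicep repository nor from this thread. It assumes the module file sits next to this orchestration template, that the three management group IDs named in the issue exist and are writable by the deploying identity, and that every module parameter not passed here keeps its default:

```bicep
// orchestration.bicep (added example): one policyAssignmentManagementGroup.bicep
// call per management group, because the module assigns to exactly one scope.
targetScope = 'managementGroup'

// Constructed list of assignment scopes taken from the issue; the module is
// invoked once for each entry.
param parPolicyAssignmentScopes array = [
  'mg-Production'
  'mg-Test'
  'mg-PreProduction'
]

// Assignment details copied from the .bicepparam file shared in the issue.
param parPolicyAssignmentName string = 'Iso27001'
param parPolicyAssignmentDisplayName string = 'ISO 27001-2013'
param parPolicyAssignmentDescription string = 'This policy assignment is for ISO 27001-2013'
param parPolicyAssignmentDefinitionId string = '/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2'

// The loop, not parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs, is
// what spreads the assignment across management groups. Each iteration is a
// separate deployment targeted at its own management group.
module modPolicyAssignment 'policyAssignmentManagementGroup.bicep' = [for mg in parPolicyAssignmentScopes: {
  name: 'polAssi-${parPolicyAssignmentName}-${mg}'
  scope: managementGroup(mg)
  params: {
    parPolicyAssignmentName: parPolicyAssignmentName
    parPolicyAssignmentDisplayName: parPolicyAssignmentDisplayName
    parPolicyAssignmentDescription: parPolicyAssignmentDescription
    parPolicyAssignmentDefinitionId: parPolicyAssignmentDefinitionId
    parPolicyAssignmentEnforcementMode: 'Default'
    parPolicyAssignmentIdentityType: 'SystemAssigned'
    // Left empty here: this parameter only widens where the assignment's
    // managed identity receives role assignments for remediation. It never
    // adds assignment scopes, which is the behaviour the issue ran into.
    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
    parPolicyAssignmentIdentityRoleDefinitionIds: []
  }
}]
```

Deploy it with the same `az deployment mg create` command from the thread, pointed at this file and at any one of the listed management groups, and the what-if preview should now show three policy assignments instead of one.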