policyAssignmentManagementGroup.bicep doesn't seem to add a policy to additional management groups
gsuttie opened this issue · comments
What happened? Provide a clear and concise description of the bug, including deployment details.
I am using the ALZ modules and particularly this one - ALZ-Bicep/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep
When I run this and populate the parameter called parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs like so: ['mg-Test', 'mg-PreProduction'], neither of these 2 is being populated, only the one I reference like so:
az deployment mg create --name $deploymentID `
  --location $primaryLocation --management-group-id 'mg-Production' `
  --template-file ./policyAssignmentManagementGroup.bicep --parameters ./policyAssignmentManagementGroup.bicepparam `
  --confirm-with-what-if `
  --output none
So mg-Production is assigned a policy but neither of the 2 additional ones (['mg-Test', 'mg-PreProduction']) is.
Please provide the correlation id associated with your error or bug.
n/a
What was the expected outcome?
I would expect all 3 Management Groups to have the Policy assigned
Relevant log output
No response
Check previous GitHub issues
- I have searched the issues for this item and found no duplicate
Code of Conduct
- I agree to follow this project's Code of Conduct
Hey @gsuttie,
Can you share the module declaration code you are using and what version of the module?
Maybe via a gist or here as a comment so we can try and repro?
Module code I'm using is from policyAssignmentManagementGroup.bicep
And I am calling it from PowerShell like so:
az deployment mg create --name $deploymentID `
  --location $primaryLocation --management-group-id 'mg-Production' `
  --template-file ./policyAssignmentManagementGroup.bicep --parameters ./policyAssignmentManagementGroup.bicepparam `
  --confirm-with-what-if `
  --output none
Here is my .bicepparam file:
using 'policyAssignmentManagementGroup.bicep'
param parPolicyAssignmentName = 'Iso27001'
param parPolicyAssignmentDisplayName = 'ISO 27001-2013'
param parPolicyAssignmentDescription = 'This policy assignment is for ISO 27001-2013'
param parPolicyAssignmentDefinitionId = '/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2'
param parPolicyAssignmentParameters = {}
param parPolicyAssignmentParameterOverrides = {}
//param parPolicyAssignmentNonComplianceMessages nonComplianceMessageType = []
param parPolicyAssignmentNotScopes = []
param parPolicyAssignmentEnforcementMode = 'Default'
param parPolicyAssignmentOverrides = []
param parPolicyAssignmentResourceSelectors = []
param parPolicyAssignmentIdentityType = 'SystemAssigned'
param parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs = ['mg-Test', 'mg-PreProduction']
param parPolicyAssignmentIdentityRoleAssignmentsSubs = []
param parPolicyAssignmentIdentityRoleAssignmentsResourceGroups = []
param parPolicyAssignmentIdentityRoleDefinitionIds = []
Ah, I see what this is now.
This module assigns a policy only to a single management group, but it will allow you to assign the managed identity associated with the policy assignment (for remediation) to many scopes, as this is a common requirement in ALZ.
So if you want the policy assigned to many management groups you need to call the module once for each assignment scope.
Hope that clears it up.
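The maintainer's answer, as an added Bicep wrapper that is not part of the ALZ-Bicep project: it loops over the target management groups and calls the module once per scope, reusing the parameter values from the .bicepparam above. The module path is assumed to be relative to this file, and the parameter names are assumed to match the module version used in the issue.

```bicep
// Added example, not ALZ-Bicep's own code: the module assigns a policy at one
// management group, so call it once per management group that needs it.
targetScope = 'managementGroup'

// Assumed: every management group that should receive the ISO 27001 assignment.
param parTargetManagementGroupIds array = [
  'mg-Production'
  'mg-Test'
  'mg-PreProduction'
]

// Assumed relative path to the ALZ-Bicep module; adjust to your repository layout.
module modPolicyAssignmentPerMg 'policyAssignmentManagementGroup.bicep' = [for mgId in parTargetManagementGroupIds: {
  // Deployment names must be unique at each scope; the MG id keeps them distinct.
  name: 'policyAssignment-Iso27001-${mgId}'
  // The module assigns at its own deployment scope, so set that per iteration.
  scope: managementGroup(mgId)
  params: {
    // Values copied from the .bicepparam shown in the issue.
    parPolicyAssignmentName: 'Iso27001'
    parPolicyAssignmentDisplayName: 'ISO 27001-2013'
    parPolicyAssignmentDescription: 'This policy assignment is for ISO 27001-2013'
    parPolicyAssignmentDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2'
    parPolicyAssignmentParameters: {}
    parPolicyAssignmentParameterOverrides: {}
    parPolicyAssignmentNotScopes: []
    parPolicyAssignmentEnforcementMode: 'Default'
    parPolicyAssignmentOverrides: []
    parPolicyAssignmentResourceSelectors: []
    parPolicyAssignmentIdentityType: 'SystemAssigned'
    // Left empty on purpose: these only grant the assignment's managed identity
    // remediation rights at extra scopes; they never create extra assignments.
    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
    parPolicyAssignmentIdentityRoleAssignmentsSubs: []
    parPolicyAssignmentIdentityRoleAssignmentsResourceGroups: []
    parPolicyAssignmentIdentityRoleDefinitionIds: []
  }
}]
```

Deploy it with the same `az deployment mg create` command against any one of the management groups (for example mg-Production); the deploying principal needs rights to create policy assignments on every management group in the list, and a what-if run should then show one assignment per management group.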