Error when creating initiative with a mix of custom & built-in Policy definitions without merging effects
Egoorbis opened this issue
Issue Template
Prerequisites
- I am running the latest version
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
Context
I used the example for creating an initiative with a mix of custom & built-in Policy definitions without merging effects. I've updated the built-in policy to use the policy "Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication".
- Module Version: 2.9.0
- Terraform Version: 1.7.3
- AzureRM Provider Version: 3.93.0
initiatives.tf
# Built-in definition looked up by display name
data "azurerm_policy_definition" "deploy_ama_on_linux_vms" {
  display_name = "Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication"
}

module "configure_asc_initiative" {
  source                  = "gettek/policy-as-code/azurerm//modules/initiative"
  initiative_name         = "configure_asc_initiative"
  initiative_display_name = "[Security]: Configure Azure Security Center"
  initiative_description  = "Deploys and configures Azure Security Center settings and defines exports"
  initiative_category     = "Security Center"
  management_group_id     = data.azurerm_management_group.org.id
  merge_effects           = false

  # Mix of custom definitions (module outputs) and one built-in definition (data source)
  member_definitions = [
    module.configure_asc["auto_enroll_subscriptions"].definition,
    module.configure_asc["auto_provision_log_analytics_agent_custom_workspace"].definition,
    module.configure_asc["auto_set_contact_details"].definition,
    module.configure_asc["export_asc_alerts_and_recommendations_to_eventhub"].definition,
    module.configure_asc["export_asc_alerts_and_recommendations_to_log_analytics"].definition,
    data.azurerm_policy_definition.deploy_ama_on_linux_vms,
  ]
}

# get all the generated parameter names so we know what to use during assignment
output "list_of_initiative_parameters" {
  value = keys(module.configure_asc_initiative.parameters)
}
definitions.tf
locals {
  security_center_policies = {
    auto_enroll_subscriptions                              = "Enable Azure Security Center on Subcriptions"
    auto_provision_log_analytics_agent_custom_workspace    = "Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace"
    auto_set_contact_details                               = "Automatically set the security contact email address and phone number should they be blank on the subscription"
    export_asc_alerts_and_recommendations_to_eventhub      = "Export to Event Hub for Azure Security Center alerts and recommendations"
    export_asc_alerts_and_recommendations_to_log_analytics = "Export to Log Analytics Workspace for Azure Security Center alerts and recommendations"
  }
}

# One custom definition per entry in the map above
module "configure_asc" {
  source              = "gettek/policy-as-code/azurerm//modules/definition"
  for_each            = local.security_center_policies
  policy_name         = each.key
  display_name        = title(replace(each.key, "_", " "))
  policy_description  = each.value
  policy_category     = "Security Center"
  management_group_id = data.azurerm_management_group.org.id
}
Expected Behavior
Deploy Azure Policy definitions and an initiative with a mix of custom and built-in policies.
Current Behavior
The following error is thrown. This only happens with a mix of custom and built-in policies. It doesn't happen if I only use custom or only built-in policies. I've tried with different built-in policies, the result is always the same.
╷
│ Error: Invalid value for input variable
│
│ on initatives.tf line 14, in module "configure_asc_initiative":
│ 14: member_definitions = [
│ 15: module.configure_asc["auto_enroll_subscriptions"].definition,
│ 16: module.configure_asc["auto_provision_log_analytics_agent_custom_workspace"].definition,
│ 17: module.configure_asc["auto_set_contact_details"].definition,
│ 18: module.configure_asc["export_asc_alerts_and_recommendations_to_eventhub"].definition,
│ 19: module.configure_asc["export_asc_alerts_and_recommendations_to_log_analytics"].definition,
│ 20: data.azurerm_policy_definition.deploy_ama_on_linux_vms,
│ 21: ]
│
│ The given value is not suitable for module.configure_asc_initiative.var.member_definitions declared at
│ .terraform\modules\configure_asc_initiative\modules\initiative\variables.tf:50,1-30: all list elements must have the same type.
Possible Solution
I compared the output of module.configure_asc["export_asc_alerts_and_recommendations_to_log_analytics"].definition with data.azurerm_policy_definition.deploy_ama_on_linux_vms and can see that there are differences, which most probably cause the error.
Failure Information (for bugs)
Steps to Reproduce
- Create definitions.tf
- Create initiatives.tf
- Configure data.tf and backend
- Run terraform init and then terraform plan
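Terraform's "all list elements must have the same type" check fails here because a module's `definition` output (an `azurerm_policy_definition` resource object) and the `azurerm_policy_definition` data source object carry different attribute sets, so they cannot be unified into one list type. The following is an added example, not code from the issue or from the gettek module: it projects both kinds of definition onto one object shape before handing the list to the initiative module. It assumes the initiative module only reads the attributes listed here, which should be verified against the `member_definitions` declaration in `variables.tf` named in the error.

```hcl
# Added example: normalise custom and built-in definitions to one object type.
# Assumption: the initiative module only needs id, name, display_name,
# parameters and policy_rule from each member; check variables.tf before use.
locals {
  # Custom definitions: values of the for_each module, one object per policy
  custom_member_definitions = [
    for m in module.configure_asc : {
      id           = m.definition.id
      name         = m.definition.name
      display_name = m.definition.display_name
      parameters   = m.definition.parameters
      policy_rule  = m.definition.policy_rule
    }
  ]

  # Built-in definitions: data sources projected onto the same attribute set
  builtin_member_definitions = [
    for d in [data.azurerm_policy_definition.deploy_ama_on_linux_vms] : {
      id           = d.id
      name         = d.name
      display_name = d.display_name
      parameters   = d.parameters
      policy_rule  = d.policy_rule
    }
  ]

  # Both lists now share one element type, so concat() yields a single list(object)
  member_definitions = concat(
    local.custom_member_definitions,
    local.builtin_member_definitions,
  )
}

# Pass the normalised list instead of mixing module outputs and data sources directly
module "configure_asc_initiative_normalised" {
  source                  = "gettek/policy-as-code/azurerm//modules/initiative"
  initiative_name         = "configure_asc_initiative"
  initiative_display_name = "[Security]: Configure Azure Security Center"
  initiative_description  = "Deploys and configures Azure Security Center settings and defines exports"
  initiative_category     = "Security Center"
  management_group_id     = data.azurerm_management_group.org.id
  merge_effects           = false
  member_definitions      = local.member_definitions
}
```

Before wiring the list into the module, `terraform console` with `type(local.member_definitions)` shows whether the elements unified to a single object type or still differ.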