gettek / terraform-azurerm-policy-as-code

Terraform modules that simplify the workflow of custom and built-in Azure Policies

Home Page: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-as-code


Error when creating initiative with a mix of custom & built-in Policy definitions without merging effects

Egoorbis opened this issue

Issue Template

Prerequisites

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Context

I used the example for creating an initiative with a mix of custom & built-in Policy definitions without merging effects. I've updated the built-in policy to use the policy "Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication".

  • Module Version: 2.9.0
  • Terraform Version: 1.7.3
  • AzureRM Provider Version: 3.93.0

initiatives.tf

data "azurerm_policy_definition" "deploy_ama_on_linux_vms" {
  display_name = "Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication"
}

module "configure_asc_initiative" {
  source                  = "gettek/policy-as-code/azurerm//modules/initiative"
  initiative_name         = "configure_asc_initiative"
  initiative_display_name = "[Security]: Configure Azure Security Center"
  initiative_description  = "Deploys and configures Azure Security Center settings and defines exports"
  initiative_category     = "Security Center"
  management_group_id     = data.azurerm_management_group.org.id
  merge_effects           = false

  member_definitions = [
    module.configure_asc["auto_enroll_subscriptions"].definition,
    module.configure_asc["auto_provision_log_analytics_agent_custom_workspace"].definition,
    module.configure_asc["auto_set_contact_details"].definition,
    module.configure_asc["export_asc_alerts_and_recommendations_to_eventhub"].definition,
    module.configure_asc["export_asc_alerts_and_recommendations_to_log_analytics"].definition,
    data.azurerm_policy_definition.deploy_ama_on_linux_vms,
  ]
}

# get all the generated parameter names so we know what to use during assignment
output "list_of_initiative_parameters" {
  value = keys(module.configure_asc_initiative.parameters)
}

definitions.tf

locals {
  security_center_policies = {
    auto_enroll_subscriptions                              = "Enable Azure Security Center on Subscriptions"
    auto_provision_log_analytics_agent_custom_workspace    = "Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace"
    auto_set_contact_details                               = "Automatically set the security contact email address and phone number should they be blank on the subscription"
    export_asc_alerts_and_recommendations_to_eventhub      = "Export to Event Hub for Azure Security Center alerts and recommendations"
    export_asc_alerts_and_recommendations_to_log_analytics = "Export to Log Analytics Workspace for Azure Security Center alerts and recommendations"
  }
}

module "configure_asc" {
  source              = "gettek/policy-as-code/azurerm//modules/definition"
  for_each            = local.security_center_policies
  policy_name         = each.key
  display_name        = title(replace(each.key, "_", " "))
  policy_description  = each.value
  policy_category     = "Security Center"
  management_group_id = data.azurerm_management_group.org.id
}

Expected Behavior

Deploy Azure policy definitions and an initiative with a mix of custom and built-in policies.

Current Behavior

The following error is thrown. This only happens with a mix of custom and built-in policies; it doesn't happen if I only use custom or only built-in policies. I've tried with different built-in policies and the result is always the same.

╷
│ Error: Invalid value for input variable
│
│   on initatives.tf line 14, in module "configure_asc_initiative":
│   14:   member_definitions = [
│   15:     module.configure_asc["auto_enroll_subscriptions"].definition,
│   16:     module.configure_asc["auto_provision_log_analytics_agent_custom_workspace"].definition,
│   17:     module.configure_asc["auto_set_contact_details"].definition,
│   18:     module.configure_asc["export_asc_alerts_and_recommendations_to_eventhub"].definition,
│   19:     module.configure_asc["export_asc_alerts_and_recommendations_to_log_analytics"].definition,
│   20:     data.azurerm_policy_definition.deploy_ama_on_linux_vms,
│   21:   ]
│
│ The given value is not suitable for module.configure_asc_initiative.var.member_definitions declared at
│ .terraform\modules\configure_asc_initiative\modules\initiative\variables.tf:50,1-30: all list elements must have the same type.

Possible Solution

I compared the output of module.configure_asc["export_asc_alerts_and_recommendations_to_log_analytics"].definition with data.azurerm_policy_definition.deploy_ama_on_linux_vms and can see that there are differences, which most probably cause the error.

Failure Information (for bugs)

Steps to Reproduce

  1. Create definitions.tf
  2. Create initiatives.tf
  3. Configure data.tf and backend
  4. Run terraform init and then terraform plan

Failure Logs

Hi @Egoorbis, thanks for raising this.

Please try again with working branch 2.9.1....

member_definitions should be of type any
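The following is an added illustration of the type-unification problem behind the error and of the `any` fix the maintainer refers to; it is constructed for this issue and is not the gettek module's own `variables.tf`. The child module path, variable and output names, and the attribute sets of the two sample objects are assumptions chosen for the demo (a real module output and a real `azurerm_policy_definition` data source differ in their exact attributes, which is what matters). The caveat a practitioner wants is also shown: `type = any` drops Terraform's static element-type check, so the module should validate the attributes it actually reads.

```hcl
############################################################
# child/variables.tf  (constructed demo module, not the project's own)
############################################################
# list(any) asks Terraform to unify every element into ONE element type.
# An object produced by a module output and an object produced by a data
# source carry different attribute sets, so unification fails at plan time:
#   "all list elements must have the same type"
#
# variable "member_definitions" {
#   type = list(any)
# }

# type = any accepts the value as a tuple whose elements may differ in shape.
# Because that gives up static type checking, validate the attribute the
# module consumes (here: id) instead of trusting the caller.
variable "member_definitions" {
  type        = any
  description = "Policy definition objects: custom module outputs or built-in data sources."

  validation {
    condition     = alltrue([for d in var.member_definitions : can(d.id)])
    error_message = "Every member definition must expose an `id` attribute."
  }
}

############################################################
# child/outputs.tf  (constructed)
############################################################
# Only the attribute common to both shapes is read downstream.
output "member_ids" {
  value = [for d in var.member_definitions : d.id]
}

############################################################
# main.tf  (root module, constructed)
############################################################
locals {
  # Stands in for module.configure_asc[...].definition; attribute set is illustrative.
  custom_definition = {
    id           = "/providers/Microsoft.Management/managementGroups/org/providers/Microsoft.Authorization/policyDefinitions/auto_enroll_subscriptions"
    name         = "auto_enroll_subscriptions"
    display_name = "Auto Enroll Subscriptions"
    parameters   = "{}"
  }

  # Stands in for data.azurerm_policy_definition.<name>; the GUID is a placeholder.
  builtin_definition = {
    id          = "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000"
    name        = "00000000-0000-0000-0000-000000000000"
    policy_type = "BuiltIn"
    mode        = "Indexed"
  }
}

# With type = any this plans cleanly; with the commented-out list(any)
# declaration it reproduces the "all list elements must have the same type" error.
module "initiative_members" {
  source             = "./child"
  member_definitions = [local.custom_definition, local.builtin_definition]
}

output "member_ids" {
  value = module.initiative_members.member_ids
}
```

Run `terraform init && terraform plan` in the root directory; swapping the `variable` declaration for the commented `list(any)` form is enough to trigger the original error, which confirms the failure is a type-constraint issue rather than a problem with the policy objects themselves.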