gettek / terraform-azurerm-policy-as-code

Terraform modules that simplify the workflow of custom and built-in Azure Policies

Home Page: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-as-code


Getting stuck in remediation

Nikhleshk opened this issue · comments

In assignments_org

module "org_mg_Network-Watcher_initiative" {
  source               = "..//modules/set_assignment"
  initiative           = module.Network-Watcher_initiative.initiative
  assignment_scope     = data.azurerm_management_group.org.id
  assignment_effect    = "DeployIfNotExists"
  skip_remediation     = true
  skip_role_assignment = false
  role_definition_ids = [
    data.azurerm_role_definition.Network_Contributor.id
  ]
  assignment_parameters = {
    effect1 = "AuditIfNotExists"
    listOfLocations = [
      "WestEurope",
      "NorthEurope",
      "EastUS"
    ]
  }
}

....................................................
In initiative.tf

module "Network-Watcher_initiative" {
  source                  = "..//modules/initiative"
  initiative_name         = "Network-Watcher_initiative"
  initiative_display_name = "[Network Watcher]: Network-Watcher"
  initiative_description  = "This initiative is used for Network Watcher should be enabled ."
  initiative_category     = "Network-Watcher"
  management_group        = data.azurerm_management_group.org.id
  member_definitions = [
    module.Network-Watcher["Network-Watcher-should-be-enabled"].definition,
    module.Network-Watcher["Deploy-network-watcher-when-VNET-are-created"].definition,
  ]
}

While running terraform plan I get the error below:

 Error: Invalid for_each argument
│
│   on ..\modules\set_assignment\main.tf line 122, in resource "azurerm_management_group_policy_remediation" "rem":
│  122:   for_each                = { for dr in local.definition_reference.mg : basename(dr.reference_id) => dr }
│     ├────────────────
│     │ local.definition_reference.mg will be known only after apply
│
│ The "for_each" value depends on resource attributes that cannot be determined until apply, 
│ so Terraform cannot predict how many instances will be created. To work around this, use   
│ the -target argument to first apply only the resources that the for_each depends on.  

This is fixed in #23

Can you explain what I am doing wrong in my code?

Nothing wrong with your code, but there was a logical issue in the set_assignment module which did not cater for the skip_remediation flag.

Also noticed you have mixed effects here, which could also cause mixed results, but give 2.6.0 a try.
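The plan error above and the maintainer's diagnosis come down to one Terraform rule: a for_each map must have keys that are known at plan time. The snippet below is an added, self-contained reproduction written for this thread; it is not code from terraform-azurerm-policy-as-code and does not claim to be the change made in #23. The terraform_data resources are assumed stand-ins for the real azurerm policy assignment and remediation resources, and the reference_id strings are constructed so that they are unknown until apply, exactly like the module's local.definition_reference.mg.

```hcl
terraform {
  required_version = ">= 1.4" # terraform_data was introduced in 1.4
}

variable "skip_remediation" {
  description = "When true, no remediation task is planned (mirrors the module's flag)"
  type        = bool
  default     = true
}

# Assumed stand-in for azurerm_management_group_policy_assignment.
# terraform_data.id is generated on apply, so anything derived from it is
# unknown during plan, just like the real assignment's id.
resource "terraform_data" "assignment" {
  input = "org_mg_Network-Watcher_initiative"
}

locals {
  # Assumed stand-in for local.definition_reference.mg: one entry per
  # member definition, with a reference_id that depends on the assignment.
  definition_reference = {
    mg = [
      for name in [
        "Network-Watcher-should-be-enabled",
        "Deploy-network-watcher-when-VNET-are-created",
      ] :
      { reference_id = "${terraform_data.assignment.id}/policyDefinitions/${name}" }
    ]
  }
}

# Assumed stand-in for azurerm_management_group_policy_remediation.
# With skip_remediation = true the conditional selects the empty map, so
# Terraform never has to know the computed keys and the plan succeeds.
# With skip_remediation = false the keys come from basename() of an
# unknown string and Terraform raises "Invalid for_each argument".
resource "terraform_data" "rem" {
  for_each = var.skip_remediation ? {} : {
    for dr in local.definition_reference.mg : basename(dr.reference_id) => dr
  }

  input = each.value.reference_id
}
```

Running `terraform plan` with the default reproduces the "skip" case and plans zero `terraform_data.rem` instances; `terraform plan -var skip_remediation=false` reproduces the error quoted in the issue. When remediation is wanted on a fresh management group, the only general workaround remains the one Terraform prints: apply the assignment first with `-target` so its id becomes known, then plan the remediation tasks.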