gettek / terraform-azurerm-policy-as-code

Terraform modules that simplify the workflow of custom and built-in Azure Policies

Home Page:https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-as-code

Additional policy metadata not saved

timwebster9 opened this issue · comments

Issue Template

Prerequisites

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Context

  • Module Version: 2.6.0
  • Terraform Version: 1.2.3
  • AzureRM Provider Version: 3.10.0
    "metadata": {
      "version": "1.0.0",
      "category": "Batch",
      "propertyA": "A",
      "propertyB": "B"
    },

Expected Behavior

Anything included in the 'metadata' object should be saved to the policy definition

Current Behavior

Any additional metadata besides 'version' and 'category' won't be saved in the policy definition. In the above snippet, 'propertyA' and 'propertyB' won't be saved.

Possible Solution

I think the problem lies here:

metadata = coalesce(var.policy_metadata, merge({ category = local.category },{ version = local.version }), try((local.policy_object).properties.metadata))

local.category and local.version will always be populated due to the logic on lines 91 and 92. Since they will be populated, the coalesce function on line 100 will always return the 2nd argument, which is the merge of category and version. The 3rd argument (the metadata in the policy file itself) will never get used. This is assuming you don't provide a var.policy_metadata variable.

Also, I tried putting all the metadata into the var.policy_metadata variable instead, but then got an error about not all objects being the same type in the coalesce function, I guess because category and version are strings and policy_metadata is an object.

Failure Information (for bugs)

Steps to Reproduce

  1. Write a policy definition with additional metadata
  2. Deploy it using the 'definitions' module
  3. Observe that only the 'category' and 'version' fields of the metadata are present in the policy definition when viewed in the Azure portal.

Thanks @timwebster9, the fallback will be moved to its correct position within coalesce() in the next release.

Thanks @gettek. If we need to supply custom metadata, what approach do you recommend?

  1. put the entire metadata object in the policy .json file
  2. put the entire metadata object in var.policy_metadata
  3. populate var.policy_category and var.policy_version, and the custom metadata in the .json file or var.policy_metadata?

I'd put common ones in the definition.json; anything you pass into var.policy_metadata will intentionally override these at runtime after this fix, as well as var.assignment_metadata if the attributes need to be different at assignment, or omit it to use the same.
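The coalesce() short-circuit described in the issue body, next to the layered override order recommended above, as an added HCL example that is not the module's own code. The variable names mirror the issue; the policy JSON is a constructed stand-in and the fallback defaults for category and version are assumptions.

```hcl
variable "policy_metadata" {
  type    = any
  default = null
}
variable "policy_category" {
  type    = string
  default = null
}
variable "policy_version" {
  type    = string
  default = null
}

locals {
  # Constructed stand-in for the decoded definition .json file from the issue.
  policy_object = jsondecode(<<-JSON
    { "properties": { "metadata": {
        "version": "1.0.0", "category": "Batch",
        "propertyA": "A", "propertyB": "B" } } }
  JSON
  )

  # As in the issue: these always resolve to a non-null string, so any
  # coalesce() that lists them before the file metadata never reaches it.
  category = coalesce(var.policy_category, try(local.policy_object.properties.metadata.category, "General"))
  version  = coalesce(var.policy_version, try(local.policy_object.properties.metadata.version, "1.0.0"))

  # Ordering from the issue: argument 2 is never null, so argument 3 (the
  # file's own metadata) is unreachable and propertyA/propertyB are dropped.
  metadata_buggy = coalesce(var.policy_metadata, merge({ category = local.category }, { version = local.version }), try(local.policy_object.properties.metadata, null))

  # Layered merge instead: file metadata first, then category/version, then any
  # keys in var.policy_metadata win. merge() also sidesteps the "all arguments
  # must have the same type" error coalesce() raises when objects differ.
  metadata_layered = merge(
    try(local.policy_object.properties.metadata, {}),
    { category = local.category, version = local.version },
    var.policy_metadata == null ? {} : var.policy_metadata,
  )
}

output "metadata_buggy"   { value = local.metadata_buggy }
output "metadata_layered" { value = local.metadata_layered }
```

Run `terraform plan` with and without `-var 'policy_metadata={propertyA="override"}'` to compare which keys each output keeps.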