gettek / terraform-azurerm-policy-as-code

Terraform modules that simplify the workflow of custom and built-in Azure Policies

Home Page: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-as-code

Definition creation fails

mezzofix opened this issue · comments

  • Module Version:
  • Terraform Version: 3.3.1
  • AzureRM Provider Version: 3.34.0
│ Error: Error in function call
│
│   on ..\modules\definition\variables.tf line 107, in locals:
│  107:   parameters = coalesce(var.policy_parameters, try((local.policy_object).properties.parameters, null))
│     ├────────────────
│     │ while calling coalesce(vals...)
│     │ local.policy_object is object with 5 attributes
│     │ var.policy_parameters is "../policies/Network/deny_private_dns_zones.json"
│
│ Call to function "coalesce" failed: all arguments must have the same type.

Expected Behavior

Definition gets created.

Current Behavior

Terraform deployment fails with the above code.

Link to the private DNS policy from Azure Enterprise Scale that I'm trying to deploy: https://raw.githubusercontent.com/Azure/Enterprise-Scale/main/src/resources/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones.json

The definition.tf I'm using:

module "deny_nic_public_ip" {
  source            = "../modules/definition"
  policy_name       = "deny-private-dns-zones"
  display_name      = "Deny the creation of private DNS"
  policy_category   = "Network"
  file_path         = "../policies/Network/deny_private_dns_zones.json"
  policy_parameters = "../policies/Network/deny_private_dns_zones.json"
  policy_rule       = "../policies/Network/deny_private_dns_zones.json"
}

I've tested the same with one of the included policies in the repo, and got the same results.

Any advice please? Thank you.

No need to add explicit Params or Rule references if they exist in the same file:

module "deny_nic_public_ip" {
  source            = "../modules/definition"
  policy_name       = "deny_private_dns_zones"
  display_name      = "Deny the creation of private DNS"
  policy_category   = "Network"
}

The module should pick those up automatically.

Figured it out to make it work:
(screenshot not captured on this page)

Nice find on the effect syntax. var.policy_name only reflects whatever the filename is called, which can also be in the form of Deny-Private-DNS-Zones. The module will attempt to locate the file at different directories based on this logic.

This is not a recommendation, but the actual "name" property in the JSON object can be removed, as the module also populates this from var.policy_name if missing. See here.
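As an added example (not code from the module, from the reporter or from the maintainer), the following Python sketch mirrors the behaviour the two maintainer replies describe: the definition's parameters and policyRule are taken from the decoded JSON file located via policy_category and policy_name, and "name" is back-filled from policy_name when the JSON omits it. It also reproduces the failure in the report: a Terraform-style coalesce() that receives a file path string next to a decoded object rejects the mismatch, whereas passing nothing (or an already-decoded object) works. The file lookup order, the function names and the sample policy JSON are assumptions made for this illustration.

```python
"""Added example, not code from gettek/terraform-azurerm-policy-as-code.

Mirrors the behaviour described in the thread: decode the policy file,
take parameters and policyRule from its "properties", back-fill "name"
from policy_name, and fail the way coalesce() does when a path string is
mixed with an object. Lookup order, names and the sample are assumptions.
"""
import json
import tempfile
from pathlib import Path

# Constructed sample in the Azure policyDefinition JSON shape. The "name"
# property is deliberately left out to show it being back-filled.
SAMPLE_POLICY = {
    "properties": {
        "displayName": "Deny the creation of private DNS",
        "mode": "All",
        "parameters": {
            "effect": {
                "type": "String",
                "allowedValues": ["Audit", "Deny", "Disabled"],
                "defaultValue": "Deny",
            }
        },
        "policyRule": {
            "if": {"field": "type", "equals": "Microsoft.Network/privateDnsZones"},
            "then": {"effect": "[parameters('effect')]"},
        },
    }
}


def coalesce(*vals):
    """Terraform-style coalesce(): first value that is not null/"" wins, but
    every non-null argument must share one type or the call fails."""
    present = [v for v in vals if v is not None and v != ""]
    if not present:
        return None
    kinds = {"object" if isinstance(v, dict) else type(v).__name__ for v in present}
    if len(kinds) > 1:
        raise TypeError('Call to function "coalesce" failed: all arguments must '
                        f"have the same type (got {sorted(kinds)})")
    return present[0]


def locate_policy_file(root: Path, category: str, policy_name: str) -> Path:
    """Assumed lookup: <root>/<category>/<name>.json, trying the name as given
    and with '-' and '_' swapped, so deny-private-dns-zones also finds
    deny_private_dns_zones.json."""
    candidates = [policy_name, policy_name.replace("-", "_"), policy_name.replace("_", "-")]
    for name in dict.fromkeys(candidates):  # keep order, drop duplicates
        path = root / category / f"{name}.json"
        if path.is_file():
            return path
    raise FileNotFoundError(f"no policy file for {policy_name!r} under {root / category}")


def resolve_definition(policy_object: dict, policy_name: str,
                       policy_parameters=None, policy_rule=None) -> dict:
    """Resolve the fields a definition resource needs. Explicit overrides must
    already be decoded objects (same type as the file's), never file paths."""
    props = policy_object.get("properties", {})
    return {
        "name": coalesce(policy_object.get("name"), policy_name),
        "display_name": props.get("displayName"),
        "parameters": coalesce(policy_parameters, props.get("parameters")),
        "policy_rule": coalesce(policy_rule, props.get("policyRule")),
    }


def write_sample_tree() -> Path:
    """Write the constructed policy to <tmp>/Network/deny_private_dns_zones.json."""
    root = Path(tempfile.mkdtemp())
    target = root / "Network" / "deny_private_dns_zones.json"
    target.parent.mkdir()
    target.write_text(json.dumps(SAMPLE_POLICY))
    return root


def demo() -> dict:
    root = write_sample_tree()
    path = locate_policy_file(root, "Network", "deny-private-dns-zones")
    policy_object = json.loads(path.read_text())

    # Wrong (the reported config): a path string where an object is expected.
    try:
        resolve_definition(policy_object, "deny-private-dns-zones",
                           policy_parameters=str(path))
        broken = None
    except TypeError as exc:
        broken = str(exc)

    # Right: let the file supply parameters and rule ...
    from_file = resolve_definition(policy_object, "deny-private-dns-zones")
    # ... or override with a decoded object of the same type.
    override = {"effect": {"type": "String", "defaultValue": "Audit"}}
    overridden = resolve_definition(policy_object, "deny-private-dns-zones",
                                    policy_parameters=override)
    return {"error": broken, "from_file": from_file, "overridden": overridden}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The practical takeaway matches the maintainer's fix: leave policy_parameters and policy_rule unset when the JSON file carries them, and if you do override, hand the module a decoded object rather than a path.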