gettek / terraform-azurerm-policy-as-code

Terraform modules that simplify the workflow of custom and built-in Azure Policies

Home Page: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-as-code

Using default effects and default parameters causes configuration change each time.

pmatthews05 opened this issue · comments

  • Terraform Version: Terraform v1.3.5 on windows_amd64

I have the following file; for the purpose of the issue, I am creating 2 assignments based on the same Azure policy definition. The only difference is that the first one I'm expecting to use the default effect and default parameters. In the second assignment I am defining the effect.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=3.23.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

data "azurerm_subscription" "current" {}

data "azurerm_management_group" "management_group" {
  display_name = "beispm5-es"
}

data "azurerm_policy_definition" "key_vault_disable_public_network_access" {
  display_name = "Azure Key Vault should disable public network access"
}

/* Uses default effect and parameters */
module "key_vault_disable_public_network_access_assignment" {
  source                      = "..//modules/def_assignment"
  assignment_name             = "kv_message"
  definition                  = data.azurerm_policy_definition.key_vault_disable_public_network_access
  assignment_scope            = data.azurerm_management_group.management_group.id
  assignment_enforcement_mode = true
  /* assignment_effect = "Deny" */
}

/* Assignment effect is entered */
module "key_vault_disable_public_network_access_assignment_no_message" {
  source                      = "..//modules/def_assignment"
  assignment_name             = "kv_nomessage"
  definition                  = data.azurerm_policy_definition.key_vault_disable_public_network_access
  assignment_scope            = data.azurerm_management_group.management_group.id
  assignment_enforcement_mode = true
  assignment_effect           = "Deny"
}

I have run terraform apply once.

Expected Behavior

When I run 'terraform apply' the second time without any changes made, I expect to see no configuration changes required.

Current Behavior

However, it thinks it needs to add parameters = "null" each time it runs on the first assignment.

Possible Solution

Line 7 of def_assignment.tf

resource "azurerm_management_group_policy_assignment" "def" {
  count                = local.assignment_scope.mg
  name                 = local.assignment_name
  display_name         = local.display_name
  description          = local.description
  metadata             = local.metadata
  parameters           = local.parameters == "null" ? "" : local.parameters // <- This is line 7
  # ... remaining arguments of the resource block unchanged
}

I believe you would need to do that for all the assignments, resources, resource groups, etc. Unless there is a way of doing this on local.parameters.

Steps to Reproduce

Run the above code.
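As an added illustration (not code from the gettek module and not from the issue author) of handling this once in the local rather than in every resource, the following shows why a JSON-encoded null produces a perpetual diff and a normalisation that avoids it. The variable names assignment_parameters and assignment_effect, the local names, and the placeholder IDs are assumptions; the module's own names may differ.

```hcl
# Added example; variable/local names and IDs are assumptions, not the module's.

variable "assignment_parameters" {
  description = "Policy parameter values; leave empty to use the definition defaults"
  type        = map(any)
  default     = {}
}

variable "assignment_effect" {
  description = "Optional effect override; null keeps the definition's default effect"
  type        = string
  default     = null
}

locals {
  # Fold the optional effect override into the parameter map only when it is set.
  merged_parameters = merge(
    var.assignment_parameters,
    var.assignment_effect == null ? {} : { effect = { value = var.assignment_effect } }
  )

  # Weak form: jsonencode(null) returns the string "null". The provider then sends
  # a non-empty value that Azure does not store back, so every plan shows a change.
  parameters_weak = jsonencode(length(local.merged_parameters) > 0 ? local.merged_parameters : null)

  # Corrected form: emit a real null when nothing is set, so the argument is omitted
  # and state matches what Azure returns. Doing this here once covers every scope
  # (management group, subscription, resource group, resource) without repeating
  # the check in each resource block.
  parameters = length(local.merged_parameters) > 0 ? jsonencode(local.merged_parameters) : null
}

resource "azurerm_management_group_policy_assignment" "def" {
  name                 = "kv_message"
  management_group_id  = "/providers/Microsoft.Management/managementGroups/PLACEHOLDER-MG"
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/PLACEHOLDER-DEFINITION-ID"
  enforce              = true
  parameters           = local.parameters
}
```

With both variables left at their defaults, local.parameters is null and the second apply reports no changes; with assignment_effect = "Deny" it becomes {"effect":{"value":"Deny"}}.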