Using default effects and default parameters causes configuration change each time.
pmatthews05 opened this issue
- Terraform Version: Terraform v1.3.5 on windows_amd64
I have the following file; for the purpose of the issue, I am creating 2 assignments based on the same Azure policy definition. The only difference is that for the first one I'm expecting it to use the default effect and default parameters. In the second assignment I am defining the effect.
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=3.23.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

data "azurerm_management_group" "management_group" {
  display_name = "beispm5-es"
}

# Built-in definition looked up by its display name
data "azurerm_policy_definition" "key_vault_disable_public_network_access" {
  display_name = "Azure Key Vault should disable public network access"
}

/* Uses default effect and parameters */
module "key_vault_disable_public_network_access_assignment" {
  source                      = "..//modules/def_assignment"
  assignment_name             = "kv_message"
  definition                  = data.azurerm_policy_definition.key_vault_disable_public_network_access
  assignment_scope            = data.azurerm_management_group.management_group.id
  assignment_enforcement_mode = true
  /* assignment_effect = "Deny" */
}

/* Assignment effect is entered */
module "key_vault_disable_public_network_access_assignment_no_message" {
  source                      = "..//modules/def_assignment"
  assignment_name             = "kv_nomessage"
  definition                  = data.azurerm_policy_definition.key_vault_disable_public_network_access
  assignment_scope            = data.azurerm_management_group.management_group.id
  assignment_enforcement_mode = true
  assignment_effect           = "Deny"
}
```
I have run `terraform apply` once.
Expected Behavior
When I run `terraform apply` the second time without any changes made, I expect to see no configuration changes required.
Current Behavior
However, it thinks it needs to add `parameters = "null"` each time it runs on the first assignment.
Possible Solution
Line 7 of def_assignment.tf:

```hcl
resource "azurerm_management_group_policy_assignment" "def" {
  count        = local.assignment_scope.mg
  name         = local.assignment_name
  display_name = local.display_name
  description  = local.description
  metadata     = local.metadata
  # Treat the literal string "null" as "no parameters" instead of sending it to Azure
  parameters   = local.parameters == "null" ? "" : local.parameters // <- This is line 7
  # remaining arguments of the resource are not shown in the issue
}
```
I believe you would need to do that for all the assignments, resources, resource groups etc. Unless there is a way of doing this on local.parameters.
Steps to Reproduce
Run the above code.
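The "Possible Solution" above patches the symptom in each resource. As an added example (this is not the module's own code nor the reporter's), the normalisation can instead be done once in `locals`, which is the "way of doing this on local.parameters" the report asks about. It assumes the module builds `local.parameters` with `jsonencode()` from a null-defaulted input variable (hypothetical name `assignment_parameters`); since `jsonencode(null)` returns the four-character string `"null"`, that is exactly what would be stored and replanned on every run. The other input names (`assignment_effect`, `assignment_scope`, `definition`, `assignment_enforcement_mode`) are the ones used in the issue's module calls; `azurerm_management_group_policy_assignment` and its `management_group_id`, `policy_definition_id`, `enforce` and `parameters` arguments are the real provider schema.

```hcl
# Added example, not the def_assignment module's own code.
# Assumption: the module takes an optional parameter map and an optional effect
# and turns them into the JSON string the azurerm provider expects.

variable "assignment_parameters" {
  description = "Policy parameter values keyed by parameter name; null means use the definition defaults."
  type        = map(any)
  default     = null
}

variable "assignment_effect" {
  description = "Optional override of the policy's effect parameter; null means keep the definition default."
  type        = string
  default     = null
}

# Inputs that appear in the issue's module calls
variable "assignment_name" { type = string }
variable "assignment_scope" { type = string }
variable "assignment_enforcement_mode" { type = bool }
variable "definition" { type = any } # the azurerm_policy_definition data source object

locals {
  # Fold the optional effect into the parameter map. Both inputs null -> {}.
  merged_parameters = merge(
    var.assignment_parameters == null ? {} : var.assignment_parameters,
    var.assignment_effect == null ? {} : { effect = var.assignment_effect },
  )

  # Normalise once: nothing supplied -> null (argument omitted, so nothing to
  # drift); otherwise the {"name": {"value": ...}} shape Azure Policy expects.
  # This never produces the literal string "null" that jsonencode(null) gives.
  parameters = length(local.merged_parameters) == 0 ? null : jsonencode({
    for name, value in local.merged_parameters : name => { value = value }
  })
}

resource "azurerm_management_group_policy_assignment" "def" {
  name                 = var.assignment_name
  management_group_id  = var.assignment_scope
  policy_definition_id = var.definition.id
  enforce              = var.assignment_enforcement_mode
  # No per-resource special-casing needed: null means "not set" to the provider.
  parameters = local.parameters
}
```

With this in place the first module call (no effect, no parameters) sends no `parameters` argument at all, while the second sends `{"effect":{"value":"Deny"}}`. To confirm the drift is gone, run `terraform plan -detailed-exitcode` after the initial apply: exit code 0 means no pending changes, 2 means the plan still wants to modify something.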