gettek / terraform-azurerm-policy-as-code

Terraform modules that simplify the workflow of custom and built-in Azure Policies

Home Page:https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-as-code


When setting merge_effects = false definition effect parameter issue?

mezzofix opened this issue · comments

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Context

Using the initiative module to create initiative with built-in policy definitions

  • Module Version: latest
  • Terraform Version: v1.3.1
  • AzureRM Provider Version: >=3.34.0

data "azurerm_policy_definition" "configure_azure_cache_for_redis_to_use_private_dns_zones" {
  display_name = "Configure Azure Cache for Redis to use private DNS zones"
}

data "azurerm_policy_definition" "configure_azure_key_vaults_to_use_private_dns_zones" {
  display_name = "[Preview]: Configure Azure Key Vaults to use private DNS zones"
}

data "azurerm_policy_definition" "configure_container_registries_to_use_private_dns_zones" {
  display_name = "Configure Container registries to use private DNS zones"
}


module "configure_private_dns_zones_for_private_endpoints" {
  source                  = "../modules/initiative"
  initiative_name         = "TF Configure Azure PaaS services to use private DNS zones"
  initiative_display_name = "[Network]: TF Configure Azure PaaS services to use private DNS zones"
  initiative_description  = "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones"
  initiative_category     = "Network"
  merge_effects           = false
  merge_parameters        = false

  member_definitions = [
    data.azurerm_policy_definition.configure_azure_cache_for_redis_to_use_private_dns_zones,
    data.azurerm_policy_definition.configure_azure_key_vaults_to_use_private_dns_zones,
    data.azurerm_policy_definition.configure_container_registries_to_use_private_dns_zones
  ]
}

Expected Behavior

merge_effects = false and merge_parameters = false because I'd like to have the ability to set the effect per policy definition rather than once for all; merge parameters is disabled as each policy definition needs to link to a private DNS zone that matches the given Azure service. Following the logic from the documentation, "When setting merge_effects = false each definition effect parameter will be suffixed with its respective policy definition reference Id e.g. 'effect_AutoEnrollSubscriptions'", I would assume the same would happen with the above code.

Current Behavior

However, looks like what is being used instead is the definition ID GUID:

Possible Solution

Steps to Reproduce

  1. Run the above code?

Hi, built-in definitions use a GUID as the policyName property which is formatted and used by the initiative module as the definitionReference to suffix each parameterName as seen here. I can only suggest that creating local library copies of these definitions can overcome this as using the displayName property for the suffix is unlikely to be implemented.

Btw, you only need to specify one of either merge_effects or merge_parameters, no need for both, as the latter will include effects.

Yes, you are right, I've listed the policies with az policy definition list and can see name reflecting a GUID. Just to make sure that I understand correctly, you're suggesting to basically create a custom policy definition out of a built-in one, store it in the policies directory, replace the name property with a descriptive name like configure_azure_cache_for_redis_to_use_private_dns_zones, and deploy it with the definition module?


If that is correct, can I use the exported json definition AS-IS by just replacing the name property?

{
    "description": "Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone.",
    "displayName": "Configure Azure Cache for Redis to use private DNS zones",
    "id": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2",
    "metadata": {
      "category": "Cache",
      "version": "1.0.0"
    },
    "mode": "Indexed",
    "name": "e016b22b-e0eb-436d-8fd7-160c4eaed6e2",
    "parameters": {
      "effect": {
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists",
        "metadata": {
          "additionalProperties": null,
          "assignPermissions": null,
          "description": "Enable or disable the execution of the policy",
          "displayName": "Effect",
          "strongType": null
        },
        "type": "String"
      },
      "privateDnsZoneId": {
        "allowedValues": null,
        "defaultValue": null,
        "metadata": {
          "additionalProperties": null,
          "assignPermissions": null,
          "description": "The resource id of the private DNS zone",
          "displayName": "Private DNS Zone Id",
          "strongType": "Microsoft.Network/privateDnsZones"
        },
        "type": "String"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "equals": "Microsoft.Network/privateEndpoints",
            "field": "type"
          },
          {
            "count": {
              "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]",
              "where": {
                "equals": "redisCache",
                "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]"
              }
            },
            "greaterOrEquals": 1
          }
        ]
      },
      "then": {
        "details": {
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                },
                "privateDnsZoneId": {
                  "value": "[parameters('privateDnsZoneId')]"
                },
                "privateEndpointName": {
                  "value": "[field('name')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "location": {
                    "type": "string"
                  },
                  "privateDnsZoneId": {
                    "type": "string"
                  },
                  "privateEndpointName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "apiVersion": "2020-03-01",
                    "location": "[parameters('location')]",
                    "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]",
                    "properties": {
                      "privateDnsZoneConfigs": [
                        {
                          "name": "privatelink-redis-cache-windows-net",
                          "properties": {
                            "privateDnsZoneId": "[parameters('privateDnsZoneId')]"
                          }
                        }
                      ]
                    },
                    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups"
                  }
                ]
              }
            }
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups"
        },
        "effect": "[parameters('effect')]"
      }
    },
    "policyType": "BuiltIn",
    "systemData": null,
    "type": "Microsoft.Authorization/policyDefinitions"
  }

EDIT:
Unfortunately, the above did not work:

Looks like it is unable to locate the JSON object for policy parameters and policy rule, but both are present as seen in the above policy snippet. Could you please give me a hand to solve this? Appreciate all suggestions!

EDIT2:

Providing the path for policy rule and parameters:

terraform apply


Thank you !

Appears properties is missing from the original definition JSON; it's what most of the code is encapsulated in. It may be easier to refer to the definition via this GitHub link, and safer to clone this repo and copy the files directly into your local library.

Hope this helps!

Please retry without explicitly specifying policy_rule and policy_parameters and the module should pick it up given var.category reflects the correct folder.

@gettek Thank you so much, it worked with your suggestions! I really appreciate all your support, great work with this project!!!

This issue is stale because it has been open for 30 days with no activity.

This issue was closed because it has been inactive for 14 days since being marked as stale.

@mezzofix : alternatively, you could also just replace d.name in this line by d.display_name - this will have the desired effect on the parameter names.
However, this will cause problems in case you have different policies with the same display_name in your initiative. You'll have to judge yourself whether that is likely - I have decided it is not very likely for my environment... But the solution proposed by @gettek is certainly cleaner.
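An added example, not code from the module or from anyone in this thread, that models two points raised above in Python: how an exported built-in definition is re-shaped into a local library copy with its body under `properties` and a descriptive `name` (the layout gettek describes), and how, with merge_parameters = false, every member parameter is suffixed with a reference derived from the definition name, so a GUID name yields a GUID suffix and reusing display names as names can collide, as the last comment warns. The `reference_id` formatting and the library file layout are assumptions, and `EXPORTED` is a constructed, trimmed stand-in for `az policy definition show` output.

```python
import re

# Constructed stand-in for an `az policy definition show` export (trimmed): as in the
# issue's snippet, parameters and policyRule sit at the top level with no 'properties'.
EXPORTED = {
    "displayName": "Configure Azure Cache for Redis to use private DNS zones",
    "metadata": {"category": "Cache", "version": "1.0.0"},
    "mode": "Indexed",
    "name": "e016b22b-e0eb-436d-8fd7-160c4eaed6e2",
    "parameters": {"effect": {"type": "String"}, "privateDnsZoneId": {"type": "String"}},
    "policyRule": {"if": {"field": "type", "equals": "Microsoft.Network/privateEndpoints"},
                   "then": {"effect": "[parameters('effect')]"}},
    "policyType": "BuiltIn",
    "systemData": None,
}

BODY_KEYS = ("displayName", "description", "metadata", "mode", "parameters", "policyRule")


def to_library_copy(exported, new_name):
    """Wrap an exported definition body under 'properties' (assumed library layout) and
    give it a descriptive name; refuse exports that lack parameters or policyRule."""
    body = {k: exported[k] for k in BODY_KEYS if k in exported}
    if "parameters" not in body or "policyRule" not in body:
        raise ValueError("export lacks parameters/policyRule; nothing to wrap")
    body["policyType"] = "Custom"  # id/systemData/BuiltIn markers are dropped
    return {"name": new_name,
            "type": "Microsoft.Authorization/policyDefinitions",
            "properties": body}


def reference_id(name):
    """Suffix derived from a definition name: keep only [A-Za-z0-9] (assumed formatting)."""
    return re.sub(r"[^A-Za-z0-9]", "", name)


def initiative_parameters(definitions):
    """With merge_parameters = false every member parameter becomes '<param>_<reference>';
    returns the mapping plus any suffixed names that collide across members."""
    params, collisions = {}, []
    for d in definitions:
        ref = reference_id(d["name"])
        for p in d["properties"]["parameters"]:
            key = f"{p}_{ref}"
            if key in params:
                collisions.append(key)
            params[key] = {"definition": d["name"], "parameter": p}
    return params, collisions
```

Running `initiative_parameters` over a copy that keeps the GUID name reproduces the `effect_<guid>` naming from the issue, while a copy renamed to the descriptive name gives the readable suffix; feeding two copies with the same name shows the collision case.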