gettek / terraform-azurerm-policy-as-code

Terraform modules that simplify the workflow of custom and built-in Azure Policies

Home Page: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-as-code


Role Definitions are not assigned to System Managed Identities

ashkuren opened this issue · comments


Prerequisites

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Context

  • Module Version: 2.7.0
  • Terraform Version: 1.3.7
  • AzureRM Provider Version: 3.37.0

Expected Behavior

Policy Assignment has a Managed Identity and Permissions assigned.

Current Behavior

Policy Assignment has a Managed Identity that does not have any permissions.

Possible Root Cause

role_definition_ids = var.skip_role_assignment == false && local.identity_type == { type = "SystemAssigned" } ? try(coalescelist(var.role_definition_ids, lookup(jsondecode(var.definition.policy_rule).then.details, "roleDefinitionIds", [])), []) : []

local.identity_type == { type = "SystemAssigned" } always evaluates to false and therefore local.role_definition_ids is always an empty list.

Possibly related: hashicorp/terraform#27643

Possible Solution

role_definition_ids = var.skip_role_assignment == false && local.identity_type.type == "SystemAssigned" ? try(coalescelist(var.role_definition_ids, lookup(jsondecode(var.definition.policy_rule).then.details, "roleDefinitionIds", [])), []) : []

Steps to Reproduce

Create any policy assignment with definition that contains roleDefinitionIds.
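The following is an added illustration of the comparison problem described in the issue; it is not the module's code, and the way it constructs identity_type (a conditional whose two branches have different object shapes) is an assumption chosen to reproduce the symptom, not the module's actual definition. Terraform's == operator compares types before contents, so once identity_type has been unified to a map(string) by that conditional, comparing it to the object literal { type = "SystemAssigned" } is false even though the contents look identical, and the role assignments silently disappear. Comparing the single attribute instead does not depend on the container type, which is the shape of the fix proposed above. The role definition ID in the variable default is a placeholder, not a real Azure role.

```hcl
# Added example, not part of gettek/terraform-azurerm-policy-as-code.
# Demonstrates why `local.identity_type == { type = "SystemAssigned" }`
# can be false for a value that "looks" equal, and why comparing the
# attribute is the robust form.

variable "skip_role_assignment" {
  type    = bool
  default = false
}

variable "role_definition_ids" {
  type = list(string)
  # Constructed placeholder, not a real role definition ID.
  default = ["/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000"]
}

locals {
  # ASSUMPTION for this demo: identity_type comes from a conditional whose
  # branches have different object shapes. Terraform cannot unify
  # object({ type = string }) with object({}) as an object, so it unifies
  # both branches to map(string). The value is therefore a map, not an object.
  identity_type = length(var.role_definition_ids) > 0 ? { type = "SystemAssigned" } : {}

  # Fragile: map(string) and an object literal are different types, and
  # Terraform's == yields false for values of different types regardless of
  # their contents. This is the pattern that made role_definition_ids empty.
  whole_value_match = local.identity_type == { type = "SystemAssigned" }

  # Robust: look up the attribute (works for both map and object values) and
  # compare the string. This is the shape of the fix proposed in the issue.
  attribute_match = lookup(local.identity_type, "type", null) == "SystemAssigned"

  # Mirrors the module's gating logic with the robust comparison.
  role_definition_ids = !var.skip_role_assignment && local.attribute_match ? var.role_definition_ids : []
}

output "whole_value_match" {
  value = local.whole_value_match
}

output "attribute_match" {
  value = local.attribute_match
}

output "role_definition_ids" {
  value = local.role_definition_ids
}
```

Put the block in an empty directory and run terraform init followed by terraform plan (or inspect the locals in terraform console): whole_value_match is the comparison that silently gates the role assignments off, attribute_match is the form that keeps them. The security-relevant consequence of the original bug is worth checking for explicitly after any upgrade of this module: a policy assignment whose definition carries roleDefinitionIds but whose system-assigned identity has no role assignments will deploy cleanly and then fail every deployIfNotExists or modify remediation, so confirm the identity's role assignments in the portal or with az role assignment list rather than trusting a green apply.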

Thank you for raising, overlooked this in my tests...

Should be fixed in working branch 2.7.1, could you kindly retry and report back. Thanks

Works as expected now. Thank you for quick fix.