gettek / terraform-azurerm-policy-as-code

Terraform modules that simplify the workflow of custom and built-in Azure Policies

Home Page: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-as-code


Role Assignment behavior with User Assigned Managed Identity

ashkuren opened this issue

Hi @gettek ,

I would like to know if the behavior below is intended with regards to the variable skip_role_assignment.
When we specify identity_ids (User Assigned Managed Identity), Role Assignments are never made.

locals {
  # identity type follows from whether the policy needs roles and whether identity_ids was given
  identity_type = length(try(coalescelist(var.role_definition_ids, lookup(jsondecode(var.definition.policy_rule).then.details, "roleDefinitionIds", [])), [])) > 0 ? length(var.identity_ids) > 0 ? { type = "UserAssigned" } : { type = "SystemAssigned" } : {}
  # try to use policy definition roles if explicit roles are omitted
  role_definition_ids = var.skip_role_assignment == false && try(values(local.identity_type)[0], "") == "SystemAssigned" ? try(coalescelist(var.role_definition_ids, lookup(jsondecode(var.definition.policy_rule).then.details, "roleDefinitionIds", [])), []) : []
}

In this piece of code, local.role_definition_ids is always [] as local.identity_type == UserAssigned.

Should the Role Assignments be independent of Identity Type used?

Hi, yes this is intentional as mentioned in the ReadMe here. User Managed Identities will likely have their role assignments configured independently hence shifting this responsibility away from the module.
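An added example, not code from the module or from this thread: constructed stand-ins for the inputs named above, the same decision the module's locals make, and the role assignment the caller then owns for the user-assigned identity. The identity name, resource group, scope and the Contributor role are assumptions chosen for illustration.

```hcl
# Constructed stand-ins for the module inputs discussed in the issue.
locals {
  scope = "/subscriptions/00000000-0000-0000-0000-000000000000" # placeholder assignment scope
  # A policyRule whose deployIfNotExists/modify details declare the role it needs
  # (built-in Contributor here; use the narrowest role the rule actually requires).
  policy_rule = { then = { details = { roleDefinitionIds = [
    "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
  ] } } }
  identity_ids         = [azurerm_user_assigned_identity.policy.id]
  skip_role_assignment = false

  # Same decision the module makes: roles come from the rule, identity type from identity_ids.
  rule_roles    = lookup(local.policy_rule.then.details, "roleDefinitionIds", [])
  identity_type = length(local.rule_roles) > 0 ? (length(local.identity_ids) > 0 ? "UserAssigned" : "SystemAssigned") : ""
  # Empty unless the identity is SystemAssigned, so with identity_ids set the module assigns nothing.
  module_role_definition_ids = local.skip_role_assignment == false && local.identity_type == "SystemAssigned" ? local.rule_roles : []
}

resource "azurerm_user_assigned_identity" "policy" {
  name                = "id-policy-remediation" # assumed name
  location            = "westeurope"
  resource_group_name = "rg-policy"             # assumed resource group
}

# Because the module skips role assignment for UserAssigned, grant exactly the roles
# the policy rule declares, at the assignment scope, to the user-assigned identity.
resource "azurerm_role_assignment" "policy_remediation" {
  for_each = toset(local.rule_roles)
  scope    = local.scope
  # The rule carries the tenant-level role definition ID; prefix the scope to get the scoped form.
  role_definition_id = "${local.scope}${each.value}"
  principal_id       = azurerm_user_assigned_identity.policy.principal_id
}

output "module_role_definition_ids" {
  description = "What the module's local.role_definition_ids resolves to for these inputs"
  value       = local.module_role_definition_ids
}
```

The role assignment should be created before the policy assignment so remediation tasks do not fail on a missing permission.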

This issue is stale because it has been open for 30 days with no activity.

This issue was closed because it has been inactive for 14 days since being marked as stale.