Set Assignment - Display Name and Description Variables are ignored
birdnathan opened this issue
Issue Template
Prerequisites
- I am running the latest version
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
Context
The assignment_display_name and assignment_description parameters are ignored and always default to ""
- Module Version: 2.7.2
- Terraform Version: 1.4.2
- AzureRM Provider Version: 3.49.0
data "azurerm_role_definition" "log_analytics_contributor" {
  name = "Log Analytics Contributor"
}

data "azurerm_role_definition" "monitoring_contributor" {
  name = "Monitoring Contributor"
}

module "diagnostics_assignment" {
  source                  = "gettek/policy-as-code/azurerm//modules/set_assignment"
  initiative              = module.diagnostics_initiative
  assignment_scope        = "/subscriptions/GUID"
  assignment_effect       = "DeployIfNotExists"
  assignment_display_name = "DIAGNOSTICS - Deploy Diagnostic Settings to Azure Services"
  assignment_description  = "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included"
  assignment_parameters = {
    "logAnalytics" = "/subscriptions/GUID/resourceGroups/RG-NAME/providers/Microsoft.OperationalInsights/workspaces/ala01"
  }
  role_definition_ids = [
    "/subscriptions/GUID${data.azurerm_role_definition.log_analytics_contributor.role_definition_id}",
    "/subscriptions/GUID${data.azurerm_role_definition.monitoring_contributor.role_definition_id}"
  ]
  depends_on = [
    module.diagnostics_initiative
  ]
}
Expected Behavior
These values should be honoured
Current Behavior
Defaults to ""
Failure Information (for bugs)
The coalesce logic in https://github.com/gettek/terraform-azurerm-policy-as-code/blob/2.7.2/modules/set_assignment/variables.tf doesn't seem to work; it always defaults to "".
Hi @birdnathan, thanks for raising this. It appears the default values in those variables may need to be removed for the coalesce to work correctly, although it does seem to be working at my end; will test and fix in the next release.
@birdnathan please give working branch 2.7.3 a try
@gettek Nearly. Only works if I remove var.initiative.display_name and var.initiative.description from lines 145 and 146 in variables.tf - https://github.com/gettek/terraform-azurerm-policy-as-code/blob/2.7.3/modules/set_assignment/variables.tf
display_name = try(coalesce(var.assignment_display_name), "")
description = try(coalesce(var.assignment_description), "")
I did try to update the variables in this file in the branch too, but it still doesn't work - https://github.com/gettek/terraform-azurerm-policy-as-code/blob/2.7.3/modules/initiative/variables.tf
@birdnathan, I can't seem to replicate this issue, the plan from this commit gives the desired result:
Can you confirm your current setup please?
module "diagnostics_policies" {
  for_each        = fileset("./Policies/Diagnostics", "*")
  source          = "gettek/policy-as-code/azurerm//modules/definition"
  policy_name     = trimsuffix(each.value, ".json")
  policy_category = "Diagnostics"
}

module "diagnostics_initiative" {
  source                  = "gettek/policy-as-code/azurerm//modules/initiative"
  initiative_name         = "XXX-Deploy-Diagnostics-LogAnalytics"
  initiative_display_name = "[XXX] Deploy Diagnostic Settings to Azure Services"
  initiative_description  = "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included "
  initiative_category     = "Diagnostics"
  member_definitions = [
    for pol in module.diagnostics_policies :
    pol.definition
  ]
  depends_on = [
    module.diagnostics_policies
  ]
}

data "azurerm_role_definition" "log_analytics_contributor" {
  name = "Log Analytics Contributor"
}

data "azurerm_role_definition" "monitoring_contributor" {
  name = "Monitoring Contributor"
}

module "diagnostics_assignment" {
  //source = "gettek/policy-as-code/azurerm//modules/set_assignment"
  source                  = "./modules/set_assignment" //points to copy of 2.7.3
  initiative              = module.diagnostics_initiative
  assignment_scope        = "/subscriptions/GUID"
  assignment_effect       = "DeployIfNotExists"
  assignment_display_name = "DIAGNOSTICS - Deploy Diagnostic Settings to Azure Services"
  assignment_description  = "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included"
  assignment_parameters = {
    "logAnalytics" = "/subscriptions/GUID/resourceGroups/RG-NAME/providers/Microsoft.OperationalInsights/workspaces/LA-NAME"
  }
  role_definition_ids = [
    "/subscriptions/GUID${data.azurerm_role_definition.log_analytics_contributor.role_definition_id}",
    "/subscriptions/GUID${data.azurerm_role_definition.monitoring_contributor.role_definition_id}"
  ]
  depends_on = [
    module.diagnostics_initiative
  ]
}
@birdnathan appears you were missing the attribute .initiative
on initiative = module.diagnostics_initiative.initiative
data "azurerm_subscription" "current" {}

module "diagnostics_assignment" {
  source                  = "../..//modules/set_assignment" //points to copy of 2.7.3
  initiative              = module.diagnostics_initiative.initiative
  assignment_scope        = data.azurerm_subscription.current.id
  assignment_effect       = "DeployIfNotExists"
  assignment_display_name = "DIAGNOSTICS - Deploy Diagnostic Settings to Azure Services"
  assignment_description  = "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included"
  skip_remediation        = true
  skip_role_assignment    = true
  assignment_parameters = {
    logAnalytics = "${data.azurerm_subscription.current.id}/resourceGroups/RG-NAME/providers/Microsoft.OperationalInsights/workspaces/LA-NAME"
  }
  role_definition_ids = [
    "${data.azurerm_subscription.current.id}${data.azurerm_role_definition.log_analytics_contributor.role_definition_id}",
    "${data.azurerm_subscription.current.id}${data.azurerm_role_definition.monitoring_contributor.role_definition_id}"
  ]
  depends_on = [
    module.diagnostics_initiative
  ]
}
Also when creating definitions or initiatives beneath Management Groups, i.e. at Subscription scope, you may need to skip both remediation & role assignment on initial apply to prevent an "Invalid for_each argument" error.
There are of course workarounds to this, such as adding a data source for the current subscription directly in the module or having the scope as an input, but this is unlikely to be implemented anytime soon as most workflows use MGs.
Hope this helps
Thanks @gettek - good spot. All working as expected.
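The root cause in this thread is worth seeing in isolation: passing the whole module object instead of its nested .initiative output made the fallback reference in the module's try(coalesce(...)) expression raise an "Unsupported attribute" error, and try() swallowed that error for the entire expression, returning "" even though assignment_display_name was set. The following is an added example, not code from this thread or from the gettek module. It rebuilds that expression shape from the thread's description (the exact variables.tf line is an assumption), uses only constructed locals and outputs so it runs with terraform init && terraform plan and no provider, and adds a hypothetical stricter variable so the wrong shape fails at plan time instead of silently blanking the display name.

```hcl
# Added example (not the gettek module's code). Reproduces the
# try(coalesce(...)) symptom from the issue with plain locals, no provider.

locals {
  # Constructed stand-in for what a bare `module.diagnostics_initiative`
  # reference yields: an object of all module outputs. Attribute names are
  # hypothetical; only the nesting matters for the demonstration.
  initiative_module_outputs = {
    id = "/placeholder/policySetDefinitions/example-initiative"
    initiative = {
      display_name = "[XXX] Deploy Diagnostic Settings to Azure Services"
      description  = "Initiative-level description used as the fallback"
    }
  }

  assignment_display_name = "DIAGNOSTICS - Deploy Diagnostic Settings to Azure Services"

  # The reporter's shape: the whole outputs object where the nested
  # initiative object was expected.
  wrong_initiative = local.initiative_module_outputs
  # The fix from the thread: the nested `.initiative` attribute.
  correct_initiative = local.initiative_module_outputs.initiative

  # Reconstructed module expression (assumed from the thread, not copied from
  # variables.tf). coalesce() returns the first non-null, non-empty argument,
  # but try() evaluates its whole first argument: the "Unsupported attribute"
  # error from local.wrong_initiative.display_name makes try() fall through
  # to "", discarding the perfectly good assignment_display_name.
  display_name_wrong   = try(coalesce(local.assignment_display_name, local.wrong_initiative.display_name), "")
  display_name_correct = try(coalesce(local.assignment_display_name, local.correct_initiative.display_name), "")

  # Narrower fallback: scope try() to the optional reference only, so a
  # populated assignment_display_name can never be lost to a bad fallback.
  # If both values are empty this errors at plan time instead of yielding "".
  display_name_narrow_try = coalesce(
    local.assignment_display_name,
    try(local.wrong_initiative.display_name, null)
  )
}

# Hypothetical stricter input (not part of the module): reject the wrong
# object shape at plan time instead of relying on try() to paper over it.
variable "initiative" {
  description = "Must be the nested initiative object, i.e. module.<name>.initiative"
  type        = any
  default     = null
  validation {
    condition     = var.initiative == null || can(var.initiative.display_name)
    error_message = "Pass module.<name>.initiative (the nested object), not module.<name>."
  }
}

output "display_name_wrong" {
  value = local.display_name_wrong
}

output "display_name_correct" {
  value = local.display_name_correct
}

output "display_name_narrow_try" {
  value = local.display_name_narrow_try
}
```

Run terraform init && terraform plan in a directory containing only this file: display_name_wrong is an empty string (the symptom from the issue), while display_name_correct and display_name_narrow_try both carry the assignment display name. Re-running with terraform plan -var 'initiative={id="x"}' shows the validation block rejecting the module-outputs shape before any policy assignment would be planned, which is the behaviour you want from infrastructure code: a misconfiguration that surfaces as an error rather than as a silently blank, harder-to-audit assignment name in the portal.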