gettek / terraform-azurerm-policy-as-code

Terraform modules that simplify the workflow of custom and built-in Azure Policies

Home Page:https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-as-code

Set Assignment - Display Name and Description Variables are ignored

birdnathan opened this issue · comments

Issue Template

Prerequisites

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Context

The assignment_display_name and assignment_description parameters are ignored and always default to " "

  • Module Version: 2.7.2
  • Terraform Version: 1.4.2
  • AzureRM Provider Version: 3.49.0

data "azurerm_role_definition" "log_analytics_contributor" {
  name = "Log Analytics Contributor"
}

data "azurerm_role_definition" "monitoring_contributor" {
  name = "Monitoring Contributor"
}

module "diagnostics_assignment" {
  source     = "gettek/policy-as-code/azurerm//modules/set_assignment"
  initiative = module.diagnostics_initiative

  assignment_scope        = "/subscriptions/GUID"
  assignment_effect       = "DeployIfNotExists"
  assignment_display_name = "DIAGNOSTICS - Deploy Diagnostic Settings to Azure Services"
  assignment_description  = "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included"
  assignment_parameters = {
    "logAnalytics" = "/subscriptions/GUID/resourceGroups/RG-NAME/providers/Microsoft.OperationalInsights/workspaces/ala01"
  }

  role_definition_ids = [
    "/subscriptions/GUID${data.azurerm_role_definition.log_analytics_contributor.role_definition_id}",
    "/subscriptions/GUID${data.azurerm_role_definition.monitoring_contributor.role_definition_id}"
  ]

  depends_on = [
    module.diagnostics_initiative
  ]
}

Expected Behavior

These values should be honoured

Current Behavior

Defaults to ""

Failure Information (for bugs)

The coalesce logic in https://github.com/gettek/terraform-azurerm-policy-as-code/blob/2.7.2/modules/set_assignment/variables.tf doesn't seem to work; it always defaults to "".

Hi @birdnathan, thanks for raising this. It appears the default values in those variables may need to be removed for the coalesce to work correctly, although it does seem to be working at my end; will test and fix in the next release.

@birdnathan please give working branch 2.7.3 a try

@gettek Nearly. Only works if I remove var.initiative.display_name and var.initiative.description from lines 145 and 146 in variables.tf - https://github.com/gettek/terraform-azurerm-policy-as-code/blob/2.7.3/modules/set_assignment/variables.tf

display_name = try(coalesce(var.assignment_display_name), "")
description = try(coalesce(var.assignment_description), "")

I did try to update the variables in this file in the branch too, but it still doesn't work - https://github.com/gettek/terraform-azurerm-policy-as-code/blob/2.7.3/modules/initiative/variables.tf

@birdnathan, I can't seem to replicate this issue; the plan from this commit gives the desired result:

Can you confirm your current setup please?

@gettek

module "diagnostics_policies" {
  for_each        = fileset("./Policies/Diagnostics", "*")
  source          = "gettek/policy-as-code/azurerm//modules/definition"
  policy_name     = trimsuffix(each.value, ".json")
  policy_category = "Diagnostics"
}

module "diagnostics_initiative" {
  source                  = "gettek/policy-as-code/azurerm//modules/initiative"
  initiative_name         = "XXX-Deploy-Diagnostics-LogAnalytics"
  initiative_display_name = "[XXX] Deploy Diagnostic Settings to Azure Services"
  initiative_description  = "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included "
  initiative_category     = "Diagnostics"
  member_definitions = [
    for pol in module.diagnostics_policies :
    pol.definition
  ]

  depends_on = [
    module.diagnostics_policies
  ]
}

data "azurerm_role_definition" "log_analytics_contributor" {
  name = "Log Analytics Contributor"
}

data "azurerm_role_definition" "monitoring_contributor" {
  name = "Monitoring Contributor"
}

module "diagnostics_assignment" {
  //source = "gettek/policy-as-code/azurerm//modules/set_assignment"
  source     = "./modules/set_assignment" //points to copy of 2.7.3
  initiative = module.diagnostics_initiative

  assignment_scope        = "/subscriptions/GUID"
  assignment_effect       = "DeployIfNotExists"
  assignment_display_name = "DIAGNOSTICS - Deploy Diagnostic Settings to Azure Services"
  assignment_description  = "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included"
  assignment_parameters = {
    "logAnalytics" = "/subscriptions/GUID/resourceGroups/RG-NAME/providers/Microsoft.OperationalInsights/workspaces/LA-NAME"
  }

  role_definition_ids = [
    "/subscriptions/GUID${data.azurerm_role_definition.log_analytics_contributor.role_definition_id}",
    "/subscriptions/GUID${data.azurerm_role_definition.monitoring_contributor.role_definition_id}"
  ]

  depends_on = [
    module.diagnostics_initiative
  ]
}

@birdnathan, it appears you were missing the .initiative attribute: initiative = module.diagnostics_initiative.initiative

data "azurerm_subscription" "current" {}

module "diagnostics_assignment" {
  source     = "../..//modules/set_assignment" //points to copy of 2.7.3
  initiative = module.diagnostics_initiative.initiative

  assignment_scope        = data.azurerm_subscription.current.id
  assignment_effect       = "DeployIfNotExists"
  assignment_display_name = "DIAGNOSTICS - Deploy Diagnostic Settings to Azure Services"
  assignment_description  = "This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included"
  skip_remediation        = true
  skip_role_assignment    = true

  assignment_parameters = {
    logAnalytics = "${data.azurerm_subscription.current.id}/resourceGroups/RG-NAME/providers/Microsoft.OperationalInsights/workspaces/LA-NAME"
  }

  role_definition_ids = [
    "${data.azurerm_subscription.current.id}${data.azurerm_role_definition.log_analytics_contributor.role_definition_id}",
    "${data.azurerm_subscription.current.id}${data.azurerm_role_definition.monitoring_contributor.role_definition_id}"
  ]

  depends_on = [
    module.diagnostics_initiative
  ]
}

Also, when creating definitions or initiatives beneath Management Groups, i.e. at Subscription scope, you may need to skip both remediation & role assignment on the initial apply to prevent an "Invalid for_each argument" error.

There are of course workarounds to this, such as adding a data source for the current subscription directly in the module or having the scope as an input, but they are unlikely to be implemented anytime soon as most workflows use MGs.

Hope this helps
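Why passing the whole module object made both names silently collapse to "" is worth spelling out, because the same pattern can hide other misconfigurations in policy-as-code. The following is an added illustration, not the module's own code: it reconstructs the `try(coalesce(...), "")` shape from the lines quoted above and uses a stand-in `local.module_object` in place of `module.diagnostics_initiative`.

```hcl
# Added example (not part of this repository). It shows the Terraform
# semantics behind the bug: try() returns the first argument that evaluates
# without error, so when ONE argument inside coalesce() errors, the whole
# coalesce() errors and try() falls through to "" even though the display
# name was set.

variable "assignment_display_name" {
  type    = string
  default = "DIAGNOSTICS - Deploy Diagnostic Settings to Azure Services"
}

locals {
  # Stand-in for `module.diagnostics_initiative` (an assumption): the module
  # object exposes an `initiative` output, but has no top-level display_name.
  module_object = {
    initiative = {
      display_name = "[XXX] Deploy Diagnostic Settings to Azure Services"
      description  = "Constructed description for the example"
    }
  }

  # Wrong input (the reporter's first configuration): `.display_name` does not
  # exist on the module object, so the expression errors and try() yields "".
  display_name_wrong = try(
    coalesce(var.assignment_display_name, local.module_object.display_name),
  "")

  # Correct input (the fix in the thread): pass the `.initiative` attribute,
  # both arguments evaluate, and coalesce() returns the explicit assignment name.
  display_name_right = try(
    coalesce(var.assignment_display_name, local.module_object.initiative.display_name),
  "")
}

# Defensive alternative (my suggestion, not the module's variables.tf):
# constrain the input type so that a wrong object fails at `terraform plan`
# instead of degrading quietly to "". Extra attributes on the passed object
# are discarded; missing required attributes are a hard error.
variable "initiative" {
  type = object({
    display_name = string
    description  = string
  })
}

output "display_name_wrong" { value = local.display_name_wrong } # ""
output "display_name_right" { value = local.display_name_right } # the DIAGNOSTICS name
```

`terraform console` with these locals shows the same contrast; the practical takeaway is that `try()` wrapping a `coalesce()` is a fail-open default, so a typed `initiative` variable (or checking the plan output for empty names) is what actually surfaces the mistake.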

Thanks @gettek - good spot. All working as expected.