'managed identity' Issue with initiatives
madhurshukla23 opened this issue · comments
Madhur Shukla commented
Issue Template
```hcl
data "azurerm_policy_set_definition" "vm_monitoring" {
  display_name = "Legacy - Enable Azure Monitor for VMs"
}

module "org_mg_vm_monitoring" {
  source                 = "../../azure-tfmodule/azure-policy-tfmodule/modules/set_assignment"
  initiative             = data.azurerm_policy_set_definition.vm_monitoring
  assignment_scope       = data.azurerm_management_group.org.id
  re_evaluate_compliance = false
  skip_remediation       = false
  skip_role_assignment   = false
  assignment_parameters = {
    logAnalytics_1 = "/subscriptions/${var.resources.logs.law_subscription_id}/resourceGroups/${var.resources.logs.resource_group_name}/providers/Microsoft.OperationalInsights/workspaces/${var.resources.logs.log_analytics_workspace}",
  }
}
```
Prerequisites
- I am running the latest version
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
Context
- Module Version:
- Terraform Version:
- AzureRM Provider Version:
Expected Behavior
Current Behavior
Possible Solution
Failure Information (for bugs)
```text
│ Error: creating Scoped Policy Assignment (Scope: "/providers/Microsoft.Management/managementGroups/968a4da8-609a-4c94-bf6e-35a85b64f927"
│ Policy Assignment Name: "55f3eceb-5573-4f18-9695-"): policyassignments.PolicyAssignmentsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="ResourceIdentityRequired" Message="The policy assignment '55f3eceb-5573-4f18-9695-' request is invalid. Policy assignments must include a 'managed identity' when assigning 'DeployIfNotExists' policy definitions. Please see https://aka.ms/azurepolicyremediation for usage information."
│
│ with module.org_mg_vm_monitoring.azurerm_management_group_policy_assignment.set[0],
│ on ..\..\azure-tfmodule\azure-policy-tfmodule\modules\set_assignment\main.tf line 1, in resource "azurerm_management_group_policy_assignment" "set":
│ 1: resource "azurerm_management_group_policy_assignment" "set" {
│
│ creating Scoped Policy Assignment (Scope: "/providers/Microsoft.Management/managementGroups/968a4da8-609a-4c94-bf6e-35a85b64f927"
│ Policy Assignment Name: "55f3eceb-5573-4f18-9695-"): policyassignments.PolicyAssignmentsClient#Create: Failure responding to
│ request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="ResourceIdentityRequired"
│ Message="The policy assignment '55f3eceb-5573-4f18-9695-' request is invalid. Policy assignments must include a 'managed identity'
│ when assigning 'DeployIfNotExists' policy definitions. Please see https://aka.ms/azurepolicyremediation for usage information."
```
Steps to Reproduce
Failure Logs
Sadik Tekin commented
Hi @madhurshukla23,
When assigning built-in initiatives you must explicitly specify role_definition_ids as shown here
In your case:
```hcl
data "azurerm_role_definition" "log_analytics_contributor" {
  name = "Log Analytics Contributor"
}

data "azurerm_policy_set_definition" "vm_monitoring" {
  display_name = "Legacy - Enable Azure Monitor for VMs"
}

module "org_mg_vm_monitoring" {
  source                 = "../../azure-tfmodule/azure-policy-tfmodule/modules/set_assignment"
  initiative             = data.azurerm_policy_set_definition.vm_monitoring
  assignment_scope       = data.azurerm_management_group.org.id
  re_evaluate_compliance = false
  skip_remediation       = false
  skip_role_assignment   = false
  role_definition_ids = [
    data.azurerm_role_definition.log_analytics_contributor.id
  ]
  assignment_parameters = {
    logAnalytics_1 = "/subscriptions/${var.resources.logs.law_subscription_id}/resourceGroups/${var.resources.logs.resource_group_name}/providers/Microsoft.OperationalInsights/workspaces/${var.resources.logs.log_analytics_workspace}",
  }
}
```
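The error above is raised because the initiative contains `DeployIfNotExists` definitions, and those can only run with an assignment identity that holds the roles the definitions declare. As an added example (not part of this issue or of the module), the check below reads member definition documents in the shape returned by `az policy definition show`, resolves a parameterised `effect`, and reports whether an identity is needed and which role definition IDs to hand to `role_definition_ids`; the definitions and role GUIDs are constructed samples.

```python
# Effects that deploy or modify resources and therefore require an
# assignment identity with the roles the definition declares.
IDENTITY_EFFECTS = {"deployifnotexists", "modify"}


def resolve_effect(policy_rule, assignment_params, default_values):
    """Return the effective then.effect in lower case. A parameterised effect
    such as "[parameters('effect')]" is resolved from the assignment
    parameters, falling back to the definition's declared defaultValue."""
    effect = policy_rule["then"]["effect"]
    prefix, suffix = "[parameters('", "')]"
    if effect.startswith(prefix) and effect.endswith(suffix):
        name = effect[len(prefix):-len(suffix)]
        effect = assignment_params.get(name, default_values.get(name, ""))
    return str(effect).lower()


def identity_requirements(definitions, assignment_params=None):
    """Return (needs_identity, sorted role definition IDs) for the given
    policy definition documents under the given assignment parameters."""
    assignment_params = assignment_params or {}
    needs_identity, role_ids = False, set()
    for definition in definitions:
        props = definition["properties"]
        defaults = {k: v.get("defaultValue")
                    for k, v in props.get("parameters", {}).items()}
        rule = props["policyRule"]
        if resolve_effect(rule, assignment_params, defaults) in IDENTITY_EFFECTS:
            needs_identity = True
            role_ids.update(rule["then"].get("details", {}).get("roleDefinitionIds", []))
    return needs_identity, sorted(role_ids)


# Constructed sample: one audit-only definition with a parameterised effect,
# one DeployIfNotExists definition declaring a placeholder role GUID.
SAMPLE_ROLE = "/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000001"
SAMPLE_DEFINITIONS = [
    {"properties": {
        "parameters": {"effect": {"type": "String", "defaultValue": "Audit"}},
        "policyRule": {"if": {}, "then": {"effect": "[parameters('effect')]"}}}},
    {"properties": {
        "parameters": {"effect": {"type": "String", "defaultValue": "DeployIfNotExists"}},
        "policyRule": {"if": {}, "then": {"effect": "[parameters('effect')]",
                                          "details": {"roleDefinitionIds": [SAMPLE_ROLE]}}}}},
]
```

Passing `{"effect": "Disabled"}` as assignment parameters shows the other side of the check: a disabled deploy definition needs no identity and no roles.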
Madhur Shukla commented
thanks a lot, this solved my issue