gettek / terraform-azurerm-policy-as-code

Terraform modules that simplify the workflow of custom and built-in Azure Policies

Home Page: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-as-code


Add policy to existing Initiative error with parameters

judiethel opened this issue · comments

Hello

Prerequisites

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Thank you for this module. Not sure if I have discovered an issue. Maybe you can have a look at this as well.

My problem is the following:

If I run the below code, the initiative is created successfully and everything is good.

When I change the order and first deploy the first two policies and then the third in another run, I run into an error:

Error: updating Policy Set Definition "Initiative-ManagementGroup-Root-intg": policy.SetDefinitionsClient#CreateOrUpdateAtManagementGroup: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidPolicySetParameterUpdate" Message="The policy contains new parameter(s) 'logAnalytics_B79fa14e238a4c2dB376442ce508fc84' which are not present in the existing policy and have no default value. New parameters may be added to a policy only if they have a default value."
with module.configure_cpm_mgmt_root_initiative.azurerm_policy_set_definition.set
on .terraform/modules/configure_cpm_mgmt_root_initiative/modules/initiative/main.tf line 1, in resource "azurerm_policy_set_definition" "set":
resource "azurerm_policy_set_definition" "set" {

locals {
  # Member policies keyed by display name; only BuiltIn entries are looked up below.
  initiative_management_group_root = {
    "Configure Azure Defender for DNS to be enabled" = {
      type : "BuiltIn"
    },
    "Configure Azure Defender for Key Vaults to be enabled" = {
      type : "BuiltIn"
    },
    "Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace" = {
      type : "BuiltIn"
    },
  }
}

data "azurerm_policy_definition_built_in" "cpm_mgmt_root_policies_built_in" {
  for_each     = { for k, v in local.initiative_management_group_root : k => v if v.type == "BuiltIn" }
  display_name = each.key
}

module "configure_cpm_mgmt_root_initiative" {
  source                  = "gettek/policy-as-code/azurerm//modules/initiative"
  version                 = "2.8.3"
  initiative_name         = "Initiative-ManagementGroup-Root-${var.environment_shortcut}"
  initiative_display_name = "[CPM]: Initiative-ManagementGroup-Root-${var.environment_shortcut}"
  initiative_description  = "Deploys and configures Azure Security Center settings and defines exports"
  initiative_category     = "CPM"
  management_group_id     = data.azurerm_management_group.cmp_management_test.id
  merge_effects           = false
  merge_parameters        = false

  # Built-in definitions from the data source plus custom definitions from the policy module.
  member_definitions = concat(
    [for builtin_policy in data.azurerm_policy_definition_built_in.cpm_mgmt_root_policies_built_in : builtin_policy],
    [for custom_policy in module.configure_cpm_mgmt_root_policies : custom_policy.definition]
  )
}

It would be nice if you can help. For us, it is important to add/remove policies from Initiatives.

Kind Regards

Hi @judiethel,

Please ensure all of your definition parameters have a defaultValue, as the error suggests: New parameters may be added to a policy only if they have a default value. See #50 for more information.

In addition I would suggest suffixing your initiative_name with a version, for example v1 and incrementing this each time you add/remove member_definitions to force a recreation.

Hope this helps
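The rule the error message states (a new initiative parameter may only be added to an existing set definition if it has a defaultValue) can be checked locally before `terraform apply`. The script below is an added example and is not code from the gettek module or from this thread: `SAMPLE_MEMBERS` is constructed sample data shaped like the `parameters` JSON string of the `azurerm_policy_definition_built_in` data source, and the `<param>_<hash>` suffixing in `suffixed_name()` is an assumption standing in for the module's own non-merged parameter naming.

```python
"""Pre-flight check for in-place updates of an Azure Policy initiative
(policy set definition).

Azure rejects an in-place update of an existing set definition when the
update introduces initiative-level parameters that carry no defaultValue
(error code InvalidPolicySetParameterUpdate); a brand-new set definition
may declare such parameters freely. This script models that rule so the
failure is caught before `terraform apply`.

Added example, not part of the gettek module. SAMPLE_MEMBERS is constructed
sample data shaped like the `parameters` attribute (a JSON string) of the
azurerm_policy_definition_built_in data source; the suffix scheme in
suffixed_name() is an assumption standing in for the module's own naming.
"""
import hashlib
import json

# Constructed sample data: definition display name -> parameters JSON string.
SAMPLE_MEMBERS = {
    "Configure Azure Defender for DNS to be enabled": json.dumps({
        "effect": {"type": "String", "defaultValue": "DeployIfNotExists",
                   "allowedValues": ["DeployIfNotExists", "Disabled"]},
    }),
    "Configure Azure Defender for Key Vaults to be enabled": json.dumps({
        "effect": {"type": "String", "defaultValue": "DeployIfNotExists",
                   "allowedValues": ["DeployIfNotExists", "Disabled"]},
    }),
    "Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace": json.dumps({
        "effect": {"type": "String", "defaultValue": "DeployIfNotExists",
                   "allowedValues": ["DeployIfNotExists", "Disabled"]},
        # Workspace ID has no defaultValue: this is the parameter that blocks the update.
        "logAnalytics": {"type": "String",
                         "metadata": {"strongType": "omsWorkspace"}},
        "profileName": {"type": "String", "defaultValue": "setByPolicy"},
    }),
}


def suffixed_name(param_name, definition_name):
    """Initiative-level name for a member parameter when parameters are not
    merged: <param>_<hash>. Hash input and algorithm are an assumption; the
    point is only that each member's parameters get distinct names."""
    digest = hashlib.sha256(definition_name.encode("utf-8")).hexdigest()[:32]
    return f"{param_name}_{digest}"


def build_initiative_parameters(members):
    """Expand member definitions into the initiative's parameter table
    (merge_parameters = false behaviour: every member parameter is kept,
    suffixed so that same-named parameters such as `effect` do not collide)."""
    table = {}
    for definition_name, params_json in members.items():
        for name, spec in json.loads(params_json).items():
            table[suffixed_name(name, definition_name)] = spec
    return table


def check_update(existing, proposed):
    """Return the initiative parameters that would make Azure reject the
    update: present in `proposed`, absent from `existing`, and lacking a
    defaultValue. `existing is None` means the set definition does not
    exist yet, in which case any parameter set is accepted."""
    if existing is None:
        return []
    return sorted(
        name for name, spec in proposed.items()
        if name not in existing and "defaultValue" not in spec
    )


def plan_action(existing_name, proposed_name, existing, proposed):
    """Decide what `terraform apply` would end up doing for the initiative."""
    if existing is None or existing_name != proposed_name:
        return "create"   # new name => new resource, the update constraint does not apply
    if check_update(existing, proposed):
        return "blocked"  # Azure answers InvalidPolicySetParameterUpdate
    return "update"


if __name__ == "__main__":
    names = list(SAMPLE_MEMBERS)
    first_run = build_initiative_parameters({k: SAMPLE_MEMBERS[k] for k in names[:2]})
    second_run = build_initiative_parameters(SAMPLE_MEMBERS)
    for bad in check_update(first_run, second_run):
        print(f"new parameter without defaultValue: {bad}")
    print("same name: ", plan_action("Initiative-Root-v1", "Initiative-Root-v1", first_run, second_run))
    print("bumped name:", plan_action("Initiative-Root-v1", "Initiative-Root-v2", first_run, second_run))
```

To run this against real definitions, replace the constructed strings with the `parameters` field of `az policy definition show` (or the `parameters` attribute of the data source in a `terraform console` session) and the existing table with the parameters of the deployed set definition. The `plan_action` outcome for a renamed initiative is why the version-suffix advice works: a new name is a create, not an update, so the no-default rule is never evaluated.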

Hello @gettek,

thank you for your response, I will try to add a prefix to my initiative_name.

I know that the error suggests putting in a default value, but when I use BuiltIn policies I cannot edit the policy definition. Or is there another way to set the parameters?

Regards

You could in theory use the definition module to create a custom version of the built-in one, but that kind of defeats the purpose and introduces some management overhead, hence why I'd recommend just suffixing the initiative_name, which is much easier.

I've not tested the below but could be something along these lines...

locals {
  initiative_management_group_root = {
    "Configure Azure Defender for DNS to be enabled" = {
      type : "BuiltIn"
    },
    "Configure Azure Defender for Key Vaults to be enabled" = {
      type : "BuiltIn"
    },
    "Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace" = {
      type : "BuiltIn"
    },
    }
}

data "azurerm_policy_definition_built_in" "cpm_mgmt_root_policies_built_in" {
  for_each     = { for k, v in local.initiative_management_group_root : k => v if v.type == "BuiltIn" }
  display_name = each.key
}

module "parameterised_test" {
  # One custom definition per built-in; the data source map is already keyed by display name.
  for_each            = data.azurerm_policy_definition_built_in.cpm_mgmt_root_policies_built_in
  source              = "gettek/policy-as-code/azurerm//modules/definition"
  policy_name         = "custom-${each.value.name}" # built-in name is a GUID, so this stays unique per member
  display_name        = "[Custom] ${each.key}"
  policy_description  = "Custom Description"
  policy_category     = "Custom Category"
  policy_version      = "Custom Version"
  management_group_id = data.azurerm_management_group.org.id

  # The data source exports metadata, policy_rule and parameters as JSON strings,
  # so decode them before handing them to the module.
  policy_metadata   = jsondecode(each.value.metadata)
  policy_rule       = jsondecode(each.value.policy_rule)
  # Start from jsondecode(each.value.parameters) and give every parameter a
  # defaultValue; the concrete values are left as a placeholder here.
  policy_parameters = { /* my custom params here */ }
}

You may need to wrap some values in jsonencode()/jsondecode()

Thank you for your help. I solved my issue according to your tips.