Add policy to existing Initiative error with parameters
judiethel opened this issue · comments
Hello
Prerequisites
- I am running the latest version
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
Thank you for this module. Not sure if I have discovered an issue. Maybe you can have a look at this as well.
My problem is the following:
If I run the below code, the initiative is created successfully and everything is good.
When I change the order and first deploy the first two policies and then the third in another run, I run into an error:
```
Error: updating Policy Set Definition "Initiative-ManagementGroup-Root-intg": policy.SetDefinitionsClient#CreateOrUpdateAtManagementGroup: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidPolicySetParameterUpdate" Message="The policy contains new parameter(s) 'logAnalytics_B79fa14e238a4c2dB376442ce508fc84' which are not present in the existing policy and have no default value. New parameters may be added to a policy only if they have a default value."

  with module.configure_cpm_mgmt_root_initiative.azurerm_policy_set_definition.set
  on .terraform/modules/configure_cpm_mgmt_root_initiative/modules/initiative/main.tf line 1, in resource "azurerm_policy_set_definition" "set":
     resource "azurerm_policy_set_definition" "set" {
```
```hcl
locals {
  initiative_management_group_root = {
    "Configure Azure Defender for DNS to be enabled" = {
      type : "BuiltIn"
    },
    "Configure Azure Defender for Key Vaults to be enabled" = {
      type : "BuiltIn"
    },
    "Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace" = {
      type : "BuiltIn"
    },
  }
}

data "azurerm_policy_definition_built_in" "cpm_mgmt_root_policies_built_in" {
  for_each     = { for k, v in local.initiative_management_group_root : k => v if v.type == "BuiltIn" }
  display_name = each.key
}

module "configure_cpm_mgmt_root_initiative" {
  source  = "gettek/policy-as-code/azurerm//modules/initiative"
  version = "2.8.3"

  initiative_name         = "Initiative-ManagementGroup-Root-${var.environment_shortcut}"
  initiative_display_name = "[CPM]: Initiative-ManagementGroup-Root-${var.environment_shortcut}"
  initiative_description  = "Deploys and configures Azure Security Center settings and defines exports"
  initiative_category     = "CPM"
  management_group_id     = data.azurerm_management_group.cmp_management_test.id
  merge_effects           = false
  merge_parameters        = false

  member_definitions = concat(
    [for builtin_policy in data.azurerm_policy_definition_built_in.cpm_mgmt_root_policies_built_in : builtin_policy],
    [for custom_policy in module.configure_cpm_mgmt_root_policies : custom_policy.definition]
  )
}
```
It would be nice if you could help. For us, it is important to add/remove policies from Initiatives.
Kind Regards
Hi @judiethel,
Please ensure all of your definition parameters have a `defaultValue`, as the error suggests: "New parameters may be added to a policy only if they have a default value". See #50 for more information.

In addition I would suggest suffixing your `initiative_name` with a version, for example `v1`, and incrementing this each time you add/remove `member_definitions` to force a recreation.
Hope this helps
Hello @gettek,
thank you for your response, I will try to add a prefix to my `initiative_name`.

I know that the error suggests putting a default value, but when I use BuiltIn policies I cannot edit the policy definition. Or is there another way to set the parameters?
Regards
You could in theory use the `definition` module to create a custom version of the built-in one, but that kind of defeats the purpose and introduces some management overhead, hence why I'd recommend just suffixing the `initiative_name`, much easier.

I've not tested the below, but it could be something along these lines...
```hcl
locals {
  initiative_management_group_root = {
    "Configure Azure Defender for DNS to be enabled" = {
      type : "BuiltIn"
    },
    "Configure Azure Defender for Key Vaults to be enabled" = {
      type : "BuiltIn"
    },
    "Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace" = {
      type : "BuiltIn"
    },
  }
}

data "azurerm_policy_definition_built_in" "cpm_mgmt_root_policies_built_in" {
  for_each     = { for k, v in local.initiative_management_group_root : k => v if v.type == "BuiltIn" }
  display_name = each.key
}

# One custom definition per built-in, copying its rule and metadata so that
# the parameters can be redeclared with a defaultValue.
module "parameterised_test" {
  for_each = { for k, v in data.azurerm_policy_definition_built_in.cpm_mgmt_root_policies_built_in : k => v }
  source   = "gettek/policy-as-code/azurerm//modules/definition"

  # with for_each these must be unique per instance, e.g. derived from each.key
  policy_name         = "Custom Name"
  display_name        = "Custom Display Name"
  policy_description  = "Custom Description"
  policy_category     = "Custom Category"
  policy_version      = "Custom Version"
  management_group_id = data.azurerm_management_group.org.id

  # the data source exposes metadata and policy_rule as JSON strings, hence jsondecode()
  policy_metadata   = jsondecode(each.value.metadata)
  policy_rule       = jsondecode(each.value.policy_rule)
  policy_parameters = {} # my custom params here, each with a defaultValue
}
```
You may need to wrap some values in `jsonencode()`/`jsondecode()`.
Thank you for your help. I solved my issue according to your tips.
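The condition behind the error above, as an added example that is not part of this thread or of the gettek/policy-as-code module: a Python pre-flight check that compares the `parameters` block of the existing policy set definition with the proposed one and reports new parameters that lack a `defaultValue` (the ones Azure rejects with `InvalidPolicySetParameterUpdate`), then suggests the versioned `initiative_name` from the advice above when an in-place update is impossible. The two parameter sets are constructed sample data, and treating a missing `defaultValue` key as "no default" is an assumption.

```python
"""Pre-flight check for Azure policy set (initiative) parameter updates.

Azure refuses an in-place update of a policy set definition when the new
version introduces parameters without a defaultValue. This compares the
existing and proposed 'parameters' blocks before terraform apply so the
change can be planned: add defaults, or recreate the set under a new
versioned name. Sample definitions below are constructed.
"""
from typing import Dict, List

Params = Dict[str, dict]


def new_params_without_default(existing: Params, proposed: Params) -> List[str]:
    """Names of parameters in `proposed` but not in `existing` that carry no
    defaultValue (assumption: an absent key means no default)."""
    return sorted(
        name for name, spec in proposed.items()
        if name not in existing and "defaultValue" not in spec
    )


def update_plan(existing: Params, proposed: Params, base_name: str, version: int) -> dict:
    """Decide whether the set can be updated in place; if not, bump the
    version suffix so Terraform creates a fresh resource."""
    blocking = new_params_without_default(existing, proposed)
    if not blocking:
        return {"in_place": True, "name": f"{base_name}-v{version}", "blocking": []}
    return {"in_place": False, "name": f"{base_name}-v{version + 1}", "blocking": blocking}


# Constructed sample: parameters after the first run (two Defender policies) ...
EXISTING: Params = {
    "effect_defenderDns": {"type": "String", "defaultValue": "DeployIfNotExists"},
    "effect_defenderKv": {"type": "String", "defaultValue": "DeployIfNotExists"},
}
# ... and the second run adding the SQL diagnostics policy, whose workspace
# parameter has no default while its effect parameter does.
PROPOSED: Params = {
    **EXISTING,
    "logAnalytics_B79fa14e238a4c2dB376442ce508fc84": {"type": "String"},
    "effect_sqlDiag": {"type": "String", "defaultValue": "DeployIfNotExists"},
}

if __name__ == "__main__":
    print(update_plan(EXISTING, PROPOSED, "Initiative-ManagementGroup-Root-intg", 1))
```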