set_assignment - every apply trigger azurerm_role_assignment.rem_role delete/create
judiethel opened this issue
Issue Template
Prerequisites
- I am running the latest version
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
Context
- Module Version: 2.8.3
- Terraform Version: v1.6.3
module "configure_policy_data_assigment_to_sub" {
  for_each = toset(var.policy_data.assignment.scope_sub_ids)
  source   = "gettek/policy-as-code/azurerm//modules/set_assignment"
  version  = "2.8.3"

  initiative                  = module.configure_policy_data_initiative
  assignment_scope            = data.azurerm_subscription.initiative_assign_to_sub[each.key].id
  assignment_location         = var.policy_data.assignment.location
  assignment_enforcement_mode = true
  skip_role_assignment        = false
  skip_remediation            = false
  assignment_parameters       = local.parameter_list_for_assignment
}
I guess this is the code which causes the issue. This is from the submodule of the initiative.
locals {
  # get role definition IDs from each member definition's policy rule
  # (definitions whose rule has no then.details.roleDefinitionIds yield an empty list)
  role_definition_ids = {
    for d in var.member_definitions :
    d.name => try(jsondecode(d.policy_rule).then.details.roleDefinitionIds, [])
  }

  # combine all discovered role definition IDs into one lower-cased, de-duplicated list
  all_role_definition_ids = try(distinct([for v in flatten(values(local.role_definition_ids)) : lower(v)]), [])
}
Expected Behavior
I expected that the Azure initiative will be assigned to the given subscription. The assignment works fine as far as I can tell.
Current Behavior
I discovered that each time I run a terraform plan/apply it will recreate the azurerm_role_assignment.rem_role.
Terraform detects a difference in the role_definition_id. Looks like some information is missing in the
"/subscriptions/aae7c2ce-523b-4715-b8ec-c4848196c981/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
Would it be possible to generate the correct ids?
"/providers/microsoft.authorization/roledefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
I also have tried to do this: https://registry.terraform.io/modules/gettek/policy-as-code/azurerm/2.2.0#error-invalid-for_each-argument
Not sure if this is a new issue or can be solved by myself.
Thank you for taking a look into this one.
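As an added example (not the module's or the reporter's code), the following Python mirrors the submodule's locals quoted above and shows why the two role_definition_id formats quoted in the issue compare as different even though they name the same role definition; the policy rule and all GUIDs are constructed placeholders.

```python
import json

# Constructed sample input: one deployIfNotExists definition that names a role in the
# provider-relative form used inside policy rule JSON, and one audit definition with
# no details block. The GUIDs are placeholders, not real role definitions.
SAMPLE_MEMBER_DEFINITIONS = [
    {
        "name": "deploy-diagnostics",
        "policy_rule": json.dumps({
            "if": {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            "then": {
                "effect": "deployIfNotExists",
                "details": {
                    "roleDefinitionIds": [
                        "/providers/Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111"
                    ]
                },
            },
        }),
    },
    {"name": "audit-only", "policy_rule": json.dumps({"if": {}, "then": {"effect": "audit"}})},
]


def role_definition_ids(member_definitions):
    """Mirror of the module's locals: per definition, take then.details.roleDefinitionIds
    (empty list when absent), then flatten, lower-case and de-duplicate."""
    per_definition = {}
    for d in member_definitions:
        try:
            ids = json.loads(d["policy_rule"])["then"]["details"]["roleDefinitionIds"]
        except (KeyError, TypeError, json.JSONDecodeError):
            ids = []
        per_definition[d["name"]] = ids
    flat = [v.lower() for ids in per_definition.values() for v in ids]
    return list(dict.fromkeys(flat))  # distinct(), preserving first-seen order


def role_definition_guid(role_definition_id):
    """Trailing GUID of a role definition ID, whether the ID is provider-relative
    (as in policy rules) or fully qualified with a /subscriptions/<id> prefix."""
    return role_definition_id.rstrip("/").rsplit("/", 1)[-1].lower()


def is_spurious_diff(planned_id, state_id):
    """True when a plan would show a change although both IDs name the same role:
    the strings differ only in prefix and casing, not in the role definition GUID."""
    return planned_id != state_id and role_definition_guid(planned_id) == role_definition_guid(state_id)
```

Comparing on the GUID rather than the full string is only a diagnostic; the module's lower-cased, provider-relative value still has to match what the provider stores for the diff to disappear.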
Hi @judiethel, try changing the assignment parameter to the one below; it appears you are missing the sub resource:
initiative = module.configure_policy_data_initiative.initiative