gettek / terraform-azurerm-policy-as-code

Terraform modules that simplify the workflow of custom and built-in Azure Policies

Home Page: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-as-code


set_assignment - every apply trigger azurerm_role_assignment.rem_role delete/create

judiethel opened this issue · comments

Issue Template

Prerequisites

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Context

  • Module Version: 2.8.3
  • Terraform Version: [v1.6.3]

module "configure_policy_data_assigment_to_sub" {
  for_each = toset(var.policy_data.assignment.scope_sub_ids)

  source                      = "gettek/policy-as-code/azurerm//modules/set_assignment"
  version                     = "2.8.3"
  initiative                  = module.configure_policy_data_initiative
  assignment_scope            = data.azurerm_subscription.initiative_assign_to_sub[each.key].id
  assignment_location         = var.policy_data.assignment.location
  assignment_enforcement_mode = true
  skip_role_assignment        = false
  skip_remediation            = false
  assignment_parameters       = local.parameter_list_for_assignment
}

I guess this is the code which causes the issue. This is from the submodule of the initiative.

  # get role definition IDs
  role_definition_ids = {
    for d in var.member_definitions :
    d.name => try(jsondecode(d.policy_rule).then.details.roleDefinitionIds, [])
  }

  # combine all discovered role definition IDs
  all_role_definition_ids = try(distinct([for v in flatten(values(local.role_definition_ids)) : lower(v)]), [])

Expected Behavior

I expected that the Azure initiative will be assigned to the given subscription. The assignment works fine as far as I can tell.

Current Behavior

I discovered that each time I run a terraform plan/apply it will recreate the azurerm_role_assignment.rem_role.

Terraform detects a difference in the role_definition_id. Looks like some information is missing in the

"/subscriptions/aae7c2ce-523b-4715-b8ec-c4848196c981/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"

Would it be possible to generate the correct ids?

"/providers/microsoft.authorization/roledefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"

I also have tried to do this: https://registry.terraform.io/modules/gettek/policy-as-code/azurerm/2.2.0#error-invalid-for_each-argument

Not sure if this is a new issue or can be solved by myself.

Thank you for taking a look into this one.
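The two IDs quoted in this issue name the same built-in role definition; one carries a /subscriptions/... prefix and mixed case, the other does not, and Terraform compares the strings verbatim. The following is an added example (not code from the issue or the module) that parses both forms, shows they refer to the same role GUID, and rewrites the short form into the fully qualified one; the two sample IDs are copied from the issue above.

```python
import re

# Sample IDs taken from this issue: the fully qualified form shown in the
# Terraform diff, and the short lowercased form the module derives from the
# policy rule's roleDefinitionIds.
AZURE_RETURNED_ID = (
    "/subscriptions/aae7c2ce-523b-4715-b8ec-c4848196c981"
    "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
)
POLICY_RULE_ID = "/providers/microsoft.authorization/roledefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"

# Optional subscription prefix, then the role definition path; case-insensitive
# because Azure resource IDs are not case-sensitive but Terraform string diffs are.
_ROLE_DEF_RE = re.compile(
    r"^(?:/subscriptions/(?P<sub>[0-9a-f-]{36}))?"
    r"/providers/microsoft\.authorization/roledefinitions/(?P<guid>[0-9a-f-]{36})$",
    re.IGNORECASE,
)


def parse_role_definition_id(rid):
    """Return (subscription_id or None, role definition GUID), both lowercased.

    Raises ValueError for anything that is not a role definition resource ID,
    so a malformed value in a policy rule fails loudly instead of silently
    producing a role assignment that never converges.
    """
    m = _ROLE_DEF_RE.match(rid)
    if not m:
        raise ValueError(f"not a role definition ID: {rid}")
    sub = m.group("sub")
    return (sub.lower() if sub else None, m.group("guid").lower())


def same_role_definition(a, b):
    """True when both IDs name the same role, ignoring casing and scope prefix.

    This is the semantic comparison; Terraform's plan compares the raw
    strings, which is why two equivalent IDs show up as a replace.
    """
    return parse_role_definition_id(a)[1] == parse_role_definition_id(b)[1]


def canonical_role_definition_id(rid, subscription_id):
    """Rewrite any accepted form into the subscription-scoped, mixed-case form
    that appears on the Azure side of the diff in this issue."""
    _, guid = parse_role_definition_id(rid)
    return (f"/subscriptions/{subscription_id}"
            f"/providers/Microsoft.Authorization/roleDefinitions/{guid}")
```

Comparing the canonicalised value against what Azure returns gives a stable string, which is what a no-op plan requires.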

Hi @judiethel, try changing the assignment parameter to the below:

initiative = module.configure_policy_data_initiative.initiative

It appears you are missing the sub resource.