hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager

Home Page:https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs


Cannot get "management_group_id" with "azurerm_policy_definition" after upgrade Terraform Version

TimWanierke opened this issue · comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.3
provider.azurerm v1.30.1

Affected Resource(s)

  • azurerm_policy_definition

Terraform Configuration Files

locals {
  environment_name = terraform.workspace == "QA" ? "_QA" : ""
}

data "azurerm_management_group" "ManagementRoot" {
  group_id = terraform.workspace == "QA" ? "ManagementRoot_QA" : "ManagementRoot"
}

data "azurerm_policy_definition" "MG_Diag_NSG_DEF" {
  display_name        = "MG Diagnostics Microsoft.Network-networkSecurityGroups"
  management_group_id = data.azurerm_management_group.ManagementRoot.group_id
}

resource "azurerm_policy_assignment" "MG_Diag_NSG" {
  name                 = "MG_Diag_NSG${local.environment_name}"
  scope                = data.azurerm_management_group.ManagementRoot.id
  policy_definition_id = data.azurerm_policy_definition.MG_Diag_NSG_DEF.id
  description          = "Enable Diagnostic Logs forwarding to central Log Analytics Workspace for NSG"
  display_name         = "MG Diagnostics Microsoft.Network-networkSecurityGroups"
  location             = "westeurope"

  identity {
    type = "SystemAssigned"
  }

  parameters = <<PARAMETERS
  {
    "logAnalytics": {
      "value": "/subscriptions/.../resourceGroups/RG_Monitoring_cHUB01/providers/Microsoft.OperationalInsights/workspaces/MONITORING-cHUB01"
    }
  }
  
PARAMETERS

}

Debug Output

Error: Can not parse "management_group_id" as a resource id: Cannot parse Azure ID: parse ManagementRoot_QA: invalid URI for request

Expected Behavior

The ID/path of the Azure Policy should be returned by the resource provider "azurerm_policy_definition". When the policy definition is not stored on the tenant root, the policy ID is not returned anymore. This was working when I used Terraform version 0.11.

As a workaround we stored the policy definition directly on the tenant root, but this is only a workaround.

Steps to Reproduce

  1. terraform plan


Same issue here, had to hardcode policy_definition_id URI temporarily until fixed:

policy_definition_id = "${data.azurerm_management_group.ManagementRoot.id}/providers/Microsoft.Authorization/policySetDefinitions/MG_Diag_NSG${local.environment_name}"

Not sure in which version but can confirm this is now fixed!

Just ensure you specify the management group name in the data source block:

data "azurerm_policy_definition" "def" {
  name                  = local.policy_name
  management_group_name = local.definition_scope
}
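As an added example (not code from the thread), the reporter's configuration rewritten against the fixed data source: the management group is passed by name through `management_group_name`, so `terraform plan` resolves the definition ID under the management group instead of failing to parse the name as a resource ID. Resource and group names are taken from the original report; the Log Analytics workspace ID, elided in the report, is assumed to come from a variable.

```hcl
# Added example, not code from the thread. Names reuse the original report.
locals {
  environment_name = terraform.workspace == "QA" ? "_QA" : ""
}

data "azurerm_management_group" "ManagementRoot" {
  # This is the group NAME ("ManagementRoot" or "ManagementRoot_QA"),
  # not a full Azure resource ID.
  group_id = "ManagementRoot${local.environment_name}"
}

# Look the definition up by management group name. Passing the name into
# management_group_id produced "invalid URI for request", because that
# argument is parsed as a complete Azure resource ID.
data "azurerm_policy_definition" "MG_Diag_NSG_DEF" {
  display_name          = "MG Diagnostics Microsoft.Network-networkSecurityGroups"
  management_group_name = data.azurerm_management_group.ManagementRoot.group_id
}

# The assignment is scoped to the management group's full ID, and the
# definition ID now resolves to
# /providers/Microsoft.Management/managementGroups/<group>/providers/Microsoft.Authorization/policyDefinitions/<name>
resource "azurerm_policy_assignment" "MG_Diag_NSG" {
  name                 = "MG_Diag_NSG${local.environment_name}"
  scope                = data.azurerm_management_group.ManagementRoot.id
  policy_definition_id = data.azurerm_policy_definition.MG_Diag_NSG_DEF.id
  description          = "Enable Diagnostic Logs forwarding to central Log Analytics Workspace for NSG"
  display_name         = "MG Diagnostics Microsoft.Network-networkSecurityGroups"
  location             = "westeurope"

  identity {
    type = "SystemAssigned"
  }

  # jsonencode replaces the heredoc from the report; same JSON shape.
  parameters = jsonencode({
    logAnalytics = { value = var.log_analytics_workspace_id }
  })
}

# Assumed variable: the workspace resource ID the report elided ("/subscriptions/...").
variable "log_analytics_workspace_id" {
  type = string
}
```

Running `terraform plan` should now show `policy_definition_id` populated with the management-group-scoped path rather than the parse error from the Debug Output above.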

Closing since this has been fixed according to @gettek

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!