Cannot get "management_group_id" with "azurerm_policy_definition" after upgrade Terraform Version
TimWanierke opened this issue · comments
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureRM Provider) Version
Terraform v0.12.3
provider.azurerm v1.30.1
Affected Resource(s)
azurerm_policy_definition
Terraform Configuration Files
locals {
  environment_name = terraform.workspace == "QA" ? "_QA" : ""
}

data "azurerm_management_group" "ManagementRoot" {
  group_id = terraform.workspace == "QA" ? "ManagementRoot_QA" : "ManagementRoot"
}

data "azurerm_policy_definition" "MG_Diag_NSG_DEF" {
  display_name = "MG Diagnostics Microsoft.Network-networkSecurityGroups"
  # group_id is the bare group name; this is the value the error below fails to parse
  management_group_id = data.azurerm_management_group.ManagementRoot.group_id
}

resource "azurerm_policy_assignment" "MG_Diag_NSG" {
  name                 = "MG_Diag_NSG${local.environment_name}"
  scope                = data.azurerm_management_group.ManagementRoot.id
  policy_definition_id = data.azurerm_policy_definition.MG_Diag_NSG_DEF.id
  description          = "Enable Diagnostic Logs forwarding to central Log Analytics Workspace for NSG"
  display_name         = "MG Diagnostics Microsoft.Network-networkSecurityGroups"
  location             = "westeurope"

  identity {
    type = "SystemAssigned"
  }

  parameters = <<PARAMETERS
{
  "logAnalytics": {
    "value": "/subscriptions/.../resourceGroups/RG_Monitoring_cHUB01/providers/Microsoft.OperationalInsights/workspaces/MONITORING-cHUB01"
  }
}
PARAMETERS
}
Debug Output
Error: Can not parse "management_group_id" as a resource id: Cannot parse Azure ID: parse ManagementRoot_QA: invalid URI for request
Panic Output
Expected Behavior
The ID/path of the Azure Policy should be returned by the resource provider "azurerm_policy_definition". When the policy definition is not stored on the tenant root, the policy ID will not be returned anymore. This was working when I used Terraform version 0.11.
As a workaround, we stored the policy definition directly on the tenant root, but this is only a workaround.
Actual Behavior
Steps to Reproduce
terraform plan
Important Factoids
Same issue here, had to hardcode policy_definition_id URI temporarily until fixed:
policy_definition_id = "${data.azurerm_management_group.ManagementRoot.id}/providers/Microsoft.Authorization/policySetDefinitions/MG_Diag_NSG${local.environment_name}"
Not sure in which version but can confirm this is now fixed!
Just ensure you specify the management group name in the data source block:
data "azurerm_policy_definition" "def" {
  name                  = local.policy_name
  management_group_name = local.definition_scope
}
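Added example, not part of the original thread or the provider's code: a Go sketch of why the bare group name `ManagementRoot_QA` fails a resource-ID parse while the full management-group path passes, and how a management-group-scoped policy definition ID is composed and validated. It assumes the check behind the reported error behaves like Go's `url.ParseRequestURI`; the helper names and the definition name `MG_Diag_NSG_QA` are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ARM path segments for management-group-scoped policy definitions.
const mgPrefix = "/providers/Microsoft.Management/managementGroups/"
const defSegment = "/providers/Microsoft.Authorization/policyDefinitions/"

// CheckResourceID mirrors the kind of test the error text points to (assumption):
// the value must parse as a request URI, which requires a leading "/".
func CheckResourceID(v string) error {
	if _, err := url.ParseRequestURI(v); err != nil {
		return fmt.Errorf("cannot parse %q as a resource id: %w", v, err)
	}
	return nil
}

// ManagementGroupID expands a bare group name (group_id) into the full ID (id).
func ManagementGroupID(name string) string { return mgPrefix + name }

// PolicyDefinitionID builds the ID of a definition stored on a management group.
func PolicyDefinitionID(group, definition string) string {
	return ManagementGroupID(group) + defSegment + definition
}

// SplitPolicyDefinitionID recovers group and definition name and rejects IDs
// from any other scope, so an assignment cannot silently target the wrong one.
func SplitPolicyDefinitionID(id string) (group, definition string, err error) {
	if err = CheckResourceID(id); err != nil {
		return "", "", err
	}
	rest := strings.TrimPrefix(id, mgPrefix)
	parts := strings.SplitN(rest, defSegment, 2)
	if rest == id || len(parts) != 2 || parts[0] == "" || parts[1] == "" ||
		strings.Contains(parts[0], "/") || strings.Contains(parts[1], "/") {
		return "", "", fmt.Errorf("%q is not a management-group-scoped policy definition id", id)
	}
	return parts[0], parts[1], nil
}

func main() {
	fmt.Println(CheckResourceID("ManagementRoot_QA")) // bare name: rejected
	id := PolicyDefinitionID("ManagementRoot_QA", "MG_Diag_NSG_QA") // constructed names
	fmt.Println(id, CheckResourceID(id))
}
```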
Closing since this has been fixed according to @gettek
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!