-
Notifications
You must be signed in to change notification settings - Fork 502
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error while assigning a Built-in Policy Initiative using SystemAssigned Identity #51
Comments
Thank you for reporting this @john-nicholls-development... I'll try to reproduce this behaviour and come back to you on this ASAP. Please can you confirm which version of the module you are using when you get this error? |
We are currently building with 0.0.8 |
@john-nicholls-development, we implemented a few fixes to the logic for this in Please also take note of the upgrade guidance. |
Edit: Hi, I get the same problem in both 0.8 and in. 1.1. It is after we have the init backend and then run the plane step that we get the error message.
There were more policies that do not go through after our upgrade to 1.1. BR |
Just a quick update. We have managed to duplicate this error and are working on a fix. |
We're making good progress on this, however we still have an outstanding issue which is preventing us from releasing a fix. The original error reported above by @john-nicholls-development occurs when the module detects a Under "normal" operation this part of the module processes correctly and I am able to correctly assign the
We have identified a fix to handle these duplications, ensuring the module can successfully perform the lookup on external definitions when duplicates exist, however this has just pushed the problem further downstream. Despite this not being an issue when no duplicates exist (with or without the "fix"), the module now generates the following error, which is actually harder to identify as this being the cause:
I will continue to investigate this particular issue (as the data model is correctly generating th required values as part of plan). Assuming this is within our control in the module and not something which needs addressing in the provider or Terraform itself, we hope to provide a full fix soon. During our investigations, we also identified a minor bug causing the module to miss In the meantime, we will work on documentation for an example deployment to show how you can decompose your deployment into multiple instances of the module to better handle nested deployments and allow you to create these assignments at multiple scopes within a single hierarchy. |
- Update the library templates to use `root_scope_resource_id` for policies deployed by this module - Fix to remove incorrect Managed Identity from `Deploy-ASC-Monitoring` policy - Fix to address missing Role Assignments for Policy Assignments using internal Policy Set Definitions - Improve logic when processing Role Assignments for Policy Assignments with Managed Identities - Initial work towards #51 where duplicate Policy Assignments at different scopes cause a duplicate key error - Fix a bug where changing the `archetype_id` for an existing Management Group fails during the `plan` stage
For the issue Error: Invalid for_each argument
on .terraform/modules/enterprise_scale_lz1/resources.role_assignments.tf line 2, in resource "azurerm_role_assignment" "enterprise_scale":
2: for_each = local.azurerm_role_assignment_enterprise_scale It is still in place for version 0.3.1. # The following locals are used to extract the Role Assignment
# configuration from the archetype module outputs.
locals {
es_role_assignments_by_management_group = flatten([
for archetype in values(module.management_group_archetypes) :
archetype.configuration.azurerm_role_assignment
])
es_role_assignments_by_subscription = []
es_role_assignments = concat(
local.es_role_assignments_by_management_group,
local.es_role_assignments_by_subscription,
local.es_role_assignments_by_policy_assignment,
)
}
# The following locals are used to build the map of Role
# Assignments to deploy.
locals {
/*
azurerm_role_assignment_enterprise_scale = {
for assignment in local.es_role_assignments :
assignment.resource_id => assignment
}
*/
azurerm_role_assignment_enterprise_scale = {}
} After the first apply, the change can be reverted and applied again. For the second apply the module output is already in state and TF can determine the values correctly. So guess it cannot determine the output from the module if that may help. |
@petr-stupka... thank you for your additional feedback on this issue. Would you be able to share your configuration with us please so we can try to reproduce? |
Regarding my previous response where I mention:
Please refer to our recent Wiki page, Deploy Using Module Nesting. Hopefully this covers how to do this in a bit more detail. |
Hi @krowlandson regarding the 'Error: Invalid for_each argument' So I played with it a bit and realized I been wrong with the module like I mentioned before. So I hope I'm correct now :) The issue is with built-in policy which have managed identity roles defined: "roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
], This section in ES module is trying to create list of those roles for the specific policy from locals {
es_role_assignments_by_policy_assignment = flatten([
for policy_assignment_id, policy_id in local.policy_assignments_with_managed_identity : [
for role_definition_id in try(local.policy_roles[policy_id], local.empty_list) : [
{
resource_id = "${local.azurerm_policy_assignment_enterprise_scale[policy_assignment_id].scope_id}${local.provider_path.role_assignment}${uuidv5(uuidv5("url", role_definition_id), policy_assignment_id)}"
scope_id = local.azurerm_policy_assignment_enterprise_scale[policy_assignment_id].scope_id
principal_id = try(local.principal_id_by_policy_assignment[policy_assignment_id], null)
role_definition_name = null
role_definition_id = role_definition_id
}
]
]
])
} However as you can see the policy_roles = {
"/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54" = (known after apply)
"/providers/Microsoft.Management/managementGroups/brz365-dev-management/providers/Microsoft.Authorization/policyDefinitions/Deny-Required-Tag-RG" = []
"/providers/Microsoft.Management/managementGroups/brz365-dev-management/providers/Microsoft.Authorization/policySetDefinitions/Deny-Required-Tags-RG" = []
"/providers/Microsoft.Management/managementGroups/brz365-dev-management/providers/Microsoft.Authorization/policySetDefinitions/Mod-Inherit-Tags-RG" = (known after apply)
} Any 'workaround' tip? I'm happy to give it try. |
@petr-stupka... I'm not sure whether this is just because you've setup an output for The reason I ask is that a default deployment of the module would have many more values in the One observation I can make from the above (regardless of approach), is that Our recommendation would be to follow the module user guide and examples page for a successful deployment. Specifically, I would recommend looking at our guide for Deploy Custom Landing Zone Archetypes and Expand built in archetype definitions. We have limited documentation currently on creating custom policies and roles, but this is on our backlog and will be published soon. |
Closing issue as we believe this was fixed in release v0.4.0 |
Our client would like the PCI v3.2.1:2018 Policy Initiative (id: /providers/Microsoft.Authorization/policySetDefinitions/496eeda9-8f2f-4d5e-8dfd-204f0a92ed41) assigned to their subscriptions, however when attempting this we get the following error:
Policy Assignment document looks like this:
Not quite sure what I'm doing wrong here, any help is appreciated.
The text was updated successfully, but these errors were encountered: