
Archetype_config_overrides not working on extended archetype #913

Open
nyanhp opened this issue Mar 14, 2024 · 3 comments

Comments


nyanhp commented Mar 14, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform: 1.7.4

azure provider: 3.95.0

module: ~>5.0.0

Description

Describe the bug

Using archetype_config_overrides, the landing-zones archetype is not overridden with regards to policy assignments. Other archetypes like the platform can be successfully modified. What I suspect is that the extension to the landing zones might be the reason.

Why do both? We use the same project to manage multiple root ids. The extensions are used globally if you will, the overrides are used per root id. I've not found anything in the docs regarding the merging behavior.

Steps to Reproduce

Create an extension archetype_extension_es_landing_zones.tmpl.json in your library folder.

{
    "extend_es_landing_zones": {
        "policy_assignments": [
            "Deploy-Private-DNS-Zones"
        ],
        "policy_definitions": [],
        "policy_set_definitions": [],
        "role_definitions": [],
        "archetype_config": {
            "access_control": {},
            "parameters": {}
        }
    }
}

Plan changes, notice that no changes are planned for the landing-zones MG that pertain to changing the enforcement mode of Deny-Subnet-Without-Nsg.

module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "~>5.0.0"

  default_location = var.default_location

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm.connectivity
    azurerm.management   = azurerm.management
    azurerm.identity     = azurerm.identity
  }

  root_parent_id               = data.azurerm_client_config.core.tenant_id
  root_id                      = var.root_id
  root_name                    = var.root_name
  subscription_id_connectivity = local.subscriptions.connectivity
  subscription_id_management   = local.subscriptions.management
  subscription_id_identity     = local.subscriptions.identity

  strict_subscription_association = false

  deploy_core_landing_zones        = true
  deploy_connectivity_resources    = true
  deploy_identity_resources        = true
  deploy_management_resources      = true
  configure_connectivity_resources = local.network_config
  configure_identity_resources     = local.identity_config
  configure_management_resources   = local.management_config
  disable_telemetry                = true
  library_path                     = "${path.module}/../configurationdata/es_lib"

  archetype_config_overrides = {
    "${var.root_id}-platform" = {
      parameters = {}
      enforcement_mode = {
        Enforce-GR-KeyVault = false
      }
    }
    "${var.root_id}-landing-zones" = {
      parameters = {}
      enforcement_mode = {
        Deny-Subnet-Without-Nsg = false
      }
    }
  }

  custom_landing_zones = yamldecode(templatefile("${path.module}/../configurationdata/${var.root_id}/nonstandard-management-groups.yml", {
    rootid = var.root_id
  }))
}

Screenshots

Additional context
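To confirm whether an override actually reached the plan, here is an added Python check (not part of the issue or of the module) that reads `terraform show -json tfplan` output and compares each planned azurerm_management_group_policy_assignment's enforce flag with the enforcement_mode entries in archetype_config_overrides. The plan JSON, the root id `myorg` and the resource keys are constructed for the example.

```python
import json

# Constructed, minimal `terraform show -json tfplan` output. The landing-zones
# assignment still has enforce=true, which is the symptom reported in the issue.
SAMPLE_PLAN = json.loads("""{
 "planned_values": {"root_module": {"child_modules": [{"address": "module.enterprise_scale",
  "resources": [
   {"address": "module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale[\\"platform\\"]",
    "type": "azurerm_management_group_policy_assignment",
    "values": {"name": "Enforce-GR-KeyVault", "enforce": false,
               "management_group_id": "/providers/Microsoft.Management/managementGroups/myorg-platform"}},
   {"address": "module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale[\\"lz\\"]",
    "type": "azurerm_management_group_policy_assignment",
    "values": {"name": "Deny-Subnet-Without-Nsg", "enforce": true,
               "management_group_id": "/providers/Microsoft.Management/managementGroups/myorg-landing-zones"}}
  ]}]}}}""")

# Mirrors the enforcement_mode entries of the archetype_config_overrides block (root_id = myorg).
EXPECTED = {
    ("myorg-platform", "Enforce-GR-KeyVault"): False,
    ("myorg-landing-zones", "Deny-Subnet-Without-Nsg"): False,
}

def policy_assignments(plan):
    """Yield the values of every management-group policy assignment, walking nested modules."""
    def walk(module):
        for res in module.get("resources", []):
            if res.get("type") == "azurerm_management_group_policy_assignment":
                yield res.get("values", {})
        for child in module.get("child_modules", []):
            yield from walk(child)
    yield from walk(plan.get("planned_values", {}).get("root_module", {}))

def planned_enforce(plan, mg_name, assignment):
    """Return the planned `enforce` flag for `assignment` on management group `mg_name`,
    or None if that assignment is absent from the plan (enforce defaults to true)."""
    for vals in policy_assignments(plan):
        mg = vals.get("management_group_id", "").rsplit("/", 1)[-1]
        if mg == mg_name and vals.get("name") == assignment:
            return vals.get("enforce", True)
    return None

def find_mismatches(plan, expected):
    """List (mg_name, assignment, expected, actual) where the plan disagrees with the overrides."""
    return [(mg, name, want, planned_enforce(plan, mg, name))
            for (mg, name), want in expected.items()
            if planned_enforce(plan, mg, name) != want]

if __name__ == "__main__":
    for mg, name, want, got in find_mismatches(SAMPLE_PLAN, EXPECTED):
        print(f"{mg}/{name}: expected enforce={want}, plan has {got}")
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and `json.load(open("plan.json"))` in place of SAMPLE_PLAN; an empty mismatch list means every override landed.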

@tobiasehlert
Contributor

tobiasehlert commented Mar 15, 2024

@nyanhp, it looks to me like you are missing the archetype_id inside your archetype_config_overrides objects.

It should look a little more like this for you (I guess):

archetype_config_overrides = {
  "${var.root_id}-platform" = {
    archetype_id = "es_platform"
    parameters = {}
    enforcement_mode = {
      Enforce-GR-KeyVault = false
    }
  }
  "${var.root_id}-landing-zones" = {
    archetype_id = "es_landing_zones"
    parameters = {}
    enforcement_mode = {
      Deny-Subnet-Without-Nsg = false
    }
  }
}

I do something similar, except that I set the parameter to Audit instead of changing the enforcement_mode.

archetype_config_overrides = {
  landing-zones = {
    archetype_id = "es_landing_zones"
    parameters = {
      Deny-Subnet-Without-Nsg = {
        Effect = "Audit"
      }
    }
  }
}

@nyanhp
Author

nyanhp commented Mar 15, 2024

Unfortunately that workaround does not work for me. It is ignored as long as I am using both an archetype extension as well as a config override, regardless of whether the archetype_id is used or not.

It's fine if it isn't supposed to work in the first place :) But then I would appreciate some callouts in the documentation.

@matt-FFFFFF
Member

Hi!

Thanks for all the discussion 😊

This is not a scenario we have tested, so we do not have a solution at this time.

We are somewhat limited by HCL and I can't therefore guarantee we will be able to solve this but we can have a look.
