Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs
MIT License

policyAssignmentManagementGroup.bicep doesn't seem to add a policy to additional management groups #753

Closed gsuttie closed 3 months ago

gsuttie commented 3 months ago

What happened? Provide a clear and concise description of the bug, including deployment details.

I am using the ALZ modules and particularly this one - ALZ-Bicep/infra-as-code/bicep/modules/policy/assignments/policyAssignmentManagementGroup.bicep

When I run this and populate the parameter called parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs like so, ['mg-Test', 'mg-PreProduction'], neither of these 2 is populated, only the one I reference like so:-

az deployment mg create --name $deploymentID --location $primaryLocation --management-group-id 'mg-Production' --template-file ./policyAssignmentManagementGroup.bicep --parameters ./policyAssignmentManagementGroup.bicepparam --confirm-with-what-if --output none

so mg-Production is assigned a policy but neither of the 2 additional ones is (['mg-Test', 'mg-PreProduction'])

Please provide the correlation id associated with your error or bug.

n/a

What was the expected outcome?

I would expect all 3 Management Groups to have the Policy assigned

Relevant log output

No response

Check previous GitHub issues

Code of Conduct

jtracey93 commented 3 months ago

Hey @gsuttie,

Can you share the module declaration code you are using and what version of the module?

Maybe via a gist or here as a comment so we can try and repro?

gsuttie commented 3 months ago

Module code I'm using is from policyAssignmentManagementGroup.bicep

And I am calling from PowerShell like so:-

az deployment mg create --name $deploymentID --location $primaryLocation --management-group-id 'mg-Production' --template-file ./policyAssignmentManagementGroup.bicep --parameters ./policyAssignmentManagementGroup.bicepparam --confirm-with-what-if --output none

Here is my bicepparameters file

using 'policyAssignmentManagementGroup.bicep'

param parPolicyAssignmentName = 'Iso27001'
param parPolicyAssignmentDisplayName = 'ISO 27001-2013'
param parPolicyAssignmentDescription = 'This policy assignment is for ISO 27001-2013'
param parPolicyAssignmentDefinitionId = '/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2'
param parPolicyAssignmentParameters = {}
param parPolicyAssignmentParameterOverrides = {}
//param parPolicyAssignmentNonComplianceMessages nonComplianceMessageType = []
param parPolicyAssignmentNotScopes = []
param parPolicyAssignmentEnforcementMode = 'Default'
param parPolicyAssignmentOverrides = []
param parPolicyAssignmentResourceSelectors = []
param parPolicyAssignmentIdentityType = 'SystemAssigned'
param parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs = ['mg-Test', 'mg-PreProduction']
param parPolicyAssignmentIdentityRoleAssignmentsSubs = []
param parPolicyAssignmentIdentityRoleAssignmentsResourceGroups = []
param parPolicyAssignmentIdentityRoleDefinitionIds = []

jtracey93 commented 3 months ago

Ah, I see what this is now.

This module assigns a policy only to a single management group but it will allow you to assign a managed identity associated to the policy assignment for remediation to many scopes as this is a common requirement in ALZ.

So if you want the policy assigned to many management groups you need to call the module once for each assignment scope.

Hope that clears it up.
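As an added illustration of the point above (this is not code from the ALZ-Bicep project), a wrapper template that loops over the target management groups and calls the module once per scope, as the answer describes. The relative module path, the deployment names and the management-group list are assumptions; the parameter names are the ones used in the bicepparam file posted earlier in the thread.

```bicep
// Added example, not part of the ALZ-Bicep repository: one module call per
// management group, because policyAssignmentManagementGroup.bicep creates a
// single policy assignment at the scope it is deployed to.
targetScope = 'managementGroup'

@description('Management groups that should each receive the assignment (constructed list, from the issue).')
param parTargetManagementGroupIds array = [
  'mg-Production'
  'mg-Test'
  'mg-PreProduction'
]

param parPolicyAssignmentName string = 'Iso27001'
param parPolicyAssignmentDisplayName string = 'ISO 27001-2013'
param parPolicyAssignmentDescription string = 'This policy assignment is for ISO 27001-2013'
param parPolicyAssignmentDefinitionId string = '/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2'

// Relative path is an assumption: adjust it to where the ALZ module lives in your repo.
// Each iteration is a separate nested deployment scoped to that management group,
// so each management group ends up with its own policy assignment.
module modPolicyAssignment '../policy/assignments/policyAssignmentManagementGroup.bicep' = [for mgId in parTargetManagementGroupIds: {
  name: 'deploy-${parPolicyAssignmentName}-${mgId}'
  scope: managementGroup(mgId)
  params: {
    parPolicyAssignmentName: parPolicyAssignmentName
    parPolicyAssignmentDisplayName: parPolicyAssignmentDisplayName
    parPolicyAssignmentDescription: parPolicyAssignmentDescription
    parPolicyAssignmentDefinitionId: parPolicyAssignmentDefinitionId
    parPolicyAssignmentIdentityType: 'SystemAssigned'
    // These two only control where the assignment's managed identity is granted
    // roles for remediation; they do not create extra policy assignments.
    // Left empty here so the identity is granted nothing beyond what the module
    // does at the assignment scope itself.
    parPolicyAssignmentIdentityRoleDefinitionIds: []
    parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs: []
  }
}]
```

Deploy the wrapper with the same az deployment mg create command from the thread, pointing --template-file at this file and --management-group-id at a management group the deploying identity can deploy from; the loop then scopes each module call to the named management group. Note that parPolicyAssignmentIdentityRoleAssignmentsAdditionalMgs is paired with parPolicyAssignmentIdentityRoleDefinitionIds: the additional scopes only receive role assignments for the role definition IDs listed there, so with that list empty (as in the posted bicepparam) the additional management groups would get no role assignments either.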