Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Bug Report: Portal Deployment fails with error InvalidCreatePolicyAssignmentRequest #1800

Closed humblejay closed 1 month ago

humblejay commented 1 month ago

Describe the bug

Portal deployment for Azure Landing Zone fails

Steps to reproduce

  1. Deploy ALZ from Portal, select "Enable Private DNS Zones" option
  2. Deployment fails with error
{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
  "details": [
    {
      "code": "BadRequest",
      "message": "{\r\n  \"error\": {\r\n    \"code\": \"InvalidCreatePolicyAssignmentRequest\",\r\n    \"message\": \"The policy definition specified in policy assignment 'Deploy-Private-DNS-Zones' is out of scope. Policy definitions should be specified only at or above the policy assignment scope. If the management groups hierarchy changed recently or if assigning a management group policy to new subscription, please allow up to 30 minutes for the hierarchy changes to apply and try again.\"\r\n  }\r\n}"
    }
  ]
}


Springstone commented 1 month ago

Hi @humblejay. This is unfortunately a platform issue that we try to work around, but sometimes it's not enough. TLDR the policy isn't available yet when we try to do the assignment. In Azure, when you create a policy it takes a while to replicate and register in the engine, typically around 10 minutes, but can take up to 30 minutes. Any error messages that contain "wait for 30 minutes" are related to the same issue.

If you re-run the portal deployment using the exact same parameters, you'll see it will succeed because the policy is now registered.

I'll close the issue, as there is no action on our side. Feel free to re-open if you have additional queries.

Springstone commented 1 month ago

Latest release also increases the delay a bit to help minimize this issue.
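For anyone automating the re-run described in this thread, the following is an added example, not code from the Enterprise-Scale project or from the commenters. It unwraps the nested error shown in the report (the inner code sits inside a JSON string in `message`) and retries only when every leaf error is the replication-lag code. The `deploy` callable, the 5-minute delay and the trimmed sample error are assumptions; the 30-minute ceiling comes from the error text.

```python
import json
import time

# Inner ARM error code the thread attributes to policy replication lag.
TRANSIENT_CODES = {"InvalidCreatePolicyAssignmentRequest"}

# Constructed sample: a trimmed copy of the error in the report above.
INNER = ('{\r\n  "error": {\r\n    "code": "InvalidCreatePolicyAssignmentRequest",'
         '\r\n    "message": "definition is out of scope"\r\n  }\r\n}')
SAMPLE_ERROR = {"code": "DeploymentFailed",
                "details": [{"code": "BadRequest", "message": INNER}]}

def leaf_codes(error):
    """Return the innermost error codes, unwrapping JSON-encoded messages."""
    leaves, stack = [], [error]
    while stack:
        node = stack.pop()
        if not isinstance(node, dict):
            continue
        children = list(node.get("details") or [])
        if isinstance(node.get("error"), dict):
            children.append(node["error"])
        msg = node.get("message")
        if isinstance(msg, str) and msg.lstrip().startswith("{"):
            try:
                children.append(json.loads(msg))
            except ValueError:
                pass  # plain text that merely starts with '{'
        stack.extend(children)
        if not children and "code" in node:
            leaves.append(node["code"])
    return leaves

def deploy_with_retry(deploy, max_wait=1800, delay=300, sleep=time.sleep):
    """Re-run deploy() (hypothetical: returns None or an ARM error dict)."""
    waited = 0
    while True:
        error = deploy()
        if error is None:
            return waited  # seconds spent waiting for replication
        leaves = leaf_codes(error)
        if not leaves or not set(leaves) <= TRANSIENT_CODES:
            raise RuntimeError(f"non-retryable deployment error: {leaves}")
        if waited + delay > max_wait:
            raise TimeoutError(f"still failing after {waited}s")
        sleep(delay)
        waited += delay
```

A failure that mixes the replication-lag code with any other leaf code is raised immediately, since waiting will not fix the other error.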