Open c-baumgartner opened 1 week ago
Hi @c-baumgartner
This is a known issue with the provider at the moment. We are eagerly awaiting developments on deferred actions.
Until that time you can't use the module in the way you have done.
The module does not need to be dependent on the RG and Sentinel deployment: if you know the names of the resources, you can feed them in as string literals.
The ordering is typically not strictly important as the policy assignment will take some time to be effective anyway.
It's not ideal, I realise, but this is where we are at this time.
Hi @matt-FFFFFF,
thank you for your feedback. Good to know that there is something on the roadmap to fix this.
Regarding the ordering, this was also our plan: to not have a dependency on the ALZ module. But unfortunately, when I construct the resource ID and try to apply the code without creating the Log Analytics workspace first, I get these errors:
│ Error: Failed to create/update resource
│
│ with module.alz_architecture.azapi_resource.policy_role_assignments["e8a47a4b-c2a6-5cf9-a06d-be0a82864931"],
│ on .terraform/modules/alz_architecture/main.policy_role_assignments.tf line 1, in resource "azapi_resource" "policy_role_assignments":
│ 1: resource "azapi_resource" "policy_role_assignments" {
│
│ creating/updating Resource: (ResourceId "/subscriptions/44a36e73-14b6-423f-9fb3-672ae9c6376d/resourceGroups/rg-GABcbag-SentinelCore/providers/Microsoft.OperationalInsights/workspaces/log-GABcbag-SentinelCore/providers/Microsoft.Authorization/roleAssignments/e8a47a4b-c2a6-5cf9-a06d-be0a82864931" / Api Version "2022-04-01"): PUT
│ https://management.azure.com/subscriptions/44a36e73-14b6-423f-9fb3-672ae9c6376d/resourceGroups/rg-GABcbag-SentinelCore/providers/Microsoft.OperationalInsights/workspaces/log-GABcbag-SentinelCore/providers/Microsoft.Authorization/roleAssignments/e8a47a4b-c2a6-5cf9-a06d-be0a82864931
│ --------------------------------------------------------------------------------
│ RESPONSE 404: 404 Not Found
│ ERROR CODE: ResourceNotFound
│ --------------------------------------------------------------------------------
│ {
│ "error": {
│ "code": "ResourceNotFound",
│ "message": "The Resource 'Microsoft.OperationalInsights/workspaces/log-GABcbag-SentinelCore' under resource group 'rg-GABcbag-SentinelCore' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix"
│ }
│ }
│ --------------------------------------------------------------------------------
│
╵
This was the reason we tried to set the LAW up first. Another workaround would be to have some (sub)layering in our solution to deploy the LAW first and then the governance/alz module.
Do you have any other idea how to work around the managed identity RBAC assignment in this case?
So when I deploy both, the LAW gets created before the policy role assignments. This is not enforced, but it is typically the case because the MG and policy work takes longer.
I have done some experimentation with -allow-deferral, and this solves the issue, allowing the deployment to be broken down into multiple plan/apply cycles.
Hi Matt, very interesting observation that you don't run into this. I can repeatedly reproduce the issue. What I have tried was to set retries and ramp up the values to their maximum, without luck in getting over the 404 (big thanks to my colleague for having this idea with the retries). The -allow-deferral sounds like a plan for the future, but we have to wait until Tofu ships this feature. So, to make the code robust and reliable, we will make some changes to the design by using a separate layer to deploy the LAW upfront (or use -target as a substitute for the -allow-deferral parameter in the meantime).
Just FYI, the retries settings I have used:
```hcl
retries = {
  policy_role_assignments = {
    error_message_regex = [
      "^The Resource 'Microsoft.OperationalInsights/workspaces",
    ]
    interval_seconds     = 120
    max_interval_seconds = 300
  }
}
```
module.alz_architecture.azapi_resource.policy_role_assignments["d7a4caa9-2f5c-5990-a3be-3ea8ba390fe8"]: Still creating... [4m20s elapsed]
module.alz_architecture.azapi_resource.policy_role_assignments["d7a4caa9-2f5c-5990-a3be-3ea8ba390fe8"]: Still creating... [4m30s elapsed]
module.alz_architecture.azapi_resource.policy_role_assignments["d7a4caa9-2f5c-5990-a3be-3ea8ba390fe8"]: Still creating... [4m40s elapsed]
module.alz_architecture.azapi_resource.policy_role_assignments["d7a4caa9-2f5c-5990-a3be-3ea8ba390fe8"]: Still creating... [4m50s elapsed]
╷
│ Error: Failed to create/update resource
│
│ with module.alz_architecture.azapi_resource.policy_role_assignments["d7a4caa9-2f5c-5990-a3be-3ea8ba390fe8"],
│ on .terraform/modules/alz_architecture/main.policy_role_assignments.tf line 1, in resource "azapi_resource" "policy_role_assignments":
│ 1: resource "azapi_resource" "policy_role_assignments" {
│
│ creating/updating Resource: (ResourceId
│ "/subscriptions/44a36e73-14b6-423f-9fb3-672ae9c6376d/resourceGroups/rg-GABcbag-SentinelCore/providers/Microsoft.OperationalInsights/workspaces/log-GABcbag-SentinelCore/providers/Microsoft.Authorization/roleAssignments/d7a4caa9-2f5c-5990-a3be-3ea8ba390fe8"
│ / Api Version "2022-04-01"): context deadline exceede
This is the example I am using and it deploys just fine. #RR
I think you might need to await the release of v2.0.1 of azapi as it contains some improvements to the retry
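The layering described in the thread (workspace first, ALZ module without a graph dependency on it), as an added example that is not code from this issue or from the avm-ptn-alz project. It assumes the azurerm, azapi and alz providers are already configured as in the reporter's setup; the subscription ID, resource names, management group key `alzroot`, policy assignment name `Deploy-MDFC-Config-H224` and the module inputs `architecture_name`, `parent_id` and `location` are assumptions to be checked against the README of the pinned module version. Only `policy_assignments_to_modify` and the `retries` entry are taken from the thread.

```hcl
# Added example, not the thread's own code. Placeholder names and the module
# input names outside policy_assignments_to_modify / retries are assumptions.

locals {
  # String literals only. The workspace ID below is assembled from these
  # and NOT from azurerm_log_analytics_workspace.sentinel.id, so the ALZ
  # module has no edge to the workspace in the graph and its data sources
  # are not deferred at plan time.
  subscription_id = "00000000-0000-0000-0000-000000000000" # assumed placeholder
  rg_name         = "rg-example-SentinelCore"               # assumed
  law_name        = "log-example-SentinelCore"              # assumed
  location        = "westeurope"                            # assumed

  law_id = "/subscriptions/${local.subscription_id}/resourceGroups/${local.rg_name}/providers/Microsoft.OperationalInsights/workspaces/${local.law_name}"
}

# Layer 1: the scope the policy role assignments will be written to.
resource "azurerm_resource_group" "sentinel" {
  name     = local.rg_name
  location = local.location
}

resource "azurerm_log_analytics_workspace" "sentinel" {
  name                = local.law_name
  resource_group_name = azurerm_resource_group.sentinel.name
  location            = azurerm_resource_group.sentinel.location
  sku                 = "PerGB2018"
}

data "azapi_client_config" "current" {}

# Layer 2: the ALZ module, deliberately without depends_on on layer 1.
module "alz_architecture" {
  source  = "Azure/avm-ptn-alz/azurerm"
  version = "0.9.0-beta2"

  architecture_name = "alz" # assumed: name of the architecture in your library
  parent_id         = data.azapi_client_config.current.tenant_id
  location          = local.location

  # Assumed shape: confirm in the pinned README whether parameter values are
  # given plainly or as jsonencode({ value = ... }).
  policy_assignments_to_modify = {
    alzroot = {
      policy_assignments = {
        Deploy-MDFC-Config-H224 = {
          parameters = {
            logAnalytics = local.law_id # hard-coded ID string, no resource reference
          }
        }
      }
    }
  }

  # The retry settings posted earlier in the thread: keep retrying the
  # role-assignment PUT while the workspace scope returns ResourceNotFound.
  retries = {
    policy_role_assignments = {
      error_message_regex = [
        "^The Resource 'Microsoft.OperationalInsights/workspaces",
      ]
      interval_seconds     = 120
      max_interval_seconds = 300
    }
  }
}
```

To force the workspace to exist before the role assignments are attempted without a `depends_on`, run the first apply targeted and then a full apply: `terraform apply -target=azurerm_log_analytics_workspace.sentinel` followed by `terraform apply` (the same flags work with `tofu`). The second plan then resolves the module's data sources normally, since nothing it reads is pending. `-target` is an operational workaround only; keep it out of the routine pipeline and prefer the separate-state layer once the first deployment is done.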
Issue Type: Bug
Module Version: 0.9.0-beta2
Correlation Id: No response
Description:
Calling the ALZ module without depends_on works without issue. But when setting a dependency on another module, it fails with the following error:
We need to have one resource (Log Analytics workspace) and one resource group created upfront.
Module call that is working:
The following call will fail with the above error in the plan phase:
This is the corresponding architecture definition:
Addition
Commenting out the ALZ module for the first apply, and then commenting it back in (including the depends_on), works.
The strange thing is, again, that there are no dynamic references to the outputs of the other modules, only one hard-coded resource ID referencing the Log Analytics workspace in the
policy_assignments_to_modify
The two locals are just strings. I have also tried to make the azapi_client_config a prerequisite of the ALZ module by adding it to the depends_on list, too.