Closed phx-tim-butters closed 7 months ago
Hi @phx-tim-butters
The provider should re-write the resource ids for any referenced policies.
You can see in the error that the management group has been set to tb-dev.
Do you know the correct resource id for the definition in question?
Hey @matt-FFFFFF
I think it was a race condition, I have it currently set to 600 seconds delay before policy assignment but seemingly that still wasn't enough. I'll be upping this today to do some further tests.
In the terraform-azurerm-caf-enterprise-scale module, the providerId is parameterized on the archetype policy assignments - so I put 2 and 2 together and got 5 in relation to this new (better) approach. Good to know the provider does this.
Wow. Some race condition!
In the future I hope to see some user defined retryable error support in terraform or the provider.
This would go a long way to cleaner IaC code.
We are customising the id of all management groups.
For example:

```hcl
module "alz_archetype_root" {
  source  = "Azure/avm-ptn-alz/azurerm"
  version = "0.4.1"

  id           = var.deploy_abbreviation == "" ? var.org_abbreviation : "${var.org_abbreviation}-${var.deploy_abbreviation}"
  display_name = var.deploy_abbreviation == "" ? var.org_abbreviation : "${var.org_abbreviation}-${var.deploy_abbreviation}"
}
```
As a consequence, all Policy Assignments for Custom Definition Sets are failing with a 400 Not Found
On looking into the downloaded alzlib folder, for all Policy Assignments that are assigning a Definition Set, the default static Management Group is stated.
```json
{
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2022-06-01",
  "name": "Audit-PeDnsZones",
  "dependsOn": [],
  "properties": {
    "description": "Audits the deployment of Private Link Private DNS Zone resources in the Corp landing zone.",
    "displayName": "Audit Private Link Private DNS Zone resources",
    "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones"
  }
}
```
The PolicyDefinitionId needs to contain a parameter for the customised Management Group Id, in a similar way to the "location" value of a Policy Assignment.
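The id rewrite that the reply above says the provider performs, and the stale-scope check that would have flagged this failure before apply, as an added example; this is not the provider's or alzlib's code, and the `alz -> tb-dev` mapping, the regex and the sample assignment (trimmed from the one quoted above) are assumptions constructed for illustration:

```python
import copy
import json
import re

# Constructed sample, modelled on the Audit-PeDnsZones assignment quoted above:
# the library ships the definition reference scoped to the default "alz" MG.
SAMPLE_ASSIGNMENT = json.loads("""
{
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "Audit-PeDnsZones",
  "properties": {
    "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones"
  }
}
""")

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
# Matches a definition or definition-set id scoped to a management group.
MG_SCOPED_ID = re.compile(
    r"^" + re.escape(MG_PREFIX)
    + r"(?P<mg>[^/]+)/providers/Microsoft\.Authorization/"
    r"(?P<kind>policyDefinitions|policySetDefinitions)/(?P<name>[^/]+)$"
)

def rewrite_definition_id(resource_id: str, mg_map: dict) -> str:
    """Return resource_id with its management-group scope replaced via mg_map
    (library default MG id -> customised deployed id, an assumed mapping).
    Built-in definitions carry no MG scope and are returned unchanged."""
    m = MG_SCOPED_ID.match(resource_id)
    if m is None:
        if resource_id.startswith("/providers/Microsoft.Authorization/"):
            return resource_id  # built-in definition, nothing to rewrite
        raise ValueError(f"unrecognised policy definition id: {resource_id}")
    new_mg = mg_map.get(m["mg"])
    if new_mg is None:
        raise KeyError(f"no customised id known for management group {m['mg']!r}")
    return f"{MG_PREFIX}{new_mg}/providers/Microsoft.Authorization/{m['kind']}/{m['name']}"

def rewrite_assignment(assignment: dict, mg_map: dict) -> dict:
    """Deep copy of the assignment with its policyDefinitionId re-scoped."""
    out = copy.deepcopy(assignment)
    props = out["properties"]
    props["policyDefinitionId"] = rewrite_definition_id(props["policyDefinitionId"], mg_map)
    return out

def stale_references(assignments: list, deployed_mg_ids: set) -> list:
    """Pre-apply check: names of assignments whose definition is scoped to a
    management group that was not deployed (the 'not found' failure above)."""
    stale = []
    for a in assignments:
        m = MG_SCOPED_ID.match(a["properties"]["policyDefinitionId"])
        if m is not None and m["mg"] not in deployed_mg_ids:
            stale.append(a["name"])
    return stale
```

Running `stale_references` over the downloaded alzlib assignments with the set of management group ids you actually deploy gives the list of assignments that will fail regardless of any delay, which separates this class of error from a genuine race.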