Azure / terraform-azurerm-avm-ptn-alz

Terraform module to deploy Azure Landing Zones
https://registry.terraform.io/modules/Azure/avm-ptn-alz/azurerm
MIT License

alzlib Policy Assignments incorrect for Custom Definition Sets #28

Closed phx-tim-butters closed 7 months ago

phx-tim-butters commented 7 months ago

We are customising the id of all management groups.

For example:

```hcl
module "alz_archetype_root" {
  source  = "Azure/avm-ptn-alz/azurerm"
  version = "0.4.1"

  id           = var.deploy_abbreviation == "" ? "${var.org_abbreviation}" : "${var.org_abbreviation}-${var.deploy_abbreviation}"
  display_name = var.deploy_abbreviation == "" ? "${var.org_abbreviation}" : "${var.org_abbreviation}-${var.deploy_abbreviation}"
}
```

As a consequence, all Policy Assignments for Custom Definition Sets are failing with a 400 Not Found:

```
╷
│ Error: creating Scoped Policy Assignment (Scope: "/providers/Microsoft.Management/managementGroups/tb-landing_zones-dev"
│ Policy Assignment Name: "Enforce-TLS-SSL"): unexpected status 400 with error: PolicySetDefinitionNotFound: The policy assignment create request is invalid. The policy set definition '/providers/Microsoft.Management/managementGroups/tb-dev/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' could not be found.
│
│   with module.alz_archetype_landing_zones.azurerm_management_group_policy_assignment.this["Enforce-TLS-SSL"],
│   on .terraform/modules/alz_archetype_landing_zones/main.tf line 102, in resource "azurerm_management_group_policy_assignment" "this":
│  102: resource "azurerm_management_group_policy_assignment" "this" {
│
│ creating Scoped Policy Assignment (Scope: "/providers/Microsoft.Management/managementGroups/tb-landing_zones-dev"
│ Policy Assignment Name: "Enforce-TLS-SSL"): unexpected status 400 with error: PolicySetDefinitionNotFound: The policy assignment create request is invalid. The policy set definition
│ '/providers/Microsoft.Management/managementGroups/tb-dev/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit' could not be found.
╵
```

On looking into the downloaded alzlib folder, for all Policy Assignments that are assigning a Definition Set, the default static Management Group is stated:

```json
{
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2022-06-01",
  "name": "Audit-PeDnsZones",
  "dependsOn": [],
  "properties": {
    "description": "Audits the deployment of Private Link Private DNS Zone resources in the Corp landing zone.",
    "displayName": "Audit Private Link Private DNS Zone resources",
    "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones"
  }
}
```

The PolicyDefinitionId needs to contain a parameter for the customised Management Group Id, in a similar way to the "location" value of a Policy Assignment.

matt-FFFFFF commented 7 months ago

Hi @phx-tim-butters

The provider should re-write the resource ids for any referenced policies.

You can see in the error that the management group has been set to tb-dev.

Do you know the correct resource id for the definition in question?
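The rewriting matt-FFFFFF describes above, shown as an added Python illustration (this is not the azurerm provider's or the module's code; the regex, the `mg_map` library-to-deployed mapping and the sample definitions are assumptions constructed for the example, and only the library default management group name `alz` and the IDs in the error come from the issue). It also carries out the pre-flight check a practitioner would want: after rewriting every `policyDefinitionId`, confirm the target definition or definition set already exists before any assignment is attempted, which is what a `PolicySetDefinitionNotFound` from the API says was not yet true.

```python
"""Rewrite management-group-scoped policy (set) definition IDs from the
library's default management group to the deployed one, then report any
assignment whose rewritten target has not been deployed yet.
Added example; not the provider's or the module's own code."""
from __future__ import annotations

import re

# Azure resource ID of a policy (set) definition scoped to a management group.
_MG_POLICY_ID = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/(?P<mg>[^/]+)"
    r"/providers/Microsoft\.Authorization/"
    r"(?P<kind>policyDefinitions|policySetDefinitions)/(?P<name>[^/]+)$"
)


def rewrite_mg_scope(resource_id: str, mg_map: dict[str, str]) -> str:
    """Replace the management group segment according to mg_map
    (library id -> deployed id). Built-in IDs (/providers/Microsoft.Authorization/...)
    carry no management group segment and are returned unchanged; an unknown
    management group is left as-is rather than guessed."""
    m = _MG_POLICY_ID.match(resource_id)
    if not m or m.group("mg") not in mg_map:
        return resource_id
    return (
        f"/providers/Microsoft.Management/managementGroups/{mg_map[m.group('mg')]}"
        f"/providers/Microsoft.Authorization/{m.group('kind')}/{m.group('name')}"
    )


def missing_references(
    assignments: list[dict], deployed_ids: set[str], mg_map: dict[str, str]
) -> list[tuple[str, str]]:
    """Rewrite each assignment's policyDefinitionId and return
    (assignment name, rewritten id) for every target that is not deployed."""
    missing = []
    for a in assignments:
        target = rewrite_mg_scope(a["properties"]["policyDefinitionId"], mg_map)
        if target not in deployed_ids:
            missing.append((a["name"], target))
    return missing


# Constructed sample data: the library default 'alz' mapped to a customised id.
MG_MAP = {"alz": "tb-dev", "landingzones": "tb-landing_zones-dev"}

SAMPLE_ASSIGNMENTS = [
    {   # assignment of a custom definition set (name taken from the issue's error)
        "name": "Enforce-TLS-SSL",
        "properties": {"policyDefinitionId":
            "/providers/Microsoft.Management/managementGroups/alz"
            "/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit"},
    },
    {   # assignment of a single custom definition (from the issue's JSON)
        "name": "Audit-PeDnsZones",
        "properties": {"policyDefinitionId":
            "/providers/Microsoft.Management/managementGroups/alz"
            "/providers/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones"},
    },
    {   # assignment of a built-in definition; constructed placeholder name
        "name": "Deploy-BuiltIn-Example",
        "properties": {"policyDefinitionId":
            "/providers/Microsoft.Authorization/policyDefinitions/BuiltInExamplePlaceholder"},
    },
]

# Constructed state: the definition set has not been created yet (the race the
# issue describes), the single definition and the built-in exist.
DEPLOYED_IDS = {
    "/providers/Microsoft.Management/managementGroups/tb-dev"
    "/providers/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones",
    "/providers/Microsoft.Authorization/policyDefinitions/BuiltInExamplePlaceholder",
}


def check_sample() -> list[tuple[str, str]]:
    """Run the pre-flight check over the constructed sample."""
    return missing_references(SAMPLE_ASSIGNMENTS, DEPLOYED_IDS, MG_MAP)


if __name__ == "__main__":
    for name, target in check_sample():
        print(f"{name}: target not deployed: {target}")
```

Running the block reports only `Enforce-TLS-SSL`, whose rewritten target is the `tb-dev` definition set from the error message; the other two assignments resolve to IDs that are already present. The same check can be run against the IDs returned by the management API after the definition and definition-set stage has completed, as a gate before the assignment stage starts.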

phx-tim-butters commented 7 months ago

Hey @matt-FFFFFF

I think it was a race condition; I currently have it set to a 600 second delay before policy assignment, but seemingly that still wasn't enough. I'll be upping this today to do some further tests.

In the terraform-azurerm-caf-enterprise-scale module, the providerId is parameterized on the archetype policy assignments, so I put 2 and 2 together and got 5 in relation to this new (better) approach. Good to know the provider does this.

matt-FFFFFF commented 7 months ago

Wow. Some race condition!

In the future I hope to see some user defined retryable error support in terraform or the provider.

This would go a long way to cleaner IaC code.