Closed phx-tim-butters closed 6 months ago
Just fyi, I'm simplifying the config as per above - I'm actually using a custom lib to specify a policy assignment for applying the Azure Update Manager config as an example.
Further to example above for sake of testing; Override archetype =
```json
{
  "base_archetype": "root",
  "name": "root_override",
  "policy_assignments_to_add": [
    "Update-Ring1"
  ]
}
```

```json
{
  "name": "Update-Ring1",
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2019-09-01",
  "properties": {
    "description": "You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching",
    "displayName": "Schedule recurring updates using Azure Update Manager - Ring 1 (Tuesday Midnight)",
    "notScopes": [],
    "parameters": {
      "maintenanceConfigurationResourceId": {
        "value": ""
      },
      "tagValues": {
        "value": [
          {
            "key": "Update Manager Policy",
            "value": "Ring1"
          }
        ]
      }
    },
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba0df93e-e4ac-479a-aac2-134bbae39a1a",
    "nonComplianceMessages": [
      {
        "message": "Azure Update Manager Update not applied"
      }
    ],
    "scope": "${current_scope_resource_id}",
    "enforcementMode": null
  },
  "location": "${default_location}",
  "identity": {
    "type": "SystemAssigned"
  }
}
```
Hi @phx-tim-butters thanks for reporting this
In our alzreference demo, we do supply defaults from resources in the same root module and this works.
The error you are getting is strange and I will try to reproduce
I have managed to reproduce, it seems Terraform is trying to create the plat and landing_zones before the root.
Because the provider can't find the root MG in its memory, it assumes that the plat and landing_zones MGs have external parents.
As a workaround, for now, if you remove the dependency between the policy assignment parameter and the resource, then it will work.
You can interpolate the resource id using locals, e.g.:
`/subscriptions/${local.subscription_id}/resourceGroups/${local.resourceGroupName}/providers/...`
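The workaround above, written out as a complete root module. This is an added example, not code from the issue author or from the ALZ module: the maintenance configuration resource ID is assembled from locals as a plain string, so the module input carries no reference to the `azurerm_maintenance_configuration` resource and can be planned on a first run with nothing in state. The module source and inputs (`architecture_name`, `parent_resource_id`, `location`, the shape of `policy_assignments_to_modify` and the `jsonencode({ value = ... })` parameter encoding) are assumptions about avm-ptn-alz rather than something this thread states; the subscription, names and location are constructed values.

```hcl
# Added example (not the issue author's or the module's own code).
# Assumptions: avm-ptn-alz input names/shape and the jsonencode parameter
# encoding; resource group name, maintenance configuration name and location
# are constructed placeholders.

data "azurerm_client_config" "current" {}

locals {
  subscription_id         = data.azurerm_client_config.current.subscription_id
  resource_group_name     = "rg-update-manager"         # constructed
  maintenance_config_name = "mc-ring1-tuesday-midnight" # constructed
  location                = "westeurope"                # constructed

  # Known at plan time: built only from locals and the provider's client
  # config, never from azurerm_maintenance_configuration.ring1.id, so no
  # implicit dependency on the resource is created.
  maintenance_configuration_id = join("", [
    "/subscriptions/${local.subscription_id}",
    "/resourceGroups/${local.resource_group_name}",
    "/providers/Microsoft.Maintenance/maintenanceConfigurations/${local.maintenance_config_name}",
  ])
}

resource "azurerm_resource_group" "update_manager" {
  name     = local.resource_group_name
  location = local.location
}

# Weekly in-guest patching window (Tuesday midnight UTC, matching the
# assignment's display name). Its resource ID is what the policy parameter
# maintenanceConfigurationResourceId must point at.
resource "azurerm_maintenance_configuration" "ring1" {
  name                     = local.maintenance_config_name
  resource_group_name      = azurerm_resource_group.update_manager.name
  location                 = azurerm_resource_group.update_manager.location
  scope                    = "InGuestPatch"
  in_guest_user_patch_mode = "User"

  window {
    start_date_time = "2024-01-02 00:00" # a Tuesday
    time_zone       = "UTC"
    duration        = "03:00"
    recur_every     = "1Week Tuesday"
  }

  install_patches {
    reboot = "IfRequired"
    linux {
      classifications_to_include = ["Critical", "Security"]
    }
    windows {
      classifications_to_include = ["Critical", "Security"]
    }
  }
}

module "alz" {
  source  = "Azure/avm-ptn-alz/azurerm"
  version = "0.5.0" # version from this issue; the workaround targets releases before the 0.6.0 fix

  architecture_name  = "alz"
  parent_resource_id = data.azurerm_client_config.current.tenant_id
  location           = local.location

  # Fill the empty maintenanceConfigurationResourceId from the Update-Ring1
  # assignment with the interpolated string rather than a resource attribute.
  policy_assignments_to_modify = {
    root = {
      policy_assignments = {
        "Update-Ring1" = {
          parameters = {
            maintenanceConfigurationResourceId = jsonencode({
              value = local.maintenance_configuration_id
            })
          }
        }
      }
    }
  }
}

# Terraform 1.5+ check block: catches drift between the hand-built string and
# the ID Azure actually assigns, without reintroducing a dependency into the
# module input (check blocks never affect the resource graph ordering).
check "maintenance_configuration_id_matches" {
  assert {
    condition     = lower(azurerm_maintenance_configuration.ring1.id) == lower(local.maintenance_configuration_id)
    error_message = "Interpolated maintenance configuration ID does not match the created resource."
  }
}
```

The trade-off is that Terraform no longer orders the module after the maintenance configuration, and nothing validates the string until the `check` block runs at apply time, so keep the names in one set of locals shared by the resource and the string so the two cannot drift.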
Hi @phx-tim-butters
I have fixed this now, upcoming release of 0.6.0 should resolve - I also took your example and published it as a demonstration.
fixed by #35
Awesome stuff Matt thank you.
Check for previous/existing GitHub issues
Module specific issue
Issue Type? Feature Request
(Optional) Module Version: 0.5.0
(Optional) Correlation Id: No response
Description
The new work towards using the alzlib is great, and being able to reference policy assignment adjustments through HCL is fantastic.
However, I need to pull in referenced TF controlled resources (used within the same root module using the ptn alz module). However, when used on first run (nothing in state), the alz module will fail a plan. Only when the referenced resources exist in state does it allow me the ability to specify referenced resources within the policy_assignments_to_modify. I'm circumventing this by using -target for now, to create the resources first.
Error Details
Only errors when there are two Management Groups linked to the Root Group