Azure / terraform-azurerm-avm-ptn-alz

Terraform module to deploy Azure Landing Zones
https://registry.terraform.io/modules/Azure/avm-ptn-alz/azurerm
MIT License

[AVM Module Issue]: Feature - Ability to place dependency on higher archetypes #37

Status: Closed (phx-tim-butters closed this 3 months ago)

phx-tim-butters commented 6 months ago

Check for previous/existing GitHub issues

Module specific issue

Issue Type?

Feature Request

(Optional) Module Version

0.6.0

(Optional) Correlation Id

No response

Description

When deploying Greenfield with a typical ALZ policy set, I've found that the root archetype doesn't finish deploying before the lower archetypes start.

I'm in a position where I can reproduce a Policy Assignment on the Landing Zone archetype failing due to the Policy (Set) Definition not having been completed on the Root archetype yet.

On a subsequent run, the apply succeeds.

Having the ability to provide a dependency on a previous module archetype would be great. At the moment I am not able to specify a Depends On based on any of the outputs from the module, as the data sources within the modules are not refreshed with an explicit dependency - this causes (I believe the alz or alzlib provider) to fail a for_each lookup.

Error: Invalid for_each argument
│
│   on .terraform\modules\alz_archetype_platform\main.tf line 156, in resource "azurerm_role_definition" "this":
│  156:   for_each = local.alz_role_definitions_decoded
│     ├────────────────
│     │ local.alz_role_definitions_decoded will be known only after apply
│
│ The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.
│
│ When working with unknown values in for_each, it's better to define the map keys statically in your configuration and place apply-time results only in the map values.
│
│ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and then apply a second time to fully converge.

A workaround would be to specify a large delay on lower archetypes - but that would impede subsequent operations.

I have circumvented the issue by adding the following to the module to specifically force a wait for Policy Definitions to complete (basically creates a null resource output of the module that is created once policy assignments in the root have completed, therefore inferring policy definitions and sets have been completed).

main.tf

# Placeholder resource that carries an external dependency into this module.
# Its trigger is the caller-supplied ID, so it is only created once that ID is
# known, i.e. once the upstream (root) archetype module has produced it.
resource "null_resource" "policy_assignment_dependency" {
  triggers = {
    dependency_id = var.policy_assignment_dependency
  }
}

resource "azurerm_management_group_policy_assignment" "this" {
  ....

  # Wait for both the module's own delay and the external dependency
  # before creating any policy assignment.
  depends_on = [
    time_sleep.before_policy_assignments,
    null_resource.policy_assignment_dependency
  ]
}

variables.tf

# ID of an upstream resource (e.g. the root archetype's after_policy_creation
# output) that must exist before this module's policy assignments are created.
# Empty by default, so the module behaves as before when no dependency is given.
variable "policy_assignment_dependency" {
  type    = string
  default = ""
}

outputs.tf

# Exposed so that a lower archetype can depend on this archetype's policy
# (set) definitions having been created.
output "after_policy_creation" {
  value = time_sleep.after_policy_creation.id
}

Root.tf

module "alz_archetype_platform" {
  //Having to adjust current version of module to circumvent issues with dependency and alz provider changes 07/03/24
  source  = "Azure/avm-ptn-alz/azurerm"
  version = "0.6.0"
  //source                             = "../../../../modules/avm-pln-alz/0.5.0"
  id                                 = var.deploy_abbreviation == "" ? "${var.org_abbreviation}-platform" : "${var.org_abbreviation}-platform-${var.deploy_abbreviation}"
  display_name                       = var.deploy_abbreviation == "" ? "${var.org_abbreviation}-platform" : "${var.org_abbreviation}-platform-${var.deploy_abbreviation}"
  parent_resource_id                 = module.alz_archetype_root.management_group_resource_id
  base_archetype                     = "platform_override"
  default_location                   = var.default_location
  default_log_analytics_workspace_id = module.alz_management_resources.log_analytics_workspace.id
  delays                             = local.default_delays
  policy_assignment_dependency       = module.alz_archetype_root.after_policy_creation

  providers = {
    alz = alz
  }
}

matt-FFFFFF commented 6 months ago

Hi! Interesting feedback; we will look into a solution that has module outputs that indicate when policy (set) definitions have been deployed.

matt-FFFFFF commented 6 months ago

I am hoping the depends_on issue will disappear soon when the language experiment unknown_instances is fully released.

matt-FFFFFF commented 3 months ago

We are making significant changes to the provider, so will close this for now. Once the next version is released, please open a new issue if still relevant.